Friday, March 29, 2013

Card skimming goes viral

It should come as no surprise that if most computer criminals are interested in money, they would go where the money is. As a report this morning indicates, often that means either banks or points of sale.

That in itself is nothing new. For years gas pumps and ATMs have been targeted, often by hiding tiny magnetic readers that read the data on your credit or debit card when you insert it into the machine.  As technology progresses, those once easily-recognized additions have gotten smaller and smaller, to the point that they may be very difficult to recognize, or even be inside the machine where you cannot see them.

Today's report highlights a different approach, one that is far more difficult to detect. Russia-based security company Group-IB recently discovered malware called “Dump Memory Grabber,” which it believes has already been used to steal debit and credit card information from customers of major US banks. Unlike most malware (commonly called computer viruses) you may be familiar with, this malware is installed on the ATM or the point-of-sale register or kiosk itself. It harvests everything the device obtains from the user, including the contents of the mag stripe and potentially the PIN.

What is the paranoid consumer to do? Well, there isn't much you can do to avoid this kind of fraud if the device you use has been compromised, but the usual advice still applies. Only use well-lit, well-travelled ATMs and kiosks; if tamper-evident tape is used on the device, check that it has not been tampered with; and walk away if something feels wrong.

These steps won't guarantee your card will never be swiped though. I do a few additional things to minimize the personal risk. First and foremost, I NEVER use a debit card or ATM card for purchases. Consumer protection laws (in the US at least) for debit cards are not nearly as strong as those for credit cards, and a debit card is linked directly to a checking account. With a debit card, if a thief gets the number and my PIN, they have direct access to drain my account. With a credit card (paid in full every month! no sense in trading illegal scams for the perfectly legal trap of interest-laden revolving credit...), there is a degree of separation between purchase transactions and my bank account.

Additionally, I use Quicken financial management software (there are a few others that would work) that downloads transactions daily, so I know within a day or two of a fraudulent charge and can do something about it immediately, rather than finding out at the end of the month.

Bottom line: be smart and keep a healthy degree of paranoia about you.


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.