Tuesday, January 6, 2009

Anti-Skimming Recommendations from SEPA

I've covered card skimming on this blog extensively in 2008. There's a big problem in Europe, where EMV has been instituted: magstripes are skimmed there, transferred onto cloned cards, and used in the United States, where EMV is nowhere to be found. SEPA (Single Euro Payments Area) has now released recommendations to fight skimming in Europe.

Here's page one of a three-page PDF.

INTRODUCTION

The growth of skimming fraud is a major driver for the rollout of EMV across the SEPA. This should be completed by 2010 and it has already resulted in dramatic reductions in the use of fraudulently duplicated cards in the countries where it has been introduced. However, it has also resulted in fraudulent transactions migrating to countries where EMV has not yet been implemented or is not planned, often outside the SEPA area. As many such countries have no plans to introduce EMV, cards will continue to have both mag-stripe and chip and therefore there will remain a significant risk of a fraudster skimming a magstripe in an EMV country and using the duplicate card in a non-EMV country or environment.

BACKGROUND

Card skimming involves the capture of a card’s mag-stripe information (which may be debit, credit or ATM only), and matching it with the card’s PIN number in order to produce a duplicate card. This may occur at ATMs, Point of Sale (POS), or indeed any other location where a customer uses their card and PIN.

The mag-stripe information is captured by fitting an additional card-reader over the ATM’s card slot and the PIN is usually obtained by the use of micro cameras, although “shoulder surfing” may also be used. This information is then stored on a chip within the skimming device or more usually transmitted immediately to a lap-top PC nearby. Devices are usually attached to ATMs for short periods, e.g. 20 minutes, and the device is usually being observed. For this reason ATMs which are busy and which have ample adjacent parking are particularly attractive to fraudsters.

The duplicate card can then be used in a non-EMV ATM, or if the duplicate card passes visual inspection, Point of Sale (POS). Information on the chip is not captured which means that the card cannot be used in an EMV environment and this normally limits use to locations where EMV has not been introduced. Fraudulent data may be sold on and mixed with other sources of data and the actual card production may be months after the data was captured, although on other occasions duplicate cards have been used less than 24 hours after the attack.

With a duplicate card a bank account can be drained until there are no funds available, or in the case of a credit card, until the credit limit is reached. As ATM usage is subject to daily withdrawal limits, these transactions usually take place close to, or at the daily limit over a number of days. EAST (European ATM Security Team) reports that the number of cases of skimming remains high across Europe with over 4501 ATM incidents in 2007, resulting in losses of over €438 million.
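The usage pattern described above (a chip card appearing as magstripe-only at non-EMV ATMs, with withdrawals at or near the daily limit over several days) can be turned into an issuer-side detection rule. The sketch below is an added example, not part of the SEPA document or this blog; the record fields, thresholds and sample transactions are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ATM withdrawals (not real data). Field names are assumptions:
# entry_mode is how the card was read; terminal_emv says whether the ATM reads chips.
TXNS = [
    {"card": "A", "day": date(2009, 1, 2), "amount": 300, "entry_mode": "chip", "terminal_emv": True},
    {"card": "A", "day": date(2009, 1, 3), "amount": 300, "entry_mode": "chip", "terminal_emv": True},
    {"card": "B", "day": date(2009, 1, 3), "amount": 500, "entry_mode": "magstripe", "terminal_emv": False},
    {"card": "B", "day": date(2009, 1, 4), "amount": 250, "entry_mode": "magstripe", "terminal_emv": False},
    {"card": "B", "day": date(2009, 1, 4), "amount": 250, "entry_mode": "magstripe", "terminal_emv": False},
    {"card": "B", "day": date(2009, 1, 5), "amount": 480, "entry_mode": "magstripe", "terminal_emv": False},
    {"card": "C", "day": date(2009, 1, 3), "amount": 100, "entry_mode": "magstripe", "terminal_emv": False},
    {"card": "C", "day": date(2009, 1, 6), "amount": 400, "entry_mode": "magstripe", "terminal_emv": False},
]
DAILY_LIMIT = {"A": 300, "B": 500, "C": 400}  # constructed per-card ATM limits
CHIP_CARDS = {"A", "B", "C"}                  # cards issued with both chip and magstripe


def flag_cards(txns, limits, chip_cards, near=0.9, min_days=2):
    """Return {card: [days]} for chip cards drained via magstripe at non-EMV ATMs.

    A day counts when that day's magstripe withdrawals at non-EMV terminals
    reach `near` * daily limit; a card is flagged after `min_days` such days.
    """
    per_day = defaultdict(lambda: defaultdict(float))
    for t in txns:
        # A duplicate carries only the stripe data, so it can only show up as a
        # magstripe read at a terminal that does not enforce the chip.
        if (t["card"] in chip_cards and t["entry_mode"] == "magstripe"
                and not t["terminal_emv"]):
            per_day[t["card"]][t["day"]] += t["amount"]

    flagged = {}
    for card, days in per_day.items():
        hot = sorted(d for d, total in days.items() if total >= near * limits[card])
        # A genuine cardholder abroad may hit the limit once; repeated days at
        # the limit match the draining behaviour described in the text.
        if len(hot) >= min_days:
            flagged[card] = hot
    return flagged


if __name__ == "__main__":
    for card, days in flag_cards(TXNS, DAILY_LIMIT, CHIP_CARDS).items():
        print(card, [d.isoformat() for d in days])
```

Card A reaches its limit every day but through the chip, and card C reaches it on only one day, so neither is flagged by the rule.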

PIN Debit Payments Blog
