10 Ways Criminals Get Debit Card Data

Criminals are more organized and sophisticated than ever before. Attacks on ATM machines range from simplistic to highly organized efforts involving multiple ATMs across the country, hundreds of fraudulent cards and criminal gangs spanning the globe.

So, how do criminals get your customers' debit card data? Here are 10 different ways:

Attack sophistication: Low / Scale of attack: Small

The simplest way for a criminal to get card data is to steal someone's card. To get the PIN, the thief might shoulder surf or guess a weak password, such as a birth date.

Attack sophistication: Low / Scale of attack: Moderate

A criminal might decide to steal either an ATM or POS terminal. Cash can be pulled from the ATMs, but both types of machines could store card numbers if misconfigured. A stolen machine is also valuable in order to learn about weaknesses or ways to physically attack it.

Attack sophistication: Moderate / Scale of attack: Small

Breaking into mailboxes and stealing bank statements or other personal information can let a criminal conduct identity theft. Often they'll try to change the victim's mailing address with the bank, order a new card, and activate it. If the bank has good processes in place that are adhered to, then this type of attack can be stopped.

Attack sophistication: Low / Scale of attack: Moderate

If a deft criminal can get a hold of a card for a few seconds, then they can swipe it through a reader and get its data.

Attack sophistication: Low / Scale of attack: Moderate

In this case, the criminal places a card reader over the machine's intrinsic reader. They might also attach a video camera or a pin-pad overlay to capture the PIN.

Attack sophistication: Moderate / Scale of attack: Large

More capable criminals could place a skimming device inside a terminal, such as at a gas pump. The skimmer intercepts messages on the data lines, and is tough to detect without opening up machines.

Attack sophistication: High / Scale of attack: Moderate

A terminal can be hijacked by replacing the operating system with a compromised one. An avenue of attack might be available for those ATMs with remote control capabilities that are left in the default (and insecure) settings. Stolen machines might also be modified and then used to replace an existing, non-compromised terminal.

Attack sophistication: Moderate / Scale of attack: Moderate

Why add a skimming device to a real terminal when you can just use your own fake one? Criminals have been known to place fake, modified terminals in public spaces where victims will use their cards but receive communication error messages. In reality the terminal has captured card data and PIN, and stored it for later retrieval.

Attack sophistication: Low / Scale of attack: Moderate to Huge

With so many means of attack, there is a glut of card information on the market. Lazy criminals can simply buy card data, starting at $1 or less. Quality costs extra, but in the underground marketplace there are products for everyone.

Attack sophistication: High / Scale of attack: Huge

Capable hackers are able to crack the security on merchants and other card data holders, and access large volumes of card data. With the heightened awareness of cybercrime, the industry has made strides in using more secure techniques for storing data (or in many cases, ensuring that they don't store it). This has made it harder for criminals, but there are still many opportunities for attacks.