10 Ways Criminals Get Debit Card Data

Criminals are more organized and sophisticated than ever before. Attacks on ATM machines range from simplistic to highly organized efforts involving multiple ATMs across the country, hundreds of fraudulent cards and criminal gangs spanning the globe.
 
So, how do criminals get your customers' debit card data? Here are 10 different ways:
 

Steal cards

Attack sophistication: Low / Scale of attack: Small
The simplest way for a criminal to get card data is to steal someone's card. To get the PIN, the thief might shoulder surf or guess a weak password, such as a birth date.
 

Steal machines

Attack sophistication: Low / Scale of attack: Moderate
A criminal might decide to steal either an ATM or POS terminal. Cash can be pulled from the ATMs, but both types of machines could store card numbers if misconfigured. A stolen machine is also valuable in order to learn about weaknesses or ways to physically attack it.
 

Offline account takeover

Attack sophistication: Moderate / Scale of attack: Small
Breaking into mailboxes and stealing bank statements or other personal information can let a criminal conduct identity theft. Often they'll try to change the victim's mailing address with the bank, order a new card, and activate it. If the bank has good processes in place that are adhered to, then this type of attack can be stopped.
 

Separate skimming device

Attack sophistication: Low / Scale of attack: Moderate
If a deft criminal can get a hold of a card for a few seconds, then they can swipe it through a reader and get its data.
 

Overlaid skimming devices

Attack sophistication: Low / Scale of attack: Moderate
In this case, the criminal places a card reader over the machine's intrinsic reader. They might also attach a video camera or a pin-pad overlay to capture the PIN.
 

Internal skimming devices

Attack sophistication: Moderate / Scale of attack: Large
More capable criminals could place a skimming device inside a terminal, such as at a gas pump. The skimmer intercepts messages on the data lines, and is tough to detect without opening up machines.
 

Hijacked terminals

Attack sophistication: High / Scale of attack: Moderate
A terminal can be hijacked by replacing the operating system with a compromised one. An avenue of attack might be available for those ATMs with remote control capabilities that are left in the default (and insecure) settings. Stolen machines might also be modified and then used to replace an existing, non-compromised terminal.
 

Ghost ATMs and fake fronts

Attack sophistication: Moderate / Scale of attack: Moderate
Why add a skimming device to a real terminal when you can just use your own fake one? Criminals have been known to place fake, modified terminals in public spaces where victims will use their cards but receive communication error messages. In reality the terminal has captured card data and PIN, and stored it for later retrieval.
 

Buying the data

Attack sophistication: Low / Scale of attack: Moderate to Huge
With so many means of attack, there is a glut of card information on the market. Lazy criminals can simply buy card data, starting at $1 or less. Quality costs extra, but in the underground marketplace there are products for everyone.
 

Data breaches

Attack sophistication: High / Scale of attack: Huge
Capable hackers are able to crack the security on merchants and other card data holders, and access large volumes of card data. With the heightened awareness of cybercrime, the industry has made strides in using more secure techniques for storing data (or in many cases, ensuring that they don't store it). This has made it harder for criminals, but there are still many opportunities for attacks.
 
"10 Ways Criminals Get Debit Card Data." Verafin.com. Verafin Inc. Web. 8 Aug 2013