T&T cybercriminals target local ATMs

(Trinidad Guardian) A security expert at a local commercial bank says skimming attacks like the one which occurred on December 28 will happen again because ATMs are increasingly being targeted by cybercriminals who are using increasingly sophisticated high-tech methods to empty the accounts of bank customers..

“It is not a matter of if but when skimming attacks will happen again,” said the official who spoke on condition of anonymity because of the sensitive nature of his job,

“ATMs are under siege more than ever from skimming. Skimming, where ATM thieves steal PIN and account numbers using remote devices, is increasing dramatically and is becoming a high-tech art that’s hard to detect.”

The expert said one of the commercial banks targeted in the recent skimming attack has already stepped up its security drive by identifying high-risk ATMs and deploying additional security to monitor those locations.

He told the Sunday Guardian skimming isn’t new and had been around for at least ten years but the technology involved was getting better every year

While the recent skim attack was initially reported to have affected customers at RBC, customers at Scotiabank and Republic Bank Limited also reported that their accounts were emptied of funds.

Skimming is the act of obtaining information from a debit or credit card with a card reader device. The PIN is often obtained separately, usually by someone who is watching or by hidden cameras or sophisticated devices that may be attached to the ATM. Once the magnetic strip data and PIN are obtained, a counterfeit card is produced and then used to get funds from an unsuspecting bank customer’s account.

The expert said ATM thieves typically use two devices to capture victims’ PIN and card data. One device is placed near where the victim swiped a bank card and reads the magnetic strip on the card with the account number.

Technology had evolved to the point where moulded plastic can be fitted into ATM slots. These devices are available over the Internet for as little as US$300.

A camera hidden from view captures the victim’s PIN and the cybercriminal gets that data in real time using a laptop to remotely access the skimming device. The criminals then burn the data onto a blank card to access the customer’s accounts.

The expert said banks have been upgrading security systems to prevent online attacks, as well as ATM fraud, phishing and skimming. To reduce the risk of skimming, swipe ATMs have been installed by some commercial banks. At these machines customers swipe their cards rather than insert them into a slot.These have been proven to reduce the occurrences of skimming as it is more difficult for a criminal to add a skimming device onto these machines.

“Cameras have also been added, not only to the ATM but inside and outside the ATMs,” the expert said. “However, offsite ATMs which are not directly linked to any banks remain very vulnerable.”

At most banks, he said, there were strong policies and systems for protecting customers’ privacy and safeguarding personal, business, and financial information entrusted to the bank.

In addition to stringent privacy practices, banks employed a diverse range of technologies and security mechanisms to ensure the safety, confidentiality and integrity of customer information and transactions, the expert said.

Shiva Bissessar, managing and technical director of Pinaka Technology Solutions, said the recent skimming incidents were not isolated cases and there have been incidents in the past. He said several arrests were made; equipment used to make fake driver’s permits, passports, ID cards and clone and capture bank credit and debit cards was seized at a house in Trincity in 2013.