Does anyone have any information about credit/ATM card skimming? If you have any websites, forums, IRC channels or other sources of informations about this topic.
I am doing a paper about this subject for a class in college (Cybercrime program).
Thanks!
Can you be more specific on what aspect of skimming ?
This is one type of skimming (discovered two years ago) on a garage forecourt petrol pump offering customers the card payment system. It skims the card details.
You will have trouble finding information on this topic through mainstream resources. If you have LE connections, especially federal ones, they will be a valuable resource. The specifics on cases involving skimming and it's technology are purposefully kept tight lipped.
The specifics on cases involving skimming and it's technology are purposefully kept tight lipped.
I used to think that too until a television programme showed credit card skimming in a UK restaurant, some forums discuss the subject, people selling commercial services put info in their powerpoint slide presentations etc etc. The photos above were posted by a security personnel who had his credit card details skimmed at the petrol pump and took the photos above and released them. Quite a few cases were uncovered following these photos and that can only be a good thing.
If more people were made more aware and shown photos of what to look out for then they can be more cautious and increase their chances of not been stung.
I vaguely recall several YouTube videos showing such devices.
I vaguely recall several YouTube videos showing such devices.
You can Google all the information that you need to build one. If you know where to go, you can even find BBs with addresses where you can purchase them online, for about $300-$500 USD or you can find suppliers of molds for the faceplates and make them, yourself. You can also buy machines to make fake credit cards complete with the holograms for arount $10k USD if you know where to look.
RedBox, the company that makes the video rental vending machines, even posted pictures of skimmers to their web site after a few of their machines were bugged.
If LE thinks that they are keeping this information from criminals, they are kidding themselves.
Be careful, though, if you try to do this, make sure that you alert your instructor or some other reliable person as to what you are doing. There are various LE sting operations on the web which are indistinguishable from the real thing (Google "DarkMarket" for an interesting story) and you don't want to get yourself in trouble simply for doing research.
There's no doubt you can Google all this information and there is a ton of it available on the net. I was trying to give the benefit of the doubt without having to redirect to http//lmgtfy.com We all know anything that peaks your interests can be answered with some internet research.
That said, there is an enormous amount of information available through LE contacts. Many of the newer implementations of skimming are kept as quiet as possible in hopes of curving the copycat type of thief. Granted, yes, that information is probably on the net somewhere. We will never be able to stop the smart criminals…we're just trying to prolong the inevitable and stump the stupid criminals. There are benefits to it being made public as trewmte suggest, but that information has to be disseminated very carefully. At any rate as everyone is suggesting you can simply find a lot online, but if you just so happen to have LE contacts you may give that a shot.
Many of the newer implementations of skimming are kept as quiet as possible in hopes of curving the copycat type of thief.
At the expense of whom? Those who will be victimized until the skimmers are detected?
RedBox put its information online because it wanted consumers to be able to detect when a machine had been compromised and how. Security through obscurity is a valued principle, but the problem is that the implementation frequently makes the intended victim more vulnerable than less. For example, an intended victim might not be able to detect an RFID skimmer, but if they know that such exist, they can purchase products to protect themselves from it.
During the Cold War, the US government "allowed" a certain number of "secrets" to get into the hands of the enemy. The feeling was that this information served as a deterrent.
Most Microsoft code is proprietary and confidential. Has this made it more secure? IMHO no. In fact, experience suggests just the opposite.
I certainly believe that there exists a body of knowledge which should be restricted to those who are legitimate law enforcement and government security officials. But I also spend time lurking on various BBs and blogs where accurate, detailed information is exchanged as to how to create SQL injection attacks, how to hack into Facebook or AIM, how to build a PE virus, etc., is exchanged. Those who want to do bad already have the information. Those of us who want to advise our clients how to escape vulnerability need to have it as well.
The big problem, as I see it, is that LE has a limited role in prevention, limited simply due to the resources required. Look at the major PII thefts of the past 12 months and ask yourself what LE could have done, by itself, to stop them?
The answer is that the methods need to be known, as well, by those members of the private sector whose duty it is to defend their clients. By the time that LE gets to somebody like Heartland, the cow has already escaped.
I do agree, however, that a good rapport with LE can be extremely helpful. A public/private partnership would be even better.
Gizmodo had an article on this today…
http//