DO NOT PASS GO – Banking Security Risks at your ATM, POS, PC, and Mobile – Part One

Posted: October 27, 2014 in Hacking, Network Security, Physical Security, Security, Social Engineering

By William V. Burns

 October 27, 2014

Online Banking Risks

 Withdrawing money from your bank or other financial institution triggers some sort of animal instinct in us; we feel a sense of satisfaction in handling the cash, followed by a quick look around for predators.

That look around was too late, and ineffective anyway. You have already been preyed upon. Oh the cash in your hand is safe enough, depending on how much crime there is in your neighborhood. Count it quietly and put it away. But check the balance on your ATM receipt. You see? Your balance is now zero.

 The predation was invisible and swift.

Where could it have happened?

 Right at the ATM you just left.

There is an entire criminal industry centered on defrauding people while they withdraw money. One widespread method is called ‘skimming.’ The criminal has a device, called a ‘skimmer,’ made by them or bought online on the darker side of the Internet, which looks like part of the ATM. They walk up, snap or glue it in place, and walk away. When you swipe your card in the ATM, the device reads your card information; it records you entering your PIN, and then transmits your bank information to the criminal who then uses that information to empty your account.

 Back at home, on your PC.

It looks like your bank sent you an email alert. There was a problem with your account! The email asked you to verify your banking information immediately or your account would be locked. You clicked on the link in the email and logged on to your account. You saw the words ‘account verified.’ You relaxed. That email wasn’t from your bank. It was from a criminal. You got phished.

 At the store, while buying something for yourself.

The ‘skimmers’ referred to above are also installed by criminals on Point Of Sale (POS) terminals in retail locations. There also exist for sale ‘dongles’ that can be surreptitiously plugged into the POS in line with the cable or in an empty socket – these dongles capture the information from your card purchase and send it to our criminal. They emptied your account.

 At the fuel pump.

Fuel pumps are big targets nowadays for skimmers. There’s also some fraud from clerks inside the station convenience store swiping your card twice; once on the machine, and the second time through a small card reader plugged into their smartphone. Got your money.

 In line at the supermarket.

You wouldn’t let a stranger lurk right behind you at the ATM or the fuel pump. They have no reason to be so close. It’s different in the supermarket checkout line, where we’re all just folks, pushing our food, booze, snacks, and cleaning supplies up against each other, fumbling at the little keyboard. The fellow leaning close is engaging in a ploy called ‘shoulder surfing,’ a bit of social engineering to grab your PIN. Your card number has already been compromised through him taking a quick digital picture with his phone. One email later, and his partner in Zaire withdraws your money.

 Inside your smartphone.

You download a new banking app for your smartphone, and load it up with your account information, routing number, and password. Unfortunately, the app was designed by a hacker, and they sold your information to a third party, who loots your account.

 On the other side of the world, in a corporate server.

You bought a nice pair of pants at this franchised boutique six months ago. You used your debit card. The corporation has a database with customer names, addresses, card numbers, and authentication data. After some hard work finding a security vulnerability in the boutique’s corporate server and exploiting this to gain access, a Russian hacker now has your account information, which he sells to another cybercriminal. Your account balance falls to zero shortly after.

 What next?

What can you do? How can you protect yourself when there are so many people after your money?

Sensible precautions are outlined in part two, which will follow shortly.


Krebs On Security – All about Skimmers

USNews – Is it safe to bank online?

Wall Street Journal – ‘Phishing’ Scams Cast Net on Mobile Banking

Naked Security – 8 Tips for safer online banking

Bankrate – Online banking: Is your Money safe?
