Police warn of Central Square bank skimming

Cambridge seeks bank skimmers

Skimmers sought. See it larger.

Cambridge Police are looking for a group they say installed "skimmers" on ATMs in Central Square to capture customer bank information.

Police say the skimmers were in operation between November and January - and that the group "extracted an undisclosed amount of cash from the compromised accounts in New York City" two weeks ago.

Police have released photos of the men suspected of installing the devices, which collect data from their bank cards to be imprinted on blank cards.

Police say they've stepped up surveillance of local ATMs.

Although the devices are now sophisticated enough to escape cursory examination, police offered some tips:

Inspect ATMs, gas pumps or credit card readers before using them. Be suspicious if you see anything loose, crooked, damaged or if you notice scratches or tape residue.

  • When entering your PIN, block the keypad with your other hand to prevent possible hidden cameras from recording your number.
  • If possible, use an ATM at an inside location.
  • Be careful of ATMs in tourist areas, as they tend to be popular targets of skimmers.
  • If your ATM card is not returned after a transaction or after hitting cancel, immediately contact the financial institution that issued the card.

Neighborhoods: 

Topics: 

Free tagging: 

Comments

So...

By on

...which banks in Central Square had their ATMs skimmed?

Isn't that really important to know? I'm not blaming uHub here, maybe they didn't release this information... but they certainly ought to.

up
21

on twitter

By on

they said they didn't release the bank info due to the ongoing investigation.
makes me glad I'm a luddite and go into the bank!

up
13

I'm actually surprised this

By on

I'm actually surprised this doesn't happen more often. It only takes a few minutes for a device to be installed. All mag stripe data is captured and the thieves can gather their data via wifi.
This is why some gas dispensers ask for billing zip code, to compare with the mag stripe. The data is washed as soon as authorization for the transaction is returned (a matter of seconds), and none of that data is available to the merchant, only the banking network. It is against the law for any merchant to store that data anywhere.

It's a huge problem in the southwestern area of the country with gas dispensers.

up
18

Zip Code

By on

Lots of companies also ask for zip codes if their credit card processing account is in a 3 tiered system (qualified, mid qualified, and non qualified transaction).

By entering the billing zip code, the transaction can be moved from mid qual to non qual, which costs the business less.

up
12

I've only heard instances

By on

I've only heard instances where the zip code is used to verify that the user of the card knows the cards billing address. If the zip code can't be verified the transaction will not go through.

I've never heard of the tiered system you mentioned. Maybe it's the business I am in but we have strict standards of encryption and processing to protect all consumer data. I must annually verify and sign off that our systems in place meet all expectations of data security.

I often wonder about those phone adapters that allow credit card transactions. Between encryptions and bank keys and not using any old network or wifi to transmit that data. Our networks are segmented so no credit card or customer data ever shares bandwidth with non secure data.

It's unlikely that major

By on

It's unlikely that major companies (like gas stations) would be on a 2 tiered system as it's a ripoff. Their likely on interchange plus (or cost plus).

But you can def enter the wrong zip code on a 3 tiered account and it will go thru, but it will go to non qualified and cost the business well over 3% of the transaction.

up
12

Yes, Interchange + is what I

By on

Yes, Interchange + is what I am familiar with. Why would any processor or merchant allow a bad zip code transaction to go through? It's an opening for fraud. I've written before how a white card (actually about 30) were tested at one of our locations. Since the MA Law that outlawed zip code prompts because of someone was getting too much junk mail, all white cards this guy had were approved and ready for use! To me that law was written without people actually knowing the consequences, definitely unfriendly to businesses.

I'l go out on a limb

By on

and guess this crew is from out of state, probably NY/NJ, and are connected to ethnic based organized crime, not Italian.

Just saying.

Elmer's Lil' ATM Safety Tip

By on

Use a different card to open the outer door into an ATM booth than the card you'll be using for the actual transaction. Any card with a mag stripe will unlock the door. If a skimmer on the door grabs that card's data, it won't work with the PIN you enter at the ATM.

up
15

Question

By on

If a skimmer on the door grabs that card's data, it won't work with the PIN you enter at the ATM.

Just to be clear - put another way, you are saying that if the skimmer is installed on the door, it will grab the PIN from the card that you used to open the door but since that isn't the card that you will put into the ATM, the crooks won't have the PIN for the card you were actually going to use on the ATM and thus won't have access to that account.

However, they still have access information on one of your other cards, whose account is now compromised - the one that you used to open the door.

Why is what you propose significantly better?

up
11

Any Old, Expired, Or Invalid Card Will Open The Door

By on

Well first of all, no PIN is involved in opening the door. Any card with a mag stripe will work, even if the card is expired or otherwise useless. You could keep such card in your wallet just for unlocking ATM doors. Even if you use a (different) valid card to unlock the door, the skimmer would only get the information on its mag stripe; not the expiration date, CVV number, or cardholder's name.

However, if you open the door with the same card you use at the ATM, the skimmer will collect the mag stripe data, while a hidden camera collects the corresponding visual data and PIN entry.

Of course, this won't help if the skimmer has been installed onto the ATM itself, but the door openers are a much easier target. One may ask why banks even bother to use door unlocking card readers, since they provide absolutely no security, but have a huge potential for exploitation.

Anyway, it's very easy to take the simple precaution of using different cards for each; it might help.

Do you have any evidence that

By on

Do you have any evidence that the door card readers have ever had skimmers?

In my experience, the door unlocks as soon as the first bit of the magstripe goes in. So there's no way a supposed door skimmer device could read the whole stripe.

up
10

Yes, There Are Many Examples Of This ...

By on

…
http://krebsonsecurity.com/2011/01/atm-skimmers-that-never-touch-the-atm/
https://www.schneier.com/blog/archives/2011/02/atm_skimmer_on.html

… If you search a bit, you'll see it's a very common method of attack.

I know what you mean about it not requiring much of the card to be inserted for most readers to open. So, if a door reader ever appears "different" and licks more of the card, it'd be a red flag that it might be a skimmer.

up
13

in other countries

ATMs have shields next to/over the PIN pad to block shoulder-surfing or camera observation of PINs. Those should be standard equipment here, too.

I'm not sure to what extent European-style "chip-and-PIN" cards would help. Krebs on Security is skeptical, but IMHO it might be an improvement over what we have now.

up
10

Chips are the way to go!

By on

Chips are the way to go! Europe is far ahead of the USA in that technology. I believe our due date to transition to chips is in 2015 but I expect delays. It's a very expensive cost for a business to purchase and have installed new card readers, especially for your local mom and pop around the corner.

And as far as the shields go, I've been to some stores where there's like a "hood' over the pin keypad to block others from viewing, and I appreciate that. I wish more would have something like that. There are times I've used my hand to cover the pin pad.

up
11

Chips can be compromised too.

By on

Chips can be compromised too. No tech is immune to skimming if the fraudsters have the right tools.