
Winter Sales Bank Fraud Alert: don’t forget about SKIMMING


Banking & Fintech

We usually ask ourselves how best to protect our assets and, after analyzing the situation, we install alarm systems, take precautions when withdrawing cash from ATMs and read the fine print in the contracts we sign. But we may not be aware of the risks involved in our economic activities, especially those we carry out electronically, and for this reason we apply few or no security measures. In this sense, it is important to know the term skimming.

What is Skimming?

The term Skimming was originally used in literature to designate a selective reading technique that allows finding data of interest quickly, but in cybersecurity it refers to the set of techniques used by cybercriminals to steal a person’s bank details. This information allows criminals to threaten and extort companies and to commit crimes by usurping someone else’s identity: making purchases in someone else’s name, making transfers with someone else’s money, or even financing terrorist groups.

Skimming in cybersecurity, however, refers to the type of fraud (art. 249 of the Penal Code) committed by electronic means. Its objective is to obtain our banking information through different methods, mainly by copying or cloning the information on the magnetic stripe of our physical bank card. The concept also includes the various strategies that are used jointly or individually for this purpose. Some of the most commonly applied strategies are:

1. Installation or use of illegal devices

These are devices capable of copying or recording our bank card information (from the magnetic stripe and/or its credentials) in order to clone it, use its credentials in e-commerce or sell it to a third party. In general, whenever we use our bank card to make purchases or withdraw money from an ATM, we run the risk of having our data stolen. Usually, the devices used are:


  • Illegally modified dataphones, used to register the credentials and/or the magnetic stripe of our bank card and thus clone it.
  • Devices other than the dataphone, with a magnetic stripe or RFID reader, which an employee uses when we hand over our card to pay with a dataphone. A slight misdirection is enough to perform the maneuver.
  • ATM registration devices that simulate being part of the ATM, such as a keypad and card insertion slot superimposed on the originals, which record both the card information and the PIN.
  • Spy cameras that can be installed in dataphones and ATMs and easily go unnoticed, since they are manufactured with the appearance of a screw or other element capable of being integrated into any device. They are used to register the security PIN.

2. Phishing

This is the sending of messages with malware, usually via email but also via SMS, WhatsApp, etc. (Smishing), or the making of telephone calls (Vishing), through which, using social engineering, criminals manage to impersonate the identity of a company, organization or trusted person in order to obtain our bank details, among other personal data.

We are more prone to fall for Phishing scams, as it is a strategy that involves little technical knowledge, is easy to apply and complicates the work of law enforcement agencies in attributing the crime to a natural person, thanks to the anonymity offered by cyberspace.

3. E-Skimming

E-Skimming consists of accessing the banking and personal information that legitimate online stores hold in cyberspace, for subsequent fraudulent use and/or carding. To do this, cybercriminals exploit unpatched vulnerabilities in the computer systems used to manage the e-commerce platform.

Vulnerabilities can be exploited in two ways: on the one hand, in a way that allows criminals to access the personal and sensitive information of customers and employees; on the other hand, to impersonate the customer’s identity and make purchases and orders in their name that do not attract the attention of the IT security service of the company that runs the e-commerce site.

This type of fraud is very much the order of the day, but it is important to note that it is a technique with a long-established track record among cybercriminal gangs. In 2011 the Guardia Civil arrested, within the framework of Operation “UKUNGA”, 8 people who were part of an international criminal network dedicated to Skimming, thanks to which they swindled more than 1 million euros.

How can we protect ourselves from Skimming?

As we have seen, the main objective of the Skimmers is to get hold of our banking information. Christmas time and, later on, the Winter Sales are an opportunity for Skimmers to act, as we make more purchases than usual, we jump on the bargains and are more susceptible to Skimming, also on the Internet.

Thus, the first thing to be aware of is that Skimming can be carried out in two ways: with the card present and with the card not present.

Card-present methods, which consist of the use of illegal skimming devices, are the most complex to implement because such devices are difficult to obtain. Against them, we should take precautions such as:

  • Do not lose sight of your card when making a payment at any merchant.
  • Cover the PIN with your hand when withdrawing cash from the ATM and make sure there is no leftover or foreign device.
  • If something makes us suspicious (we find a spy camera or some other device), the best thing to do is to alert the bank staff and the authorities.
  • If we have the slightest suspicion that a fraudulent charge has been made on our account, we should inform the competent authority about the places (physical or online) where we have made a financial transaction (stores, banks, etc.); as well as contacting our bank to report the charge and cancel the card cloned by the criminals.

Regarding card-not-present methods, which are more common than the previous ones, we must avoid the human error that the social engineering of phishing exploits:

  • Be wary of links or attachments. Check that the sender of a message is who he/she claims to be and that his/her identity has not been impersonated.
  • Do not provide personal information. Our bank will never ask us by any means to enter our banking credentials to verify that we are who we say we are. If the message is from someone you “know”, it is best to contact him or her directly to ask whether he or she really sent it, as your acquaintance may be a victim of malware.
  • Be aware of the manipulation techniques that are usually used and avoid, as much as possible, publishing personal information. Remember that cybercriminals take advantage of the information we publish to work out how to deceive us more easily.
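The first bullet asks us to check that a sender is who they claim to be. As an added illustration of what that check looks like when automated on the receiving side (this is example code written for this page, not part of the article), the script below parses a message and flags the usual impersonation signals: a display name that borrows a bank’s brand while the actual address lives on another domain, a Reply-To that diverts answers elsewhere, failing SPF/DKIM/DMARC verdicts recorded by the receiving mail server, and link text that shows one URL while the href points at another. The two sample messages, the `mybank.example` brand and the `KNOWN_BRANDS` allow-list are all constructed for the example; the “registered domain” helper is a deliberate simplification (a real deployment would use the public suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name claims to be a bank, but the sender address,
# Reply-To and the real link target all live on other domains. Every name and
# domain here is made up for this example.
SAMPLE_PHISH = """\
From: "MyBank Security Team" <alerts@mybank-secure-login.example>
Reply-To: helpdesk@mail-relay.example
To: customer@example.org
Subject: Your card has been blocked
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mybank-secure-login.example; dkim=none; dmarc=fail header.from=mybank-secure-login.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your card details at
<a href="http://mybank-secure-login.example/verify">https://www.mybank.example/login</a></p>
</body></html>
"""

# Constructed sample of a genuine notification from the same (fictional) bank.
SAMPLE_LEGIT = """\
From: "MyBank" <no-reply@mybank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mybank.example; dkim=pass header.d=mybank.example; dmarc=pass header.from=mybank.example
Content-Type: text/html; charset=utf-8

<html><body><p>Log in at <a href="https://www.mybank.example/">https://www.mybank.example/</a></p></body></html>
"""

# Hypothetical allow-list: brand keyword -> domain the real institution sends from.
KNOWN_BRANDS = {"mybank": "mybank.example"}


def registered_domain(host):
    """Simplified 'registered domain' (last two labels); real code uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers added by the receiving MTA."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def find_link_mismatches(html):
    """Return (shown_domain, real_domain) for anchors whose visible URL differs from the href."""
    mismatches = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = text.strip()
        if not shown.lower().startswith(("http://", "https://")):
            continue  # only plain-text link labels can be compared domain to domain
        href_dom = registered_domain(urlparse(href).hostname or "")
        shown_dom = registered_domain(urlparse(shown).hostname or "")
        if href_dom != shown_dom:
            mismatches.append((shown_dom, href_dom))
    return mismatches


def analyse(raw):
    """Return a list of human-readable impersonation findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.split("@")[-1])

    # 1. A bank's brand in the display name, but the address is on a different domain.
    for brand, real_dom in KNOWN_BRANDS.items():
        if brand in display.lower() and from_dom != real_dom:
            findings.append(f"display name claims {brand!r} but sender domain is {from_dom}")

    # 2. Replies silently routed to a domain other than the apparent sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registered_domain(reply.split("@")[-1]) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    # 3. Anything other than 'pass' from the receiving server's SPF/DKIM/DMARC checks.
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{mech}={result}")

    # 4. Link labels that show one domain while the href leads to another.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for shown, real in find_link_mismatches(part.get_payload(decode=True).decode()):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

Run stand-alone, the constructed phishing sample yields six findings and the genuine one none. In practice the same signals are what a mail gateway or a user’s own scrutiny relies on: the display name and link text are what the reader sees, the address, Reply-To, authentication headers and href are what the message actually does.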

Finally, we must avoid the vulnerabilities arising from our own computer system:

  • Keep the software up to date. Updates contain security patches that protect us from vulnerabilities as they are identified.
  • Segment the network to minimize the effect of any attack and confine it to a single segment of our network.
  • Install a suitable antivirus, depending on the level of protection required for the information we keep.
  • Delete cookies on a daily basis, especially if we use other people’s devices, to avoid fraudulent tracking of our digital footprint, as well as to ensure that our data and passwords are not recorded on any page or USB that can be accessed by cybercriminals.
  • Create strong passwords and, if possible, enable two-factor authentication.

Isabel Navarrete Sánchez