
Best Practices for Preventing ATM Skimming

International minimum security guidelines and best practices

Produced by the ATM Industry Association Contributors Include:

FOR ATMIA MEMBERS USE ONLY Copyright Information


Copyright 2009 ATMIA, All Rights Reserved.


Should you wish to join ATMIA's Anti Skimming portal on www.atmia.com, e-mail Mike Lee, ATMIA's CEO, at mike@atmia.com

Disclaimer
The ATM Industry Association (ATMIA) publishes this best practice manual in furtherance of its non-profit and tax-exempt purposes to enhance protection of the ATM against skimming. ATMIA has taken reasonable measures to provide objective information and recommendations to the industry but cannot guarantee the accuracy, completeness, efficacy, timeliness or other aspects of this publication. ATMIA cannot ensure compliance with the laws or regulations of any country and does not represent that the information in this publication is consistent with any particular principles, standards, or guidance of any country or entity. There is no effort or intention to create standards for any business activities. These best practices are intended to be read as recommendations only and the responsibility rests with those wishing to implement them to ensure they do so after their own independent relevant risk assessments and in accordance with their own regulatory frameworks. Further, neither ATMIA nor its officers, directors, members, employees or agents shall be liable for any loss, damage or claim with respect to any activity or practice arising from any reading of this manual; all such liabilities, including direct, special, indirect or inconsequential damages, are expressly disclaimed. Information provided in this publication is "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement. The name and marks ATM Industry Association, ATMIA and related trademarks are the property of ATMIA.

Please note this manual contains security best practices and should not be left lying around or freely copied without due care for its distribution and safekeeping.


Copyright 2009 ATMIA FOR USE BY ATMIA MEMBERS ONLY | All Rights Reserved | www.atmia.com


Table of Contents
TABLE OF FIGURES 4
FOREWORD 5
EXECUTIVE SUMMARY 6
ACKNOWLEDGEMENTS 10
CHAPTER 1. INTRODUCTION 11
1.1. A Brief History of Skimming 12
1.2. What is Skimming? 12
1.3. Is Chip and PIN the Answer? 13
1.4. The Need for Greater Public Communication 14
1.5. A Call to Action 15
CHAPTER 2. CLASSIFICATION SYSTEM FOR ATM SKIMMING & PIN-COMPROMISE 16
2.1. ATM Skimming & PIN Compromise Classification 16
2.1.1. ATM Skimming Classification (ASK-) 16
2.1.2. ATM PIN-Compromise Classification (APC-) 21
2.2. Case Studies: Examples of ATM Skimming Devices 26
2.3. Codes for ASK and APC Syntax 29
CHAPTER 3. PCI GUIDELINES ON PREVENTING SKIMMING 33
3.1. What/Who is PCI? 33
3.2. The PCI Standards 33
3.3. How do the PCI Standards Address Skimming? 35
CHAPTER 4. BEST PRACTICES FOR PREVENTING CAPTURE OF MAGNETIC STRIPE DATA DURING ATM TRANSACTIONS 38
4.1. Protection of the Magnetic Stripe Data 38
4.2. Integration with IT Systems 39
4.3. Role of the Consumer in Fraud Prevention 40
4.4. Summary 40
CHAPTER 5. BEST PRACTICES FOR PREVENTING INTERCEPTION OF CUSTOMER PIN 42
5.1. PIN Security Overview 42
5.2. Educating the Customer 42
5.3. Manufacturing Changes for the EPP and Fascia 43
5.4. Advancement of Biometrics to Replace PIN 43
5.5. Summary of Best Practices for Protecting PINs 44
CHAPTER 6. FURTHER READING AND LINKS 45
6.1. Useful Reading 45
6.2. Standards Documentation 45
6.3. Relevant Links 46
CHAPTER 7. CHECKLIST OF RECOMMENDATIONS FOR PREVENTING SKIMMING 47
7.1. Summary of Recommendations 47
7.2. Checklist of Recommendations 48


Table of Figures
Figure 1. Card Entry Area Skimming Device suggested classification syntax summary 17
Figure 2. Internal skimming method summary 18
Figure 3. Remote and secondary near-proximity skimming technique summary 19
Figure 4. Attachment methods and common power source summary 19
Figure 5. Storage capability of ATM skimmers, communication and download summary 20
Figure 6. Activation and encryption summary 20
Figure 7. Feature, capacity & endurance summary 21
Figure 8. Common external PIN compromise method summary 23
Figure 9. Common internal PIN compromise method summary 23
Figure 10. Remote and secondary PIN-compromise device summary 23
Figure 11. Attachment methods and common power source summary 24
Figure 12. Storage, communications, and download summary 24
Figure 13. Activation and encryption summary 25
Figure 14. Additional PIN-compromise device feature summary 25
Figure 15. PCI standards overlap in payment transaction life cycle 37


Foreword
Today, skimming is one of the most widespread and organised crimes directed at the ATM, as well as at Point of Sale devices. The Anti Skimming Forum of ATMIA believes this manual will help to reinforce the ATM's Trusted Environment as well as the reputation of the ATM as a safe and convenient self-service banking device. It sets out international minimum security guidelines and best practices for preventing skimming at ATMs. To combat fraud, it is imperative that all ATM deployers in all regions and countries take best practices very seriously, and implement all guidelines and best practices contained herein to the greatest extent possible.

ATMIA Anti Skimming Forum, August 2009


Executive Summary
Please note that this Executive Summary cannot replace reading the whole manual. The summary is merely a guide as to the content and main principles of prevention of skimming at ATMs.
1. Recent indicators show sharp rises in incidents of skimming on an increasingly global scale.

2. ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.

3. Today, the number of different designs and the multitude of technologies used to create ATM skimming devices necessitate the development of an ATM skimming-classification system. The best defense may vary according to the type of device used for the skimming attack.

4. Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied by the covert capture of customer PIN data. Armed with this information the fraudsters will create dummy cards and raid the customer's account. Increasingly, card details captured through skimming at an ATM in one country will be used to commit fraud in another country.

5. UK Payments published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. Now, UK card information is being used to create counterfeit cards that are then used in other countries.

6. Fraud committed abroad using UK card information increased from 23.8 million in 2004 to 132.8 million in 2008. In particular, fraud committed in the US using data from UK issued cards has increased by 181 percent since 2005, totaling 31.7 million in 2008. A recent UK Payments publication notes that "As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."


7. Solutions for preventing the copying of magnetic stripe data at the ATM include devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine, solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information, and detectors that raise an alert when a foreign device is detected at or near the ATM card entry slot.

8. As the most used retail banking channel, for many the ATM represents the face of banking. Banks need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. It is important to communicate how chosen solutions to skimming work and any implications this will have for an ATM's appearance or performance.

9. Customers can lessen the potential impact of skimming by protecting their PIN, the front door key of their bank accounts, by covering the keypad with their free hand when entering the code.

10. Card skimming is an international problem and its prevention requires a consistent global approach.

11. The new international classification system for skimming devices includes card entry skimming devices, targeting specific types of card-activation interface such as Motorized, Swipe, Dip and Contactless; internal skimming devices (such as pre-head tap skimmers and malware capable of obtaining non-encrypted card data within the ATM system); remote & secondary near-proximity skimming devices, for example, hand-held machines and tapping equipment; as well as ancillary or support technology like attachment methods, power sources, card data storage methods (such as integrated memory chips, local SD data cards and MP3 recorders), integrated cameras (for PIN-compromise) and radio receivers, and activation methods like remote control.

12. ATM PIN-compromise devices in the classification system include external PIN-compromise devices (such as spy cameras, keyboard overlays and binoculars), internal PIN-compromise devices (such as electronic tapping equipment or malicious software), remote & secondary PIN-compromise devices (such as lobby door false keyboards), as well as ancillary or support technology like attachment and activation methods, power sources, and storage, communications & download capability (such as radio receivers).

13. Each of the current PCI standards, PCI PIN Transaction Security (PCI PTS), PCI Payment Application Data Security Standard (PCI PA DSS) and PCI Data Security Standard (PCI DSS), has material relevant to preventing skimming. The PCI PTS program is the program that addresses the issue of skimming most directly. Each of the standards designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card reader (ICCR) and the path from the magnetic stripe card reader (MSR). For details of specific requirements, see Chapter 3.


14. Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming. However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.

15. There are several methods to keep sensitive account information contained on the magstripe safe from fraudsters; the most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication as an alternate method for conducting secure transactions at the ATM.

16. Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices. Card readers can be equipped with some type of foreign object detection technology and can alert a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM. Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult for a foreign device to read the card data. Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective methods for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.

17. Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted. Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.

18. A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM. Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.

19. The consumer must be educated to be vigilant and inspect the ATM before using it. Consumers must also be educated on how to protect their PIN. Shielding the entry of the PIN with their hand and body is just one way a consumer can prevent someone from viewing it.


20. Information sharing of fraud-related activity with industry stakeholders can help to identify current threats and trends and facilitate deployment of the most effective fraud mitigation tactics. There is also an opportunity to influence regulatory requirements to support fraud prevention tactics, which will in turn help demonstrate the return on investment for security spend.

21. One of the weakest links in any ATM transaction is the entry of the customer PIN. The PIN in its current form is static and always four (or, in some countries, six) digits. Despite improvements in the security of the transmitted PIN and account data via 3DES, no significant improvements or best practices have emerged to protect the physical entry of the customer PIN at the ATM.

22. Investigation of new technologies is encouraged to create EPPs that incorporate a scramble methodology, changing the placement of the numbers at each transaction.

23. Biometrics offers a difficult-to-duplicate replacement for a static numerical PIN. As each fingerprint or retinal scan is unique, it is clearly more robust than a four-digit PIN. As it may be a costly enterprise, deployment of biometrics as a means to move away from the customer PIN may be several years away.

24. A multi-layered approach to preventing skimming is the best methodology, integrating customer education and vigilance about PINs, technological investigation, industry information-sharing, manufactured security solutions and compliance with security standards for protecting card data and PINs. Chip and PIN technology has a proven record in reducing skimming and is highly recommended worldwide by the ATM Industry Association.


Acknowledgements
The ATMIA is indebted to the contribution of the following industry experts in assembling these Anti Skimming Best Practices, in addition to all members of its Anti Skimming Forum:

Douglas Russell, Director, DFR Risk Management Ltd
Terrie Ipson, Marketing Manager, Diebold
Andrew Jamieson, Technical Manager, Witham Laboratories
Wynne Evans, Consultant, Wynne Evans Communications
Steve Weeks, Commercial Manager, ATM Parts Co
Jeffery Miller, Service Manager, Edge One Incorporated
George Athanasakis, Director, Australian Technology Management Pty Ltd
Mike Urban, Sr Director, Fraud Solutions, FICO
Cyndi Spencer, formatting editor


Chapter 1. Introduction
Skimming: A Current and Increasing Global Threat

Recent indicators show sharp rises in incidents of skimming on an increasingly global scale. In April 2009, EAST (European ATM Security Team) reported a 129 percent increase in card skimming incidents in 2008 over the previous year. A total of 10,302 cases were reported. Yet Europe is not alone. Skimming is occurring throughout the world, from Russia to the USA, from Australia to the Middle East, from South Africa to South America.

For example, a glance through the financial media for just one month, July 2009, reveals the growing nature of the international threat of card skimming at the ATM. In Las Vegas it was reported that there were 75 skimming attacks over a three-month period, compared to previous rates of 2-3 incidents a year. In Sydney, Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman stating that the devices used are becoming smaller, more sophisticated and capable of storing more data. In April it was reported that nine Romanian nationals had been arrested in relation to skimming attacks on Australian ATMs. In California it was also reported that skimmers and card duplicators could be bought from overseas sellers via the internet for a few thousand dollars.

It would appear that there is a global epidemic. Yet card skimming is not new. Early forms of skimming device, and indeed dummy ATMs installed in empty shop fronts, were used to capture card information in the nineties. What has changed is the scale and geographical spread of such attacks. What do we mean by card skimming at the ATM?


1.1. A Brief History of Skimming


Skimming started to gain momentum as a method of undermining plastic card-based systems in the mid to late 1980s. At that time, the most common modus operandi was for criminals to operate in retail premises: typically, the food and beverage industry and fuel (gas) stations. The devices used to copy the magnetic stripe, while large by today's standards, were often just small enough to be concealed in the perpetrator's clothing or hidden out of sight below the cash desk.

ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Prior to the first ATM skimming device being recovered, there had been various incidents globally, including one in which the logical and physical evidence pointed towards skimming as the most likely method of card-compromise. Analysis of the historical usage of cards (that were subsequently identified as being compromised) eventually narrowed down the likely CPC (common point of compromise) or CPP (common point of purchase) to a particular ATM. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.

Today, the volume of skimming incidents is considerable, as discussed in the previous section. There is also a considerable number of different designs and a multitude of technologies used to create skimming devices. So significant is the number that it has become increasingly important to create an ATM skimming-classification system. The purpose of the classification system is to ease communication within the industry and with law enforcement, and to globally standardize the recording of skimming crimes, as follows:

- Enables measurement of trends
- Provides country comparisons
- Highlights patterns and the migration of particular devices
- Aids the industry in deciding which anti-skimming initiatives and solutions are best suited as a defense against particular types of ATM skimming device

1.2. What is Skimming?


Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied by the covert capture of customer PIN data. Armed with this information, the fraudsters create dummy cards and raid the customer's account.


This raises a number of issues:

- What are the implications of the introduction of chip and PIN technology in some countries?
- What percentage of card skimming takes place at ATMs rather than at POS devices?
- What are the best ways to prevent this happening, and what are the implications for consumer behavior / confidence in the ATM network and indeed the banks?

When we talk of ATM fraud it is important to distinguish between the point of compromise (where the data is captured) and the location at which the actual fraud takes place. In the UK, for example, published figures for ATM fraud (where cash has been fraudulently withdrawn from an ATM) will normally involve stolen cards (and PIN details), ID theft where a legitimate card is used on a fraudulent account or, in some instances, cases where a card has been captured at the ATM by a criminal using a Lebanese-loop-style device. In the case of card skimming, though card details may be captured at an ATM in the UK, the dummy (counterfeit) card created using this information could well be used in another country. Indeed, recent developments mean this is more likely. From a consumer perspective, another feature of this counterfeit fraud is that consumers will frequently be unaware of the fraud until they receive a statement or a transaction is refused at a store or ATM due to insufficient funds.

1.3. Is Chip and PIN the answer?


UK Payments (formerly APACS) published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. However, such cards can be used at stores that haven't been upgraded to chip and PIN or at an overseas cash machine that hasn't been upgraded. What the UK has witnessed has been a classic migration of card fraud, whereby UK card information is being used to create counterfeit cards that are then used in other countries. Fraud committed abroad using UK card information increased from 23.8 million in 2004 to 132.8 million in 2008. It is interesting to note the countries where this fraud is occurring. Despite the geographic proximity of France, there has been a very significant reduction in such compromises since they rolled out the global chip and PIN system. In contrast, fraud on UK issued cards (and card details) in the United States has increased by 181 percent since 2005, totaling 31.7 million in 2008.


A recent UK Payments publication notes that "As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."

ATM manufacturers have introduced a number of solutions aimed at preventing or nullifying attempts to copy magnetic stripe information at the ATM. These have included devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine; solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information by making it impossible to get a reading; and detectors that send alerts, either direct to the branch or to an ATM monitoring system, when a foreign device is detected at or near the ATM card entry slot. A leading South African retail bank recently announced that it was using pepper spray technology: if cameras observe that someone is tampering with the ATM, another machine will eject pepper spray in order to disable the criminals until an armed response team arrives. The technology is currently being deployed at 11 high-risk sites.

1.4. The Need for Greater Public Communication


As the most used retail banking channel, for many the ATM represents the face of banking. Any attacks on a bank's ATM have the potential to undermine confidence in its network and brand. Indeed, so high profile is the ATM that adverse media comment regarding such attacks may also impact upon institutions not directly involved. This recognition that you are only as strong as the weakest link has forced banks in a number of countries to recognize that this is not a competitive issue and that the implications of card skimming go beyond immediate financial losses.

The presence of and potential for card skimming activities presents the banks with a number of communication challenges. The first is the need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. You want to let people know there is a problem, and you want them to look out for fraudulent devices, but at the same time you don't want to scare them off using the ATM. You also want them to understand that the situation is being addressed by the use of best-practice technology, and this too is something that requires clear communication.

It is important to communicate how the solution operates and any implications this will have for an ATM's appearance or performance. If a fraud prevention device is introduced it will need to be easily identifiable as such in order to increase confidence that the network is protected. There will be a need to educate customers and the media as to its appearance; otherwise there is a danger that people will believe that the fraud prevention device is itself something that has been attached by fraudsters. People will need to know how the prevention device will affect the appearance and operation of the ATM, as indeed will the police. Similarly, people will want to know whether a fraud prevention device will have implications for the speed of operation. ATM manufacturers have worked closely with deployers so that ATM performance is not impaired by the introduction of jitter solutions, and on customer education, in particular on the use of screen layouts to verify the appearance of devices that act as a deterrence protrusion.

It is important to encourage positive action. One thing people can do to lessen the potential impact of skimming is to do everything in their power to protect the PIN, including covering the keypad with their free hand when entering the code.

Card skimming at the ATM has become an international problem, with professional criminals operating globally. Wherever you are based, the threat is there and your customers' accounts are at risk. The introduction of chip and PIN does not necessarily change the point of compromise, since the lack of a globally introduced solution means all cards continue to carry magnetic stripe data for use in non-chip-compliant countries. What has happened is that the location of the actual fraud spend may change. Card account details captured in the UK can be used to withdraw funds in countries with weaker controls.

1.5. A Call to Action


The purpose of this guide is to address best practice in the area of ATM card skimming prevention. It will identify skimming types, consider guidelines on preventing skimming and the capture of magnetic stripe data during ATM transactions, and address issues such as cardholder identification and standards. For a criminal, possession of the card details is only part of the objective; they also want the means of identifying the cardholder, the PIN. It is therefore important that we consider how customers might best protect this information, but also consider alternative means of customer identification that are not so easily stolen or replicated. Biometric solutions are already applied in a small number of countries and can bring a new dimension to card security. A 2009 Harris Interactive Research Study reported that 67 percent of US ATM users would be likely to switch bank after an instance of ATM fraud or data breach. But the problem is that your clients' details can be compromised anywhere in the world where they are able to use the card. Card skimming is an international problem and its prevention requires a consistent global approach.


Chapter 2. Classification System for ATM Skimming & PIN-Compromise


The syntax used to classify the ATM skimming and PIN-compromise devices and techniques covered in this chapter is a string of alphanumeric designators separated by hyphens.

2.1. ATM Skimming & PIN Compromise Classification


The highest-level designator for ATM skimming is ASK and for PIN-compromise, APC. The second level includes characteristics such as the general type of device, the method used to attach it and its technical specification. For example, an ATM skimming device overlaying a Swipe reader and attached with double-sided adhesive tape is designated with the following syntax:

ASK-S1-AM1

In cases where further details are known about the device, such as its power source, data storage method, communications capability, and activation and encryption methods, the designation string is expanded. For example, if it is known that skimming device ASK-S1-AM1 has integrated rechargeable batteries, stores data on an SD data card, supports Bluetooth, is activated by a switch and encrypts the captured data using the Advanced Encryption Standard, the syntax string would be:

ASK-S1-AM1-PS2-ST3-CD4-AC1-EC2

2.1.1. ATM Skimming Classification (ASK-)


The structure of this section is as follows:
- Card Entry Area Skimming Devices (M, S, D, C)
- Internal Skimming Devices (IT, IS)
- Remote & Secondary Near-Proximity Skimming Devices (RS, RD, RH, RE)
- Attachment Methods (AM)
- Power Sources (PS)
- Storage, Communication & Download Capability (ST, CD)
- Activation Methods (AC)
- Encryption Methods (EC)
- Additional Features (FX)
- Capacity & Endurance (actual values used)

Card Entry Area Skimming Devices


ATM skimming devices are designed to target specific types of card-activation interface. The four most common card readers are Motorized, Swipe, Dip and Contactless readers. Motorized card readers are probably the most common type of reader used globally, although in the Americas and elsewhere Swipe and Dip readers are common.

Skimming devices suitable for targeting motorized readers have various characteristics. They are often designed to be attached directly to the card-entry slot, molded around the entry area or integrated within a false front covering a large area of the fascia. Additional designs include a modified anti-fraud device inhibitor, an overlay or sheath for an anti-fraud inhibitor and a miniature attachment to an anti-fraud inhibitor.

Swipe reader skimming devices commonly cover the entire genuine swipe reader, or are mounted above or below it (or to the right or left if it is horizontally mounted). They are also known to be integrated within a large false fascia front.

Dip reader skimming devices are attached directly to the entry slot, molded into an overlay covering the whole Dip reader, or integrated within a false front.

Contactless reader skimming devices include covers over the contact area.

Figure 1 below summarizes the types of Card Entry Area Skimming Devices and suggests appropriate classification syntax:
Motorized Readers
  M1  Directly to card-entry slot
  M2  Molded around entry area
  M3  False front covering larger area
  M4  Modified anti-fraud device inhibitor
  M5  Overlay of anti-fraud inhibitor
  M6  Attachment to anti-fraud inhibitor
  M0  Other

DIP Readers
  D1  Directly to card-entry slot
  D2  Molded overlay covering DIP reader
  D3  False front covering larger area
  D0  Other

Swipe Readers
  S1  Overlay covering swipe reader
  S2  Mounted below or left of swipe reader
  S3  Mounted above or right of swipe reader
  S4  False front covering larger area
  S0  Other

Contactless Readers
  C1  Overlay covering contactless reader
  C0  Other

Source: DFR Risk Management Ltd.

Figure 1. Card Entry Area Skimming Device suggested classification syntax summary


Internal Skimming Devices


A more sophisticated method of ATM skimming involves internal compromise of the ATM card reader module or the internal ATM system. Most motorized card readers have a magnetic flux detector known as the pre-head, which is located outside the card reader shutter and is intended to activate the shutter only when a magnetic card is presented to the card reader entry slot. The pre-head is, in most cases, an actual magnetic stripe read head. Pre-head tap skimmers connect to the pre-head contact terminals and use it to obtain the magnetic stripe data during card entry and card eject. With access to the actual card reader module, criminals are able to attach a read head tap skimmer directly to the terminals of the genuine magnetic stripe read head. Printed circuit board (PCB) parasites and internal data line taps added to the card reader's electronics skim the magnetic stripe data. Additional internal skimming attacks include compromise of the internal communication system which carries card data from the card reader module to the ATM's processor. Malicious software (malware / Trojan) is capable of obtaining non-encrypted card data within the ATM system. Figure 2 below summarizes internal skimming methods.
Internal Compromise of Card Reader
  IT1  Pre-head tap
  IT2  Read head tap
  IT3  Card reader PCB parasite
  IT4  Card reader data line tap
  IT0  Other

Internal Compromise of ATM System
  IS1  Internal communications tap
  IS2  Software / Malware / Trojan
  IS0  Other

Source: DFR Risk Management Ltd.

Figure 2. Internal skimming method summary

Remote & Secondary Near-Proximity Skimming Devices


This category covers ATM skimming devices in close proximity to the targeted ATM. Secondary Swipe and Dip readers are used to skim card data before the consumer uses their card to commence a transaction. Typical methods include Swipe or Dip readers attached to the access door of the ATM location (door-access skimmers), apparent card-cleaning devices, and devices purported to validate or activate cards prior to their use at an ATM. Variants include devices attached to the ATM surround and standalone terminals close beside the ATM. Hand-held skimming devices are used by criminals to copy consumers' cards while the criminal has temporary access to the card; the modus operandi includes distraction methods and pick-pocketing. Tapping external modems, telephone-line connectors and local communication hubs are additional methods used to obtain card data in close proximity to an ATM.


Figure 3 summarizes remote and secondary near-proximity skimming techniques.


Secondary Swipe Devices
  RS1  Door-access skimmer
  RS2  Card-cleaning device
  RS3  Card activation / validation device
  RS4  Stand-alone terminal
  RS0  Other

Secondary DIP Devices
  RD1  Door-access skimmer
  RD2  Card-cleaning device
  RD3  Card activation / validation device
  RD4  Stand-alone terminal
  RD0  Other

Hand-held Skimming Device
  RH1  Pocket-sized skimmer
  RH0  Other

External Modem / Communications Hub
  RE1  Modem tap
  RE2  Telephone-exchange tap
  RE3  Communication-hub tap
  RE4  Wi-Fi intercept
  RE0  Other

Source: DFR Risk Management Ltd.

Figure 3. Remote and secondary near-proximity skimming technique summary

Attachment Methods and Power Sources


Double-sided adhesive tape is a common method of attaching many external ATM skimming devices, as is glue or liquid adhesive. Physically attaching skimming devices is also achieved by screwing, bolting and welding (fusing) devices to the ATM fascia. Molded overlay skimmers often rely on friction to remain attached to the ATM card reader. ATM skimming devices are powered by various means, including integrated rechargeable and non-rechargeable batteries, separate battery packs, power taps from the ATM itself, as well as other continuous power sources. Figure 4 summarizes attachment methods and common power sources.
Attachment Method
  AM1  Adhesive tape
  AM2  Glue
  AM3  Screw / bolt
  AM4  Friction fit
  AM5  Weld / fuse

Power Source
  PS1  Integrated non-rechargeable batteries
  PS2  Integrated rechargeable batteries
  PS3  Separate battery pack
  PS4  From ATM power
  PS5  From other constant power source

Source: DFR Risk Management Ltd.

Figure 4. Attachment methods and common power source summary

Storage, Communication and Download Capabilities


ATM skimming devices utilize a number of card data storage methods from integrated memory chips to local SD data cards and MP3 recorders. Some, however, have no local storage capability. Data is downloaded from skimming devices using integrated sockets (such as USB), analogue radio transmitters and digital communications protocols such as Bluetooth, Wi-Fi, SMS, among others.

Figure 5 summarizes the storage capability of ATM skimmers and the various communication and download technologies.
Storage
  ST1  None
  ST2  Local integrated chip
  ST3  Local data / SD card
  ST4  MP3 / MP4 (or equivalent) recorder
  ST5  Cell phone storage
  ST0  Other

Communication & Download
  CD1  None
  CD2  Socket / USB
  CD3  Analogue RF
  CD4  Bluetooth
  CD5  Wi-Fi (802.11)
  CD6  SMS / MMS / Text
  CD7  GSM / Data
  CD8  Digital RF (non-specific)
  CD0  Other

Source: DFR Risk Management Ltd.

Figure 5. Storage capability of ATM skimmers, communication and download summary

Activation and Encryption


ATM skimming devices are limited to how long they can remain unserviced, based upon various parameters including whether they are powered continuously or only activated when required. Activation methods include proximity-detection, remote control and card-initiated. The ability to interrogate a skimmer, once recovered, might be inhibited by the use of encryption. One of the most popular designs of skimming device supports Advanced Encryption Standard (AES) protection which makes analysis of card data actually compromised by the skimmer very difficult. Figure 6 summarizes activation and encryption.
Activation
  AC1  Always on (switched)
  AC2  Proximity detector
  AC3  Remote control
  AC4  Card activated
  AC0  Other

Encryption
  EC1  None
  EC2  AES
  EC0  Other

Source: DFR Risk Management Ltd.

Figure 6. Activation and encryption summary

Additional Features, Capacity and Endurance


Some ATM skimmers have additional features such as integrated cameras (for PIN-compromise), a radio receiver to receive PIN data from a PIN-compromise device and motorized transports to provide a smooth consumer interface. Electromagnetic screening is used in an attempt to defeat anti-skimming devices that disrupt the skimmer's ability to record card data.


The maximum endurance from the power source, and the maximum number of cards whose data can be captured, are important characteristics of ATM skimming devices. Figure 7 provides a reminder of some additional features of ATM skimming devices and the important statistics of endurance and capacity.
Features
  FX1  Integrated camera
  FX2  Receiver for PIN-compromise device
  FX3  Screened for anti-skimming interference
  FX4  Motorized card transport
  FX0  Other

Capacity & Endurance (actual values used)
  Maximum endurance from power supply
  Maximum number of cards' data stored

Source: DFR Risk Management Ltd.

Figure 7. Feature, capacity & endurance summary

2.1.2. ATM PIN-Compromise Classification (APC-)


The structure of this section is as follows:
- External PIN-Compromise Devices (SC, TC, KB, SV)
- Internal PIN-Compromise Devices (IP, IS)
- Remote & Secondary PIN-Compromise Devices (RC, RK)
- Attachment Methods (AM)
- Power Sources (PS)
- Storage, Communications & Download Capability (ST, CD)
- Activation (AC)
- Encryption (EC)
- Additional Features (FP)
- Capacity and Endurance (actual values used)

External PIN-Compromise Devices


There are three primary methods of obtaining the PIN at, but external to, an ATM. The first method involves the use of different types of cameras. Spy cameras have the specific and limited purpose of covert filming. Cell phone cameras are often adapted and disguised for covert filming, as are compact digital and analogue video cameras. The positioning of the camera is restricted in that line-of-sight with the ATM keyboard is required to ensure accurate observation of the PIN being entered. Some locations are more favored than others, as interference from objects, including the victim's person, has an impact on the percentage of PINs successfully compromised.


One of the most favored locations for many models of ATM is the light panel or light diffuser, which is often directly above the ATM keyboard. False panels are also used to disguise cameras and may be positioned above, left or right of the ATM keyboard. In environments where it is common to have advertising leaflet boxes in close proximity to the ATM, they are modified to conceal one or more cameras. Other additions to the ATM which are utilized to disguise cameras include safety or rear-view mirrors. Where ATMs are installed with a canopy to provide shelter from sunlight and rain, cameras are often hidden in the canopy. Some ATM skimming devices are packaged with an integrated camera.

The second method of PIN-compromise is fake keyboards and keyboard overlays. Often these devices still allow the genuine keyboard to be activated when the PIN is entered on the PIN-compromise device. Sizes of device vary from an almost exact size-match with the genuine keyboard, through a full fake-keyboard shelf, to a false front covering a large area of the ATM fascia.

The third method involves a less technical approach and can be characterized as personal or human surveillance. Covert shoulder-surfing, in which the perpetrator looks over the shoulder of the victim as they enter their PIN, is one of the most popular personal surveillance techniques. Shoulder-surfing may also be more overt and includes the perpetrator pretending to be helpful to the victim (the helpful stranger approach). Long-range lenses, including telescopes and binoculars, are also used to observe PIN entry, as are strategically positioned mirrors and the exploitation of particular angles which allow the reflection of the keyboard to be observed. Even differently colored dust is used to compromise PINs. Figure 8 summarizes common external PIN-compromise methods.
Camera Location & Packaging
  SC1  In light diffuser / light panel
  SC2  In leaflet box
  SC3  In false panel above PIN pad
  SC4  In false panel right of PIN pad
  SC5  In false panel left of PIN pad
  SC6  In safety mirror
  SC7  In sun / rain canopy
  SC8  Integrated with skimmer
  SC0  Other

Keyboard
  KB1  Exact-size keyboard overlay
  KB2  Shelf / full-panel keyboard overlay
  KB3  False-front covering larger area
  KB0  Other

Camera Type
  TC1  Spy camera
  TC2  Cell phone camera
  TC3  Video camera
  TC0  Other

Surveillance
  SV1  Shoulder surfing - covert
  SV2  Shoulder surfing - assist victim
  SV3  Long-range lens / telescope
  SV4  Mirror
  SV5  Colored dust
  SV6  Advertising panel reflection
  SV0  Other

Source: DFR Risk Management Ltd.

Figure 8. Common external PIN compromise method summary

Internal PIN-Compromise Devices


Technically-expert PIN-compromise perpetrators, with access to the internals of the targeted ATM, can add an electronic tap or parasite device to the interior of the ATM keyboard, tap (and, if required, reposition) the integrated ATM security camera, compromise the internal communications of the ATM and introduce or modify software (Malware / Trojans). Figure 9 summarizes methods of internal PIN-compromise.
Internal Compromise of Modules
  IP1  ATM integrated security camera tap
  IP2  Internal keyboard tap
  IP0  Other

Internal Compromise of ATM System
  IS1  Internal communications tap
  IS2  Software / Malware / Trojan
  IS0  Other

Source: DFR Risk Management Ltd.

Figure 9. Common internal PIN compromise method summary

Remote & Secondary PIN-Compromise Devices


Remotely positioned spy cameras are occasionally used to observe PIN entry, as are genuine CCTV security cameras, which either have their video feed intercepted or are exploited by someone with access to the monitoring station. Keyboards positioned at the entry door to the ATM location and the installation of fake PIN activation or validation terminals are further methods of obtaining the PIN. Figure 10 summarizes remote and secondary PIN-compromise devices.
Remote Cameras
  RC1  ATM location CCTV
  RC2  ATM location spy camera
  RC0  Other

Remote Keyboards
  RK1  Door-entry keyboard
  RK2  PIN-activation / validation keyboard
  RK3  Stand-alone terminal
  RK0  Other

Source: DFR Risk Management Ltd.

Figure 10. Remote and secondary PIN-compromise device summary


Attachment Methods and Power Sources


In a similar way to ATM skimming devices, the attachment methods for PIN-compromise devices include double-sided adhesive tape, glue or liquid adhesive, screwing, bolting, welding (fusing) and friction. ATM PIN-compromise devices are powered by various means, including integrated rechargeable and non-rechargeable batteries, separate battery packs, power taps from the ATM itself, as well as other continuous power sources. Figure 11 summarizes attachment methods and common power sources.
Attachment Method
  AM1  Adhesive tape
  AM2  Glue
  AM3  Screw / bolt
  AM4  Friction fit
  AM5  Weld / fuse
  AM0  Other

Power Source
  PS1  Integrated non-rechargeable batteries
  PS2  Integrated rechargeable batteries
  PS3  Separate battery pack
  PS4  From ATM power
  PS5  From other constant power source
  PS0  Other

Source: DFR Risk Management Ltd.

Figure 11. Attachment methods and common power source summary

Storage, Communication and Download Capabilities


ATM PIN-compromise devices utilize a number of card-data storage methods from integrated memory chips to local SD data cards and MP3 and MP4 recorders. Some, however, have no local storage capability. Data is downloaded from PIN-compromise devices using integrated sockets (such as USB), analogue radio transmitters and digital communications protocols such as Bluetooth, Wi-Fi, SMS, among others. Figure 12 summarizes the storage capability of PIN-compromise devices and the various communication and download capabilities.
Storage
  ST1  None
  ST2  Local integrated chip
  ST3  Local data / SD card
  ST4  MP3 / MP4 or equivalent recorder
  ST5  Cell phone camera storage
  ST0  Other

Communications & Download
  CD1  None
  CD2  Socket / USB
  CD3  Analogue RF
  CD4  Bluetooth
  CD5  Wi-Fi (802.11)
  CD6  SMS / MMS / Text
  CD7  GSM / Data
  CD8  Digital RF (non-specific)
  CD0  Other

Source: DFR Risk Management Ltd.

Figure 12. Storage, communications, and download summary


Activation and Encryption


As with ATM skimming devices, PIN-compromise devices are limited to how long they can remain unserviced, based upon various parameters including whether they are powered continuously or only activated when required. Activation methods include proximity-detection, remote control and transaction-initiated. The ability to interrogate a PIN-compromise device, once recovered, might be inhibited by the use of encryption. Standards supported include the Advanced Encryption Standard (AES) protection which makes analysis of PIN data very difficult. Figure 13 summarizes activation and encryption.
Activation
  AC1  Always on (switched)
  AC2  Proximity detector
  AC3  Remote control
  AC4  Card / transaction activated
  AC0  Other

Encryption
  EC1  None
  EC2  AES
  EC3  DES
  EC4  3DES
  EC0  Other

Source: DFR Risk Management Ltd.

Figure 13. Activation and encryption summary

Additional Features, Capacity, and Endurance


Some PIN-compromise devices have additional features such as integrated skimmers and a radio receiver to receive card data from a skimming device. The maximum endurance from the power source, and the maximum number of PINs that can be captured, are important characteristics of ATM PIN-compromise devices. Figure 14 provides a reminder of some additional features of PIN-compromise devices and the important statistics of endurance and capacity.
Features
  FP1  Integrated skimmer
  FP2  Receiver for skimming device
  FP0  Other

Capacity & Endurance (actual values used)
  Maximum endurance from power supply
  Maximum number of PINs stored
  Other

Source: DFR Risk Management Ltd.

Figure 14. Additional PIN-compromise device feature summary


2.2. Case Studies: Examples of ATM Skimming Devices


Example 1: Sofia Skimmer
The Sofia skimmer is a sophisticated and miniaturized device which originates from Bulgaria, and is the most common type of ATM skimming device favored by Eastern European organized crime. Some models of Sofia skimmer store the card data locally in an encrypted format which makes analysis all but impossible for most forensic labs. Other models utilize a miniature analogue RF transmitter modeled on a bug or listening device.

ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0

The above example of Sofia skimmer has the following identified characteristics:
- Targeted at Motorized card readers and fitted directly to the card entry slot (ASK-M1)
- Attached with adhesive tape (AM1)
- Powered by integrated non-rechargeable batteries (PS1)
- Integrated chip used for local storage (ST2)
- Miniature sockets used to connect for download of data (CD2)
- Activated (switched on) using a switch (AC1)
- Non-standard encryption used to protect from interrogation (EC0)

Example 2: Skimmer Covering Receipt Slot


To facilitate the ability to disguise larger devices and separate power supplies, it is common for the skimmer to not only cover the card entry slot, but also larger areas of the fascia. In this example, the skimmer covers the receipt slot.

ASK-M3-AM1-PS3-ST1-CD3-AC1-EC1

The above example has the following known characteristics:
- Targeted at Motorized card readers, packaged into a false front covering a larger area (ASK-M3)
- Attached with adhesive tape (AM1)
- Powered by separate battery pack (PS3)
- No identified local storage (ST1)
- Transmits card data using analogue RF transmitter (CD3)
- Activated by a switch (AC1)
- No encryption (EC1)


Example 3: False keyboard and shelf


This example of a false keyboard integrated into a false shelf allows space to conceal power and cell phone electronics.

APC-KB2-AM1-PS3-CD7

The above example has the following known characteristics:
- False keyboard integrated into full shelf (APC-KB2)
- Attached with adhesive tape (AM1)
- Separate battery pack (PS3)
- GSM cell phone used to transmit PIN data (CD7)

Example 4: RF Pin-hole Spy Camera Above Keyboard


This is an example of an analogue RF spy camera attached above an ATM keyboard:

APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1

The above example has the following known characteristics:
- Camera in panel above keyboard (APC-SC3)
- Spy camera (TC1)
- Attached with adhesive tape (AM1)
- Separate battery pack (PS3)
- No local storage (ST1)
- Sends image of PIN entry via analogue RF transmitter (CD3)
- Activated by switch (AC1)


Example 5: Skimmer Molded Around Card-entry Slot


This is an example of a skimmer that is molded to fit around the entry slot:

ASK-M2

Details available about the above example are limited, hence the short designator string.

Example 6: Dip Skimmer Molded to Cover Genuine DIP Reader

ASK-D2-AM1-ST2-PS3-CD2

The above example has the following known characteristics:
- Targeted at Dip readers and designed to cover the genuine reader (ASK-D2)
- Attached with adhesive tape (AM1)
- Local storage of data on the board (ST2)
- Separate battery pack within skimmer case (PS3)
- Sockets for download of data (CD2)


2.3. Codes for ASK and APC Syntax


The following table lists the ASK and APC syntax codes.
Code   Type                                  Method
AC1    Activation                            Always on (switched)
AC2    Activation                            Proximity detector
AC3    Activation                            Remote control
AC4    Activation                            Card / transaction activated
AC0    Activation                            Other
AM1    Attachment Method                     Adhesive tape
AM2    Attachment Method                     Glue
AM3    Attachment Method                     Screw / Bolt
AM4    Attachment Method                     Friction fit
AM5    Attachment Method                     Weld / Fuse
AM0    Attachment Method                     Other
C1     Contactless Readers                   Overlay covering contactless reader
C0     Contactless Readers                   Other
CD1    Communications & Download             None
CD2    Communications & Download             Socket / USB
CD3    Communications & Download             Analogue RF
CD4    Communications & Download             Bluetooth
CD5    Communications & Download             Wi-Fi (802.11)
CD6    Communications & Download             SMS / MMS / Text
CD7    Communications & Download             GSM / Data
CD8    Communications & Download             Digital RF (non specific)
CD0    Communications & Download             Other
D1     DIP Readers                           Directly to card entry slot
D2     DIP Readers                           Molded overlay covering DIP reader
D3     DIP Readers                           False front covering larger area
D0     DIP Readers                           Other
EC1    Encryption                            None
EC2    Encryption                            AES
EC3    Encryption                            DES
EC4    Encryption                            3DES
EC0    Encryption                            Other
FP1    Features (APC)                        Integrated skimmer
FP2    Features (APC)                        Receiver for skimming device
FP0    Features (APC)                        Other
FX1    Features (ASK)                        Integrated camera
FX2    Features (ASK)                        Receiver for PIN compromise device
FX3    Features (ASK)                        Screened for anti-skimming interference
FX4    Features (ASK)                        Motorized card transport
FX0    Features (ASK)                        Other
IP1    Internal Compromise of Modules (APC)  ATM integrated security camera tap
IP2    Internal Compromise of Modules (APC)  Internal keyboard tap
IP0    Internal Compromise of Modules (APC)  Other
IS1    Internal Compromise of ATM System     Internal communications tap
IS2    Internal Compromise of ATM System     Software / Malware / Trojan
IS0    Internal Compromise of ATM System     Other
IT1    Internal Compromise of Card Reader    Pre-head tap
IT2    Internal Compromise of Card Reader    Read head tap
IT3    Internal Compromise of Card Reader    Card reader PCB parasite
IT4    Internal Compromise of Card Reader    Card reader data line tap
IT0    Internal Compromise of Card Reader    Other
KB1    Keyboard                              Exact-size keyboard overlay
KB2    Keyboard                              Shelf / full-panel keyboard overlay
KB3    Keyboard                              False-front covering larger area
KB0    Keyboard                              Other
M1     Motorized Readers                     Directly to card entry slot
M2     Motorized Readers                     Molded around entry area
M3     Motorized Readers                     False front covering larger area
M4     Motorized Readers                     Modified anti-fraud device inhibitor
M5     Motorized Readers                     Overlay of anti-fraud inhibitor
M6     Motorized Readers                     Attachment to anti-fraud inhibitor
M0     Motorized Readers                     Other
PS1    Power Source                          Integrated non-rechargeable batteries
PS2    Power Source                          Integrated rechargeable batteries
PS3    Power Source                          Separate battery pack
PS4    Power Source                          From ATM power
PS5    Power Source                          From other constant power source
PS0    Power Source                          Other
RC1    Remote Cameras                        ATM location CCTV
RC2    Remote Cameras                        ATM location spy camera
RC0    Remote Cameras                        Other
RD1    Secondary DIP devices                 Door-access skimmer
RD2    Secondary DIP devices                 Card cleaning device
RD3    Secondary DIP devices                 Card activation / validation device
RD4    Secondary DIP devices                 Stand alone terminal
RD0    Secondary DIP devices                 Other
RE1    External modem / communications hub   Modem tap
RE2    External modem / communications hub   Telephone exchange tap
RE3    External modem / communications hub   Communication hub tap
RE4    External modem / communications hub   Wi-Fi intercept
RE0    External modem / communications hub   Other
RH1    Hand-held skimming device             Pocket sized skimmer
RH0    Hand-held skimming device             Other
RK1    Remote Keyboards                      Door-entry keyboard
RK2    Remote Keyboards                      PIN-activation / validation keyboard
RK3    Remote Keyboards                      Stand-alone terminal
RK0    Remote Keyboards                      Other
RS1    Secondary swipe devices               Door-access skimmer
RS2    Secondary swipe devices               Card cleaning device
RS3    Secondary swipe devices               Card activation / validation device
RS4    Secondary swipe devices               Stand alone terminal
RS0    Secondary swipe devices               Other
S1     Swipe Readers                         Overlay covering swipe reader
S2     Swipe Readers                         Mounted below or left of swipe reader
S3     Swipe Readers                         Mounted above or right of swipe reader
S4     Swipe Readers                         False front covering larger area
S0     Swipe Readers                         Other
SC1    Camera Location & Packaging           In light diffuser / light panel
SC2    Camera Location & Packaging           In leaflet box
SC3    Camera Location & Packaging           In false panel above PIN pad
SC4    Camera Location & Packaging           In false panel right of PIN pad
SC5    Camera Location & Packaging           In false panel left of PIN pad
SC6    Camera Location & Packaging           In safety mirror
SC7    Camera Location & Packaging           In sun / rain canopy
SC8    Camera Location & Packaging           Integrated with skimmer
SC0    Camera Location & Packaging           Other
ST1    Storage                               None
ST2    Storage                               Local integrated chip
ST3    Storage                               Local data / SD card
ST4    Storage                               MP3 / MP4 (or equivalent) recorder
ST5    Storage                               Cell phone storage
ST0    Storage                               Other
SV1    Surveillance                          Shoulder surfing - covert
SV2    Surveillance                          Shoulder surfing - assist victim
SV3    Surveillance                          Long-range lens / telescope
SV4    Surveillance                          Mirror
SV5    Surveillance                          Colored dust
SV6    Surveillance                          Advertising panel reflection
SV0    Surveillance                          Other
TC1    Camera Type                           Spy camera
TC2    Camera Type                           Cell phone camera
TC3    Camera Type                           Video camera
TC0    Camera Type                           Other
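The designator strings walked through in the case studies of 2.2 can be parsed and decoded mechanically against this code table, which is useful when device reports from several deployers have to be collated and checked for consistency. The following Python module is an added example written for this page, not ATMIA's or DFR Risk Management's own code; it assumes the code tables as transcribed here (ST2-ST4 taken from Figure 5, EC3/EC4 and RK3 from the table above), that code 0 always means Other, and that the first segment after ASK or APC is the device type.

```python
import re
from typing import Dict, List, Optional, Tuple

# Code tables transcribed from Figures 1-14 and Section 2.3: list index + 1 is the
# code number, and code 0 always means "Other" (ST2-ST4 taken from Figure 5).
CODE_TABLES: Dict[str, Tuple[str, List[str]]] = {
    # ASK device types (Figures 1-3)
    "M": ("Motorized Readers", ["Directly to card-entry slot", "Molded around entry area", "False front covering larger area",
          "Modified anti-fraud device inhibitor", "Overlay of anti-fraud inhibitor", "Attachment to anti-fraud inhibitor"]),
    "D": ("DIP Readers", ["Directly to card-entry slot", "Molded overlay covering DIP reader", "False front covering larger area"]),
    "S": ("Swipe Readers", ["Overlay covering swipe reader", "Mounted below or left of swipe reader",
          "Mounted above or right of swipe reader", "False front covering larger area"]),
    "C": ("Contactless Readers", ["Overlay covering contactless reader"]),
    "IT": ("Internal Compromise of Card Reader", ["Pre-head tap", "Read head tap", "Card reader PCB parasite", "Card reader data line tap"]),
    "IS": ("Internal Compromise of ATM System", ["Internal communications tap", "Software / Malware / Trojan"]),
    "RS": ("Secondary Swipe Devices", ["Door-access skimmer", "Card-cleaning device", "Card activation / validation device", "Stand-alone terminal"]),
    "RD": ("Secondary DIP Devices", ["Door-access skimmer", "Card-cleaning device", "Card activation / validation device", "Stand-alone terminal"]),
    "RH": ("Hand-held Skimming Device", ["Pocket-sized skimmer"]),
    "RE": ("External Modem / Communications Hub", ["Modem tap", "Telephone-exchange tap", "Communication-hub tap", "Wi-Fi intercept"]),
    # APC device types (Figures 8-10)
    "SC": ("Camera Location & Packaging", ["In light diffuser / light panel", "In leaflet box", "In false panel above PIN pad",
           "In false panel right of PIN pad", "In false panel left of PIN pad", "In safety mirror", "In sun / rain canopy", "Integrated with skimmer"]),
    "TC": ("Camera Type", ["Spy camera", "Cell phone camera", "Video camera"]),
    "KB": ("Keyboard", ["Exact-size keyboard overlay", "Shelf / full-panel keyboard overlay", "False-front covering larger area"]),
    "SV": ("Surveillance", ["Shoulder surfing - covert", "Shoulder surfing - assist victim", "Long-range lens / telescope", "Mirror",
           "Colored dust", "Advertising panel reflection"]),
    "IP": ("Internal Compromise of Modules", ["ATM integrated security camera tap", "Internal keyboard tap"]),
    "RC": ("Remote Cameras", ["ATM location CCTV", "ATM location spy camera"]),
    "RK": ("Remote Keyboards", ["Door-entry keyboard", "PIN-activation / validation keyboard", "Stand-alone terminal"]),
    # Attribute codes shared by both families (Figures 4-7 and 11-14)
    "AM": ("Attachment Method", ["Adhesive tape", "Glue", "Screw / bolt", "Friction fit", "Weld / fuse"]),
    "PS": ("Power Source", ["Integrated non-rechargeable batteries", "Integrated rechargeable batteries", "Separate battery pack",
           "From ATM power", "From other constant power source"]),
    "ST": ("Storage", ["None", "Local integrated chip", "Local data / SD card", "MP3 / MP4 (or equivalent) recorder", "Cell phone storage"]),
    "CD": ("Communications & Download", ["None", "Socket / USB", "Analogue RF", "Bluetooth", "Wi-Fi (802.11)", "SMS / MMS / Text",
           "GSM / Data", "Digital RF (non-specific)"]),
    "AC": ("Activation", ["Always on (switched)", "Proximity detector", "Remote control", "Card / transaction activated"]),
    "EC": ("Encryption", ["None", "AES", "DES", "3DES"]),
    "FX": ("Features (ASK)", ["Integrated camera", "Receiver for PIN-compromise device", "Screened for anti-skimming interference",
           "Motorized card transport"]),
    "FP": ("Features (APC)", ["Integrated skimmer", "Receiver for skimming device"]),
}
# First segment after the family is the device type; IS is shared by ASK and APC.
DEVICE_CATEGORIES = {"ASK": {"M", "D", "S", "C", "IT", "IS", "RS", "RD", "RH", "RE"},
                     "APC": {"SC", "TC", "KB", "SV", "IP", "IS", "RC", "RK"}}
ATTRIBUTE_CATEGORIES = {"ASK": {"AM", "PS", "ST", "CD", "AC", "EC", "FX"},
                        "APC": {"AM", "PS", "ST", "CD", "AC", "EC", "FP"}}
SEGMENT_RE = re.compile(r"^([A-Z]{1,2})([0-9])$")  # category letters plus one digit


class DesignatorError(ValueError):
    """Malformed or internally inconsistent designator string."""


def parse_designator(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (family, {category: code}) for a string such as ASK-S1-AM1-PS2-ST3-CD4-AC1-EC2."""
    parts = text.strip().upper().split("-")
    family = parts[0]
    if family not in DEVICE_CATEGORIES or len(parts) < 2:
        raise DesignatorError("expected ASK or APC followed by at least a device-type code")
    codes: Dict[str, int] = {}
    for position, segment in enumerate(parts[1:]):
        match = SEGMENT_RE.match(segment)
        if not match:
            raise DesignatorError(f"malformed segment {segment!r}")
        category, number = match.group(1), int(match.group(2))
        if category not in (DEVICE_CATEGORIES[family] | ATTRIBUTE_CATEGORIES[family]):
            raise DesignatorError(f"category {category} is not used under {family}")
        if position == 0 and category not in DEVICE_CATEGORIES[family]:
            raise DesignatorError(f"first segment {segment} must be a device type")
        if number > len(CODE_TABLES[category][1]):
            raise DesignatorError(f"{segment} is not defined in the code table")
        if category in codes:
            raise DesignatorError(f"category {category} given twice")
        codes[category] = number
    return family, codes


def describe(text: str) -> List[Tuple[str, str, str]]:
    """Expand a designator into (code, category name, method) rows, as in the case studies."""
    rows = []
    for category, number in parse_designator(text)[1].items():
        name, methods = CODE_TABLES[category]
        rows.append((f"{category}{number}", name, "Other" if number == 0 else methods[number - 1]))
    return rows


def validation_error(text: str) -> Optional[str]:
    """None when text is a well-formed designator, otherwise the problem found."""
    try:
        parse_designator(text)
    except DesignatorError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for sample in ("ASK-S1-AM1-PS2-ST3-CD4-AC1-EC2", "APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1"):
        print(sample, *(f"\n  {c:<4}{n:<36}{m}" for c, n, m in describe(sample)))
    print(validation_error("APC-SC3-FX1"))  # FX features exist only under ASK
```

Example 6 above (ASK-D2-AM1-ST2-PS3-CD2) shows that the attribute segments are not written in a fixed order, so the parser accepts any order and only insists that the device type comes first and that no category repeats.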


Chapter 3. PCI Guidelines on Preventing Skimming


3.1. What/Who is PCI?
The Payment Card Industry Security Standards Council (PCI SSC) is an independent standards body formed by five of the major card brands (Visa, MasterCard, JCB, American Express, and Discover). This council was formed to create, maintain, and manage the standards that govern the security of payment card transactions. PCI SSC does not set mandates for compliance with the standards that it maintains; it only manages the process for issuing, maintaining, and updating them. It is up to the individual card brands that formed the PCI SSC to issue mandates on how, when, and by whom compliance with the PCI standards must be met.

3.2. The PCI Standards


At the time of writing, PCI SSC manages three different standards:
- PCI PIN Transaction Security (PCI PTS)
- PCI Payment Application Data Security Standard (PCI PA DSS)
- PCI Data Security Standard (PCI DSS)

In addition to these standards, a PCI PIN audit security program also exists, but this is currently maintained independently by Visa and MasterCard, not by PCI SSC (although this is expected to change within the next few years). These different standards address different aspects of the payment process.

PCI PTS
PCI PTS is actually a series of standards that address the security of the hardware and firmware into which customer PINs are entered and encrypted during a transaction.


At the time of writing, the following standards exist under the PCI PTS program:
- PCI POS PED addresses the security of PIN Entry Devices (PEDs) that are operated within an attended, shop-style environment.
- PCI EPP covers the security of Encrypting PIN Pads (EPPs) that are used to enter and encrypt PINs within larger, generally unattended, devices such as ATMs, ticketing machines, fuel dispensers, etc.
- PCI UPT covers the overall security of such larger unattended devices as those noted above, with the exception of ATMs.
- PCI ATM covers the security of unattended devices that provide for the withdrawal or deposit of cash. At the time of writing, this standard is under development and has not yet been published.
- PCI HSM addresses the security of Hardware Security Modules (HSMs) that are used to generate, re-encrypt (or translate), or verify customer PINs, or to manage the keys used in PIN Entry Devices which encrypt customer PINs directly.

PCI PA DSS
PCI PA DSS provides a set of security requirements for software that is involved in the authorization or settlement of payment transactions. This standard was created to ensure that such software does not prevent any company implementing it from being compliant with the PCI DSS requirements. The scope of PA DSS can include the application software used in payment devices such as ATMs and PIN Entry Devices.

PCI DSS
PCI DSS is an umbrella standard that essentially covers any areas which are not directly covered by the other PCI standards. Any system that stores, processes, or transmits payment card data is in scope of the PCI DSS requirements. This standard provides a set of best practice guidelines for how any system and business that handles payment card data should provide security to this data.

PCI PIN
Finally, the PCI PIN standard is an audit program that confirms the key management practices for cryptographic keys that are used to encrypt customer PIN data.


3.3. How Do the PCI Standards Address Skimming?


As the various PCI standards cover different aspects of payment transactions, they each assist in preventing skimming in different ways. The PCI PTS program is the one that addresses the issue of skimming most directly. Each of the standards designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card reader (ICCR) and the path from the magnetic stripe card reader (MSR). Specifically, the PCI PTS requirements for Unattended Payment Terminals (PCI UPT) include the following requirement:
DTR A11 It is not feasible to penetrate the UPT to make any additions, substitutions, or modifications to the Magnetic-Stripe Reader or the UPT's hardware or software, in order to determine (e.g., skimming attacks must be prevented) or modify magnetic-stripe track data, without requiring an attack potential of at least 14 per UPT, for identification and initial exploitation, as defined in Appendix B.
Source: PCI UPT DTRs v1.0, April 2009, page 15

Similar requirements exist in the PCI POS PED and PCI ATM standards. The above requirement is further clarified with the following statements:
Countermeasures include, for instance, active detection of skimmers, active disturbance of the skimming process, or notice to the cardholder on what the reader should look like. The protection of the reader may consist of resistance of the UPT cabinet/the reader enclosure against manipulation. Skimming attacks to recover payment card data may occur via either the attachment of external devices or attacking other areas (hardware or software) of the UPT. Both must be considered for this requirement. Access to the inside of the UPT for routine maintenance (e.g., replenishing paper) shall not allow access to clear-text account data, e.g., by making cabling which transmits the data physically inaccessible to routine maintenance personnel or encrypting the sensitive card data transmitted internally within the UPT between components.
Source: PCI UPT DTRs v1.0, April 2009, page 15

Therefore, the PCI PTS standards specifically note that protections against skimming must go beyond merely securing the physical exterior of the payment device, as skimming may occur through the implanting of internal monitoring devices as well as external devices. To this end, the security of any openings, access hatches, or service panels must be considered if such openings allow access to plaintext card data. Because of this, in many instances it is considered best practice to protect card data logically, using encryption, when routing it through exposed cabling and components within larger payment devices such as UPTs and ATMs.


This requirement should not be confused with a necessity for encrypting magnetic stripe read heads; this is not mandated by the standard and is often not necessary for smaller PIN Entry Devices, which can more easily provide physical security to the path of the signals from the MSR to the security processor. It should also be noted from the PCI PTS requirements that, although some guidelines are provided regarding protection against the placement of a physical skimming device, these are not the only options that exist. The guidance within these requirements does not intend to constrain or restrict the possible ways in which skimming can be prevented; one reason for this is so that the market can actively work on creating new and more advanced ways in which anti-skimming technology can be embodied and deployed.

When considering the security requirements within the PCI PTS program, it is important to understand that these cover only the security of the data from the card reader to the internal security processor of the payment device. Once this data has reached the security processor, it is up to the payment application and the overall payment system in which the device operates to secure the data. This is where PCI PA DSS and PCI DSS add their assistance to the security of card data. These programs protect such data in two ways: (1) by securing the applications themselves; and (2) by securing the transmission of payment card data.

PCI DSS and PA DSS require that payment applications, and the systems on which they are installed and operated, are secured in line with industry best practice. This includes removing any unnecessary services from the devices, securing remote access, using network security devices such as firewalls and IDS/IPS, regularly testing the security of systems, and so forth. PCI DSS has many individual compliance requirements, and it is beyond the scope of this document to cover them all. It is strongly recommended that the full PCI DSS requirements, as well as the ATMIA Software Security Best Practice document, are considered when devising an anti-skimming strategy. PCI DSS also mandates that the transmission of card data across open, wireless, and public networks must be encrypted using strong cryptography. In these standards, such cryptography essentially means the use of triple DES, AES, RSA, or Elliptic Curve Cryptography.


Although this standard does not require the use of such encryption across all networks, it is strongly recommended that encryption is used whenever transmitting card data, as capture during transmission is a common skimming attack vector. The diagram in Figure 15 shows a pictorial representation of how the different PCI standards overlap to cover the life cycle of a payment transaction. This diagram shows that:
- The PCI PTS program covers the security of the data as it enters the ATM or payment device.
- The PA DSS program covers the security of the data as it is used in commercial payment software.
- The PCI DSS program covers the security of payment data as it is transmitted and processed within the broader payment network.

Figure 15. PCI standards overlap in payment transaction life cycle


Chapter 4. Best Practices for Preventing Capture of Magnetic Stripe Data During ATM Transactions
4.1. Protection of the Magnetic Stripe Data
Card skimming is a global threat and it will continue to be an industry issue as long as the magnetic stripe containing the cardholder's account information remains on the card. Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming. However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.

There are several methods to keep the sensitive account information contained on the magstripe safe from fraudsters. The most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication, offering alternate methods for conducting secure transactions at the ATM.

Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices. Card readers can be equipped with some type of foreign object detection technology that alerts a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM. Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult for a skimmer to read the card data.


Card skimmers generally require a smooth intake of the card to get a good read of the magstripe. The design of the card reader bezel also plays an important role in deterring the application of a skimmer. The design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user. Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras. Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted. Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.

4.2. Integration with IT Systems


A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM. Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder. ATM network and multi-issuer consortiums are also important for detecting outbreaks of counterfeit card fraud and for determining the size and scope of the cards the criminal still has in inventory. Lists of cards that are at risk of counterfeit fraud can then be used during real-time transaction authorizations to minimize financial losses. Industry fraud solution vendors also continue to increase the effectiveness and sophistication of customer-profiling neural network systems that can identify unusual spending patterns and potentially fraudulent transactions. These profiles have been implemented at the merchant and terminal level in order to further enhance the decision to authorize or deny a transaction in real time, based on known fraud or unusual terminal transaction behavior. If a transaction scores with a high risk of fraud, the issuer will then contact the cardholder to check if the suspect transaction is genuine. If not, an immediate block can be put on the card.
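The consortium-level analysis described above, finding the terminal that a set of confirmed counterfeit-fraud victims have in common and deriving the list of other cards exposed at it for use in real-time authorization, can be shown as a small worked example. The following Python is an added example written to illustrate this section; it is not ATMIA's code nor any vendor's fraud system, and the transaction history, terminal identifiers and fraud-victim list are constructed sample values.

```python
"""Common-point-of-compromise analysis over constructed ATM transaction history.

Added illustration for this section; not ATMIA's or any vendor's code.
Input: a history of (card id, terminal id, time of use) and the set of cards
the issuer has confirmed as counterfeit-fraud victims.
Output: the terminal the victims share, the window during which it was
compromised, and the other cards that used it in that window (the hot list
that real-time authorization can block or step up).
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

Txn = Tuple[str, str, datetime]  # (card id, terminal id, time of use)


def load(rows: Iterable[Tuple[str, str, str]]) -> List[Txn]:
    return [(card, term, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for card, term, ts in rows]


# Constructed sample history; the card and terminal ids are placeholders, not real data.
SAMPLE_TXNS = load([
    ("card-A", "ATM-17", "2009-03-01 09:10"),
    ("card-B", "ATM-17", "2009-03-01 12:45"),
    ("card-E", "ATM-17", "2009-03-02 08:30"),   # legitimate user, inside the window
    ("card-C", "ATM-17", "2009-03-02 17:05"),
    ("card-F", "ATM-17", "2009-03-03 10:00"),   # legitimate user, inside the window
    ("card-D", "ATM-17", "2009-03-03 19:20"),
    ("card-G", "ATM-17", "2009-03-10 11:00"),   # used the terminal after the window
    ("card-A", "ATM-05", "2009-03-04 14:00"),   # two victims also share ATM-05 ...
    ("card-B", "ATM-05", "2009-03-05 09:30"),   # ... which is below the reporting threshold
    ("card-H", "ATM-05", "2009-03-05 16:00"),
])
# Cards the issuer has confirmed as counterfeit-fraud victims (constructed).
SAMPLE_FRAUD_CARDS: Set[str] = {"card-A", "card-B", "card-C", "card-D"}


def rank_terminals(txns: List[Txn], fraud_cards: Set[str],
                   min_fraud_cards: int = 3) -> List[Tuple[str, float, float]]:
    """Rank terminals by how many of the victims used them.

    coverage = share of all victims that used the terminal;
    purity   = share of the terminal's cards that later became victims.
    Terminals visited by fewer than min_fraud_cards victims are ignored so a
    single coincidental overlap does not trigger a hot list.
    """
    seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"fraud": set(), "all": set()})
    for card, term, _ in txns:
        seen[term]["all"].add(card)
        if card in fraud_cards:
            seen[term]["fraud"].add(card)
    scored = []
    for term, s in seen.items():
        n = len(s["fraud"])
        if n < min_fraud_cards:
            continue
        coverage = n / len(fraud_cards)
        purity = n / len(s["all"])
        scored.append((coverage, purity, term))
    scored.sort(reverse=True)
    return [(term, cov, pur) for cov, pur, term in scored]


def exposure_window(txns: List[Txn], terminal: str,
                    fraud_cards: Set[str]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest time a known victim used the terminal."""
    times = [t for card, term, t in txns if term == terminal and card in fraud_cards]
    return (min(times), max(times)) if times else None


def at_risk_cards(txns: List[Txn], terminal: str,
                  window: Tuple[datetime, datetime], fraud_cards: Set[str]) -> List[str]:
    """Cards that used the terminal inside the window and are not yet known victims."""
    start, end = window
    exposed = {card for card, term, t in txns if term == terminal and start <= t <= end}
    return sorted(exposed - fraud_cards)


def hot_list(txns: List[Txn] = SAMPLE_TXNS,
             fraud_cards: Set[str] = SAMPLE_FRAUD_CARDS) -> Optional[dict]:
    """Full pipeline: top terminal, its exposure window, and the cards to watch."""
    ranked = rank_terminals(txns, fraud_cards)
    if not ranked:
        return None
    terminal = ranked[0][0]
    window = exposure_window(txns, terminal, fraud_cards)
    fmt = "%Y-%m-%d %H:%M"
    return {
        "terminal": terminal,
        "window": (window[0].strftime(fmt), window[1].strftime(fmt)),
        "at_risk": at_risk_cards(txns, terminal, window, fraud_cards),
    }


if __name__ == "__main__":
    print(hot_list())
```

On the sample data ATM-17 is the only terminal that reaches the reporting threshold (all four victims used it; ATM-05 was used by only two), the window runs from the first to the last victim's visit, and the resulting hot list is card-E and card-F. Card-G used the terminal after the last victim and is left off the list; in practice a deployment would widen the window or add a second tier for such cards, and would feed the hot list into the authorization system described above rather than printing it.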


4.3. Role of the Consumer in Fraud Prevention


The evolution needs to be in the mind of the consumer: where at one time they worried about an armed person approaching them, they now also need to beware of apparent good Samaritans who want to steal their information while they conduct a transaction. The consumer should check the ATM before using it and protect his or her PIN. Shielding the entry of the PIN with the hand and body is just one way a consumer can prevent someone from viewing it.

4.4. Summary
Some best practices for the mitigation of fraud due to card skimming:
- Building awareness among consumers, branch personnel, and ATM service teams can result in the detection of devices added to an ATM fascia. Visual clues such as tape residue near or on a card reader may indicate the former presence of a skimming device.
- Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
- Contactless cards, out-of-band authentication using cell phones, and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
- Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.

In addition to following these best practices, there are several anti-skimming solutions that financial institutions can implement to help mitigate risk. A multi-layered approach to securing the card reader is the best methodology.
- Foreign object detection: ATMs equipped with this type of technology can alert a financial institution or law enforcement in the event that a skimming device is added to the fascia of an ATM.
- Jitter technology: a process that controls and varies the speed of movement of a card as it moves in and out of a card reader, making it difficult if not impossible to read card data. Card skimmers generally require a smooth intake of the card to get a good read of the magstripe.
- Card reader bezel design: the design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user.
- Anti-skimming technologies: effective in identifying, jamming or disturbing skimming devices when attached to the ATM.
- Video surveillance and monitoring: an effective method for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.

In summary, implementing multiple layers of security to help deter and detect fraudulent attempts provides the best approach to anti-skimming. Information sharing of fraud related activity with industry stakeholders can help to identify current threats and trends and facilitate deployment of the most effective fraud mitigation tactics. There is also an opportunity to influence regulatory requirements to support fraud prevention tactics that will in turn help demonstrate the return on investment for security spend.


Chapter 5. Best Practices for Preventing Interception of Customer PIN


5.1. PIN Security Overview
One of the weakest links in any ATM transaction is the entry of the customer PIN. The PIN in its current form is static and always four digits (or, in some countries, six). Despite improvements in the security of the transmitted PIN and account data via 3DES, no significant improvements or best practices have emerged to protect the physical entry of the customer PIN at the ATM.
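For readers unfamiliar with how the PIN is packaged before the 3DES step mentioned above: under ISO/IEC 9564-1 (listed in Chapter 6) the EPP combines the PIN with part of the account number into a PIN block and only then encrypts it, so the same PIN never produces the same ciphertext on two different cards. The following Python is an added illustration of the format 0 PIN block, not code from this manual or from any EPP or HSM vendor; the PIN and PAN are constructed sample values, and the 3DES encryption under a PIN encryption key that follows this step is left out.

```python
"""ISO/IEC 9564-1 format 0 PIN block: the layout an EPP builds before encrypting the PIN.

Added illustration for this chapter; not ATMIA's or any vendor's code.
Format 0 XORs two 8-byte fields:
  field 1: control nibble 0, PIN length nibble, PIN digits, 'F' fill to 16 hex digits
  field 2: "0000" followed by the rightmost 12 PAN digits excluding the check digit
The PAN binding means a block lifted from one card does not decode under another.
"""


def _pan_field(pan: str) -> bytes:
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    # Drop the Luhn check digit, then take the rightmost 12 digits.
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear-text format 0 PIN block for (pin, pan); the EPP encrypts this with 3DES."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Inverse step an HSM performs after decryption; rejects malformed blocks."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin = pin_field[2:2 + length]
    if not pin.isdigit() or pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("bad padding: wrong PAN for this block or corrupted block")
    return pin


def block_matches_pan(block: bytes, pan: str) -> bool:
    """True if the block decodes cleanly under this PAN (what an HSM checks)."""
    try:
        recover_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not a real card.
    pan, pin = "4000001234567899", "1234"
    block = format0_pin_block(pin, pan)
    print(block.hex().upper())                     # 041234FEDCBA9876
    print(recover_pin(block, pan))                 # 1234
    print(block_matches_pan(block, "5100009876543210"))  # False: bound to the other PAN
```

The worked values show the binding: PIN 1234 with the sample PAN gives the block 041234FEDCBA9876, and presenting that block with a different PAN fails the padding check instead of yielding a PIN. Note that this block is still clear text; the protection comes from the 3DES encryption under a key managed per the PCI PIN program and ISO 11568, which is why the manual's later sections emphasise key management and the security of the EPP itself.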

5.2. Educating the Customer


Drawing from the Latin phrase caveat emptor, the customer must bear some burden for situational awareness, both on the home front and when away and using an ATM. Given the high rate of skimming attacks, it is clear customers are not cognizant of how to identify a skimming device or how to protect themselves from skimming. In addition to the customer component, the customers of financial institutions, ATM manufacturers and payment processors need to be educated on the human fraud factor of shoulder surfing, as well as the variety of card capture devices and schemes being used in place of costly skimming devices. It is imperative that customers learn the importance of shielding their PIN entry on every transaction. This can occur through targeted campaigns, both through marketing messages displayed on the ATM screen before and during a transaction and through marketing materials mailed to them with statements. An aware customer is perhaps the best first defense against skimming attacks, including interception of the PIN via electronic or human means.


5.3. Manufacturing Changes for the EPP and Fascia


Several new products have come to the fore that are add-on devices incorporating raised shields that thwart both camera-based and human capture of PIN entry. While this is a good first step, ATM manufacturers should be turning an engineering eye towards incorporating these changes as a base offering on their ATMs. Improvements in the design of card readers to prevent or detect magnetic stripe capture devices show that the manufacturers are giving this threat attention, and the same attention needs to be focused on the fascia surrounding the EPP. We cannot discount the notion of advancing the technology and design of the EPP. The alarm industry faced a similar problem with regard to access controls at sensitive locations. The compromise of access control PINs was nearly eliminated via the use of a keypad that changes the position of the numbers on the keypad with every transaction. For those with visual impairments, the keys would default back to the static, traditional position. As criminal technology advances, so must the technology to combat it. The EPP should be viewed within the same redesign context as the card reader to combat skimming.

5.4. Advancement of Biometrics to Replace PIN



Biometrics is becoming a visible technology being deployed across a wide variety of applications, from time clocks to computer access controls. While no technology is foolproof, biometrics offers a difficult-to-duplicate replacement for a static numerical PIN. As each fingerprint or retinal scan is unique, it is clearly more robust than a four-digit PIN. As it may be a costly enterprise, deployment of biometrics as a means to move away from the customer PIN may be several years away.

It is worth noting that the DDA (Disability Discrimination Act) is a major obstacle in implementing any effective biometric technology for use at ATMs. For example, Nationwide Building Society developed and piloted Iris recognition technology at ATMs several years ago (featured on TV at the time) and then subsequently scrapped it.


5.5. Summary of Best Practices for Protecting PINs


Some best practices for protection of the customer PIN include:
- Financial institutions should begin targeted customer awareness messages to educate customers on identification of skimming devices and on shielding the entry of their PIN on every transaction.
- Financial institutions should begin installing fascia add-on devices to shield the PIN from interception in the interim, pending ATM design and manufacturing changes.
- ATM industry design changes to incorporate shielding devices on all fascia components as a standard feature could be considered.
- Continuing industry investigation of biometrics as an ultimate replacement technology for static PINs.
- Investigation of new technologies to create EPPs that incorporate a scramble methodology for number placement at each transaction.


Chapter 6. Further Reading and Links


6.1. Useful Reading
1. Navigating PCI DSS - Understanding the Intent of the Requirements, Version 1.2, October 2008
https://pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf

2. A Chronology of Data Breaches, Privacy Rights Clearing House
www.privacyrights.org

3. Building Trust: Securing the Payment System, by Visa Inc.
http://www.corporate.visa.com/st/main.jsp?src=home

4. ATMIA and Global ATM Security Alliance best practices:
4.1 Best Practices For Preventing Insider Fraud
4.2 Best Practices For ATM Physical Security, Version 2

6.2. Standards Documentation


PCI Standards at https://www.pcisecuritystandards.org
- Data Security Standard (PCI DSS)
- Payment Application Data Security Standard (PA-DSS)
- PIN Entry Device (PCI PED)
- PCI PIN Security Standard [2]
- PCI ATM [3]

Guidance for web applications development can be found at: Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Main_Page

CEN XFS-J/XFS (CEN = Comité Européen de Normalisation; XFS = Extensions for Financial Services; J/XFS = Java Extensions for Financial Services) device interface standards

[2] At the time of writing, the PCI PIN program is maintained by Visa and MasterCard directly, not PCI SSC.
[3] At the time of writing, this new global standard in the making is unpublished. Other standards include PCI UPT (Unattended Payment Terminals) and PCI HSM (Hardware Security Modules).

ISO Standards

- ISO 11568: ISO standards for Cryptography Key Management for banks
- ISO 11770: ISO standards for Cryptography Key Management Lifecycle
- ISO/IEC 9564-1: Banking - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
- ISO 13491: Banking - Secure Cryptographic Devices (Retail)
- ISO 7810: Identification Cards - Physical Characteristics
- ISO 7811: Identification Cards - Recording Technique
- ISO 7812: Identification Cards - Identification of Issuers
- ISO 7813: Identification Cards - Financial Transaction Cards
- ISO 7816: Identification Cards - Integrated Circuit(s) Cards with Contacts

Other standards and best practices of relevance:


- X9.24 Part 1: Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques
- FIPS 140-2: Specifications for security of Hardware Security Modules
- NIST SP 800-57: Recommendation for Key Management
- ANSI TR-31: Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms
- ANSI Technical Guideline 3 (ANSI TG-3): Guideline for Financial Services
- EMV (Chip and PIN): http://www.emvco.com
- MasterCard POS Terminal Security (PTS): http://www.mastercard.com/us/merchant/support/pts_program.html

6.3. Relevant Links


The following links are provided for informational purposes only. Inclusion here does not represent an endorsement by ATMIA or the contributors to this Guide of any specific product or vendor.
- Visa Inc., http://www.corporate.visa.com
- ATM Security, http://www.atmsecurity.com
- See the Risk Management section of Visa's website for additional references: http://usa.visa.com/merchants/risk_management/index.html
- For PIN Security documents and references, including auditors' guides, see: http://usa.visa.com/merchants/risk_management/cisp_pin_security.html
- Privacy Rights Clearing House, www.privacyrights.org
- US Federal Trade Commission, www.ftc.gov
- ATM Industry Association, www.atmia.com
- SANS Institute, http://www.sans.org/
- US National Security Agency, http://www.nsa.gov/
- Verizon Business 2008 US Data Breach Investigation Report: http://www.verizonbusiness.com/products/security/risk/databreach/


Chapter 7. Checklist of Recommendations for Preventing Skimming


7.1. Summary of Recommendations
1. Support Chip and PIN technology as a global solution to skimming.
2. Link up to international industry initiatives combating skimming.
3. Conduct a sensitively worded customer education campaign on skimming, including the absolute requirement for customers to shield their PIN entry on the ATM keypad with their spare hand during ATM transactions. Also include information about the ATM interface and any technologies they need to be aware of. In addition, cover existing best practices and reaffirm that customer and card data protection is paramount.
4. Add additional security solutions to protect the card data and PINs.
5. Protect the magstripe where possible with a second layer of authentication, such as cell phone message confirmations of transactions.
6. Study the adversary's methods, devices and support technologies.
7. Use the international classification system in this manual.
8. Secure the path from the card reader to the security processor within the device, including the path from the Integrated Circuit Card reader (ICCR) as well as the magnetic stripe card reader (MSR), in accordance with relevant PCI requirements.
9. Encourage regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments.
10. Use intelligent fraud-detection systems to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.
11. Support continued R&D in the areas of improved technologies for preventing skimming, including investigating enhanced EPPs and biometric replacements for PINs.
12. Adopt a multi-layered security approach to prevent skimming using all of the above.


7.2. Checklist of Recommendations


Tick off the checklist items, one by one, to ensure you are implementing these anti skimming best practices.

[ ] Link up to anti-skimming industry initiatives globally, as this is a global problem with clearly identifiable international fraud migration patterns.
[ ] Support chip and PIN as a global technology; but when the magstripe is in use, out-of-band authentication, using a cell phone or a biometric reader, can provide a second form of authentication that can be used to secure transactions at the ATM.
[ ] Deploy anti-skimming solutions to help detect and prevent the application and usage of card skimming devices and to offer greater PIN protection, such as PIN shields.
[ ] Conduct customer education campaigns on skimming and PIN protection.
[ ] Know your adversary and his weapons: study and apply the skimming classification system in this manual to create an international common language for skimming prevention, AND study all the different types of skimming devices, both internal and external, remote and near, as well as all their supporting technologies.
[ ] Study PCI security standards, namely PCI PTS, PCI PA DSS and PCI DSS, especially where relevant to prevention of skimming. In particular, secure the path from the card reader to the security processor within the device, including the path from the Integrated Circuit Card reader (ICCR) as well as the magnetic stripe card reader (MSR).
[ ] Conduct regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments.
[ ] Use intelligent fraud-detection systems to monitor unusual spending patterns and identify fraud before it is discovered by the cardholder.
[ ] Support continued R&D in the areas of improved technologies for preventing skimming, including investigating enhanced EPPs, biometric replacements for PINs, etc.
[ ] Adopt a multi-layered security approach to prevent skimming using all of the above.
