SIGN IN

RISK ASSESSMENT —
Automated robbery: how card skimmers (still) steal millions from
banks
Skimming costs less than ever, but a new generation of credit cards might stop it.
SEAN GALLAGHER - JUN 28, 2012 12:30 AM UTC

A harmless-looking ATM machine in Greenwich Village, New York.

In January 2011, a pair of Bulgarian-born Canadians named Nikolai Ivanov and Dimitar Stamatov took a road trip from their home in Quebec to New York City. Their
five-day visit to Manhattan’s East Village and Astor Place wasn’t your typical tourist trek, though; instead of Statue of Liberty souvenirs, the pair collected the card data
and personal identification numbers for over 1,100 ATM cards. Ivanov and Stamatov were "skimmers."

Skimming isn’t new—it’s been around almost as long as ATM machines. But Ivanov and Stamatov benefitted from a new generation of skimming technology that has
turned the once-difficult crime into a mass-market business. Using pre-fabricated gear perfectly matched to the hardware of Chase Bank ATMs, they were able to read
the magnetic stripe off of victims' cards and even record victims punching in their PINs. After this bit of fun, the duo went on a cross-country withdrawal spree using
clones made from their victims' cards, pulling over $264,000 in cash from machines in Arizona, Illinois, and Canada.

The road trip proved so successful that the two men returned to New York again in May 2011, this time bringing Ivanov’s younger brother Iordan along for the ride.
But the second skimming trip had a different conclusion; New York City police caught Ivanov and Stamatov as they were removing their gear from an ATM machine at
the Chase branch at 785 Broadway (Iordan escaped back to Canada). By then, according to later admissions in court, the two men had amassed over $280,000 in
fraudulent withdrawals and transactions—most of which were sent to relatives back in Bulgaria.
New York County District Attorney

At left, one of the Chase ATMs "compromised" by Ivanov and Stamatov's skimming gear. At right, the
card reader—disguised as a lip that fits over the ATM's existing card slot—and the pinhole video
camera used to capture victims' PINs.

Skimming has been a problem for decades, but it’s become increasingly common in the past five years—and it’s spreading. Tracie Gerstenberg, who does anti-
skimming business development for Tyco Integrated Security (formerly ADT), said that while skimming was previously focused in large metro areas like “New York
City, Chicago, southern California, and the entire state of Florida, really,” it has recently become prevalent in smaller suburban settings where people “aren’t as
educated about skimming.”

converted by Web2PDFConvert.com
Skimmers are getting away with more and more cash, as well. In 2010, according to Secret Service figures, skimmers netted an average of $30,000 per incident; in
2011, their take rose to $50,000. By comparison, “The average bank robbery might be around $3,000 to $4,000,” said Doug Johnson, vice president of risk
management policy at the American Bankers Association. (Economists have recently shown exactly why robbing banks doesn't pay.)

The scam has moved beyond ATMs. Skimmers now attach card readers to gas pumps across the US, capturing both credit and debit card data. Self-checkout
machines at grocery stores have been targeted, too. And one larger criminal organization in New York was paying waiters to collect their well-heeled customers’ credit
card data last year with hand-held card readers. That ring took in $1.2 million in cash as fake credit cards were used to purchase handbags, watches, and other luxury
goods to be resold.

The US explosion in skimming has been driven, in part, by the low-tech nature of most US credit cards, which are still tethered to the same technology used for nearly
50 years: the magnetic stripe. Credit and debit cards in other parts of the world still use the magnetic stripe, of course, but in many places only as a backup to “smart”
chip systems commonly referred to as “chip and PIN” or “EMV” (for EuroPay, MasterCard, and Visa, the companies driving cryptographically equipped smart cards in
Europe and elsewhere). While chip-and-PIN-based ATMs and point-of-sale systems have reduced the volume of skimming fraud in Europe, Johnson says that the US
has become the “preferred place to cash out” for skimmers from around the globe. “That’s obviously something we’d like to defeat,” he added.

To fight the trend, banks have answered with counter-skimming technology—everything from sensors that detect devices being attached to card readers to jammers
that block external readers from recording and transmitting card data. But at the level of the card itself, any wholesale move away from the magnetic stripe remains
years off, mostly due to the lack of financial incentive for card issuers and merchants to invest in the new tech, and because of the long life cycles of ATMs and point-
of-sale systems.

Magnetic card data: what’s in your wallet?

To understand why skimming is such a problem, you have to understand the nature of the standard credit or debit card. Despite the introduction of “chip and PIN”
technology elsewhere and all the talk of near field communications (NFC) and wireless payments here, the US payment card system has not changed significantly
since the magnetic stripe was added to cards in the 1960s. As we’ve become more reliant on credit and debit cards for our daily transactions, the cards have become
the target of criminals for the same reason Willy Sutton said he robbed banks: they’re where the money is.

The basics of skimming are not exactly rocket science: capture the magnetically encoded data from a credit or debit card and record it to a blank card or sell it to
someone else who will. “Anytime anyone gets the dump of a credit card—the full dump—if you make a copy with it, it’s as good as the original.” said Ondrej Krehel,
Information Security Officer at Identity Theft 911, a data risk management consulting firm in New York.

The data on a magnetic card is stored in binary form using a technique called Frequency/Double Frequency (F2F) encoding (also known as Aiken Biphase encoding).
An unencoded magnetic track—one with no data—is completely magnetically consistent, with the poles of each of the permanent magnets embedded in the track
facing the same direction.

The encoding of a credit card starts by laying down markers that define the length of each bit. A marker gets created by forcing a magnet within the strip to flip its
polarity—creating a region of magnetic flux where two like poles push right up against each other. The flux create a “clock” signal that can be detected by a magnetic
card reader as a series of spikes at the boundaries of each bit. When converted to binary data by a reader, these are translated as zeros. To write a 1 to the track, an
additional point of flux is inserted between the clock frequency bits, adding an additional flux point to the wave, as shown below:
Silicon Labs

An example of F2F encoding on a magnetic stripe track

The standard format for credit and debit cards (and most other magnetic cards) uses three tracks to store data, each about 2.8 millimeters wide, with Track 1 closest
to the edge of the card. Some payment cards with thinner magnetic stripes only use two tracks, because most credit cards only store data in Track 1 and 2, in a
format defined by the International Organization for Standardization’s ISO/IEC 7813 specification.
Tysso

A diagram of the position of the three tracks on an ISO standard magnetic card

Track 1 contains all the data associated with the card, including the primary account number, the name of the holder, the expiration date, a card security code
(typically, it’s not the same as the one printed on the card), and a longitudinal redundancy check value used to spot read errors. Data on Track 1 is encoded in 7-bit
characters (6 bits for the data, plus one for parity). Track 2 holds mostly the same data, minus the cardholder’s name; its data is encoded in 5-bit characters (four plus
one for parity). Both Track 1 and Track 2 start with a series of “clocking zeros” to provide readers the base clock frequency so they can count the data bits properly,
and they begin and end the real data with “sentinel” symbols that alert the reader where to actually look for data.

The third, less-frequently used track’s data is formatted according to another ISO spec, ISO/IEC 4909. Track 3 was designed to be writeable, to provide a way for
prepaid cards and other payment cards to carry balance information. But few credit or payment cards use this track and most point-of-sale systems ignore the data.

For skimmers, the main trick is to record all this magnetic data and to do so without the cardholder noticing.

Page: 1 2 3 Next

SEAN GALLAGHER
Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.
EMAIL sean.gallagher@arstechnica.com // TWITTER @thepacketrat

SHARE THIS STORY

converted by Web2PDFConvert.com
 SHARE THIS STORY
READER COMMENTS 82

← PREVIOUS STORY

Related Stories
Sponsored Stories
Powered by

Type Your Name, Wait 7 Seconds

TruthFinder
How To Fix Your Fatigue (Do This Every Day)
EnergyAtAnyAge.com

2017 Solar Rebates Eliminate Upfront Installation Costs

Energy Bill Cruncher

Worry About One Less Thing: Try Walmart's Free Grocery Pickup Service Now
Walmart

Today on Ars
RSS FEEDS CONTACT US
VIEW MOBILE SITE STAFF
VISIT ARS TECHNICA UK ADVERTISE WITH US
ABOUT US REPRINTS

WIRED Media Group

Use of this Site constitutes acceptance of our User Agreement (effective 1/2/14) and Privacy Policy (effective 1/2/14), and Ars Technica Addendum (effective 5/17/2012). Your California Privacy Rights. The material
on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.

converted by Web2PDFConvert.com