Credit card skimming is a major threat to credit and debit card users. Here's what you need to know about this increasingly common form of financial fraud.
Credit card fraud: Elusive PINs
Collecting credit card data is a relatively simple matter of capturing the account number. But debit cards are even more desirable to thieves because the bad guys can plunder a bank account quickly and completely without the account holder realising what's happening. The card networks monitor credit card usage, and they have rigorous risk- and fraud-prevention policies in place. In contrast, debit cards are linked directly to a bank account, though obtaining the PIN associated with a debit card is somewhat more difficult.
The most common high-tech ways to steal PINs are with tiny cameras mounted within a fish-eye mirror and with an electronic mesh overlaid on the keyboard. Criminals are often caught while mounting or removing such cameras, but recently they've figured out less obvious ways to steal PINs.
PINs are usually four digits long. When you key in your PIN, software at the ATM or point of sale automatically converts it using a one-way algorithm called a hash. Then, if someone captures the data stream, they'll see only the resulting hash value, not the original four or six digits. By itself, a hashed PIN is a useless string of numbers. You can't type in the hashed PIN as it appears on your debit card or within a database inside a bank network, because those digits will be converted into yet another value. Instead, you have to find digits that generate that hash value, and until recently that wasn't practical.
In 2008 the FBI disclosed that attackers had used the PINs of US Citibank account holders during a crime spree in New York. According to the FBI documents, attackers had located the PIN data in a data breach, analysed and decrypted the algorithm used, and then generated a table of all the possible four- and six-digit PIN codes that that algorithm might produce - what's called a rainbow table in cryptography. The criminals didn't have to match an account holder's PIN exactly; they only needed the four digits that would produce the same hash value.
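The weakness described above, and one way to close it, as an added example that is not from the FBI documents or any bank's code. It shows that a plain hash over a four-digit PIN can be reversed by one table of 10,000 entries, while a value keyed with a secret and bound to the account cannot be looked up in that table. SHA-256, the HMAC construction, the function names, the account labels, the PINs and the key are all assumptions made for illustration.

```python
import hashlib
import hmac

def pin_space(digits=4):
    """Yield every PIN of the given length, zero-padded (10**digits values)."""
    return (f"{n:0{digits}d}" for n in range(10 ** digits))

def plain_hash(pin):
    # Assumption: SHA-256 stands in for the one-way algorithm,
    # which the article does not name.
    return hashlib.sha256(pin.encode()).hexdigest()

def keyed_hash(pin, account, key):
    # Mitigation sketch: HMAC over account and PIN under a secret key that is
    # stored apart from the PIN data, so stolen values alone cannot be tabulated.
    return hmac.new(key, f"{account}:{pin}".encode(), hashlib.sha256).hexdigest()

def build_table(digits=4):
    """Precompute plain_hash(pin) -> pin for the whole PIN keyspace."""
    return {plain_hash(p): p for p in pin_space(digits)}

def exposed(stored, table):
    """Return the accounts whose stored value can be looked up in the table."""
    return {acct: table[v] for acct, v in stored.items() if v in table}

# Constructed sample data: not real accounts, PINs or keys.
SAMPLE_PINS = {"acct-001": "0420", "acct-002": "7391", "acct-003": "0420"}
DEMO_KEY = b"constructed-demo-key"

def demo():
    """Audit the same PINs stored two ways against one precomputed table."""
    table = build_table(4)
    plain = {a: plain_hash(p) for a, p in SAMPLE_PINS.items()}
    keyed = {a: keyed_hash(p, a, DEMO_KEY) for a, p in SAMPLE_PINS.items()}
    return len(table), exposed(plain, table), exposed(keyed, table)

if __name__ == "__main__":
    size, plain_hits, keyed_hits = demo()
    print(f"table entries: {size}")
    print(f"plain hashes recovered: {len(plain_hits)} of {len(SAMPLE_PINS)}")
    print(f"keyed values recovered: {len(keyed_hits)} of {len(SAMPLE_PINS)}")
```

The keyed form protects the stored values only while the key stays secret; the short PIN itself is no harder to guess.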
Credit card fraud: Royal Bank of Scotland
Even if criminals can reproduce the encrypted hash value, they cannot withdraw more than a certain amount during a single transaction or within a certain period - unless someone inside the bank's network adjusts those values. That happened on November 8, 2008, when a gang of criminals robbed the US payment processing arm of The Royal Bank of Scotland group, RBS Worldpay, from both the inside and the outside. Within a 12-hour window they withdrew an estimated $9.4m from ATMs in 230 cities across the globe. Meanwhile, someone else on the inside increased the daily withdrawal limits on individual accounts - in one instance to half a million dollars.
An Estonian suspect was extradited to the US in August 2010. Another suspect, 28-year-old Victor Pleshchuk, received four years' probation from a Russian court the following month. A third, unnamed suspect remains at large.