“Grab hold and give it a wiggle” – security advice for Black Friday and December

Much of the world is about to enter its busiest retail period.

It’s Thanksgiving weekend in the USA, which means Black Friday, so called because it’s supposed to be the day that brings retailers out of the red and into profit.

And that’s just the start of the vacation and shopping season known as December.

With any retail surge you can expect a corresponding surge in cybercriminality.

So the latest warning from our friends at the Fraud and Corporate Crime Group at the Queensland Police Service (QPS) in Australia should come as no surprise.

They’re focusing on a particular sort of IT-enabled crime at the moment: ATM skimming.

This was prompted by the recent discovery of newly-installed ATM skimming devices in the Queen Street mall – a buzzing pedestrianised eating-drinking-and-shopping precinct right in the heart of Brisbane, Queensland’s capital.

(Don’t forget that Brisbane is subtropical and in the Southern hemisphere. You can eat and drink al fresco in Queen Street even in winter. So in summer it’s quite the place to be, and quite the place to spend. The beer, I can assure you, is chilled to perfection, or slightly better.)

ATM cards rely on two-factor authentication.

You need not only the card but also your secret PIN code. Many cards are still easy to clone – they can be “skimmed” by covertly reading off the contents of the magnetic stripe. But PINs are hard to guess, even though they are typically just four or five digits long. That’s because you don’t get many chances.

As you may have found out the hard way – possibly after an evening spent at the Queen Street mall – an ATM will eat your card and lock your account after a small number of incorrect PINs, usually three. That helps keep your funds intact, as well as alerting you to criminal attempts against your account.

Unlike offline password crackers, crooks can’t rely on trying over and over again until they guess correctly. That gives you good protection, as long as the crooks can do no better that guessing at your PIN.

But ATM skimmers remove the guesswork. These devices combine a tiny magstripe reader, hidden in front of the genuine card slot, with a covert camera or duplicate PIN pad. This allows the crooks to duplicate both authentication factors the same time. The skimmer clones your magstripe whilst the camera records the digits in your PIN.

The good news is that ATM skimmers, usually made of moulded plastic, have to be attached onto existing cash machine hardware. With a bit of caution you should be able to spot them – the colour and texture probably won’t be perfect, the fit won’t be exact, and the skimmer might well be slightly loose.

That’s the case with the ones recovered in Brisbane by the QPS detectives, as you can see in the picture above. (The red arrow is there to draw your attention to the pinhole behind which the camera is hidden.)

Be alert over the holiday period.

And here’s some advice you probably never thought you’d hear in an information security context: “Grab hold and give it a wiggle.”