"Grab hold and give it a wiggle" - security advice for Black Friday and December

Filed Under: Data loss, Featured, Law & order

Much of the world is about to enter its busiest retail period.

It's Thanksgiving weekend in the USA, which means Black Friday, so called because it's supposed to be the day that brings retailers out of the red and into profit.

And that's just the start of the vacation and shopping season known as December.

With any retail surge you can expect a corresponding surge in cybercriminality.

So the latest warning from our friends at the Fraud and Corporate Crime Group at the Queensland Police Service (QPS) in Australia should come as no surprise.

They're focusing on a particular sort of IT-enabled crime at the moment: ATM skimming.

This was prompted by the recent discovery of newly-installed ATM skimming devices in the Queen Street mall - a buzzing pedestrianised eating-drinking-and-shopping precinct right in the heart of Brisbane, Queensland's capital.

(Don't forget that Brisbane is subtropical and in the Southern hemisphere. You can eat and drink al fresco in Queen Street even in winter. So in summer it's quite the place to be, and quite the place to spend. The beer, I can assure you, is chilled to perfection, or slightly better.)

ATM cards rely on two-factor authentication.

You need not only the card but also your secret PIN code. Many cards are still easy to clone - they can be "skimmed" by covertly reading off the contents of the magnetic stripe. But PINs are hard to guess, even though they are typically just four or five digits long. That's because you don't get many chances.

As you may have found out the hard way - possibly after an evening spent at the Queen Street mall - an ATM will eat your card and lock your account after a small number of incorrect PINs, usually three. That helps keep your funds intact, as well as alerting you to criminal attempts against your account.

Unlike offline password crackers, crooks can't rely on trying over and over again until they guess correctly. That gives you good protection, as long as the crooks can do no better than guessing at your PIN.
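To make the lockout argument concrete, here is an added Python model (not code from the original post or from the QPS) of an ATM that locks the card after three wrong PINs, together with the resulting bound on a guesser's odds; the PIN and the guess list are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Tuple

MAX_ATTEMPTS = 3  # the post says "usually three"


@dataclass
class AtmCard:
    """Model of the ATM-side PIN check with the lockout described in the post."""
    pin: str          # constructed sample value, set by the caller
    failures: int = 0
    locked: bool = False

    def verify(self, attempt: str) -> bool:
        """True only if the card is not locked and the PIN matches.

        Three consecutive wrong attempts lock the card; after that even the
        correct PIN is refused until the bank resets it (the "ATM eats your card" case).
        """
        if self.locked:
            return False
        if attempt == self.pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def online_guess_bound(pin_length: int, attempts: int = MAX_ATTEMPTS) -> float:
    """Upper bound on a guesser's chance of success before lockout.

    Each attempt rules out at most one of the 10**pin_length PINs, so the
    attacker's odds are at most attempts / 10**pin_length (capped at 1.0).
    """
    return min(1.0, attempts / 10 ** pin_length)


def run_guesses(card: AtmCard, guesses: List[str]) -> Tuple[bool, int]:
    """Feed guesses to the card in order, stopping at first success or lockout.

    Returns (succeeded, number of guesses the ATM actually accepted for checking).
    """
    for used, guess in enumerate(guesses, start=1):
        if card.verify(guess):
            return True, used
        if card.locked:
            return False, used
    return False, len(guesses)
```

With a four-digit PIN the bound is 3 in 10,000 per card, which is why the crooks go after the PIN itself rather than guessing it.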

But ATM skimmers remove the guesswork. These devices combine a tiny magstripe reader, hidden in front of the genuine card slot, with a covert camera or duplicate PIN pad. This allows the crooks to duplicate both authentication factors at the same time. The skimmer clones your magstripe whilst the camera records the digits in your PIN.

The good news is that ATM skimmers, usually made of moulded plastic, have to be attached onto existing cash machine hardware. With a bit of caution you should be able to spot them - the colour and texture probably won't be perfect, the fit won't be exact, and the skimmer might well be slightly loose.

That's the case with the ones recovered in Brisbane by the QPS detectives, as you can see in the picture above. (The red arrow is there to draw your attention to the pinhole behind which the camera is hidden.)

Be alert over the holiday period. Here's a cute QPS video giving you some simple tips for when you're withdrawing cash:

And here's some advice you probably never thought you'd hear in an information security context: "Grab hold and give it a wiggle."

Oh. One more thing.

The Queensland cops would like to speak to the chap shown on the right.

If you've seen him, you can dob him in.

Call: Crimestoppers on 1800 333 000

Call: Policelink on 131 444.


2 Responses to "Grab hold and give it a wiggle" - security advice for Black Friday and December

  1. Seth.D · 859 days ago

    Did you have to make the title so... suggestive?

  2. Stacie · 858 days ago

    *shakes head* It's only suggestive if one wants it to seem that way


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog