Anti-Skimming Solutions: How to evaluate them and avoid mistakes
There are many vendors of anti-skimming solutions on the market, and choosing the “right” supplier is not an easy task, especially for a less experienced buyer. All devices are more or less the “same” in their functionality (they prevent cards from being skimmed at ATMs). As a rule only the appearance of the devices differs and, of course, the price!
The price is a big issue, because it can differ by a factor of 3-4 between vendors. Does the difference in price really reflect a difference in functionality and quality? Every vendor will insist that it does, but we doubt that this is right. Let us analyze in more detail what is important and what is not in an anti-skimming solution.
Check the number of “antennas” used by the device.
Theoretically, protection against stereo skimming could be achieved with just one antenna, but criminals can easily defeat such a setup (a stereo skimmer uses two read heads so that the jamming signal picked up by both can be cancelled out, leaving the card data). Using two antennas prevents the protection against stereo skimming from being defeated in this way.
Many vendors promote their device by pointing out that it is “nice looking” or equipped with a 1-, 2- or even 3-line LCD display, which supposedly simplifies installation or reports the “situation” (e.g. “card skimmer detected”).
We should not forget that the anti-skimming device is installed inside the ATM and, once installed, usually nobody sees it again. LCD displays and a nice-looking enclosure can therefore be regarded as cheap marketing gimmicks with no added value for the customer, especially when they come with a higher price.
What really matters to the user is simplicity of installation and of later servicing of the device. This is the most important way to lower the TCO of the solution. Like the ATM as a whole, the anti-skimming device has its own TCO, which must be calculated and used when choosing the device. Some devices require “calibration” after installation and “recalibration” after service calls on the ATM. These operations are usually done in the field by field service staff, whose qualifications are often not very high. The more complex the required operations are (for example installing antennas into the existing card reader bezel), the higher the probability that the job will be done incorrectly and, in the best case, must be repeated (incurring additional expense); in the worst case the anti-skimming device will not work properly and will create a false sense of security. The customer must therefore always ask the vendor in which cases the offered device requires “reinstallation” or “recalibration”.
Criminals use different technologies and methods in skimming attacks. It is not enough that the anti-skimming device emits a “jamming signal” that prevents the skimming device from capturing the card data. If the jamming signal can be easily copied and replayed, the data captured by the skimmer, even with anti-skimming active, can easily be decoded by subtracting the known jamming pattern. It is therefore important to know not only whether the device protects against “stereo skimming”, but also how good or bad the jamming signal algorithm used in the anti-skimming solution is. If the algorithm is “weak”, i.e. the pattern is predictable or repeats from swipe to swipe, criminals can easily reproduce it and the user again gets a false sense of security.
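To make the point about weak jamming algorithms concrete, here is an added toy simulation; it is not code from this page or from any vendor. It models the card as a baseband ±1 signal and the anti-skimming device as an additive jamming signal, ignoring the real F2F magnetic-stripe encoding and the physics of the read head; the AntiSkimmer class, the jamming amplitude, the seed values and the constructed track data are assumptions for illustration only. A device that replays the same jamming pattern on every swipe is defeated by recording one swipe with no card in the reader and subtracting that recording; a device that draws a fresh, unpredictable pattern for every swipe is not.

```python
import random
import secrets

# Toy baseband model (assumption for illustration, not real F2F encoding):
# each card bit is one sample, +1.0 for a 1 bit and -1.0 for a 0 bit.
CARD_AMPLITUDE = 1.0
JAM_AMPLITUDE = 10.0   # jammer swamps the card signal, so a plain skimmer sees garbage


def card_signal(bits):
    """Baseband samples the skimmer's read head would see from the card alone."""
    return [CARD_AMPLITUDE if b else -CARD_AMPLITUDE for b in bits]


def jam_pattern(n_samples, seed):
    """Jamming samples derived from a seed; the same seed gives the same pattern."""
    rng = random.Random(seed)
    return [rng.uniform(-JAM_AMPLITUDE, JAM_AMPLITUDE) for _ in range(n_samples)]


class AntiSkimmer:
    """Hypothetical jammer. replays_pattern=True models a weak algorithm whose
    jamming sequence is identical on every swipe; otherwise a fresh seed is
    drawn per swipe (secrets.randbits stands in for a hardware noise source)."""

    def __init__(self, replays_pattern, fixed_seed=0x5EED):
        self.replays_pattern = replays_pattern
        self.fixed_seed = fixed_seed

    def emit(self, n_samples):
        seed = self.fixed_seed if self.replays_pattern else secrets.randbits(64)
        return jam_pattern(n_samples, seed)


def skimmer_capture(card, jam):
    """An overlay skimmer records the sum of the card signal and the jamming field."""
    return [c + j for c, j in zip(card, jam)]


def decode(samples):
    """Hard-decision decoder: positive sample -> 1, otherwise 0."""
    return [1 if s > 0 else 0 for s in samples]


def naive_skim(device, victim_bits):
    """Skimmer that simply decodes what it captured while the jammer runs."""
    return decode(skimmer_capture(card_signal(victim_bits), device.emit(len(victim_bits))))


def replay_attack(device, victim_bits):
    """Criminal's procedure: record the jammer with no card present, then
    subtract that reference from a later victim capture."""
    n = len(victim_bits)
    reference = skimmer_capture([0.0] * n, device.emit(n))   # no card in the reader
    victim = skimmer_capture(card_signal(victim_bits), device.emit(n))
    cleaned = [v - r for v, r in zip(victim, reference)]
    return decode(cleaned)


def bit_recovery_rate(recovered, victim_bits):
    """Fraction of the victim's bits the attacker recovered correctly."""
    return sum(a == b for a, b in zip(recovered, victim_bits)) / len(victim_bits)


def demo(n_bits=2000, seed=42):
    """Constructed random track data; returns recovery rates for three cases."""
    rng = random.Random(seed)
    track = [rng.randint(0, 1) for _ in range(n_bits)]
    weak = AntiSkimmer(replays_pattern=True)
    strong = AntiSkimmer(replays_pattern=False)
    return {
        "naive_skimmer_vs_any_jammer": bit_recovery_rate(naive_skim(strong, track), track),
        "replay_vs_repeating_pattern": bit_recovery_rate(replay_attack(weak, track), track),
        "replay_vs_fresh_pattern": bit_recovery_rate(replay_attack(strong, track), track),
    }


if __name__ == "__main__":
    for case, rate in demo().items():
        print(f"{case:30s}: {rate:.0%} of bits recovered")
```

Against the repeating pattern the subtraction removes the jamming field exactly and every bit is recovered; against a fresh pattern the subtraction only adds a second helping of noise, so the attacker ends up with roughly the same near-coin-flip bit error rate as a skimmer that never bothered, and a full track of a few hundred bits is unrecoverable. The same logic applies to any jamming sequence a criminal can predict, whether it is a fixed pattern, a short cycle, or a counter-driven generator.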
“Deep insert skimming” attacks have become more frequent over the last 2 years.
It is a very “bad” attack because it is very difficult to recognize, even for the ATM owner's technical staff: the skimming device is not visible from outside, and the ATM has to be inspected very carefully to find out whether anything has been installed inside the card reader.
Check whether the offered solution has built-in protection against “deep insert skimming” or offers it only as an option. Deep insert skimmers cannot be “neutralized” in the same way as overlay skimmers: they sit inside the card reader, and a jamming signal cannot be used to prevent reading while the card moves through the reader, because that would also stop the card reader itself from reading the card.
In fact, the simplest way to protect the card reader against deep insert skimming is to make the throat of the card reader as narrow as possible, or to install an additional plate inside the card reader so that nothing extra can be fitted in. The idea is very simple: a standard bank card is no more than 0.8 mm thick, while the thinnest deep insert skimmers criminals have managed to build are around 2 mm thick.
Therefore, if the free space inside the card reader is less than 2 mm in height, a deep insert skimmer cannot be inserted. The solution is cheap and simple, so it should not significantly raise the overall price of the anti-skimming device.
Card Skimming & Card Shimming
Very often, anti-skimming device vendors advertise that their device protects the ATM against “card skimming” AND “card shimming”. In practice this is another marketing gimmick with little added value, for the following reasons:
– Shimming itself makes little or no sense. Even if one manages to read the unencrypted data exchanged between the chip and the card reader, the captured data does not contain CVV1/CVC1, only iCVV/iCVC. The iCVV/iCVC is not an encrypted copy of CVV1/CVC1 that could be decrypted: it is a separate value the issuer computes for the chip with the same algorithm but a different input (the service code is replaced by a fixed value), so it never matches the CVV1/CVC1 on the magnetic stripe.
A stripe cloned from shimmed chip data therefore fails the issuer's CVV1/CVC1 check, provided the issuer actually performs that check on stripe transactions and rejects a stripe carrying the iCVV/iCVC value. The CVV2/CVC2 values that could be used for e-commerce fraud are never exchanged at all. Therefore, protection against shimming has more marketing than practical value.
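To illustrate why a captured iCVV does not help in cloning the stripe, here is an added example; it is not code from this page or from any vendor. It keeps the structure of the card verification value scheme (a keyed function over PAN, expiry and service code, with the fixed value '999' substituted for the service code when computing the chip's iCVV), but uses an HMAC-SHA256 stand-in for the real 3DES-based algorithm so that it runs without a DES library. The key, the PANs and the stripe service code '201' are constructed for illustration.

```python
import hashlib
import hmac

# Stand-in for the issuer's Card Verification Key (CVK). Constructed for this
# example; a real issuer key is a 3DES key held in an HSM.
ISSUER_CVK = bytes.fromhex("00112233445566778899aabbccddeeff")

# The stripe carries the card's real service code; the chip's iCVV is computed
# with the fixed value '999' in its place.
STRIPE_SERVICE_CODE = "201"   # constructed example value
ICVV_SERVICE_CODE = "999"


def card_verification_value(cvk, pan, expiry_yymm, service_code):
    """Three-digit verification value over PAN || expiry || service code.
    HMAC-SHA256 stands in for the real 3DES-based CVV algorithm."""
    msg = f"{pan}{expiry_yymm}{service_code}".encode()
    mac = hmac.new(cvk, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def personalise(pan, expiry):
    """What the issuer writes to the card: CVV1 on the stripe, iCVV in the chip.
    Both come from the same key, but from different inputs."""
    return {
        "stripe_cvv1": card_verification_value(ISSUER_CVK, pan, expiry, STRIPE_SERVICE_CODE),
        "chip_icvv": card_verification_value(ISSUER_CVK, pan, expiry, ICVV_SERVICE_CODE),
    }


def issuer_verify_stripe(pan, expiry, service_code, presented_cvv):
    """Issuer host check for a magnetic-stripe transaction: recompute CVV1 from
    the stripe's own service code and compare it with what the stripe carries."""
    expected = card_verification_value(ISSUER_CVK, pan, expiry, service_code)
    return hmac.compare_digest(expected, presented_cvv)


def shimmed_clone_passes(pan, expiry):
    """A shimmer captured the chip's cleartext PAN, expiry, service code and iCVV.
    Writing those onto a blank stripe gives a clone whose CVV1 check fails
    (apart from the 1-in-1000 chance that both three-digit values coincide)."""
    data = personalise(pan, expiry)
    return issuer_verify_stripe(pan, expiry, STRIPE_SERVICE_CODE, data["chip_icvv"])


if __name__ == "__main__":
    pan, expiry = "4000001234567899", "2712"   # constructed test card
    data = personalise(pan, expiry)
    print("stripe CVV1:", data["stripe_cvv1"], " chip iCVV:", data["chip_icvv"])
    print("genuine stripe accepted:", issuer_verify_stripe(pan, expiry, STRIPE_SERVICE_CODE, data["stripe_cvv1"]))
    print("shimmed clone accepted: ", shimmed_clone_passes(pan, expiry))
```

The check that matters is on the issuer side: the clone is only rejected because the host recomputes CVV1 from the stripe's service code and refuses the mismatch. An issuer that skips this check, or accepts the chip value on the stripe, would be exposed regardless of which anti-skimming box is in the ATM, which is why shimming protection at the ATM is of secondary importance.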
Most anti-skimming devices are equipped with a USB port and come with a dedicated software agent. Remote monitoring relies on this agent, which is installed on the ATM's own PC alongside the native ATM application. The agent receives its data from the controller and forwards it to the Remote Management & Monitoring (RMM) system. In real life this type of solution can become a headache for both the ATM service company and the ATM owner.
The reasons are as follows. The data from the controller is sent to the agent through the USB port, and using a software agent has these disadvantages:
- Often a disk image is used for the initial installation or re-installation of the ATM software. The typical result is that the agent is either missing from the ATM disk image or misconfigured, because each agent installation has parameters that must be set manually. In addition, an “old” version of the agent may already have been deleted.
- The bank's ATM security department may close every IP communication channel from the ATM except the main channel to the processing center. In that case the communication with the RMM is completely blocked.
It is much better if the anti-skimming device can be connected to an independent data network, for example through its own Ethernet port. The communication channel with the device is then direct and “independent”: it does not require any connection to the ATM PC. Thanks to this independence, even if the bank's security department insists on closing all other channels from the ATM PC, it is not difficult to agree on a Direct Connect option over a separate communication channel for the device.
Another significant disadvantage of the software agent becomes obvious when the bank decides to use its ATM monitoring system to monitor the anti-skimming device as well. If that monitoring is delivered as SaaS, it will be difficult to get the outsourcing company to take responsibility for software it did not develop. When the anti-skimming solution is independent of all ATM resources, it is entirely under the bank's control, and its monitoring can be outsourced to a third party.
The StopSkimmer anti-skimming device sold by SPL GROUP in fact meets all the requirements discussed above.