It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data. Some are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM or makes a purchase at a retail store (no PIN is required if the transaction is run as a credit card purchase), and disappears into the sunset. You’ll never see your money again.

Roll ‘em:

Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.

The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine— or even genuine-looking— card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.

Numerous incidents of ATM skimming have been reported recently, including:

• NetworkWorld: ATM skimming equipment seized at Brisbane Internat’l Airport
• BankInfoSecurity: Ohio Skimming Scam Nets $50K
• The Washington Post: Bank expert discusses ATM skimming — and how to detect it

So, what can be done about this?
There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using known ATM machines and keeping an eye out for changes, etc. But just like passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.

PhoneFactor’s Transaction Verification is an easy, effective means of protecting consumers. PhoneFactor simply calls the card holder to verify the transaction before dispensing the cash or completing the transaction. It works for online transactions as well as in person transactions as ATMs and retail locations.

- Steve

Is there anything you can do about the security risk of mags stripe cards? ATMs are the easiest to steal, and the latest case, where a bank ATM was rigged to steal card after card in broad daylight, shows that PCI regulations can’t stop the Bad Guys.

Find out the places you go every day that put you and your bank account most at risk. Gas stations? Movie theaters? Listen in, call in, or join them on live chat as they discuss strategies to protect your ATM cards and credit cards.

Listen At:

Host Steve Dispensa, PhoneFactor’s CTO, Will Be Joined by Co-Hosts To Solve Cases, Offer Advice for Protection, and Take Callers, Live Chat

February 11, 2009 - With news stories breaking weekly about attacks on personal and financial data, PhoneFactor is starting an Internet Radio Talk Show called Security Break Live! With Steve Dispensa. The premiere show will take on ATM fraud and magnetic stripe card cloning.

With the jobless rate continuing to climb and the bad guys getting more desperate, the safety of personal data has never been in greater question. Security Break Live! will broadcast potential solutions to crimes in the news. With live chat and the hosts taking callers, the twice-monthly show will also provide a community venue for critical discussions about whether the law is keeping up with criminals’ ability to break it.

“Identity theft keeps skyrocketing, and we need to start talking about solutions. I want to help people protect themselves, and their businesses, from these imminent threats,” said Steve Dispensa, the show’s host and PhoneFactor’s CTO, who closely monitors emerging threats and the impacts on user authentication. Dispensa was an industry pioneer in transaction-level verification to combat man-in-the-middle attacks against authenticated sessions, and has numerous patents pending for related out-of-band authentication protocols.

The award-winning PhoneFactor, the two-factor authentication provider that secures millions of logins with a simple phone call, will kick off the radio talk show this Friday, Feb. 13, at 12 p.m. ET, at www.blogtalkradio.com/securitybreaklive. Dispensa is also hosting a blog at www.securitybreaklive.com.

The premiere show partners Steve Dispensa with guest co-host John Quain, CBS Up to the Minute tech correspondent and a frequent contributor to The New York Times. Together, they’ll take on the two latest cases of ATM fraud and card cloning in broad daylight. Is there anything you can do about the security risk of magnetic stripe cards? ATM cards are the easiest to steal, and the latest cases, where hundreds of cards were stolen, show that PCI regulations can’t stop the crime.

The radio show will be broadcast on the 2nd and 4th Friday of every month, with special live broadcasts from security industry shows, such as the RSA Conference in San Francisco, April 20th-24th.

The second show, to air on Friday, Feb. 27, at 12 p.m. ET, will take on the enormous security breach at Monster.com, one of the largest breaches of personal data in history. Joining Dispensa will be guest co-host Elinor Mills, senior writer at CNET News.