Digital Transactions Authoritative, insightful and timely information for payments professionals
Leading ATM manufacturer NCR Corp. this week issued a warning about a new variant of card skimming that gives an ATM user no clue that the machine’s card reader is stealing debit card information. Meanwhile, a report says payment cards used at a theme park in Hershey, Pa., may have been compromised in a possible two-month data breach that ended in May.
Duluth, Ga.-based NCR issued the alert Tuesday regarding so-called card-reader eavesdropping involving a break-in of the ATM from the top. So far, the new method has been confirmed to have been used by criminals on freestanding NCR Personas ATMs, not through-the-wall ATMs, in bank lobbies in the United Arab Emirates. An NCR spokesperson confirmed the security alert but did not reply to a question about whether the new tactic has been used in the U.S. or Canada.
“The criminals are gaining access to the card reader by breaching the security of the ATM top box,” the alert says. “They are then attaching a similar electronic device to that observed in previous [eavesdropping] attacks to attach directly to the card reader to capture the card data. No holes are drilled in the fascia to gain access; therefore the attack is invisible from the exterior of the ATM once the top box is closed.”
In earlier eavesdropping attacks, criminals opened a hole near the card reader, typically the “card-orientation window” on the front of the machine with a graphic that shows the user how to insert the card. In either case, the hole is big enough for the attacker to reach in and place a tap directly on the card reader to skim data when cards are inserted.
“One end of the device is attached to the contacts on the back of the magnetic-stripe read head of the card reader, whilst the other is attached to a data-storage device,” the alert says. “Once the tap is in place, the hole in the fascia can be disguised by placing a sticker, or some other cover over the hole.”
NCR says it has an anti-eavesdropping kit for its Personas and SelfServ ATMs that encloses the card reader in a protective shield.
The growth of eavesdropping attacks is due to the widespread availability of anti-skimming technology that prevents traditional skimmers from being placed on card readers on the outside of the ATM, according to NCR. “Eavesdropping is successful because skimmers are placed in a location that third-party anti-skimming technology cannot protect, since the ATM must be capable of reading the card,” the alert says.
In other security news, the KrebsOnSecurity blog reported this week that Hersheypark, a resort and theme park in Hershey, Pa., home town of candy maker The Hershey Co., is investigating a possible payment card data breach. Sources at three financial institutions told Krebs that they detected patterns of fraudulent card activity after their customers used their cards at Hersheypark properties between mid-March and and late May.
“We have received reports from some of our guests that fraud charges appeared on their payment cards after they visited our property,” a Hersheypark spokesperson says by email. “We take reports like this very seriously. While our company does have security measures in place designed to prevent unauthorized access to our network, we immediately began to investigate our system for signs of an issue and engaged an external computer security firm to assist us. The investigation is ongoing.”
Further details about the possible breach were unavailable.
