The source of stolen cards continues to originate through two primary methods: skimmers and network breaches. A hardware skimmer is a device placed over a card port on an ATM or gas pump. The skimmer is designed to capture the data on the cardís magnetic strip as it is inserted for payment or to withdraw cash. This physical attack on the card previously required a criminal to retrieve the skimmer in order to download the captured data. Today, most skimmers sold in the Underground Economy are equipped with GSM or Bluetooth functionality thereby allowing criminals to remotely retrieve the stolen data and reduce the risk of capture. Generally these skimmers are equipped with enough memory to store a few hundred credit card numbers. Additionally, skimmers are sold to specifically match the manufacturer and model of ATM being targeted. Since ATM manufacturers publicly release new bank contracts, criminals are able to plan skimmer placement before new ATMs are even installed.
A soft skimmer is a device placed on a POTS (Plain Old Telephone Service) circuit in order to intercept the data in transit. Stand-alone ATMs in convenience stores or hotel lobbies may rely on modems for communication with a merchant network. After recording the tones on these phone lines, criminals use widely available software to convert the tones to digital data, specifically credit card numbers. Skimmers continue to be a threat to consumers in countries that rely on magnetic stripe cards.
Unauthorized access to computers and networks containing credit card track data has proven especially disastrous for merchants and banks. The breaches of Heartland Payment Systems, RBS WorldPay, and TJX illustrate the determination of criminals to find and secure large databases of credit card track data. In the past, Point of Sale (POS) terminals used in retail outlets were exploited through vulnerabilities in the underlying operating system that these terminals use. Failure to patch the operating system has led to remote exploitation via freely available hacker tools. Data exfiltration has occurred for months before the merchant discovered or was alerted to the tainted POS terminal. Criminals continue to aggressively hunt for large amounts of card track data either in storage or in transit. Once a target is identified, the compromise is only a matter of time and resources. Today, financial databases and networks continue to fall victim to the most motivated and talented hackers. Previously, compromises have existed for over a year before the breach was discovered. The purveyors of this data will quickly become rich, as will the end users who purchase the data for coordinated exploitation.