Data Skimming: 3 Places Your Data Can Be Compromised and What You Can Do - ITS Tactical
 

Data Skimming: 3 Places Your Data Can Be Compromised and What You Can Do

By Rob Henderson

Physical Data Skimming

Imagine that you’re out at a local theme park. It’s been a long day and you’ve been snapping pics, recording video and texting friends and family. You didn’t even notice that your phone battery was running low and now you need a recharge as quickly as possible. Thankfully, up ahead you notice a free phone charging station. You’re in the clear, right? Maybe not.

Public services like phone charging stations, ATMs and vending machines may seem convenient, but the reality is that your data could be at risk when using any of them. It’s easy for someone to create a skimming device that allows them to capture information from your card or phone for use later.

Public Phone Charging Stations

More and more of these charging stations are popping up in businesses, airports and other public places as the demand for charging devices grows. While they might seem convenient, phone charging stations can be used to strip images and data while your phone is connected.

In some cases, malware could even be uploaded to the phone or device. While there aren’t specific examples available of a phone charging station being used to steal data from a phone, the threat exists and caution should be taken.

Avoiding these chargers is the best practice, but if you’re absolutely in need of a charge and can’t avoid plugging in, consider using a condom. A USB condom, that is. Since USB is capable of carrying power and data simultaneously, the USB condom blocks the data pins inside the USB connector and only allows power to flow through.

Alternatively, you can also carry a USB cable and a wall charger to plug directly into a wall outlet. Just be cautious here too and if it doesn’t look like a standard outlet, avoid it.

ATM Skimmers

ATMs can be an extremely convenient way to get cash when the bank is closed, or when you just don’t feel like getting out of your car. Unfortunately, ATM skimmers are becoming smaller and harder to detect. An ATM skimmer is a device placed over an ATM card reader that’s capable of reading the magnetic card data. These are usually paired with a small camera that records the numeric pad while the PIN number is entered. This gives the thieves access to your ATM card number and your PIN, allowing them to create a duplicate card with the same magnetic data and withdraw money from ATMs.

The main issue with ATM skimmers is that you won’t know you’ve been hit until it’s too late. Unless someone discovers the skimmer, the thieves can remove it and create the dummy cards to use whenever they like. Most ATMs provide balance information about your accounts, including savings, with nothing more than the ATM card and your PIN, meaning thieves with your data could continue checking your account for the perfect opportunity to strike.

So what’s the best method to avoid ATM skimming? Don’t use them. If you’ve got an event coming up that requires you to have cash, head to the bank when they’re open and go inside to withdraw cash. It’s less convenient, but getting cash directly from a teller is much more secure. If you absolutely have to get cash and the bank is closed or not available, try to find a gas station or other merchant that offers cash back. Cash back usually offers you $10 – $40 and is more secure than using an ATM.

Changing your PIN number occasionally can also help keep you more secure. Many people keep the same PIN number for years and never think about changing it. Your PIN number is a password that protects your bank information and having the same four or six digit code for years increases the risk of having that information compromised.

Vending Machines/Credit Card Terminals

These days, everyone is accepting credit cards for anything from a soft drink to a charitable donation. The rise of handheld credit card scanners and plug & play scan devices means that anyone can get set up to take credit cards within a few minutes.

Recently while leaving my local supermarket, I was approached by a gentleman asking for donations for his organization. When I gave my usual response that I don’t carry cash and only have plastic, he responded that was okay since he had a credit card terminal. As I left the parking lot, I was even more amazed to see that people were actually swiping their cards to give donations to this person. While he may have been with a legitimate organization, he could have been skimming the data and using it for other purposes.

Credit card skimming is a much more dangerous issue, since cards can be used virtually anywhere, including the Internet. Skimmers can take the information and rack up thousands in charges before you’ve been alerted to the fact that the card was compromised. If you think that having the 3-digit code on the back of your card will protect you from card theft, keep in mind that cameras are getting smaller every day and the resolution is getting better. It would be easy to capture that information as the card was run through a scanner.

Also be wary of holding your card out in public in situations like waiting in line to pay. Cell phone cameras can be used to snap a picture of your card and if enough information is visible, the thief won’t even need to run the card through a scanner, since the photo gives them all the information they need.

Not using unattended credit card terminals as found on vending machines and other public devices ensures that your information isn’t available for capture. Frequently requesting a new card number from your credit card company is also a best practice, as it minimizes the time any thieves would have to use your information. Many times, credit card companies allow you to tailor the fraud detection on your card and you can increase the monitoring while decreasing the maximum purchase amount. At times, this may be inconvenient since you may need to call the company before making larger purchases, but it can help keep unauthorized charges from going through.

Use your best judgement when it comes to ATMs, charging stations and credit card terminals and remember that if it doesn’t feel right, it probably isn’t. It would be better to err on the side of caution than risk having your data stolen and potentially spending months straightening it out.

Discussion

13 comments
Q SQN

Hak5 is very educational just as well as their other YouTube channel Threatwire, which is amazing in regards to this topic.

kclfc

Hi,

I'm a long time reader, first time poster.

I just had to share something I've known for quite some time about USB connectors. (I tried to link the Instructables page but it wouldn't let me.) You can cut a piece of paper to cover the centre two contacts in a USB jack, thus making it charge only.

I used the method to sever the connection from my phone to my work laptop because work has policies to encrypt everything - and thus removing all my data. So I could still use my laptop to charge.

Also, this method also tricks your phone into thinking it's not plugged into a data connection and will pull the full amperage through the connection - some PCs and wall USB sockets can push 2A so you get a quicker charge. Normal data connections can only do 0.5A because it would otherwise fry the data connections.

Finally, once you get used to what you're doing you can just rip paper with your fingers, so you can just do it with a leaflet or something in the area and not have to pull out a DIY/craft kit to make this work.

Hope it helps!

Cheers

khanh


KR0SIV

I'm considering just making USB adapters; they would actually make a nice item for the store here.

The idea being a straight-through USB adapter with the data pins cut, allowing you to charge your device in public without worrying about the possibility of a USB exploit being used against you.

It would essentially only allow power through, not data.

randypb

Great article Rob, it gets me thinking, and that's what I expect from ITS!

Travis Duarte

This is why I don't use those stations in the Philippine malls and I tell my wife to deal with no battery till we get home.

WitchDoc

Thanks for the USB condom info. Great stuff as usual!

Steve Hupe

I carry a plug adapter. More electrical sockets than USB sockets anywhere. Even parking lots in a pinch.

Jacob Farley

Some parking lots will have plugs attached to light posts or the outside of buildings. Most people don't see them 'cause they aren't looking for them.

Don Nelson Nolasco

This is why I carry a portable battery. 11000+ mAh and I can power my family's phones and cameras in my bag.
