Monday 24 November 2008

Card fraud: Skimming or Database Attack?

I have just come back from visiting a customer in the Gulf. The customer was not in the banking sector, but an event in the region about a month ago was brought to my attention, in which UAE banks were hit by a wave of card fraud. None of us want to have to replace our cards or our passwords unless we really have to, so it is quite startling when a number of different banks contact their customers to force them to make these changes. The rumors were that a gang had put up cameras and skimmers to capture card and PIN details. I am troubled by the interpretation that skimming was to blame. The security on ATMs, particularly around what data is held where (e.g. the PIN is never transmitted unencrypted), is very solid. With such a large number of different banks being “hit” and with so many PINs being stolen, I wonder whether there was actually an intermediate system that was holding too much card data -- and that it was vulnerable.