Held up with an ABM Card: Is plastic panacea or pestilence?

Published: Saturday | March 20, 2010 | 12:00 AM

Mario James, Gleaner Writer

The modern financial world is built on plastic. Credit and debit cards are spurring the cashless revolution. It's quite chic to say to the windscreen washers at the intersection of Hagley and Eastwood Park roads, "I ain't got no change, boss ... ongle plastic mi got!" More often than not, this ruse works. And, truthfully, having plastic does seem to sweep away the brown coins that seem to collect and spawn in your car interior like lint.

But, going with digital dinero does have its drawbacks. Accessibility to your cash is most convenient. Trouble is, with digital commerce this convenience is not limited to you. There are folks out there who go to extreme lengths to make sure that this convenience is spread worldwide. It's easy money for them, as they haven't got to do the traditional dirty work to get it. Just last Wednesday, a fuel pump attendant was charged with lifting nearly J$1.4 million from unsuspecting motorists.

The device used in this case - a magnetic card reader - can be bought on eBay for less than US$50. Shipping and handling to Jamaica was listed at $23.95 - so even if customs charged 50 per cent duty on the aggregate, for less than US$111, or J$10,000 - unwanted free enterprise can rear its ugly head. The unit even comes with a USB cable end.

The source website, whose URL Saturday Life is not publishing, claims to have cheap PVC magnetic swipe cards - the same size and shape as the cards used to make bank cards.

Kemar Williams, an IT professional contacted by The Gleaner, painted a sombre picture of how easy it could be to steal money from an ATM - without guns, violence, a saw or sledgehammer.

"An inside link to the bank must first be forged," he said. "That link would have to provide one vital piece of information. The criminal would need to know how the financial institutions arrange the data on the card. This is especially important," he said.

Walter Emert also has a thorough grasp of IT - and put a lot of thought into such an operation.

"The next step would be data collection," he said. This, Emert went on, would involve, for example, removing the ABM door's mounted reader and installing a similar-looking one that has been reworked. This new card-swipe device - known colloquially as a skimmer - is, like the one it replaces, not connected to the system, he told us. Its only purpose is to open the door.

The reader could be modified to store data.

"ABM debit cards traditionally have nine data fields," Emert told Saturday Life. "They typically store first, middle and last names, date of birth, address, a telephone number, account number, PIN and a bank code, which is used to identify the bank where the account is situated."

Being at the door, when the account holder comes and swipes his card to gain entrance, the reader is programmed to open the door, which happens. But instead of reading one particular field - which happens normally - the entire record is stored on a chip, similar to a thumb drive. It is stored in an editable file format.

Williams said most readers have USB ports which enable the data to be downloaded quickly. A simple smartphone would be used in that operation. Using the data structure obtained from the 'inside link', the numbers would then be processed, or delimited, to show up what he calls 'fields' - at which point the data make sense to humans.

Left like this, hundreds, even thousands of cards can be collected
over days or weeks.

IT managers from two banks declined to comment when asked if this
information was false. MultiLink, which operates Jamaica's debit network, did
not respond to Saturday Life queries in time for publication.

"A special interface could be built to connect a Windows CE
smartphone - such as a Palm Treo, which is capable of about 20 million
instructions per second - to the card slot in the ABM," Williams went on. The
interface would look like a card with a ribbon cable coming from it, and would
have to be made. "However, plans for that kind of device are readily available
on the Net," he said.

The final piece of the puzzle is software - also readily available
on the Internet. The software, which The Gleaner has opted not to name,
can be programmed to run a 'directory attack' - a term used by Emert. The
programme would plug in 10,000 numerical combinations of a numerical four-digit
sequence into the ABM and the machine would flag the record when the PIN is
correct. The hand-held smartphone would then go to the next record, and so on.

"Each record would take 20 seconds to produce a PIN," he added.
This data would be loaded on to the blank bank cards.

The goal of all this high-tech thievery is not to deprive an
account as soon as its PIN is known. The goal is to get as many accounts as
possible so that the cash extracted from each account doesn't have to be all
that large. If 100 accounts have generated proper PINs, extracting $1,000 from
each account three, four times a month is not as noticeable, yet nets a decent
house money as the database grows.

Debit-card fraud victims are most vulnerable, the source claims;
there are none of the built-in safeguards that the credit-card system has. Banks
are reportedly also usually more reluctant to reimburse debit-card fraud.

Next time the cashier asks, 'Cash or credit?' - maybe you should
consider reaching for the long green!

* Names withheld for privacy

mario.james@gleanerjm.com

ABM safety tips

Play It Safe

Use cash when it's safe to do so.

Take an extra minute to write a cheque.

Use a credit card and pay it off at the end of the month.

Check your monthly statements for fraudulent charges.

Be aware of your surroundings at all times.

Notice who is standing near you and what they are doing when you use your card.

Be aware of phones when around points of sale because most phones have cameras. The camera can be used to photograph credit-card information.