Think like a criminal to avoid being scammed
by Steve Hailey and Mike Andrew | Shared by Lynnwood Times

By now we have all heard advice on how to avoid being scammed this holiday season.  In this article, internationally recognized Cyber security and Digital Forensics experts Steve Hailey and Mike Andrew offer some additional food for thought

“How did they get my credit card information?!” “How did they get my bank account information?!”

We hear these questions way too often, and even from people that have taken steps to protect their information and avoid identity theft as well as credit card fraud. Criminals don’t need access to your computer or credit cards to steal your identity or empty your bank account.  You just need to think like a criminal to understand how it’s done. 

Give Me Twenty and Take My Thousands You go to the mall or a big box store and are offered twenty dollars (or something else of value) to complete a credit application; what a deal!  The scammer gives you twenty dollars for your personal information that will be worth thousands of dollars to them on the Dark Web. When the application asks you to list bank account numbers and information on other credit cards you have, it’s likely a scam.  Being approached in the parking lot is a red flag as well.

Swiper, No Swiping! (A.K.A. How Does the Drive-Through Cashier Drive a New BMW?) You offer up your credit card to pay for that mocha or burger, and end up waiting several minutes before your card is returned.  You may even see the person you gave your card to disappear out of sight for a bit.  In addition to paying for your food, something else may have happened. Your card was swiped through an illicit card reader, and will now be used to commit fraud.   This type of activity is often tied to local crime rings, seasonal and transient workers, and “one person” operations. 

I Beat My Old Score, but My Identity Was Stolen! This is an issue we see way to often when investigating a network compromise or information theft.  It can happen in people’s homes or in a Fortune 500 company; we’ve seen both.

The original Xbox gaming system (black and green) used a vulnerable wireless protocol called Wired Equivalent Privacy or WEP.  When owners of the slightly newer Xbox 360 use wireless controllers that work with the original Xbox, they also need to use WEP for the wireless controllers to function.  We also find WEP being used because it is the only wireless protocol that some legacy or outdated computer equipment supports. WEP is very easy to crack, and is not secure.  

If you are using WEP, hackers can sit outside your home or business, crack your WEP key and be accessing your network (and thus personal information) in a matter of minutes. 

Have I Been Skimmed, Shimmed, or Carded? Skimmers and shimmers are physical devices used to illegally obtain your credit card information.

Skimmers are used in Automated Teller Machines (ATM’s), gas pumps, and just about any type of device used to swipe your credit card.  This includes nonbank ATMs, such as those in convenience stores, and the Point of Sale (POS) systems used by a myriad of merchants.   Shimmers can be used in the same places that skimmers are used, but are much harder to detect, as they are very small devices; usually nothing more than a thin circuit board with a few microchips.

Data collected by skimmers and shimmers can be used to fabricate magnetic strip based cards.  In other words, to make physical credit cards that can be used just like any legitimate card.  Skimmers and shimmers can be purchased pre-made on the Internet and the Dark Web, or, for the do-it-yourself criminal, a 3-D printer can be used to make the plastic housing for the skimmer, with circuit boards and parts from MP3 players used for the electronics.

Materials and equipment to make credit cards can be purchased from Amazon, eBay, and multiple other Websites.  Amazon and eBay are not doing anything wrong mind you, the materials and equipment used to facilitate criminal enterprises are also used for very legitimate and legal purposes.  

Once your information has been skimmed or shimmed, criminals can use the data collected to make online purchases, steal your identity, and as a commodity to be sold and traded with other criminals. 

We commonly find that many people have a false sense of security with the newer microchip cards.   While the shift away from magnetic strip technology has cut down on card fraud, not all merchants or ATM owners are compliant; many do not want the expense required to upgrade their equipment.   Skimmers and shimmers are also commonly used in conjunction with cameras and fake keypads to record and capture your PIN number.  Yikes!  We know this is a lot to get your head around.  Take five minutes to watch the following four videos on YouTube, and all will be clear.

http://bit.ly/lynnwoodtimes

This process of stealing your card information and/or making cards to enable fraudulent purchases is known as Carding.  If you’ve got approximately $700.00 in crypto currency or credit cards (stolen is fine), you can take classes online via the Dark Web to become a Certified Carder.  No fooling, we’ve done it.

Keep in mind that while the major credit card networks have a $0 liability guarantee for fraudulent credit card transactions, don’t be complacent; this is what the criminals are hoping for.  You see, stealing your card data is often just one part of a bigger scheme.   

Criminals can easily steal your identity by piecing together information gleaned from your credit card(s) with information obtained by having your license plate ran and by going through your trash.  By the way, the next time you are pumping gas and decide to clean out your car, pay attention to what you are throwing away.   Criminals regularly go through the trash bins at gas stations and car washes to obtain your old mail, to include those credit card offers, statements, and old receipts that you toss.

Is It Hopeless? Know that we’re all scared to even go outside, here are a few tips to avoid being scammed:

• Use phone apps to pay for your fast food and convenience store purchases, or, use gift cards that you load yourself. 
• Do not use the WEP wireless protocol on your network or networked devices!  Use the Wi-Fi Protected Access II (WPA2) protocol. 
• Use virtual credit cards for all online purchases.
• Inform your credit card companies to not honor purchases made with old accounts.
• Do not use ATM’s at convenience stores.
• Physically inspect ATM, gas station, and POS card readers for gaps in the assembly, lose parts, and colors that do not seem to match.
• Check gas station pumps for the “Do Not Tamper” seals and locks.
• Use microchip credit cards, and have a particular card you always use if the chip reader is not working and you have to “swipe” instead.
• With microchip cards, always run as credit, not debit.

We hope you have enjoyed the article!  For additional information and tips, please visit us on the Web:

http://bit.ly/CSA-TIPS

Steve and Mike instruct the Cyber Defense and Digital Forensics programs at Edmonds Community College, and also serve as Subject Matter Experts in Cyberterrorism for programs sponsored by the Department of Homeland Security.  When not busy with the above, they oversee the operations of CyberSecurity Academy.