Debit card compromised - what's the most likely way?

I just had a call from my bank (Santander), it seems I'm in Indonesia trying to take some cash out :eek:

What is the most likely way my details were obtained?

I've checked my transactions, most are either supermarket chip & pin, cash withdrawals and online (mainly using PayPal).

My card is contactless, can enough information for a cash withdrawal be got from someone walking around using a scanner?
 
I've always assumed it's stolen from websites where you've saved card information. Wouldn't have thought it would be from "real world" information theft (chip & pin, ATMs), unless you used an ATM with a hacked card reader I suppose.
 
I just had a call from my bank (Santander), it seems I'm in Indonesia trying to take some cash out :eek:

What is the most likely way my details were obtained?

I've checked my transactions, most are either supermarket chip & pin, cash withdrawals and online (mainly using PayPal).

My card is contactless, can enough information for a cash withdrawal be got from someone walking around using a scanner?

If it was chip & pin then put it down to the following:

1) Compromised ATM

2) Someone skimmed your card whilst at a restaurant etc, then saw you enter your pin. They then created a clone and, well, used it at chip & pin terminals. The general rule of thumb these days is to never let your card go out of sight.

To answer your contactless question, no. Only card number and expiry information is sent across during a contactless transaction. These usually have a £20 limit (soon to be £30) and only work for a number of transactions before a pin is required. They would still have needed to see your pin to do chip & pin transactions.
 
Personally I only use my debit card for removing cash from a cash machine (and always cover the pad, although this is not foolproof). Any transaction goes on a credit card, which keeps fraudsters away from my bank account.
 
Had my credit card used for cash withdrawals a week or 2 ago.

Apparently someone phoned up as me and answered all the security questions and got some replacement cards sent (not sure where, or whether they intercepted my mail).

Now have all that info removed and a password, also got RM to do a Mail collect so nothing gets delivered to my flat. Although it's not surprising as a lot of others had issues with fraud 6 months ago.
 
Do you not cover the keyboard with one hand whilst typing the pin?

They sometimes use fake keypads on top that capture the pins whilst still pressing the keys below

Like this

rj1tfBD.jpg


They can be very convincing

DHcp0oB.jpg


So not covering the pin isn't always the cause as these devices are becoming more prominent now. I never use an ATM without sticking my card into a crack of the pad and seeing if I can lift it.
 
So not covering the pin isn't always the cause as these devices are becoming more prominent now. I never use an ATM without sticking my card into a crack of the pad and seeing if I can lift it.

I used to work for a worldwide ATM company and still have personal contacts in the industry.

Unfortunately even this isn't foolproof as we've seen ones that use Bluetooth/Wi-Fi to transmit the data to devices rather than having to be removed.

The device was stuck on with araldite basically as it was never meant to be removed - so even this check wouldn't always work.

Until a few years ago STILL the most effective way of avoiding ATM skimmers was covering your PIN when you entered it. Slowly that's changed as more keypad covers have appeared but from what I've seen even the guys that make the machines are hard pressed to instantly identify a fake keypad without using it.

I'd highly recommend still covering your hand.


On a side note, funny story, when we first started putting on the green blobs on the card entry slot to make it harder for skimmers to be attached there was a massive number of people calling in saying they had "seen a skimmer" on the ATM and in addition a LOT of calls from customers saying people had smashed them off :)

I worked on the software development side so nothing to do with me, but obviously a little bit of advertising on the purpose of those things would have helped a long way!

Best thing was of course that then they started making skimmers that HAD a massive green blob on them that could be attached to old ATMs without them.

With enough time scammers will always be able to beat the physical devices on ATMs.


EDIT: Ah found it! This was the other one I couldn't be bothered describing without an image to go with it

Even if you don't go down the "expensive" wireless data transmitting devices, this is another keypad that wouldn't come out if you tried to attack it with your card as the entire face plate it's attached to is fake!

auBrfYX.png


http://krebsonsecurity.com/2010/06/atm-skimmers-separating-cruft-from-craft/
 
I have no idea why ATM software has developed to the point where you can be shown adverts for more services that the bank has to offer, but not a photo of what the card slot and/or keypad are supposed to look like.
 
The pin pad scam is scary. I will start using ATMs within the banks instead of the ones outside.

While statistically yes, this is "safer", there are still many reported cases of skimmers being found on indoor and even BANK ATMs. The crooks are basically exploiting the very fact that 1) bank employees don't expect someone to be so blatant and 2) customers, like yourself, assume that there's extra security inside when really all the security exists around the money.

I have no idea why ATM software has developed to the point where you can be shown adverts for more services that the bank has to offer, but not a photo of what the card slot and/or keypad are supposed to look like.

Becoming more of a valid option as the screens are now higher resolution, but it's been proven that without physical copies to compare against it's often impossible for people to compare a 2D image on a screen to a 3D physical object and determine whether they match identically - especially when the skimmers these days are one to one replicas just with a slight increase in dimensions.

EDIT: That's even to say that there's even something to see! :)

There are "invisible" card skimmers that sit inside the card slot, and if they're using a camera for monitoring the keypad then there might not even be any physical change to see on the keypad itself.

Also, even if I gave you this photo of this keypad:
7rohmmE.png


Do you think someone would notice this camera?
NAYktCJ.png
 