Card trapping is a type of ATM attack in which criminals trap a user's credit or debit card to obtain the card details. The criminals install a device inside the card acceptance slot of an ATM to trap cards inside the slot. Razor-edged spring traps are generally used because they stop the customer from ejecting the card after the transaction completes and prevent the ATM from retracting it. In this scam, the ATM does not register the credit or debit card entry details. The criminals seldom pose as fellow customers and aid the card-trapped victims in order to gain their ATM PIN. ATM cash trapping comes under low-technology ATM attacks.
The criminals use tweezers to retrieve the customer's card from the ATM. An overlay device attached to the keypad helps the criminals record the PINs of ATM users. Wire, thread, or tape is typically used to trap the cards. Criminals usually choose an ATM that does not have any branches nearby, so that users are not able to deactivate their cards immediately after the card trapping attack. Disabling the credit or debit card shortly after a card trapping incident stops the criminals from making transactions and saves the ATM user's money. ATM card trapping attacks usually occur after banking hours, so that customers cannot disable their ATM cards immediately.
The stolen ATM cards can be used later with or without the ATM PIN. For example, signature-based cards can be used at point-of-sale terminals to shop instead of withdrawing cash from an ATM. Thin plastic sleeves can also be used to perform card trapping attacks. The tiny plastic sleeves are inserted into the card reader to prevent the ATM from reading the magnetic stripe data and to trap the credit or debit card in the card reader slot. When the customer inserts the card into the card slot, the ATM asks for the PIN repeatedly, and the criminals then gain access to the ATM PIN using various techniques. When the card trapping victim leaves the ATM, assuming that the device has “swallowed” their card, the criminals remove both the plastic sleeve and the ATM card from the machine. Hidden video cameras are also used by the criminals to record the customer's ATM PIN details.
Types of card trapping devices
- Tape measure (builder loop)
- Fuse wire (Lebanese loop)
- Water bottle (Algerian V)
- VHS tape (Romanian loop)
Steps followed by the cyber-criminals to execute card trapping:
- The first step involves the cyber-criminals tampering with the ATM. Criminals fit a loop of material or a plastic ‘V’ shaped material to a false card reader slot and then place it over the real card reader slot inside the ATM.
- Once the user inserts the card to the card slot, the ATM card gets trapped in the false card trap.
- The ATM screen does not change or prompt the users to enter the password, as the ATM does not detect the card.
- The customer then tries to retrieve their card from the card slot but fails, as the card is trapped in the false card slot.
- The customer walks out of the ATM to seek help to retrieve the cards.
- The criminals then enter the ATM and take out the card and walk away.
Prevention measures for users to tackle ATM card trapping attacks:
- The ATM users should be educated on the card trapping devices to prevent them from being a card trapping victim.
- The ATM users should never accept help from strangers during the transactions.
- If the credit or debit card gets stuck in the ATM, the user should inform the respective authority about the incident immediately so that the card can be blocked before the criminal makes any transactions.
- The cardholder should never write down their PIN on the ATM cards.
- The customer should check the bank transaction and withdrawal details regularly.
- Never share the ATM PIN or the password with strangers in the ATM.
- ATM users should pay close attention to the card reader slot. If the slot looks bulky or strange, try pushing it by hand. If there is a fake card reader over the real card reader, the card reader slot will shake back and forth or even come off the machine.
- Never use an ATM with an incorrectly attached or hardened keyboard. If one is found, cancel the transaction and inform the bank immediately.
- Look for the hidden cameras installed by the criminals inside the ATM.
- Use bank ATMs and reduce the usage of stand-alone ATMs, as stand-alone ATMs are more vulnerable to cash trapping attacks.
Prevention measures adopted by banks to tackle ATM card trapping attacks:
- Anti-skimming solutions introduced by the ATM vendors will protect the ATM from card trapping devices.
- Designing the ATM to prevent the entry of foreign objects will stop the criminals from inserting unwanted devices.
- Regularly updating the ATM hardware and software will keep the ATM protected from card trapping devices.
- Providing the remote or stand-alone ATM with adequate security will reduce the ATM card trapping attacks.
- The contactless capability of the card can help to face the card trapping attacks. Introducing tap cards will protect the users from the card trapping attacks in ATM.
- Only authorized persons should be allowed to carry out works on the ATM.
- The early trap activation settings can be enabled by the bank, which allows the card reader to carry out a partial eject motion on the approval of the credit or debit cards. This setting guarantees that the card trap does not block the card eject path.
- Banks can introduce built-in sensor devices in the card reader to detect deceptive devices that keep the shutter open.
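One way a bank's monitoring team could combine the signals described above (a card that can be neither ejected nor retracted, a shutter held open, activity outside banking hours) into an inspection alert. This is an added example, not part of the original article or any ATM vendor's software; the log format, event names, banking hours, and score threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log; format and event names are hypothetical.
SAMPLE_EVENTS = """\
2024-03-02T21:14:05 ATM-017 CARD_EJECT_FAILED
2024-03-02T21:14:35 ATM-017 CARD_RETRACT_FAILED
2024-03-02T21:15:10 ATM-017 SHUTTER_STUCK_OPEN
2024-03-02T11:02:40 ATM-004 CARD_EJECT_FAILED
2024-03-02T11:03:10 ATM-004 CARD_RETRACTED
2024-03-02T22:40:00 ATM-009 SHUTTER_STUCK_OPEN
"""
BANK_OPEN, BANK_CLOSE = time(9, 0), time(17, 0)  # assumed banking hours


def parse(log):
    """Yield (timestamp, terminal, event) from 'ISO-time terminal event' lines."""
    for line in log.splitlines():
        if line.strip():
            ts, terminal, event = line.split()
            yield datetime.fromisoformat(ts), terminal, event


def score_terminals(log):
    """Return {terminal: (score, reasons)} for terminals showing trap indicators."""
    per_terminal = defaultdict(list)
    for ts, terminal, event in parse(log):
        per_terminal[terminal].append((ts, event))
    findings = {}
    for terminal, events in per_terminal.items():
        names = {event for _, event in events}
        score, reasons = 0, []
        # A trap blocks both directions: the card cannot be ejected or retracted.
        if {"CARD_EJECT_FAILED", "CARD_RETRACT_FAILED"} <= names:
            score += 2
            reasons.append("card neither ejected nor retracted")
        if "SHUTTER_STUCK_OPEN" in names:
            score += 1
            reasons.append("shutter held open")
        # Indicators outside banking hours weigh more: the victim cannot get help.
        after_hours = any(not BANK_OPEN <= ts.time() < BANK_CLOSE for ts, _ in events)
        if score and after_hours:
            score += 1
            reasons.append("outside banking hours")
        if score:
            findings[terminal] = (score, reasons)
    return findings


def terminals_to_inspect(log, threshold=3):
    """Terminals whose score warrants a physical inspection of the card slot."""
    return sorted(t for t, (s, _) in score_terminals(log).items() if s >= threshold)
```

On the constructed sample, only ATM-017 crosses the threshold; ATM-004 recovered the card by retracting it, so it is not flagged.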
The banking security experts at Netsentries have developed a series of hands-on vulnerability assessments that look at the entire ATM environment. We can identify software, hardware, and communication protocol vulnerabilities that can be exploited and provide remediation measures to effectively resolve them.