2018 USENIX Security Symposium论文集：系统安全与网络攻防

USENIX

需积分: 9 79 浏览量更新于2024-07-16 收藏 103.47MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

资源详情

资源推荐

Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer ...................1511

Thanh Bui and Siddharth Prakash Rao, Aalto University; Markku Antikainen, University of Helsinki;

Viswanathan Manihatty Bojan and Tuomas Aura, Aalto University

Wireless Attacks

All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems ..........1527

Kexiong (Curtis) Zeng, Virginia Tech; Shinan Liu, University of Electronic Science and Technology of China;

Yuanchao Shu, Microsoft Research; Dong Wang, Haoyu Li, Yanzhi Dou, Gang Wang, and Yaling Yang,

Virginia Tech

Injected and Delivered: Fabricating Implicit Control over Actuation Systems by Spoofing Inertial Sensors ...

1545

Yazhou Tu, University of Louisiana at Lafayette; Zhiqiang Lin, Ohio State University; Insup Lee, University of

Pennsylvania; Xiali Hei, University of Louisiana at Lafayette

Modelling and Analysis of a Hierarchy of Distance Bounding Attacks ..............................1563

Tom Chothia, Univ. of Birmingham; Joeri de Ruiter, Radboud University Nijmegen; Ben Smyth, University of

Luxembourg

Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets .........................1581

Weiteng Chen and Zhiyun Qian, University of California, Riverside

Neural Networks

Formal Security Analysis of Neural Networks using Symbolic Intervals .............................1599

Shiqi Wang, Kexin Pei, Justin Whitehouse, Junfeng Yang, and Suman Jana, Columbia University

Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring .......1615

Yossi Adi and Carsten Baum, Bar Ilan University; Moustapha Cisse, Google Inc; Benny Pinkas and

Joseph Keshet, Bar Ilan University

NT: Author Attribute Anonymity by Adversarial Training of Neural Machine Translation ..........1633

Rakshith Shetty, Bernt Schiele, and Mario Fritz, Max Planck Institute for Informatics

GAZELLE: A Low Latency Framework for Secure Neural Network Inference .......................1651

Chiraag Juvekar, MIT MTL; Vinod Vaikuntanathan, MIT CSAIL; Anantha Chandrakasan, MIT MTL

Information Tracking

FlowCog: Context-aware Semantics Extraction and Analysis of Information Flow Leaks in

Android Apps .............................................................................1669

Xiang Pan, Google Inc./Northwestern University; Yinzhi Cao, The Johns Hopkins University/Lehigh University;

Xuechao Du and Boyuan He, Zhejiang University; Gan Fang, Palo Alto Networks; Yan Chen, Zhejiang

University/Northwestern University

Sensitive Information Tracking in Commodity IoT ..............................................1687

Z. Berkay Celik, The Pennsylvania State University; Leonardo Babun, Amit Kumar Sikder, and Hidayet Aksu,

Florida International University; Gang Tan and Patrick McDaniel, The Pennsylvania State University;

A. Selcuk Uluagac, Florida International University

Enabling Refinable Cross-Host Attack Investigation with Efficient Data Flow Tagging and Tracking ....1705

Yang Ji, Sangho Lee, Mattia Fazzini, Joey Allen, Evan Downing, Taesoo Kim, Alessandro Orso, and Wenke Lee,

Georgia Institute of Technology

Dependence-Preserving Data Compaction for Scalable Forensic Analysis ...........................1723

Md Nahid Hossain, Junao Wang, R. Sekar, and Scott D. Stoller, Stony Brook University

Fear the Reaper: Characterization and Fast Detection of Card Skimmers

Nolen Scaife

University of Florida

scaife@uﬂ.edu

Christian Peeters

University of Florida

cpeeters@uﬂ.edu

Patrick Traynor

University of Florida

traynor@cise.uﬂ.edu

Abstract

Payment card fraud results in billions of dollars in

losses annually. Adversaries increasingly acquire card

data using skimmers, which are attached to legitimate

payment devices including point of sale terminals, gas

pumps, and ATMs. Detecting such devices can be dif-

ﬁcult, and while many experts offer advice in doing so,

there exists no large-scale characterization of skimmer

technology to support such defenses. In this paper, we

perform the ﬁrst such study based on skimmers recov-

ered by the NYPD’s Financial Crimes Task Force over

a 16 month period. After systematizing these devices,

we develop the Skim Reaper, a detector which takes ad-

vantage of the physical properties and constraints neces-

sary for many skimmers to steal card data. Our analysis

shows the Skim Reaper effectively detects 100% of de-

vices supplied by the NYPD. In so doing, we provide the

ﬁrst robust and portable mechanism for detecting card

skimmers.

1 Introduction

Credit and debit cards dominate the payment landscape.

Such cards have fundamentally transformed consumer

behavior, from reducing the dangers of needing to carry

large sums of cash to eliminating interaction between

customers and employees at gas stations. Consumers

now prefer to use such payment cards in the retail set-

ting by a margin of more than three-to-one [52].

Almost as well-known as the cards themselves is the

ease with which fraud can be committed against them.

Attackers often acquire card data using skimmers – de-

vices attached to legitimate payment terminals that are

designed to illicitly capture account information. Once

installed, skimmers are nearly invisible to the untrained

eye and allow attackers to sell stolen data or create coun-

terfeit cards. Such fraud is projected to reach over

$30 billion by 2020 [5]. Moreover, even with the in-

creased rollout of EMV-enabled cards, such fraud con-

tinues to grow, with ATM fraud increasing nearly 40%

in 2017 [28]. Without reliable methods for rapidly iden-

tifying the presence of skimming devices, the frequency

of such fraud is likely to continue growing.

In this paper, we design and deploy a device for de-

tecting skimmers. We start by conducting the largest

ever academic analysis of such devices. We then use

the results of this analysis to develop the Skim Reaper,

a portable, payment card-shaped device that relies on the

intrinsic properties of magnetic stripe reading to detect

the presence of additional read heads in a payment ter-

minal. The Skim Reaper is inserted into the card slot and

counts the number of read heads present in the slot; those

payment terminals with more than one are identiﬁed as

having a skimmer.

We address these problems through the following con-

tributions:

• Characterize and Taxonomize Recovered Skim-

mers: We partnered with the New York Police De-

partment’s (NYPD) Financial Crimes Task Force

and systematized the unique skimmers they iden-

tiﬁed across nearly 16 months. To the best of

our knowledge, our taxonomy is the ﬁrst large-

scale academic examination of real skimmers. We

then use this analysis to show that common advice

to consumers to detect skimmers is not effective

against modern skimming attacks.

• Develop Portable Detection Tool: We develop and

present the Skim Reaper, a card-shaped device for

detecting multiple read heads in a card slot. We ex-

plain the physics of reading magnetic stripe cards,

then show how these can be used to both effectively

detect read heads and prevent adversarial counter-

measures.

• Validate Tool Using Real Skimmers: We ﬁrst con-

ﬁrm the effectiveness of our system on a custom,

USENIX Association 27th USENIX Security Symposium 1

0 1 0

Magnetic Stripe

Polarity

Signal

Decoded Binary

Clock Ticks

NN SS S

Figure 1: F2F Encoding: A polarity transition per clock

cycle encodes a 0, whereas two encode a 1.

conspicuous 3D-printed skimmer. We then use 10

real-world skimmers to show that our system is ro-

bust against a wide variety of skimmer form factors.

The security of payment systems in general, and

ATMs in speciﬁc, has long been studied in Computer Se-

curity [11]. Many members of the public even argued

that such devices were already secure enough to use for

national elections (although signiﬁcant research in that

space disagreed with such an assertion [32, 47, 45]). Un-

fortunately, these systems remain signiﬁcantly vulnera-

ble and require continued attention.

The remainder of the paper is organized as follows:

Section 2 offers a primer on payment card readers and

fraud against those devices; Section 3 analyzes and cate-

gorizes the skimming devices found by the NYPD’s Fi-

nancial Crimes Task Force in 2017; Section 4 details the

design of the “Skim Reaper” detector; Section 5 pro-

vides experimental results against real recovered skim-

ming devices; Section 6 discusses countermeasures and

other insights; Section 7 examines related research; and

Section 8 gives our concluding remarks.

2 Fundamentals of Card Reading & Fraud

2.1 Magnetic Stripe Encoding

Magnetic stripes store small amounts of data using fre-

quency/double frequency (F2F) encoding. F2F stores

both the clock and the data, allowing a reader to quickly

synchronize and read the data when the card moves at

an inconsistent speed (such as when being swiped). Fig-

ure 1 shows how decoding is performed: when the mag-

netic polarity change occurs within a clock cycle, the

bit is a 1. Otherwise, it is a 0. Finally, the bitstream

is decoded into plaintext characters containing the card

data (e.g., name, account number, and expiration date).

Data is stored on up to three adjacent tracks on a single

stripe [29, 30], each having its own standard for character

encoding and density.

2.2 Fraud

Magnetic stripe cards offer no inherent protection from

duplication. All data contained on a card’s tracks are

written as plaintext, and an adversary with access to the

magnetic stripe (e.g., with a skimmer) can create a legit-

imate card. These cloned cards, while magnetically dis-

tinguishable from the originals [4, 48], contain the same

data as the originals.

To prevent the use of counterfeit cards, banks and pay-

ment networks added Card Veriﬁcation Values (CVVs).

CVV1 codes are part of the data on the magnetic stripe.

This code prevents the card from being cloned with only

knowledge of data printed on the physical card (e.g., the

account number). However, if the adversary has access

to read the card’s magnetic stripe, the CVV1 code is eas-

ily cloned along with the rest of the stripe data. CVV2

codes are printed on the physical card and are often re-

quested when making phone or online purchases (known

as “card not present transactions”). This code is intended

to prove possession of the original card. Adversaries can

either acquire this code by recording PIN entry with a

camera

, through sites that sell card data with codes, and

with compromised web browsers [35].

Once the adversary has obtained data and created a

counterfeit card, the cards are “cashed out.” When cash-

ing out, counterfeit cards are used to either purchase

goods (to be resold later) or to retrieve cash from an

ATM. Once purchases for a given card are declined, the

cards are discarded.

In the remainder of this paper, we focus on the prob-

lem of detecting acquisition of payment card data. With-

out this data, adversaries will be unable to perform card

fraud.

2.3 Common Advice

Card skimming is a well-known crime, and advice aimed

at protecting consumers is widespread. The most com-

mon suggestions are:

1. Look for signs of a skimmer.

2. Pull on the card reader.

3. Use a smartphone app to scan for skimmers with

Bluetooth radios.

4. Use an EMV (Chip) card.

5. Use cash.

While seemingly helpful on their surface, many of

these tips offer little in terms of speciﬁc steps. Beyond

common sense, Tips 1 and 2 suggest that users know how

payment devices should look and feel.

Some credit and debit cards have the CVV2 printed on the face of

the card and (for cards with the code on the back) some card acceptors

allow the card to be inserted face down, allowing a camera with a view

of the card to capture the code.

2 27th USENIX Security Symposium USENIX Association

Location /

Type

ATM

Gas

Pump

POS

Terminal

Total

Bank 12

Deep Insert 10

Shimmer 2

Gas Station 6

Internal 5

Overlay 1

Hotel 3

Overlay 2

Wiretap 1

Restaurant 5

Overlay 5

Retail 9

Deep Insert 1

Overlay 5 3

Total 26 5 4 35

Table 1: The breakdown of skimmer BOLOs by the

NYPD Financial Crimes Task force between 2016-Jul-14

and 2017-Nov-11. ATMs were the most widely attacked

device using both deep-insert and overlay skimmers.

Tip 3 proposes the use of a smartphone-based app for

detecting Bluetooth radios. Of all of the above tips, this

is the most easily testable, and the strength of this tip can

be evaluated based on an analysis of the relative use of

Bluetooth radios by skimming devices.

Tip 4 suggests that users have the option to use a chip-

enabled card; however, EMV deployment is far from uni-

versal. For instance, less than 7% of ATMs in New York

City accept EMV [44], and ATMs in Europe with EMV

enabled continue to see an increase in skimmers [34].

This is because EMV-enabled cards have a magnetic

stripe as a backup, which attackers can still use to clone

card data.

Finally, Tip 5 requires that users essentially abandon

payment cards or fundamentally change their behaviors

(e.g., instead of paying at the pump, go inside the gas sta-

tion, wait in line and pay with cash). Security solutions

requiring signiﬁcant behavioral changes are unlikely to

be successful.

We will use our observations in the next section to fur-

ther evaluate Tips 1, 2, and 3.

3 Characterizing Real-World Skimmers

As we discussed, common advice for reducing the risk

of being a victim of skimming is pervasive. These argu-

ments are based on the detectability of single skimmer

models and not on a complete understanding of skim-

ming attacks. To the best of our knowledge, there has

been no systematization of real-world skimmers, leading

to a gap in our understanding of these devices and how

they continue to be successful despite this advice.

To gain a better understanding of the skimmers found

in practice, we partnered with the NYPD Financial

Crimes Task Force and obtained their skimmer BOLOs

for the time ranging from 2016-Jul-14 to 2017-Nov-11.

The 35 memos we obtained provide the location, type,

and data retrieval method for unique skimmers discov-

ered during this time. Table 1 shows the breakdown of

each of the recovered skimmers. Multiple devices of the

same campaign do not result in an additional BOLO. As

a result, they provide clear insight into the variety of

skimming technology conﬁscated by police in the New

York City market. We explore these reports and perform

the ﬁrst large-scale characterization and breakdown of

skimmers.

3.1 Taxonomy

In the skimmers discovered by the NYPD, we found

ﬁve distinct installation points for skimmers in two cate-

gories: those that require only external access to the tar-

get device and those that require internal access. For ex-

ternal access, the skimmer can be installed without open-

ing the payment device

; for internal access, the payment

device must be opened (e.g., via key or drilling a hole).

We further divide these into skimmer types, which for

external-access skimmers consist of: those that ﬁt on the

magnetic stripe slot (overlays), those that ﬁt in the mag-

netic stripe slot (deep-inserts), those that ﬁt in the EMV

slot (shimmers), and those that ﬁt on the physical com-

munication line (wiretaps). Figure 2 provides a diagram

of an ATM with the placement of each type of skimmer.

3.1.1 External-Access Skimmers

Skimmers requiring no access to the internals of the tar-

get machine were the most common type of device re-

covered. These are the lowest-risk devices to deploy

since they can be installed in seconds [54] and are dif-

ﬁcult to identify without expertise.

Overlays were the most prevalent device discovered in

our data set, comprising nearly half (46%) of the skim-

mers. These devices are placed on top of the card slot

using a form factor custom-designed to match the target

machine. The rear side of the overlay contains a mag-

netic read head, decoding and storage equipment, and

a battery. Since the overlay sits atop the card accep-

tor, only millimeters exist between the new fac¸ade and

“Be on the lookout:” These memos are sent out to inform other

ofﬁcers to watch for similar attacks.

For simplicity, we refer to any device which accepts a consumer

payment card (e.g., an ATM, POS terminal, or gas pump) as a payment

device unless discussing a speciﬁc type of device.

USENIX Association 27th USENIX Security Symposium 3

剩余1756页未读，继续阅读

哎呀我不会发光啦~

粉丝: 0
资源: 2

2018 USENIX Security Symposium论文集：系统安全与网络攻防

sec19_full_proceedings.zip

DASFAA - 2019 - proceedings.zip

布谷鸟优化算法的20个参考文献

《幼儿饮食行为研究综述》的参考文献

基于光场驱动的显微操作发展的参考文献

基于微信小程序的系统设计，外文参考文献

微信小程序外文参考文献

能推荐几篇遗传算法优化的文献吗

latex引用多个文献

知识图谱英语参考文献

基于python的数据分析外文文献_python外文文献.doc

经典DOA估计方法对应的文献有哪些

有关于虹膜定位研究的纯理论外文文献

criminisi算法实现污损车牌的修复的代码实现

基于区块链的电子病历存储国内外研究现状 文献

胶囊网络相关的外文文献

reliefF算法详细介绍及实例python代码

Kennedy, J., & Eberhart, R. (1995). Particle swarm optimization. Proceedings of the IEEE International Conference on Neural Networks, 4, 1942-1948.

最新资源

基于区块链的电子病历存储国内外研究现状文献