Information Security Tips from Westfield Insurance: Physical Security

15 posts categorized "Physical Security"

28 September 2009

Shredded documents can be unshredded

Shredding is the ultimate defense, right? Once it's shredded, it's gone!

No longer. It was always vulnerable if your attacker had the shredded chaff and plenty of free time. Think of the shredded embassy documents from the Iranian Hostage crisis of 1979. Those students reconstructed the pages with nothing more than scotch tape and patience. More recently, methamphetamine users have been hired by identity theft ringleaders to do the same thing.

Bill Wilson of the Big I recently found a number of services which make the "unshredding" problem much more manageable. In the Enron case, the government hired ChurchStreet Technology to scan the chaff, then used computer algorithms to piece the documents together. They claim to take the recovery time from hundreds of hours down to mere minutes. It's expensive but not terribly complicated. And your trash is in the public domain - anyone can take it back out of the dumpster without breaking any laws.

So how do you fully protect your waste paper from those ID thieves with too much time on their hands?

If you're still using a strip-cut shredder, get rid of it now. Upgrade to a cross-cut that chops the paper into very small bits of chaff.
Feed your pages into the shredder vertically, that is, with the words perpendicular to the shredder blades.
Don't have unusual-colored paper. Or if you do, shred enough of it that it can't be easily picked out. The rule in the army used to be no less than 20 sheets of any given paper type in each shred "lot".
Stir the chaff before disposal. A careful attacker could exploit the fact that pieces from the same document tend to come out of the shredder close to each other and remain so in the waste bag. A few quick stirs can randomize the chaff and make reconstruction much harder.
Send the chaff to a paper recycler. Even the best reconstructors can't bring a page back after it's been turned into new paper pulp. Of course, you have to be sure that your waste isn't intercepted before it hits the recycler but there are several bonded shredding companies that will do that for you.

How much is enough? It depends on who's out to get you. For most home users and small businesses, one and two are probably enough. If you really have something to hide, consider three and four and look into five when your shredding contract comes up for renewal. Find the right balance, remembering that identity theft is real but that most of us are not dealing with DoD nuclear secrets.

Bill Wilson publishes a bi-weekly newsletter filled with useful information including a technology column in almost every issue. His target audience is an independent insurance agent but many of his topics are applicable to any small business owner. If you're not subscribed already, I recommend looking them up.

Posted by Mike Rossander on 28 September 2009 | Permalink | Comments (0) | TrackBack (0)

31 March 2009

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines. The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken. The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money. This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats.

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008. New patches are being released all the time. I guarantee viruses and worms will be written to exploit them.

Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer. We hear this all the time. Are you doing it?

Don't download and run pirated software or software that does illegal things. This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

Be suspicious of everything. And even more so if someone or something is trying to help you or give you something for free. Nothing is free. Come on, you know that don’t you?

The bottom line is simple. Protect the information on your computer the same as you would protect your physical property. Lock your doors and windows. Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars. Change your locks if you think that someone has been inside your house. Don't accept (or seek out) stolen property. If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible.

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions. Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Posted by Bill Murray on 31 March 2009 | Permalink | Comments (1) | TrackBack (0)

27 January 2009

Security mistakes you can fix cheap

Budgets are tight everywhere this year. It's tempting to put off investing in security because "we just can't afford it now." That's a risky strategy at any time but worse, it's largely an unnecessary attitude. There are many things you can do to improve your security posture that don't cost cash. They do cost your time and attention, though. Make fixing these common mistakes a priority.

Walk around your office some night and see how many people keep their passwords on sticky notes right on the computer monitor. Keeping track of passwords is hard. But writing them down and leaving them out for every casual visitor or after-hours maintenance person to see is inexcusable.
While you're walking around, see how many people left sensitive documents on their desks. Make sure that sensitive documents, especially including anything with an SSN or Drivers License Number on it, is put away at night. If you absolutely can't implement a clean desk policy in your office, at least flip over the top page in the stack to reduce the temptation to snoop.
If you allow the use of thumbdrives in your environment, make sure you watch for them, too. Thumbdrives are high risk devices - very easy to steal.
Make sure people keep their access cards with them at all times. Access cards are your credentials. If they fall into the wrong hands, the bad guy effectively is you. He/she can do anything you can do and you will get the blame. Access cards should be protected as carefully as the data they protect. (And, by the way, neither under your keyboard or in the top right drawer of your desk is a safe place to keep them. Thieves know to look there.)
Prevent tailgating and make sure your visitors are escorted. Challenge unknown people - politely but directly. Don't assume that just because a person is in your area that they have a right to be there.
Remember the fax and the printer. Countless sensitive documents get overlooked and often forgotten or lost when we send them to the printer. Make sure you have internal control and that documents get picked up immediately.

based in part on a CSO Online article

Blog changes

In other news, this will be my last tip for a while. Westfield has asked me to take on some new responsibilities within our Legal department so some of the other members of the Information Security team will be stepping up to the publication of these tips. Writing the tips has been a lot of fun. I hope they have been helpful to you. Stay safe.

Posted by Mike Rossander on 27 January 2009 | Permalink | Comments (0) | TrackBack (0)

03 November 2008

Stolen laptops

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It's not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don't think you've ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee's practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don't give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet - out of sight, out of mind. Don't assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don't just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You'd never be that careless at home. Don't let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it's time to ask for your free copy of your credit report from the next agency.

Posted by Mike Rossander on 03 November 2008 | Permalink | Comments (0) | TrackBack (0)

29 September 2008

Cover up your documents

How many people have access to your desk when you're not around?

I assume that your co-workers are basically good people. If they weren't, you wouldn't have hired them in the first place. Does that mean you know everything about them? Or would you be like so many on the news commenting after the fact that he/she "seemed like such a nice person"? It would be a wonderful world if we could trust every person we met. Unfortunately, even good people can fall prey to temptation.

You also need to worry about the people you didn't hire. If you're like most small offices, the landlord's cleaning staff, contractors, visitors and many other outsiders have some degree of access to your space. And you generally have few assurances about who they are, what background checks were run or what supervision they receive.

You have to assume that people you can't know have access to your space when you're not around. Most of them are good people. Do what you can to help those honest people stay honest.

Always turn off your computer at night. Don't just lock the screen. If your IT team has set it up properly, extra protections will kick in when you shut the computer all the way down.
If you have a laptop, lock up it in a desk drawer at night. Laptops, PDAs and mobile phones are high-theft devices. Don't make it easy for the thief.
If you have enough space, put away your paper files at night. Lock them in a desk drawer or filing cabinet. Even if the cabinet doesn't lock, it will at least be more obvious when an unauthorized person is snooping though the files. It's harder to tell when someone is snooping through the papers on top of your desk as they are "cleaning" it.
If you can't lock the papers up, at least put a cover sheet or blank page on the top of the pile to protect the confidential information from casual oversight.
Make sure you collect papers off faxes and printers as soon as possible. Don't leave them exposed to guests and others walking the halls.
If you see something suspicious, call for help. If you have an internal security team, make sure everyone in the office knows how to contact them both during and after normal business hours. If your office's immediate action drill is "call the police", make sure they know how to do that, too.

Posted by Mike Rossander on 29 September 2008 | Permalink | Comments (0) | TrackBack (0)

19 May 2008

Safe vacationing (encore tip)

It's hard to believe that it's almost Memorial Day and that people will start leaving for summer vacations soon. Please take appropriate precautions both before you leave and while you're on your vacation to reduce your risk of fraud and identity theft.

Before you leave:

Clean out your wallet.
- Use traveler's checks or credit cards for payment. Leave your checkbook at home.
- Leave your debit card(s) at home. Under federal law, your liability is limited if your credit card is misused. If your debit card is stolen, you could lose all the money in your checking account.
- Take an ATM card that does not have debit card privileges. Your bank should be able to issue you an "ATM only" card.
- Never carry your Social Security card in your wallet.
- Leave any unneeded credit cards and any other unnecessary documents at home.
Photocopy your wallet and keep the copy in a safe place. If your wallet is stolen, the copies will tell you who to call to get your cards canceled. Note: If you will be gone for a long time, consider leaving a copy with someone you trust who can help you cancel the cards while you're still on the road.
Stop your newspaper delivery and have the Post Office hold your mail (or ask a trusted neighbor to collect them for you). The bills and account statements in your unlocked mailbox are a goldmine for an identity thief. And the packages and newspapers piling up on your front step are a sure sign to a burglar that you are away.

While on your vacation:

Don't leave your wallet, passport or any identifying documents in your hotel room unattended. Use the hotel safe if it's available.
Keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.
Guard your credit card receipts and rental car agreements, especially if they contain your full credit card number or driver's license number.
Use ATMs at banks or credit unions and which are in well-lit areas.
If you are taking your laptop with you, be very careful when using it for on-line banking and other password-protected services, especially if you are connecting to a wireless hotspot.
Be equally cautious of cyber-cafes and other public-access internet facilities. Anyone could have left a keystroke logger on the machine in order to capture your ID and password.

By the way, there will be no InfoSec Tip next week. Have a safe holiday.

Posted by Mike Rossander on 19 May 2008 | Permalink | Comments (0) | TrackBack (0)

28 April 2008

"Hi. How can I help you?"

If you're in a business, train your team to ask strangers "Hi. How can I help you?"

The wording of the question is important. "Can I help you?" gives the person the opportunity to say "no." The word "how" quietly forces the person to state a purpose. If he/she is unable to answer this question easily, that is a tip-off that the person could be up to no good. Be polite and personable but don't let strangers go unchallenged.

Make sure you teach your team what to do when someone strikes them as suspicious. If the person claims to have forgotten an ID badge, have him/her escorted to your main entrance to be properly signed in. Likewise, if the person claims to be law enforcement, escort him/her to your Security Office so that credentials can be verified. Remember, badges can be faked.

based in part on a CSO Online column

Posted by Mike Rossander on 28 April 2008 | Permalink | Comments (0) | TrackBack (0)

21 April 2008

What to do when you lose your wallet

My brother-in-law had his wallet stolen over the weekend. In the interest of learning from the misfortunes of others, here are some things to think about.

Never, never, never carry your Social Security card in your wallet.
Photocopy your wallet about once a year. Lay the contents out on a copier (front and back) so you have a record of all the cards and contact numbers.
Only carry the cards that you use on a regular basis. Leave the rest in a safe place at home. If you have bills set up to auto-pay by credit card, use a card that you leave home. Otherwise, you'll have to change all those accounts when the card is cancelled.
When your wallet is lost or stolen, immediately call the financial institutions and start canceling the cards that were lost.
Call the three credit reporting agencies and put a fraud alert on your account. Consider putting a credit freeze on your account. (A fraud alert is free but must be renewed in 90 days. A credit freeze will typically cost $10 and requires extra effort to have lifted when you want to apply for credit legitimately but it provides somewhat better protection.)
If you haven't reviewed your credit report lately, do it now. Follow the instructions at annualcreditreport.com.

Police advise men to keep the wallet in their front trouser pocket, not a jacket pocket and definitely not a rear pocket. Police advise women to keep their purse with them and to carry it on their strong-hand side (if you're right-handed, carry it on your right shoulder).

If you're traveling, keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

Posted by Mike Rossander on 21 April 2008 | Permalink | Comments (0) | TrackBack (0)

26 November 2007

Tailgaters are a danger to everyone

No, I'm not talking about the Browns fans drinking in the parking lot. I'm not even talking about the road-ragers who think that we'll drive differently just because they're close enough to read the fine print on your license plate renewal sticker.

The tailgaters we need to worry about at work are the neatly-dressed people who quietly walk up behind us and expect us to politely hold the door even though they have no right to be in our building. Tailgating is the art of acting like you belong and of using social pressure to convince people to ignore their own rules and policies. Tailgaters practice coming up behind you with just the right balance of professionalism and distractedness so that you believe that they belong. Good tailgaters come prepared with a plausible excuse why you should "be a nice guy" and break the rules – "It's raining ", "My arms are full", "I forgot it in my desk last night", etc. There is no way to identify a scammer just by looking at him or her.

Tailgaters represent a real risk for your organization. Once in the building, they can steal information, compromise systems or worse. If the intruder is a disgruntled claimant, a former employee or a significant other, they could be attempting to get into the building for violent reasons.

Whatever your entry control procedures are, you should have a strict "no tailgating" policy. Do not let staff hold the door for anyone until you are sure that they are authorized to be in the area. If your building uses security badges and someone tries to follow you through a controlled door, demand to see their badge. If they are a visitor, politely escort them to your main entrance and get them properly signed in. (You do have a Visitor's Log, of course. If not, here's a template you can use. Visitor Logs are surprisingly effective at deflecting these criminals to other, easier targets.)

You also need to know what your office's emergency reaction plan is before someone forces their way in. Know who to call and how to report the breach. Don't put yourself in harm's way but do not allow the intruder to wander your halls unchallenged.

Posted by Mike Rossander on 26 November 2007 | Permalink | Comments (0) | TrackBack (0)

23 April 2007

VIP Cons

Recently, four Westfield folks went into Cleveland together for a Cavalier's game. As they pulled into the arena's parking garage, they noticed that several of the parking spaces had been marked off with traffic cones. One of the parking attendants removed one of the cones and waved them into a very close parking spot on the same level as the pedestrian bridge to the game. They assumed that it was some sort of VIP treatment that came with their tickets. They locked coats and purses in the trunk, then went in to enjoy the game.

Over the next three days, all four reported that their corporate credit cards had been used for fraudulent transactions. Police believe that the car was "marked" by a confederate working as a parking attendant based on the make of their car and their professional appearance. He waved them into the "VIP spot" so his confederate would know which cars to target. The criminals either picked the lock of the car with a slim-jim and popped the trunk from the inside or recorded the electromagnetic code of the trunk's remote so they could open the trunk themselves.

When the four people each checked their wallets, only these corporate credit cards had been stolen. Personal cards, personal checks and cash were untouched. It's human nature to pay more attention to our personal accounts than to a faceless corporation's account. Intelligent criminal exploit that trait and selectively target who and what to steal so they can go undetected as long as possible.

The bank did an excellent job of handling the fraudulent transactions but we all pay when the criminals get away. It is extremely unlikely even with this evidence that criminals will be caught or prosecuted. Sometimes the best we can do is to avoid being targets in the first place.

If someone's offering you a service that seems too good to be true, it probably is. Be extra cautious (and a little bit suspicious) when someone is giving you unexpected special treatment.
Keep your valuables with you whenever possible.
Watch your credit card accounts (personal and corporate) carefully.
Always lock your vehicle.

Posted by Mike Rossander on 23 April 2007 | Permalink | Comments (0) | TrackBack (0)

02 April 2007

How do you get rid of an old computer?

It's time for spring cleaning and you finally want to get rid of that old computer that's been gathering dust for so long. What will you do with the old one? You can't just give it away or sell it. There are thieves who specialize in buying used computers on eBay just to search them for private or financial information before reselling them.

Even if you remembered to delete your files, the data is not really gone yet. (When you delete a file in Windows, all that really happens is that the file information is removed from the computer's "table-of-contents". The data is still on the hard-drive and will stay there until Windows decides that it needs to overwrite that particular space with a new file. That can take months or years.) Even re-formatting the hard-drive does not sufficiently wipe the data. You might hide it from a casual hacker that way but a determined attacker using the latest techniques will be able to reconstruct your hidden information. Read this PC World article for more.

You also can't just put the old hardware out on the curb with the weekly trash. Even if it doesn't get taken from your trash by some passerby, there are hazardous materials within most of the devices that should be properly disposed of. Here are some steps you should take:

Make a couple of backup copies of important data and programs by writing the files to CDs.
Use one of the free or relatively inexpensive software programs available that will write over the data on the hard drive. This ensures that no one will be able to access your personal information later even if they try to use data-restoration software. Click here for a review of several common programs.
If you can, donate or recycle the equipment. Computer manufacturers often have suggestions on their websites (see for example, Dell or HP) and may even offer free pick-up and will work with local agencies in order to donate or recycle the equipment. You can also look for local donation sites at websites such as Earth 911. Finally, many counties offer computer hardware drop-off locations at their hazardous waste collection and recycling sites (e.g., Medina, and Summit counties) .

Note: Several donation programs ask that you not delete the operating system or software from your computer, arguing that schools can't afford to replace the software. This is in general untrue. Most schools, like most corporations, buy "site licenses" and can reinstall the operating system at a fixed, discounted rate. If you do want to donate the software along with the hardware, give them the original installation disks and let them install the software themselves. Always wipe the drive before you donate it.

Posted by Mike Rossander on 02 April 2007 | Permalink | Comments (0) | TrackBack (0)

12 February 2007

No Tailgating

My mother taught me to be polite and always hold the door for strangers. Those early lessons are hard to ignore, especially when the weather is bad. It is very hard to tell a coworker "no" and force them to walk around to the main entrance of the building in the rain or snow. Unfortunately, in today's world of identity theft, litigation and physical violence, those polite habits are increasingly a threat to the safety and security of our coworkers and customers. Imagine the risks if you let someone in who does not belong here. With unescorted access to our building, an intruder could pick up enough information to commit identity theft against our customers on a massive scale. Or worse, the intruder could be coming in with malicious intent toward a fellow employee.

Every company needs have a policy about visitors and needs to enforce a strict "no tailgating" policy. Visitors should always be signed in and out of your facility and should always be escorted while in any non-public part of your facility. If a customer or other important visitor comes to the wrong door, politely greet them and then tactfully escort them to the correct entrance so they can be signed in.

Employees and contractors should be required to show their authentication every time they enter the building. Do not hold the door for anyone and please do not expect someone to hold the door for you. This is an essential part of security discipline.

If someone does follow you into a non-public part of your building and/or refuses to show their ID badge, immediately go to the nearest phone and call your local Security contact. Give them your name, location and a description of the intruder. The borders between information security and physical security are increasingly blurry. These days, security is everyone's job.

Posted by Mike Rossander on 12 February 2007 | Permalink | Comments (0) | TrackBack (0)

22 January 2007

Photocopy your wallet

If your wallet is ever lost or stolen, you need to immediately contact the issuers of all the credit cards and identity documents and begin the process of getting new cards.

About once a year, lay out the contents of your wallet on a photocopier. Copy both the front and back so you have a record of all the card numbers and phone numbers.

Be sure to keep the copy in a very safe place. When you make a new sheet, be sure to shred the old one so it can not be misused.

File a police report immediately in the jurisdiction where your credit cards or wallet were stolen. Do not wait until you return home. Promptly calling the police shows to the credit providers that you were diligent and will be the first step toward their investigation.

Consider calling the three national credit-reporting agencies to place a fraud alert on your name and social security number. That will make it a bit harder for the thief to open new accounts in your name.

If you are traveling, keep your identity document (passport or drivers license) separate from your wallet. You should also carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

Posted by Mike Rossander on 22 January 2007 | Permalink | Comments (0) | TrackBack (0)

11 September 2006

Private information on cell phones

The average cell phone has a life expectancy of 18 months. What happens to all your personal information when you upgrade your phone? In too many cases, that personal information gets passed along to the next user.

Personal information can include:

stored phone numbers and addresses	usually not much of a worry
records of calls made or received	not a problem unless you've been talking to someone that you wouldn't want your spouse or employer to know about
pictures	again, may not be a problem depending on what kind of pictures you took
copies of text messages sent and received	often a serious privacy issue
the speed-dial setting for your voicemail with both the access number and password	potentially very serious

This is not an all-inclusive list. Modern phones also include calendars, memo pads, to do lists and other applications, all of which you might have used and which might have personal or business information that should be kept private.

Most phones include a delete function but independent reviews of those delete functions show them to be mostly pretty poor. Good hackers can undelete the information on most common cell phones with only a little specialized equipment and knowledge. To protect your privacy:

Treat a phone's text message service with the same caution that you use for unsecured email. Be especially professional in your use of text messaging.
Make sure that your old information is really gone before giving the phone to a friend, family member, charity or try to sell it online. (If all else fails, a 2½ lb sledge hammer does a very reliable job of making the data unreadable – but it won't be worth much when you're done.)

For additional information and a real-life scenario, read this recent story from CNN.com.

Posted by Mike Rossander on 11 September 2006 | Permalink | Comments (0) | TrackBack (0)

21 August 2006

ATM Skimmers

Some thieves use a tactic called ATM skimming to steal your card number and PIN. While this tactic has been used for several years in large cities and tourist areas, there is some evidence that the tactic is now being used more in smaller areas.

ATM skimming depends on a device that clips onto the outside of the ATM and sits on top of the cardslot. The device is camouflaged to look like a normal part of the ATM. When you insert your card, the skimmer reads the magnetic strip as it goes past into the regular ATM card reader. The skimmer does not interfere with the operation of the ATM.

The thief will often also put up a small camera positioned to watch your hand as you enter your PIN. The camera might be camouflaged as a brochure holder. These devices often have built-in antennae to send the numbers wirelessly to the thief's computer in a nearby car.

See this Snopes.com article for pictures of an ATM skimmer in place.

Banks regularly check their ATMs for these devices but if you see something suspicious, you should call the Bank immediately. If your bank offers a "smart card" (a card with an embedded chip), those are currently secure from most skimmer attacks. Regardless, you should always monitor your bank statement carefully to make sure that all the transactions on it are really yours.

Posted by Mike Rossander on 21 August 2006 | Permalink | Comments (0) | TrackBack (0)

Information Security Tips from Westfield Insurance

Westfield Links

About

FeedBurner

Archives

Categories

Blogroll & other links

Hubspot Code