Postal Service: Beware Stamp Kiosk Skimmers

The United States Postal Inspection Service is investigating reports that fraudsters are installing skimming devices on automated stamp vending machines at Post Office locations across the United States, KrebsOnSecurity has learned.

USPS Automated Postal Center (APC) self-service stamp kiosk.

USPS Automated Postal Center (APC) self-service stamp kiosk.

Earlier this month, I began hearing from sources in the banking industry about fraudulent debit card activity on cards that were all recently used at self-service stamp vending machines at U.S. Post Offices in at least 13 states and the District of Columbia.

Asked about the activity, a spokesperson for the U.S. Postal Inspection Service confirmed that the agency has an open investigation into the matter, but declined to elaborate further beyond offering tips for consumers to help spot skimming devices that may be affixed to automated stamp vending machines at post office locations.

In an emailed response, the USPIS said it is urging USPS employees to visually inspect the Automated Postal Center (APC) machines multiple times during the day, and that it is asking customers to do the same.

“USPIS recommends customers who use the APC machine should personally visually inspect the machine prior to use,” the USPIS said. “Look for any type of plastic piece that looks like it has been slid over the actual credit card reader. Look for any other type of marking on the machine that looks as though it has been applied by a third-party.”

The USPIS is asking customers who see something that appears to be out of place on the machines to notify the local post office supervisor immediately.

The USPIS declined to answer additional questions about the investigation, such as when the fraud first began. But according to sources at two separate financial institutions whose customers have been impacted by the activity, the fraud began in late November 2013, and has been traced back to self-service stamp vending machines in Arizona, California, Colorado, Florida, Georgia, Kentucky, Massachusetts, Nebraska, New York, Oregon, Pennsylvania, Utah, Virginia, and Washington, D.C.

Banking sources said the fraud follows a fairly consistent pattern: The thieves are targeting debit card users and somehow stealing the PINs associated with the cards. Ostensibly, the fraudsters then fabricate new cards and make cash withdrawals at ATMs ranging from $500 to $800 per card.

Skimmers typically employ some type of device used to steal the data stored on the magnetic stripe on the back of the cards, as well as a hidden camera or PIN pad overlay to record the customer entering his or her PIN. It is not clear what type of skimming devices may be used in this fraud scheme, but the APC kiosks appear to be custom-made by Wincor-Nixdorf, a major ATM manufacturer. As such, many types of skimming devices sold in the cybercrime underground and made for Wincor ATMs may work just as well with this kiosk.

This fraud spree may be related to this news report from April 1 via Fox News affiliate KPTV out of Beaverton, Ore. (one of the banks I spoke with confirmed that the fraud they were seeing indeed traced back to APC kiosks in Beaverton). That story includes photographs of a man local police say was caught on camera withdrawing cash at ATMs using counterfeit cards stolen from Postal Service customers.

The U.S. Secret Service, which typically investigates skimming incidents and counterfeit card fraud, declined to comment for this story.

One way to protect yourself against this type of fraud is to use a credit card in lieu of a debit card whenever possible. With a credit card, your liability is maxed out at $50 in the case of fraudulent transactions. Things get more complicated with debit cards. Although many banks also will observe the $50 limit on debit card fraud, customers could be facing losses of up to $500 if they wait more than two business days after learning about the fraud to report it. Also, while your bank is straightening out the situation, any cash you may be missing could be held in limbo, and other checks you have drawn on the account may bounce in the meantime if the fraudsters manage to clean out your checking account.

In addition, it’s a good idea to cover the PIN pad when you’re entering your PIN. Doing so effectively prevents thieves from stealing your PIN in cases where a hidden camera is present.

For more on skimmers and how they work, check out my series All About Skimmers.

Оставьте комментарий