ASTM E3017-2015 Standard Practice for Examining Magnetic Card Readers.pdf

Uploaded by: sumcourage256  Document ID: 532246  Upload date: 2018-12-05  Format: PDF  Pages: 8  Size: 458.78KB

Designation: E3017-15

Standard Practice for Examining Magnetic Card Readers [1]

This standard is issued under the fixed designation E3017; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 Magnetic card readers, when used for illegal purposes, are commonly referred to as skimmers. This practice provides information on seizing, acquiring, and analyzing skimming devices capable of acquiring and storing personally identifiable information (PII) in an unauthorized manner.

1.2 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Referenced Documents

2.1 ASTM Standards: [2]
E2763 Practice for Computer Forensics
E2916 Terminology for Digital and Multimedia Evidence Examination

2.2 ISO Standards: [3]
ISO/IEC 7812 Identification Cards: Identification of Issuers
ISO/IEC 7813 Information Technology: Identification Cards: Financial Transaction Cards

2.3 SWGDE Standards: [4]
SWGDE Best Practices for Computer Forensics
SWGDE Recommendations for Validation Testing

3. Terminology

3.1 Definitions of Terms Specific to This Standard:

3.1.1 parasitic skimmer, n: a type of device manufactured for the capture of account data from magnetically encoded cards that operates in-line with the original ATM, gas pump, or other card reading device.

3.1.2 start sentinel, n: a 5-bit binary sequence, or equivalent ASCII character, used to signify the beginning of track data. (See ISO/IEC 7813.)

3.1.3 skimmer, n: a magnetic card reader, specifically when used for an illegal purpose.

3.1.4 skimming, n: using a skimmer to acquire PII in an unauthorized manner.

3.1.5 swipe, v: to manually pass a magnetically encoded card through a card reader device to transfer information from the card.

3.2 Acronyms:

3.2.1 ADPCM, n: adaptive pulse code modulation
3.2.2 AES, n: advanced encryption standard
3.2.3 ASCII, n: American standard code for information interchange
3.2.4 BFSK, n: binary frequency-shift keying
3.2.5 CVV, n: card verification value
3.2.6 CVV2, n: card verification value 2
3.2.7 EEPROM, n: electrically erasable programmable read only memory
3.2.8 IIN, n: issuer identification number
3.2.9 PAN, n: primary account number
3.2.10 PCM, n: pulse code modulation
3.2.11 PII, n: personally identifiable information
3.2.12 PIN, n: personal identification number
3.2.13 USB, n: universal serial bus
3.2.14 XOR, n: exclusive or
3.2.15 ZIF, adj: zero insertion force
3.2.16 BIN, n: bank identification number

4. Significance and Use

4.1 As a skimming device is not typically deemed contraband in and of itself, it is the responsibility of the examiner to determine if the device contains unauthorized account information. The purpose of this practice is to describe best practices for seizing, acquiring, and analyzing the data contained within magnetic card readers.

4.2 Limitations: Skimmers present unique examination challenges due to:

4.2.1 Rapid changes in technology,
4.2.2 Difficulty of device disassembly,
4.2.3 Lack of standards in use of the technology,
4.2.4 Use of alternate/repurposed components,
4.2.5 Use of encryption,
4.2.6 Multiple data encoding/modulation formats,
4.2.7 Prevention of chip identification by obfuscation of the device,
4.2.8 Availability of training and documentation,
4.2.9 Lack of chip information/documentation,
4.2.10 Lack of adapters available for chip reading,
4.2.11 Lack of software's ability to support reading chip data, and
4.2.12 Lack of commercial software available to analyze encrypted data extracted from skimmers.

5. Technical Background

5.1 As skimmers are often unique in design and implementation, examination processes vary depending upon the category or type of device, or both.

5.2 In general, skimmers may be broken down into the following three categories:

5.2.1 Hand-held,
5.2.2 Altered hand-held, and
5.2.3 Custom.

5.3 The processes used in examinations vary greatly depending on the device itself and the manner in which the stored information is encoded.

5.4 Hand-Held: Data extraction of hand-held skimmers (Fig. 1) is accomplished by connecting the skimmer to the examiner's computer by means of a data cable. Once connected, a program is executed that extracts all of the stored track data from the device.

5.5 Altered Hand-Held: It is common for commercial skimmer devices to be dismantled and used for parts (cannibalized). These devices are commonly seized from automated teller machines (ATMs), bank point-of-sale terminals, and gas pumps. Examination of these devices is frequently performed in a manner similar to hand-held devices. Wireless-enabled skimmers are often seen as an alteration of commercial skimmers (Figs. 2 and 3) [5].

5.6 Custom:

5.6.1 By far, the most complicated and difficult-to-examine skimmers are custom-manufactured devices (Fig. 4). These devices use many different circuit designs and proprietary data encoding, modulation, and encryption schemes. These skimmers can be combined with a pinhole camera or a keypad overlay to capture the personal identification number (PIN) of the account holder.

5.6.2 As it is common in some larger metropolitan area ATMs to require a customer to use their account card for entry to a vestibule, subjects can implant foreign circuitry into the door reader (Fig. 5).

5.6.3 Some skimming devices may have the capability to output captured data by means of wireless communication methods (Fig. 6). These devices may transmit their data in real-time or batch mode. The transmitting ability of these devices and the choice of transmission protocols used make detection of receivers difficult.

FIG. 1 Example of a Hand-Held Skimmer
FIG. 2 Example of an Altered Hand-Held Skimmer
FIG. 3 Example of an Altered Hand-Held Skimmer with Bluetooth [5]
FIG. 4 Example of a Custom Skimmer

5.7 Card Data/Structure:

5.7.1 Fundamentals of Track Data:

5.7.1.1 The International Standards Organization (ISO) created ISO/IEC 7812, which specifies, “a numbering system for the identification of issuers of cards that require an issuer identification number (IIN) to operate in international, inter-industry and/or intra-industry interchange.”

5.7.1.2 The primary account numbers are generally 15 or 16 digits in length but may be as short as 12 (Maestro) or as long as 19 (China UnionPay). The credit card companies have reserved prefixes, for example, American Express credit cards begin with 34 or 37. Credit card processors use the Luhn algorithm (see ISO/IEC 7812) to ensure the integrity of the primary account number (PAN).

5.7.1.3 Applications such as access control, identification, and driver licenses have developed their own custom formats for each track. This capability to reformat the content of each track has allowed magnetic stripe card technology to expand into many industries. As defined for financial industry applications, the magnetic stripes carry three tracks of data.

(1) Track 1: Track 1 contains alphanumeric information for the automation of airline ticketing or other transactions in which a reservation database is accessed. In addition to the account number and expiration date, this track will contain the account holder's name. Typically, Track 1 is only read by hand-held and altered hand-held skimmers.

(2) Track 2: Track 2 contains numeric information for the automation of financial transactions. While this track does not contain the account holder name, it does contain the electronic card verification value (CVV). This track is read by systems that require a PIN (for example, ATMs). Typically, custom skimmers will capture only Track 2 information. Track 2 is encoded using 5-bit ASCII (4-bit odd parity). The account information follows a start sentinel of 11010.

(3) Track 3: Track 3 contains information that is intended to be updated (re-recorded) with each transaction (for example, cash dispensers that operate off-line). This track is rarely used and is not of forensic value in most financial fraud investigations.

5.7.2 Card Verification Value 2 (CVV2): This code is a three- to four-digit number printed on the back of a card (hard to steal electronically) (Fig. 7). It was designed to help curb fraud in “card not present” transactions, such as Internet purchases.

5.7.3 Debit Cards: When skimmed, debit cards and credit cards contain similar data. However, debit cards are different from credit cards as the account is directly linked to fund availability in a bank (or otherwise stored) account. Debit cards present a much more attractive target for skimming as compromised accounts can be converted directly into cash as opposed to goods and services.

6. Evidence Collection

6.1 Seizing Evidence:

6.1.1 Devices should be collected and protected in the same manner as flash memory devices (refer to Practice E2763). Associated cables, documentation, and software should also be collected.

6.1.2 Identifying parasitical devices can be challenging, as they are, by their nature, designed to be hidden. These include recording devices hidden under keypads and those placed in-line with a legitimate card reader (Figs. 8 and 9). Removal of these devices may be destructive in nature and should be done cautiously.

6.2 Handling Evidence: Evidence should be handled according to laboratory policy while maintaining a chain of custody and by using best practices (refer to Practice E2763).

6.3 Equipment: Equipment in this section refers to the non-evidentiary hardware and software the examiner uses to conduct data extraction and analysis of the evidence. Equipment and software applications should be verified [6] to ensure proper performance.

FIG. 5 Example of a Custom Skimmer (Door)
FIG. 6 Example of a Cellular Enabled Skimmer
FIG. 7 Example of CVV2
FIG. 8 Example of Keypad Overlay

7. Data Extraction

7.1 Hand-Held/Altered Hand-Held Skimming Devices: As skimmers are not useful unless one can extract the swiped card information, the manufacturers of these devices provide software to facilitate the exportation of the stored data. The software typically has the added functionality to decode stored user passwords from the device. The software only provides for logical extraction (that is, no deleted information) into a text format. The examiner will need the device, appropriate software, and the appropriate data cable to conduct a successful data extraction. Of particular note, the cable used performs the extraction by means of serial over Universal Serial Bus (USB) connectivity. The proper driver should be loaded on the examination computer and a low COM port setting should be selected so the device has sufficient priority on the system.

7.2 Custom Skimming Devices: All skimming devices must first read the magnetic signal stored on a card. This process is accomplished by means of an electromagnetic head, similar to that found in an audio cassette tape player. As the card is manually swiped through the device, the head converts the magnetic signals on the card into an electrical signal of time-varying voltage, which is passed to other signal processing components for digital conversion. Devices that store that waveform without further processing are referred to as “analog” devices. “Digital” devices further process the waveform to recover the encoded digital data and only store the decoded information.

7.2.1 Analog Skimming Devices: “Analog” skimming devices pass the analog swipe waveform to an analog-to-digital converter (ADC), to produce a digital waveform which is stored, undecoded, in flash memory. The resulting data file extracted from a device is similar to an audio file and will be significantly larger than a decoded bit string of account data.

7.2.1.1 Identification: Recognizing an analog skimmer is important as the method of extraction is different than that of a custom, digital skimmer. While the examiner may notice the lack of an analog to digital encoder chip (although a digital skimmer may lack this chip as well with the processing being completed by the microcontroller), the identification of an analogue skimmer is typically made by recognizing the unusually large storage capacity of the device's flash memory chip, which is typically indicative of an audio-based skimming device (Fig. 10). While a typical custom skimmer may use a flash chip with two megabytes of storage, an analogue skimmer will typically contain a flash storage chip in the two gigabyte range.

7.2.1.2 Extraction: As analog skimmers likely originated as other devices, that is, MP3 sunglasses, an examiner may extract the information from the device over USB mass storage device mode. As it is common for a person constructing the skimmer to remove the USB header, the examiner must recognize the architecture and solder a new header on the device to facilitate communication. Once the header is attached, a write blocker shall be used between the device and an examiner's computer, and an image (Terminology E2916) of the device can be extracted using traditional computer forensics imaging software.

7.2.2 Digital Skimmer Devices: Digital skimmer devices accept input via a magnetic stripe reader just like analog skimmers. However, once the skimmer's processor receives the waveform, the signal is decoded with logic before being stored in flash memory. Data is stored in a digital format, which may or may not be encoded or encrypted or both. Extraction of information from a digital skimmer is most commonly done by removing the flash chip and reading the information through the use of a chip programmer.

7.2.2.1 Extraction: As custom (and some altered) skimming devices typically do not have a universal method to connect to and download the skimmed account information (other than USB used by analog devices), an examiner should consider removing the data storage chip and then read the information stored therein. The microcontroller may also need to be removed and read to understand the encoding or encryption methods used by the device. Code protection may prevent the extraction of code from the dev

Footnotes:

[1] This practice is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved May 1, 2015. Published June 2015. DOI: 10.1520/E3017-15.

[2] For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.

[3] Available from National Institute of Standards and Technology (NIST), 100 Bureau Dr., Stop 1070, Gaithersburg, MD 20899-1070, http://www.nist.gov.

[4] Available from the Scientific Working Group on Digital Evidence (SWGDE), https://www.swgde.org.

[5] A trademark of Bluetooth SIG, Inc., Kirkland, WA.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
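
The Track 2 layout in 5.7.1.3 and the Luhn check in 5.7.1.2, as an added example that is not part of the standard: a Python decoder an examiner could run over a raw Track 2 bitstream recovered from a digital skimmer's flash image. The LSB-first bit order, end sentinel, field separator and LRC check are taken from ISO/IEC 7813 and are not stated on this page; the function names and the sample stream (built from a well-known test card number) are constructed for illustration.

```python
import functools, operator

START_SENTINEL = "11010"  # Track 2 start sentinel, as given in 5.7.1.3
END_SENTINEL = 0xF        # '?' in the 5-bit set (assumption from ISO/IEC 7813)

def encode_char(value):
    """Sample-building helper: 4 data bits LSB first, then an odd-parity bit."""
    data = [(value >> i) & 1 for i in range(4)]
    return "".join(str(b) for b in data + [1 - sum(data) % 2])

def encode_track2(text):
    """Build a test stream: clocking zeros, characters, LRC, trailing zeros."""
    values = [ord(c) - 0x30 for c in text]
    lrc = functools.reduce(operator.xor, values)
    return "0" * 12 + "".join(encode_char(v) for v in values + [lrc]) + "0" * 7

def decode_track2(bits):
    """Decode from the start sentinel; raise ValueError on parity or LRC failure."""
    pos = bits.find(START_SENTINEL)
    if pos < 0:
        raise ValueError("start sentinel not found")
    values = []
    while pos + 5 <= len(bits):
        group = [int(b) for b in bits[pos:pos + 5]]
        if sum(group) % 2 != 1:
            raise ValueError(f"parity error at bit offset {pos}")
        values.append(sum(bit << i for i, bit in enumerate(group[:4])))
        pos += 5
        if len(values) >= 2 and values[-2] == END_SENTINEL:
            break  # the character just read is the LRC that follows '?'
    else:
        raise ValueError("end sentinel not found")
    if functools.reduce(operator.xor, values):
        raise ValueError("LRC mismatch")
    return "".join(chr(0x30 + v) for v in values[:-1])

def luhn_valid(pan):
    """Luhn check over the PAN digits (ISO/IEC 7812)."""
    digits = [int(d) for d in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def examine(bits):
    """Return the decoded track, the PAN before '=', and its Luhn result."""
    track = decode_track2(bits)
    pan = track[1:].split("=")[0]
    return {"track": track, "pan": pan, "luhn_ok": luhn_valid(pan)}

SAMPLE_BITS = encode_track2(";4111111111111111=00000000000000000?")  # constructed test data
```

A parity or LRC failure on a recovered stream points to a read error, a misaligned start offset, or data that is encoded or encrypted rather than stored as plain Track 2.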
