  • Would You Have Spotted the Fraud?

    Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

    This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

    This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.

    It’s hard to know whether this was a homemade skimmer, or one that was purchased from online criminal forums. Some of the skimmers sold on these forums are extremely sophisticated, incorporating features such as the ability to send an SMS text message to the thieves’ mobile phone whenever a new card is swiped.

    This type of fraud is actually far more common than you might think: A quick query on Twitter for “ATM skimmer” usually brings up plenty of local news reports about these devices being found on ATMs.

    Practice basic ATM street smarts and you should have little to fear from these skimmers: If you see something that doesn’t look right — such as an odd protrusion or off-color component on an ATM — consider going to another machine. Also, stay away from ATMs that are not located in publicly visible and well-lit areas.

    Update, 12:10 p.m.: Mikko Hypponen from F-Secure sent in a few fascinating Twitter pics of other ATM skimmers that include ingenious ways to send the stolen credentials to the scammers.

    If you liked this post, please check out my follow-up posts on ATM skimmers:

    ATM Skimmers Part II, includes an entire gallery of ATM skimmer images.

    Would You Have Spotted This ATM Fraud? Delves into some of the rent-to-own skimmer models.

    Fun With ATM Skimmers, Part III: Examining the skimmer problem in Europe (+ more skimmer photos!).

    ATM Skimmers: Separating Cruft from Craft. Skimmer scammers are everywhere! Only buy your skimmer devices from real thieves!

    Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message: Skimmers with embedded cell phones allow thieves to continue stealing credentials without ever returning to the scene of the crime.

    Skimmers Siphoning Card Data at the Pump: Skimmers aren’t just for ATMs.

    228 comments

    1. Yeah, I am totally fascinated by these things too. Keep hoping I will find one in the wild. Every time I go to the ATM I spend like 10 minutes trying to pull the reader off, not so much as a security thing but just because it would be cool to actually see one working.

      - SR

      Well-loved. Like or Dislike: Thumb up 76 Thumb down 28

      • Hi everyone. Just a quick note to say that many of you (>500) have signed up for RSS updates to the comments on this post. If you instead meant to sign up for the RSS feed on this blog, that URL is:

        http://www.krebsonsecurity.com/feed/

        Well-loved. Like or Dislike: Thumb up 27 Thumb down 5

      • Start checking gas station pumps as well. Really, any unattended card reader, not just feral ATMs. But skimmers are pocket-sized or smaller, so even attended readers are at risk.
        Another card trick, detected at a fast food joint, had the cashier dip the card beneath the counter, just for an instant, where it was skimmed before coming back up and run through the real card reader.

        Well-loved. Like or Dislike: Thumb up 37 Thumb down 1

        • I have over 35 years experience in electronics design etc.
          I can strip a cheap tape recorder and with little effort make a skimmer.
          I don’t have either the time or inclination to make a fancy package to stick it on a legitimate card reader.
          Sure I could make money like this.
          I just have a little higher morals than the new generation of gimme, gimme, gimme kids.

          I had an older father like friend who never had a credit card until he was 83 years old.
          His was skimmed under the counter by a friend of a lady who he was helping out, “she said she needed goods to cook for her home business.” The skimmer and friend who skimmed it were in JC Penny. They cleaned him for over $4000.00 before he asked me about it.
          I almost caught the bitch.
          If I had I quite probably would be in jail right now.
          I believe in cruel punishment for people like that. That old man lived on $800.00 a month SS and in housing provided by me.

          Well-loved. Like or Dislike: Thumb up 88 Thumb down 6

          • D@mn kids! Get off my lawn! Grumble!

            Like or Dislike: Thumb up 5 Thumb down 2

        • Another reason why fast food restaurants are bad for your health!

          Well-loved. Like or Dislike: Thumb up 8 Thumb down 0

    2. Brian, great write up! I talked about this on my podcast recently and I’m going to link them to this article to give them a better idea of what these skimmers look like. Thanks!

      Twitter- @cybercrime101

      Well-loved. Like or Dislike: Thumb up 23 Thumb down 4

      • WOW…. I had no idea they looked so normal. Had no idea. Can’t believe I have been so trusting. Thanks for the great article

        Well-loved. Like or Dislike: Thumb up 25 Thumb down 3

        • Gina – You’re a step ahead of me!!!! Boy, talk about feeling like a dinosaur!!! I didn’t even know things like those ATM scam-devices existed!!

          Well-loved. Like or Dislike: Thumb up 7 Thumb down 1

    3. Sheesh! I probably would not have noticed this device on the ATM.

      If I used the same ATM every time I use an ATM I may have noticed, but I travel a lot and use a variety of machines in all kinds of places.

      Thank you for the write-up! I will use this as a reminder to be more aware.

      Well-loved. Like or Dislike: Thumb up 33 Thumb down 2

      • This sort of thing partly depends on the wide variety of ATM hardware out there. It may be mostly cosmetic differences, to suit a particular bank’s house style at the time the machine was installed, but it does keep changing. We might spot this on a machine we use every week, but some of us are moving around, and using different machines all the time.

        Are you a trucker, for instance?

        Well-loved. Like or Dislike: Thumb up 21 Thumb down 7

        • I carry enough small bills in cash to eliminate ATM machines.

          Well-loved. Like or Dislike: Thumb up 8 Thumb down 3

          • Um – just wondering…where you get the small bills? Most of us get them from ATMs. Do you go to the bank or use cash-back on debit transactions at the store?

            Well-loved. Like or Dislike: Thumb up 5 Thumb down 1

    4. Surprisingly, there are many resources for ATM skimming devices readily available online. A quick search on YouTube turns up a wide variety of people advertising skimming devices. One even currently offers a 20 percent discount.

      There are also YouTube videos that show how to hack wireless routers and just about any other criminal enterprise one can think of. In many cases, the videos show URL’s for purchasing “tools of the trade”.

      Well-loved. Like or Dislike: Thumb up 21 Thumb down 13

      • The manufacturers of these devices should be criminally prosecuted. There are no legitimate uses for these things.

        Well-loved. Like or Dislike: Thumb up 57 Thumb down 18

        • Hidden due to low comment rating.

          Poorly-rated. Like or Dislike: Thumb up 60 Thumb down 111

          • Disagreed, everyone has the right to protect themselves.

            In this case that means taking down those who perpetrate malicious activities against innocent users of the banking system.

            Those who install these devices should be arrested and jailed, and the manufacture of such devices should be outlawed and those who make them also arrested and jailed for producing these fraudulent devices. They are fraudulent because they are fundamentally deceitful about the introduction of a third-party observer to a private electronic transaction.

            Well-loved. Like or Dislike: Thumb up 41 Thumb down 4

            • I agree on utility if not on principle. These devices exist whether there is a video for it on youtube or not. The people who create them should certainly be prosecuted but not banned from advertising. Frankly if you are stupid enough to advertise on a public domain website then like you say – natural selection should step in and get them arrested pretty sharpish.

              There should also be a burden of responsibility on those who provide the services to ensure that they provide safe and secure facilities. If that were the case then the usage of the skimmers would be far less of an issue.

              Well-loved. Like or Dislike: Thumb up 15 Thumb down 10

        • Criminality is becoming so sophisticated it’s frightening. The authorities have the means to track these individuals that sell them online, what the hell are they waiting for? It’s obvious their greed exceeds common sense. When I was just coming around to setting the alarm on my vehicle. Gina, a wonderful world we live in. As is said, only in America.

          Hot debate. What do you think? Thumb up 6 Thumb down 4

          • Nonsense – this has been around for years (!) in Europe, where they actually started with complete fake fronts – but they became more sophisticated, now only needing a false slot. In that sense you might be seeing only the newer ‘generation’ in the States…

            Like or Dislike: Thumb up 4 Thumb down 1

            • They’re now so sophisticated, they’re factory made.
              Not long ago an entire shipment of card readers for storefronts (yes, the ones your bank installs at the supermarket) was intercepted that had skimmers built into them by the Chinese factory, as well as cellphones preprogrammed to send the data to some number in eastern Europe or Russia.
              These things are professionally designed, manufactured on the same lines as the regular ones (are those even being made any longer?), packaged, and shipped to the banks or their handling companies who install them in stores and ATMs.

              Like or Dislike: Thumb up 0 Thumb down 0

          • Wow, the things crooks think of. Just imagine if the bankers started stealing money! Can you imagine it….service fees, bailouts…they could take the tax paying suckers for trillions!

            Well-loved. Like or Dislike: Thumb up 10 Thumb down 4

    5. I guess I am not so crazy in thinking that it is a good idea to get in the habit of planning ahead and stopping by the bank and have a teller give me the cash I am going to need for given trip or shopping spree. It also helps not to overspend.

      Well-loved. Like or Dislike: Thumb up 43 Thumb down 11

      • Hidden due to low comment rating.

        Poorly-rated. Like or Dislike: Thumb up 26 Thumb down 42

        • @Ed Johnson: *not* everyone in the world will accept US dollars in payment, nor are they required to. I am 100% certain that all merchants in my country (which is in Europe) would refuse US dollars in payment for anything.

          Well-loved. Like or Dislike: Thumb up 32 Thumb down 18

          • As I write this, it is July 3, 2010, several months later after your comment was posted. The euro has crashed in value. I am sure the vendors and retail stores will be quite happy to accept American currency – as long as those bills are not counterfeit.

            Like or Dislike: Thumb up 3 Thumb down 2

        • A vanishingly small percentage of traders accept US$ in the UK, and most of them will /not/ accept travellers cheques either.

          (A few tourist hot-spots will take Euros, but don’t bet on it.)

          Well-loved. Like or Dislike: Thumb up 10 Thumb down 6

        • Yeah, not everyone accepts American money, and places that do will not accept large bills due to an increasing percentage of fraudulence. Most countries do not accept traveler’s checks either.

          The best thing to do is have your cash converted to whatever type suits the country you are going to, so that you avoid disagreements.

          Well-loved. Like or Dislike: Thumb up 6 Thumb down 1

    6. I wouldn’t have seen them… Now I’m really going to start looking.

      Thanks Brian!

      Well-loved. Like or Dislike: Thumb up 12 Thumb down 7

    7. WOW,
      Guess I’m going to have to spend some time (like Space Rogue) trying to see if I can find one.
      I’d love to find one in the “wild”

      Great article.

      b, give me a call

      Hot debate. What do you think? Thumb up 11 Thumb down 9

    8. Another thing to remember when using ATMs:

      If it asks you “do you want a receipt” DO NOT WALK AWAY when you collect your money and receipt.

      At least in the ATM I use (at 7-11’s) after you take the $ and receipt it asks, “Do you want another transaction?”. If you’ve already left, the next person to use the ATM can access your account!

      I warned somebody just last month about this after he walked away too early

      Well-loved. Like or Dislike: Thumb up 63 Thumb down 34

      • You are wrong, if you do another transaction, the machine always asks for your PIN again.

        Hot debate. What do you think? Thumb up 30 Thumb down 28

        • I used to program ATM “loads”. At one time it was common for machines with motorized card readers (that hold your card until the end of the transaction) to allow transaction chaining without re-entering a PIN. PIN re-entry was only required on dip or swipe card readers.

          Sometimes a load for a motorized reader would be sent to a dip reader, leading to people walking away and allowing the next person to perform another transaction.

          Eventually we required PIN re-entry on all ATMs regardless of card reader type.

          Well-loved. Like or Dislike: Thumb up 60 Thumb down 4
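
The session behavior described in the comment above, as a small Python model added here (it is not part of the original post or comment, and not any ATM vendor's code). The `Atm` class, the account name, the PIN and the assumption that a customer at a motorized reader stays to get the card back are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Reader(Enum):
    MOTORIZED = "motorized"  # holds the card inside until the session ends
    DIP = "dip"              # customer pulls the card straight back out


@dataclass
class Atm:
    hardware: Reader           # reader physically installed in the machine
    load_built_for: Reader     # reader type the software "load" assumes
    always_reenter_pin: bool   # the eventual fix: PIN on every transaction
    pins: dict                 # account -> PIN (constructed sample data)
    session_account: Optional[str] = None
    card_inside: bool = False
    debits: list = field(default_factory=list)  # (account, person, amount)

    def present_card(self, account, pin, person, amount):
        """First transaction of a session: card read plus PIN check."""
        if self.pins.get(account) != pin:
            return False
        self.session_account = account
        self.card_inside = self.hardware is Reader.MOTORIZED
        return self._dispense(person, amount)

    def another_transaction(self, person, amount, pin=None):
        """Someone answered 'yes' to 'Do you want another transaction?'."""
        if self.session_account is None:
            return False
        # Legacy rule: a load written for a motorized reader chains
        # transactions without a PIN, trusting that the card is still held.
        chaining = (not self.always_reenter_pin
                    and self.load_built_for is Reader.MOTORIZED)
        if not chaining and self.pins.get(self.session_account) != pin:
            self.end_session()
            return False
        return self._dispense(person, amount)

    def end_session(self):
        """Customer answered 'no', or the prompt timed out."""
        self.session_account = None
        self.card_inside = False

    def _dispense(self, person, amount):
        self.debits.append((self.session_account, person, amount))
        return True


def walk_away_scenario(hardware, load_built_for, always_reenter_pin):
    """Return the debits made by anyone other than the account holder."""
    atm = Atm(hardware, load_built_for, always_reenter_pin,
              pins={"acct-alice": "4821"})  # constructed account and PIN
    atm.present_card("acct-alice", "4821", person="alice", amount=40)
    if atm.card_inside:
        # Assumption: with the card still in the machine, Alice stays and
        # answers 'no' to get it back, which closes the session.
        atm.end_session()
    # Otherwise Alice already holds card, cash and receipt and walks away
    # while the 'another transaction?' prompt is still on screen.
    atm.another_transaction(person="next-in-line", amount=200)
    return [d for d in atm.debits if d[1] != "alice"]


if __name__ == "__main__":
    cases = [
        ("motorized load on motorized reader", Reader.MOTORIZED, Reader.MOTORIZED, False),
        ("dip load on dip reader", Reader.DIP, Reader.DIP, False),
        ("motorized load sent to dip reader", Reader.DIP, Reader.MOTORIZED, False),
        ("PIN re-entry on all ATMs", Reader.DIP, Reader.MOTORIZED, True),
    ]
    for label, hw, load, fixed in cases:
        print(f"{label}: {walk_away_scenario(hw, load, fixed)}")
```

Only the mismatched case (a motorized load on a dip reader, without the PIN re-entry rule) produces a debit by the next person in line.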

        • mine don’t

          Like or Dislike: Thumb up 0 Thumb down 0

      • > At least in the ATM I use (at 7-11’s) after you take the $ and receipt it asks, “Do you want another transaction?”. If you’ve already left, the next person to use the ATM can access your account!

        Bank of America added that to the ATM flow (at least in the Northeast US), and it struck me as particularly risky in the same manner. To test it out I pressed “yes, I want another tx” and it asked me to swipe my card again. Are you sure the one you use at 7-11 doesn’t do the same thing?

        Well-loved. Like or Dislike: Thumb up 13 Thumb down 3

        • I frequently use the machine at the post office to avoid standing in long lines to ship a small package or buy books of stamps and I use my debit card. I have completed more than one transaction without re-swiping my card – I use my debit as a credit here and do not enter a pin, but if I walked away too soon without tapping “no” for “do you want to complete another transaction,” the next customer could ship & purchase with it all being charged to my account.

          As a general rule, I think if you’re going to use a charge card or debit card at any machine, it’s a good idea to make sure the machine has ended your session. Cliche, but: Better safe than sorry!

          Well-loved. Like or Dislike: Thumb up 19 Thumb down 2

      • @Gary: FWIW, I can remember when ATMs were new, and the Wells Fargo ATM routine would not give the card back until the customer answered “no” to the question “Do you want to do another transaction?”. Many customers walked away with the money and the receipt(s) but left their card in the ATM.

        Eventually Wells Fargo changed the routine. If you withdrew cash, it would first return your card, then output the money and print the receipt. So if you had any other transaction(s) it was better to do them before withdrawing any cash. People then started walking away with their card and the cash, but leave the receipts littering the area around the ATM.

        Well-loved. Like or Dislike: Thumb up 16 Thumb down 4

      • I *heard* (may be a rumor) about a particular type of ATM asking this question, which had a timeout of a couple of seconds. If you were fast enough to hit the “cancel” button on the keypad while the question was present, you could have withdrawn money from the customer account without pin. At the time I heard this it should have been already fixed by ATM vendor, so I have never seen it for real. But the described behavior would well fit a careless programmer’s mistake.
        Since then I never leave from ATM before it turns into the “demo mode” asking for card, just to be sure. It takes just couple of seconds more anyway.

        Well-loved. Like or Dislike: Thumb up 13 Thumb down 4

        • As a tech for NCR, the world’s largest ATM manufacturer, I can tell you there is no way to withdraw cash from an ATM without the correct PIN…the process occurs well before the dispenser even starts moving. As far as the skimming goes, look for mismatched paint…NCR uses a custom blend of several bases and materials that’s damn near impossible to fake…If something looks off, look at another machine on the site…see if they’re all the same, or if they’re all aligned properly…bottom line, if something seems off, don’t use the machine – contact the bank’s security department… Quite personally I have seen some pretty shady ATMs out there…if it’s not for a reputable bank, I avoid using them as well…you never know who’s maintaining them or whether they can be trusted…the best defense we all have is our eyes and hands…if something looks off, feel it…does it feel to be made of the same material as the rest of the machine…look to the side, are there gaps, or paint scrapes? Bottom line is common sense

          NCR CE

          Well-loved. Like or Dislike: Thumb up 56 Thumb down 5

          • Brian: Great write-up! Thanks!!

            NCR TECH: Appreciate your confidence in NCR’s design and manufacturing quality, but Brian’s pics show that skimmers with sophisticated design and construction are out there and are difficult to detect. How does “common sense” enable the average person to notice an overlay skimmer that matches color and format to the extent shown here? And are you suggesting that Citibank in Woodland Hills, CA, is not a “reputable” bank? (The neighborhood looks pretty clean, too; check GoogleMaps street view.) I’m not reassured by your analysis. So where does that leave us? Your employer probably doesn’t want users dismantling ATMs to check for parasite devices … although I suppose that would be job security for you. :-)

            Well-loved. Like or Dislike: Thumb up 22 Thumb down 8

          • speaking as a moron who actually got his account cleaned out, I can say that you are wrong.

            When in a rush to pay off a bill in cash, I ended up forgetting my card and dashing off after the money had been delivered. Someone walked up behind me and cleaned out my account. The ATM was a Citizens Bank machine. It took the guy’s picture, and the money was reimbursed to me by the bank after three months of investigation.

            Here’s the kicker, though. After three months my wife and I found out that the bank had not contacted the police, as we had been told. When we contacted the police, we were told that banks generally don’t want to get involved in prosecuting these crimes, as it is not cost effective for them (?)

            That’s the reason these crimes continue. The banks won’t prosecute. They just return the money to the victim and call it even.

            Well-loved. Like or Dislike: Thumb up 11 Thumb down 1

    9. Wow, that’s a pretty slick job. I definitely wouldn’t have noticed that.

      Well-loved. Like or Dislike: Thumb up 8 Thumb down 3

    10. Brian, Nice article. I love the pictures. I don’t use ATM that much but I will surely be checking them out first from now on.

      Well-loved. Like or Dislike: Thumb up 7 Thumb down 3

    11. Romania is the source of this kind of ‘equipment’.

      Well-loved. Like or Dislike: Thumb up 33 Thumb down 21

    12. Brian-
      Great pics & writeup, as usual.
      I rarely use cash anymore, so I never need to make a withdrawal at an unfamiliar ATM. I make deposits at the ATM at my bank’s branch inside my local grocery store. The store is open, and fairly busy, 24/7.

      Despite all that, I look at it pretty closely every time I use it… and I just showed these pictures to my wife, so she’ll be more suspicious of ATMs in general.

      Well-loved. Like or Dislike: Thumb up 7 Thumb down 1

    13. I don’t know if I would have spotted this.

      But geez – can’t Mikko find a better way to upload pictures than with twitter??

      Well-loved. Like or Dislike: Thumb up 7 Thumb down 2

    14. Nope. I wouldn’t have known about this. I always use the same ATM machine. Thanks for the info. And @Gary, thanks also for your info.

      Hot debate. What do you think? Thumb up 5 Thumb down 3

    15. I usually use familiar ATM machines, but gas stations are another story.

      Hot debate. What do you think? Thumb up 6 Thumb down 4

    16. The Dutch railways suffer from the same problem, because their ticket machines take bank cards too. They tried to fix it by attaching plates with big studs over the ATM entry, but failed: http://www.youtube.com/watch?v=dHW8nVUY39g
      (At 00:21 the voiceover says “We weren’t allowed to film you installing the plate, why was that” and the rest speaks for itself I think.)

      Well-loved. Like or Dislike: Thumb up 6 Thumb down 1

    17. The Great Gerznak

      Even at machines you think you trust, always, always, always cover the hand keying your PIN with something else. Doesn’t solve the skimming problem, but it does make your account a less-desirable target because they’d have to work a lot harder for the half of the information they don’t have.

      Well-loved. Like or Dislike: Thumb up 9 Thumb down 2

      • Not sure if the PIN is encrypted on the card (I hope not), but if so, brute-force might be ‘easy’ – max. 10.000 – 1 combinations…

        Like or Dislike: Thumb up 0 Thumb down 2

    18. I was just wondering if the machine still spit out cash with the skimmer attached? In other words if you could have a normal transaction and never even know you’d just had your bank card compromised.

      Very scary. Thanks for giving me something new to worry about! :p

      Hot debate. What do you think? Thumb up 6 Thumb down 5

      • Yes, the machine still functions normally, so as to not arouse suspicion and remain in use without detection for as long as possible.

        Well-loved. Like or Dislike: Thumb up 6 Thumb down 1

          • Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency???

          Like or Dislike: Thumb up 3 Thumb down 0

    19. Hidden due to low comment rating.

      Poorly-rated. Like or Dislike: Thumb up 5 Thumb down 34

      • Dorian, I think you may have missed the point. When someone has recorded your card information and your pin code, then someone can make a new card and withdraw money from your account. Over here (Europe) we are mostly using cards with chips nowadays, which are more safe, however the cards with chips are not more secure as long as the magnetic stripe can be used as well.

        Well-loved. Like or Dislike: Thumb up 18 Thumb down 0

    20. Great article and awesome pictures. This was a perfect to the point explanation/tutorial/awareness blog post on the subject of card skimmers. Well done!

      Like or Dislike: Thumb up 4 Thumb down 1

    21. @dorian: If a thief has a record of your debit card number and the associated PIN, he can make a duplicate card and then use a regular ATM to withdraw money from your account. He does not need to have your actual card in order to rob you blind.

      Well-loved. Like or Dislike: Thumb up 8 Thumb down 0

    22. @Pete, Yes, you can still withdraw money from an ATM that’s been tampered with. If it didn’t dispense cash, customers would know something was wrong with it, and someone would probably report it to the ATM operator.

      Well-loved. Like or Dislike: Thumb up 5 Thumb down 0

    23. Saw this linked from boingboing, and so I’ll give the same advice here. Develop the habit of pretending to enter many more numbers than are in your pin. This way the camera, should the ATM you are using turn out to be compromised, will not be able to tell what your actual pin is.
      It takes some time to develop the habit but once you do it is very easy. I don’t even think about it anymore. I usually appear to enter a random pattern of 10 to 12 numbers (of which only 4 are actual keypresses, of course, but if done right any camera (or person looking over your shoulder for that matter) won’t be able to tell).

      Well-loved. Like or Dislike: Thumb up 45 Thumb down 2

    24. Was this ATM in front of a bank branch, or was it a Citibank owned ATM in a less supervised location? I’m impressed by the boldness of the thieves if they managed to attach the skimmer to an ATM that is right in front of a bank.

      Like or Dislike: Thumb up 3 Thumb down 0

    25. If you “walk” around the back on street view there are a couple of ATMs visible. Not clear if they’re drive-up or not (there’s a truck blocking part of the view).

      Drive-thru’s are probably easier to compromise. People aren’t as close and they’re often in a great hurry.

      Like or Dislike: Thumb up 2 Thumb down 1

    26. hi, very impressed with the information here! if i do ever find one it will be put under my 12 size boot. keep up the good work krebsonsecurity.

      Like or Dislike: Thumb up 3 Thumb down 4

    27. Important note: If you do see one of these on an ATM, beware, the criminals may well still be around (in my experience they like to hang around to keep an eye on their skimmer). If they notice you noticing it, they will probably come to remove it; it’s up to you whether or not you want to be in their way when they do!

      Well-loved. Like or Dislike: Thumb up 14 Thumb down 1

      • Also never move it, I ripped one off the bank machine in anger after finding it and the cops sounded shocked when I called them. They told me to not go back to my car yet and wait in a public area till they got there. Usually the criminals monitor them and have beat up a few ppl in my area when their devices were discovered.

        My bank was useless. They didn’t know what to do when I called them (Sat morning when branch was closed), and they just told me to call their ATM department. The ATM guy sounded like he was annoyed that I was calling him and asked me for the ATM serial number. After searching for a few mins, he then told me that’s actually located behind the machine…

        I went to get a new ATM card the next week, and showed the pictures to clerk and he showed them to all his coworkers and the branch manager as none of them had seen one before. The only training they got was a paragraph in an email memo…

        Well-loved. Like or Dislike: Thumb up 19 Thumb down 0

    28. My ATM card was hacked in just this way a few years ago. I had never heard of it and only discovered the actual problem after researching online. The thieves (or folks who had purchased the info from the thieves) were having a merry ol’ time renting cars and dining out in Brazil–I watched their progress when I reviewed my bank statement. My former bank was absolutely NO help at all and, while they replaced my money eventually (even though they observed transactions were occurring in BRAZIL while I was standing in front of them in OHIO) I will never bank with them again.

      Well-loved. Like or Dislike: Thumb up 7 Thumb down 2

    29. Hidden due to low comment rating.

      Poorly-rated. Like or Dislike: Thumb up 5 Thumb down 17

    30. Yeah I’ve seen pics of these before. Looks like they are much more sophisticated now. Thankfully I’ve stopped using ATM’s – I only take out cash from the teller about once a month.

      Like or Dislike: Thumb up 3 Thumb down 3

    31. Hidden due to low comment rating.

      Poorly-rated. Like or Dislike: Thumb up 4 Thumb down 15

    32. This is the standard that most ATMs in France have settled on as well, and yet twice in the past two months I have seen someone take their card as soon as it comes out and immediately walk away, leaving their money that’s dispensed a few seconds later. Lucky for them that I’m an honest person :)

      Like or Dislike: Thumb up 3 Thumb down 1

    33. Hidden due to low comment rating.

      Poorly-rated. Like or Dislike: Thumb up 7 Thumb down 15

    34. Yeah I’d like to think they’d catch em with cameras.

      Like or Dislike: Thumb up 1 Thumb down 3

    35. Biometrics will solve this problem. You cannot skim a fingerprint and reuse it the way credit card or debit card information is used.

      People may be able to skim and develop some sort of format to reuse them in the future but I have been researching biometric devices that do not read fingerprints as an image file.

      Hot debate. What do you think? Thumb up 7 Thumb down 12

    36. Great information. Thanks for educating me. I have never heard of this. I would like to repost this on StrongMothers.com

      Lisa

      Hot debate. What do you think? Thumb up 3 Thumb down 5

    37. I work at a major bank in Toronto – one of the busiest. On one day in December we changed 80 cards for clients that used ‘compromised’ bank machines. Some were victims of theft, some did not have the cards duplicated YET.

      We found in our branch three different skimmers within three weeks. I stood by watching one for hours waiting for someone to come back and pick it up (with a closed sign on).

      They can be wireless so the skim-artists don’t have to pick them up at the end of the day. The busier the branch the more cards they can skim. The cover on the top of the keypad made it easier to hide the camera, so we removed it.

      This isn’t made public by any of the Big Banks here – probably because it’s so easy to do, it would start a goldrush.

      Well-loved. Like or Dislike: Thumb up 6 Thumb down 1

    38. ps- i used to work at a different bank four months ago and hadn’t used my card in the last three months. Two weeks ago i logged into my webaccount and noticed someone stole my $500 limit from a bank machine i’ve never used….

      the criminals will sit with the card data for months at a time to evade a connection to the source. consider a gas station attendant working for three months collecting cards. quit one day and for 24 hours print new cards with THREE MONTHS OF DATA. then have five people driving to machines withdrawing daily limits for the next week. the only problem is where to launder all the easy money

      Well-loved. Like or Dislike: Thumb up 5 Thumb down 1

    39. Anyone know if the new chip cards are affected by this? In Canada the chip cards are pretty common by now.

      Like or Dislike: Thumb up 3 Thumb down 1

    40. Be aware these are not the only skimmers. Use caution at gas pumps, restaurants, supermarkets; in short, thieves are so elaborate a skimmer can be hidden in any point of sale machine. They can copy the front of the ATM and overlay it on top of the ATM, including buttons and even brochures, and depending on ingenuity could hide a camera. Thieves then use a computer to copy or clone your card, go to an ATM before midnight, take out the max amount, wait for midnight, a new day, and withdraw again. They will clean you out, or sell all the info online. I found a person’s identity for sale at $5.
      search videos key word skimmer

      Hot debate. What do you think? Thumb up 6 Thumb down 3

    41. Brian, great article and pictures, also the update from the twitter. It would be great if we can try to identify one. Recently, our country was faxed by a large scheme of ATM fraud. People are talking more about Cards with intelligent chip attached, to avoid fraud.

      Do you have any opinion on this? If yes, please share… :)

      PS: Would definitely visit this site more often… :)

      Thanks in advance…

      Like or Dislike: Thumb up 1 Thumb down 1

    42. Someone cast that plastic case and did the engineering and assembly of that skimmer. I suggest a law by which manufacture or importation or possession of a skimming device, or the act of attaching one to an ATM, or using one to capture information necessary to make a fake card all should be made a felony. Brian and commenters, what do you think?

      Hot debate. What do you think? Thumb up 7 Thumb down 7

      • USING one to commit fraud is already fraud, so no new law is needed.
        POSSESSING one should not be illegal, because the device itself is valuable for academic study by the people fighting against this kind of crime. Erecting legal barriers which only impede the law-abiding is wrong-headed.
        Remember, it’s the act, not the tool, that is the crime.

        Well-loved. Like or Dislike: Thumb up 9 Thumb down 4

        • That’s just backwards and moronic thinking. If the vast majority of the use of these items is illegitimate, with legitimate use such as study being in the minority, then make the possession and manufacture illegal and allow exceptions by permit for the legitimate users. If you let this go uncontrolled, they will be easy to obtain and use with no repercussions for those who manufacture and supply these tools of theft.

          Hot debate. What do you think? Thumb up 7 Thumb down 7

          • What are you suggesting this law would do? How would it be enforced? Laws without enforcement only stop honest people from doing things. (To Rick’s point, researchers)

            If you’re caught installing one of these, or removing one, you will be prosecuted. If you are randomly stopped and have one in your possession, you may not, but how often do you think that happens?

            To those suggesting that law enforcement should prosecute sellers of criminal devices, consider (even if you disagree with Rick’s point above that commission and not possession of tools is the crime) the exponential cost (many of the perpetrators are overseas; arrest one and there will always be others to fill the void; internet transactions are expensive to track/trace) to law enforcement. This problem is (not yet) widespread enough to justify that kind of expense and I, for one, would not want my tax dollars spent so frivolously.

            Like or Dislike: Thumb up 1 Thumb down 0

    43. YIKES TOO

      Like or Dislike: Thumb up 2 Thumb down 0

    44. Why use ATMs, I’m in Europe but why use ATMs when the stores take cards?
      As long as you give the ATM your card it doesn’t matter if you have a chip or not since it is possible to read the strip anyhow.
      Leave checks and ATMs; use cards in the shop.

      Like or Dislike: Thumb up 1 Thumb down 5

      • If you’re buying petrol after hours you have to use your card, you can’t go into the store. If you want to withdraw cash after hours, same thing. You may not be able to avoid using the cards altogether.

        Like or Dislike: Thumb up 2 Thumb down 1

      • There are numerous cases of readers in stores being compromised as well — plus in stores, it’s much easier for them to capture your PIN as well, since the version used in stores replaces the whole keypad as well as card reader.

        Like or Dislike: Thumb up 3 Thumb down 1

    45. The number of comments which have been left about ‘finding one in the wild’ bring out one question.

      How easy are these to pull off? One guy mentioned taking 10 minutes to see if he could pull off the card reader. Are they easy to pull off, or does it take a bit of effort? If I pull on one and it doesn’t come off with a good tug, does that mean it’s safe?

      Well-loved. Like or Dislike: Thumb up 7 Thumb down 0

    46. Why bother with a skimmer? Buy one of those “independent” ATMs (like the kind you find in gas stations or Quikie Marts), and collect all the card data and PINs you want. All it will cost you is $100 (max) per card swipe.

      Hot debate. What do you think? Thumb up 5 Thumb down 3

    47. Is it the reason that in Europe, they are using smart chip, so the reader is authenticated by the card before any operation can be done… So illegal reader means that the card will refuse to work…

      Hot debate. What do you think? Thumb up 2 Thumb down 7

    48. My question is, why do the customers of a bank (card users) have to live in fear and suspicion? Why can’t the banks themselves keep an eye on their ATM machines, or have they a financial gain or stake in these skimmers?
      Every bank has got a camera on every ATM to keep an eye on the customers; don’t they spot somebody who is mounting a skimmer on their machine?
      Soon it will be safer to keep your cash under your mattress and get a shotgun.

      Like or Dislike: Thumb up 3 Thumb down 1

      • Unfortunately, the camera on an ATM will only work when a card is put in the slot. To have them work on a motion sensor or something would require more expenditure on the security system. Bear in mind, the security system on an ATM is NOT there to protect you. It’s there to protect the bank. Protecting yourself is up to you.

        Well-loved. Like or Dislike: Thumb up 6 Thumb down 1

    49. Several years ago charges started showing up on my credit card from Russia. We had recently returned from a trip to France where we used ATM’s a lot. Never did know how the Russian criminal got our card number and pin info. I think this probably explains it. As an example, I was charged for plane tickets from Moscow to Minsk, two places I’ve never been.

      Like or Dislike: Thumb up 1 Thumb down 2

    51. Wow, didn’t know that these things got so invisible. Before reading this, I knew these devices existed and felt comfortable that I would recognise one. From now on I’ll use two hands to enter my PIN code: one to enter the PIN and one to provide additional shield.

      Like or Dislike: Thumb up 1 Thumb down 0

    52. Without any problem i should put my card in that reader. I think my money is not safe anymore.

      Like or Dislike: Thumb up 0 Thumb down 0

    53. Wow..amazing, i like this article. may be can be implemented in my country . hahaha

      Like or Dislike: Thumb up 0 Thumb down 3

    54. This is real problem. Why no-one discourage using ATMs if skimming devices are so popular? Cash is still ok, isn’t it?

      Like or Dislike: Thumb up 0 Thumb down 0

    55. PERFECT example of why cash is so much better…. get out of the habit of using the cards, they’re NOTHING but trouble!!!

      Like or Dislike: Thumb up 0 Thumb down 1

    56. ya know two or three motorized metal prongs slowly but very strongly poking out of the surface of the machine near the slot once before and once after your card is inserted would pop this off.

      Like or Dislike: Thumb up 1 Thumb down 0

      • John, I think the bad guys can drill holes ;) But I agree that the card slot could be physically secured or even be monitored by a camera in the top of the housing.

        Like or Dislike: Thumb up 0 Thumb down 0

    57. I guess this will be the good excuse to get a chip in your body, which looks like it’s not too far down the road. 666 doesn’t sound too strange now.

      Like or Dislike: Thumb up 4 Thumb down 1

    58. GREAT article!! Factual, clearly explained, timely, relevant & helpful. I’m sending it to my whole mailing list. Keep up the gd work

      Like or Dislike: Thumb up 0 Thumb down 0

    59. That’s why I never use an ATM.

      Your girl Mary :)

      Like or Dislike: Thumb up 0 Thumb down 2

    60. In my last bank statement I found out that someone cleaned out my checking account. Thank God that I didn’t have but about $500 in there because of not having a job. Someone must have skimmed my card at my bank’s ATM because that is the only place I usually use it. I have gone over this in my mind over and over again and can not for the life of me know how this could have been done and now I see these sophisticated skimmers that these crooks use. It makes sense now. It only took the crooks about 3 days to clean out my $500 and they take money out twice a day so folks, if you have a lot of money in your account beware that it doesn’t take long for them to clean you out. Like I said I didn’t know until I got my bank statement at the end of the month. I hope they catch these people!

      Like or Dislike: Thumb up 1 Thumb down 0

    61. You can’t trust anything anymore.

      Your girl Mary :)

      Like or Dislike: Thumb up 0 Thumb down 4

    62. The ATMS I usually use begin transactions with a couple of screens touting various bank services. Maybe it would be possible for banks to create a screen that would show a picture of their ATM slot with a message that would say something like, “This is what our ATM should look like. If this one looks different do not use it and press [some button] to report it.” (I am assuming/hoping bank employees who service these machines inspect for tampering, but there might be several days between services.)

      Like or Dislike: Thumb up 3 Thumb down 0

    63. Some piece of shit skimmer drained my account for 500 bucks just recently. The vampire probably used a skimmer since the transaction showed up as an ATM withdrawal.

      The thing is I didn’t know that these types of things existed and therefore wasn’t at all cautious when I would use an ATM. Now of course I know what these bastards do so I will be way more cautious.

      Banks need to educate their customers that these things are out there looking to drain your bank account in a flash.

      Like or Dislike: Thumb up 2 Thumb down 0

    64. The instructions in Braille are a nice touch.

      Well-loved. Like or Dislike: Thumb up 4 Thumb down 0

    65. This is one reason I always enter my PIN (a) with my other hand over the hand that’s entering the data and (b) with several false keystrokes. Whether machine or camera, that should defeat most observers.

      Like or Dislike: Thumb up 0 Thumb down 0

    66. Love the article on ATM skimmers. How about gas pumps as well? Just heard from someone that works for a major gas company they are having a significant problem with people breaking into gas pumps and hiding a skimmer in the inside of the pump. No amount of tugging on the gas pump will find that skimmer. Evidently the crews doing it are sophisticated and very quick at their work, easily bypassing the locks on the pumps. Just in case people were tired of only being afraid of their ATMs :)

      Like or Dislike: Thumb up 3 Thumb down 0

    67. Will the cameras show the person who is using a card?
      I had mine stolen and I wanna know, will I see who took my money?

      Like or Dislike: Thumb up 0 Thumb down 0

      • Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency???

        Like or Dislike: Thumb up 2 Thumb down 0

    68. April 2, WESH 2 Orlando – (Florida) Ocoee Publix employees find skimmer on ATM. Employees at one Orange County Publix said they found a skimming device on the store’s ATM. Police were called to the store on South Maguire Road in Ocoee April 1. The device steals data from users who put a card into the machine. Police said it’s not known how long the skimmer was there. Anyone who has used the machine is advised to call their bank. Source: http://www.wesh.com/news/23033295/detail.html

      Like or Dislike: Thumb up 0 Thumb down 0

    69. Being old & old fashioned, I go to the neighborhood branch of the locally owned bank at the beginning of every month, go inside, write & cash a check, which I try to make last the month (it nearly always does). I say hello to the tellers & sometimes chat a moment with them &/or the manager, and then put all but $30-$40 in a safe place at home until I need it.

      I also try to pay cash at restaurants & places where the card gets taken out of sight (altho I am fully aware that as noted elsewhere the card can get snookered in my presence in the wink of an eye — why make it easier). My card typically has 5-8 transactions a month, none of them ATM’s.

      I realize this isn’t possible for a lot of folks, and I do travel occasionally (last time I used an ATM for cash was in Port Aux Basques, Newfoundland!), but it is possible to plan and minimize ATM (and card) use, especially for small transactions. Rewards aren’t very rewarding if you get your identity snarfed, and paying cash for small transactions helps to keep spending under control.

      Sorry for the wet-blanket lecture ;-) , and yes, I do have lots of fun, too!

      Like or Dislike: Thumb up 2 Thumb down 0

    70. model so I want,I want so please buy myself skimmer model (silvia85@rambler.ru)

      Like or Dislike: Thumb up 0 Thumb down 3

    71. Thanks for taking the opportunity to talk about “Would You Have Spotted the Fraud? — Krebs on Security”, I benefit from learning about this subject. If possible, as you gain data, please update this blog with new information. Thanks, Hier

      Like or Dislike: Thumb up 0 Thumb down 1

    72. I have been reading a lot on here the topic Would You Have Spotted the Fraud? — Krebs on Security inspired me, i have picked up some really great ideas. Thanks and i hope to see more soon.

      Like or Dislike: Thumb up 0 Thumb down 1

    73. The Calgary Police were alerted to this type of stuff by a bank customer. The video is very good at showing how complex and yet simple these things are.

      http://www.cbc.ca/canada/calgary/story/2010/04/27/calgary-debit-machine-bank-skimming-scam-td-steal.html

      Like or Dislike: Thumb up 0 Thumb down 0

    74. The cameras show the person who is using a card
      I had mine stolen and I wanna know, will I see who took my money?

      Like or Dislike: Thumb up 0 Thumb down 1

    75. Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency?

      Like or Dislike: Thumb up 0 Thumb down 1

    77. I ran into this kind of gizmo in Stockholm when I was gonna make a withdrawal from the closest ATM. I called the mall police who closed it down on the spot.

      Sneaky bastards!

      http://www.itmoln.se
      Molntjänster

      Like or Dislike: Thumb up 0 Thumb down 0

    78. thanks everybody for their valuable information

      Like or Dislike: Thumb up 0 Thumb down 0

    79. This is not our “fathers’ country” Times are way different like the Oldsmobile :(

      Like or Dislike: Thumb up 0 Thumb down 1

    80. There should also be a burden of responsibility on those who provide the services to ensure that they provide safe and secure facilities. If that were the case then the usage of the skimmers would be far less of an issue.

      Like or Dislike: Thumb up 0 Thumb down 0

    81. Wow, really makes you realize how careful you have to be in the days of electronic cash transactions.

      Like or Dislike: Thumb up 0 Thumb down 1

    82. I always use the same machine, and always look at the card slot to see if there is a difference. Once I tried grabbing it, but couldn’t pull it off :) ….so…How hard should I have to pull? I hate to get arrested for breaking the darn thing. I assume they use double sided tape. Some of which is quite strong…like carpet tape. Also….Is there a way to find out if ATM’s in your locality have been hit? From what I’ve read…consumer law needs to force banks to provide this data, before their customers start destroying their machines as a test of validity.

      Like or Dislike: Thumb up 0 Thumb down 0
