January 15, 2010

Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.

It’s hard to know whether this was a homemade skimmer, or one that was purchased from online criminal forums. Some of the skimmers sold on these forums are extremely sophisticated, incorporating features such as the ability to send an SMS text message to the thieves’ mobile phone whenever a new card is swiped.

This type of fraud is actually far more common than you might think: A quick query on Twitter for “ATM skimmer” usually brings up plenty of local news reports about these devices being found on ATMs.

Practice basic ATM street smarts and you should have little to fear from these skimmers: If you see something that doesn’t look right — such as an odd protrusion or off-color component on an ATM — consider going to another machine. Also, stay away from ATMs that are not located in publicly visible and well-lit areas.

Update, 12:10 p.m.: Mikko Hypponen from F-Secure sent in a few fascinating Twitter pics of other ATM skimmers that include ingenious ways to send the stolen credentials to the scammers.

If you liked this post, please check out my follow-up posts on ATM skimmers:

ATM Skimmers Part II, includes an entire gallery of ATM skimmer images.

Would You Have Spotted This ATM Fraud? Delves into some of the rent-to-own skimmer models.

Fun With ATM Skimmers, Part III: Examining the skimmer problem in Europe (+ more skimmer photos!).

ATM Skimmers: Separating Cruft from Craft. Skimmer scammers are everywhere! Only buy your skimmer devices from real thieves!

Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message: Skimmers with embedded cell phones allow thieves to continue stealing credentials without ever returning to the scene of the crime.

Skimmers Siphoning Card Data at the Pump: Skimmers aren’t just for ATMs.


172 thoughts on “Would You Have Spotted the Fraud?”

  1. atmuser

    The ATMs I usually use begin transactions with a couple of screens touting various bank services. Maybe it would be possible for banks to create a screen that would show a picture of their ATM slot with a message that would say something like, “This is what our ATM should look like. If this one looks different do not use it and press [some button] to report it.” (I am assuming/hoping bank employees who service these machines inspect for tampering, but there might be several days between services.)

    1. Elizabeth Wood

      You know what, I think I will pass this on to my credit union.
      Post it on the ATM machine. I will add to your post what the skimming device looks like on the ATM machines, along with what it looks like without the skimming device on it.

      1. Elizabeth Wood

        I have mentioned to my credit union about letting people know of skimming at ATMs. The response was they have cameras at each ATM at all branch locations. The main branch has all branches covered. The thing I want to get at is to educate the customers to be aware of skimming devices on these ATMs.
        On YouTube there are advertisements to sell skimming devices to put on the ATMs. This is wrong. There should be a law against advertising devices for stealing money.

  2. rubeN

    Some piece of shit skimmer drained my account for 500 bucks just recently. The vampire probably used a skimmer since the transaction showed up as an ATM withdrawal.

    The thing is I didn’t know that these types of things existed and therefore wasn’t at all cautious when I would use an ATM. Now of course I know what these bastards do so I will be way more cautious.

    Banks need to educate their customers that these things are out there looking to drain your bank account in a flash.

    1. Eileen

      Sorry this happened to you, it is scary to think this could happen.

      Yes, I agree that the banks should now be very alert. They should find a way to make their facility safe for their customers.

  3. Joe K.

    This is one reason I always enter my PIN (a) with my other hand over the hand that’s entering the data and (b) with several false keystrokes. Whether machine or camera, that should defeat most observers.

    1. Adam G.

      That wouldn’t have helped with a skimmer. It reads the data directly off your card. No amount of holding your hand over it is going to be able to bypass that.

      1. johnson

        Dumbass, he’s talking about the PIN. The PIN isn’t stored in the card.

        1. Eileen

          Why do you have to resort to name calling? I believe the devices can record keystrokes, thus making it possible for them to also record your PIN number.

          1. Not Joe K.

            Eileen, did you not take the time to read Joe K.’s comment? That is why people get frustrated.

          2. Eileen

            To Not Joe K-

            Yes, I did read it, I read the whole article. But who can say that the camera can’t read his keystrokes as he is holding his hand OVER the keypad? The cameras are designed to view from the side, and the criminals may be able to figure out his PIN.

            But what really bothered me was Johnson’s ATTITUDE, his verbal abuse, and his need to degrade someone else. I just don’t think that is necessary, there is enough trouble with people getting their money stolen.

            We are discussing a real problem here and I don’t see any reason for potential victims, to FIGHT among each other, do you? That is not helpful, it is counter-productive in my opinion.

            If someone does not understand what is happening here with the ATM machines, why not correct their thinking in an appropriate kind way, instead of slamming them with verbal abuse. This ATM threat is, I think, new to most people and so we may not understand exactly how this is happening.

            I’m just sayin’.

  4. AnonymousMike

    Love the article on ATM skimmers. How about gas pumps as well? Just heard from someone that works for a major gas company they are having a significant problem with people breaking into gas pumps and hiding skimmers inside the pump. No amount of tugging on the gas pump will find that skimmer. Evidently the crews doing it are sophisticated and very quick at their work, easily bypassing the locks on the pumps. Just in case people were tired of only being afraid of their ATMs 🙂

  5. maripza

    Will the cameras show the person who is using a card?
    I had mine stolen and I wanna know, will I see who took my money?

    1. Michael

      Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency???

      1. DeeDee

        I would guess that the thief has been casing the ATM to see when someone services/refills the unit. Then he removes the skimmer before the scheduled time.

      2. roncufley

        No, because they are refilled from the back so the teller would not normally see the front of the machine.

        1. Cameron

          Not all ATMs are refilled from the back. Most in fact are filled by either pulling out a drawer-type system from the bottom or a large portion of the front opens as a door. To answer the question, these ATMs are serviced by bank employees and they are servicing many machines a day. One small detail such as an “insert card here” sign will go unnoticed by the servicing employees. The people that SHOULD catch it are the people who are working inside the stations etc. where the ATMs are placed. (Yes, I know some are outside, but if you look them up, most of the ones targeted are inside stores.) My wife had her physical card stolen last year and a person used it at three different stores in Virginia Beach. The employees at one of those stores actually knew the person and were obviously covering for him since he used it at 2:30 in the morning and the station locks its doors at midnight and rarely lets anyone in after. The other two stores attempted to help but both erase their video logs after two days. Now they have skimmed her credit card and charged $1300 to the card. The money is still on hold and has not been paid out but the law requires the bank to pay it out anyway even though they know it is going to a criminal. And I can’t file a claim until the money has been paid for them. The law is LITERALLY protecting the criminal and making things impossible for the victim to correct. It will take laws being changed to fix this and not a “quick check” every time you go to the ATM.

      3. Bleue

        Not really – the bankers are checking the amount of physical cash left in the machine vs. the money withdrawn/deposited by consumers.

        The skimmers directly withdraw money from your account – like it was your ATM card. So the problem is not noticed, usually, until people start complaining about missing funds and fraudulent withdrawals from their accounts.

  6. Norm wallace

    April 2, WESH 2 Orlando – (Florida) Ocoee Publix employees find skimmer on ATM. Employees at one Orange County Publix said they found a skimming device on the store’s ATM. Police were called to the store on South Maguire Road in Ocoee April 1. The device steals data from users who put a card into the machine. Police said it’s not known how long the skimmer was there. Anyone who has used the machine is advised to call their bank. Source: http://www.wesh.com/news/23033295/detail.html

  7. pat w kingman

    Being old & old fashioned, I go to the neighborhood branch of the locally owned bank at the beginning of every month, go inside, write & cash a check, which I try to make last the month (it nearly always does). I say hello to the tellers & sometimes chat a moment with them &/or the manager, and then put all but $30-$40 in a safe place at home until I need it.

    I also try to pay cash at restaurants & places where the card gets taken out of sight (although I am fully aware that as noted elsewhere the card can get snookered in my presence in the wink of an eye — why make it easier). My card typically has 5-8 transactions a month, none of them ATMs.

    I realize this isn’t possible for a lot of folks, and I do travel occasionally (last time I used an ATM for cash was in Port Aux Basques, Newfoundland!), but it is possible to plan and minimize ATM (and card) use, especially for small transactions. Rewards aren’t very rewarding if you get your identity snarfed, and paying cash for small transactions helps to keep spending under control.

    Sorry for the wet-blanket lecture ;-), and yes, I do have lots of fun, too!

  8. romeo

    model so I want,I want so please buy myself skimmer model (silvia85@rambler.ru)

  9. Hier Artikel

    Thanks for taking the opportunity to talk about “Would You Have Spotted the Fraud? — Krebs on Security”, I benefit from learning about this subject. If possible, as you gain data, please update this blog with new information. Thanks, Hier

  10. Haarentfernungen

    I have been reading a lot on here, the topic “Would You Have Spotted the Fraud? — Krebs on Security” inspired me, I have picked up some really great ideas. Thanks and I hope to see more soon.

  11. thedarkshrine.com

    I created a Starcraft 2 web site found here:

    Starcraft 2
    http://www.thedarkshrine.com

    I am going to be adding a lot of things to the site, such as replays, vods, maps, fpvods, live streams, tools, esports info and much more. There is a wiki there and really could use helpers to assist. I hope you fellas can register as my goal is for this website to be one of the strongest SC2 sites online. Please register asap as there will be a tournament. If you have any feedback please feel free to let me know!

    Thx. Great board by the way!

  12. Spiros

    This is not our “fathers’ country”. Times are way different, like the Oldsmobile 🙁

  13. Danny DeMichele Flikr

    There should also be a burden of responsibility on those who provide the services to ensure that they provide safe and secure facilities. If that were the case then the usage of the skimmers would be far less of an issue.

  14. Chris C

    I always use the same machine, and always look at the card slot to see if there is a difference. Once I tried grabbing it, but couldn’t pull it off :)… so… How hard should I have to pull? I hate to get arrested for breaking the darn thing. I assume they use double-sided tape. Some of which is quite strong… like carpet tape. Also… Is there a way to find out if ATMs in your locality have been hit? From what I’ve read… consumer law needs to force banks to provide this data, before their customers start destroying their machines as a test of validity.

  15. SAMAR

    I NEED atm skimmer gsm i m from india so tell me price and detail and i need camara jamar also how to i fit in atm that product

  16. WorldWallReader

    I’m white but I go around speaking only spanish to hispanics just to see what happens to me can you post your comments about it?

  17. FrankyBoy

    that’s why all ATMs have transparent and/or embedded card intakes here, not opaque protruding ones.

  18. Clay

    If the banks would spend the money (some are) to update to current security measures readily available, this would be a thing of the past. Criminals would have to completely start over or find something else to steal. A magstripe is VERY easy to read and copy. The PIN is not that hard to get. A smart chip enabled card does not transmit until inside the machine, and it cannot be read from the outside. It is also flashable so the encryption can be changed. This technology has been out for years. All we need to do is petition the banks to start putting some effort in hiring qualified security personnel to implement the current security measures available today, and most of this theft would be a thing of the past.

    1. Jedi

      Why not have a straight flat front from top to bottom with touch technology, nothing protruding so that nothing can be attached, or if it is then it will show as obvious protrusion, and of course embedded chip technology.

      1. Elizabeth Wood

        I thought of this idea. Have both monitor and keypad on touch screen so nothing can be easily attached to it. Have a scan device on the ATM like they do at stores. Then no PIN number needed. On YouTube people are advertising skimming devices for sale. I do not know how YouTube allows them to advertise the skimming devices. I think YouTube should not allow this on their website. This makes me mad. This encourages would-be thieves to steal money from others.

    2. roncufley

      Most cards with chips also have a mag-stripe in order to be compatible with older machines or to be used in other countries. In the UK we went over to chip and PIN a few years ago but the cards still have the mag-stripe.

  19. Alex Levin

    Dear Brian,
    I just came across your blogging site and am really impressed with it and your history on how you got into information security. I’ve been a practitioner for a while now myself and am around the same age as you. I maintain my CISSP and really just consider myself a jack of all trades but master of none as there are so many areas in computer security that my real goal is to always just help educate those that are not in the field. Your blogs have some really good material and definitely the info on the ATM skimmers will be a nice collection to add to my talks as I try to educate others on all the dangers out there and how to combat them. Keep up the good work !!!!

    Sincerely,
    Alex Levin

  20. Vincent

    One thing people are not realizing is that some of the people who are servicing the machines are not actual technicians for that particular device. Take for instance ATMs at a bank. The people who restock the machines and take out the deposits are not qualified to actually service the machines (this means they do not know what is or is not supposed to be inside the machine). These people who open the machine on a daily or semi-daily basis are only trained to open the machine to restock it or to pull the deposits, not inspect the machine for abnormalities. If you really want to stop this kind of fraud, we should force the banks and other companies to have qualified technicians check their devices every day. Maybe even twice a day.

Comments are closed.