February 2, 2010

Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin‘s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.

Click the individual images below for an enlarged version.

[EPSB]

Have you seen:

Would You Have Spotted This ATM Fraud?…The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.

[/EPSB]


104 thoughts on “ATM Skimmers, Part II

  1. Marcus

    I have to be honest, if I found one of these I would probably pull it off and take it home to reverse engineer it. The whole faceplate model changed my perception of what to look for

    1. Jeremy

      One thing these skimmer articles never mention is the arrest rate for the perpetrators. I know from experience (I worked at two different banks) that most large banks have an internal security force. If the ATM servicer saw something amiss with a unit, they would have no problem what-so-ever putting someone on it as a stakeout until the thieves returned.

      Be careful if you decide to remove a skimmer from an ATM yourself, because you might find yourself at the mercy of a couple of bank security agents, until you convince them that you weren’t the one who placed it there.

      A side note: we would fairly often have people try to pass fraudulent checks or otherwise scam the bank. We had two buttons at each station: a panic button for a true robbery and an alert button for something like a fraudulent check. The alert button contacted both the police and the private security and 75% of the time, the private security made it to the bank first. The one time we had a robbery (I wasn’t there), the private security also made it there first.

      1. Jorge

        Besides your recommendation about don’t remove the skimmer to avoid a security problem, also in many places the perpretators are normally watching the ATM, and I’m sure they wouldn’t as nice as the internal security, you know what I mean, so you better just leave and make your calls from a secure place.

  2. Jack

    This was a very informative article. I saved it with the pics so I can show it to my family.

    Another thing the banks need to do is to have telephone numbers posted on or somewhere near the ATM machine so that people can call from their cell phones right away if they see anything suspicious.

    I drove up to the ATM on the side of my bank bldg one day and noticed that it looked irregular. The card slot was crooked and not properly affixed so I didn’t use it. I looked for a phone number to call. I also looked around to see if there was anyone loitering in the area. I found a piece of paper in my car, wrote a note warning people not to use it (or go to the walk up ATM instead) and stuck this in the opening until the bank or police had a chance to look into this. I went home and called my bank but wasn’t able to leave a message so I called the police dept after that and reported it to them.

    1. Greg

      You don’t need the bank to post a number. Try 911, I’m pretty sure the cops can contact them, or stake it out and catch the people when the come back to get their cameras, card readers and pin pad overlays.

      1. Jeremy

        Don’t call 911 unless it’s an emergency. Something like this is urgent, but it’s not life-threatening. Program the non-emergency police number into your phone and use that instead. The last thing you want to do is delay the police/fire department/ambulance getting to a robbery/house fire/heart attack because you called 911 over a suspicious ATM faceplate.

        1. Allen

          This might vary from municipality to municipality, but it may be universal now: Our police force asks people to always use 911, even for non-emergencies, as it GREATLY increases public participation in reporting vandalism, etc. When I asked the Chief of police about interfering with real emergencies, he said the first thing they ask when you call is whether it’s an emergency, and if it’s not, they slide you off to the non-emergency line. They say that they are constantly fighting what they call an out-of date recommendation not to use 911, and work every day to change that perception.

          As I say, I don’t know if this is universal so you should check with your locals to find out what they want you to do, but it seems like something that every modern PBX or whatever office telephony system should be able to easily support.

          1. AlphaCentauri

            My city has only 911 for all calls, too. But a couple years ago a teenager who lives here was taking public transportation to visit a friend in the suburbs and got completely lost. He didn’t know what to do, but had been told when he was a child to look for a policeman when he got lost. He called 911 and was arrested for misusing the emergency service.

            1. Ray Butlers

              Anecdotes are a waste of time. Plus, I’ll be looking this one up on Snopes.

  3. Rod

    This post makes me recall back in 2005 when a friend of mine in Aguascalientes, Mexico had to go at night to the ATM to get some cash, he went and after returning he was admired of a ‘new’ ATM (1 of 3) available at that specific bank, he mentioned things like having just used a new ATM system with a color display and touchscreen capabilities… he was completely unsuspected at the time. To make the story it short, of course he got no money at the time and days later he found 2 grand to be missing from his account. Weeks later a band of Venezuelans was arrested in the area.

    Greetz to Germy Muñoz.

    1. Jack

      Rod-May 8, 2010 at 7:08 pm
      This post makes me recall back in 2005 when a friend of mine in Aguascalientes, Mexico had to go at night to the ATM to get some cash, -“Weeks later a band of Venezuelans was arrested in the area.”

      I’m seeing more and more folks from Venezuelan working in restaurants as well. I NEVER use a credit card when eating in these places. Won’t use a debit at a gas station either.

      Times is a changin and it doesn’t take any work at all for crooks from these countries (or Romania, etc) to grab other people’s cash anyway they can.

      Be especially vigilant while your on vacation and DON’T GO to an ATM at NIGHT!

      If the ATM looks suspicious, then take a pic of it with your camera phone and let local law enforcement check it out.

  4. Leslie

    My bank and many other banks around here now have round bulging globe-shaped atm-card slots so a flat skimmer attachment will not just mount inconspicuously on the outside.
    And the ultimate security technique: just pay cash! And don’t forget to ask for your 2% price reduction since that’s what the merchant has to pay visa etc for their payment processing, so there’s no reason YOU should have to pay more to use cash.

    1. desta elliott

      Typically, credit card companies prohibit rebates to cash customers on pain of losing credit card privileges

    2. Trevor

      Really? Your that clueless that you think merchants are just going to calculate a 2-3% reduction of the goods you bought because your using cash? Wake up, this is the real world, and thats the price the merchant is paying to get the business when they would loose it if you didn’t have cash, they sure are not going to “discount” the merchant processing fee’s back to you for using cash.

      Anyone who asks for it is probably one of the cheapest people around, as anyone with common sense would feel embarrassed to ask the merchant to cut the price even more. This isn’t a bazaar with haggling going on all day. Congrats Leslie, hope lots of people asked and got disgusted looks from the merchant, while they considering just asking the customer to leave if they persisted and pushed for the 2-3% merchant fees to be discounted off a cash purchase.

      1. AlphaCentauri

        The gas stations around your way must do things differently. Where I live, the ones that DON’T pass on credit/debit card fees have big signs advertising, “Same price, cash or credit!” It just depends on the contract the merchants sign and on what is usual and customary in their location and in their market sector.

    3. Ray Butlers

      All retail customers pay all expenses for the retailer, including banking services, rent, etc. You dont’ get a menu of the things you don’t want to pay for.

      ….and cash is an expense as well….and so are checks….
      so….if I use a credit card, they should charge me for their credit card expenses, but NOT for cash and check expenses, right?

      1. Robert

        As a company that accepts all forms of payment, I can tell you that cash and checks are far less expensive to accept than are credit cards. I pay just under 3% per credit card transaction because I’m small potatoes compared to Walmart and the like. Fortunately, most of my clients pay by cash or check. And, of course, cash goes into a coffee can.

        Even though it’s against most merchant agreements, you are seeing more merchants these days (mom and pops, mostly) adding an up-charge for credit purchases.

        1. Ray Butthead

          I believe you, but the expenses related to check and cash processing will vary with the type of business. Some businesses are indeed much better operating as cash-only. Remember, however, that cash is never free. You probably have to pay for your change from the bank, plus you have the costs of security, insurance, and the cost of theft risk from employees, etc. It’s a judgement call and indeed many business should switch to cash only. Debit/Credit cards were sold pretty agressively and now seem normal to nearly all consumers, much to the benefits of Visa/MasterCard. (And of course checks cost money too due to fraud and returned items, etc. Most banks charge for check deposits too.)

  5. Ken

    Hi Mr Krebs!

    Recently I had 2 (different) credit union debit cards skimmed. The credit unions will not reveal the location of the skimming (do they know?). However, the time frame that I was given for each card skimming overlap, and as the card “a” is rarely used, I was able to determine that the only times it was used during this time frame, it was used with card “b” from the other cu.
    There was only one day in the appropriate time frame when both cards were used (2X) on the same day. Once was at the local cu atm, and the other was at a local gc in two different debit card readers. I feel that it would be unlikely that both readers at this location would be compromised, so that leaves only the cu itself.
    The cu manager emphatically denies that it happened at their atm, but the evidence is pretty strong. Do these institutions actually know, and might she be denying this because she really doesn’t know, or is trying to limit liability? I felt the machine acted strangely as well, giving an error on the card from that cu, but giving cash from the other, out of town cu. I also felt that it unusual that an individual I had not seen before was seated on the bench outside this cu–even though it was cool, and he would have been more comfortable on the sunnier side of the street.

    I wish these institutions would reveal the location of the skimming–if they even know.

    1. Greg

      Not necessarily, I’d think it’s common to compromise more than one reader at one location. If you’re targeting a location, especially if it’s the same model of ATM/POS device, I think you’d hit them both at once.

    1. JamesK

      If you can read a couple of sentences you will know exactly where the images are from.

      1. AlphaCentauri

        “She” isn’t really trying to get an answer. It’s a spam link. Mouse over the username to see the guilty spammer’s URL at the bottom of your browser.

  6. S

    I got my debit card # stolen and I think it was probably from a skimmer, so this is really good to know! I was advised by many to look out for skimmers (give everything a tug before running a card through the machine) and now I know what to look for!

    Thanks a lot! This is a huge help and I’ll make sure to pass this info along!

  7. TOM_C_A_T

    I think better to use at least two bank accounts…

    One with very less balance in it to use its card on ATM…

    …and other for bigger transactions simply using cheques.

    You can ebank and transfer money to first account as required,

    you might not detect skimmed ATM every time but you can be sure of the transaction from your ATM Card use and risk very less.

    You can even make a habit of transferring money every night to the ATM card account just as much required to go for the next day.

    Simple !

  8. tony

    The fact that so many ATM machines are running Windows is what frightens me most about this article.
    I would never trust important data to a Windows system. I can’t imagine, for the life of me, why banks are doing this.

  9. Robert

    There are card readers that are far more difficult to mount skimming equipment to. Redbox has designed a simple reader that appears all-but-impossible to attach a skimmer to. Why don’t the ATM and gas pump manufacturers do this?

    Some ATMs use full capture readers in order to confiscate cards that are reported stolen. This is unnecessary as once it’s reported stolen, it shouldn’t be possible to use again anyway.

    I suppose the manufacturers feel the price to retrofit is greater than their losses to fraud — nevermind that their customers are the ones who suffer terrible inconvenience! As usual, everything is measured against the bottomline.

Comments are closed.