March 25, 2010

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.

Indeed, police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered On Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.

Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.

Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.

Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.

The business end of a standard, $1,500 Diebold skimmer sold online.

Interestingly, after my last story on ATM skimmers, I received several spammy comments on the entry directing readers to a site that specializes in selling ATM skimming devices. That site sells a Diebold ATM skimmer that is apparently identical to the one found attached to the Alexandria ATM starting at a base price of $1,500 (see image at right). If the thief wants to have the stolen data sent to him from a safe distance via a wireless technology — such as Bluetooth or cell phone (GSM) — the price for one of these Diebold skimmers increases to $2,000 or even $2,500.

The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.

The backside end of a standard, $1,500 Diebold skimmer sold online.

Employees are instructed to download specialized software written by the employers that pulls the stolen data off of the card skimmer at the end of a day’s “work.” The software also automatically uploads the stolen card data to the employer’s servers. The employee allegedly holds the key to making sure his employers don’t just make off with 100 percent of the stolen data, as he retains stolen PIN information.

“This way, you will have pad numbers we will have track info and we split them 50% each on cashout day,” the site explains. “We have to decide a working day from total amount of tracks you will have send us our % of pin numbers and we will send your % of tracks info, then exactly the same day will do the final job cash out.”

A bogus Diebold ATM PIN pad overlay sold online for $1,700.

Of course, the entire site could be little more than a very clever scheme to bilk gullible thieves out of $1,000: Not surprisingly, the site owners only accept irreversible forms of payment, such as wire transfers or money orders.

Further reading:

Would You Have Spotted the Fraud?

ATM Skimmers, Part II

Update, 1:47 p.m. ET: I was just interviewed about this article on The Kojo Nnamdi Show, part of WAMU 88.5 FM, a National Public Radio news station in Washington, D.C. You can listen to a recording of that show at this link here.

Update, March 26, 11:13 p.m.: I was meeting a source in Washington, D.C. today and happened to walk past another Wachovia ATM. I was so struck by the fact that I could not tell the difference between the skimmer-tainted ATM in the post above and this machine in D.C. that I snapped these photos. The ATM in question is right next to the Archives/Navy Memorial Metro Station.

[EPSB]

Have you seen:

ATM Skimmers: Separating Cruft from Craft…The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

[/EPSB]


91 thoughts on “Would You Have Spotted this ATM Fraud?

  1. Matt

    I was under the apparently wrong impression that many ATMs had a low res, time lapse, pin hole camera going all the time in them. It would mean the criminals would have to hide their faces on the way up to the ATM and for good measure they should have multiple fake pinholes. Not an easy problem to solve. Perhaps equipping the ATMs with http://www.MagTek.com magnetic stripe readers which apparently makes cloning cards magnetic stripes difficult as it uses the natural background noise of the magnetic stripe as a signature.

    1. Jose Navarro

      The only way to defeat this type of crime is two fold:

      a) Replace the track 2 for a chip card (as it is done in Canada)

      b) Do not issue a client card with a track 2 on the same chip card. Have the client ask for a client card with a track 2 for purposes of travel to countries that do not support chip technology and this card has a linited time to live such as two weeks.

      Implementing a chip card with a track 2 in the same card does not eliminate the problem, because the track 2 can always be copied and then used in ATM’s that do not support the chip technology. Sweden has deployed ATM’s with TWO card readers, one for chip card (which is issued for their local customers) the second track 2 reader is used for visitors of other countries that come to Sweden and do not have a chip card from their Banks.

      Fraud at ATM’s has been reduced to 0.01% and this only happens to tourists with track2 cards.

      1. Pete

        Chips and pin is only secure when the card issuers get off their rich & fat arses and mandate end to end encryption. Leaving it up to the heartlands of this world is complete shite… unless of course they implement chip and pin to offset all the liability back to the merchant and the customer, which they do.

        1. Jimmy

          Yeah, we’ll need to wait until a congressman’s card gets skimmed to see any action unfortunately.

    2. Jose Navarro

      Hi Matt;

      The time lapse pinhole cameras do not work because they can be defeated with bubble gum, sungalses, wigs, ski masks, etc.

      Installing a card reader over the ATM card reader plus an overhead camera to catch the PIN number takes about 70 to 90 seconds to a professional and it is done usualy at 2:00 am when there is no client traffic in the ATM vestibule.

      The cameras have to be on live all the time and have the security officers watch live all vestibules, notice the instllation action, shutdown the ATM and dispatch a security team. with more that a couple of dozen ATM this task is impossible to accomplish.

      1. infosec_pro

        Jose, given the price of terabyte drives these days, there is no excuse for banks not storing digitized pics of the ATM whenever there is a person within arms reach of it. The ATM needs to be serviced regularly enough to reload the cashbox, so retention requirements are not high. With a one to two day retention to allow review and archiving the storage media requirements are not at all unreasonable. This could at least help apprehend some of the low level perps.

        1. Jose Navarro

          We have tried this. Unfortunately, possession of the information without having committed any fraud is NOT a crime. The Canadian Federal Government is in the process of modifying legislation in order to prosecute and jail people for the simple reason of possessing the information; even no fraud has been committed.

          Until such laws are not in our books, catching these people is useless.

          1. F

            @Jose
            If I remember correctly from Law classes, it IS a crime. Counseling and assisting fraud is a crime…

  2. MK

    Ever since I read your last post about skimmers I’ve been tugging at the card readers and keypads every time I go to the ATM. My wife always gets really embarrassed.

    1. BrianKrebs Post author

      I almost spit out my coffee when I read your comment, except that now my wife has come around to the idea of tugging at the ATM card slot.

      1. MK

        Sometimes I look in the rearview mirror to see the reaction from the car behind me. Hey…I just figure they might thank me some day.

      2. Patrick

        Brian,
        I almost did the same thing when I heard the comment about tugging at the reader when you were on Kojo’s show yesterday (good story by the way).
        But, I guess I might be one of the tuggers as well – some of these things are looking TOO real to spot right away and I’ve been in the InfoSec / Cybersecurity world a long time.

        Like a few of your other commenters, I think the time for a chipped card is overdue. But, that is just my opinion.

    2. Shane

      I’ve become almost paranoid about making ATM withdrawals; tugging, pushing, twisting, and prodding on every piece of the machine as if doing some obscure ATM 10-point maintenance inspection routine. I’ve almost resorted to using a screw driver or key to ensure these high-tech skimming parts are not present but can see myself screaming “I was only looking for a skimmer!” as the police haul me off to jail for tampering with the ATM. I think as more of these stories hit the mainstream media, we’re going to see more people doing the same inspection routines. Great articles Brian!

    1. JBV

      Replying to your OT comment – did you notice that BK (or a BK impersonator) posted a comment on the WP article?

      1. wiredog

        I don’t wade into the story comments at any newspaper. They are unmoderated and full of trolls, flamers, and other assorted online riff raff.

      2. infosec_pro

        complete with grammatical faux pas…
        🙂

    1. BrianKrebs Post author

      @wiredog – I don’t think so. We may be talking about two different incidents, recently. This is straight from the press release that the Alexandria Police issued:

      “The Alexandria Police Department is investigating the use of a skimming device on an ATM machine, located at the Wachovia Bank at 3694 King Street. On Sunday, February 28, 2010, at approximately 1:30 P.M., an ATM technician working on the machine found the skimming device. The engineer took photos of the device and went inside the bank to notify the bank’s security office. When he returned a few minutes later, the device had been removed.”

      1. Glenn Fleishman

        Don’t most ATMs have a service number on the front for problems? They generate fees when working and complaints when not, so I suspect someone had trouble getting a card in or out, called the ATM service line, and a tech was sent. Which would make sense if the skimmer made it harder to get the card inserted or removed.

  3. bob

    Maybe I’m too cynical, but my immediate thought upon reading this was, “Is the ATM technician involved? Who does the ATM technician work for? Did the ATM technician put the device on, take a picture, and then remove it before going into the bank? Was the ATM technician trying to improve his or her job security?” The quick disappearance just seems to coincidental to me.

    1. Patrick

      I’m with you on this, it does seem just a wee bit coincidental.
      It could be a very true situation but, I’m a skeptic on these kinds of things. I’d like to see more followup on this ATM and ATM tech…

  4. jim

    Seems like a lot of these skimmers rely on blending into a poorly designed ATM front surface. If the surface was smooth then any protrusion would signal a skimmer has been attached. Further an embossed warning plainly visible indicating this to customers would help as well.

    1. MK

      I actually don’t think changing the design of the ATM would really help. Customers usually don’t have any point of reference as to what an ATM “should” look like, and even if it was a smooth surface a thief could just use a light adhesive to secure an unassuming-looking skimmer to it.

      A warning would probably just be painted over or have something placed on top of it to hide it.

      1. BrianKrebs Post author

        Some ATMs do actually give you a point of reference. It’s funny (not ha-ha funny but coincidence) that this happened on a Wachovia ATM, as that bank was recently bought by Wells Fargo, which unless I’m mistaken on some new ATMs actually has a picture on the outside of the ATM showing exactly what the ATM *should* look like. Guess this was an older model.

        1. MK

          Then they can just put a sticker over the sample picture 🙂

          That’s interesting though (and encouraging to learn that at least one bank is doing *something*). I haven’t come across even any sort of half-measure against this kind of thing with BoA, RBS Citizen’s, or Chase ATMs. Given how low my expectations of the banking industry have fallen as of late, I suppose this isn’t surprising.

  5. Dierdre

    You mention that the technician went into the bank. Why was the bank open on Sunday? Isn’t that rather unusual in itself?

    1. BrianKrebs Post author

      Yeah, I mentioned in the story that that seemed weird. I just double checked with the police dept. and they confirmed it was in fact on a Sunday, but that no one else but the technician was inside the bank that day. They said he went inside to call Wachovia security. So, I guess dude had access to the bank itself, which makes sense when you consider that half of the ATM (or more than half actually) is on the inside of the bank.

      1. John

        Kinda suspicious maybe. Took a photo of the skimmer, presumably with his cell phone cam, but couldn’t call security with the cell phone?

        1. Patrick

          Very true.
          And, did the guy actually go inside the bank to make the call…

    2. d

      Where I live the bank is open on Sunday, but drive thru only. And only for actual members with valid accounts. Yes, there are tellers inside the bank and only bank employees are allowed in the bank on Sundays.

  6. Budding Paranoiac.

    Brian…

    I’ve just sent a link to this article to my PNC Bank’s computerized message center. I think a second or third thought should be given to the idea that all of this (bleepin’) automation which as been installed to reduce payrolls and other overhead expenses might be weighed against the costs of these thefts and the electronic countermeasures required by the banks.

    This is the price (fee) we pay (pun intended) for ‘convenience’? We got along just fine with drive-through bank teller windows with a sometimes pleasantly smiling teller handing out cash through a slotted drawer upon presentation of some sort of bank issued I.D.

    They even might’ve said that tiresome…”Have a nice day”.

    Where’s our gain?

    1. BrianKrebs Post author

      Two responses. One is , you gain convenience, because ATMs don’t keep bankers’ hours ;), they’re open 24/7. If you want that face-to-face, you can still go into the branch, but only during branch hours.

      Second, it is unlikely that if you were to fall victim to ATM skimming, that you’d ever lose a dime as a result. Trust me, if a bank has an incident with a skimmer attached to their ATM, they are not going to give any customers a hard time if they lost money as a result.

      1. Seeker

        Unlike if you get ripped off via an unauthorized ACH transfer.

  7. Budding Paranoiac.

    Oh, I forgot to mention…why does one need to take out cash after daytime business hours? Midnight shift munchies? Taxi fare for (…am trying to be tactful here) …a “friend” after a favor was rendered?

    < ; D

  8. James

    According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

    —-

    Many unanswered questions here. How was it the crook happened to be at the scene watching the technician, and then was able to swoop in and out in a few minutes time while the tech went inside? Amazing stroke of luck. And certainly there must be video all around these banks capturing people and cars in the vicinity on top of the ATM video THAT SHOULD make it possible to develop some leads.

    Frankly, if this happened as the tech says it did, it’s no wonder this is a growing business. The problem has far more to do with the banks themselves (which doesn’t surprise me in the least).

    1. Christopher

      “How was it the crook happened to be at the scene watching the technician, and then was able to swoop in and out in a few minutes time while the tech went inside? ”

      Well, if you had laid down $1,500-$2,500 for a skimmer, would you leave it unattended? My guess is that whomever was responsible only put it on while the bank was closed, the ATM traffic was higher, and the liklihood of somene “in the know” noticing it was less.

      And, if the link above to the ATM is correct, I would not put odds against the culprit living in a front apartment in that brick building across the street w/ line of sight on the ATM.

    2. Mike Baptiste

      From what I’ve read before about skimmers – they don’t always stay attached for long. You attach it, leave it for hours or a day, and grab it. Some are wireless so you park nearby and receive the data remotely (kind of a drag when your $1500 skimmer with numbers in FLASH gets taken by an ATM tech). I’m sure whoever put this on was nearby, saw the ATM tech, noticed him go inside, and drove ‘through’ the ATM to grab the skimmer.

      I’m sure the ATM tech was there because either someone had trouble inserting a card through the skimmer and reported it, or perhaps the skimmer had been in place before and they were starting to trace fraud back to the ATM. Any number of reasons a tech would be there.

  9. Jason Dove

    Brian you are incorrect. You can be a victim of skimming and lose your money. Banks believe if a pin was used, the owner should have protected it. If you are clearly the victim of skimming, your bank may reimburse you. However, that is not always easy to figure out. Crooks most often sit across a parking lot watching their device and how many cards they have collected. They may not use your card info for months, then sell many in batches. Cards skimmed could also be from multiple banks, not just the branch that was compromised. Some crooks are also banging the cards slowly. Twenty dollars here, twenty dollars there. Many people are not real good at tracking their accounts. All this can make it difficult to trace back to an original skim site.

    1. BrianKrebs Post author

      I was talking about cases in which a bank acknowledges that they had a skimmer incident.

      And yes, technically, they can hold people liable for losses due to ATM skimmers. However, the cases in which they can hold customers liable for losses from ATM skimmers do not differ from the terms surrounding losses from having your debit card compromised.

      Consumers who report suspicious or unauthorized transactions on their ATM or debit card, or against their online banking account within two days of receiving their bank statement that reflects the fraud also are limited to $50 in losses. But waiting longer than that can costs consumers up to $500 (the liability is unlimited if a consumer waits more than 60 days to report the fraud).

      The potential loss is no different whether the fraud came from ATM skimmers or someone stealing your debit card info from an online store and using it. Consumers still have to pay attention to their bank statements. There is no substitute for that.

      1. Jason Dove

        The one big difference is whether or not the bad guys get the PIN from the website.

  10. Ernie Douglas

    Brian,

    Please tell me that the photo is legit!…and if Isound abit aw struck Iam. This looks like my atm at my bank here in Cali….
    If this is that easy and it appears it is this changes how bank from now ON……It’s teller interaction in the bank and frankly thats small compared to this……..

    Thanks for update Brian……

  11. mvario

    I just listened to the NPR radio segment, good stuff!

    I think it’s pretty easy to guess why the banks don’t want to publicize this kind of thing, they don’t want customers to lose confidence in ATMs.

    When ATMs were introduced it was a golden egg for banks. Numbers I’ve found from 2001 said that the average cost to the bank for a teller transaction was $1.oo to $2.00, whereas for ATMs it drops to .15 to .50 cents.

    And that doesn’t take into account the tacked on ATM fees which are a multi-billion dollar industry all by themselves.

    If folks start losing confidence in ATM security and start going back to tellers, even in small amounts, it will start cutting into those bank profits.

    1. Matt

      I am no ATM expert but the device in the video which wirelessly “jams” the skimmers sounds highly suspicious, highly. I cant even imagine how that is possible with my basic electronics knowledge.

      The next point would be they only focus on video camera pin recorders (which looked quite ridiculously obvious in the video) but if I was a criminal I would use the fake keypad overlays (as shown in Brians previous ATM articles) which would appear to be far more reliable and effective and so the advice to cover the keypad with your other hand is entirely useless.

      They also dont give any information about how they plan to “detect if something has been placed over the card slot” I imagine the ATM criminals would have a better idea than their own technicians and could modify the devices to avoid the detection sensors quite easily but without any details its all smoke and mirrors.

      1. Jason Dove

        Matt,
        You are right in most of your observations.
        However, the keypad overlays are currently not as prevalent as the cameras, so covering the keypad with your hand is better than nothing at all.
        The cameras in the video are not what they use. The pin hole cameras are disguised as well as the skimmer devices.

        1. Matt

          Do the cameras just record to a memory stick for later retrieval like the skimmer or do they transmit? Does anyone have any experience with these devices and know the *real* transmission range of the pinhole cameras (not what they say on the box) and are the signals encrypted somehow? Im suprised the quality and speed of the video is good enough to visually capture the pins being entered in rapid succession.

          I always wondered why they dont put a hood of sorts covering the keyboard. The natural hand position for hand covering the keypad never seemed worth it since im usually more concerned about the guy standing directly behind me in the line with a clear unobstructed view of the keypad even if i try to cover it with my other hand. I will probably start pulling and tugging at the slots and keypads from now on. Of course usability must come into it or else we will end up looking like this at the ATM http://www.engadget.com/2008/04/16/the-body-laptop-interface-is-knitted-from-thneed-which-nobody-n/

      2. Mike Baptiste

        In theory ATMs could be outfitted with wireless receivers on the commonly used bands (Bluetooth, Wifi/XBee, even 49MHz) and software to analyze the timing of transmissions (vs the content since most are at least basically encrypted). But this would be hard to work since most cars these days are wireless chaos between cell phones, headsets, laptops, iPhones, wireless backup cameras, and so on. Probably not worth the cost vs what it would prevent.

  12. Mark Higdon

    I have read several posts that mention the tech’s taking cellcam pix of the illegal device before going inside to report it. Even before reading those posts, it occurred to me that consumers can protect themselves to some extent by (after ascertaining that no illegal device is attached) taking pix of the atm(s) that they typically use and referring to those pix before any future transactions. If anything has changed on the atm from the reference pic, don’t use it until you know it is safe to do so. No folding, spindling, mutilating or tugging required.

  13. Wes

    Gah, I’ve used that ATM before (though not recently). That’s close enough to ones I use more frequently that now I have to be paranoid!

  14. Gannon

    I’m wondering why an ATM needs a high res screen. I’d think more in terms of those old LCD laptop screens that were so polarized you have to be within 10 degrees of normal to read them. A 2-3 digit captcha is a nice way to get people to smile for the camera too. Pay Phones had a similar “shoulder surfing” problem until somebody got the bright idea to mount them at belt level. Most ATM’s I’ve seen have that covered.

  15. Neil Spellman

    I wonder if the thieves have found a cracked window, specifically Sundays. Think about it from their point of view. They go to an ATM on Sunday at 4AM and install this reader. People use the ATM for the day until someone makes the call to the local PD (I would be inclined to say that a majority of people will call the PD rather than bank security) and the uniform shows up. I have been this uniform in my past. It is Sunday and I am detailed to take this report with you. At the conclusion of this it may or may not occur to me to contact Bank security. So the bank is still unaware unless, 1. the customer calls or 2. the Police Officer, who is also continuing to respond to other incidents, calls. Meanwhile the thief, who has watched all of this, has entered the ATM and removed the offending device. It seems to me that the Banks have a responsibility beyond merely making this available to their customers, they really have to do more about the effective monitoring of the devices. The camera is a step but in our conversation here we all came up with creative solutions to overcome this. What else can be done? Well, I would say that first, you want to have some redundancy in your cameras, then you educate your consumers with short videos on things like not holding the door open for the next customer and checking to be sure there are no attachments to the machine. I would also make sure the local Police know who to contact on Sundays.

  16. Max

    In response to “no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place”

    The ATM technicians are there as the service contract requires according to what the bank bought from the company providing service. The ATM itself sends certain information to the bank network regarding status that may trigger a service call with the provider.

    – a past ATM technician

  17. John Pisello

    I would think one solution to this problem would be to design ATMs so that foreign objects cannot be attached to them. For example, I can imagine a clear Plexiglas panel engineered into the frame of the ATM, which sits a half-inch or so in front of the chassis and has openings for the customer’s ATM card and for their fingers to press the keypad keys (but not a big opening around the entire keypad). Seems to me something like this would prevent the bad guys from attaching a skimmer or fake keypad in the first place.

    Keep up the great reporting, Brian!

  18. Beeker

    It seems that some of the banks are not upgrading their ATM to reflect current trend of security. My credit union has a large key pad with a card slot on the lower bottom side that would make it hard for a skimmer device to be attached or in a way to make less obvious that the device can be attached.

    Still, like Brian says always tug at it to make sure it is safe to bank

    1. infosec_pro

      Beeker, ATMs aren’t cheap, so replacing them before their planned end of life refresh cycle will significant shift the ROI numbers away from the plan used to justify them initially. There’s probably some sophisticated and expensive software modeling package to weigh that ROI impact against the increased cost of losses from skimming and recommend the most cost-effective replacement strategy, at least for the big banks with enough of an installed base to get good statistics about risk broken out by ATM model…

      1. Beeker

        I am in agreement with you about the fact that ATMs are not cheap as I deal with finance and understand the bank’s ROI and other factors.

        What I was referring to is to replace it at its end of life cycle with security in mind. My CU replaced their ATMs located at their branches but on some of older ones are in the outlying areas and it is still being used.
        I have yet to hear it happened but you never know.

  19. fauxgeek

    ATM tech work on weekends for various reasons. If the firewalls located in the ATM go down typically an atm tech will be sent out and an engineer will check layer 1 layer blah blah blah out.

  20. Mimi Hart

    You cannot stop skimming. The data on the stripe is in the clear. It can be read and copied by a ten year old.

    So what can be done? You can read the magnetic fingerprint on the card and authenticate it to the original. It requires a minor change to the reader, but no change to the cards – even the ones already in your wallet. Some banks are doing this now and report that it has eliminated skimming fraud.

    Chip & PIN is interesting but it has not stopped fraud in the areas where it has been implemented. A chip card is a small, inexpensive computer embedded in plastic. It can be cloned just like PCs can be cloned.

    My PC, which is hundreds of times more expensive than a chip card, crashes regularly, needs constant security updates, and has been hacked several times, despite vigilance.

    On the other hand, the magnetic fingerprint occurs naturally and is extremely difficult to duplicate. So we cannot prevent skimming, but we can examine the magnetic fingerprint, detect a counterfeit, and decline the transaction. This makes cloned cards useless to criminals. If you can’t get any money, why skim or clone?

    Want to learn more? http://www.magtek.com

    1. Nick H

      If you’re depending on an analog magnetic fingerprint, what happens when the card is repinned and the stripe is rewritten with an updated offset?

      Oh, let me guess, Magtek would be more than happy to sell me a new encoder setup to work around this limitation.

      Hrrrm… Gotta love profiteering on both sides of this problem.

      1. Matt

        I am not connected with MagTek but I believe rewriting the tracks wont affect a cards underlying magnetic fingerprint as the MagTek read head is looking between the tracks at the blank background between the trackss and also at a far deeper level of magnetic noise which is unaffected by read/writing. http://www.magneprint.com/information/what_is_magneprint.asp This is a far far cheaper solution for everyone than replacing the entire global card infrastructure with more electronic solutions and their associated readers and writers.

        1. Nick H

          Hmm, interesting. I did some more research, and located the original patent for this type of fingerprinting:
          http://www.google.com/patents/about?id=_t8CAAAAEBAJ

          You’re right that it sounds that this type of fingerprint survives write cycles.

          However, I don’t see how this technology is possibly cheaper. If I understand correctly, it requires a special read head. So, all POS devices, ATMs, issuing equipment, etc would need retrofitting or replacing. Sounds like a global card infrastructure replacement to me…

          Not to mention network changes…

          Or card-not-present transactions off a cloned card…

          And as long as backwards compatibility exists in the system, it’s still insecure. Think of all those cheap Triton ATMs floating around. As long as you can clone a card and take it somewhere that doesn’t fingerprint, you’re in the clear.

          Even small changes take time. I can’t remember if it’s this year or next, but VISA is finally mandating encrypting PIN pads, IIRC.

          1. Matt

            Yes you are right the downside is the special (extra sensitive) read head replacement however this is the only hardware cost. Your other points are equal with introducing a smartcard system but quite a bit further outside the existing framework and so could only be more expensive.

            The smartcard system also has no solution to online (card not present authentication) which is a separate issue.

            The cost of the read head logically would be far cheaper than an entire new smartcard reader module inside say an ATM which is where these have been deployed.

            From the factories in China a magnetic stripe cards go (in bulk) at around 10 cents each whereas the smart cards go from 80 cents to $1 to $1.20 and when multiplied by x million users that’s quite a chunk of change. Smartcards generally work great but reliability wise they have nothing on a magnetic strip card and exposed metal contacts in some places (like the seaside) have terrible problems with corrosive films covering the contacts not to mention the pressure from being squashed between someone’s large rear end and a pile of coins.

            I dont doubt the financial system will choose the most expensive, hi-tech solution put forward to them because money is never really an object for them but it does seem entirely unnecessary and such a major decision either way you want to be sure there isnt another better solution just around the corner because once they commit to CAP there is no going back.

            Im really not a sales person for MagTek but I have just seen too many hacks on hi tech electronic technology and have developed an aversion for it.

  21. danb

    I’m living in South Korea, where many of the ATMs have touch screens, which I’m guessing are harder to skim the user’s PIN from. I never made the security connection until reading this.

    (One odd/annoying thing I must note: most bank ATMs here automatically shut down at 10pm or midnight! I have even seen a few which have a shutter that comes down at closing time.)

  22. Egman

    A quick pragmatic suggestion for avoiding ATM skimmers. 1. Get cash back at the grocery store. 2. mail checks to the bank (yes, this still works, ask them how.)

  23. Igor

    Well, I can tell a visible difference. As you can see on the picture of a fake slot one of the lights around the slot is absent. It is because there is the strip reader (as you can see on the back of the one for sale). On the genuine one all light are on. So there should be no problem to identify a bogus reader.

  24. BH

    Diebold? The same people who brought us electronic voting machines and all their scandal? How interesting.

  25. Dick

    Magneprint is a joke. It is deemed to be the end all of card fraud.. the reality is that if the banks instituted it, fraudsters would simply use 3rd party machines that don’t support it.

    And if EVERY machine DID get magneprint (which there is no incentive to do, since a pin transaction is 100% payed), it would STILL be easy to bypass.

    Magneprint is nowhere near as secure as they deem it to be, even if every machine was capable, it could be beat with $50 worth of equipment.

  26. stallman

    With all the technology an ATM has inside it’s mind boggling that the manufacturers don’t spend an extra dime to protect them against tampering. It would be fairly simple for the manufacturers of the ATM to make the machines able to self check. Installing a skimming always subtly changes the external looks of the face plate one way or another. A simple video camera monitoring the key parts of the machine could immediately detect if anything is attached to it and lock down the ATM or trigger an alarm. What the heck is the big deal? Both the bank and the manufacturers should be held criminally responsible for putting people at risk.

Comments are closed.