Subscribe to RSS
Follow me on Twitter
Join me on Facebook
ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices also are a major problem in Europe as well.
According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.
EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.
ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards — either through handheld skimmers — or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA‘s Idan Aharoni wrote an informative post about this technology earlier this year.
Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.
While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines (click any of the images to view a slideshow).
-
- Image courtesy IBM. Hidden camera in false panel above PIN pad.
-
- Courtsey ENISA: A type of fraud device called a cashtrap siphons off bills as they exit the machine.
-
- Image courtesy IBM: False ATM front-mount that includes card skimmer.
-
- Image courtesy IBM: The back of the false ATM front-mount w/ skimmer.
-
- Image courtesy ENSA: Bogus PIN pad overlay + ATM card skimmer
-
- Image courtesy ENISA: False ATM top with camera + ATM card skimmer
Tags: chip and pin, EAST, EMV, Idan Aharoni, RSA, U.S. Secret Service
Good post, but has the U.S. banking industry – and retailers – made any push to adopt the EMV standard? Or would that be too much like, uh, admitting there is a problem?
Well-loved. Like or Dislike:
9 
3
Visa and MC say it costs too much money. What they mean is that it costs THEM too much money. Fraud is paid for by all card users, but security improvements have to come from the vig they charge retailers for card processing and hit their bottom line instead of yours. It’s pretty infuriating.
Well-loved. Like or Dislike:
19 
0
Chip & pin is not the panacea it’s often presented as. In the UK in particular, it’s mostly used as an excuse by the banks to stick customers with paying for (and sometimes even being charged with crimes for) fraudulent activity by organized crime that can well beat chip & pin security. You don’t want chip & pin here in the USA.
Well-loved. Like or Dislike:
9 
3
Richard is right:
Chip and Pin has been cracked in more ways than one – some of which look a lot like the skimming tech in this article. One of the techniques only required a paper clip!
A very expensive attempt at a failed solution!
Well-loved. Like or Dislike:
5 
0
come on, that’s like saying: why wear a safety belt, people also die wearing them.
you could still reduce fraud greatly by implementing Chip and Pin in the States.
And the paperclip is used to pick the lock on the ATM, because many of them have really simple locks and the “one key fits all” concept easies maintainance.
Of course then C&P won’t help
Like or Dislike:
0 
0
I find it fascinating that the above video is dated some 3 1/2 years ago, but the problem is only recently getting wide(?) press. I can’t help but wonder what percentage of ATMs are compromised at this point? Are the people who load/maintain them regularly now trained to check to see if the machines have been tampered with? Or is that just too easy to circumvent by the ease at which these devices can be put on and taken off at will?
Also, I wonder if I can request that my debit card only be allowed to be used at my own bank’s ATM (it’s very local)?
Like or Dislike:
3 
1
FWIW: I was talking to a banker recently. She said her small community bank, with 12 branches and ATMs only at their branch locations, has two full time employees who are responsible for checking all their ATMs for skimmers and other fraud devices (more in my message below) several times daily. Of course on a varying schedule, etc., to keep the bad guys on their toes.
Well-loved. Like or Dislike:
10 
1
I spoke with my bank (major regional bank) and they told me they inspect the ATM for skimmers, but wouldn’t say more. I also asked the manager of a local gas station if they inspect their pumps for skimmers, his response was “what’s a skimmer?”
Well-loved. Like or Dislike:
8 
0
Excellent article Brian!! The fake ATM modifications are even more realistic than I thought they would be!!
This will put everyone on alert when using unfamiliar ATMs!
Looks like it would pay to slam your fist in certain areas, to make sure they are not a facade. If it’s fake it might come right off, or at least sound hollow and chintzy.
Hot debate. What do you think?
3 
6
Do you have any numbers on this kind of fraud in Canada over the past few years? Chip & PIN technology is not ubiquitous, but it shouldn’t take long.
Like or Dislike:
1 
0
I was talking to a banker recently (same conversation as my message above) and she said her security department was encountering another type of electronic device attached to their ATMs for the purposes of fraud.
As I understood her, it is a small coin sized disc attached to the ATM, and apparently it catches electronic signals from within the machine. When I asked for further details, she could not provide any as security wasn’t her field.
Mr. Krebs, and readers – have any of you heard of such devices?
Well-loved. Like or Dislike:
13 
3
qka: i know of ANTI skimming devices, that block skimmers by radiating electro magnetic signals to the skimmer, basically scrambling it’s reading capability.
“Whether criminals use skim devices in conjunction with the card reader, false fronts or when the skim device is connected to the pre-head of the card reader, the CPK will always create an electromagnetic protection field in the vicinity of the card entry slot. This protection field makes it impossible to read data and that’s what it’s all about.”
http://www.tmdsecurity.com/index.php?page=2_3
i don’t know how well they work, though
Like or Dislike:
0 
0
The report on ATM crime attached to http://www.h-online.com/security/news/item/An-alarming-increase-in-ATM-crime-743283.html is good – it has a section on Golden Rules to avoid becoming a victim, with some good advice.
Like or Dislike:
1 
0
Hi all,
good to know about some basic facts about skimming:
http://en.wikipedia.org/wiki/Skimming_(credit_card_fraud)#Skimming.
US will not in any near time adopt “chip&pin” since it means large investments for banks in reissuing cards to new cards with chip and gradually replacing/upgrading all POS&ATM devices in the field….these are just some of the “basic” facts for chip&pin in US.
@qka: never heard for any such device attached to ATM that would “catch electronic signals within the machine”…seems that the banker missed some information to have a complete picture. ATM skimmers and cammeras are most common way for data capture from customer cards.
@Kevin: if you have a Maestro,Mastercard or VISA card,than it is from business side (technically it is possible, but bank won’t do that only for some cards), impossible for your issuing bank to restrict “your” card to be used only at your bank ATMs.
Advantage (and to some degreee disadvantage in this case) is that these cards are worldwide accepted.
Like or Dislike:
2 
1
The video shows those guys attaching the camera and card skimmer in 12 seconds. That’s fast. Other similar videos have shown a third person who acts as a lookout.
I wonder if the payoff comes from selling the magnetic data and PIN, as opposed to actually trying to withdraw funds from the account?
Like or Dislike:
1 
0
@Reid;
This, it would seem, to be the best method. But the information would have a time limit, in case the skimmer were discovered.
Because of this, I would think the information would be gathered quickly enough, so the crooks could get the cash at another location or source.
I’ve seen data loggers on some of these devices, featured in other articles, with a wireless transmitter for sending the ill-gotten info to the crook somewhere either within range, or even using repeaters, to ship it fairly long distances.
These small devices are getting cheap enough, that losing them is small overhead.
Like or Dislike:
0 
0
http://www.computerworld.com/s/article/9177056/Wal_Mart_to_support_smartcard_payments
Like or Dislike:
0 
0