May 7, 2010

ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices are a major problem in Europe as well.

According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and, above it, a pinhole camera panel to record PINs.

EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.

ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards, either through handheld skimmers or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards and used at an ATM, along with the victim’s PIN, to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from the cards or clone them. RSA’s Idan Aharoni wrote an informative post about this technology earlier this year.

Needless to say, U.S.-based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines.

Have you seen:

All-in-one Skimmers… ATM skimmers come in all shapes and sizes, and most include several components, such as a tiny spy cam hidden in a brochure rack or a fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.


44 thoughts on “Fun with ATM Skimmers, Part III”

  1. d

    Good post, but has the U.S. banking industry – and retailers – made any push to adopt the EMV standard? Or would that be too much like, uh, admitting there is a problem?

    1. Ronaldo

      Visa and MC say it costs too much money. What they mean is that it costs THEM too much money. Fraud is paid for by all card users, but security improvements have to come from the vig they charge retailers for card processing and hit their bottom line instead of yours. It’s pretty infuriating.

    2. Richard Johnson

      Chip & pin is not the panacea it’s often presented as. In the UK in particular, it’s mostly used as an excuse by the banks to stick customers with paying for (and sometimes even being charged with crimes for) fraudulent activity by organized crime that can well beat chip & pin security. You don’t want chip & pin here in the USA.

      1. JCitizen

        Richard is right:

        Chip and Pin has been cracked in more ways than one – some of which look a lot like the skimming tech in this article. One of the techniques only required a paper clip!

        A very expensive attempt at a failed solution!

        1. mk

          come on, that’s like saying: why wear a safety belt, people also die wearing them.

          you could still reduce fraud greatly by implementing Chip and Pin in the States.

          And the paperclip is used to pick the lock on the ATM, because many of them have really simple locks and the “one key fits all” concept eases maintenance.

          Of course then C&P won’t help

  2. Kevin

    I find it fascinating that the above video is dated some 3 1/2 years ago, but the problem is only recently getting wide(?) press. I can’t help but wonder what percentage of ATMs are compromised at this point? Are the people who load/maintain them regularly now trained to check to see if the machines have been tampered with? Or is that just too easy to circumvent by the ease at which these devices can be put on and taken off at will?

    Also, I wonder if I can request that my debit card only be allowed to be used at my own bank’s ATM (it’s very local)?

    1. qka

      FWIW: I was talking to a banker recently. She said her small community bank, with 12 branches and ATMs only at their branch locations, has two full time employees who are responsible for checking all their ATMs for skimmers and other fraud devices (more in my message below) several times daily. Of course on a varying schedule, etc., to keep the bad guys on their toes.

      1. Ned

        I spoke with my bank (major regional bank) and they told me they inspect the ATM for skimmers, but wouldn’t say more. I also asked the manager of a local gas station if they inspect their pumps for skimmers, his response was “what’s a skimmer?”

  3. JCitizen

    Excellent article Brian!! The fake ATM modifications are even more realistic than I thought they would be!!

    This will put everyone on alert when using unfamiliar ATMs!

    Looks like it would pay to slam your fist in certain areas, to make sure they are not a facade. If it’s fake it might come right off, or at least sound hollow and chintzy.

  4. Chris

    Do you have any numbers on this kind of fraud in Canada over the past few years? Chip & PIN technology is not ubiquitous, but it shouldn’t take long.

  5. qka

    I was talking to a banker recently (same conversation as my message above) and she said her security department was encountering another type of electronic device attached to their ATMs for the purposes of fraud.

    As I understood her, it is a small coin sized disc attached to the ATM, and apparently it catches electronic signals from within the machine. When I asked for further details, she could not provide any as security wasn’t her field.

    Mr. Krebs, and readers – have any of you heard of such devices?

    1. mk

      qka: i know of ANTI skimming devices, that block skimmers by radiating electromagnetic signals to the skimmer, basically scrambling its reading capability.

      “Whether criminals use skim devices in conjunction with the card reader, false fronts or when the skim device is connected to the pre-head of the card reader, the CPK will always create an electromagnetic protection field in the vicinity of the card entry slot. This protection field makes it impossible to read data and that’s what it’s all about.”

      http://www.tmdsecurity.com/index.php?page=2_3
      i don’t know how well they work, though

  6. Marko

    Hi all,
    good to know about some basic facts about skimming:
    http://en.wikipedia.org/wiki/Skimming_(credit_card_fraud)#Skimming.
    US will not in any near time adopt “chip&pin” since it means large investments for banks in reissuing cards to new cards with chip and gradually replacing/upgrading all POS&ATM devices in the field… these are just some of the “basic” facts for chip&pin in US.
    @qka: never heard of any such device attached to ATM that would “catch electronic signals within the machine”… seems that the banker missed some information to have a complete picture. ATM skimmers and cameras are most common way for data capture from customer cards.
    @Kevin: if you have a Maestro, Mastercard or VISA card, then it is from business side (technically it is possible, but bank won’t do that only for some cards), impossible for your issuing bank to restrict “your” card to be used only at your bank ATMs.
    Advantage (and to some degree disadvantage in this case) is that these cards are worldwide accepted.

  7. Reid

    The video shows those guys attaching the camera and card skimmer in 12 seconds. That’s fast. Other similar videos have shown a third person who acts as a lookout.

    I wonder if the payoff comes from selling the magnetic data and PIN, as opposed to actually trying to withdraw funds from the account?

    1. JCitizen

      @Reid;

      This, it would seem, to be the best method. But the information would have a time limit, in case the skimmer were discovered.

      Because of this, I would think the information would be gathered quickly enough, so the crooks could get the cash at another location or source.

      I’ve seen data loggers on some of these devices, featured in other articles, with a wireless transmitter for sending the ill-gotten info to the crook somewhere either within range, or even using repeaters, to ship it fairly long distances.

      These small devices are getting cheap enough, that losing them is small overhead.

  8. Sequoia

    What can be done to avoid falling victim to ATM skimmers? Is there an article or resource on this? I am sufficiently paranoid, now I’d like to know what to do to protect myself.

    1. BrianKrebs Post author

      Hi Sequoia. Being aware is half the battle. These things are not terribly common, but there’s always a chance you could stumble upon one, esp. if you travel a lot and use lots of different ATMs.

      The first step is essentially looking for anything that doesn’t quite seem right about the ATM: an off-color component, or one piece that juts out at a weird angle. I sometimes feel kind of silly doing it, but often when I’m at an ATM I find myself pulling on a portion of the machine just to make sure it’s really attached. I’m sure I look pretty silly doing it, but then I’ve heard of other readers doing the same after reading these articles.

      The most important thing you can do at an ATM is be aware of your physical security. You’re probably much more likely to be physically robbed than to fall victim to an ATM skimmer. To that end, pay attention to your surroundings when you approach an ATM, only visit those in well-lit and publicly visible areas, avoid ATMs that give you a strange feeling. Cover the PIN pad with your hand when you enter your PIN, to foil any potential shoulder surfers or hidden cams.

  9. Kitsch

    Shit – I just realised that the third one along (“Image courtesy IBM: False ATM front-mount that includes card skimmer.”) is my local high street! I have a sudden urge to go and examine my bank statements very carefully…

  10. Kitsch's mum

    Thanks for the heads up. However, if you look carefully, you’ll see that the street scene includes the wine shop that’s been gone for ages, so the photo is old. I took money out of the machine in question this morning, as I do frequently, and it looks as dilapidated as always. Not had a problem with this particular one, fortunately. Still, stay sharp, kiddo.

  11. Psinet

    Sorry to butt in, but I was reading this blog after finding my way here from Slashdot. I didn’t read all the way through this thread (almost did!), but an idea occurred to me that I passed onto my IT housemate. He considered it a brilliant idea so I figured I would contribute it towards the common war against these grifters.

    A very cheap and simple solution would be to set up a small CMOS camera with an infrared filter attached. With a lens properly focussed on the relevant areas (keypad, card reader etc), a “key” image of the ATM can be acquired in this spectrum. By feeding the images to software, an algorithm can be designed to detect when the ATM is not in use. This would allow for an unimpeded image of the ATM, which can then be compared with the original “key” image. Any alterations in shape, size or IR reflectivity can be detected and an alert sent.

    Including UV or other wavelengths into the “key” image would substantially increase the difficulty of any attempted skim-plant.

    TBH, I would be surprised if the idea is not already out there – but now I know for sure. Long live honesty.
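
Added example (not part of psinet's comment): one way the "key image" comparison described above could work for a single IR band, including the check that the ATM is not in use. The frames are constructed 8x12 intensity grids; the region coordinates, thresholds and function names are assumptions.

```python
# Regions of interest as (top, left, bottom, right), bottom/right exclusive.
# Coordinates are constructed for the 8x12 sample grid built by make_frame().
REGIONS = {"card_slot": (1, 8, 3, 11), "keypad": (4, 2, 8, 7)}


def mean_abs_diff(a, b, region=None):
    """Mean absolute pixel difference between two frames, optionally in one region."""
    top, left, bottom, right = region or (0, 0, len(a), len(a[0]))
    total = sum(abs(a[r][c] - b[r][c])
                for r in range(top, bottom) for c in range(left, right))
    return total / ((bottom - top) * (right - left))


def is_idle(frames, motion_tol=3.0):
    """Treat the ATM as not in use when consecutive frames barely change."""
    return all(mean_abs_diff(x, y) <= motion_tol for x, y in zip(frames, frames[1:]))


def check_tamper(key_image, frames, regions=REGIONS, threshold=12.0):
    """Return None while the ATM is in use (no unimpeded view), otherwise the
    sorted names of regions whose IR intensity differs from the key image."""
    if len(frames) < 2 or not is_idle(frames):
        return None
    latest = frames[-1]
    return sorted(name for name, box in regions.items()
                  if mean_abs_diff(key_image, latest, box) > threshold)


def make_frame(slot, keypad, noise=0):
    """Constructed sample frame: dim background with row-dependent sensor noise,
    plus flat intensities for the card slot and keypad regions."""
    frame = [[40 + ((r * 7 + c * 3) % 3) * noise for c in range(12)] for r in range(8)]
    for name, value in (("card_slot", slot), ("keypad", keypad)):
        top, left, bottom, right = REGIONS[name]
        for r in range(top, bottom):
            for c in range(left, right):
                frame[r][c] = value
    return frame


KEY_IMAGE = make_frame(slot=90, keypad=120)  # reference taken at installation


def demo():
    """Run the check on three constructed situations."""
    clean = [make_frame(92, 119, noise=1), make_frame(92, 119, noise=2)]
    # A hand over the keypad changes the second frame, so the ATM is in use.
    in_use = [make_frame(92, 119, noise=1), make_frame(92, 200, noise=1)]
    # An overlay on the card slot reflects IR differently from the original part.
    skimmer = [make_frame(140, 119, noise=1), make_frame(140, 119, noise=2)]
    return {
        "clean": check_tamper(KEY_IMAGE, clean),
        "in_use": check_tamper(KEY_IMAGE, in_use),
        "skimmer": check_tamper(KEY_IMAGE, skimmer),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

A result of `None` means the comparison was skipped because the frames show motion; an alert would be raised only for a non-empty list.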

    1. JCitizen

      You are not butting in, I’m sure Brian welcomes all contributions to the discussion! Thanks! 🙂

  12. Lynn Wheeler

    US had rather large pilot the early part of this century … but it was in the “YES CARD” period … “trivial to clone/counterfeit a card” … reference to cartes2002 presentation on “YES CARD” that first appeared in 1999 (original gone 404, but lives on at wayback machine), mentioned at end of page:
    http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

    secret service made presentation at ATM Integrity Task Force meeting in 2003 that included some “YES CARD” stats & details … which prompted somebody in the audience to comment that billions were spent to prove chips are less secure than magstripe.

    In any case, evidence of the pilot appeared to evaporate w/o a trace. My impression is that it could be some time before it is attempted again … this time allowing others to thoroughly vet the technology.

    POS terminals would ask card 3 questions: 1) is PIN correct, 2) is it offline transaction, 3) is transaction within credit limit. Countermeasure to counterfeit magstripe is to deactivate the account so online transaction doesn’t go through. With counterfeit “YES CARD”, don’t need to know correct PIN (everything entered is accepted) and the transactions are always offline, so account deactivation has no effect, and all transactions are accepted regardless of value.

    One of the issues of compromised ATMs is that it has, in some cases, been done during manufacturing (no external evidence).

  13. Lynn Wheeler

    Note the US reluctance to deploy chip technology … isn’t so much the cost of a single deployment (such arguments are frequently obfuscation and misdirection); they’ve already tried it once and had to back off … the current situation is possibly concern that there might have to be the cost of a large number of deployments (after already being burned once)

    disclaimer: I used to have several offices and labs at Los Gatos lab … mentioned here with regard to ATM machines
    http://en.wikipedia.org/wiki/IBM_3624

    and managing magstripe standard:
    http://en.wikipedia.org/wiki/Magnetic_stripe_card

    1. JCitizen

      @Lynn;

      Very interesting comments Lynn! I’ve always thought a combination of Magneprint and Passwindow, was a more practical(cost) and equally viable solution than chip-n-pin.

      Thoughts?

  14. Lynn Wheeler

    … part of recent post in linkedin payment system thread …

    part of the issue in the ’90s was a lot of dithering over chips for SDA versus the power-hungry and expensive beasts for DDA. The challenge by the transit industry, in that time-frame, was come up with a chip that was more secure than the “DDA chips” … while being significantly cheaper than the “SDA chips” and being able to securely do a contactless x9.59 financial standard transaction within the transit turnstile elapsed time and power limitation requirements.

    ….

    nearly all of the chips associated with the paradigm that “YES CARD” vulnerability was associated with, were insecure and/or extremely expensive … with various other shortcomings.

    disclaimer: we had been called in to consult with small client/server startup that wanted to do payment transactions on their server; they had also invented technology called “SSL” they wanted to use; it is now frequently called “electronic commerce”. somewhat as result in the mid-90s we were asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (i.e. *ALL* as in debit, credit, ach, stored-value, POS, unattended, wireless, contactless, high-value, low-value, internet, aka *ALL*). I was co-author of the resulting x9.59 financial transaction standard … that also eliminates the threats & vulnerabilities from skimming, breaches, and harvesting information from previous transactions. Part of being able to apply x9.59 was then doing a chip that also met all the same requirements (have extremely high security while at the same time have as close to zero cost as possible) and be useable for *ALL* environments.

  15. psinet

    I fail to see how chips will secure transactions.

    The issue here is skimmers obtaining info regarding accounts, pins and pass. The technology on the card itself is beside the point. It can all be accessed, it can all be reverse engineered, no matter what new device you hand out to account holders. I have still not even seen effective biometric security in all these years.

    It is the physical transaction points themselves where the weak link lies. ATM’s, EFTPOS etc must be trusted and verified with updated certificates in the same way the web has done. Implementing multispectral tamper-detect cameras on those devices would seal the doom of these criminals.

    I am a little bewildered as to why they are so insecure, and why no one has identified this simple path to security.

  16. Lynn Wheeler

    Basically x9.59 financial transaction is sent to the chip … which returns a code that is unique to that transaction … which is added to the transaction before sending off to be processed. The transaction processing includes verification of the unique transaction code as a form of authentication.

    Current skimming and breach exploits use harvested (static) information to perform (new) fraudulent financial transaction (basically a form of “replay attack”, current paradigm, there is no transaction unique information, static information from previous transactions are sufficient) … usually as far away as possible from the compromised end-point (to maximize compromise ROI).

    X9.59 eliminated all such “replay attacks” (with non-static, unique code for every transaction). As aside, the major use of SSL in the world today is this earlier work for “electronic commerce” to hide transaction details. Since X9.59 eliminates transaction detail information leakage as a vulnerability, it is no longer necessary to hide transactions details (as countermeasure to “replay attack” fraudulent financial transactions) … and therefore also eliminates the major use of SSL in the world today (this earlier work we did for “electronic commerce”).

    X9.59 didn’t eliminate exploits where compromised end-point actually performs a fraudulent transaction (as opposed to skimming information to perform a “replay attack” fraudulent transaction someplace else). However, reducing fraudulent transactions to only the end-points that have been compromised … does make them much easier to identify and quicker to shutdown.

    X9.59 did provide for allowing both the account owner’s chip as well as the transaction environment (aka “end-point”) to provide unique transaction codes … so that both the account owner and the end-point can be authenticated on every transaction. This minimizes problem with counterfeit end-points and also helps speedup identification of compromised endpoints (that may be performing fraudulent transactions).
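
Added example (not part of Lynn Wheeler's comment or of the X9.59 standard): a sketch of why a code unique to each transaction makes harvested static data and recorded transactions useless for a later "replay". The comment gives no code format, so an HMAC over the transaction with a per-card key and counter is swapped in as a stand-in; `CardChip`, `Issuer`, the account number and the terminal names are constructed for illustration.

```python
import hashlib
import hmac
import json


def transaction_code(key, body):
    """Stand-in for the chip's code: HMAC-SHA256 over the canonical transaction."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CardChip:
    """Hypothetical chip: the key never leaves it, and every call uses a new counter."""

    def __init__(self, account, key):
        self.account = account
        self._key = key
        self._counter = 0

    def authorize(self, txn):
        """Return the transaction with account, counter and unique code attached."""
        self._counter += 1
        body = dict(txn, account=self.account, counter=self._counter)
        return dict(body, code=transaction_code(self._key, body))


class Issuer:
    """Hypothetical transaction processor that verifies the code before approving."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, account, key):
        self._keys[account] = key
        self._last_counter[account] = 0

    def process(self, txn):
        account = txn.get("account")
        if account not in self._keys:
            return "rejected: unknown account"
        code = txn.get("code")
        if not isinstance(code, str):
            return "rejected: no transaction code"
        body = {k: v for k, v in txn.items() if k != "code"}
        expected = transaction_code(self._keys[account], body)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return "rejected: bad transaction code"
        counter = body.get("counter")
        if not isinstance(counter, int) or counter <= self._last_counter[account]:
            return "rejected: replayed transaction"
        self._last_counter[account] = counter
        return "approved"


def demo():
    """Process one genuine transaction, then what was recorded from it."""
    key = bytes(range(32))  # constructed demo key
    chip = CardChip("ACCT-0001", key)
    issuer = Issuer()
    issuer.enroll("ACCT-0001", key)

    captured = chip.authorize({"amount": 4000, "terminal": "ATM-A"})
    results = {"genuine": issuer.process(captured)}
    # The same recorded transaction presented a second time.
    results["replay"] = issuer.process(dict(captured))
    # The recorded transaction with its details changed.
    results["altered"] = issuer.process(dict(captured, amount=90000, terminal="ATM-B"))
    # Static account data only, as read from a magstripe, with no chip involved.
    results["static_only"] = issuer.process(
        {"account": "ACCT-0001", "amount": 90000, "terminal": "ATM-B"})
    # The real card keeps working after the rejected attempts.
    results["next_genuine"] = issuer.process(
        chip.authorize({"amount": 2000, "terminal": "ATM-A"}))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} {outcome}")
```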

  17. psinet

    If you haven’t noticed, it is the badly implemented technology itself that has given them access. New technology is, by its very nature, not well enough understood to foresee the future uses and applications of it.

    Therefore, when it comes to financial security, new implementations of technological security should be avoided in favor of simpler, innovative methods that resist technological manipulation.

    Physical camera feeds in multispectrum detecting device tampering, alongside facial recognition cameras would seal the deal on physical fraud.

  18. psinet

    An ATM relying on trust certificates to operate could have its certificate revoked even before a single transaction is performed on a compromised ATM (i.e seconds) by identifying tampering in a particular light spectrum. That certificate and image can be reviewed by a trained human, and then escalated to sending a technician to the location and repairing/replacing the device.

    As far as beating ATM identification, handshake and authentication by trying to impersonate the ATM itself, that may be slightly off-topic. Such conversations are as applicable to websites as they are to ATM’s.

  19. psinet

    I should point out that before these technological innovations were implemented as a consequence of demands for convenience, we have an entirely new breed of crime. Before the implementation, they needed guns. Now they just need a few electronic components from toys, a false ebay account and a soldering iron. Previously, you had to wave the gun in someone’s face – now you just have to spend 11 seconds at an ATM. It is very tempting.

    I am strongly advocating an atavistic perspective on this. There is no end to human ingenuity. Only so much can be achieved electronically. A read only networked camera device monitoring for tampering being itself monitored for physical tampering by a read only networked camera device makes things pretty complicated for a potential criminal.

    And it is very easy to setup.

  20. Lynn Wheeler

    The static data paradigm results in millions of places all over the planet where the information might be harvested. PIN-debit transactions can be done at counter POS terminals (where costs are well under hundred dollars) … as a point of compromise. Then the static data is used to produce a counterfeit card (along with PIN) that is used at ATM machines (and/or other POS terminals), which haven’t been compromised.

    A lot of stories that make it into public news are related to things that consumers might actually be able to do something (like recognize overlays). Lots of other exploits rarely make it into the public news.

    X9.59 does nothing for armed robberies … but enormously eliminates the other kinds of financial threats … and the ROI on credit/debit card armed robberies is drastically lower (enormously more effort per each transaction, with much greater risk to the criminal)

    I was tangentially involved in the Cal. state data breach notification legislation having been brought in to help wordsmith the Cal. electronic signature legislation. Several of the participants were heavily involved in privacy issues and had done detailed, in-depth consumer privacy surveys. The #1 issue was identity theft, namely the form of fraudulent financial transactions against existing accounts because of data breaches (another form of static data vulnerability, similar to skimming). There seemed to be little or nothing being done about breaches … and it was apparently hoped that the press resulting from the notifications would prompt some corrective action.

    As a side-note, most security is motivated by self-interest … protecting one’s own assets. In the case of breaches … it is the account owners that are at risk, and usually unrelated to the entities that experience the breach.

    1. Ray Butlers

      Actually, the entities (banks) are at enormous risk since they are liable for all losses. The customers are protected by law (regulation E).

      1. Lynn Wheeler

        There has been a lot written that large component of interchange fee is proportional to prospect of fraud … and US financial institutions get 40% of their bottom line off payments (for some large institutions 60%). On individual fraud items, the bank is liable … however the prospect of fraud allows the institutions to significantly inflate interchange fees (and their bottom line).

        One of the periodic articles is that European institutions get less than 10% of their bottom line from payments … which could account for less resistance to new technologies that would significantly reduce fraud (since the corresponding reduction in interchange fees have less effect on their bottom line).

  21. psinet

    I should point out that both MD5 and SHA-1 are already crackable by communities of loosely linked ppl on the internet.

    SHA-2 will take a while, but not long 😉

  22. Lynn Wheeler

    I didn’t make it to crypto conference where MD5 break was first presented in rump session … but somebody in the rump session sent me an email in real time … asking if I would identify all internet standards that reference MD5 … so I added it as part of my internet standard index information.

    Part of the x9.59 and the chip effort was something called “parameterized risk management” … which could associate integrity level of all components involved in transaction and, if necessary update it in real time. Transaction can then be evaluated based on whether minimum integrity levels of the components met the requirement for performing the transaction.

    Part of ATM processing standards has involved DUKPT with DES … and even tho DES is considered broken … the issue in the ATM/DUKPT case is that the encrypted information has to be broken within the elapsed time it takes to perform the transaction.

  23. JCitizen

    Thank you psinet and Lynn Wheeler, for all of your comments. This has been very illuminating discussion.

    I don’t hear much about authentication here, so I must not be understanding all your points. I can see where the encryption used would be critical in that area though. It seems a bit of AI[artificial intelligence] would go a long way to help in some of what I understand in Lynn’s comments. I know my bank uses some of this in day to day transactions, and it seems to work fairly well, and I haven’t been denied transactions very often, and when I do, it makes sense why the transaction got tripped.

    I want to express my appreciation for your time here.

    1. Lynn Wheeler

      Note that the x9.59 financial transaction standard is all about authentication. As mentioned, in the mid-90s we had been invited to participate in the X9A10 financial standard working group (somewhat as the result of this earlier work we had done on what is now commonly called “electronic commerce”) which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (*ALL*, debit, credit, stored-value, gift card, point-of-sale, internet, face-to-face, unattended, low-value, high-value, transit turnstile, etc aka *ALL*). Detailed end-to-end threat and vulnerability studies had been done of numerous environments before coming up with x9.59 standard.

      Part of authentication work for x9.59 resulted in no longer having to “hide” transactions &/or account numbers as part of preventing fraud. Now, the major use of *SSL* in the world today is this earlier work we had done for “electronic commerce”, for hiding transaction details. The work for x9.59 eliminates the need to hide transactions … so it also eliminates the primary use of *SSL* in the world today. It also eliminates the threat from fraudulent transactions as a result of skimming, eavesdropping, and data breaches (doesn’t eliminate skimming, eavesdropping and/or data breaches, just eliminates crooks being able to use the information for fraudulent transactions).

      1. JCitizen

        Very well! I understand now – thank you for your posts!

  25. Jayson

    Pretty scary that these devices keep getting smaller and smaller. This site isn’t doing anything illegal, but someone could easily use their readers for doing this 🙁

    http://www.swipetek.com/

Comments are closed.