ATM skimmers, or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data, are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.
The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.
Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro — shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card’s magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).
The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest directly on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.
Both the card skimmer and the PIN pad overlay device relay the data they’ve stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day.
This skimmer kit even includes an alarm feature so that if it is removed — either by the fraudster or a bank manager or passerby — the devices will immediately transmit any of their stored stolen data.
Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. Also, don’t be shy about covering the PIN pad with your hand so that any shoulder-surfers (or hidden cameras) can’t see your code. If you find an ATM skimmer or other fraud device attached to an ATM, report it to the bank. If the bank is closed, it’s probably a good idea to leave the device alone and to call the police: There is a good chance that the thief who attached the device is somewhere nearby.
Further reading:
Would You Have Spotted the Fraud?
Would You Have Spotted This ATM Fraud?
Fun With ATM Skimmers, Part III





There’s also the practice of using an entirely fake ATM; is that still called skimming?
@evm x man — by Fake do you mean like non-existent, 2 dimensional ATMs
http://krebsonsecurity.com/wp-content/uploads/2010/06/2datm.jpg
or Defcon type ATMs:
http://krebsonsecurity.com/wp-content/uploads/2010/06/defconatm.jpg
Hi Brian,
Just wanted to mention that Romanian organized crime police busted a large criminal gang that was manufacturing ATM skimmers for both sale and use in Europe.
I wrote a piece on the whole story, but I don’t want to spam your blog with links
You must be referring to this article:
http://news.softpedia.com/news/Romanian-Authorities-Shut-Down-ATM-Skimmer-Manufacturing-Operation-143204.shtml
Nice story. I think I recall seeing a video of the Romanian police raiding the creators of these things? I like that about the Romanian police: When they bust these guys they always release videos of them busting in on them at o’dark thirty and sticking a gun behind their ears.
Kudos to you, Brian, for supplying that link; and a gracious thank-you to Lucian as well!
Simple advice:
Get cash at the grocery store checkout.
Mail checks to the bank.
Pay with cash whenever possible.
Not sure where we would be getting this cash, if we followed your advice. Grocery stores and gas stations are popular targets for skimmers.
Brian’s previous articles have included pictures of skimmers, and posts of suggestions on how to avoid them. Giving the card slot and keypad a good tug is one possible way.
Better practice would be to use credit cards, not ATM cards, for purchases; there are consumer protections for unauthorized use and there is no instant access to your bank funds.
I think his comment is more geared toward how exploitable digital currency is. Sure it’s convenient, but there are many risks that the consumer accepts when they choose plastic over paper.
In the USA, it is common practice to ask a grocery clerk to overcharge you by some amount, pay with a check or ATM card, and be refunded the difference in cash from the till.
While a grocery store ATM might be a common target for skimmers, I have trouble believing a staffed POS terminal and PIN pad would be.
This was 3 years ago, but it really can happen.
http://cbs5.com/local/identity.theft.albertsons.2.454858.html
I read about a group of fraudsters posing as bank technicians who were going around installing replacement eftpos terminals with their own equipment; they got found out because one service station (gas station) attendant rang her bank to check if it was authorised. Don’t know if it is true or an urban myth.
Yes, there have been several cases of crooks swapping in pre-compromised point of sale terminals.
Sometimes, they even reprogram them to play Tetris!
http://krebsonsecurity.com/wp-content/uploads/2010/06/postetris.jpg
Just because the ATM is located in a public, well lit area do not assume it’s safe. I was taken after using a “no-name” terminal (by which I mean not belonging to a Bank, Trust Company or other reputable firm) located upstairs in the middle of the Main Subway Station in Toronto – can’t get much more public than that!
What about touch-screen ATMs?
I would assume a crook would need to use a camera to capture the PIN.
Most of the skimmers I’ve seen for sale target older ATMs. I’ve yet to see one that tries to mess with touch screen ATMs.
In one of the recent newsletters received from local police they mentioned a local ATM got a skimming device attached. They said no “tracks” were successfully stolen because the ATM immediately entered “out-of-order” status upon attaching the rig. They also mentioned if we want to cash money from a (non-skimmed) ATM, never to lay the mobile phone near the keypad as we key-in the pin as it might disable the ATM. Enough to deduce banks and ATM vendors are attempting to fight back this generation of skimming devices with sensors detecting mobile phone close proximity. A good initiative, although I’m afraid skimmers might soon find workarounds – in a previous article Brian reported there are GSM, wifi, Bluetooth as well as cheap(er) versions without remote communication. At least I’m glad to learn, in this particular skimming attempt, they lost a few thousand worth of equipment (which was confiscated by police) without a single card skimmed.
Cameras are often used now to view PIN entry; this is why I think banks should deploy a keyboard re-sort on virtual keyboards to make it harder for shoulder browsers etc. to identify codes. Also, the new chip-based cards may be defeating skimmers; has anyone heard anything about their effectiveness in this regard? Are they upgrading card readers in ATMs to read the chip in addition to the magnetic strip? Many retail outlets in Australia now have readers that use the chip technology. No doubt the fraudsters will devise something for this eventually too. I believe it is possible to dispense with credit cards altogether using correct software routines to correctly validate users. Most point of sale equipment now has the hardware capacity; payments can even be done by mobile phone now.
What you could do is to destroy the magnetic stripe on the card since it’s not being read when you’re using the chip. Withdraw money from an ATM with chip possibilities and pay with cash if the merchant can’t offer a chip and PIN solution. In that case the magnetic stripe can’t be read and therefore can’t be cloned. I’m not saying that chip & PIN (sounds like a delicious meal, doesn’t it?) will solve everything, but it will make it a bit harder for the fraudulent organizations.
Another thing that is really important is knowledge regarding the security issues one can encounter in the everyday life. We all need to be more secure.
By the way, I really like the little smiley down to the right. Made my geeky day
Part of the problem is that the cards need to be backward compatible with magnetic strip only ATMs, which are still in the majority around the world; this means there will always be a switch somewhere, and most of the attacks I have seen force the CNP cards to believe they are at a magnetic stripe only one and go into that mode (google Ross Anderson). The CNP smartcards are not cheap; you might be surprised to know that banks pay on average $2 per card, so multiply that by many hundreds of millions, let’s say here in Asia, not to mention the reader upgrade costs, and you have a serious bottom line issue.
The best low cost solution to this problem I have seen is the http://www.magneprint.com idea, which has serious penetration in South America, and the bank managers say that card fraud went down to zero after implementing the system. The implementation costs, I believe, apart from software integration involve replacing ATM magnetic strip reader heads with a more sensitive magneprint version which can read the background noise of the magnetic strip. The science seems pretty solid and the implementation is working clearly, so banks should give this technology a go before they get dazzled by the hi-tech complexity of CNP, which to my mind is in many ways the enemy of security. While it is more difficult to set up for a hi-tech electronic crime, once you are actually pulling it off the chances of people noticing it is happening with an overly complex system diminish.
That’s more or less the same approach as Digital Certificates, Bank Tokens, Digipass, Iron Key, MYPW and Visa Code Secure. Problem with systems like this is the validation is not set up to detect if an unauthorised person is on the client end. Most fraud is in-house, not external, and the result of parties known to the target obtaining their details and often using their equipment to access their account. It should allow for a memorable set of credentials for the user and be designed in such a way as to make it difficult for the user to share those credentials even if intentional.
I wouldn’t be so quick to dismiss Magneprint technology; the magnetic particles are built using nanotechnology in a pattern that is unique to the individual issued the card. It would be technically impossible to copy, and even if they could, there is a back up feature that measures and records the way an individual swipes the card – no poser could possibly copy this. This science is similar to the high tech that made the iPod possible as a touchscreen gadget.
The mathematics involved are likened to chaos theory, but the card system is relatively cheap to make. The best part about it, is the old cards would work in the system until everyone was converted over.
I do not work for this company – it is just that we discussed and haggled the arguments on Tech Republic and we almost unanimously agreed this was the best next step in two factor authentication; that was economical enough not to become the disaster that chip and pin did.
I must admit I cannot see the commonality of your list and how they relate to card cloning fraud. To be clear, magneprint has nothing to do with online authentication; it is all about identifying cloned client cards. From what I understand they take a fingerprint of the natural background noise on a magnetic strip. This is all randomly produced at the time of manufacture, so it’s supposedly impossible to replicate and not possible with off the shelf blank cards which they currently use to write the data to. The ATMs check this signature and accept or reject the client. I’m not affiliated or an expert on their system but there is a lot more info on this link.
http://www.schneier.com/blog/archives/2009/12/magneprint_tech.html
That’s not what their website claims, and in any case I wasn’t dismissing anyone. I think they are valid technologies but they are missing the point; I was talking about authentication in particular, not card cloning. If you have good authentication you don’t have to worry about card cloning because you don’t have to worry about cards. The issue with these technologies is they don’t protect users from those close to them who would steal from them. They may perhaps facilitate the institution denying liability, a point that Krebs has highlighted on numerous occasions in regard to hapless victims of fraud finding out where they stand legally after the fact. In regard to cost, you can change two factor authentication to three factor relatively cheaply, and I understand there has been research by Cambridge University that indicates a significant drop in the potential for loss by having 3 or more pieces of required information in an authentication process.
Okay, I’ll bite; how about combining it with another economic system that should be very affordable. We haven’t seen a weakness yet; I would be interested in your critique of this scheme.
http://blogs.techrepublic.com.com/security/?p=2271&tag=nl.e019
I thought we hashed it out pretty well – maybe not.
Brian,
In a sea of bloggers, you are still a journalist. Thank you.
I would like to offer a link to the discussion about magneprint we had on our forum at Tech Republic, and let readers who are interested see what they think.
http://blogs.techrepublic.com.com/security/?p=2825&tag=content;leftCol
Okay Amy;
How about combining that technology with this:
http://blogs.techrepublic.com.com/security/?p=2271&tag=nl.e019
Another good discussion on a simple and relatively cheap solution. Remember – chip and pin was expensive and it was defeated; sometimes the simple cheaper solution, will suffice. It may not be perfect, but would elevate the difficulty in skimming and other poor authentication schemes.
And wouldn’t put small banks out of business from the cost of implementation!
Other than it being more difficult for users, how about this strategy: A customer submits his card to start the transaction, but when the screen asks him to enter his PIN number, it instead asks him to slowly enter a longer string of digits with his PIN in the middle, e.g., “Enter 844####76989, where ‘####’ is your PIN number. Then press, ‘ENTER.’” Not only would that number string be randomly generated, the length of the string and the part in which the PIN would be inserted would also vary. The criminals could use a camera or a keypad to record his keystrokes, but they don’t know which keystrokes are the PIN.
Granted, it is more complicated. The bank might have to have special accounts for blind users that still require only the PIN code. And there might need to be a way for people who find the instructions confusing to click a button that says, “Just let me enter my 4 digit PIN.”
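The padded-PIN prompt proposed in the comment above, sketched as an added example (not code from the post or from any bank's system). The function names, the pad-length limits and the sample PIN are assumptions made for illustration.

```python
import hmac
import secrets

PIN_LEN = 4  # assumed PIN length, matching the "####" in the proposed prompt


def make_challenge(min_pad=2, max_pad=6):
    """Pick fresh random decoy digits to show before and after the PIN slot."""
    def digits(n):
        return "".join(str(secrets.randbelow(10)) for _ in range(n))
    span = max_pad - min_pad + 1
    prefix = digits(min_pad + secrets.randbelow(span))
    suffix = digits(min_pad + secrets.randbelow(span))
    return prefix, suffix


def prompt_text(prefix, suffix):
    slot = "#" * PIN_LEN
    return f"Enter {prefix}{slot}{suffix}, where '{slot}' is your PIN."


def extract_pin(entered, prefix, suffix):
    """Return the PIN digits if the decoys were typed correctly, else None."""
    if not (entered.isascii() and entered.isdigit()):
        return None
    if len(entered) != len(prefix) + PIN_LEN + len(suffix):
        return None
    start, end = len(prefix), len(prefix) + PIN_LEN
    ok_prefix = hmac.compare_digest(entered[:start], prefix)
    ok_suffix = hmac.compare_digest(entered[end:], suffix)
    if not (ok_prefix and ok_suffix):
        return None
    return entered[start:end]  # handed on to the normal PIN verification path


def candidate_windows(keystrokes):
    """Distinct PIN-length runs that a keystroke-only record is consistent with."""
    return sorted({keystrokes[i:i + PIN_LEN]
                   for i in range(len(keystrokes) - PIN_LEN + 1)})


if __name__ == "__main__":
    # Constructed sample: the prompt from the comment with a made-up PIN, 1234.
    prefix, suffix = "844", "76989"
    typed = prefix + "1234" + suffix
    print(prompt_text(prefix, suffix))
    print(extract_pin(typed, prefix, suffix))
    print(len(candidate_windows(typed)), "candidate PINs from the keystrokes alone")
```

The ambiguity only holds while the decoy digits stay unknown to whoever records the keys, so the prompt has to be freshly randomised for every transaction.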
I like the idea; it seems like a low cost implementation which could be used at ATMs which are regularly targeted by skimmers because of their location, like on the outside of buildings in empty carparks. At the very least it would put a psychological question mark over attackers’ plans when they go to invest several thousand in the skimmer: “what if they start doing this all over the place?”. I think what some people might miss about the scheme is that it doesn’t have to be perfectly secure to deter a massive percentage of potential attackers, just enough to make their time/money investment not worthwhile. The difficult part would be getting the banks to implement it, as generally they imagine the average user is far more mentally challenged than I believe they really are.
I also liked the idea of entering your pin number backwards which would allow the transaction but trigger a silent duress alarm to the police. The whole sorry tale of that idea is outlined here http://www.snopes.com/business/bank/pinalert.asp essentially killed by an ATM banking system which entirely didn’t care despite very little cost to them and a security attitude which would prefer to give people no security rather than confuse a small percentage of potential users.
How about Passwindow? What do you gentlemen think of this?
http://www.passwindow.com/index.html
You will get red thumbed into oblivion, as the readers here are very sensitive about any specific product or company promotion; however, if you would like to contribute to the conversation you can give your take on the reverse pin number ATM alarm method I mentioned above.
Why not put all ATMs in a Faraday enclosure to prevent any wireless communication at all? It would block 3G, WiFi and Bluetooth transmissions.
The bad guys would have to hardwire or come back later and manually download the data.
ATM locations that are not in such enclosures would be required to be labeled as such and “buyer beware”.