February 16, 2011

On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users.

But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery-operated and motion-activated camera designed to record victims entering their personal identification numbers at the ATM.

The camera was discovered more than a day later by a maintenance worker who was servicing the ATM. The device, pictured below with the boxy housing in which it was discovered, was designed to fit into the corner of the ATM framework and painted to match.

The self-contained camera and box attached to the Bank of America ATM

The ATM pictured on the right below is shown with the card skimmer and video camera attached.

California police say the video camera and skimmer were installed by the person pictured below. The entire scam ran only for about three hours, and was reported about 11 AM. Police recovered both the skimmer and video camera, so no customer or bank losses ensued as a result of the attack. Meanwhile, the crook responsible remains at large.

The image below shows some of the manufacturer’s specs on the “Camball-2” camera that was used in this attack, which retails for around $200 and runs for about 48 hours in motion-detection mode.

Here’s a closer look at the relatively crude device attached to the mouth of the card insert slot, designed to steal data recorded on the magnetic stripe on the back of all bank cards. Criminals can then encode the information onto counterfeit cards, and — armed with the victim’s PIN — withdraw money from the victim’s account from ATMs around the world.

The authorities I’ve been interviewing about skimmer scams say the devices are most commonly installed on weekends, when many banks are closed or have limited hours. It’s difficult — once you know about the existence of these fraud devices — not to pull on parts of ATMs to make sure they aren’t compromised. If something comes off of the machine when you yank on it, and the bank is closed or the ATM isn’t attached to a financial institution, it’s probably best just to leave the device at the scene and not try to make off with it. Otherwise, consider the difficulty in explaining your actions should you be confronted by police after walking away. What’s more, in many skimmer cases, the fraudster who placed it there is monitoring the scene from somewhere within viewing distance of the compromised ATM.

It’s easy to be frightened by ATM skimmers, but try not to let these fraud devices spook you away entirely: Stick to machines in well-lit areas, places where you feel relatively safe physically. On top of that, cover your hand when entering your PIN, as many skimmers rely on hidden cameras and can’t steal your account credentials without recording those digits. Also, remember that any losses you may incur from skimmers should be fully reimbursable by your bank (at least in the United States). While the temporary loss of funds may not cover the cost of any checks that bounce because of the incident, these also are losses that your financial institution should cover if they were incurred because of a skimmer incident.

Have you seen:

Green Skimmers Skimming Green…To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.


21 thoughts on “Having a Ball with ATM Skimmers”

  1. george

    I’m glad in this story the thief lost his equipment and did not make off with any usable track and PIN codes. This I hope will set him back a few thousand dollars he “invested” in his tools of trade. If this happens to criminals just starting their skimming venture, I believe they are unlikely to make another attempt soon. Once they succeed in pulling out successfully a couple of times with stolen card info, chances are high they will replace lost equipment with ever more sophisticated devices.

    1. Insert Name Here

      I doubt that reader cost anywhere close to $1000 dollars, much less several thousand. Even with the camera and housing, I’m guessing around $500-$700 at most. As the information on how to manufacture these becomes readily available, the prices will drop as well. I suspect as with most things, you get what you pay for and looking at this example I kinda doubt it was very much.

  2. vali

    A Romanian company has invented a revolutionary anti-skimming device.
    They took the idea from a hacker who in the past built skimmers and now have the safest method of ATM protection.
    Recently Forbes Romania published an article about this issue.
    If you are interested in more details please contact me.
    I am project manager in the company that owns the ATM security system.

    1. 32bit_greg

      To continue a tradition in which foreign languages and even alphabets are heavily used in the comments section:

      Comentariul Dvs. a fost votat atit de categoric “down” !
      Poate are legatura cu faptul ca putini mai cred ca exista o metoda “definitiva”, miraculoasa de combatere a skimming-ului. Poate din cauza ca nu ati furnizat mai multe amanunte despre cum functioneaza, un link la compania la care va referiti sau o metoda de contact accesibila si cititorilor de comentarii. Poate si din cauza ca am cautat in Google “Forbes Romania” “anti-skimming” si am fost trimis doar la comentariul Dvs. si la 1-2 alte link-uri total irelevante.

      1. 32bit_greg

        And translation:
        Your comment has been voted so definitely “down”!
        Maybe it has to do with the fact that few still believe there is a “definitive”, miraculous method of combating skimming. Maybe because you have not provided more details about how it works, a link to the company you are referring to or a contact method accessible to the readers. Maybe also because I searched Google for “Forbes Romania” “anti-skimming” and I was sent only to your comment and 1-2 other totally irrelevant links.

  3. Yuri

    Well, a new development in the ATM fraud world. I’d call it “Nonintrusive ATM pentesting” or ATM skimmers went public. If earlier crooks were making their lives harder with card-readers, now every Joe and Jane can buy a wireless mini-camera or two at RadioShack, attach it to the ATM and just read card numbers and PIN codes remotely. Simplicity is the king.

  4. wiredog

    “It’s difficult — once you know about the existence of these fraud devices — not to pull on parts of ATMs to make sure they aren’t compromised.”

    And believe me, you get some strange looks and comments from any other customers that may be waiting around.

  5. Lindy

    I’m using my umbrella at the ATM from now on… year round! lol

    1. AlphaCentauri

      Check some of Brian’s prior blog posts. More sophisticated skimming setups have a keypad overlay to record the keystrokes by touch rather than vision.

      My question: In skimmers with a keypad overlay, is there any coordination between the camera and the card slot? If one started keying random numbers on and off during the transaction, could the thieves tell which numbers were keyed at the correct time?

  6. Jarett

    If that was a commercial bank account that was compromised, it would NOT have been covered by any fraud protections. Regulation E only protects private accounts from electronic fraud.

  7. J

    I’ve used this particular type of ATM before. The card slot is recessed in the machine but the overlay doesn’t look like it is built to match it. Was there some kind of adhesive used to hold the skimmer exactly over the slot?

  8. Jim

    Brian.. comment/question..

    The financial ATMs (owned by banks) like the one pictured, have a camera buried into the machine (the comment)..
    Is that camera only activated when ‘the user’ starts the transaction process? (the question).

    Thanks,
    Jim

    1. BrianKrebs Post author

      Hrm. That’s a good question. I don’t know. I suspect it’s different at every bank, but it would seem silly to have these things set to record all the time. My guess is that most of them are as you say set up to start recording when someone begins transacting with the machine and puts a card in the acceptance slot.

      1. george

        Hi Brian,
        I think you are right about it being different at each bank, but it would make sense to record also outside the time when a transaction is performed. For instance, thieves installing or removing skimming devices would most likely not perform a transaction at the same time. (Some are covering their faces anyway, but this will attract more attention from bystanders so I guess they will make a personal choice here, probably settling for sunglasses or the like.) Those cameras are not of high quality (VGA resolution) and would not use a great deal of storage space, even if the 7 to 10 most recent days are retained.
        The reason I believe at least some banks are recording full time with their cameras (or at least proximity activated, anytime when someone gets within 1m from the ATM) is that I saw pictures circulated by our local police of a skimmer (person) preparing to install a PIN overlay which were clearly made by the ATM internal camera. That person was in his early fifties (which I thought to be atypical) and was only using a baseball cap to (unsuccessfully) cover his face. He was later apprehended – I understood he was Polish.

  9. Kamu

    Errr.. is this from 2009?

    Expensive camera.. no remote downloading.. card slot looks terrible. Not very good is it?

  10. name

    http://www.bankitprogram.com/news/blog/47-in-the-news/131-atm-shimming

    Excerpt:
    “…Called “shimming”, the attacker compromises the ATM card reader by using a dummy “carrier card” to insert a thin, flexible circuit board through the card slot. The shim mechanically locks into place over the electrical contacts of the card reader, effectively functioning as a “man in the middle” splitter device, invisible from outside the machine. … “

  11. Hedi

    Here, we install the ATM shield on ATMs. At present, our company has developed a new ATM shield system, called the “foreign matter detecting and alarm device”: if any abnormal thing is added to the ATM, the ATM shield device will detect it and raise an alarm.

    1. Al Mac

      That sounds great.

      Won’t stop insider crime, where insider turns off the detection system temporarily, but then later it may be obvious an insider involved, although not yet obvious which insider.
