March 11, 2011

To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.

Earlier this year, authorities in Ireland began dealing with a rash of ATM skimmers like the one picture directly below. The green anti-skimming device is backlit and oddly-shaped, a design intended to confound skimmer makers. But as can been seen from the first picture here, the only obvious difference between a compromised ATM and an unadulterated one in this case is a small plastic lip at the top, which the crooks in this attack used to house the electronic brains for their skimmer.


The second picture below shows the underside of the skimming device, removed from a compromised machine in the background.

A representative from the Garda (Irish Police) declined to discuss the skimming photos, saying that for legal reasons they were unable to comment on ongoing court cases. But a source close to the investigation said identical skimmers have been found attached to ATMs across the country. The source said a 33-year-old Moldovan man has been arrested in Limerick in connection with the attacks, which authorities have called part of a global ATM fraud operation.

Last fall, while lurking on some underground criminal forums, I encountered another type of skimmer masquerading as an anti-skimming device for cash machines made by NCR. The skimmer pictured below is sold for several thousand dollars by a Russian guy who has a presence on at least two major carding forums. His advertising literature claims the battery-operated device will hold a charge for about three days. He also claims his skimmer won’t work on Russian ATMs: “It will immediately disrupt those wishing to operate via Russian ATMs: A majority of the BINs [Bank Identification Numbers] of Russian banks are hardwired into the chip; they are not processed.”

Picture of a anti-skimmer skimmer for sale on underground forums.

When I first saw his skimmer photos, I wasn’t too impressed. I’d never seen anti-skimming devices that looked even remotely like his in real life. But that changed in December, when the wife and I traveled to Costa Rica for some friends’ destination wedding. While we were there, we had a chance to stay in and hike through the gorgeous Monteverde Cloud Forest, and at the end of a guided tour through the forest I needed to stop by the ATM to tip our guide. When I got to the town’s bank and saw the ATM pictured below, I took a step back. For one thing, the NCR ATM looked like it had one of these fake anti-skimmer devices attached.

I grew more nervous when I noticed that the only other ATM at this bank was out of order (skimmer thieves often place out-of-order signs on nearby ATMs that are not compromised, in a bid to steer people to the hacked ATM). I yanked pretty hard on the green device affixed to the ATM, and it remained attached. Left with the choice between stiffing our driver and excellent guide without a tip and taking out cash from this machine, I chose the latter. I haven’t seen any suspicious charges yet, but it just goes to show you how even a little knowledge of these ATM skimmers really can make you paranoid.

[EPSB]

Have you seen:

ATM Skimmers: Hacking the Cash Machine…Most of the ATM skimmers I’ve profiled in this blog are comprised of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.
[/EPSB]


30 thoughts on “Green Skimmers Skimming Green

  1. Caspian Kilkelly

    Those “anti skimming” devices are all over Canada (and at least some parts of the northeastern US) on non-bank installed ATMs-(standalone machines, rather than the ABMs you find at banks) They’re a little funny looking. What’s more disconcerting is the system the cheap ones use to read the card- it’s a swipe device, rather than a grab and hold device. The lack of mechanical actuation makes it much easier to put a well camouflaged skimmer on the machine- unlike the ABMs (mostly Nixcor/Windorf or similar), which all have a little card grabber that prevents against the type of attack you describe.

    Standalone ATMS (like the ones Diebold makes) have always been a major source of fraud in Quebec, since they’re often in unmonitored or insecure areas, while the bank ones are usually pretty well watched. In principle, ATM security is the same as staying safe walking home at night… Stick to areas where traffic is slow enough for them to notice you, and there are lots of people around doing things..

      1. Joel

        Hi Brian , The green skimmer on the NCR ATM for sale picture you show I saw one on a Bank of America ATM in Orlando FL the night of Friday February 11th 2011.
        I knew something didn’t look right from what I have learned from reading all your other articles. So needles to say I didn’t dare use that ATM. And now I’m glad I didn’t.
        Thanks!!!
        …Joel

      2. Andrew

        We have a huge problem with card loning/skimming devices in South Africa. Could you please forward me your email address that I can contact you regarding questions I wish to ask you.

      3. Andrew

        Both of the above green tipe skimmers have been found in South Africa during June, July 2011.

  2. LonerVamp

    Strange, after-market things attached to an ATM certainly make me nervous. That includes anti-skimmer attachments that look themselves suspicious. 🙁

    And what sort of behavior does that reinforce for users? That things attached to an ATM are fine?

  3. JBV

    Why didn’t Brian have a second bank account, complete with an ATM card, that held only the $$ he anticipated needing for the trip? Would have saved him a lot of anxiety. A savvy traveler would use this limited account, while still carrying the main account’s card for unanticipated emergencies.

    1. BuddhaChu

      That’s exactly the setup I have. Steal the card or it’s data and you’ll end up with about $400 max.

  4. Vic

    If ATM makers were to put up a warning of some sorts that a skimmer device might be attached, do you or anyone reading this think that would deter this sort of crime?
    I relate it to the warning AOL used during the rampant Phishing times in the late 90s, “Warning no AOL employee will ever ask for your password or credit card info”. Once that was added to every IM window and Chat room I believe phishers had a lot hard timing fooling users.
    Perhaps the warning could even be on the screen itself?

    1. Will

      But phishing must still work or there wouldn’t be phishers.

  5. Zeridon

    Hi Brian,

    The antiskimming device pictured in the last photo is Legit. We have them on a certain bank ATM’s in Bulgaria. Although as noted above desinformation abounds. The bank has not been kind enough to post information why they put the device on the ATM’s. Usually it can be identified by the semi 3D/transparent lock logo (though i find it cumbersome).

    PS: No i don’t work in the bank or ATM industry.

  6. Alexander

    Hi, these “anti skimming” devices are very common in Germany.
    First time I saw them I immediately called the bank support in order to confirm that it was indeed not a skimmer.
    And every time I see them I try to pull at them like you did, just to reassure.
    So I don’t think it makes the ATM secure, it just makes me more paranoid.

  7. Jason

    In Canada, pretty much every store, restaurant and convenience store accepts Interac for payment via the same machines that process credit cards. We still have bank machines though.

    In my city, there have been under the counter skimmers at some places that have captured card information, however. Twice in two years, my bank suspended my card and required me to come in to get a new one because of these skimmers. And one time, they even tried twice to take about $300-400. I think these under-the-counter skimmers even more scary because there is nothing visible and many have claimed that they didn’t know about them either until they were investigated. I’m still not sure though if they have to scan the card twice to use those (I watch carefully for that) or whether they can just get the data from the device.

    In any case, Canada has already started using chips on the cards (along with the magnetic strip for backwards compatibility), although not everyone has one yet and not all the point-of-purchase terminals use them yet. I’m pretty sure all the bank machines do though, though not the cash stops often in convenience stores and gas stations. I believe by sometime next year though, all the terminals will have to have the chip readers. Supposedly this will cut down on fraud because of the higher difficulty in making cards with embedded chips but I’m curious what Brian and others think.

    1. BrianKrebs Post author

      Hi Jason, welcome. As far as chip and PIN is concerned, it doesn’t do much to stop thieves from using your cloned card: They just use it someplace where the chip part isn’t recognized, and since all cards with chips are backwards compatible with regular mag-stripe readers, all a thief needs to do is clone your card and use it at any ATM in the United States.

      If you look at the European ATM Security Team, ATM fraud reports they show that ATM fraud is up, and that the biggest share of ATM fraud losses come from Europeans who have had their accounts dinged from over here in the US.

      http://krebsonsecurity.com/2010/05/fun-with-atm-skimmers-part-iii/

      From that piece:

      “EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard”

      1. Jason

        Thanks for your reply. Wouldn’t that change if the banks stopped offering cards with the magnetic strips though? Although I know a lot of Canadians go to the US, soon the strip won’t be needed here. Maybe I should press my bank to have a Canadian-only version of the chip card with no magnetic strip. For those visiting the US, they could offer a US version. I don’t see why we should risk our bank accounts because the US won’t upgrade their security to use the chips.

      2. Jason

        Forgot to add the obvious question, are European losses down to using the chip? Or are the majority of cloned card users in the US?

    2. Zeridon

      Hi Jason,

      There has been quite a serious research in the EMV field and it’s looking bad … prety bad. If a system is deployed correctly it indeed lowers the fraud, otherwise it’s just crap (and judging by the research and papers released it is so).
      So quick pointers:
      * google for “chip and pin is broken”
      * “The Smart Card Detective: a hand-held EMV interceptor” (http://www.wecho.com/media/the-smart-card-detective.pdf)

      1. Jason

        That’s really discouraging. Why even bother changing all terminals to only allow chip transactions if it doesn’t work? Note I’m not not disagreeing with what you’ve said, Zeridon or Brian, I’m just really surprised they haven’t though of this. I would’ve thought Canada could do better because we have a small number of banks. Makes one wonder if we’d be better just going back to cash transactions.

  8. techmonkey

    I don’t think it’s wrong to be paranoid about that at all. I even check all the gas pumps I pull up to; one pump I almost used had the door lock obviously broken and the door hanging open. I decided to mosey across the street to the next station at that point.

  9. омайгадбл

    Perfect idea! Skimers everywhere!
    Воруй, убивай, еби гусей!

  10. Matt Krebs

    Thanks Brian, I need to be more vigilant when using any ATMs.

  11. Julia Norris

    Brian, to add to your collection of ATM skimmers – Boynton Beach, Florida police warn of new twist on ATM identity fraud – ” thieves have been cutting the bottom of the ATM card readers to remove the microchip, police said. They then insert their own battery-operated card reader to skim customers’ account information.”
    Story and photo of damaged reader in the Palm Beach Post http://www.palmbeachpost.com/news/crime/boynton-police-warn-of-new-twist-on-atm-1379582.html?cxtype=rss_news
    Started reading your column when you were still with the Washington Post and greatly appeciate your efforts to keep us all protected and informed. Noted the SANS Internet Storm Center uses KrebsonSecurity as an authoritative source.
    Many thanks and keep up the good work

    1. BrianKrebs Post author

      Oh, that’s brilliant, Julia. Thanks for the link. I may have to get more details on that.

      Bk

  12. Derik Minaj

    BK..Just make clear my head out. We have EMV, chip card and anti-skimmer. Which one one can be used to stop skimmers? Or are you telling me there is nothing we can do to stop this Catastrophe

  13. Simon

    All of the ATMs here in the UAE have the same card slot as you found in Costa Rica.

    Compared to many places in Europe, here in Dubai the banks have a quite high daily cash withdraw limit – usually around 5000 dirhams (which is about 1000 euros, or 1350 usd). The limits I’ve found in Europe seem to be around 400 euros, so a card skimmed here could take money from an account twice as fast as elsewhere…

  14. Emiljano

    Here in Albania the fraud with skimmer device is more intensive in this time, please did you have any information for the best product of anti-skimmer that is in use ?

  15. Darnley

    Wow that is a beautiful/dangerous piece of equipment. Where is the story behind the first two images?

Comments are closed.