I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.
In February 2011, I wrote about geek gear used in a 2009 ATM skimmer incident at a Bank of America branch in California. The theft devices employed in that foiled attack included a card skimmer that fit over the real card acceptance slot, and a hidden ball camera.
I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code. Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.
Some readers may thinking, “Wait a minute: Isn’t it more difficult to use both hands when you’re withdrawing cash from a drive-thru ATM while seated in your car?” Maybe. You might think, then, that it would be more common to see regular walk-up ATM users observing this simple security practice. But that’s not what I found after watching 90 minutes of footage from another ATM scam that was recently shared by a law enforcement source. In this attack, the fraudster installed an all-in-one skimmer, and none of the 19 customers caught on camera before the scheme was foiled made any effort to shield the PIN pad.
Earlier this year, I spoke at a security conference in Doha, Qatar, and watched an educational presentation on ATM fraud given by a member of EAST, the European ATM Security Team. At the conclusion of the talk, the presenter played for the audience the following video, which suggests that at least some European ATM users are a bit more security savvy when using cash machines.
Sure, not all skimmers are foiled by the cover-the-hand technique: Some skimmer schemes rely on PIN pad overlays instead of hidden cameras. But it’s far less common to find crooks legitimately selling the more sophisticated fraud devices, as PIN pad overlays + card skimmer sets often cost between $8,000 and $12,000 in the underground, whereas all-in-one skimmers can be had for a few thousand dollars apiece.
Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.
If you liked this post, consider checking out the other stories in my ATM skimmer series, All About Skimmers.
- Bug Exposes IP Cameras, Baby Monitors
A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device’s Internet address to view live and recorded video footage, KrebsOnSecurity has learned.