05
Sep 12

A Handy Way to Foil ATM Skimmer Scams


I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.

In February 2011, I wrote about geek gear used in a 2009 ATM skimmer incident at a Bank of America branch in California. The theft devices employed in that foiled attack included a card skimmer that fit over the real card acceptance slot, and a hidden ball camera.

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code. Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.

Some readers may be thinking, “Wait a minute: Isn’t it more difficult to use both hands when you’re withdrawing cash from a drive-thru ATM while seated in your car?” Maybe. You might think, then, that it would be more common to see regular walk-up ATM users observing this simple security practice. But that’s not what I found after watching 90 minutes of footage from another ATM scam that was recently shared by a law enforcement source. In this attack, the fraudster installed an all-in-one skimmer, and none of the 19 customers caught on camera before the scheme was foiled made any effort to shield the PIN pad.

Earlier this year, I spoke at a security conference in Doha, Qatar, and watched an educational presentation on ATM fraud given by a member of EAST, the European ATM Security Team. At the conclusion of the talk, the presenter played for the audience the following video, which suggests that at least some European ATM users are a bit more security savvy when using cash machines.

Sure, not all skimmers are foiled by the cover-the-hand technique: Some skimmer schemes rely on PIN pad overlays instead of hidden cameras. But it’s far less common to find crooks legitimately selling the more sophisticated fraud devices, as PIN pad overlays + card skimmer sets often cost between $8,000 and $12,000 in the underground, whereas all-in-one skimmers can be had for a few thousand dollars apiece.

Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

If you liked this post, consider checking out the other stories in my ATM skimmer series, All About Skimmers.


66 comments

  1. I never cover the entry either.

    Why? Playing the odds…

    Over 400,000 ATMs in the United States. That means 400,000 to one that the one I’m using is compromised. Or actually, X to one given that some percentage of them really are compromised, I suppose, where X is still a pretty large number.

    The figure I would be interested in is how many ATMs in the United States are EXAMINED for the presence of skimmers or cameras by the maintenance team that restocks them and how often is that done. That would bring the figure back closer to over 400,000 to one…

    Still, I suppose I should take up the habit.

    • Yeah, that’s the same reason I never bother to wear a seatbelt…

      • The two can’t be compared. One results in death or serious injury…the other results in my few tens of dollars going missing… :-)

        Now if I had thousands of dollars in there – and someone could beat the lousy $300 limit on withdrawals – I might be more concerned.

        • Feel free to do what you want obviously but some of us don’t mind going to all that extra effort of moving our hand a few inches even if the chances are minuscule that it will actually foil criminals due to there being a minuscule chance of the ATM being compromised.

          Not really sure why you’re having this discussion to be honest ;)

          • Because it’s obviously a low-risk crime…

            And it should be lower risk if the banks would actually CHECK their ATMs instead of dumping the risk all on the consumer by telling us WE need to check their ATMs!

            Why should *I* be the one to detect a skimmer on THEIR ATM?

            Now, I understand the need to block someone’s view EXTERNALLY from my entering my PIN – and most of the time my body does that nicely. But why do I have to take additional measures to defend myself from a compromised BANK device?

            THAT’S the point!

            • I do see what your point is – but you started by pointing out what a minuscule risk it is to start with.

              Now you expect 400,000 (to use your figures) checks to happen daily, assuming one check occurs every 24 hours averaged across all ATMs, which is far less time than skimmers usually remain undetected currently – from memory, don’t quote me I could be completely wrong on that point.

              You could be talking millions of dollars daily depending how far the checking went – for example perhaps a staff member should physically inspect the inside of the card slot to ensure the “slimline” skimmer featured on this blog isn’t installed. It doesn’t seem at all practical without passing on costs in terms of money or convenience (removing ATMs to accommodate the checking of the remaining units).

              Or like the article says you could just move your hand a few inches. Or chance it like you said …

              • The risk of loss is greater than “a few tens of dollars” at the cash machine. If the skimmers get your PIN, they have your full credit card number _and_ the PIN — good anywhere for as much as you are worth.

                • JR is correct.

                  The skimmer collects sufficient data to duplicate your card. Scavenging your PIN enables the perpetrator to use the clone Debit/ATM card at any merchant accepting Visa/MC labelled debit cards.

                  Regardless if your ATM withdrawal limit is $300- if you have a $1200 balance in your bank account, the perpetrator can use your duplicated Visa/MC labelled ATM/Debit card and PIN at a store and purchase $1200 worth of merchandise.

    • That’s just laziness Richard! Why avoid adding such a simple, extra layer of security which will further reduce the odds of a compromise?

  2. Personally I’ve fallen into the habit of placing my palm over the keypad with my fingers and thumb underneath. That means that I don’t need to use my other hand to conceal the entered numbers and it’s as easy to do this as not. I even (usually) throw in a couple of unnecessary finger movements for extra obscurity which is admittedly over the top when as Richard says the odds are in your favour. Why take the risk though.

    • Especially since it’s barely any extra effort.

      I usually choose Cashback at supermarkets tho :D

      • Not too long ago there was a recall of card swipe/PIN keypads for a major retail chain (the name escapes me right now though). The speculation at the time was that the unit they bought, for all their stores, was defective by design and being exploited by criminal organizations… though beyond a company memo being published there were few details to go on at the time.

        More ardent readers of this and other security blogs could probably correct me on the actual reason, since it probably came out later, during one of my insanely busy stretches when I don’t have time to read.

        • Seymour, if I recall, it was the Michael’s chain of arts & crafts stores. This was reported sometime in mid-2011. The debit card readers installed at the registers were compromised at the warehouse of their vendor prior to installation.

          I believe 80 of their stores in 20 different states had their debit card readers recalled and replaced with new hardware.

          I never did see a follow up estimate on how many customers may have been exposed to card fraud by using their ATM/Debit cards at Michaels stores.

      • I did that until my (now former) bank charged me for it. They considered it as an ATM withdrawal from another bank.

    • >>I even (usually) throw in a couple of unnecessary finger movements for extra obscurity which is admittedly over the top

      Haha, glad I’m not the only paranoid ATM user out there that does this :D

      • The extra finger movements might fake out someone PIN-surfing over your shoulder, but it isn’t going to fool someone studying a video recording. In fact the extra digits will alert them to pay closer attention.

        • I usually just cover it up with whatever piece of paper I can find in the car; envelope, social security card, etc.

          (apologies if this is a dupe, wordpress gave me an error)

    • Since I am almost always doing it from my card, I usually just grab any piece of paper that’s handy and cover the keypad with that. You know, an envelope, social security card, whatever.

      • @Sastray

        Purely as an aside, you really shouldn’t be carrying your Social Security card around with you, except for those very rare occasions that you need to physically present it to someone.

  3. Not sure about other countries, but here in Ireland all the ATMs show a big message on the start screen warning customers to cover the keypad while entering the PIN and to contact the police and not enter a PIN if they notice anything suspicious about the machine.

  4. In the UK, we have some ATMs such as ones from HSBC banks which have a pin pad overlay, so there is a metal cover on top of the pin pad and you would have to place your hands below it to enter your pin. Covers it up from every angle.

    • I’ve never seen those in AU but from the sounds of it I do wonder why this isn’t implemented more widely.

      It would have to make both concealing a camera and filming characters surely, particularly if the cover is just a very thin metal sheet where hiding the housing of a camera would be difficult.

  5. How does a card skimmer transmit the pin to the atm? And can’t atms be programmed to shut down or at least send a warning if it’s been tampered?

    • The skimmer collects the data off the mag stripe on cards used legitimately. The camera records the PIN entered. The two have clocks to synchronize the data collected. The skimmer does not communicate with the ATM. Rather, the purloined data is used at a later time & place.

      • @qka I was asking, since the card touches the skimmer first (I assume) how does card info on the stripe make it past the skimmer to the atm mechanism that reads info off the stripe?

        To me, it seems that a skimmer is sitting in front of the atm device, but since the atm recognizes the card and the stripe, somehow the info is passing through the skimmer, if that’s any clearer.

        • @Tom Perry,

          A skimmer is a thin device, molded from plastic and containing an electronic read head, that lines up directly in front of the real ATM’s card slot. It has its own pass-through slot, so the victim’s card travels all the way through the skimmer into the real reader. Check out some of the photos in Brian’s All About Skimmers stream and it should become more evident.

    • There’s no way to detect adhesion of tape or glue, which is often how the skimmers are attached.

      • Well, there’s no way to detect them on currently available ATMs. But the manufacturers certainly could employ stress sensors, weight sensors, motion-recognition camera systems, lasers, or maybe even some sort of electrode system measuring resistance or capacitance between the surfaces a skimmer would attach to, to detect a skimmer’s physical presence. It would probably add a lot to the cost of an ATM, of course. But I wouldn’t be surprised if the manufacturers are already working on this for the next generation of ATMs.

        • Manufacturers have already released newer models which incorporate new anti skimming methods/designs. The problem is it’s up to the banks to actually invest the capital to upgrade their ATMs, which sometimes doesn’t happen for a while.

          Commercial services have also become very popular, providing anti skimming equipment/modifications for existing ATMs. One that comes to mind is ADT’s ATM Security services.

          http://www.adt.com/commercial-security/products/anti-skim-solutions
          (not sure if external links allowed, admin pls remove link if so)

        • Diebold manufactures an advanced skimming detection card reader that can shut the ATM down or alert the police if the skimming device is present. Diebold also sells and installs a TMD device that both detects a skimming device and actively jams the skimming device from working. The latest trend is that criminals are skimming the card at the ATM vestibule door instead of the ATM because the ATM immediately shuts down when they install the skimming device. Not all financial institutions are willing to invest in the technology. Pressure and questions from their members often motivates them.
          http://news.diebold.com/article_display.cfm?article_id=5065

  6. The keypad for debit card/cash back at my local ALDI market has a shield that covers most of the keypad; a slot up the middle allows you to see the keys to press and lets those with bigger hands get access.

    Maybe something like this should become more common?

    • ANSI TR-39 addresses this.

    • There are actually false “pin pad shields” that criminals are using now that have a camera hidden inside of it. You may think it is protecting you, but in reality it is recording you.

  7. Hi,

    I use one hand to cover the keypad and enter the PIN so it doesn’t look as obvious that you are trying to obscure anything.

    The technique is to rest your four fingers across the top of the keypad area and use your thumb, concealed by your palm, to press the buttons.

    If you have a card that swipes, rather than being inserted, you can use the card to rest across the top of the keypad and again use the thumb.

    Both approaches look very natural and if you think you need to practice, just use a phone or numeric keypad on a PC keyboard to get the hang of it.

    Terry

  8. Why can’t they just collect the sound of the keys and translate that into what numbers I’ve pressed?

    • Watch and listen to those videos above. You will hear the same pitch and tone of beep regardless of which numeric key is pressed.

      • Haha, my non-golden ears did not hear there wasn’t a change in the pitch. Thanks.

        Ps, great article.

        • I wouldn’t be too concerned, the mythical golden ears have been sought for the last 100 years or so and still no sign of them after countless rounds of blind testing.

          Even if a certain breed of audiophile insists that confirmation bias doesn’t affect them and they do in fact have golden ears ;)

      • Skimming using audio devices such as MP3 players was possible in older, stand-alone units, if I’m not mistaken. Newer models come equipped with jamming transmitters and many other enhancements.

  9. Brian,

    Great article. I was mostly watching to see what people’s pins were because I’m currently researching PIN selection. You didn’t happen to write them all down, did you?

  10. The flashing LEDs surrounding the card slot on Bank of America’s ATMs would seem to make it harder to attach a skimmer over it, nay?

    Also, I’ve adopted the habit of using my wallet to shield the pin pad as I enter my digits. Pretty much covers the whole thing.

    • I’ve seen several skimmers that include clear plastic or silicon parts that let the flashy LEDs come right through. Plus, as long as it’s semi-translucent, it will still let light through, and customers can’t really be expected to know what color the lights are supposed to be.

  11. Do these things just glue in place? Would it be worth our while to see if the reader comes loose after a quick twist before we put our cards in?

  12. This blows my mind! I can’t believe the security camera from the ATM already couldn’t detect this skimmer altering its functionality. I’m sure it wasn’t very obvious, but surely they could’ve caught the person who set it up.

  13. Nice play on words in the title Brian!

    You’d have to pay for a Handy in some locations. ;)

  14. Since my original post was downgraded (by idiots, apparently), my main point hasn’t been addressed.

    i.e., WHY don’t the maintenance teams detect skimmers? Can they really be attached so well that the people who maintain the ATMs cannot detect them? Or do the banks just not care?

    • From my albeit limited experience, I get the impression that most built-in ATMs, such as at bank branch locations, are accessed for service through the back. At my credit union, specifically, there’s a small locked “closet” near the front door that provides access to the ATM for service. The people performing the routine service don’t even look at the front of the machine.

      • Obviously, my point is that they should be required to do so.

        The ATM I use most frequently is in an alcove in a building, and there is a door to the left of the ATM to access the rear of the ATM. There is nothing stopping the maintenance team from examining the ATM from the front.

        That is undoubtedly the case in almost all locations. I mean, they do try to keep the damn SCREENS CLEAN, right? How hard is it to add a check for skimmers?

    • Maintenance is usually performed during hours when the machine is being used the least, unless it’s broken/down. Most skimmers have a limited battery life. People try to make use of this time during busy hours.

      I’m thinking maintenance teams don’t detect it because the devices are kept for a very short period and then quickly removed. Most banks have someone visually inspect the ATMs in the morning for anything suspicious, as an added measure.

      • Now that makes sense. If I were an ATM thief, I’d time my visits between regular reloads and maintenance and make sure my device wasn’t there at maintenance time.

        However, all that means is that the bank needs a guy to drive around to all the ATMs in the city every day and do a check. Not exactly a huge expense for the bank…

        ATM thieves aren’t going to sit outside the ATM waiting for a guy to check, removing their stuff before and putting it back up after. The whole point of a skimmer is a cheap way to capture PINS without having to sit in a car with a camera…

        • >>However, all that means is that the bank needs a guy to drive around to all the ATMs in the city every day and do a check. Not exactly a huge expense for the bank…<<

          if you will ask in the future why some/many readers will downvote,
          the 2 sentences above are the reason…

          • Would you care to explain IN DETAIL WHY it is a huge expense for the bank to hire some minimum-wage person, train him to detect skimmers and send him round every couple of days? Is this any more expensive than having a completely useless armed guard in every branch (because we all know they are completely prohibited from using those firearms inside the bank absent a direct threat to someone’s life…)

            Otherwise your remark is just blowing smoke…

  15. I am wondering if ATM manufacturers could defeat these things with a simple light sensor built into the plastic around the card slot, and perhaps also built into the keypad.

    The idea is that if the light sensor ever saw it go completely dark for more than a minute or so, the ATM would automatically go into an “out of order” mode.

  16. I routinely cover my hand when entering the PIN, either on ATMs, parking meters, or other POSes. On top of that I watch for suspicious seams or loose parts that can indicate a pin overlay. I do that since 2009, Brian’s blog was one factor in convincing me, alongside some materials circulated by local police. I don’t feel any reason to be ashamed of taking those security measures (some readers pointed out techniques to obscure the pin number in a non-obvious way, but why should I)?
    I reported twice to police skimming devices and in one case I got confirmation one was indeed installed and an investigation was started (it was a POS in a Pizza shop).
    I think it should be noted that some images are from August 2009, meantime the awareness is greater and a far larger percentage (by my own observation in WE around 50 percent) is obscuring the pin, at least to some degree.

  17. Or you could just park your car. Get out, and go use the one inside the bank that’s more likely to be safe!

  18. The following idea will earn this comment a gazillion thumbs down but here it goes. Minimize ATM use. Do so by joining the cashless society. I joined by getting a cash back credit card. I charge everything and in just a short time I have earned $50. Every now and then I have a need for this strange substance called cash. When that need arises I go to the ATM at my bank. I never use an ATM off of bank property. I make a quick check for skimmers and then withdraw the maximum amount. The cash is put in an envelope which is then stored in the maximum security compartment of my antique roll top desk. My desk then becomes my ATM. As for deposits, they are done electronically. The thumbs down button is the red one.

  19. A simple but effective solution is to use your wallet to cover your pin presses.
    Asking why there isn’t weight sensors or light sensors or some other type of check/sensor is fine but understanding that the banks want the machines up 100% of the time for usage so false positives mean downtime meaning less usage. Lots of things can be done but can make the ATM experience for customers time consuming or not possible at all because the machine is out of service due to false positives.
    Then there’s the maintenance cost of this high tech security, the hardware costs. The cost of replacing when fraudsters damage them etc.

    The use of chip & pin in Europe has dropped skimming significantly but in the US it’s still big business, chip & pin will eventually have a flaw but currently it’s the most secure option. Credit card terminals are less secure than ATMs in my opinion since the card server is in the shop and a massive flaw is some places have lax security on those servers and store unencrypted card data.
    I’d be more worried about my card data being stolen from one of the many databases from companies.
    I’d say more fraud has been committed with stolen card data from databases than skimmers.
    Check out someone called Max Butler aka Max Vision.
    The book Kingpin by former hacker Kevin Poulsen gives a good account of card fraud.

    Summary is visual check (3 seconds), wallet + hand cover pin. If in doubt leave it out.

  20. Once again, no one has bothered to discuss my main point: why is it that WE are required to protect ourselves from skimmer but the bank is NOT? And WHY is it such a hugely expensive proposition for a bank to simply check its ATMs for skimmer on a regular basis?

    This would seem to be probably the absolute simplest possible crime to avoid if the banks would put any effort into it at all.

    Apparently the suckers calling themselves consumers would prefer to meekly bow once again to the banks’ “authority” and indulge in all sorts of maneuvers to protect themselves from the banks own massive failure to care a whit about them.

    Again, it makes sense to protect yourself from EXTERNAL viewers of your PIN entry – no one is denying that. But it’s ridiculous to have to worry about ATMs compromised by actual physical criminal devices attached to them.

    The next person to have his account compromised in this fashion should file a class action lawsuit against the bank involved for “criminal negligence”.

    • Short of putting a guard next to every ATM, 24 hours a day, it’s not physically possible to protect each ATM at all times.

      Personally, I think it stems from a much bigger problem – how banks treat fraud as a whole. Instead of investing capital into newer technology, employee education and actually investigating crime, fraud has become an expense item. Banks incorporate fraud into their operating budgets and simply write off at the end of the year.

      In the short run, certainly is cheaper than putting up capital. But is it really addressing the problem?

    • It has been answered.
      Staff do check the machines and the machines are monitored but you can never be 100% and it’s not practical to have OTT security measures.

      You can go around life and expect everyone else to look out for you and get nowhere. It’s like walking around a dodgy part of town with money in your hand and getting robbed, and then complaining the police should prevent you from being robbed, it’s their fault.
      It’s never about eliminating fraud/crime, it’s about reducing the chances of being affected by crime. At machine level there’s things done to reduce fraud, then staff level, but the customer must also take BASIC precautions too.

      You are looking from the outside with no idea how anything works on the inside and demanding answers. You first have to understand the variables before you can understand the answer let alone have an answer.

      Now I can’t comment for all banks but fraud is a daily battle, and it’s accepted that it happens but it’s constantly being reviewed to try prevent it from working without impacting the customers.

      If you still do not understand etc then you never will unfortunately.

      P.S. Read your terms of service that you agreed to with your bank card and bank account. You agreed to take certain measures to prevent fraud on your account/card.

  21. I am trying to find some good developer tools for iPhone / Android / smartphone. And not just a dev tool kit I also need the translator to convert to iPhone / Android / smartphone. I am interested in making apps for all new phone models. If anyone is interested in dev projects hit me up please. I have an idea about developing a cellphone app that will upload video instantly to a website with password for secure viewing at a later time even if the cellphone is confiscated.

  22. Please be aware this happened to me yesterday. I’d just picked my daughter up from playschool and had my son in his pram, went to my local co-op, bought my bits and I went outside to check my bank. I’m not sure why I did as money wouldn’t have gone in yet but I just wanted to make sure. I put in my pin and checked my balance; it hadn’t gone in so I pressed release card. The machine reads “please take you card” and my card wasn’t there. I inform the shop and they say although it’s their name above the ATM there’s nothing they can do, so I went back outside, obviously upset, and try to find something on me in which I can phone my bank to cancel my card, when another lady’s at the ATM with her card in doing her business and I said I’m really sorry but that machine’s just taken my card, I think it’ll take yours. So she swears quite a lot and clicks release card, only for the machine to spit her card at her and a big plastic cover of the card slot with a slit in on the floor. Turns out the machine had been tampered with. Unfortunately because she got her card back she just walked off, so I’m not sure if she informed her bank, but a co-op worker came out and found a hidden camera. The timer read it had been on for 17 minutes; it looked the size of a phone. Obviously I was very upset; although my bank was empty it had felt like somebody had snatched my bag from my hand. This is still theft and we informed the police and they were given a good description by the people of the shop of the men on CCTV cameras; also they would be on the device camera itself fitting it. They came for the device and to get fingerprints, as some people have their life savings in their banks, pension money and wages. I usually always cover my pin but being in a rush I just sadly forgot. I just want to warn people of these crimes as you hear about them and don’t really listen – I know I didn’t.

    I think my card jammed the machine where the device had been put on, as these devices are normally left on for an hour in which they can receive a pin every 3 minutes, which doesn’t take a genius to realise in an hour that’s a hell of a lot of pins and a hell of a lot of people’s lives that affects. One thing’s for sure, I’ll take good care when checking out a cash machine next time.

  23. Yep. I’ve written about a couple of skimmers for sale in the underground that rely on dual-SIM cards to relay data:

    http://krebsonsecurity.com/2010/06/sophisticated-atm-skimmer-transmits-stolen-data-via-text-message/

    http://krebsonsecurity.com/2010/12/why-gsm-based-atm-skimmers-rule/

    Also, the last skimmer post I did before this one highlighted wafer-thin skimmers that are made to be inserted into the card acceptance slot.

    http://krebsonsecurity.com/2012/07/atm-skimmers-get-wafer-thin/