28
Mar 13

Cash Claws, Fake Fascias & Tampered Tickets

facebooktwittergoogle_plusredditpinterestlinkedinmail

Credit and debit card skimmers aren’t just for ATMs anymore. According to European anti-fraud experts, innovative skimming devices are turning up on everything from train ticket kiosks to parking meters and a host of other unattended payment terminals.

Recently, at least five countries reported skimming attacks against railway or transport ticket machines, according to the European ATM Security Team (EAST), a not-for-profit organization that collects data on skimming attacks.  Two countries reported skimming attacks at parking machines, and three countries had skimming incidents involving point-of-sale terminals. EAST notes that Bluetooth devices increasingly are being used to transit stolen card and PIN data wirelessly.

Skimming devices found at train ticket kiosks in Europe. Source: EAST

Skimming devices found at train ticket kiosks in Europe. Source: EAST

The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.

This fake ATM fascia includes a card skimmer and bogus PIN pad. Source: EAST

This fake ATM fascia includes a card skimmer and bogus PIN pad. Source: EAST

EAST found that eight countries reported cash-trapping attacks at ATMs, with three of the eight nation’s reporting “significant increases” in this type of attack. The most common method of cash trapping used by crooks continues to involve what’s known as a “cash claw,” a device designed to be inserted into the cash dispense slot on an ATM and pry additional bills from the machine as it opens to dispense cash.

"Cash claws" designed to pry additional bills from an ATM's cash dispensing slot. Source: EAST

“Cash claws” designed to pry additional bills from an ATM’s cash dispensing slot. Source: EAST

The latest report from EAST continues to emphasize that most card fraud stemming from skimming incidents in Europe is in fact perpetrated outside of Europe, particularly in the United States, the Dominican Republic, Brazil, Mexico, Peru and Thailand.

EAST posits that a big reason for this trend is the broad adoption in Europe for a bank card security standard known as EMV (short for Europay, MasterCard and Visa), more commonly called “chip-and-PIN.” Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals. Because chip-and-PIN is not yet widely supported in the United States, skimmer scammers who steal card data from European ATM users tend to ship the stolen card data to buyers or co-conspirators in the United States, where the data is encoded onto fabricated cards and used to pull cash out of U.S. ATMs.

EAST notes that in ten European countries, one or more card issuers have now introduced some form of “geo-blocking,” by which payment cards are blocked for usage outside of designated EMV Chip liability shift areas. The organization found that issuers which have adopted such tactics continue to show a decline in skimming incidents and in skimming related losses.

Update, Mar. 31, 9:27 a.m.: A reader who services ATMs took issue with my description of the way these cash claws typically operate. He offered a different explanation: The claw is pushed into the dispenser by the thief. When a customer requests cash the cash becomes trapped in the claw and is not visible by the customer because its behind the cash shutter/slot. The machine reports a fault with dispensing and is unable to pull the cash back from the dispenser because the claw us trapping it. The thief returns when the victim leaves and forces the shutter open and pulls the claw and cash out. According to the ATM guy, this kind of attack can vary in how its performed. For example the shutter can be forced open first and the claw inserted.

Tags: , , , , , , , ,

33 comments

  1. First, this is the evil cousin of the “outsource at all costs” and “anonymity is always good” crowds. We continue to eliminate jobs at banks and the like and this trend fits perfectly with skimming. I always try to bank via a human.

    Second, the solution for this is for the ATM vendors to add two or more light-sensitive diodes at various places on the ATM. The first would be in the middle of the keyboard. The second would be on the face of the card reader area (the flat plate surrounding the card reader). And they would be placed as inconspicuously as possible to avoid detection by low-lifes. If any of these diodes stopped receiving light for a specific period of time, say one minute, the ATM would shut down and call home. If the diodes were designed properly, even if low-lifes placed LEDs on the inside of their device to try to fool them, they would not transmit the required amount and/or spectrum of light.

    • I’ve thought of that, too, but it would be hard to make it as sensitive as you describe without being susceptible to a lot of false alarms from blowing debris/dust, rain, darkness, street lighting/headlights, people’s hands touching the ATM during use, or vandals who scribble on the sensors with black markers just to cause havoc (or to get the monitoring staff to stop paying attention to alarms in advance of putting a skimmer on the ATM).

      • All good points.

        “rain, darkness, street lighting/headlights”

        I think the complete solution would involve having an infrared or ultraviolet light source above the ATM, with the diode matching that light source. This would prevent criminals attaching plastic parts to it because they would not really be sure what wavelength was being used.

        “people’s hands touching the ATM during use”

        That’s why I included a one minute delay. If people sometimes hold their hand over a part of the ATM for longer, then set the delay longer. Even a five minute delay would not invalidate the basic scheme.

        “vandals who scribble on the sensors with black markers just to cause havoc (or to get the monitoring staff to stop paying attention to alarms in advance of putting a skimmer on the ATM)”

        If this happened, it might be time to station a police officer in an unmarked car just across the street. I suspect it would be criminals crying wolf.

        And of course the ATM video camera would be working as usual to record criminals being cute.

        I never said it would be easy!

        • First, you’re right – it’s all about profits. And second: Nice, there are some ways to secure ATMs and transactions against manipulations, but regrettably the banks are still happy to shift the blame on others and are insured. Which brings us back to profits… (At least they’re very sorry for every victim. 8-))

        • A lot of people don’t realize those security cameras often aren’t video. They may just take a photo at the time of the transaction.

          • Actually the really funny thing is that drive-up ATMs designed for oversized top-heavy land yachts (SUVs) can miss taking video or photo at all if someone drives up in a normal car (or a sporty car with minimal ground clearance and a low center of gravity) the camera because just reaching the keypad requires a full arm extension. It’s a good thing I opted for an aftermarket targa top that’s translucent so I can look up and through…

            • Bilbo Baggins

              If you think the only camera pointing at your face at a drive up ATM is the one in the machine you are severely mistaken :)

    • Carl 'SAI' Mitchell

      It would probably be better to use a hall effect sensor at the card reader slot. If a second reader is placed over it three will be a change from normal when a card is inserted.

  2. I still say the bloody banks need to simply send someone around periodically to examine the ATMs for tampering, and certainly when the things are reloaded. It’s not rocket science and not that expensive compared to everything else a bank does. It’s little more than “external janitorial duty”.

    • Regrettably that’s not enough (the crooks are very fast) and we’re talking about banks – they hate labor costs and love profits – by hook or by crook.

      • But they LOVE their “Monday morning huddles” and their “Jump(s) into January”.

        (Check Youtube for those)

    • They do – but as others have noted, criminals move fast. In most cases the crooks stay nearby at all times while the skimmer is in operation.

      A skimmer can be on and off between 2 inspection visits. Security companies work to routines, which poays perfectly into the hands of criminals (This is why randomising things helps a lot)

  3. ALLEN THOMPSON

    Brian -
    Thanks for including pictures of the bad stuff in the body of your text. I often forward your work to friends and acquaintances and I know know from subsequent conversations that they haven’t “scrolled most of the way down, found the ATM Skimmers link and clicked on it to read”. By putting the pix front and center, so to speak, it makes your info a lot more compelling – especially for those who take cyberspace for granted and who are the very ones more liable to be hit. I hope you continue this. It really makes a big difference. Many sincere thanks.

  4. Every time I use a bank ATM machine, the first thing that I do is check it out completely. If something doesn’t look quite right, then their no way in hell that I ‘m going to insert my cards. Some bank (MT&T) ATM machines in my area have large plastic protrusion where the person inserts their cards, I believe this is to prevent skimming devices from being attached..

    The problem is that big banks now and days don’t want to employee people as tellers. They are forcing everyone to use online banking and ATM machines. The days of bank tellers are numbered because technology will replace them and if you call the bank’s 1-800 number then you’re e talking to a person in India. You would think that if banks want to convert everyone to online banking and ATM machines that they would invest a lot more money in security to protect their customers.

    Or we can all just move to Cyprus and have all are money stolen by the big banks while being limited in what can be withdrawn at the local ATM machine. How we are so lucky in the United States, but for how long?

  5. since the banks can just print more money anyway, that’s a much cheaper solution than fixing the problem!

    • No the treasury prints the money and loans the money to federal government in return they get security bonds.

    • Printing more money has never been thought of as a good solution. Just look at countries like Zimbabwe, their ‘president’ decided since the economy is in trouble they should simply print more money. Needless to say the repercussions were catastrophic! Inflation sky rocketed and the Zimbabwe government ended up scrapping their own currency and use US dollars (among other currencies) instead!

  6. A lot of these fascias in Europe are installed by Romanian gangs, with the expansion of the EU this problem has only got worse and will continue to.

    Perhaps if other countries implemented chip and pin (EMV) then we would see a worldwide reduction in crime especially at POS terminals etc. It has not reduced card not present crime though.

  7. One must ask yourself if the convenience is worth the risk? Having your money accessible at so many locations is what we want but at the same time its also a invitation for thieves. Do we really need security like retina scans and fingerprint readers just to get a few bucks from a ATM? Is that what its coming down too?
    Are PIN’s really the way to go for security? Heck many times I pay $3 or more in ATM fee’s for each transaction! Is this the lousy security I get for that? Really?

  8. As long as the banks are not responsible for fraudulent withdrawals or make it extremely difficult for the original account holder to prove fraud, why should the banks care to spend the extra money for protection ?

  9. A nearby gas station went through the trouble of tagging all their card reader slots with tape bearing the company logo, so if you were at a reader and the tape was obscured you’d know something had gone wrong.

    It took about a week for OCD customers to remove the tape from every reader.

    • Not such a bad idea however — a bank can engrave its logo and the ATM address on the face at the card slot. It’s not likely to move the ATM, and if it does, it just has to eat the cost of a new fascia.

      A skimmer’s value to a criminal would be significantly reduced if it could only be used at a single address.

  10. We have a next door neighbor who works for a bank (one of their ATMs was previously featured here as they got a skimmer attached).

    Anyways, I was asking him why we don’t do chip-and-pin here. It isn’t like the technology is new. And it comes down to money. Who pays for the upgrade? The banks can make up any fraud losses through increased fees, so they don’t care enough to take that next step.

    His initial point was that it would cost a fortune to re-issue all of the cards, I guess I would argue that one would do a rolling upgrade. As old cards expire, give people new cards with chip-and-pin.

    The next question is, who would upgrade all of the ATMs and the merchant card readers. I don’t know the answer to that one.

    The other side of this is that it gradually becomes more and more difficult for people from the U.S. to travel in Europe as more and more terminals require chip-and-pin.

    But this would be a good topic for a followup post here. What’s the holdup in getting chip-and-pin here in the U.S.?

    • You answered your own question: money. There are a bazillion ATM machines around the country and that would require lots of service calls.

      I disagree with your neighbor about issuing new cards. You were correct, a rolling reissue is the way to do it. They could even wait until a card is renewed to issue new ones.

      This is where I diverge from right-wingers who decry regulation at every turn. We can give banks hundreds of billions in bonuses and bailouts, but the sky will fall if we ask them to actually do anything for customers (note to readers: that was sarcasm). The only way banks will start to issue chip-and-pin cards is if the government requires them to.

      And you are correct about travel to Europe. People are telling stories about how they cannot obtain cash in smaller cities. Larger cities have banks where one can walk in and receive cash via a magnetic strip card — assuming one speaks the local language. If I were going to travel to Europe anytime soon, I would buy euros (or whatever) from Travelex in advance, even given the worse exchange rate.

    • When I was in San Francisco, California in 2004, they had chip and pin in the stores there, before we had chip and pin in here the UK.

  11. When I need cash I stick with using one ATM that I know well. This increases my chances at detection, since I know it well and when something is whacky with my balance or account I know where it happened too without a doubt (since I check my account details regularly in addition to the above).

    I refuse to pay fees on below minimum purchases and usage fees for ATMs to access my money, so if a place doesn’t take credit card and I don’t have cash I’ll go elsewhere (or ask myself if I really *need* (not *want*) that item or if it can simply wait).

    Cash is super handy because sometimes you can get a discount on bigger ticket items so they don’t have to pay transaction fees if you plan for it and ask about it (worst they can say is no way jose and if your name isn’t jose that’s even better!).

    This has saved me hundreds of dollars each year now that I plan and budget better!

    I think the chances of being ripped off by someone pulling off an attack against a database of card numbers are greater than being hit by a skimmer to be honest…

    I think the banks also consider it safer to have an ATM held up at gunpoint then a human being.

    • Hey that’s not a bad idea (only using one ATM that is) if the banks use some kind of ‘location lock’ feature its would be harder for the bad guys to use the stolen details somewhere else, but also there should be a feature to override the location lock in case you need to take out money from another location. Plus if you took the ‘location lock’ to the next level you could tell your bank that you only use your ATM card (or credit card?) in a certain location (eg a city or state) and if you need to use it anywhere else you need to authenticate like using a SMS or something like that. I know there will almost always be a way to thwart security measures but there needs to be more done to combat the problem.

      Also its important to take note that whatever security measures Banks and other financial institutions take its important that its doesn’t become to cumbersome for the average Joe. Any security measure that limits the average consumer from performing basic tasks is less likely to be adopted especially if there is a consumer outcry. A good but non-financial example would be the User Account Control (UAC) in Windows Vista especially, its supposed to protect people from harmful software yet for many its was just another headache that annoyed the death out of some people.

  12. Here is one reason for US folks to push legislation for chip-and-pin cards: Because the chip is located near the edge of the card, the card goes in only half-way into the ATM slot. So using one’s eyes (or fingers if one is blind) it’s easy to verify the magnetic stripe is not being read.

    As a bonus, the ATM is also unable to “swallow” the card if the bank software decides it doesn’t like the card or the owner.

  13. Re the comment about chip and Pin being a new technology

    Chip and Pin has been implemented in Europe/UK for over ten years and has been massively successful. The incidence of fraud and card misuse has fallen way down – The banks have recouped the costs by the reduction in fraud several times over. This of course is why cards that are cloned in Europe are then used overseas.

    The cards themselves were phased in over a period of 5 years with machines being upgraded to use both Chip and Pin and Magnetic stripe over that period (Machines still usually have the capability to use Magnetic Stripes if your card does not have a chip – don’t know if the banks have disabled this tho)

    It has become so successful that now even small shops (coffee/paper stands etc) will have a chip and pin machine to accept payment. This is so common that I now rarely carry any cash on my person and just depend on my cards to pay for things – it’s faster to punch in your pin to authorize a transaction than it is to fumble for change.

    By the way, in the UK use of cash machines and payment terminals is largely free – the banks/shops bear the cost of the transaction as a cost of doing business.

  14. “Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals.”

    The algorithm isn’t secret. The key’s are (when keys are used).

    Also, as anyone can make a mag-stripe copy from a chip-card, that same frauster can make an SDA copy of any emv card. Thus fraud will continue until all countries have moved away from magstripe AND offline SDA transactions.

    Europe have already switched to DDA cards, but it doesn’t really help as long as other countries are still allowing SDA transactions, and I don’t expect that to stop anytime soon.

    It’s currently not possible to clone a DDA card. There are unfortunately flaws in the DDA protocol, which have been fixed in the third EMV flavour: CDA, but not many are using CDA yet.

    Anyway, when the frauster puts up a facial with a screen and keyboard, and the facial snatches the card after the pin has been entered no EMV version will help.

    Looks like wireless is the way forward :-)

  15. Skimmers fit over card slots because the there is a conformity in the shapes – parallel surfaces of the skimmer attach to parallel surfaces of the ATM. Have protruding posts (a few centimeters – inch or two or make it the exact width of the card so that you could lay your card beside it to verify the height) such that any attachment would cover this up or have to stick up higher. If the public could expect a uniform design then it would be easy to detect visually. Include a photo of what the slot is supposed to look like right at the machine. Sketch it and etch it into metal. This doesn’t eliminate the problem but I think would make it easier for anyone suspicious to detect something amiss. As it stands now I don’t think I could detect a well-sculpted overlay.

  16. Watch this. It deals with ATM card skimmers.
    http://www.youtube.com/watch?v=ieSUGYuw-js


Read previous post:
Missouri Court Rules Against $440,000 Cyberheist Victim

A Missouri court last week handed a legal defeat to a local escrow firm that sued its financial institution to...

Close