Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.
Nashville police released a series of still photos (which I made into a slideshow, below) that show a man attaching a card skimming device to a local ATM, and then affixing a false panel above the PIN pad that includes a tiny video camera to record victims entering their PINs. According to Nashville NBC affiliate WSMV.com, this scammer’s scheme didn’t work as planned: The card skimmer overlay came off of the ATM in the hands of the first customer who tried to use it.
As you can see in the image montage, the first would-be victim arrives less than seven minutes after the thief installs the skimmer. The story doesn’t state this, but the customer who accidentally pulled the card skimmer off of the ATM actually drove off with the device. Interestingly, the fraudster returns a few minutes later to salvage what’s left of his kit (and perhaps his pride).
As lame as this ATM skimming attempt was, a few aspects of this crime are worth highlighting because they show up repeatedly in skimming attacks. One is that the vast majority of skimming devices are installed on Saturdays and Sundays, when the crooks know the banks will be closed for at least a day. As a result, you have a much higher chance of encountering a skimmer if you regularly use ATMs on a weekend.
Second, the thieves who install these fraud devices very often are lurking somewhere nearby — to better keep an eye on their investments. If you ever happen to discover a skimming device attached to an ATM, just remember that while walking or driving off with the thing might seem like a good idea at the time, the miscreant who put it there may be watching or following you as you depart the ATM area.
Once or twice a month I am interviewed by various news outlets about ATM skimming attacks, and I’m nearly always asked for recent figures on the incident and cost of these crimes. Those stats are hard to come by; I believe the last time the U.S. Secret Service released figures about the crime, it estimated that annual losses from ATM fraud totaled about $1 billion, but that was for 2008.
Source: Verizon
Today’s figures are almost certainly higher. On Tuesday, Verizon Enterprise Solutions released its annual data breach investigations report, a deep dive into more than 620 data breaches from the past year. Interestingly, this year’s report shows that of the Top 20 Threat Actions the company tracked across all of the breaches from 2012, physical tampering was the most frequent cause — present in more than 30 percent of all incidents detailed in the report.
“Physical tampering is our way of categorizing the installation of a skimming device, and that was the number one threat action out of everything we looked at,” said Wade Baker, managing principal of RISK intelligence at Verizon. “If you look at the last two [Verizon annual] reports, a large majority of the data set was the point-of-sale intrusions at small organizations such as retail establishments and restaurants, and those are actually a much smaller portion of our data set this time.”
The European ATM Security Team (EAST) earlier this month released annual statistics that show a 13 percent increase in ATM fraud losses at European banks in 2012 over the year prior (see table below).
Source: European ATM Security Team (EAST)
Extrapolating from reports of increases in monetary losses from ATM skimming attacks in Europe, it’s not hard to see how the U.S. could be faring quite a bit worse. The incidence of ATM skimming in the United States is almost certain way up over previous years. That’s because according to anti-fraud experts in Europe, most card fraud stemming from skimming incidents in Europe is in fact perpetrated outside of Europe. a big reason for this trend is the broad adoption in Europe for a bank card security standard known as EMV (short for Europay, MasterCard and Visa), more commonly called “chip-and-PIN.”
Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals. Because chip-and-PIN is not yet widely supported in the United States, skimmer scammers who steal card data from European ATM users tend to ship the stolen card data to buyers or co-conspirators in the United States, where the data is encoded onto fabricated cards and used to pull cash out of U.S. ATMs.
Want a simple, free way to protect yourself from ATM skimmer fraud? Cover the hand entering your PIN with your free hand. That way, if a hidden card skimmer manages to capture your card details, the hidden camera won’t be able to capture your PIN (some fraudulent PIN capture devices are actually PIN pad overlays, but those are comparatively rare and far more expensive than hidden spy cameras).
Note that there are additional problems with chip & pin, especially as occurred in the UK. When phantom withdrawals happened, the banks responded along the lines of the system being so secure it must have been the customers making the withdrawal so tough luck. (They even sued a former cop for fraud.) Essentially the customers were out the money, presumed guilty and had no recourse.
It turned out to be an inside job at the banks. I avoid “secured” cards for this very reason, since they don’t really benefit me, and there is no way the banks can be trusted.
@Roger,
They call this “Liability Shift”. It would not be a nice experience and Brian reported at least once previously disturbing news that faulty EMV implementations allowed ” transaction replay” attacks (with the transaction amount and account number allowed to change). But from other news I get here in Europe it seems 2013 would have far less losses (compared to 2012) related to skimming due to EMV and to the fact that more and more banks started this year to block by default card-present transactions outside European Community. You would have to specifically request unblocking your card for a certain period before travelling outside EC.
Yep.
http://krebsonsecurity.com/2012/09/researchers-chip-and-pin-enables-chip-and-skim/
As far as I can tell “liability shift” is about who takes the fall for fraudulent transactions between the banks and retailers.
What I am concerned about is when they try to pin it on the consumer on the grounds that the banks and retailers now have “perfect” security, as happened in the cases I referenced.
At the moment the banks have to prove that a transaction was not fraudulent such as if you reported a phantom withdrawal. With c&p you could end being the one having to prove it was fraudulent which is considerably more difficult.
How Not To Rob An ATM Machine:
http://NewsInfo.Inquirer.net/393883/new-atm-robbery-ploy-sticky-keypad
MANILA, Philippines–Nothinghigh-tech here. Just a few drops of sticky stuff to keep potential victims “glued” to the spot.
While other crime syndicates are reportedly using scanners and hidden cameras, a man allegedly devised what he thought to be a simpler way to rob users of automated teller machines (ATMs).
The Malabon City police have arrested Aron Conular, 44, for allegedly stealing the ATM card of a woman who was caught off-guard and distracted from using the machine’s keypad which the suspect had earlier smeared with a strong glue.
Northern Police District spokesperson Superintendent Ferdinand del Rosario said “this is the first time we have seen such a case. It’s a cruder, less sophisticated scheme compared to the techniques we have seen wherein criminals place a skimming device which captures ATM data and a camera which records the PIN (personal identification number) as it is typed on the keypad.”
Conular, a janitor living in Quezon City, was arrested Wednesday night after a long chase which started when he took the ATM card of Vernadette Ramos at a Metrobank branch on J.P. Rizal Street in Barangay San Agustin.
In a report, Senior Police Officer 1 Eduardo Tribana of the Malabon police said Ramos was about to withdraw cash and had already inserted her card into the ATM around 9 p.m. when she felt that the keys were sticky.
Conular then approached the woman, offered to help her and suggested that she look for the bank’s security guard for assistance.
Ramos followed Conular’s advice, briefly leaving her ATM card inside the machine, but she couldn’t find any guard nearby. When she looked back, she caught the suspect pulling the card out of the ATM.
It was not clear in Tribana’s report how Conular was able to get the card, but Del Rosario said he may have simply pushed the “cancel” button to eject it from the machine.
When Ramos demanded her card back, the suspect just ignored her, walked away and boarded a passenger jeepney, according to Tribana.
Ramos, who went to the ATM on a scooter, followed the jeepney and saw Conular get off and take a tricycle. She continued tailing the suspect until she met a team of policemen on patrol.
The officers eventually cornered Conular and recovered Ramos’ ATM card. The suspect also yielded a knife when arrested, Tribana said.
Del Rosario said “the success rate (of such a scheme) may not be good since the suspect will still likely have no knowledge of the card’s PIN, unless a camera has recorded it.”
“Usually, ATM robberies involve suspects who force the users to empty their accounts or wait for them finish the transaction before robbing them,” the NPD spokesperson said.
Del Rosario reminded ATM users to be vigilant especially when using the machine during late hours. “Look around first for suspicious persons nearby. Better yet, use ATMs that are in busy areas or where there are security guards on-site.”
I live in a state where I can travel legally armed in my car. My firearm is always in easy reach before I use an ATM. When I pull up, I always do a 360 scan for any sign of a lurker/observer. When I enter my PIN, I do it two-handed, as Brian suggests. I then drive away immediately after the machine is finished. If necessary, I pull over elsewhere on the lot, in a safe area, to put stuff away, etc.
If a skimmer ever comes off in my hand, I will sure as heck drive off with it, straight to the nearest available authorities. If the skimmer’s owner wishes to follow me, so be it. If he wishes to intercept me, well, surprise!!
Bottom line: I hardly ever use ATMs.
Your life seems to be marginally better than that of the lawless west in the 1800’s.
Thanks for reminding me why the US is not the best place on earth to live.
Please don’t inject offtopic nationalism here. This blog is for discussion of security.
Ok, tough guy.
Plus you may finally get your deepest darkest wish fullfilled:
You think you’ll actually have an excuse to shoot another human being.
Of course, escalating an encounter to the use of deadly force when no such use of force is necessary or even warranted tends to come with a prison sentence, so I wish you luck when you’re serving time.
My “deepest darkest wish” is to be able to defend myself on an equal footing against the kind of armed robbery that many unfortunate (and unarmed) ATM users have undergone. You can keep the “luck” that you “wish” me. I suspect that a prison sentence for me and others similarly prepared is your “deepest darkest wish.”
So what is the recommended action when a skimmer comes off in your hand. Is this worth a call to police (non-emergency number)?
For your protection, dial 911 immediately. You’re reporting a crime in progress, and if the thief is nearby, you might actually be in danger. 911 operators are better equipped to record details than the non-emergency number, and better staffed.
If you don’t call it in, you may be recognized by your bank anyway, especially if your card number or your license plate is associated with a transaction that coincides with the security camera’s time stamp. That means you will be visible on the security tape, holding a skimmer device. If you don’t turn it in yourself, you’ll soon have to explain to the police why you didn’t.
Well, Atlanta has never been associated with a high degree of competence before in my view, except when chicanery is involved.
I laughed so hard I almost injured myself.
Go Gators!
Probably this guy’s first attempt. He doesn’t look like the smartest guy in town, either.
I’d certainly agree that if you find one of these things, don’t handle it at all if you can. You don’t want YOUR fingerprints on it! And definitely report it to the bank and the police. And don’t run off with it, that’s tampering with evidence – a felony.
If the freakin’ thing comes off in your hand, “running off” with it might be the safest thing you can do, on the premise that the device’s criminal owner might be nearby. I’d sooner take my chances with the authorities than with an armed skimmer operator. I forgot to mention that, in addition to my other precautions at an ATM stop (see comment above), I keep the transmission in “drive” just in case I have to make a hasty exit to avoid a robbery or other danger.
What a strange world you live in, where you think everyone is armed. I suspect this is a case of wish fulfillment.
It is a strange world we live in, Sandy, I mean Seymour.
In the strange world in which I live, Seymour, the likes of you are free to practice unlicensed, ignorance-fed psychoanalysis on the likes of me. But lest you think that I think everyone is armed: I’m pretty sure you are not. And when it comes to informed, logical argument, I’m absolutely positive you’re unarmed.
Love reading your blog and it give me more knowledge regarding taking more security to my account.
Anyway, do you have any data or information about such bad practices in Asia ?
Thank you.
The reported response to liability shift at several banks has been to flat out decline chip card transactions and visa auth transactions in particular.
Perhaps a better response by visa than liability may have a mag stripe removal mandate?
Me and my wife found one of these when we were out shopping one day, while i was pretending to use the ATM my wife called the police, they were there within minutes, the officer removed the device and also showed us what it was and how it worked, it was a very simple camera which was a Nokia 3210 stripped out of its case
I might add here that “it’s your fault” to the two guys in the vehicle that people have now become more aware in getting their personal information stolen by these skimmers
Thanks for the tips! Scammers are always coming up with new ways so it’s good to make sure what they are up to.
My daughter’s card was skimmed 2 weeks ago at an ATM. She realized it the next day when she had no money in her account to put gas in her car.
Unfortunately it has been a very humiliating experience as the SECU that she has an account with does not believe her. They have a photo of her withdrawing $20 one minute and a photo of a man she has never seen before withdrawing $200 recorded the very next minute. When they showed both photos to her (and to me) they had already captioned the second photo of the man as “Girl hands her card to guy to use”. Slander? My daughter is outdone by this and so am I. She says she absolutely DID NOT HAND HER CARD TO SOME GUY TO USE.
Do any of you know if, when theifs use these skimmers, they are able to control the time the withdrawal is recorded as well as record account and pin numbers? How can this happen? I’m just getting started. The banks reaction is unacceptable. We have had many accounts with them over the years and we have never had any problems or any similar incidents.