This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.
On Saturday, Nov. 23, a customer at a Bank of Brazil branch in Curitiba, Brazil approached the cash machine pictured below, dipped his ATM card in the machine’s slot, and entered his PIN, hoping to get a printed statement of his bank balance.
When the transaction failed, the customer became suspicious and discovered that this ATM wasn’t a cash machine at all, but a complete fake designed to be seated directly on top of the real cash machine. Here’s what the legitimate ATM that was underneath looked like.
When the cops arrived, they pulled the fake ATM off the real cash machine. Here is the fake ATM, set down on the floor.
The backside of the phony cash machine reveals what may be a disassembled laptop with the screen facing outward. The entire apparatus is powered by two large batteries (right). Notice the card skimming device (top right, with the green light) and a side view of the component for the fake PIN pad (top).
It’s not clear from the reporting in these stories from the Brazilian media (nor from the Youtube video from which the above photos were taken) exactly what hardware was included in this device. It seems difficult to believe that thieves would go to all this trouble without incorporating some type of GSM or 3G components that would allow them to retrieve the stolen information wirelessly. I don’t imagine it would be easy to simply walk away from a cash machine unnoticed while holding a giant fake ATM, and a wireless component would let the skimmer scammers offload any stolen data even after their creations were seized by the authorities.
This device appears to be nearly identical to a fake ATM found in April 2013 in Santa Cruz do Rio Pardo. The story about that April incident has much higher resolution photos, and states that the fake ATM indeed included a 3G mobile connection, ostensibly for sending the stolen card and PIN data to the thieves wirelessly via text message.
Interestingly, much like grammatical and spelling errors that often give away phishing emails and Web sites, the thieves who assembled the video for the screen for the fake ATM used in the April robbery appear have made a grammatical goof in spelling “país,” the Portuguese word for “country”; apparently, they left off the acute accent.
Most skimming attacks (including the two mentioned here) take place over the weekend hours. Skimmer scammers like to place their devices at a time when they know the bank will be closed for an extended period, and when foot traffic to the machine will be at its highest.
Keep a keen eye out for anything that looks amiss when you visit the ATM; if you see something that doesn’t look right, notify the bank or owner of the machine, and go somewhere else to get your cash. More importantly, make sure you’re aware of your physical surroundings when you go to withdraw money, and whenever possible use cash machines in well-lit, open places. Most people probably have a better chance of being physically mugged while at the ATM than they do getting scammed by a skimmer. According to a January 2013 report by the U.S. State Department, this is especially true for foreigners in São Paulo, Brazil, where “express kidnappings” occur when criminals force their victims to extract their daily cash limit from an ATM machine.
Finally, although it would not have helped the victims of these fake Brazilian ATMs, using your hand to cover the PIN pad while you enter your digits is a great way to foil most skimmers, which tend to rely on hidden cameras as opposed to fake PIN pads or PIN pad overlays.
Fascinated by ATM skimmers? Check out my series on these fraud devices: All About Skimmers.