May 13, 2014

The United States Postal Inspection Service is investigating reports that fraudsters are installing skimming devices on automated stamp vending machines at Post Office locations across the United States, KrebsOnSecurity has learned.

USPS Automated Postal Center (APC) self-service stamp kiosk.

USPS Automated Postal Center (APC) self-service stamp kiosk.

Earlier this month, I began hearing from sources in the banking industry about fraudulent debit card activity on cards that were all recently used at self-service stamp vending machines at U.S. Post Offices in at least 13 states and the District of Columbia.

Asked about the activity, a spokesperson for the U.S. Postal Inspection Service confirmed that the agency has an open investigation into the matter, but declined to elaborate further beyond offering tips for consumers to help spot skimming devices that may be affixed to automated stamp vending machines at post office locations.

In an emailed response, the USPIS said it is urging USPS employees to visually inspect the Automated Postal Center (APC) machines multiple times during the day, and that it is asking customers to do the same.

“USPIS recommends customers who use the APC machine should personally visually inspect the machine prior to use,” the USPIS said. “Look for any type of plastic piece that looks like it has been slid over the actual credit card reader. Look for any other type of marking on the machine that looks as though it has been applied by a third-party.”

The USPIS is asking customers who see something that appears to be out of place on the machines to notify the local post office supervisor immediately.

The USPIS declined to answer additional questions about the investigation, such as when the fraud first began. But according to sources at two separate financial institutions whose customers have been impacted by the activity, the fraud began in late November 2013, and has been traced back to self-service stamp vending machines in Arizona, California, Colorado, Florida, Georgia, Kentucky, Massachusetts, Nebraska, New York, Oregon, Pennsylvania, Utah, Virginia, and Washington, D.C.

Banking sources said the fraud follows a fairly consistent pattern: The thieves are targeting debit card users and somehow stealing the PINs associated with the cards. Ostensibly, the fraudsters then fabricate new cards and make cash withdrawals at ATMs ranging from $500 to $800 per card.

Skimmers typically employ some type of device used to steal the data stored on the magnetic stripe on the back of the cards, as well as a hidden camera or PIN pad overlay to record the customer entering his or her PIN. It is not clear what type of skimming devices may be used in this fraud scheme, but the APC kiosks appear to be custom-made by Wincor-Nixdorf, a major ATM manufacturer. As such, many types of skimming devices sold in the cybercrime underground and made for Wincor ATMs may work just as well with this kiosk.

This fraud spree may be related to this news report from April 1 via Fox News affiliate KPTV out of Beaverton, Ore. (one of the banks I spoke with confirmed that the fraud they were seeing indeed traced back to APC kiosks in Beaverton). That story includes photographs of a man local police say was caught on camera withdrawing cash at ATMs using counterfeit cards stolen from Postal Service customers.

The U.S. Secret Service, which typically investigates skimming incidents and counterfeit card fraud, declined to comment for this story.

One way to protect yourself against this type of fraud is to use a credit card in lieu of a debit card whenever possible. With a credit card, your liability is maxed out at $50 in the case of fraudulent transactions. Things get more complicated with debit cards. Although many banks also will observe the $50 limit on debit card fraud, customers could be facing losses of up to $500 if they wait more than two business days after learning about the fraud to report it. Also, while your bank is straightening out the situation, any cash you may be missing could be held in limbo, and other checks you have drawn on the account may bounce in the meantime if the fraudsters manage to clean out your checking account.

In addition, it’s a good idea to cover the PIN pad when you’re entering your PIN. Doing so effectively prevents thieves from stealing your PIN in cases where a hidden camera is present.

For more on skimmers and how they work, check out my series All About Skimmers.


26 thoughts on “Postal Service: Beware Stamp Kiosk Skimmers

  1. Moike

    These postal machines are equipped with upward-facing cameras, which may be more successful at getting an recognizable face ID than standard ATM cameras. They just need to be able to also trigger them at any activity around the camera window or card swipe slot.

  2. TheOreganoRouter.onion.it

    You would think that the FBI and or Secret Service would be involved in something like this. Wouldn’t you not agree?

    1. BrianKrebs Post author

      Yeah, the US Secret Service declined to comment. Thanks for the reminder. I added that bit to the story.

    2. Shawn

      Absence of evidence is not evidence of absence.

      Declining to comment, does not inherently imply that they are not investigating it 🙂

  3. D

    That’s mighty ballsy to go inside a Federal building and mess with the ATM’s. I’m aware messing with any ATM is a federal offense but to walk inside a Post Office and install a skimmer is mighty mighty ballsy. I’m sure these folks will be caught. They picked one of the worst places to pull this kind of scam.

    1. EG

      Actually, not really. I think the last hack that happened to my card, the breach occurred at at one of these machines inside a PO. The machines are generally in the lobby area, where few people, including the PO employees ever go. Often their locations in the PO are completely isolated, making these machines perfect targets for installation of these skimmers. I’m never using one of them again–I’ll go to the counter.

      1. Shawn

        You can always order the pre-paid boxes and they’ll deliver them to your house (FREE), and then you can pay for postage from home, and schedule a pick-up. Never have to deal with the lines or the attitudes from the people at the counter either.

      2. Stratocaster

        Not only are the machines in the lobby area, but usually the lobbies are open 24×7 so customers can access their post office boxes. Not a lot of folks stopping by there at 2 AM to see skimmer evildoers.

        1. SeymourB

          Who needs employees when you have security cameras recording all entrances to the lobby and activity at the kiosk?

  4. Jeffrey Bates

    The Secret Service or FBI– may not be involved– because the Postal Service has it’s own investigative branch– the US Postal Inspection Service. They undergo training via the FBI academy, and investigate/enforce all manner of postal crime– theft/fraud of any kind.

  5. SK

    I’m always wondering why those machines (ATMs and such) don’t show the picture of the card reading slot/keypad on the screen. This way you would always know how it is supposed to look like, and not guess whether is it looks suspicious or not.

  6. Chris Grabowy

    For that matter how long before we find these skimmers on other related machines? Redbox anyone? Gas station pump? Vending machines are starting to accept CC/Debit cards…

    1. RNcine

      Gas Stations are already being hit . I filled up my tank and like any normal person used the debit keypad near the pump.
      Since I was leaving out of town in a couple of hrs. I logged on to my bank an saw $1,100 was missing. Called up bank and those skimmer idiots were still pulling money from my account. Did receive all my money back but it took 3 wks.
      The gas station told me they always check their pads for skimmers………ONCE A WEEK! I now always go inside and pay.
      Mr. Krebs has a great article on skimmers by the way.

  7. June Shannon

    had my gas cardz hacked too, but after a lengthy investigation by the MEGA-DERPS at conocophillips, they finally gave usin’s our monies back, then I canceled my 25 yr. acct with them. we don’t need their stinkin credit. i showed them, uh huh! i’ll show em awls yes i wills.

    lil ol me = Winner, winning – I Win
    ConocoPhillips = MEGAFAIL – they lose

    honey boo-boo’s mom

  8. Mack Krout

    Brian , the APC’s are now receiving ‘maintenance upgrades’ , which include more secure card-readers and pin pads

  9. Harry Johnston

    I’m just baffled that people buy enough stamps (in person, at the post office) to make vending machines economically viable in the first place. 🙂

  10. Kimery

    Happened to me at the Batavia, Illinois post office. Never would have dreamed that it would happen at the post office. $2.30 worth of postage and they tried to get $600.00 (8 $75.00 reloads to Starbucks cards) Luckily Starbucks worked with me and I got my $600.00 back… which by the way I didn’t have in my account to begin with. I guess it’s not safe to use a debit card anywhere. Cash or credit from now on!

  11. Robert

    Thought I would add that the need for visual inspection several times a day would suggest that the automated security isn’t up to snuff. Remember, this is an entity in financial distress, and the mentality at USPS would be about loss of stamps as much as repelling skimmer attempts.

    USPIS is the jurisdictional investigative body, but since we have crimes across state lines, the FBI is also likely involved.

    Go gettem’, guys…

  12. Jeff Mercer

    Yep, the USPS has it’s own Federal law-enforcement arm, the US Postal Inspectors Service. They are FBI trained, they have guns and they routinely work with other Fed law-enforcement on cases. Anything from mail bombings to death threats by mail, the whole Silk Road case and of course any sort of contraband sent by mail.

    And yep, all APC’s have cameras on them that point upwards to get a shot of the customer. Camera is activated when a purchase is made normally. But there’s also cameras in most USPS retail facilities aimed at public areas. So there’s a very good chance they can find shots of the individuals installing/removing the skimmers.

    Pretty stupid to target the APCs because in addition to all the usual charges the criminals can face, they also get to be charged with Federal crimes such as tampering with USPS equipment.

    As always, pay attention to what you’re doing in public and watch your bank statements. My wife had her wallet stolen last month, the good ol’ analog thieves are alive and well, 🙁

  13. Jackie

    Although this is a problem that could be avoided by the people using these machines being more careful, it is necessary for someone to step in and investigate (or if an investigation is already being done, to provide their customers with some information rather than withholding what they know). If there are banks that are linking the problems directly back to these machines, there is evidence that it is an issue and something should be done about it. Customers should not have to worry about dealing with these types of situations although it is obviously their responsibility to keep track of their bank statements and such.

  14. Cheryl J.

    Krebs, Debit cards are not the same as ATM cards in the banking world. While Regulation E caps fraud losses on transactions processed on the ATM network, cards with Visa or Mastercard logos are protected by their zero liability standard. Further, banks are also required to pay items up to the fraud amount, not assess fees for the items and pay interest (if it is an interest bearing account) on the fraud amount during the time the funds were not present in the account. Advising customers that they should use credit cards rather than debits because it is more safe is misleading and takes interchange fee income from the local finanacial instututions and gives it to the major credit card companies.

  15. Mike

    US Postal Inspectors carry as much weight as the Secret Service and FBI in investigating crimes. Anyone ballsy enough to go from the neighborhood 7-11 skimmers to the postal service will be quite surprised when the whole weight of the federal government law enforcement comes down on them.

    Mail fraud, and related mail crimes are all very clearly defined crimes with a pretty easy burden of proof, and the “victim” is not a bank that wants to keep it’s name out of the paper.

    Kiddie porn perps have been nailed on postal service charges when the true victims can’t or won’t testify (postal service prosecuted the largest number of kiddie porn cases before the internet made it too easy). Drug dealers, money launders, any sort of trafficker multiplies their tales of woe if they use the postal service in the commission of their crimes.

    “Making a federal case” out of something isn’t just a metaphor…

  16. Dwight Brown

    “The USPIS is asking customers who see something that appears to be out of place on the machines to notify the local post office supervisor immediately.”

    Based on my personal experience with my local post office, I’m sure the one clerk who is on duty will get right on that, after she finishes her coffee break and her lunch.

Comments are closed.