07
Jul 14

The Rise of Thin, Mini and Insert Skimmers

facebooktwittergoogle_plusredditpinterestlinkedinmail

Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here’s a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year.

According to a new report from the European ATM Security Team (EAST), a novel form of mini-skimmer was reported by one country. Pictured below is a device designed to capture the data stored on an ATM card’s magnetic stripe as the card is inserted into the machine. While most card skimmers are made to sit directly on top of the existing card slot, these newer mini-skimmers fit snugly inside the card reader throat, obscuring most of the device. This card skimmer was made to fit inside certain kinds of cash machines made by NCR.

An NCR mini-skimmer designed to slip inside of ATM's card acceptance slot. Image: EAST.

A mini-skimmer designed to slip inside of an NCR ATM’s card acceptance slot. Image: EAST.

“New versions of insert skimmers (skimmers placed inside the card reader throat) are getting harder to detect,” the EAST report concludes.

The miniaturized insert skimmer above was used in tandem with a tiny spy camera to record each customer’s PIN. The image on the left shows the hidden camera situated just to the left of the large square battery; the photo on the right shows the false ATM fascia that obscures the hidden camera as it was found attached to the compromised ATM (notice the tiny pinhole at the top left edge of the device).

The hidden camera used in tandem with the insert skimmer. Source: EAST.

The hidden camera used in tandem with the insert skimmer. Source: EAST.

EAST notes that the same country which reported discovering the skimmer devices above also found an ATM that was compromised by a new type of translucent insert skimmer, pictured below.

A translucent mini-skimmer made to sit (mostly) inside of an ATM's card acceptance slot. Source: EAST.

A translucent mini-skimmer made to sit (mostly) inside of an ATM’s card acceptance slot. Source: EAST.

Though not insert skimmers, the devices pictured below — removed from ATMs in Europe this year — also come with a slim profile. I have seen various models of the card skimmer pictured below, devices that are generally made and sold to compromise Wincor/Nixdorf brand ATMs.

The card skimmer (left) and the hidden camera, disguised as a panel above the PIN pad. Images: EAST.

The card skimmer (left) and the hidden camera, disguised as a panel above the PIN pad. Images: EAST.

The device pictured below is a slender skimmer powered by what looks like either a cannibalized MP3 player or mobile phone. Mobile-powered skimmers allow thieves to have the stolen card data relayed via text message, meaning they never need to return to the scene of the crime once the skimmer is in place. MP3-based skimmers capture card data as audio waves that specialized software can later convert into card data.

This wafer-thin overlay skimmer includes a high-quality finish.

This wafer-thin overlay skimmer includes a high-quality finish. Photo: EAST

As the EAST report notes, ATM skimmers are still a problem in Europe, even though virtually all cash machines there only accept cards that include so-called “chip & PIN” technology. Chip & PIN, often called EMV (short for Eurocard, MasterCard and Visa), is designed to make cards far more expensive and complicated for thieves to duplicate.

Unfortunately, the United States is the last of the G-20 nations that has yet to transition to chip & PIN, which means most ATM cards issued in Europe have a magnetic stripe on them for backwards compatibility when customers travel to this country. Naturally, ATM hackers in Europe will ship the stolen card data over to thieves here in the U.S., who then can encode the stolen card data onto fresh (chipless) cards and pull cash out of the machines here and in Latin America.

“In countries where the ATM EMV rollout has been completed most losses have migrated away from Europe and are mainly seen in the USA, Asia-Pacific, and Latin America,” the EAST report notes. “From the perspective of European card issuers the Asia-Pacific region seems to be eclipsing Latin America for such losses.”

One of the simplest ways to protect yourself from ATM skimmers is to cover the PIN pad when you enter your digits. Still, you’d be surprised at how few ATM users actually take this simple but effective precaution.

If you liked this story, check out the rest of my series on ATM skimmers.

Tags: , , , , , ,

69 comments

  1. South East Asia there’s a big problem with this. The skimmers target holiday makers. Especially on islands where there’s often only one or two ATMs. Because people don’t check their account balances that often, they can clone cards, withdraw cash before the account owner knows. Bank have little sympathy as they say the card was used to make withdrawals from the same ATM. I know quite a few backpackers/those on gap year break who’ve gotten fleeced thousands.

    It’s very hard to avoid. I try to use over the counter withdrawals where I can. And ATMs inside bank branches (so there’s video security & in my head a less likely target).

    • Actually it is pretty easy to avoid. Some European banks (e.g. the Dutch) simply started blocking all ATM transactions on their cards originating from outside Europe.

      This means shipping skimmed data abroad has no effect, as it cannot be used outside Europe and inside Europe ATM’s won’t use or accept the magnetic card.

      Of course customers can request this blockage to be removed, permanently or just for the duration of a trip. But most customers never travel outside Europe, and if they do credit cards are generally an safer alternative.

      This simple thing has dramatically reduced skim-fraud in those countries.

      • that’s pretty lousy solution, so what you recommend people going for vacation to Thailand? travel with tons of cash and lose money on exchange fees?

        withdrawing money from ATM is still most economical way how to get to your money on vacation, but yes you must be careful about ATM, preferably inside bank but as was said you don’t have many options on islands

        this “solution” reminds me like when websites refuse to load content for me because I surf from Chinese IP address because boohoo, all of us residing in China are spammers and bots judging by some clever admins

        btw. chip and pin is not problem just with US, good luck serving Chinese customers, even if they won’t use Unionpay (biggest payment system in world, bigger than small Visa and Mastercard) and apply for Chinese Visa/MC there is big chance card will come without pin

        • Not lousy, as like I said, a simple call or web click will enable it for a trip. Not unlike the call you make to your credit card company when you go abroad …

        • Through my online bank account, indicate my trip (where I’m going and when) so my bank knows if a transaction happens in that country listed during that time, high are the possibilites that the transaction is legitimate.

      • Seems enough enough to get around that. Just use a proxy that gives you an IP address in the country the card originates from and have a grand ol’ time shopping online.

        Then again, I guess most scammers are relatively lazy and there are so many countries and banks that do not make it so easy that they just focus on them instead.

  2. there more serious issues in other countries.CCTV camera point to the keypad.You can sniff problem….insiders can do the nasty side.

  3. for some reason, Gmail decided that this emailed security bulletin from Krebs was spam…

    then again, they send all my eBay and banking emails to spam too, even after telling them otherwise about 500 times… :-(

    • create filter

      • The problem is partially fixed by creating a filter, but because Gmail is trained by other people who are marking good messages as spam instead of hitting the unsub button distorting the filters used by Gmail etc and making good emails appear as spam to others. Yes create a rule but it’s helpful to mark good messages as not spam every time you get the chance.

        Other issues arise when people using the same IP block as the source email (or email distributor) are using it to spam others, making all users of the same IP block to be marked as bad. This has happened to me a few times. Not easy to fix when you are being blacklisted by many different anti-spam groups.

  4. And I still say that the Banks are to blame!
    They try to train the CUSTOMERS to detect the skimmers, but customers have almost no chance to do so.
    One huge problem is the Design of the ATM. Banks seem to try to outdo the others by deploying ATMs that look different. How shall a customer know if some attachment is there from the bank or from a thieve! Because there are so many different design, the customer has no baseline to compare to.

    It’s as if the dollar bills would be hand painted by classes of second graders every single one made individually. How should people detect counterfeit money than? Would be ridiculous, wouldn’t it?

    But it’s exactly the situation with ATMs. The Bank expects the customer to detect changes on something that the customer has no way of knowing how it should look in the first place!

    But as long as the banks can blame the losses to the customers, they won’t change anything. Despite the fact, that they could install systems on the ATM to detect if something has changed.

    • Of course they are, why do you think ATMs exist in the first place? To save the $9/hr they would be paying a 20 year old to man the teller window.

      • guarantee you that most of the $9.hr employees can’t make or count change.. so we’re better off !

        • Well when $9/hr means they aren’t eating good food, can’t afford college, and are probably driving an unsafe vehicle then you might be right, but its lose/lose either way for the customers. Until banks foot more of the costs and have some real skin in the game this will keep on being a problem no matter what changes we make to the cards… They’re the critical point that allows and writes the fraud off as an acceptable cost of doing business.

    • +1
      Banks are permitted write-offs of the losses.
      Then they pass any overage to the customer.
      The Banks have the lawyers on their side, along with any politicians to pass bills to protect their “interest” (pun).

      Cease the write-offs and you watch how banking evolves (or dies).

      And thanks Brian. Once again, I am paranoid at the ATM machine… (peers at anyone around…pulls at interface, looks for any thing suspicious…)

      BTW, there is a CU I bank at…they have an outside ATM, no walls, no protection… You could park across the lot and with a zoom lense, record PINs…and info. Then there is the weather…
      Who thought of that one!

      • “Banks are permitted write-offs of the losses.”

        LOL!!! You CRACKED me up with that comment!

        You are permitted to write off your gambling losses too. Does that mean that you want to run out and loose money??? Doubt it.

        Banks would rather not to have these losses in the first place.

    • Marco, In the U.S., more than half of the ATMs are not owned by the banks but by non-financial companies so rant all you want about the evil banks. Maybe you should invent that device that will automatically detect when something has been put on the ATM that is not authorized and then you can make your millions and save the world.

    • Don’t go blaming the banks. When we need an ATM, we call up the companies that manufacturer them (we don’t build them ourselves) and ask what they got to sell us.

      Call up NCR, Diebold, or the other ATM manufacturers and tell them to design and build an ATM that some crook can not attach a specifically designed for that model ATM skimmer to the front of it that looks like it should / could be there, and it does not interface with the ATM in any way.

      Maybe the ATMs should be installed on a scale so that if any extra equipment is installed, the extra weight will trigger an alarm. Oh, but then any deposit would cause the alarm to go off too.

  5. In Finland, most, if not all ATMs have two readers: One for EMV cards and a separate one for cards that only have a magstripe.

    The chip card slot only takes that card in as far as it needs to read the chip, so I doubt (though not sure), that it would be impossible to read data from that little bit of magstripe that ends up inside the reader.

    This of course does not prevent people from sticking chipcards into the magstripe reader slot, though I seem to remember that ATM will tell you to put it in the other slot instead if you make that mistake.

    • The skimmer could just extend the chip slot far enough to catch the full stripe.

      • Captain Obvious

        You would hope that an extra 2″ of card reader sticking out from the machine on the chip side would be a red flag to even the most obtuse consumer…

        • Not really if any effort is put into designing said device. It’ll just seem like the reader sticks out a tiny bit, which no real users will question.

          • Also the speed and direction in which it is pulled maters.

            I’ve seen POS readers in some European trainstations which had very solid metal card-entry points (as in cannot break/replace), which first sideways move the card into their metal slot, and then very very slowly move inward. Only when completly inside it would actually read the magentic strip.

            Perhaps not impossible to counter, but makes it very hard to just insert or attach a second device.

            • Now that’s a very good idea.

              Always amazes me how many of these vendors leave vulnerabilities a mile wide in various sort of card-reading devices.

              The one that killed me was how certain popular gasoline pump manufacturers “security” consists of a keyed lock that uses the exact same key for every single pump that they make. [facepalm]

              Here in California when electronic voting machines were tested a few years ago at least one vendor was found to have the same sort of “security” – in this case a “lock” of the sort usually found on cheap office furniture – which of course all use essentially the same simple key…

  6. Thanks to mobile apps & PayPass (also known as Pay Wave and a buncha other names) I actually almost never find myself inserting my card into any sort of machine these days. Good thing too apparently.

    • Reading from a distance would actually be easier that trying to read the stripe, wouldn’t be surprised to see some 2 way skimmers that do that if it catches on more.

    • Hehehe. Yeah, we know how secure mobile apps are. :D

      And people never lose their smartphones, of course. :D :D

      And people never forget to use a lock password or the encryption functions on the smartphone. :D :D :D

      And OS’s never fail to actually keep the data security when they tell you they are. :D :D :D :D

  7. TheOreganoRouter.onion.it

    It would be nice if we could see the PC board in closer detail to see the individual integrated circuits part numbers .

    By looking at the chip part numbers, you can cross reference online to see what the functionality of what each one does to better understand the over all board circuitry of how it works.

    • … or it could give away more secrets about how to build them. My guess is they are obscured for this reason.

      • TheOreganoRouter.onion.it

        I would imagine the board processor and axillary chips are stock items, not custom S.O.C . surface mount parts like for example what you would find in high definition flat screen television or cell phones . Nothing real much to hide if you can buy the parts off the shelf.

        • Some use mobile phone parts, but the price of fabrication of a custom chip is getting so cheap that they can, and do make them to order. After all, they have the cash (your cash), to pay for the tech.

          • You can buy inexpensive programmable chips, testing boards, and Programmable Logic Controllers (PLCs) and other items these days. PLC programs are typically written in a special application on a personal computer, then downloaded over a network to the PLC. The program is stored in the PLC either in RAM or some other non-volatile flash memory. It has been a long time since I played around with embedded hardware design. Many electronic boards contain programmable devices due to requirements to modify circuit functionality. Other times programmable logic is used to determine end functionality. Once determined, non-programmable chips can be used.

  8. ” This card skimmer was made to fit inside certain kinds of cash machines made by NCR. ”
    “I have seen various models of the card skimmer pictured below, devices that are generally made and sold to compromise Wincor/Nixdorf brand ATMs.”
    Could pictures of the NCR and Wincor/Nixdorf ATMs involved please be posted so that the readers will know which ATMs to avoid? If not pictures, could some unique, visible feature be described which would help the user to avoid the ATMs?

  9. Its clear that better ATM slots have to bee used since the current one’s are so easily compromised. For commercial bank customers to safeguard their accounts they issue token devices which along with the account number issue a one-time use four digit number that allows bank account access. Something along these lines should be developed for public bank use. If implemented skimming the account or even the token number since its one-time use would be useless. The device is a small fob type unit which could be attached to a key-chain and runs off a small battery which every time you press the button displays a new four digit number tied to your identity. I got mine from Citibank and used it for years to access my business account.

    • You’re thinking about RSA SecurID tokens (or the like). They have been compromised in the past as well.

      • I suppose that one can say that you don’t need to outrun the bear – you just need to outrun the other campers. Meaning that as long as magnetic stripe is prevalent, the crooks aren’t going to spend much effort on anything more advanced.

    • Well since I assume you are in the USA because you are using Citibank:

      The main issue here isn’t forcing people to jump through burning hoops of flame (ie 2-factor/OTP keyfobs that you have to carry everywhere just to make simple ATM transactions), it is greedy US banks and retailers who willfully prevent citizens from being protected by proven card security technology (ie chip/pin cards), because they don’t want to make the capital investment necessary to deploy them, because it cuts into their profit margin.

      Thus the report’s observation that the miscreants often use US-based money-mules because they can easily steal from ATMs using cloned cards, comes as no surprise, sadly.

  10. Erik Carlseen

    One would think that a cheap optical sensing system inside of the card slot would be able to detect something put into it (can see cards coming in and going out, and also unauthorized devices). Not exactly rocket science these days.

  11. I went back to the gas station(Hess in Florida) after $1,100 was slowly being taken out of my account. They told me it couldn’t be them because they check their outside pads for skimmers ONCE A WEEK. Ok to my calulations, there is 24/7 hrs /days to a week. I was lucky, I was leaving out of town in a couple of hours,filled up my car, went home to do online banking and caught it right away. Called my bank and drove so fast over to them. The manager was catching the theft still going on as I was walking in and closed my account down. Had to get a new card,new pin and wait a month to get my money returned. Never ever use ATM machines outdoors, if you do, cover the pad with your hands and body. You might look like an idiot but better to have your hard earned money used by you and not the idiots that steal from you.

  12. I have covered the number pad with whatever I’m carrying (usually an envelope, bu sometimes just my bare hand) when I enter my pin for years. it’s such a simple solution. Thanks for reminding us that security is sometimes just a matter of learning a new and simple habit.

  13. Any movement towards pins that are longer than four digits?

  14. in addition to covering the keypad, would it be a good idea for the atm manufacturers to turn OFF the sounds as the keypad buttons are pressed?

    If you aren’t sure where the hidden camera is, you might be obscuring the pin as you press it, or you might only be partially blocking the camera’s view.

    if there were no beeps every time you hit a key, then you could cover the keypad, fake press a number or two before pressing OK. That would then be harder for thieves to see the correct pin.

    Perhaps a picture of what the ATM is supposed to look like on the ATM screen itself before prompting for the pin?

    Or an option to send a text message to the phone number you (pre?) specify, then a one time / 5 minute pin is issued? Or perhaps a qr code is issued and then the atm reads the qr code from the phone?

    just random ideas…

    • They could make an alternate picture part of the overlay, or try to malware alter the picture if its on screen, or even just encase the whole thing like the one with the laptop monitor built in…

      It almost has to be separate from the ATM altogether, and still could be messed with if people know the area/know how it is usually placed.

  15. David in Toronto

    I have a tendency to “vigorously” inspect ATMs before I use them. Especially unfamiliar ones. Running fingernails along the slot, attempting to pull various bits, including the front, off the machine. Looking for extra stuff like boxes of leaflets around the machine. Security guards have questioned me on it before. And while I honestly didn’t expect to find anything because this should be a rare thing, I once pulled off a secondary reader and promptly called the bank. An interesting surprise to say the least.

    • I do the exact same thing. Pulling suspicious parts to ensure its legitimacy. Then, covering an area larger than the keypad with an enveloppe while typing my PIN and faking some movements. I type with all my fingers, so quite hard to predict which key I typed.

  16. Covering the pin pad is not as effective as you’re made to believe. Instead of a camera, fake button overlays can be used.

    • It is very effective. PIN capture devices that rely on overlays are much more expensive than hidden cameras, and in my experience they are far, far less common.

      • Agreed Brian, I just mean it is not fool proof but I’m not suggesting against it. In fact I ALWAYS cover my hand when using one. Just don’t let doing so make you feel protected. (If you get time, respond to my email :) )

  17. I try to use only a cash machine that is located inside the cafeteria at Intel Corp, where I work. I have never seen any sign of tampering on those machines.

    You have to get past security to get to the cafeteria, and if you are an Intel employee and you try to tamper with the machine and you are caught, then you would be fired *very* fast!

    For purchases at ‘risky’ merchants, I use my credit card or cash.

    When I worked at Boeing, they had a similar cash machine inside the cafeteria, which is inside security.

    May I suggest that you please look at where you work and see if there is a cash machine inside, off the street.

    Thank you

    Mark Allyn

  18. Thomas Henden

    I don’t understand how the skimmers are able to make such accurate fake fronts in the ATMs. It’s like they have access to the drawings of the front or something, i doubt that it would be so easy to take measurements of an actual ATM, and they vary in design, too.

    Every colour, every nuance and choice of material must be good, there can be no inaccuracy or glitches, or at least the more observant customers would notice that something is wrong and alert the bank. Best thing for the skimmers would be if they manage to skim cards for some period, then recover their device and thus the evidence, too.

    Lucky thing they are not always as clever as they could have been.

    • We are long past the days when cybercrooks were kids or here today/gone-tomorrow lone-wolves.

      Cybercrime is now a key pillar of organized crime worldwide, and can be an extremely lucrative “business”.

      So it would not surprise me for a minute that some of these organizations may have connections where they just purchase ATM machines themselves to reverse-engineer or have insiders at companies that work with ATM machines and gain access that way.

    • David in Toronto

      This has been going on for a long time. I attended a presentation by LE in 2007 about an incident that showed exactly how professional these operations were. They were prepared, capable, well planned, managed, and their operations were aware of bank and network anti-fraud practices and were tuned to minimize risk, maximize gain from their investment.

      A small group of criminals had a handful of false fronts for a specific ATM model used by several banks. They hit drive up/through outdoor ATMs. The install reportedly was about 90 seconds and the operational life about half a week.

      The fronts were so good they were almost not caught. The armored car cashing service thought the ATM looked a bit odd and called bank security. The bank people on visual inspection didn’t notice at first. It required close physical inspection to catch it. After this lucky break, some forensics and good old fashioned police work got a detailed warrant.

      The ensuing raid found the criminals were hitting ATM locations and machines of bank A as long as they thought it safe. Compromised cards (mag stripe and pin) were produced and then hit in groups by issuing bank. Then fronts were then re-purposed to switching to banks B, C, etc. The raid netted detailed maps, plans, projections, and records. ATMs and Issuers were being hit in order of expected maximum gain.

      The presenter joked that about the only thing they didn’t find was a cost benefit analysis.

  19. What happens if I stay in Europe and just use a big permanent magnet to erase the magnetic strip?

    • I think you will find that the magnetic coercivity on card magstripes is such that it would take a lot more than a common permanent magnet to reliably degauss them.

      Back in the days when audiotape was popular, I discovered that high-quality metal-particle audio tape was almost impossible to degauss with standard degaussing equipment. You needed special very high powered equipment to accomplish it.

  20. First of all I love this site. I live in the Philippines and I make a it point to always go to the bank and withdraw a large amount of cash to carry out any purchase. I had a friend who had his card skimmed in Manila and his account was cleaned out within 24 hours. I travel a lot to Asian countries and have learned to use cash everywhere in ASIAN countries.

  21. I’m sorry, but covering the pad with your hand while typing in your PIN is not really helping if the criminal has put a thin second layer on the keypad that serves as a keylogger. I’ve been victim of such an attack and you just don’t see the difference. The keypads match the originals 1 to 1 and even have scratches on them for authenticity, so to detect those you have to properly check the whole ATM. Good luck with that. Sadly the only thing that keeps you secure is not using any form of electronic cash card.

  22. I read about a Case where The criminals use a thermo cam to detect The Heat After a hand coverd Pin Input.

    So just cover entering of The Pin won’t do.

  23. I believe the case you’re referring to was an academic study, not a real-life attack

    http://www.nbcnews.com/id/44178369/ns/technology_and_science-security/t/thermal-cameras-can-steal-atm-pins/

    Pay no attention to the naysayers; covering the PIN pad with your hand takes almost no extra effort, costs nothing, and protects you from most skimmers.

  24. My grandparents wouldn’t wear seatbelts because a California highway trooper told them in 1961 that he narrowly escaped being buried in his car when an avalanche occurred, because he didn’t have his seatbelt buckled.

    I’ll give you one guess as to how my grandfather met his end. Hint: it wasn’t an avalanche.

    Just cover the pad with your hand.

  25. A lot of skimmers in the US are in bank branches that require you to use a card to unlock the door. I always use a different card to open the door than i use at the ATM.

  26. Why not just use a fingerprint biometric sensor in place of a PIN. There is no better way to validate that the individual at the ATM is the person they claim to be. No need to enter a PIN renders these attacks useless.

    • Though it may make the ATM and card use more secure, what if the crooks, like mentioned above simply do the heat sensitivity thing and capture a fingerprint instead of a PIN? Or they violate the biometric device and capture all fingerprints.

      Nothing is fool proof. Use of ATMs are risky only for the customers. The ATMs typically charge a fee for their use, which is sort of like you paying their insurance plan in case an ATM is hacked somewhere. Recouping some of the cash stolen via ATM fees lessens the blow of the loss that the bank may eat.

      Is a Proximity card that has a 4-6 digit PIN any better? Pass the card near the sensor, look at the one time PIN associated with the card and then type it in and hit an enter key.

      • Not all biometric sensors would be the right choice in this environment. In an unattended ATM setting banks need to choose sensors that include liveness detection to prevent fake fingers made of latex, glue or other materials and to ensure that a live person with real human tissue has presented their finger on the sensor. Additionally, banks should ensure that the sensor uses a crypto boundary that prevents tampering with the device, brute force attacks or man-in-the-middle attacks.

        I don’t believe that your suggestion to use a Proximity card has much merit. The card needs to be high frequency to provide both read and write capabilities and would need some secure element to ensure that it is not a cloned card. At each transaction, the card would need to send and receive a new secure OTP as well. This could be a pricey card if a new card needs to be issued to each bank customer.

        From the user’s perspective, now they need two cards (one in the machine, and another for the OTP)? or just one new expensive card?

        While I’m a huge believer in two-factor authentication, I personally prefer to use one factor that I can’t forget at home and that doesn’t cost me a dime.

Leave a comment