August 21, 2014

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.


“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”

Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):


The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.

[Image: front side of the insert skimmer.]

Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.

For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdraw cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.

This angle shows the thinness of this insert skimmer a bit better.


According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries with a total deployment of more than 640,000 cash machines, European financial institutions are increasingly moving to “geo-blocking” on their issued cards. In essence, more European banks are beginning to block the usage of cards outside of designated EMV chip liability shift areas.

“Fraud counter-measures such as Geo-blocking and fraud detection continue to improve,” EAST observed in a report produced earlier this year. “In twelve of the reporting countries (two of them major ATM deployers) one or more card issuers have now introduced some form of Geo-blocking.”

Source: European ATM Security Team (EAST).


As this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.

Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.


88 thoughts on “Stealthy, Razor Thin ATM Insert Skimmers”

  1. Eric

    3rd pic looks like a thumb print between the battery and the red circle.

      1. Tom

        So Eric has basically cracked this case wide open! Well done Eric.

  2. Canuck

    America’s reluctance to adopt chip and pin reminds me of their reluctance to adopt the metric system. Just always have to be different eh?

    1. khigh

      Here in the USA, Chase sent me a chip and _signature_ card last week. Maybe they’ll add the PIN later; at least the chip part is catching on.

      Agreed, the metric system is superior. But are you from Canada? If so, is it true that Canada still measures land in acres instead of hectares, because the conversion effort would be monumental? Sometimes being “not different” just isn’t worth it.

      Or: How do Canadians feel about American-style spelling? Color vs colour, center vs centre…

      Cultural traditions can be fascinating.

      1. Sasparilla

        It remains to be seen regarding the PIN part of Chip and PIN for the U.S. From what I understood, at least originally the banks in the U.S. weren’t going to do the PIN part as it would be cheaper (really).

        To think these yahoos that gave us this system we’re watching collapse in insecurity about us, ’cause it was cheaper than making things more secure – to think they’ll learn their lesson and integrate the PIN part of Chip and PIN may be a long shot.

        1. Robert.Walter

          I don’t know how it affects functionality, or if it incorporates unactivated PIN tech in a more compact chip design, but the chip+sign style chip is about 3/4 the vertical size of the chip+pin style chip, and has like only 6 elements instead of 8.

          I just received a chipped AMEX card and it has chip+sign (sigh) … I was hoping scraps of paper with my initials on them floating around would be a thing of the past… (I’m really hoping Apple comes with a universal payment system, that dispenses with plastic, that still allows me to get Amex loyalty points, with the iPhone 6).

          1. Christoph

            Robert Walter, how many contact fields you see on the card surface is just indicative of the chip type the bank used, not whether it is chip+PIN or chip+signature.

            Also, banks might take into consideration consumers’ habit of signing for credit and be reluctant to switch to “PIN first”. But there may still be a “PIN preferred” CVM list in the chip which could be activated at a later time in the card’s life.

      2. Robert.Walter

        … fascinating but not relevant here or worth comparing and defending.

        Using a practical exception to impugn a larger better system, in this case, can only serve to make one feel good while embracing obsolete concepts rather than adopting the superior system.

        In the case of chip+pin, Europe had to move to it because increasing fraud forced the change… Until recently that level of intolerable fraud had not been reached in the USA. To change the entire infrastructure for a minimal problem would have driven capex not in line with the savings from better security. But since chip+pin was effective in Europe, the black hats started exploiting the USA’s antiquated tech, and the ballooning problem has led to a chip solution (the lesser secure chip+sig not chip+pin) to be in place nationwide by Oct 2015 (this being sped up, by the Target breach, at least as far as card issuances are concerned.)

      3. David in Toronto

        Most Canadians are unit tolerant. Many products list both. Many people in my age bracket switch seamlessly between imperial/metric. Seniors tend to stick to imperial and young adults more metric.

        Land is officially recorded in hectares going forward. Imperial is still often used informally too, as it’s far easier to talk about 1 quarter (sq. mile), or 160 acres than 64.7497 hectares. And some things just don’t have the same cachet like stating windchill in watts per square meter.

        On spelling there are still folks that find the US spellings vulgar. Me, meh, I can empathise or empathize. Although some different words seem to get spelled more frequently in the US way and others in the British way. In the end the spellcheckers will subvert us all.

        1. Alex

          I’ve not found anyone in my 30s age bracket that measures humans in meters. It’s all feet. Also try going to Home Depot and get any kind of home improvement done in metric. Actually I’ve not found anybody using metric for anything but long distances and even then most people even measure that in hours considering the speed limit is 100km/h here.

      4. Tsmith

        As far as your question about the metric system in Canada, it pretty much comes down to people tend to use imperial in daily life, but organizations and the government use metric.

        A couple examples: Milk and other beverages are bought in L/mL, but cooking measurements are usually cups, oz, lbs, tbsp., tsp, etc. Most products, such as canned goods, will have both metric and imperial for this reason. All roads are obviously in kilometers, but for common distances, such as measuring in a woodshop, it’s all inches and feet.

        As far as spelling, it seems to be kind of 50/50, depending on the person. A lot of people use American spelling, simply because all the spell checkers are set to that by default.

      1. Angry Thinker

        This is a reply to Canuck’s comment above.

    2. EJ

      We’re all about money, not what makes sense. Unless that, too, is money, then we’re all set. Short-sightedness is the national pastime.

    3. Andy

      A pint of beer
      A mile a minute
      4th and inches

      Some things don’t translate well and never will.

  3. Ronm

    I see more and more better changes for the NFC technic to obsolete the current magnetic readers and the card reader technic, currently in favor in Europe…

    Maybe the states should skip the current card reader technic and adopt NFC for all payment purposes. It’s not a technical but a managerial challenge. The states seem to lack the ability to commit and roll out state-wide solutions if it has nothing to do with terrorism…

    Disturbing the trust in a financial system of a state is a terrorist act, to me… Experiencing the behaviour of certain Bank CEOs it’s merely a game of profit…

    I think it will ever be the latter…

    1. Carl Hage

      NFC is even worse than a mag stripe and should be banned without some sort of challenge-response encryption/signature. The simplistic bank card NFC tag ID can be skimmed without contact with a cell phone– no fancy equipment required.

      I used to have a chip on my card, but the bank abandoned that and now replaced it with the highly insecure NFC. The EMV chips can be insecure as well, but at least with a chip it needs to be inserted into a machine.

      Brian, is there any known skimming via NFC? (Other than demos by people using their own cards.)

      1. Robert.Walter

        Is there any guidance how one disables the NFC RF chip? Does it take drilling through the RF chip, or cutting a slice out of the card to deactivate the antenna?

        Where to drill? What dia?

        1. jim

          Guys, it’s easier to disable. No need for a screwdriver. Just grab your tin-foil, left over from making hats. Wrap it up in any form of Faraday cage you want. I just remember that in one of the makers it was demonstrated, and broke the next day. Safer, no. There’s an app that scans NFC communications frequencies, looking for “friends with similar tastes”; how is that secure? And it’s also in Apple’s apps, seeds?

          1. JSG

            Faraday cages aren’t nearly as simple as that – they have to be engineered for the right frequency, and grounded.

            If you don’t want to ever use the NFC chip in a card, put it in the microwave for about 2 seconds.

  4. Kirk

    Is it not cost effective for a bluetooth-detection peripheral to be installed at ATM machines for an early warning about these devices signaling?

    1. Eric

      How would you tell the difference between a skimmer and someone with a cellphone in their pocket?

      1. Greybeard

        Persistence? As in, “The same Bluetooth MAC has been visible for more than 15 minutes” (and yes, it would have to be clever, keeping a list, so that as customers came and went and it “saw” their Bluetooth it wouldn’t forget the skimmer’s, and if the skimmer was smart enough to shut down periodically, it would say “I saw the same one way too often”, and the like).

        Nice idea, actually; might be a transient solution–someone will come up with MAC spoofing or something–but it seems like it would find some percentage. The question, as ever, is “How to implement?” ATMs don’t have Bluetooth capabilities now (I don’t think), so this is an investment the banks would have to make, weighed against the likelihood that the “fix” becomes obsolete quickly…

        A similar approach could be taken in general, to include cellular ESNs (and I suppose the branch employees’ cells would have to be registered with the reporting service, so they didn’t cause false positives), Wi-Fi, and so forth. But then a cheap frequency-hopping spread-spectrum chip will come along…

        1. SeymourB

          15 minutes is probably too short of a time. I’ve sat behind people doing god knows what at the drive-through ATM for at least 30 minutes before. Rummaging around in their car (probably looking for their card), ejecting and re-inserting the card several times while they try to remember what their PIN is, discover that cancel isn’t the same thing as enter, etc.

    2. Anon

      What makes you think skimmers use bluetooth? It’s certainly not a requirement.
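
Added example (not part of the original post or of any comment): the persistence heuristic Greybeard describes in the thread above, written as Python over constructed scanner sightings, with the dwell limit left configurable because of SeymourB's 30-minute objection. The addresses, polling interval, thresholds and function names are assumptions, and the check only sees devices that actually transmit over Bluetooth.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ts: int    # seconds since the scanner started
    addr: str  # Bluetooth device address reported by the scanner


def sessions(times, gap):
    """Group sorted timestamps into (start, end) sessions.

    A silence longer than `gap` seconds ends the current session."""
    out = []
    start = prev = times[0]
    for t in times[1:]:
        if t - prev > gap:
            out.append((start, prev))
            start = t
        prev = t
    out.append((start, prev))
    return out


def flag_persistent(sightings, allowlist=frozenset(), dwell_limit=30 * 60,
                    gap=120, max_sessions=4, window=24 * 3600):
    """Return {addr: reason} for addresses that linger or keep coming back.

    "continuous": one unbroken session lasted at least `dwell_limit` seconds.
    "recurring":  at least `max_sessions` separate sessions started within
                  `window` seconds (a device that powers down between bursts).
    Addresses in `allowlist` (registered staff phones) are ignored.
    """
    by_addr = defaultdict(list)
    for s in sightings:
        if s.addr not in allowlist:
            by_addr[s.addr].append(s.ts)

    alerts = {}
    for addr, times in by_addr.items():
        runs = sessions(sorted(times), gap)
        if max(end - start for start, end in runs) >= dwell_limit:
            alerts[addr] = "continuous"
            continue
        starts = [start for start, _ in runs]
        for i, first in enumerate(starts):
            in_window = sum(1 for t in starts[i:] if t - first <= window)
            if in_window >= max_sessions:
                alerts[addr] = "recurring"
                break
    return alerts


def every(addr, start, stop, step=60):
    """Constructed input: one sighting per scanner poll from start to stop."""
    return [Sighting(t, addr) for t in range(start, stop + 1, step)]


# Constructed sample data; all addresses are made up.
WALK_UP = "AA:AA:AA:00:00:01"     # customer at the machine for 3 minutes
SLOW_CAR = "AA:AA:AA:00:00:02"    # drive-through customer taking 25 minutes
ALWAYS_ON = "AA:AA:AA:00:00:03"   # in range for two hours straight
DUTY_CYCLE = "AA:AA:AA:00:00:04"  # on for 5 minutes at the top of each hour
STAFF = "AA:AA:AA:00:00:05"       # registered branch employee phone

SAMPLE = (
    every(WALK_UP, 0, 180)
    + every(SLOW_CAR, 600, 2100)
    + every(ALWAYS_ON, 0, 7200)
    + [s for h in range(6) for s in every(DUTY_CYCLE, h * 3600, h * 3600 + 300)]
    + every(STAFF, 0, 7200)
)

if __name__ == "__main__":
    for limit in (15 * 60, 30 * 60):
        found = flag_persistent(SAMPLE, allowlist={STAFF}, dwell_limit=limit)
        print(f"dwell limit {limit // 60} min -> {found}")
```

With a 15-minute limit the slow drive-through customer is flagged alongside the two suspicious devices; at 30 minutes only the always-on and duty-cycled addresses remain.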

  5. Bill

    I’m with you, Brian. I find this stuff fascinating. The effort and ingenuity put into this, though misguided, is impressive.

  6. Eric

    It surprises me a bit that these ATM machines have the full dip slot like what we have and not a shallower EMV slot like one would use for a credit card transaction. With the shallower slot, one doesn’t insert the card all the way, which eliminates the possibility of the entire magstripe being cloned.

    But I suppose they are worried about the American tourist.

    1. Security Guy

      One could argue that nothing would speed the adoption of Chip/PIN in the US faster than if it became common knowledge that US-based credit cards were unusable in, well, everywhere else.

      If you did any amount of travelling outside of the US you’d demand that your bank provide a chip/PIN card fairly soon in these circumstances.

    2. Greybeard

      Some/most/all ATMs will eat the card if it’s marked as stolen or whatever. Can’t do that with a dip slot. Doesn’t make your suggestion dumb, just sayin’ that’s perhaps why ATMs have full slots.

      1. Security Guy

        ATMs have full slots because you need the entire mag stripe the full length of the card.

        If the primary goal is to prevent a fraudulent card from being used that can easily be done at the host end by just flagging the card as fraudulent. It would never be usable after that. Confiscating the card is not necessary.

        1. Greybeard

          Shouldn’t need to confiscate in theory, but the banks want to, I’m told. It’s also to minimize leaving the ATM while “unlocked”, i.e., while someone else can walk up, see that you’ve done so, and do a cash withdrawal. Yes, you can still do this but only by also leaving the card happens all the time I’m sure! ).

  7. Sean

    Hello Brian, can you please give us/me the onion links to see – the darker corners of the Web.

    I would like to see the sites you visit.

    1. Security Guy

      I suspect that Brian would not want to do this.

      Why would he? He’s probably spent years cultivating this knowledge and just putting it out in the public only makes it easier for competitors to clone his knowledge.

      krebsonsecurity.com being the go-to place for these kinds of articles and breaking stories is really the main value of Brian’s brand.

      1. IA Eng

        Agreed, not a good idea.

        His sources are his – if someone is looking for a place to buy illegal stuff, or you want to experiment on their own, contact a security forum and ask there.

        It would be at their own risk – one never knows what type of evil lurks within these websites. So if you can muster up their own motivation and creativity, and learn as they do, it’s a better idea. That clears anyone of harm/fault for suggesting a website to visit.

        Plus revealing personal sources can whittle down his chances at getting back into these sites. As many people that read this blog, how many would try to venture to these sites? Many would move to an alternate URL, and finding them once again may prove to be a feat.

  8. B_Brodie

    Can someone decipher the “ATM Related Skimming Losses – Top Six Locations” graph for me?

    The totals don’t add up to 100%, and it is not clear what the USA’s 88% is a share of.

    Thanks.

      1. BrianKrebs Post author

        It’s not meant to be a totals graph. It just means that of countries that reported skimmed cards being used in other nations, 83 percent of them reported use in the United States, more than any other country.

        1. BaliRob

          Sorry Brian – just like double negatives – your answer is as clear as mud – at least to me.

          Also, the graph is very confusing and gives a totally misleading picture of the subject matter.

          However, as always, love reading your letters to us.

          1. Angry Thinker

            The graph is crystal clear, maybe you are not used to reading graphs?

          2. Diane Trefethen

            @BaliRob
            At the 33rd EAST meeting, members were asked to please list the foreign countries in which their financial institutions have lost money to ATM card skimming. Of the 18 members that responded, 83% included the USA on their lists. 44% listed Thailand. 44% Indonesia, etc. In other words, of the 18 members that submitted a list, 15 of them had the USA on that list.

  9. Peter

    I find the craftsmanship interesting. It looks like something from either the middle ages or a high school shop class.

    It looks like they started out trying to be very precise, but at a certain point they were like “f it” and hit it with a hammer a bunch of times to make it fit.

  10. TheOreganoRouter.onion.it

    I don’t see any surface mount micro-controller or ASIC chip on the skimming device. Am I missing something here? Need that critical information.

    We need a better close up view of the P.C. board area

    1. Cosmic

      Click on the 2nd image for an enlargement. Look over to the left of the watch battery. There are things there that may be epoxied. That small square metal can may be an xtal oscillator.

      1. TheOreganoRouter.onion.it

        Looking at it again, I was thinking it looks more like the insides of an SD card or a USB drive.

        My thought is that the computer that runs the ATM gets infected with a memory scraper malware when the skimmer device is inserted. The skimmer device then captures or scrapes the card information in memory before it gets encrypted, which then the data gets sent to the memory chips (four square black chip devices).

        The battery is there so that the data doesn’t get lost in the memory chips when the skimmer device is removed. The black component between the four memory devices and the battery contacts is a voltage regulator chip.

        The silver square is the memory controller device and or ROM to hold the malware.

  11. Moike

    >Last, but certainly not least, cover the PIN pad with your hand when entering your PIN

    Does anyone make a “PIN shield” which would attach to the hand and obscure the view of the PIN entry? When you’re driving, it’s nearly impossible to cover the pin entry with the other hand without exiting the vehicle.

    1. pboss

      Put the car in park, turn your body towards the window and just use both hands.

      1. Alex

        How about just parking your car and going inside the bank? I do that every time even in -40 up here in Canada. I never got the drive through atm concept. Or drive through at all. I love all those people in the drive through line waiting for 10 people in front of them while there’s absolutely no line for me inside though when I’m getting my coffee 🙂

  12. The Dude

    I work in bank security, and the ingenuity of the makers of these things amazes me. Usually the pics of these devices are taken in blurrycam, and you can’t tell how the thing ticks. But this device is a work of art, and whoever made this wields a soldering iron like a god. I’d love to know what IC is the brain under that lump of epoxy. Don’t be fooled by the size of the battery, because the chip probably only wakes up when a card is inserted, meaning it could survive for months collecting data.

    1. JSG

      “wields a soldering iron like a god”.

      Really? It looks pretty terrible to me. And I have to ask – why stainless steel, when plastic would work just as well and it’s easier to make something with?

  13. C. Biggio

    It appears that this even comes with a handy dandy wire stripper (3rd pic, upper right). It even looks like you could use it for a bottle opener.

  14. Jeanetta

    I used my card at Goodwill in Florida around the time of the breach and since have had over $1200 stolen from my account. The charges came from Chicago and were used to purchase money grams. The thief was even able to call for my balance info and change my pin number! And they did all of this without having my physical card!

    I am wondering how we go about contacting Goodwill to see what they are going to do to rectify this?!

    1. caryn

      Jeanetta, how is it you lost that amount of money? Are you checking your cc account on a regular basis? I check my accounts daily looking for illegal transactions. Just a suggestion. Contact your cc company and inform them of this asap.

  15. Bentan Testravosky

    The United States always takes a “Wait and See” approach. That’s why Pearl Harbor and the September 11th Attack happened. The US knew about them, but waited and then saw. I want a chip-and-PIN card. More than I want a cheese danish right now and a weekend of debauchery with “Gin” Wigmore, Mette Lindberg belting out their songs with Brian Krebs on guitar. After the Target Breach, we saw how fast cards could be re-issued. Let’s get with the program US Banks and Merchants. The Mag Strip stupidity needs to end. I think I’ll have that danish now … since that seems to be the only thing that can be attainable in the near future.

  16. Katrina L.

    I check my bank account too many times a day (10+) for a skimmer to do any damage without me noticing right away. I’m always baffled by folks who lose thousands of dollars and don’t notice until three weeks later.

    1. Alex

      I hope you’re joking about that lol. Why would I check my bank account even once a day? A few times a month sure. But anything else is panicking. Or are you on Facebook/Twitter withdrawal and need something to check?

      1. JCitizen

        Some of us use debit cards, even though only locally. You have 48 hours to catch criminal activity, or you lose your money. Before anyone criticizes the use of debit cards at all – bear in mind that they don’t have interest, and you get all your fees back from purchases, when you have a really good credit union! They are actually cheaper than using cash! They are darn well worth looking at the account every two days – at least. It only takes a minute or less to checkup on it – and it is a good habit anyway to track one’s expenses.

        1. Alex

          Must be a US thing then. I live in Canada. Here are the RBC rules as an example and I’ve lived in Germany too where you have 6 weeks to dispute a debit card charge. If you only get two days your bank is screwing you over…

          Transaction errors (unauthorized, incorrect amount, merchant errors)
          If you identify a transaction error on your statement, such as an unauthorized and/or incorrect amount, we must hear from you no later than 60 days after we send you the FIRST statement on which the problem appears.

          I never have to pay interest on my credit card either as I use it like a debit card, I.e. I pay it off multiple times per month. I’ve never paid any fees for a debit card purchase either. I keep track of what I buy on a more fine grained level than per account statement line item. I can tell you how much money I spent for alcohol in June 2011 vs. December 2010 and what the average price I paid for gas in those same months 🙂

  17. Bait and Switch

    The issue with PIN will only be related to credit cards. PIN will still be used with Debit cards, as they are today. The issue with Credit Cards is that Banks associate the use of PIN and a Credit Card with a Cash Advance. Until the Banks allow the use of PIN at MCC codes that are not ATM or branches (6011 and 6010), we will be stuck with signature or signature-less transactions. The reason they most likely won’t enable change is because of the almighty dollar. If the transaction is more secure (via PIN), then there will likely be lawsuits surrounding interchange, due to a lower risk profile. Merchants and “DICK” Durbin will argue the Banks should make less, merchants will pay less and we the consumer are saved (SIC) money by lower prices (BS). So with fraud losses manageable and income between 1.8% and 2.95%, what is their motivation for change?

    1. Alex

      Canada here where I need to use pin basically everywhere and none of those are treated as cash advances or I’d be going mad from the cash advance charges to my cc. You can however get your online 3d secure purchase of lottery tickets treated as a cash advance, which I find pretty weird.

    2. KM

      Where I live (UK) and places where I regularly visit on business (UAE, Singapore) all use chip-and-pin in every store, not a single one is regarded as cash advance.

      The idea that chip-and-pin makes a transaction cash advance is just nonsense. All because you are entering a pin does not magically transform the POS device into an ATM!

  18. Sastrugi

    Sorry Brian, but that chart is still bothering me. According to your explanation the 83% USA number is the percent of cards skimmed in other countries that are used in the USA? So it doesn’t include cards that are skimmed in the USA?

    The reason this is important is that if the 83% also includes cards skimmed in the USA, then the number isn’t as bad as it looks since the USA has the most ATM transactions by far.

    Am I correct in saying that the percentage listed for each country represents the fraction of foreign-origin skimmed cards being used in that country? But that wouldn’t make sense unless the same card is being used in multiple countries (which is possible). But that would confound the data since every country’s bar excludes a different country.

    Lol, it’s complicated, but that graph was not the best I’ve seen. No need to answer.

    1. Diane Trefethen

      @Sastrugi
      “Am I correct in saying that the percentage listed for each country represents the fraction of foreign-origin skimmed cards being used in that country?”

      No.

      The EAST members were asked to list the countries in which they lost money. 83% (15) of them included the USA on their lists. 44% (8) of them included Thailand, etc.

  19. K Yipper

    This guy apparently didn’t have access to a 3D printer that uses powdered metals to print elaborate and thin devices. From his machining skills it’s obvious he’s not a machinist and you can tell by the bent metal that he had access to an ATM in his garage where he was trial fitting the piece and making small adjustments. Someone will improve upon this concept with application of 3D printing. This is not a challenge, just a statement.

    1. Soy Tenly

      This device is like a prototype. The craftsman who made it was trying to make an insert that would evade any detection sensors because its purpose requires that it not be detected and thus not ejected as if it were a card.

      We don’t know how many different types of readers he was trying to make it work in. And he probably did not have the engineering, design, and manufacturing documentation that showed all the dimensions and tolerances involved, even for one machine.

      Without that documentation, or without a working prototype, there is no way to make a 3D-printed device. And he might not have access to a printer that can make product with tight tolerances, or the material that will be rugged enough to withstand handling and insertion; credit and debit cards are very thin.

      In other words, a homemade device.

      I can imagine a Rube Goldberg-type of mechanism that would thwart devices like this, but such mechanisms are complex and prone to jamming, especially when insects and spiders make their way into the mechanism.

      1. Bill

        I certainly wouldn’t call him a craftsman and the tolerances aren’t needed… he can get the size by cornering 2 or more credit cards to find the space needed for the thickness of the device… and I certainly wouldn’t use metal and then run wires through it… plastic would be the ideal choice for insulation and decorative purposes…

        1. SeymourB

          Actually, you need to measure the size of the slot, the thickness of the ATM card, and then make sure your device is the thickness of the difference between the two.

          In all likelihood the thickness of this device was determined by the thickness of the battery, which isn’t the way to do it.

  20. John B.

    Couldn’t they just install a metal detector that sets off an alarm when the metal skimmer device is inserted? Or a device to detect the battery in the skimmer? C’mon, guys, this isn’t rocket science.

  21. TJ

    Brian, I’ve been considering using Google Wallet, specifically the Google Wallet Card. One of the security features Google Wallet offers is the ability to change your PIN at any time. So if you use the Google Wallet Card at a sketchy ATM to withdraw cash, you can immediately change your PIN afterwards. I’ve been diligently covering ATM PIN pads since I read one of your articles years ago, but this Google Wallet feature seems to provide some additional peace of mind. I’m curious if you’ve had any experience with Google Wallet or any of the competing wallets and if you recommend them.

  22. mbi

    It seems that card companies could restrict their cards to Europe where the new cards are used and some feature for people that travel to the States to restrict magnetic strip use. Infrequent travelers could go to the Internet to enter travel dates to activate the magnetic stripes. For frequent travelers they’d be unblocked, but thieves wouldn’t know which ones. This would drastically cut back on the profitability of skimming magnetic strips in Europe. It would have to be an industry standard practice for it to work.

  23. FARO

    Not really related but there is news afoot about the malware “Backoff” that was used in the Target breach. DHS and the Secret Service are informing merchants of breaches. Related to some servers or crooks overseas.

  24. JCitizen

    There is no way I’d detect this thing!! Ingenious! Of course the only critical ATM I use, would probably belch this thing out, because it won’t keep the card. Also I’ve used ATMs that suck the card into a storage tank if you don’t take the card out of the slot after a certain time period – if you actually received money it will store that too.

    I had brain damage from sleep apnea and once farted off to town without withdrawing my money or my card. It took me 2 hours to remember what I’d done. Needless to say, I was relieved when the bank knew what I had done and could retrieve the card AND the money. WHEW!

  25. Joey

    Great read. I wonder if US ATMs get attacked more but US banks just don’t want the bad publicity and hide the data?

    1. IA Eng

      The USA makes a fistful of cash on ATM fees every day. Add in the fact that merchants pay a fee to maintain the ability to swipe CC data and get payments, the Banks make more than what is lost. So, unless the Banks start to lose money or go lower than the required ROI, they are just happy with the way things are working.

      Banks may contact members, or members contact the bank when a skimmer may have been used to compromise a card. If these card compromises had to be reported each individual card breach, that would cause the state and feds to take notice.

      All these things ATM’s need is a small factor swipe strip. The CC needs a one time 6 digit pin to be used, much like what an RSA token can do. That eliminates the skimmer. But, how much would that cost the banks? Probably more than the occasional skimmer issue. They’d have to replace / upgrade the ATM, and engineer a new card, and have some business produce these cards at a price point that is acceptable to banks.

      =\

  26. All Confused

    so how do you protect yourself at the ATM?

    really look at the card slot to see if anything is in it?
    grab the card slot thing and see if it comes off?
    try yanking off any extra layer of plastic or metal anywhere on ATM?
    use your hand to shield the keypad when inputting your pin?

    any other unusual things to watch out for?

  27. Bill

    Well I have an extensive electronics background and from the looks of this it appears it wouldn’t work… unless the one wire that is attached to the battery is insulated because the other one is ground and it would short to ground… maybe that’s why it set off the alarm by heating up the metal… just an observation
