March 17, 2015

If an ATM you’d like to use is enclosed in a vestibule that requires a card swipe at the door, it might be a good idea to go find another machine, or at least use something other than a payment card to gain entry. Thieves frequently add skimmers to these key card locks and then hide cameras above or beside such ATMs, allowing them to steal your PIN and card data without ever actually tampering with the cash machine itself.

One recent skimming incident began when fraudsters placed a card skimmer directly on top of this key card “dip” device, which managed access to a bank ATM vestibule:

Locks secured by mag stripe readers typically aren't very discriminating or physically secure.

The attackers in this incident then placed a hidden camera in a false panel above the ATM.

A tiny pinhole lets the hidden video camera record customers entering their PINs.

Here’s the backside of the phony door card reader the thieves placed on top of the legitimate card reader:

Skimming devices aren't just for ATMs!

Take a gander at the technology stuffed into the false overhead panel, which appears to have been powered by a disassembled Casio digital camera:

A hidden pinhole camera made from a cannibalized Casio digital camera.

Pro tip: These door security devices aren’t too smart, and most of them will happily accept just about any card with a magnetic stripe. But don’t take my word for it: Next time you pass one of these ATM vestibules on the street, whip out your library card or ID card and see for yourself.

Sometimes crooks will remove the door card readers and actually tinker with the technology inside the reader, as I detailed in a skimmer story from 2011. In that incident, the hidden camera was stuck behind a mirror that was affixed to the wall several inches above the actual ATM. The thieves in this case might have done the same, as the dip card device appears to have been affixed to the door with little more than two Phillips-head screws.

If you enjoyed this post and are fascinated by skimming devices, there are more than three dozen other skimming stories in this ongoing series — All About Skimmers.


41 thoughts on “Door Skimmer + Hidden Camera = Profit”

  1. Donald J Trump

    Unbelievable, there is nowhere safe to use your credit cards nowadays. :–(

    1. Soy Tenley

      Ideally, inside the bank after it is open for business.

      1. jim

        You have to remember the Civella case in Kansas City. One of the already a felon convicted children of mob boss deceased, a. Civella, was recently, late last year, hauled into court for skimming money from one of the delivery services, forgot what they call them now, but like Brinks. You know, delivers money to machines and banks with weapons in hand. So should you trust the machines in the bank?

  2. Anonymous

    I’d never considered this before, will keep in mind going forward. Thanks.

  3. CJ

    In my experience any card will open that type of door.

    It is interesting/distressing to see how a poor choice like that can help unravel what little security there is …

  4. DelilahPerez

    In So Cal, I only know one bank branch that has this kind of secured lobby entrance, and that’s the Bank of America that was robbed in 1997 while a national TV audience watched. I’ve never run into another BofA that has that kind of secured entrance.

    1. John Connor

      aint nobody got time for that, but most bofa’s have this feature. i guess that’s the limitation of their security minded 6 figure income security folks. seems that’s what the itt and other cis education places are letting pass for Security Experts these days. hopefully they read this blog and expand they minds on security issue, because god knows they’re not going to find it wasting their time playing online social media games or whatever they seem to waste time with.

    2. NotHappie

      The BoA kiosk in the Port Authority in New York City had an entry system like that, though it may be changed by now (I lived there until 2010).

  5. grayslady

    Sadly, these card-accessible entries connected to banks are mostly found in northern urban locations with a fair amount of homeless people. The ATM vestibules are kept warm in the winter–something homeless people would also appreciate.

    Personally, I feel uncomfortable using these card-controlled vestibules, because I’m afraid that their so-called security provisions actually prevent someone from helping me if an attacker manages to gain access. The attacker may know that using any mag strip card allows access, but I didn’t know it until I read Brian’s column today, and I doubt that many people who might come to my aid would know it either.

    Perhaps it sounds too simplistic, but after reading Brian’s articles about skimmers, and with so many types of ATM machines (drive up, walk up, ATMs at the Walgreens, card machines at the grocery store, etc.), I’d love to see a law mandating that every machine used to accept or dispense payments feature a tamper-proof photo of what the machine should look like. The photo should also include a warning not to use the machine if any part of the machine doesn’t exactly resemble the components in the photo.

    1. Infosec Pro

      That’s a great idea! And there is an easy way to show the photo so it would be resistant to tampering: show it on the ATM screen.

      If the thieves are able to change what the ATM screen is showing they probably don’t need to add a skimmer, they can most likely just use the ATM reader itself.

      I will be passing this along to a friend in the banking industry. Thanks!

    1. Drew B

      Angela, the camera is used to capture your PIN as you enter it into the ATM. Then they have card # from the door skimmer, and PIN number from the camera. Next step is creating a new card with your info, and then cashing out.

      1. jim

        Actually they don’t need a camera, just a keystroke record. The size and number of pictures available, means it’s easier to decrypt the card numbers. ATMs and stores do not send unencrypted information out. Yes computers are faster, programmers smarter, but the stream has to be decrypted. And now you have three or four of the numbers, just got easier to decrypt.

  6. EstherD

    They’re quite common here in the Boston area. Figured out this risk scenario myself a few years ago, after reading a few of the earlier BK articles on skimmers. Consequently, the ONLY secured-lobby ATM I have used for many years is one with a handicap access switch on the outer door. Pushing the giant square button grants *anyone* access… NO card of ANY kind required!

      1. NotHappie

        In urban areas, it gives you a sense of having a buffer zone from the milling masses. Imagine no vestibule in a crowded space – Just as your cash is being dispensed, a thug and his friend get into a scuffle and one gets pushed into you, handily grabbing your cash in the fracas…

      2. EstherD

        Then there’s always the WEATHER: Over 100 inches of SNOW this winter, several weeks with temps mostly in the single digits, and winds gusting to 40-50 MPH. Only available alternatives to vestibule-style ATMs during non-banker’s hours require standing in the street completely exposed to the elements, trying to deal with cards, cash, and checks for deposit, ALL w/o the benefit of GLOVES. But then maybe you actually have to live in the NE to really understand.

        1. Fin-Man

          Here in Finland we have several metres of snow every winter and temperatures down to -30 degrees centigrade (-20 degrees Fahrenheit). Our ATMs are usually situated outside, without any vestibules.

          1. Scarboni

            Not sure why that’s something you’d want to brag about, Fin-man. Sounds like a horrible scenario that – were it my country with such lack of concern for warmth or comfort – I’d want to just keep to myself.

            1. Josh

              I think what Fin-man is implying is that vestibules aren’t so NorthEasterners are warm from the cold. It’s so they feel safe from people on the street. Meaning they are afraid of the people on the street.

  7. therotintheroot

    I love these guys. Criminal yes, but also ingenious.

  8. Elizabeth

    I thought you reported about the door vice ATM skimmers a few years ago.

    1. Roo

      Did you read the whole story?
      He actually referenced the previous story from 2011.
      This one was a little bit different, which I’m guessing is why he wrote another.

  9. mackke

    And good for you if you saw it years ago, Elizabeth.
    I wasn’t the least bit aware of the issue, and I have to deal
    with this situation often.
    Thanks, Brian…

  10. Larry

    Thank you for writing about this. Here on the East Coast, these card reader door locks are all over. I’ve been saying to anyone that will listen that the locks are nothing more than security theater. What is it that they are trying to prevent? Do the owners really believe that a crook is going to walk up to an ATM vestibule with nefarious intent, but turn away when they see the card reader? Everyone knows that as Brian points out, the so-called locks are simply detecting a magstripe and do not do any reading of the stripe data (thank god!)

    Now, as this article points out, these so-called locks are worse than theater: they are a vector for card skimmers. I wish every bank manager would read this article and simply remove the useless vestibule locks.

    1. nick

      in my city almost all the banks have them. it gets cold during the winter and without them all the banks downtown would have homeless people sleeping inside… even with them installed you still see people from time to time sleeping inside..so imagine without it

  11. Rick Blaine

    Haven’t seen this around our bank atms as a rule.
    I wonder if peephole cameras are in business restrooms. I assume they are so I smile as I do my thing.

    I wish we could have these enclosures or wind breaks around our gas pumps. It can be real cold answering the half dozen questions before getting gas.

  12. chris reed

    I wouldn’t suggest using your ID card, that still contains a lot of PII and could further help the thieves if they really wanted, e.g. print up a new ID with their photo, then use it in fraudulent card setup.

  13. The Phisher King

    I reluctantly have to give credit to whoever came up with this scam, as it exploits a very simple weakness that most of us would never have given a second thought about.
    It is a shame that this person is not using their powers for good rather than evil, as they could potentially help make things significantly better while at the same time make a decent pile of money.

  14. Dan

    Most likely these Perps are posing as maintenance personnel to do skimmer and camera installations. PCI 3.0 has made an attempt to address this problem on POS and CC storage devices but it’s very weak. They suggest you call the maintenance company’s office to ‘verify’ the person asking for access to the business. What if the number they provide is fake and the person on the other end a fraudster as well?

    PCI Auditors don’t seem to have a sense of urgency or training on how to check PCI required businesses for how they authorize and verify personnel when they arrive to do work on computer equipment or even wash the windows.

    The same should apply to ATM machines, but who regulates them?

  15. John Devine

    Once again you show the fraudster how to perform the crime.

    I don’t get it.

    I also don’t know why all the networks are not linked by sequence number and allow any banks with a fraud affidavit to pull picture instantly from any camera.

    It is almost like the banks want a little fraud to keep all these fraud detectives employed.

    1. BrianKrebs Post author

      John,

      There is a basic tenet of security that you can’t protect against threats you don’t know about. Not writing about threats doesn’t make them go away; it just leaves those who might be scammed ignorant of means to protect themselves.

    2. EchoCharlie

      You would be surprised how many law enforcement efforts and crime prevention occur through public warning and disclosure rather than direct enforcement. It is a simple matter of numbers. Limited X number of law enforcement or security personnel vs. vast Y number of potential victims.

      If you implicitly trust those who serve, even at their very best, to ALWAYS keep you safe, you are naive. Such a thing is impossible. One of the best elements in personal safety/security is informed common sense.

      As an aside, most competent criminals out there are not being “informed” by such information…they are already putting together the next scam…

      1. Roo

        You would be surprised at how many bank workers don’t know about this as well. I had a problem using my card recently and had to get a new one, and we started talking about security and scanners, but the person at the bank was unaware that people could do this.

        1. A.D.

          You simply spoke to the wrong person. I’m sure there are people at the bank that are well aware and informed about such scams, but they are unlikely to sit behind a counter handing new credit cards.

  16. Scarboni

    So my takeaway from this is just use a library, laundry, or some other relatively useless (non-financial) card to open the door and – as per usual – cover your hand when entering the pin. Problem solved. And I really doubt the perps are going to determine they got a library card mag-strip and try to do something with it. They are looking for debit and credit cards and can make more money off of them than they can with some other

  17. Dan Cremins

    The problem seems to be that banks are installing card access systems to prevent undesirable people from entering but it has provided another avenue for criminal skimming. An alternate approach is to leave the doors open and find a solution that detects loitering in an ATM vestibule. In other words, an alarm is created when a person enters but there is no transaction for a set period of time.
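
The loitering check proposed in the last comment above, sketched as an added example (it is not part of the original post or any commenter's code). It assumes a door or motion sensor that logs ENTRY and EXIT events and an ATM journal that logs TXN events; the log format, event names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real system): "<ISO timestamp> <EVENT>".
# Assumed sources: ENTRY/EXIT from a door or motion sensor, TXN from the ATM journal.
SAMPLE_LOG = """\
2015-03-17T01:58:10 ENTRY
2015-03-17T01:58:55 TXN
2015-03-17T02:00:02 EXIT
2015-03-17T02:14:05 ENTRY
2015-03-17T02:31:40 EXIT
2015-03-17T08:02:00 ENTRY
2015-03-17T08:03:30 EXIT
"""


def find_loitering(log_text, max_idle=timedelta(minutes=3), now=None):
    """Return (entry_time, idle_duration) for each idle stretch over max_idle.

    An idle stretch runs from ENTRY (or the visit's last TXN) to the next TXN
    or EXIT. Pass `now` to also judge a visit that has no EXIT logged yet.
    Simplification: the vestibule is treated as holding one visit at a time.
    """
    alerts = []
    entered = last_activity = None  # None while the vestibule is empty
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "ENTRY":
            if entered is None:
                entered = last_activity = when
        elif entered is not None and event in ("TXN", "EXIT"):
            if when - last_activity > max_idle:
                alerts.append((entered, when - last_activity))
            last_activity = when
            if event == "EXIT":
                entered = last_activity = None
    # Someone is still inside at the end of the log: measure against `now`.
    if entered is not None and now is not None and now - last_activity > max_idle:
        alerts.append((entered, now - last_activity))
    return alerts


if __name__ == "__main__":
    for entry_time, idle in find_loitering(SAMPLE_LOG):
        print(f"ALERT: entry at {entry_time}, {idle} with no transaction")
```

A live deployment would run the same comparison on a timer rather than waiting for the next logged event.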
