KrebsOnSecurity has featured several recent posts on “insert skimmers,” ATM skimming devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. I’m revisiting the subject again because I’ve recently acquired how-to videos produced by two different insert skimmer peddlers, and these silent movies show a great deal more than words can tell about how insert skimmers do their dirty work.
Last month I wrote about an alert from ATM giant NCR Corp., which said it was seeing an increase in cash machines compromised by what it called “deep insert” skimmers. These skimmers can hook into little nooks inside the mechanized card acceptance slot, which is generally quite a bit wider than the width of an ATM card.
“The first ones were quite fat and were the same width of the card,” said Charlie Harrow, solutions manager for global security at NCR. “The newer ones are much thinner and sit right there where the magnetic stripe reader is.”
Operating the insert skimmer pictured in the video below requires two special tools that are sold with it: One to set the skimmer in place inside the ATM’s card acceptance slot, and another to retrieve it. NCR told me its technicians had never actually found any tools crooks use to install and retrieve the insert skimmers, but the following sales video produced by an insert skimmer vendor clearly shows a different tool is used for each job:
Same goes for a different video produced by yet another vendor of insert skimming devices:
Here’s a close-up of the insert skimmer pictured in the first sales video above:
This video from another insert skimmer seller shows some type of tool I can’t quite make out that is used to retrieve the skimmer. It’s unclear if this one requires a second tool to install the device.
Skimmed card data lets you counterfeit new copies of the card, but to withdraw cash from ATMs using the counterfeit cards the crooks also need to somehow steal each customer’s PIN. That task usually falls to a false keypad or a hidden camera — the latter being far more common and cheaper. The seller of the insert skimmer pictured above also sells a hidden camera setup. Below is a false overhead panel, including a cannibalized video camera that peeps through a tiny hole down at the ATM keypad.
Once you know about all the ways that skimmer thieves are coming up with to fleece the banks and consumers, it’s difficult not to go through life seeing every ATM as a potential zombie threat — banging and pulling on the poor machines and half expecting, half hoping, parts to come unglued. I’m always disappointed, but it hasn’t stopped me all the same.
Truthfully, you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life. So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. Stick to ATMs that are physically installed in a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on a weekend — when they know the bank won’t be open again for more than 24 hours.
Lastly but most importantly, covering the PIN pad with your hand defeats the hidden camera from capturing your PIN — and hidden cameras are used on the vast majority of the more than three dozen ATM skimming incidents that I’ve covered here. Shockingly, few people bother to take this simple, effective step, as detailed in this skimmer tale from 2012, wherein I obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.
For more on how these insert skimmers work, check out Crooks Go Deep With ‘Deep Insert’ Skimmers. If you’re here because you find skimmers of all kinds fascinating, please see my series All About Skimmers.
Is there a reason ATMs use a physical numerical pad for PIN numbers? Couldn’t ATM manufacturers just use a touchscreen system with privacy glass? That would require these PIN cameras to be dead center to see the PIN.
Exactly. It is so easy to fix this issue, and ATM manufacturers / banks have for years been pretending to be victims, when in fact they have no interest in fixing it. Just put in a touch screen, with the numbers appearing like:
1 – 4
2 – 9
3 – 5
6 – 8
7 – 0
Even if the camera gets the screen, they will not know if the person chose 1 or 4, 2 or 9, 3 or 5… Only people who don’t know how the world is believe that banks are victims.
Back in the days when cameras that could be easily hidden were extremely expensive, I worked in an office where the parking garage elevator security was similar to that. You swiped your card and entered your PIN on a keypad. Each key on the keypad had a display in it and the digit displayed in the key was random and changed each time. The only way anyone could capture your PIN was to be close enough to read or record the digits displayed on each key. The elevator wall was flat with the exception of the card reader and keypad, so there was no place to hide a tiny camera. The modern day equivalent could be much more secure.
We call those “Scramble Pads”, and they’re common on entry systems like Hirsch. A vast majority of the buildings that I go into have a combination reader that reads the mag stripe or RFID tag in the ID, and if it’s outside the normal working hours (6A-6P), then the scramble pad will light up, and you have to enter your 6-digit PIN for entry.
That’s how ATM machines have been working in Brazil since forever. I can’t understand why this isn’t the standard everywhere.
Not to mention that it’s almost impossible to find a card without a chip in Brazil.
So, chip + scramble pad for pin makes for a pretty solid solution.
Banks lose $$$MILLIONS$$$ every year to these scams. The consumer gets made whole by the banks. The bank I work for has been hit pretty hard by these skimmers. So your statement that “Banks are for years pretending to be victims. When in fact they have no interest in fix it.” is so not true. We would love to find a fix, but it will be up to the companies that make the ATM’s and their software to find a way to detect when these devices have been inserted and make the banks aware there is an issue so it can be addressed. However, every time they do upgrade their technology, the scammers find a way around it. Bottom line is if these scammers would get a job that pays them money and make themselves useful citizens, we would not have to worry about these issues. Unfortunately, the lure of easy money will always overtake hard honest work.
Is there a reason ATMs use a physical numerical pad for PIN numbers?
Yes, for vision impaired users.
Why not both? Then again, I’m sure the United States ADA lawyers would have a field day with “unfairly exposing the disabled to increased fraud risk” or some such, but if the majority of people were using the on-screen scramblepad it would reduce the number of PINs that crooks could record, reducing the ROI of an expensive skimmer and camera combo.
Integrating a PIN pad into their application would require PCI PTS certification of the entire architecture. No small feat.
Let me re-phrase that; integrating a PIN pad into the application presentation interface “could” require PTS certification for the application architecture. This, unless of course, there is suitable abstraction (HW & SW) between the application interface and the remaining payment application architecture. It is much easier for ATM manufacturers to integrate their stuff with PTS devices that have already been tested and certified to the PTS standards.
It occurs to me that the sticking point might be ADA requirements, i.e. braille touchpads for the vision impaired.
My immediate thought is “accessibility”. Any scramble/semi-random layout will be nearly impossible to use by the blind. ATMs over here have a headphone jack for audio prompts and braille on the screen-side buttons.
Brian, great post. I appreciate the videos as they give better understanding to many who have not visually seen how covert these skimmers can prove to be.
Brilliant point at the end of the article – cover your hand over the keypad when entering the PIN. This is one step everyone can/should take.
thank you
Scott Schober
Author of Hacked Again
http://www.scottschober.com
Thanks for yet another interesting post. I’m certainly covering my PIN each time I withdraw now, whereas before I wasn’t. Your blog has actually made me kinda paranoid!
I’m rich you see
Alex: it isn’t paranoia. They are really out to get you, Brian, JoeTech, me and everyone else.
Covering the pin pad is much more difficult in drive-up ATMs. Many people can barely reach the machine with their left arm. Maybe put a rectangle of plastic on the back of your hand?
Jonathan
I am starting to just go and use human tellers again. It means a trip to the CU, but that’s a minor inconvenience.
I started doing so as well (when CU is open), since the ATM now requires re-entering the PIN before every transaction. ATMs aren’t the convenience they used to be.
Watch the tellers also. I had one give me a receipt with all zeros and another try to trick me into walking away without a receipt after large cash deposits.
For drive-up ATMs I use my thumb to enter the PIN while keeping my hand over the keypad. I wish I could use both hands but unfortunately all the new drive-up ATMs are designed for our oversized overweight SUVs instead of regular old cars, so I can’t reach the pad with my right hand. Everywhere else I use two hands.
Last week while grocery shopping I tugged on the card reader in the checkout lane and it fell down. With a line of people behind me I valiantly tried to put it back on correctly but I’ll be damned if I could mount it properly, so I just schlepped it back on, probably like the last person who tugged on it did. It actually slid up to install and pulled down to remove, and of course I tugged down.
Great post Brian. Thanks for all you do.
Great post. I now go to bank every week and withdraw cash from a real teller for the week. Pay cash for gas, food, fast food and misc weekly stuff now. My family is cutting way back on using credit/debit cards in any store. There are only two types of stores, ones that have been hacked and the ones about to be hacked.
I’ll go one better. I’m just going to start bartering with live chickens. It’s the only way to be safe.
Thanks for the great post. I’ve been in retail for well over twenty years and to this day I’m still amazed how cavalier folks are with their cards. I would honestly estimate that maybe one out of 20 customers make an effort to cover their PIN entry. Add to that the fact that at the location I’m at right now a good 80 to 85 percent of card use is debit. Ouch
Will we see these skimmers coming to payment terminals in stores?
Funny thing is this all feels very outdated here in the Netherlands. I checked my local paper and this used to be an issue in/around 2009; unfortunately the article no longer has the pictures, but it was a camera strip like in the article and they had a small device that was glued to the front of the ATM looking just like the real deal.
When looking into whether there were ways to snoop laptop keyboards, I stumbled across a Chinese website that was selling PIN terminals that were a copy (or stolen originals?) of the machines in the shops around town. Shortly after I found it, shops started putting unique security stickers on their machines to detect swapped out terminals.
Keep in mind the PIN can also be lifted with FLIR cameras but only by the person right behind you.
https://www.youtube.com/watch?v=8Vc-69M-UWk
These days it’s less of a problem here as all transactions are chip based and swipe is no longer used.
Couldn’t you still have a potential vulnerability if your card issuer had a valid magstripe on your card for your convenience when travelling where chip readers were uncommon? Or would your bank/etc. only issue a striped card if you request it for that kind of purpose?
Yup that’s still a vulnerability. I have made it a habit to check my bank balance daily (or more) as that’s easy on a mobile these days 🙂
Those stickers really aren’t that secure
In the third video, the tool used to retrieve the skimmer is small, probably a modified chisel.
And great post, of course!
And to reply to myself :), the third video is made in Turkey, judging by the marks on the ATM.
And the second one is from Bulgaria, a neighbor country for the ones that don’t know.
First I was watching without sound and saw the plastic bag’s text, but then turned on my sound and heard him explain in Bulgarian.
Thanks for this Brian – I have shared on Peerlyst, LinkedIn and Facebook – More people that know the better.
I wonder if they have ever thought of skimming petrol pumps? I routinely use my card to pay for fuel and enter my pin. I guess it depends on the ability to get the skimmer in place and removal.
You mean something like this? 🙂
http://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pump-skimming-scams/
Or this:
http://www.omaha.com/news/crime/credit-card-skimmers-at-gas-pumps-atms-put-your-accounts/article_fecc20f3-c209-5118-a254-5afea93a74b2.html
Yes, the self-service payment card readers on petrol pumps (gas pumps, they’re called in the US) get skimmed.
I know this because it happened to me.
Step 1. Skim the card and the PIN.
Step 2. Use the card to make a purchase online. In my case it was an Old Navy gift card for $200.
Step 3. Clone the card and start spending my money (my bank’s money) to buy powdered baby formula.
Step 4. Call the bank and ask for transfers from savings to checking. When the bank agent asks for “a recent transaction”, mention the Old Navy purchase.
Step 5. Spend more money, buy more powdered baby formula.
Powdered baby formula is commonly used to adulterate heroin and cocaine before selling it on the street. So, it’s as good as cash in the shadow markets.
Mark, there have been several pump skimmers found here in the last month (Ohio)
Very impressive how well the attackers have miniaturised these devices. The ones shown above are effectively invisible, and only the closest inspection by a trained tech would find them – you’d never spot those even during a routine service of the machine unless you specifically checked.
Hi Brian – great post and fascinating clips. The third clip – or more specifically the device in the 3rd clip – isn’t strictly a deep insert skimmer. I think we would class this as shallow insert, sitting just in the throat just behind the entry slot as opposed to deep in the reader. The position is important when considering the efficacy of solutions – here, for example, good jamming technology would defeat the shallow insert but would have no effect on the deep insert.
Great to finally see the insertion and removal tool.
Great Post Brian. I don’t suppose the video creator was silly enough to use his own LukOil card in the instruction video do you?
Anyone been over to Slashdot or softpedia in the news section, contactless skimmers? It was proof of concept about 2000, now they are being sold online. RFID reader, for a little over a bitcoin.
You mean like this?
http://news.softpedia.com/news/fake-security-alert-no-this-guy-isn-t-skimming-contactless-cards-500685.shtml
Sort of off-topic, but hacking is a wide topic. I had 5 Verizon accounts opened with my SSN in cities in which I’d never lived under names I’ve never had. All wound up on my credit report as unpaid. Working exclusively with cash doesn’t help that at all…
In those videos, the ATMs appear to be in Euro countries. Aren’t those countries totally EMV? Why are they still having issues with skimmers?
Non US- I’ve written about this many times. E.g.,
http://krebsonsecurity.com/2014/08/stealthy-razor-thin-atm-insert-skimmers/
Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.
For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdraw cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.
This is a total fail on the EMV concept. If we need countries like Cambodia to be fully EMV, the entire concept is over.
Banks should take care of locations where the card is being used. If they can’t control this kind of thing, there’s nothing else that can be done, and no technology can help.
OK, maybe they are taking care of the location for most of the cards, but if 20% or even 10% of the cards in the EU/US (even with chip) can be used in African / Asian countries, why even bother about EMV? 10% of cards is quite enough to pay crooks.
It would be a HUGE problem if all the citizens of the EU would travel to Cambodia every week 😉
EMV is a huge success in the Netherlands as skimming went from 31 million in 2011 to 800 thousand in the first half of 2015.
So the concept is not over 🙂
A decent ATM meant for EMV cards doesn’t need to swallow the whole card – it’s enough to insert just a little bit at the end where the chip is, preventing skimming devices from making contact with enough of the legacy magstripe to read it.
Why banks in so many European countries still use an ancient type of ATM that necessitates “deep insertion” of the card, which makes them – entirely unnecessarily – vulnerable to skimmers, I can’t begin to understand.
Security is about understanding all the variables and scenarios.
Everyone here is thinking about “authorized user” + “correct pin”.
ATMs were designed to handle another scenario: “unauthorized user” + “guessed pin”. If the PIN is guessed wrong three times, the ATM is expected to capture the card instead of allowing the user to keep the card. That’s hard to do if the ATM can’t swallow the whole card.
— speaking as someone who had an ATM in Finland keep my card.
Actually, all banks in the Netherlands (and probably more EU countries) allow you to deactivate the ability to use your card outside the EU. You can toggle this on the website (for specific dates if you want).
This seems to be an effective method (I haven’t heard of any skimming practices in the past few years) even for people like me who travel frequently.
The US skimming issue was all predicted years ago, and avoidable, but head in the sand.
There are banks around that have simply started to decline mag stripe fallback transactions from chip enabled cards. This will continue to grow to combat the mag stripe fraud.
Also, more skimming happens at Point of Sale, but ATMs being unattended and self-serve are ‘scarier’ and get the headlines.
It’s a sad state of affairs when the tools used for fraud keep improving. This (old) item caught my attention:
http://petapixel.com/2014/08/29/heres-iphone-thermal-cameras-can-used-steal-pin-codes/
I assume the technology has only improved since then. The advocated way to protect oneself seems reasonable.
I can’t wait for the surge of headless ATMs. Of course, there’ll be a whole new level of fraud that comes with it, but I just think the idea is really interesting.
Using ATMs inside banks is no longer safe since banks have moved their cash machines to the so called self service zones which can be accessed by customers 24/7. What stops the crooks from installing such skimmers in ATMs located in self service area? Nothing.
These zones are being monitored (cctv, etc).
Something like this would be nasty for POS devices (where the PIN is validated Off-line and usually in the clear). Crooks could get mag + pin without need for cameras or pinpad overlay.
Brian, Thanks for the great work on shedding the light on this nasty business…
I have to wonder with such attention placed on the ATM’s themselves is anyone taking the time to scrutinize the “After Hours Access” card readers at the entry doors? These readers are much more accessible and I suspect much less monitored. Although there is no pin needed it is still another point of a potential unmanaged magstripe reader.
Bill, I have worried about this exact thing, too. Ever since I learned about skimming from Brian Krebs’ wonderful articles a few years ago, I wince every time I need to go to an ATM kiosk with the door reader access.
It actually frightens me more than the time there was a homeless person laying on the floor inside (yes, I still got cash, but watched him like a hawk because he could have been pretending, and it was very public.)
Though I try to plan ahead enough to just get my cash from the in-grocery store ATM in full view of everyone, and next to a bank counter, when I need to go to a regular ATM kiosk with an outer door I never know how much banged-up-ness is acceptable. What looks hinky because someone inserted a skimmer? What looks hinky because it’s old, exposed to the elements, and probably gets messed with just so homeless people can get out of the cold? The combo of these factors, and the need for cash at that moment, makes me usually just go for it. But I at least cover my PIN with my hand on the machine. I hope that will save me! 😉
My CU requires partial insertion of a magstripe card to gain entry outside of lobby hours, but it doesn’t care what the magstripe is, so I use an old gift card.
Just so people don’t think banks don’t care:
At least at our CU, we implement tamper detection beyond the normal (motion detection/pwr cycling, visual inspection) we have what is supposed to detect skimmer insert attempts. We had to change out some ATMs that this could not be implemented on.
Our staff takes it very personal when it comes to crooks messing with our business/customers and staff. It is our passion to be as effective as possible. Still personally, I use cash 99% of the time.
There is a lot of anti-skimming technology that goes on behind the scenes, none of which I will post in public, but many larger institutions and manufacturers are constantly updating the readers with ways to detect and combat all of these devices being used. Like everything else in life though… You create a roadblock for someone and they will usually find a creative way around it.
The tool used in the third video may be some modified chisel as posted earlier, but it looks more just like a 1 piece version of the interchangeable metal blades commonly sold in cell phone repair tool kits. The tips of the blades are variously notched and curved upward. Not the usually blue iPhone plastic pry tools, but the insert and clamp variety.
EMV effectively “offshores” the fraud due to fallback provisions. If there is no EMV reader, the “fallback” is to revert to the magstripe. And yes, a lot of international fraud has migrated to the USA over the past 10 years.
And before you claim that the EMV experiment is over, remember that Issuers can block entire countries, so if Cambodia hasn’t gone EMV, your Issuer can ensure your card isn’t used there. The problem for years has been the USA – pretty tough to block the United States of Shopping.
That said, please remember that EMV is for card present transactions. So…. if your card is skimmed, regardless of where you live, and the data on the magstripe is read, your card can be used for card not present transactions such as online.
The only way to get rid of that risk is to get rid of magstripe. Period.
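The issuer-side controls several commenters describe above (declining magstripe fallback on chip-enabled cards, blocking countries, and the cardholder's dated travel opt-in) can be combined into one authorization pre-check. This is an added sketch, not code from the post or from any bank; the card data is constructed, `CardPolicy` and `authorize` are hypothetical names, and the entry-mode codes follow common ISO 8583 usage and should be checked against your network's specification.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumption: POS entry mode (first two digits of ISO 8583 DE 22) as commonly
# used by card networks: 05 = chip read, 02/90 = magstripe read,
# 80 = chip-capable terminal fell back to magstripe.
ENTRY_CHIP = "05"
MAGSTRIPE_MODES = {"02", "90", "80"}


def service_code(track2: str) -> str:
    """Extract the 3-digit service code from Track 2 data.

    Layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary-data?
    """
    body = track2.strip().lstrip(";").split("?")[0]
    _pan, sep, rest = body.partition("=")
    if not sep or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed track 2 data")
    return rest[4:7]  # skip the 4-digit expiry


def is_chip_card(track2: str) -> bool:
    # A service code starting with 2 or 6 marks a card that carries a chip,
    # so a magstripe read of such a card is suspicious by itself.
    return service_code(track2)[0] in "26"


@dataclass
class CardPolicy:
    """Per-card regional policy (hypothetical structure)."""
    home_region: frozenset                               # always allowed
    travel_windows: list = field(default_factory=list)   # (country, start, end)

    def country_allowed(self, country: str, on: date) -> bool:
        if country in self.home_region:
            return True
        return any(c == country and start <= on <= end
                   for c, start, end in self.travel_windows)


def authorize(track2: str, entry_mode: str, country: str,
              on: date, policy: CardPolicy) -> str:
    """Return a decline reason, or CONTINUE to hand off to normal checks."""
    if not policy.country_allowed(country, on):
        return "DECLINE_REGION_BLOCKED"
    if entry_mode in MAGSTRIPE_MODES and is_chip_card(track2):
        return "DECLINE_MAGSTRIPE_ON_CHIP_CARD"
    return "CONTINUE"


# Constructed sample data (test PANs, not real cards).
CHIP_CARD = ";4000000000000002=30122011234567890?"      # service code 201
STRIPE_ONLY = ";4000000000000010=30121011234567890?"    # service code 101

if __name__ == "__main__":
    policy = CardPolicy(frozenset({"NL", "DE"}),
                        [("US", date(2016, 5, 1), date(2016, 5, 31))])
    for args in [(CHIP_CARD, "05", "NL", date(2016, 5, 10)),
                 (CHIP_CARD, "90", "US", date(2016, 5, 10)),
                 (CHIP_CARD, "90", "US", date(2016, 7, 1))]:
        print(args[1:], "->", authorize(*args, policy))
```

As the last comment notes, this only covers card-present use: skimmed magstripe data replayed in card-not-present transactions never reaches the entry-mode check.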