I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.

The skimmer pictured below is the backside of a card acceptance slot overlay. It was recovered by a customer at a bank in the San Fernando Valley who called the cops upon her discovery. Police in the region still have no leads on who might have placed the device. The numeral “5″ engraved in the upper right portion of this skimmer suggests that it was one in a series of fraud devices produced by this skimmer maker.

Backside of an all-in-one ATM skimmer found this year at a bank in the San Fernando Valley area of California.

The skimmer appears to be powered by a phone battery, which connects to the card reader device and to the circuit board for a video camera. Here’s a close-up of the video card+skimmer connection.

Flip the device around, and you can see the tiny pinhole where the attached camera peers through the skimmer front to capture timestamped footage of victims entering their PINs.

Notice the pinhole for the built-in camera, upper right.

Of course, looking straight on at the skimmer as it would appear attached to a compromised ATM, it might be difficult to spot the pinhole, as shown in the following picture.

A few tips about ATM skimmers and skimming scams. It’s difficult — once you’re aware of how sophisticated some of these skimmers can be — to avoid being paranoid around ATMs; friends and family often tease me for stopping to tug at ATMs that I pass on the street, even when I have no intention of withdrawing money from the machines.

Still, it’s good and healthy to be somewhat paranoid while at an ATM. Make sure nobody is “shoulder surfing” you to watch you enter your PIN. A simple precaution defeats shoulder surfing and many other types of video-based PIN stealing mechanisms: Cover the PIN pad with your hand or another object when you enter your PIN.

If you are withdrawing cash after hours, visit only well-lit ATMs and those that are in plain view of other public spaces. In the unlikely event that you discover a skimming device attached to the ATM, alert the bank or proprietor immediately. Do not attempt to walk away from a compromised ATM with a skimmer in hand. For one thing, thieves who place skimmers often lurk nearby to prevent such occurrences. Also, consider how you might explain to a police officer that the device you just removed from the ATM is not yours. If you must leave with evidence, take a picture of the compromised ATM using your mobile phone (and if you get a nice picture, please consider sending it to me!).

In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

Below is a front view image of the device. It is an all-in-one skimmer designed to fit over the card acceptance slot and to record the data from the magnetic stripe of any card dipped into the reader. The fraud device is shown sideways in this picture; attached to an actual ATM, it would appear rotated 90 degrees to the right, so that the word “CHASE” is pointing down.

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of  PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here.

Here’s a closer look at the circuit board on top, which looks like some type of Flash storage device:

Here’s another look at the electronic parts wedged into the back of the skimmer:

It appears from the following image that the data storage capacity on the device is connected directly to the mag stripe reader (top, silver wire), while the device’s video camera is wedged behind the pinhole (bottom, gold wires).

The investigator I spoke with about the incident didn’t know much about the innards of the device, and said that those responsible have not yet been caught. But he did have something interesting to tell me about the origins of the skimmer: “It is believed that the green skimmer was made with the Stereolithography process.” Translation: The cops think thieves produced the card skimmer molds with the help of 3D printers.

These hi-tech and costly machines take two dimensional computer images and build them into three dimensional models by laying down successive layers of powder that are heated, shaped and hardened. In September, I detailed how U.S. investigators had arrested four men in Texas who allegedly built their ATM skimmers using a 3D printer they’d purchased with the proceeds of their skimming business.

In related news, New York County District Attorney Cyrus Vance earlier this month announced an 81-count indictment against three men suspected of planting skimmers at ATM machines in Manhattan. The indictment alleges that the men used the skimmers to steal the debit card numbers of nearly 1,500 individuals, and then exploited the stolen debit card numbers to make more than $285,000 in fraudulent transactions.

In the press release that accompanied the indictment, the district attorney released several images of the skimmer devices allegedly planted by the Manhattan trio. While these devices relied on a separate façade that held a hidden video camera to record customer PINs, there is little question that the same Chase ATM design was targeted. In the picture below, the hidden camera is the squarish silver block mounted vertically to the left of the PIN pad. An enlarged picture of the camera façade follows this one.

A compromised ATM in Manhattan. Image: NYCDA.

A hidden camera and card skimmer part seized by authorities in Manhattan.

Hidden camera footage of a customer entering his PIN. Image: NYCDA.

If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM. And remember, the most important security advice is to watch out for your own physical safety while using an ATM: Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.

If you liked this post, consider checking out the other stories in my ATM skimmer series, All About Skimmers.

Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices.

Using audio to capture credit and debit card data is not a new technique, but it is becoming vogue: Square, an increasingly popular credit card reader built for the iPhone, works by plugging into the headphone jack on the iPhone and converting credit card data stored on the card into audio files.

An audio skimmer for a Diebold ATM.

The device pictured here is a card skimmer designed to fit over the card acceptance slot on a Diebold Opteva 760, one of the most common ATMs around. The green circuit board on the left was taken from an MP3 player (no idea which make or model). When a card is slid past the magnetic reader (the small black rectangle at the end of the black and red wires near the center of the picture), the MP3 player “hears” the data stored on the card’s magnetic stripe, and records it as an audio file to a tiny embedded flash memory device.

The card skimmer comes with a false panel that fits snugly into the top of the ATM; it contains a miniature video camera that records victims entering their PIN when the card skimmer slot is activated. The battery included in the hidden camera lasts for six hours, according to the ad posted by the skimmer’s designer. The entire package costs $1,500, payable via virtual currencies such as WebMoney and Liberty Reserve.

The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The Mp3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.

In fairness, the seller does note in the fine print that third party software is required to decrypt the audio files, and that he is “working closely with another partner for this service.” That partner is a different fraudster who will decrypt the audio files in exchange for 20 percent of the stolen card numbers and PINs.

Most of the ATM skimmers I’ve profiled in this blog are comprised of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.

ATM Card skimmer, using modified ATM component

On May 16, 2009, a company representative from ATM maker Diebold was servicing an ATM at a Bank of America branch in Sun Valley, Calif., when he discovered a skimming device and a camera that were attached to the machine. The technician took pictures of the camera and card skimmer (click picture at right for larger image), and then went into the branch to contact his supervisor.

But when the Diebold employee returned, the camera had been removed from the ATM, suggesting that the skimmer scammer was lurking somewhere nearby and had swooped in to salvage his remaining equipment. This is similar to what happened when an ATM technician discovered a compromised ATM a year ago.

Investigators of the present scam learned that the thief had somehow pried off the plastic cover of the ATM’s card acceptance slot and replaced it with an identical, compromised version that included a modified magnetic stripe reader and a flash storage device. The new card slot came with its own clear plastic face that was situated in front of the plastic one that was already attached to the ATM’s internal card reader (see picture below). The entire fraudulent device was glued onto the ATM with silicon.

Below are a few close-ups of the silicon-based magnetic stripe reader attached to the compromised card acceptance slot overlay.

A close-up of an ATM card reader

Here’s a closer look at the electronics inside this handmade reader:

The camera was in a trim piece that was attached above the PIN pad, cleverly designed to match the rest of the ATM in color and contour. Although the camera was removed by the thief, investigators said the trim piece was similar to a hidden camera found attached to an identical ATM at a Washington Mutual bank branch in the area.

Backside of hidden camera for ATM skimmer

In other skimmer cases, ATM thieves also have been known to hack apart and modify portions of the ATM. Last week, the Palm Beach Sun Sentinel published a story about crooks in Boynton Beach, Fla. who have been cutting the bottom of ATM card readers to remove the microchip inside and replace it with their own battery-operated card reader.

If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM. And remember, the most important security advice is to watch out for your own physical safety while using an ATM: Use only machines in public, well-lit areas, and avoid ATMs in  secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.

To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.

Earlier this year, authorities in Ireland began dealing with a rash of ATM skimmers like the one picture directly below. The green anti-skimming device is backlit and oddly-shaped, a design intended to confound skimmer makers. But as can been seen from the first picture here, the only obvious difference between a compromised ATM and an unadulterated one in this case is a small plastic lip at the top, which the crooks in this attack used to house the electronic brains for their skimmer.

The second picture below shows the underside of the skimming device, removed from a compromised machine in the background.

A representative from the Garda (Irish Police) declined to discuss the skimming photos, saying that for legal reasons they were unable to comment on ongoing court cases. But a source close to the investigation said identical skimmers have been found attached to ATMs across the country. The source said a 33-year-old Moldovan man has been arrested in Limerick in connection with the attacks, which authorities have called part of a global ATM fraud operation.

Last fall, while lurking on some underground criminal forums, I encountered another type of skimmer masquerading as an anti-skimming device for cash machines made by NCR. The skimmer pictured below is sold for several thousand dollars by a Russian guy who has a presence on at least two major carding forums. His advertising literature claims the battery-operated device will hold a charge for about three days. He also claims his skimmer won’t work on Russian ATMs: “It will immediately disrupt those wishing to operate via Russian ATMs: A majority of the BINs [Bank Identification Numbers] of Russian banks are hardwired into the chip; they are not processed.”

Picture of a anti-skimmer skimmer for sale on underground forums.

When I first saw his skimmer photos, I wasn’t too impressed. I’d never seen anti-skimming devices that looked even remotely like his in real life. But that changed in December, when the wife and I traveled to Costa Rica for some friends’ destination wedding. While we were there, we had a chance to stay in and hike through the gorgeous Monteverde Cloud Forest, and at the end of a guided tour through the forest I needed to stop by the ATM to tip our guide. When I got to the town’s bank and saw the ATM pictured below, I took a step back. For one thing, the NCR ATM looked like it had one of these fake anti-skimmer devices attached.

I grew more nervous when I noticed that the only other ATM at this bank was out of order (skimmer thieves often place out-of-order signs on nearby ATMs that are not compromised, in a bid to steer people to the hacked ATM). I yanked pretty hard on the green device affixed to the ATM, and it remained attached. Left with the choice between stiffing our driver and excellent guide without a tip and taking out cash from this machine, I chose the latter. I haven’t seen any suspicious charges yet, but it just goes to show you how even a little knowledge of these ATM skimmers really can make you paranoid.

On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users.

But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.

The camera was discovered more than a day later by a maintenance worker who was servicing the ATM. The device, pictured below with the boxy housing in which it was discovered, was designed to fit into the corner of the ATM framework and painted to match.

The self-contained camera and box attached to the Bank of America ATM

The ATM pictured on the right below is shown with the card skimmer and video camera attached (click the image for a slightly larger look).

California police say the video camera and skimmer were installed by the person pictured below. The entire scam ran only for about three hours, and was reported about 11 AM. Police recovered both the skimmer and video camera, so no customer or bank losses ensued as a result of the attack. Meanwhile, the crook responsible remains at large.

A constant stream of ATM customers used the machine. According to California authorities, below is a freeze frame from a video of the first customer/victim to use the compromised ATM.

Close-ups of the card skimmer found attached to the BofA ATM

 

The first customer to use the compromised ATM.

The image below shows some of the manufacturer’s specs on the “Camball-2″ camera that was used in this attack, which retails for around $200 and runs for about 48 hours on motion detection mode.

Here’s a closer look at the relatively crude device attached to the mouth of the card insert slot, designed to steal data recorded on the magnetic stripe on the back of all bank cards. Criminals can then encode the information onto counterfeit cards, and — armed with the victim’s PIN — withdraw money from the victim’s account from ATMs around the world.

The authorities I’ve been interviewing about skimmer scams say the devices are most commonly installed on weekends, when many banks are closed or have limited hours. It’s difficult — once you know about the existence of these fraud devices — not to pull on parts of ATMs to make sure they aren’t compromised. If something comes off of the machine when you yank on it, and the bank is closed or the ATM isn’t attached to a financial institution, it’s probably best just to leave the device at the scene and not try to make off with it. Otherwise, consider the difficulty in explaining your actions should you be confronted by police after walking away. What’s more, in many skimmer cases, the fraudster who placed it there is monitoring the scene from somewhere within viewing distance of the compromised ATM.

It’s easy to be frightened by ATM skimmers, but try not to let these fraud devices spook you away entirely: Stick to machines in well-lit areas, places where you feel relatively safe physically. On top of that, cover your hand when entering your PIN, as many skimmers rely on hidden cameras and can’t steal your account credentials without recording those digits. Also, remember that any losses you may incur from skimmers should be fully reimbursable by your bank (at least in the United States). While the temporary loss of funds may not cover the cost of any checks that bounce because of the incident, these also are losses that your financial institution should cover if they were incurred because of a skimmer incident.

Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.

The most common of these off-ATM skimmers can be found near cash machines that are located in the antechamber of a bank or building lobby, where access is controlled by a key card lock that is activated when the customer swipes his or her ATM card. In these scams, the thieves remove the card swipe device attached to the outside door, add a skimmer, and then reattach the device to the door. The attackers then place a hidden camera just above or beside the ATM, so that the camera is angled to record unsuspecting customers entering their PINs.

The crooks usually return later in the evening to remove the theft devices. Armed with skimmed card data and victim PINs, skimmer thieves are able to encode the information onto counterfeit cards and withdraw money from compromised accounts at ATMs across the country.

On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an “Out of Order” sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right.

Here’s a front view of the hidden camera, which probably would appear to most ATM users as nothing more than a parabolic mirror designed to give customers a view of anyone standing behind them.

Behind the glass, however, was a battery-operated hidden camera. A tiny hole was cut out of the bottom of the mirror housing to enable the camera to record PIN entries.

Below are several images showing the key card door lock that was compromised in this attack. The top left image shows the device as it would appear attached to the door securing access to the ATM lobby. The other two pictures show the skimmer device with the electronic components added by the thieves.

The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.

The camera used in this attack retails for about $150, can record up to 2 GB (about two hours worth) of video, and runs on a rechargeable lithium ion battery.

Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and to steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Also, this seller’s profile showed that he was a longtime member, and had been vouched for as a “verified” vendor. This meant that forum administrators had vetted him by checking his reputation on other fraud forums, and that he’d paid a fee to use its escrow service if any potential buyers insisted.

Anyway, I wasn’t looking to purchase his skimmers, just to check out his wares. I chatted him up on ICQ, and he said he only sold the plastic housings for the skimmer devices, but that he could show me pictures and videos of what some of his customers had done with them. Above is a video of the seller demonstrating how one of his card skimmer housings fits over the mouth of the card slot on a working Diebold Aptiva ATM.

Below are images he sent that demonstrate two very different skimmers made with his housings. The device on the top in the picture below is a flash-based spy camera nested in a beige plastic molding meant to be attached directly above the ATM PIN pad to steal the customer’s personal identification number. The image on the bottom is the skimmer itself. To the right of each are instructions for configuring the skimmer devices and for harvesting the stolen data stored on them.

A hidden camera (top) and ATM card skimmer (bottom), along with instructions for their use.

As part of the instructions to download stolen card data from the card skimmer pictured directly above, buyers are told to install a hardware driver and software program on their Windows PC (both are safe and virus free, trust us!). After that, users are instructed to enter the password “0000″ when prompted, but this seller doesn’t include instructions for changing the default password. It’s nice to know that computer crooks make the same flawed security design decisions as many mainstream manufacturers of consumer electronics.

The images below show an all-in-one ATM card skimmer housing that harbors both a card reader and a mini flash-based spy camera (top, with putty). The picture on the right shows the same skimmer from the front (customer/victim facing) view.

Earlier this year, KrebsOnSecurity featured a post highlighting the most dangerous aspects of GSM-based ATM skimmers, fraud devices that let thieves steal card data from ATM users and have the purloined digits sent wirelessly via text message to the attacker’s cell phone. In that post, I explained that these mobile skimmers help fraudsters steal card data without having to return to the scene of the crime. But I thought it might be nice to hear the selling points directly from the makers of these GSM-based skimmers.

A GSM-based ATM card skimmer.

So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models — that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).

Throughout this post readers also will find several images this seller sent me of his two-part skimmer device, as well as snippets from an instructional video he ships with all sales, showing in painstaking detail how to set up and use his product. The videos are not complete. The video he sent me is about 15 minutes long. I just picked a few of the more interesting parts.

One final note: In the instruction manual below, “tracks” refer to the data stored on the magnetic stripe on the backs of all ATM (and credit/debit) cards. Our seller’s pitch begins:

“Let say we have a situation in which the equipment is established, works — for example from 9:00 a.m., and after 6 hours of work, usually it has about 25-35 tracks already on hand (on the average machine). And at cashout if the hacked ATM is in Europe, that’s approximately 20-25k Euros.

The back of a GSM-based PIN pad skimmer

So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.

And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer – you lose equipment, and tracks, and money.

That’s not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.

However have worked all the day and all the evening, and only by night the police has removed the equipment. As a result they thought to catch malicious guys, but it has turned out, that we have lost the equipment, but results have received in full. That day we got about 120 tracks with PINs. But if there was equipment that needs to be removed to receive tracks? We would earn nothing.”

Front view of a GSM-based PIN skimmer

And what about ATM skimmers that send stolen data wirelessly via Bluetooth, a communications technology that allows the thieves to hoover up the skimmer data from a few hundred meters away?

“Then after 15 minutes police would calculate auto in which people with base station and TV would sit,” says our skimmer salesman. “More shortly, in my opinion, for today it is safely possible to work only with GSM equipment.

Aside from personal safety issues, skimmer scammers also must be wary of employees or co-workers who might seek to siphon off skimmed data for themselves. Our man explains:

“Consider this scenario: You have employed people who will install the equipment. For you it is important that they do not steal tracks. In the case of skimmer equipment that does not transfer dumps, the worker has full control over receiving of tracks.

Well, you have the right to be doing work in another country. And so, people will always swear fidelity and honesty. This normal behavior of the person, but do not forget with whom you work. And in our situation people have no tracks in hands and have no PINs in hands. They can count quantity of holders which has passed during work and that’s all. And it means that your workers cannot steal any track.

I have listed only some situations in which GSM skimmers have obvious and total advantage before all other models. Do not ask me why I sell the equipment. I do not like this question. It’s my business why I drink coffee in the mornings why I go on trainings every day, and why I sell that or I do not sell. It’s my business.”

In the first video, we see our masked skimmer maker using a mock-up ATM to illustrate how to attach and reset his skimmer devices. The second movie shows the GSM card attached to the PIN pad overlay. In the final video, our skimmer seller demonstrates how to attach the SIM card to the ATM card skimmer module.

Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns.

The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs.

EAST said it also discovered that  a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).

In the somewhat low-res pictures supplied by EAST here, the audio skimming device is mounted on a piece of plastic that fits over the ATM’s card reader throat. A separate micro camera embedded in the plastic steals the victim’s PIN.

The use of audio technology to record data stored on the magnetic stripe on the backs of all credit and debit cards has been well understood for many years. The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37). Since then, other electronics enthusiasts have blogged about their experiments with sound skimmers; for example, this guy discusses how he made a card reader device out of an old cassette recorder.

Recently, I had a chance to chat via instant message with a hacker in Eastern Europe who sells both audio-based ATM skimmers and the technology needed to decode audio skims or “dumps.” Below are some of the pictures of his wares that he sent me:

Audio skimmer for Diebold ATMs

Audio skimmer for Diebold ATMs

Audio skimmer for Diebold ATMs

Image courtesy mreader.free.fr