  • Posts Tagged: atm skimmer


    10
    Nov 10

    All-in-One Skimmers

    ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay.  The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs.

    Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

    The model displayed here is designed to work on specific Diebold ATMs, and can hold a battery charge for two to four days, depending on ambient temperature and the number of customers who pull money out of the hacked ATM.

    Functionally, it is quite similar to the all-in-one model pictured in the very first skimmer post in this ATM skimmer series, although its design indicates it may be identical to the one pictured here, which was found on a Wachovia ATM just a couple of miles from my home earlier this year.

    The tiny pinhole camera in the image above is angled so that it points at the PIN pad below and to the left, recording the victim’s 4-digit personal identification number to a flash-based memory card.



    17
    Jun 10

    Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message

    Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.

    [NOTE TO READERS: The Today Show this morning ran an interview with me for a segment they produced on ATM skimmers.]

    This latest entry in my series on skimmers includes a number of never before published pictures of a cell-phone based skimmer set that sends stolen bank card data to the attacker using encrypted text messages. The following images were obtained directly from a skimmer maker who sells them on a very well-protected online fraud forum. This particular craftsman designs the fraud devices made-to-order, even requesting photos of the customer’s targeted ATMs before embarking on a sale.

    Just as virus writers target Windows in large part because it is the dominant operating system on the planet, skimmer makers tend to center their designs around one or two ATM models that are broadly deployed around the globe. Among the most popular is the NCR 5886, a legitimate, unadulterated version of which is pictured below.

    This skimmer I’m writing about today sells for between $7,000 and $8,000 USD, and includes two main components: The actual card skimmer device that fits over the card acceptance slot and records the data that is stored on the back of any ATM cards inserted into the device; and a metal plate with a fake PIN pad that is designed to sit directly on top of the real PIN pad and capture the victim’s personal identification number (PIN) while simultaneously passing it on to the real PIN pad underneath.

    Not all skimmers are so pricey: Many are prefabricated, relatively simple devices that fraudsters attach to an ATM and then collect at some later point to retrieve the stolen data. The trouble with these devices is that the fraudster has to return to the compromised ATM to grab the device and the stolen data stored on it.

    In contrast, wireless skimmers like the one pictured below allow the thief to receive the stolen card data from anywhere in the world, provided he or she has a working cell phone signal.

    The actual card skimmer in this seller’s model is quite small, and yet includes both a magnetic strip reader and a tiny radio that sends the collected data (known as “dumps” in fraud circles) in an encrypted format to a device built into the PIN pad (more on that in a moment).

    Here are a few photos of the razor thin skimmer that comes with this kit:

    Card skimmer with track reader and radio, front side.

    And here’s a view of the electronics that powers this little thief:

    The card skimmer, reverse view



    3
    Jun 10

    ATM Skimmers: Separating Cruft from Craft

    ATM skimmers — or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.

    Both the fake PIN pad (bottom) and bogus card skimmer overlay (right).

    The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

    Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro — shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card’s magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

    The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest directly on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

    Both the card skimmer and the PIN pad overlay device relay the data they’ve stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day.



    7
    May 10

    Fun with ATM Skimmers, Part III

    ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices are a major problem in Europe as well.

    According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

    EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.

    ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards, either through handheld skimmers or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATMs along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA’s Idan Aharoni wrote an informative post about this technology earlier this year.

    Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

    While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines.


    25
    Mar 10

    Would You Have Spotted this ATM Fraud?

    ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

    The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.

    Indeed, police in Alexandria, Va. — just a couple of miles to the east of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered on Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

    Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.

    Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.

    Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.

    Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.



    2
    Feb 10

    ATM Skimmers, Part II

    Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin’s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

    According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.

    Have you seen:

    Would You Have Spotted This ATM Fraud?…The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.


    15
    Jan 10

    Would You Have Spotted the Fraud?

    Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

    This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
