Posts Tagged: atm skimmer

A Little Sunshine / All About Skimmers / Other21 Comments
16
Feb 11

Having a Ball with ATM Skimmers

On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users.

But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.

The camera was discovered more than a day later by a maintenance worker who was servicing the ATM. The device, pictured below with the boxy housing in which it was discovered, was designed to fit into the corner of the ATM framework and painted to match.

The self-contained camera and box attached to the Bank of America ATM

The ATM pictured on the right below is shown with the card skimmer and video camera attached (click the image for a slightly larger look).

California police say the video camera and skimmer were installed by the person pictured below. The entire scam ran only for about three hours, and was reported about 11 AM. Police recovered both the skimmer and video camera, so no customer or bank losses ensued as a result of the attack. Meanwhile, the crook responsible remains at large.

The image below shows some of the manufacturer’s specs on the “Camball-2″ camera that was used in this attack, which retails for around $200 and runs for about 48 hours on motion detection mode.

Here’s a closer look at the relatively crude device attached to the mouth of the card insert slot, designed to steal data recorded on the magnetic stripe on the back of all bank cards. Criminals can then encode the information onto counterfeit cards, and — armed with the victim’s PIN — withdraw money from the victim’s account from ATMs around the world.

The authorities I’ve been interviewing about skimmer scams say the devices are most commonly installed on weekends, when many banks are closed or have limited hours. It’s difficult — once you know about the existence of these fraud devices — not to pull on parts of ATMs to make sure they aren’t compromised. If something comes off of the machine when you yank on it, and the bank is closed or the ATM isn’t attached to a financial institution, it’s probably best just to leave the device at the scene and not try to make off with it. Otherwise, consider the difficulty in explaining your actions should you be confronted by police after walking away. What’s more, in many skimmer cases, the fraudster who placed it there is monitoring the scene from somewhere within viewing distance of the compromised ATM.

It’s easy to be frightened by ATM skimmers, but try not to let these fraud devices spook you away entirely: Stick to machines in well-lit areas, places where you feel relatively safe physically. On top of that, cover your hand when entering your PIN, as many skimmers rely on hidden cameras and can’t steal your account credentials without recording those digits. Also, remember that any losses you may incur from skimmers should be fully reimbursable by your bank (at least in the United States). While the temporary loss of funds may not cover the cost of any checks that bounce because of the incident, these also are losses that your financial institution should cover if they were incurred because of a skimmer incident.

Have you seen:

Green Skimmers Skimming Green…To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.

A Little Sunshine / All About Skimmers / Web Fraud 2.059 Comments
31
Jan 11

ATM Skimmers That Never Touch the ATM

Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.

The most common of these off-ATM skimmers can be found near cash machines that are located in the antechamber of a bank or building lobby, where access is controlled by a key card lock that is activated when the customer swipes his or her ATM card. In these scams, the thieves remove the card swipe device attached to the outside door, add a skimmer, and then reattach the device to the door. The attackers then place a hidden camera just above or beside the ATM, so that the camera is angled to record unsuspecting customers entering their PINs.

The crooks usually return later in the evening to remove the theft devices. Armed with skimmed card data and victim PINs, skimmer thieves are able to encode the information onto counterfeit cards and withdraw money from compromised accounts at ATMs across the country.

On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an “Out of Order” sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right.

Here’s a front view of the hidden camera, which probably would appear to most ATM users as nothing more than a parabolic mirror designed to give customers a view of anyone standing behind them.

Behind the glass, however, was a battery-operated hidden camera. A tiny hole was cut out of the bottom of the mirror housing to enable the camera to record PIN entries.

Below are several images showing the key card door lock that was compromised in this attack. The top left image shows the device as it would appear attached to the door securing access to the ATM lobby. The other two pictures show the skimmer device with the electronic components added by the thieves.

Continue reading →

A Little Sunshine / All About Skimmers36 Comments
17
Jan 11

ATM Skimmers, Up Close

Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and to steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Also, this seller’s profile showed that he was a longtime member, and had been vouched for as a “verified” vendor. This meant that forum administrators had vetted him by checking his reputation on other fraud forums, and that he’d paid a fee to use its escrow service if any potential buyers insisted.

Anyway, I wasn’t looking to purchase his skimmers, just to check out his wares. I chatted him up on ICQ, and he said he only sold the plastic housings for the skimmer devices, but that he could show me pictures and videos of what some of his customers had done with them. Above is a video of the seller demonstrating how one of his card skimmer housings fits over the mouth of the card slot on a working Diebold Aptiva ATM.

Below are images he sent that demonstrate two very different skimmers made with his housings. The device on the top in the picture below is a flash-based spy camera nested in a beige plastic molding meant to be attached directly above the ATM PIN pad to steal the customer’s personal identification number. The image on the bottom is the skimmer itself. To the right of each are instructions for configuring the skimmer devices and for harvesting the stolen data stored on them.

A hidden camera (top) and ATM card skimmer (bottom), along with instructions for their use.

Continue reading →

A Little Sunshine / All About Skimmers / Web Fraud 2.055 Comments
13
Dec 10

Why GSM-Based ATM Skimmers Rule

Earlier this year, KrebsOnSecurity featured a post highlighting the most dangerous aspects of GSM-based ATM skimmers, fraud devices that let thieves steal card data from ATM users and have the purloined digits sent wirelessly via text message to the attacker’s cell phone. In that post, I explained that these mobile skimmers help fraudsters steal card data without having to return to the scene of the crime. But I thought it might be nice to hear the selling points directly from the makers of these GSM-based skimmers.

A GSM-based ATM card skimmer.

So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models — that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).

Throughout this post readers also will find several images this seller sent me of his two-part skimmer device, as well as snippets from an instructional video he ships with all sales, showing in painstaking detail how to set up and use his product. The videos are not complete. The video he sent me is about 15 minutes long. I just picked a few of the more interesting parts.

One final note: In the instruction manual below, “tracks” refer to the data stored on the magnetic stripe on the backs of all ATM (and credit/debit) cards. Our seller’s pitch begins:

“Let say we have a situation in which the equipment is established, works — for example from 9:00 a.m., and after 6 hours of work, usually it has about 25-35 tracks already on hand (on the average machine). And at cashout if the hacked ATM is in Europe, that’s approximately 20-25k Euros.

The back of a GSM-based PIN pad skimmer

So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.

And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer – you lose equipment, and tracks, and money.

That’s not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.

However have worked all the day and all the evening, and only by night the police has removed the equipment. As a result they thought to catch malicious guys, but it has turned out, that we have lost the equipment, but results have received in full. That day we got about 120 tracks with PINs. But if there was equipment that needs to be removed to receive tracks? We would earn nothing.”

Front view of a GSM-based PIN skimmer

And what about ATM skimmers that send stolen data wirelessly via Bluetooth, a communications technology that allows the thieves to hoover up the skimmer data from a few hundred meters away?

“Then after 15 minutes police would calculate auto in which people with base station and TV would sit,” says our skimmer salesman. “More shortly, in my opinion, for today it is safely possible to work only with GSM equipment.

Aside from personal safety issues, skimmer scammers also must be wary of employees or co-workers who might seek to siphon off skimmed data for themselves. Our man explains:

“Consider this scenario: You have employed people who will install the equipment. For you it is important that they do not steal tracks. In the case of skimmer equipment that does not transfer dumps, the worker has full control over receiving of tracks.

Well, you have the right to be doing work in another country. :-) And so, people will always swear fidelity and honesty. This normal behavior of the person, but do not forget with whom you work. And in our situation people have no tracks in hands and have no PINs in hands. They can count quantity of holders which has passed during work and that’s all. And it means that your workers cannot steal any track.

Continue reading →

A Little Sunshine / All About Skimmers / Web Fraud 2.026 Comments
23
Nov 10

Crooks Rock Audio-based ATM Skimmers

Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns.

The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs.

EAST said it also discovered that  a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).

In the somewhat low-res pictures supplied by EAST here, the audio skimming device is mounted on a piece of plastic that fits over the ATM’s card reader throat. A separate micro camera embedded in the plastic steals the victim’s PIN.

The use of audio technology to record data stored on the magnetic stripe on the backs of all credit and debit cards has been well understood for many years. The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37). Since then, other electronics enthusiasts have blogged about their experiments with sound skimmers; for example, this guy discusses how he made a card reader device out of an old cassette recorder.

Continue reading →

A Little Sunshine / All About Skimmers26 Comments
10
Nov 10

All-in-One Skimmers

ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay.  The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs.

Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

The model displayed here is designed to work on specific Diebold ATMs, and can hold a battery charge for two to four days, depending on ambient temperature and the number of customers who pull money out of the hacked ATM.

Functionally, it is quite similar to the all-in-one model pictured in the very first skimmer post in this ATM skimmer series, although its design indicates it may be identical to the one pictured here, which was found on a Wachovia ATM just a couple of miles from my home earlier this year.

The tiny pinhole camera in the image above is angled so that it points at the PIN pad below and to the left, recording the victim’s 4-digit personal identification number to a flash-based memory card.

Continue reading →

All About Skimmers / The Coming Storm45 Comments
17
Jun 10

Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message

Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.

[NOTE TO READERS: The Today Show this morning ran an interview with me for a segment they produced on ATM skimmers.]

Visit msnbc.com for breaking news, world news, and news about the economy

This latest entry in my series on skimmers includes a number of never before published pictures of a cell-phone based skimmer set that sends stolen bank card data to the attacker using encrypted text messages. The following images were obtained directly from a skimmer maker who sells them on a very well-protected online fraud forum. This particular craftsman designs the fraud devices made-to-order, even requesting photos of the customer’s targeted ATMs before embarking on a sale.

Just as virus writers target Windows in large part because it is the dominant operating system on the planet, skimmer makers tend to center their designs around one or two ATM models that are broadly deployed around the globe. Among the most popular is the NCR 5886, a legitimate, unadulterated version of which is pictured below.

This skimmer I’m writing about today sells for between $7,000 and $8,000 USD, and includes two main components: The actual card skimmer device that fits over the card acceptance slot and records the data that is stored on the back of any ATM cards inserted into the device; and a metal plate with a fake PIN pad that is designed to sit directly on top of the real PIN pad and capture the victim’s personal identification number (PIN) while simultaneously passing it on to the real PIN pad underneath.

Not all skimmers are so pricey: Many are prefabricated, relatively simple devices that fraudsters attach to an ATM and then collect at some later point to retrieve the stolen data. The trouble with these devices is that the fraudster has to return to the compromised ATM to grab the device and the stolen data stored on it.

In contrast, wireless skimmers like the one pictured below allow the thief to receive the stolen card data from anywhere in the world, provided he or she has a working cell phone signal.

The actual card skimmer in this seller’s model is quite small, and yet includes both a magnetic strip reader and a tiny radio that sends the collected data (known as “dumps” in fraud circles) in an encrypted format to a device built into the PIN pad (more on that in a moment).

Here are a few photos of the razor thin skimmer that comes with this kit:

Card skimmer with track reader and radio, front side.

And here’s a view of the electronics that powers this little thief:

The card skimmer, reverse view

Continue reading →

A Little Sunshine / All About Skimmers / Web Fraud 2.043 Comments
3
Jun 10

ATM Skimmers: Separating Cruft from Craft

ATM skimmers –or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.

Both the fake PIN pad (bottom) and bogus card skimmer overlay (right).

The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro — shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card’s magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest direct on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

Both the card skimmer and the PIN pad overlay device relay the data they’ve stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day.

Continue reading →

A Little Sunshine / All About Skimmers / Other44 Comments
7
May 10

Fun with ATM Skimmers, Part III

ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices also are a major problem in Europe as well.

According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.

ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards — either through handheld skimmers — or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA‘s Idan Aharoni wrote an informative post about this technology earlier this year.

Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines (click any of the images to view a slideshow).

Have you seen:

All-in-one Skimmers…ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

A Little Sunshine / All About Skimmers / Other91 Comments
25
Mar 10

Would You Have Spotted this ATM Fraud?

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.

Indeed, police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered On Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.

Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.

Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.

Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.

Continue reading →

← Older Entries
Newer Entries →