15
Jan 10

Would You Have Spotted the Fraud?

Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.

It’s hard to know whether this was a homemade skimmer, or one that was purchased from online criminal forums. Some of the skimmers sold on these forums are extremely sophisticated, incorporating features such as the ability to send an SMS text message to the thieves’ mobile phone whenever a new card is swiped.

This type of fraud is actually far more common than you might think: A quick query on Twitter for “ATM skimmer” usually brings up plenty of local news reports about these devices being found on ATMs.

Practice basic ATM street smarts and you should have little to fear from these skimmers: If you see something that doesn’t look right — such as an odd protrusion or off-color component on an ATM — consider going to another machine. Also, stay away from ATMs that are not located in publicly visible and well-lit areas.

Update, 12:10 p.m.: Mikko Hypponen from F-Secure sent in a few fascinating Twitter pics of other ATM skimmers that include ingenious ways to send the stolen credentials to the scammers.

If you liked this post, please check out my follow-up posts on ATM skimmers:

ATM Skimmers Part II: Includes an entire gallery of ATM skimmer images.

Would You Have Spotted This ATM Fraud? Delves into some of the rent-to-own skimmer models.

Fun With ATM Skimmers, Part III: Examining the skimmer problem in Europe (+ more skimmer photos!).

ATM Skimmers: Separating Cruft from Craft: Skimmer scammers are everywhere! Only buy your skimmer devices from real thieves!

Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message: Skimmers with embedded cell phones allow thieves to continue stealing credentials without ever returning to the scene of the crime.

Skimmers Siphoning Card Data at the Pump: Skimmers aren’t just for ATMs.

257 comments

  1. Love the article on ATM skimmers. How about gas pumps as well? Just heard from someone that works for a major gas company they are having a significant problem with people breaking into gas pumps and hiding skimmers inside the pump. No amount of tugging on the gas pump will find that skimmer. Evidently the crews doing it are sophisticated and very quick at their work, easily bypassing the locks on the pumps. Just in case people were tired of only being afraid of their ATMs :)

  2. Will the cameras show the person who is using a card?
    I had mine stolen and I want to know, will I see who took my money?

    • Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency???

      • I would guess that the thief has been casing the ATM to see when someone services/refills the unit. Then he removes the skimmer before the scheduled time.

      • No, because they are refilled from the back so the teller would not normally see the front of the machine.

        • Not all ATMs are refilled from the back. Most in fact are filled by either pulling out a drawer-type system from the bottom or a large portion of the front opens as a door. To answer the question, these ATMs are serviced by bank employees and they are servicing many machines a day. One small detail such as an “insert card here” sign will go unnoticed by the servicing employees. The people that SHOULD catch it are the people who are working inside the stations etc. where the ATMs are placed. (Yes, I know some are outside, but if you look them up, most of the ones targeted are inside stores.) My wife had her physical card stolen last year and a person used it at three different stores in Virginia Beach. The employees at one of those stores actually knew the person and were obviously covering for him since he used it at 2:30 in the morning and the station locks its doors at midnight and rarely lets anyone in after. The other two stores attempted to help but both erase their video logs after two days. Now they have skimmed her credit card and charged $1300 to the card. The money is still on hold and has not been paid out but the law requires the bank to pay it out anyway even though they know it is going to a criminal. And I can’t file a claim until the money has been paid for them. The law is LITERALLY protecting the criminal and making things impossible for the victim to correct. It will take laws being changed to fix this and not a “quick check” every time you go to the ATM.

      • Not really – the bankers are checking the amount of physical cash left in the machine vs. the money withdrawn/deposited by consumers.

        The skimmers directly withdraw money from your account – like it was your ATM card. So the problem is not noticed, usually, until people start complaining about missing funds and fraudulent withdrawals from their accounts.

  3. April 2, WESH 2 Orlando – (Florida) Ocoee Publix employees find skimmer on ATM. Employees at one Orange County Publix said they found a skimming device on the store’s ATM. Police were called to the store on South Maguire Road in Ocoee April 1. The device steals data from users who put a card into the machine. Police said it’s not known how long the skimmer was there. Anyone who has used the machine is advised to call their bank. Source: http://www.wesh.com/news/23033295/detail.html

  4. pat w kingman

    Being old & old fashioned, I go to the neighborhood branch of the locally owned bank at the beginning of every month, go inside, write & cash a check, which I try to make last the month (it nearly always does). I say hello to the tellers & sometimes chat a moment with them &/or the manager, and then put all but $30-$40 in a safe place at home until I need it.

    I also try to pay cash at restaurants & places where the card gets taken out of sight (altho I am fully aware that as noted elsewhere the card can get snookered in my presence in the wink of an eye — why make it easier). My card typically has 5-8 transactions a month, none of them ATM’s.

    I realize this isn’t possible for a lot of folks, and I do travel occasionally (last time I used an ATM for cash was in Port Aux Basques, Newfoundland!), but it is possible to plan and minimize ATM (and card) use, especially for small transactions. Rewards aren’t very rewarding if you get your identity snarfed, and paying cash for small transactions helps to keep spending under control.

    Sorry for the wet-blanket lecture ;-), and yes, I do have lots of fun, too!

  6. Thanks for taking the opportunity to talk about “Would You Have Spotted the Fraud? — Krebs on Security”, I benefit from learning about this subject. If possible, as you gain data, please update this blog with new information. Thanks, Hier

  7. I have been reading a lot on here the topic Would You Have Spotted the Fraud? — Krebs on Security inspired me, i have picked up some really great ideas. Thanks and i hope to see more soon.

  8. Calgarynighthawk

    The Calgary Police were alerted to this type of stuff by a bank customer. The video is very good at showing how complex and yet simple these things are.

    http://www.cbc.ca/canada/calgary/story/2010/04/27/calgary-debit-machine-bank-skimming-scam-td-steal.html

  9. The cameras show the person who is using a card.
    I had mine stolen and I want to know, will I see who took my money?

  10. Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency?

  12. I ran into this kind of gizmo in Stockholm when I was gonna make a withdrawal from the closest ATM. I called the mall police who closed it down on the spot.

    Sneaky bastards!

    http://www.itmoln.se
    Molntjänster

  13. thanks everybody for their valuable information

  14. This is not our “fathers’ country” Times are way different like the Oldsmobile :(

  15. There should also be a burden of responsibility on those who provide the services to ensure that they provide safe and secure facilities. If that were the case then the usage of the skimmers would be far less of an issue.

  16. Wow, really makes you realize how careful you have to be in the days of electronic cash transactions.

  17. I always use the same machine, and always look at the card slot to see if there is a difference. Once I tried grabbing it, but couldn’t pull it off :)….so…How hard should I have to pull? I hate to get arrested for breaking the darn thing. I assume they use double sided tape. Some of which is quite strong…like carpet tape. Also….Is there a way to find out if ATM’s in your locality have been hit? From what I’ve read…consumer law needs to force banks to provide this data, before their customers start destroying their machines as a test of validity.

  19. WorldWallReader

    I’m white but I go around speaking only spanish to hispanics just to see what happens to me can you post your comments about it?

  20. that’s why all ATMs have transparent and/or embedded card intakes here, not opaque protruding ones.

  21. Crazy what bad guys use today. I think worldwide the same problems with ATM skimmers.

  22. If the banks would spend the money (some are) to update to current security measures readily available, this would be a thing of the past. Criminals would have to completely start over or find something else to steal. A magstripe is VERY easy to read and copy. The pin # is not that hard to get. A smart chip enabled card does not transmit until inside the machine, and it cannot be read from the outside. It is also flashable so the encryption can be changed. This technology has been out for years. All we need to do is petition the banks to start putting some effort in hiring qualified security personnel to implement the current security measures available today, and most of this theft would be a thing of the past.

    • Why not have a straight flat front from top to bottom with touch technology, nothing protruding so that nothing can be attached, or if it is then it will show as obvious protrusion, and of course embedded chip technology.

      • I thought of this idea. Have both monitor and keypad on touch screen so nothing can be easily attached to it. Have a scan device on the ATM like they do at stores. Then no pin number needed. On Youtube people are advertising skimming devices for sale. I do not know how Youtube allows them to advertise the skimming devices. I think Youtube should not allow this on their website. This makes me mad. This encourages would-be thieves to steal money from others.

    • Most cards with chips also have a mag-stripe in order to be compatible with older machines or to be used in other countries. In the UK we went over to chip and pin a few years ago but the cards still have the mag-stripe.

  23. Dear Brian,
    I just came across your blogging site and am really impressed with it and your history on how you got into information security. I’ve been a practitioner for awhile now myself and am around the same age as you. I maintain my CISSP and really just consider myself a jack of all trades but master of none as there are so many areas in computer security that my real goal is to always just help educate those that are not in the field. Your blogs have some really good material and definitely the info on the ATM skimmers will be a nice collection to add to my talks as I try to educate others on all the dangers out there and how to combat it. Keep up the good work !!!!

    Sincerely,
    Alex Levin

  24. One thing people are not realizing, is that some of the people who are servicing the machines are not actual technicians for that particular device. Take for instance ATM’s at a bank. The people who restock the machines and take out the deposits are not qualified to actually service the machines (this means they do not know what is or is not supposed to be inside the machine) these people who open the machine on a daily or semi daily basis are only trained to open the machine to restock it or to pull the deposits, not inspect the machine for abnormalities. If you really want to stop this kind of fraud, We should force the banks and other companies to have qualified people technicians check their devices every day. Maybe even twice a day.

  25. I am really thankful to this topic because it really gives up to date information :*-

  26. I have to agree with the posting about going to the bank and trying to use the cash for the rest of the week/month! It is about the best solution of all. The side benefit of not leaving traces for marketing ploys is an added bonus. As soon as the skimmers have these overlay panels you are doomed! I have done extensive research for years on the topic and thought the skimming of POS machines in markets and gas stations, which used bluetooth transmission to a cellphone nearby, which sent an SMS with the dump data to another cellphone was top until I came across a story in the UK where a whole batch of POS fresh from the factory in China was infected with a GSM device THAT ONLY SENT THE DUMP IF A GOLD OR PLATINUM CARD WAS INSERTED! This GSM device then sent the dump data to a cellphone in PAKISTAN! I think this tops the tech part so far. Brian maybe you can do some research on the story? Greetings Rod.

  28. I just simply don’t understand…

    why do the ATM manufacturers make their machines with so uneven surfaces, gaps, notches making skimmers easy to be put on….?

    They can use a transparent plastic cover with a spherical shape which would cover the entire machine and impossible to put on any other external element on it…leaving only 3 slits for card, cash n receipt and touchscreen interface.

    Isn’t it practical ?

  29. Well I was just a victim and it must have been from one of several retailers because I have not used an ATM in several months. I agree rod flemming. My parents don’t have an ATM Debit Card and have never been victims. I suppose it’s back to cash and checks, but my mom pointed out not to carry much cash ’cause you’ll get robbed!

  30. John Sanderson

    I left a comment earlier. Banamex bank in Tijuana got me. Just cleaned me out. The ATM is outside and on weekends the thieves hang around all day…waiting for Americans. Comerica is refusing to reimburse me. Those bastards have zillions and will give me a nickel. The Mexican Police just laugh at you…and claim, “no speak English”. The banks say “do not use the ATM” after the fact. Our banks are surely insured for theft…but they are acting like the Mexicans…do not give a damn. Social security says the bank should return the loss…but our rich banker says FU. NICE.