Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.
This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.
It’s hard to know whether this was a homemade skimmer, or one that was purchased from online criminal forums. Some of the skimmers sold on these forums are extremely sophisticated, incorporating features such as the ability to send an SMS text message to the thieves’ mobile phone whenever a new card is swiped.
This type of fraud is actually far more common than you might think: A quick query on Twitter for “ATM skimmer” usually brings up plenty of local news reports about these devices being found on ATMs.
Practice basic ATM street smarts and you should have little to fear from these skimmers: If you see something that doesn’t look right — such as an odd protrusion or off-color component on an ATM — consider going to another machine. Also, stay away from ATMs that are not located in publicly visible and well-lit areas.
Update, 12:10 p.m.: Mikko Hypponen from F-Secure sent in a few fascinating Twitter pics of other ATM skimmers that include ingenious ways to send the stolen credentials to the scammers.
If you liked this post, please check out my follow-up posts on ATM skimmers:
ATM Skimmers Part II - Includes an entire gallery of ATM skimmer images.
Would You Have Spotted This ATM Fraud? - Delves into some of the rent-to-own skimmer models.
Fun With ATM Skimmers, Part III - Examining the skimmer problem in Europe (+ more skimmer photos!).
ATM Skimmers: Separating Cruft from Craft - Skimmer scammers are everywhere! Only buy your skimmer devices from real thieves!
Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message - Skimmers with embedded cell phones allow thieves to continue stealing credentials without ever returning to the scene of the crime.
Skimmers Siphoning Card Data at the Pump - Skimmers aren’t just for ATMs.
Yeah, I am totally fascinated by these things too. Keep hoping I will find one in the wild. Every time I go to the ATM I spend like 10 minutes trying to pull the reader off, not so much as a security thing but just because it would be cool to actually see one working.
– SR
Hi everyone. Just a quick note to say that many of you (>500) have signed up for RSS updates to the comments on this post. If you instead meant to sign up for the RSS feed on this blog, that URL is:
http://www.krebsonsecurity.com/feed/
Yeah, that’s a good idea. So next thing you know you get arrested for tampering with the ATM. Darwin Award winner in the making.
Unless he dies in the attempt, no Darwin Award.
Start checking gas station pumps as well. Really, any unattended card reader, not just feral ATMs. But skimmers are pocket-sized or smaller, so even attended readers are at risk.
Another card trick, detected at a fast food joint, had the cashier dip the card beneath the counter, just for an instant, where it was skimmed before coming back up and run through the real card reader.
I have over 35 years experience in electronics design etc.
I can strip a cheap tape recorder and with little effort make a skimmer.
I don’t have either the time or inclination to make a fancy package to stick it on a legitimate card reader.
Sure I could make money like this.
I just have a little higher morals than the new generation of gimme, gimme, gimme kids.
I had an older, father-like friend who never had a credit card until he was 83 years old.
His was skimmed under the counter by a friend of a lady who he was helping out, “she said she needed goods to cook for her home business.” The skimmer and friend who skimmed it were in JC Penney. They cleaned him for over $4000.00 before he asked me about it.
I almost caught the bitch.
If I had I quite probably would be in jail right now.
I believe in cruel punishment for people like that. That old man lived on $800.00 a month SS and in housing provided by me.
I understand how your dad lived, my dad was the same type of person, never got a pension, died on the job and I worked for him most of my life for room and board, never much profit, thinking things might get better, but they didn’t, the rich families screwed the poor/common people, stole all the profits and left us out here to survive for ourselves, I understand why there are so many small crooks today, I just wish they would smarten up and go after the rich families… they have all the wealth, not us poor/common people..!
D@mn kids! Get off my lawn! Grumble!
Another reason why fast food restaurants are bad for your health!
Could you tell me in which shop or on which site I can buy an ATM skimmer (not for illegal purposes but for my own research purposes, thanks, I would be grateful, please help me)
Brian, great write up! I talked about this on my podcast recently and I’m going to link them to this article to give them a better idea of what these skimmers look like. Thanks!
Twitter- @cybercrime101
WOW…. I had no idea they looked so normal. Had no idea. Can’t believe I have been so trusting. Thanks for the great article
Gina – You’re a step ahead of me!!!! Boy, talk about feeling like a dinosaur!!! I didn’t even know things like those ATM scam-devices existed!!
Sheesh! I probably would not have noticed this device on the ATM.
If I used the same ATM every time I use an ATM I may have noticed, but I travel a lot and use a variety of machines in all kinds of places.
Thank you for the write-up! I will use this as a reminder to be more aware.
This sort of thing partly depends on the wide variety of ATM hardware out there. It may be mostly cosmetic differences, to suit a particular bank’s house style at the time the machine was installed, but it does keep changing. We might spot this on a machine we use every week, but some of us are moving around, and using different machines all the time.
Are you a trucker, for instance?
I carry enough small bills in cash to eliminate ATM machines.
Um – just wondering…where you get the small bills? Most of us get them from ATMs. Do you go to the bank or use cash-back on debit transactions at the store?
Surprisingly, there are many resources for ATM skimming devices readily available online. A quick search on YouTube turns up a wide variety of people advertising skimming devices. One even currently offers a 20 percent discount.
There are also YouTube videos that show how to hack wireless routers and just about any other criminal enterprise one can think of. In many cases, the videos show URL’s for purchasing “tools of the trade”.
The manufacturers of these devices should be criminally prosecuted. There are no legitimate uses for these things.
That is not right – there should be no censorship of anything, including manufacturing of devices that may have criminal uses, even if you cannot think of a non-criminal use for them immediately (since just because you can’t think of a legal use, doesn’t mean it doesn’t exist).
The people to blame are: 1) the banks – they should install video surveillance into ATMs to prevent skim readers from being installed, and upgrade cards to be a smart card, not a magnetic card. 2) customers who get phished – it’s natural selection at work. You cannot eliminate people trying to steal or defraud, you ought to learn to live smarter.
Disagreed, everyone has the right to protect themselves.
In this case that means taking down those who perpetrate malicious activities against innocent users of the banking system.
Those who install these devices should be arrested and jailed, and the manufacture of such devices should be outlawed and those who make them also arrested and jailed for producing these fraudulent devices. They are fraudulent because they are fundamentally deceitful about the introduction of a third-party observer to a private electronic transaction.
I agree on utility if not on principle. These devices exist whether there is a video for it on YouTube or not. The people who create them should certainly be prosecuted but not banned from advertising. Frankly if you are stupid enough to advertise on a public domain website then like you say – natural selection should step in and get them arrested pretty sharpish.
There should also be a burden of responsibility on those who provide the services to ensure that they provide safe and secure facilities. If that were the case then the usage of the skimmers would be far less of an issue.
Criminality is becoming so sophisticated it’s frightening. The authorities have the means to track these individuals that sell them online, what the hell are they waiting for? It’s obvious their greed exceeds common sense. When I was just coming around to setting the alarm on my vehicle. Gina, a wonderful world we live in. As is said, only in America.
Nonsense – this has been around for years (!) in Europe, where they actually started with complete fake fronts – but they became more sophisticated, now only needing a false slot. In that sense you might be seeing only the newer ‘generation’ in the States…
They’re now so sophisticated, they’re factory made.
Not long ago an entire shipment of card readers for storefronts (yes, the ones your bank installs at the supermarket) was intercepted that had skimmers built into them by the Chinese factory, as well as cellphones preprogrammed to send the data to some number in eastern Europe or Russia.
These things are professionally designed, manufactured on the same lines as the regular ones (are those even being made any longer?), packaged, and shipped to the banks or their handling companies who install them in stores and ATMs.
Wow, the things crooks think of. Just imagine if the bankers started stealing money! Can you imagine it….service fees, bailouts…they could take the tax paying suckers for trillions!
I guess I am not so crazy in thinking that it is a good idea to get in the habit of planning ahead and stopping by the bank and have a teller give me the cash I am going to need for given trip or shopping spree. It also helps not to overspend.
Amen, brother. Cash is cool. & how long do we wait for some people at a checkout mucking about with their card, then find they have to use another one, sucks!!!!
My bank has warning signs on all their ‘magic tellers’, I am diligent each time I use them & always use a machine belonging to my bank. If I travel overseas I take Travellers cheques, or get my bank to give me US $ as everyone will accept their currency.
@Ed Johnson: *not* everyone in the world will accept US dollars in payment, nor are they required to. I am 100% certain that all merchants in my country (which is in Europe) would refuse US dollars in payment for anything.
As I write this, it is July 3, 2010, several months after your comment was posted. The euro has crashed in value. I am sure the vendors and retail stores will be quite happy to accept American currency – as long as those bills are not counterfeit.
A vanishingly small percentage of traders accept US$ in the UK, and most of them will /not/ accept travellers cheques either.
(A few tourist hot-spots will take Euros, but don’t bet on it.)
Travelers Checks@ yikes did I slip into a void in the time continuum!!!!
Yeah, not everyone accepts American money, and places that do will not accept large bills due to an increasing percentage of fraudulence. Most countries do not accept traveler’s checks either.
The best thing to do is have your cash converted to whatever type suits the country you are going to, so that you avoid disagreements.
I wouldn’t have seen them… Now I’m really going to start looking.
Thanks Brian!
WOW,
Guess I’m going to have to spend some time (like Space Rogue) trying to see if I can find one.
I’d love to find one in the “wild”
Great article.
b, give me a call
Another thing to remember when using ATMs:
If it asks you “do you want a receipt” DO NOT WALK AWAY when you collect your money and receipt.
At least in the ATM I use (at 7-11’s) after you take the $ and receipt it asks, “Do you want another transaction?”. If you’ve already left, the next person to use the ATM can access your account!
I warned somebody just last month about this after he walked away too early
You are wrong, if you do another transaction, the machine always asks for your PIN again.
I used to program ATM “loads”. At one time it was common for machines with motorized card readers (that hold your card until the end of the transaction) to allow transaction chaining without re-entering a PIN. PIN re-entry was only required on dip or swipe card readers.
Sometimes a load for a motorized reader would be sent to a dip reader, leading to people walking away and allowing the next person to perform another transaction.
Eventually we required PIN re-entry on all ATMs regardless of card reader type.
mine don’t
> At least in the ATM I use (at 7-11’s) after you take the $ and receipt it asks, “Do you want another transaction?”. If you’ve already left, the next person to use the ATM can access your account!
Bank of America added that to the ATM flow (at least in the Northeast US), and it struck me as particularly risky in the same manner. To test it out I pressed “yes, I want another tx” and it asked me to swipe my card again. Are you sure the one you use at 7-11 doesn’t do the same thing?
I frequently use the machine at the post office to avoid standing in long lines to ship a small package or buy books of stamps and I use my debit card. I have completed more than one transaction without re-swiping my card – I use my debit as a credit here and do not enter a pin, but if I walked away too soon without tapping “no” for “do you want to complete another transaction,” the next customer could ship & purchase with it all being charged to my account.
As a general rule, I think if you’re going to use a charge card or debit card at any machine, it’s a good idea to make sure the machine has ended your session. Cliche, but: Better safe than sorry!
@Gary: FWIW, I can remember when ATMs were new, and the Wells Fargo ATM routine would not give the card back until the customer answered “no” to the question “Do you want to do another transaction?”. Many customers walked away with the money and the receipt(s) but left their card in the ATM.
Eventually Wells Fargo changed the routine. If you withdrew cash, it would first return your card, then output the money and print the receipt. So if you had any other transaction(s) it was better to do them before withdrawing any cash. People then started walking away with their card and the cash, but leave the receipts littering the area around the ATM.
I *heard* (may be a rumor) about a particular type of ATM asking this question, which had a timeout of a couple of seconds. If you were fast enough to hit the “cancel” button on the keypad while the question was present, you could have withdrawn money from the customer account without a PIN. At the time I heard this it should have been already fixed by the ATM vendor, so I have never seen it for real. But the described behavior would well fit a careless programmer’s mistake.
Since then I never leave the ATM before it turns into the “demo mode” asking for a card, just to be sure. It takes just a couple of seconds more anyway.
As a tech for NCR, the world’s largest ATM manufacturer, I can tell you there is no way to withdraw cash from an ATM without the correct PIN… the process occurs well before the dispenser even starts moving. As far as the skimming goes, look for mismatched paint… NCR uses a custom blend of several bases and materials that’s damn near impossible to fake… If something looks off, look at another machine on the site… see if they’re all the same, or if they’re all aligned properly… bottom line, if something seems off, don’t use the machine – contact the bank’s security department… Quite personally I have seen some pretty shady ATMs out there… if it’s not for a reputable bank, I avoid using them as well… you never know who’s maintaining them or whether they can be trusted… the best defense we all have is our eyes and hands… if something looks off, feel it… does it feel to be made of the same material as the rest of the machine… look to the side, are there gaps, or paint scrapes? Bottom line is common sense
NCR CE
Brian: Great write-up! Thanks!!
NCR TECH: Appreciate your confidence in NCR’s design and manufacturing quality, but Brian’s pics show that skimmers with sophisticated design and construction are out there and are difficult to detect. How does “common sense” enable the average person to notice an overlay skimmer that matches color and format to the extent shown here? And are you suggesting that Citibank in Woodland Hills, CA, is not a “reputable” bank? (The neighborhood looks pretty clean, too; check GoogleMaps street view.) I’m not reassured by your analysis. So where does that leave us? Your employer probably doesn’t want users dismantling ATMs to check for parasite devices … although I suppose that would be job security for you. 🙂
speaking as a moron who actually got his account cleaned out, I can say that you are wrong.
When in a rush to pay off a bill in cash, I ended up forgetting my card and dashing off after the money had been delivered. Someone walked up behind me and cleaned out my account. The ATM was a Citizens Bank machine. It took the guy’s picture, and the money was reimbursed to me by the bank after three months of investigation.
Here’s the kicker, though. After three months my wife and I found out that the bank had not contacted the police, as we had been told. When we contacted the police, we were told that banks generally don’t want to get involved in prosecuting these crimes, as it is not cost effective for them (?)
That’s the reason these crimes continue. The banks won’t prosecute. They just return the money to the victim and call it even.
Wow, that’s a pretty slick job. I definitely wouldn’t have noticed that.
Brian, Nice article. I love the pictures. I don’t use ATM that much but I will surely be checking them out first from now on.
Romania is the source of this kind of ‘equipment’.
Brian-
Great pics & writeup, as usual.
I rarely use cash anymore, so I never need to make a withdrawal at an unfamiliar ATM. I make deposits at the ATM at my bank’s branch inside my local grocery store. The store is open, and fairly busy, 24/7.
Despite all that, I look at it pretty closely every time I use it… and I just showed these pictures to my wife, so she’ll be more suspicious of ATMs in general.
I don’t know if I would have spotted this.
But geez – can’t Mikko find a better way to upload pictures than with twitter??
Nope. I wouldn’t have known about this. I always use the same ATM machine. Thanks for the info. And @Gary, thanks also for your info.
I usually use familiar ATM machines, but gas stations are another story.
The Dutch railways suffer from the same problem, because their ticket machines take bank cards too. They tried to fix it by attaching plates with big studs over the ATM entry, but failed: http://www.youtube.com/watch?v=dHW8nVUY39g
(At 00:21 the voiceover says “We weren’t allowed to film you installing the plate, why was that” and the rest speaks for itself I think.)
Even at machines you think you trust, always, always, always cover the hand keying your PIN with something else. Doesn’t solve the skimming problem, but it does make your account a less-desirable target because they’d have to work a lot harder for the half of the information they don’t have.
Not sure if the PIN is encrypted on the card (I hope not), but if so, brute-force might be ‘easy’ – max. 10.000 – 1 combinations…
I was just wondering if the machine still spit out cash with the skimmer attached? In other words if you could have a normal transaction and never even know you’d just had your bank card compromised.
Very scary. Thanks for giving me something new to worry about! :p
Yes, the machine still functions normally, so as to not arouse suspicion and remain in use without detection for as long as possible.
Wouldn’t the fraud be detected each time a bank employee refills the machine’s supply of currency???
I wouldn’t have noticed it. But I always ask myself what a person that knows my card information and pin wants to do with the data. He would still need to personally get in contact with me, right?
Dorian, I think you may have missed the point. When someone has recorded your card information and your pin code, then someone can make a new card and withdraw money from your account. Over here (Europe) we are mostly using cards with chips nowadays, which are more safe, however the cards with chips are not more secure as long as the magnetic stripe can be used as well.
Great article and awesome pictures. This was a perfect to the point explanation/tutorial/awareness blog post on the subject of card skimmers. Well done!
@dorian: If a thief has a record of your debit card number and the associated PIN, he can make a duplicate card and then use a regular ATM to withdraw money from your account. He does not need to have your actual card in order to rob you blind.
@Pete, Yes, you can still withdraw money from an ATM that’s been tampered with. If it didn’t dispense cash, customers would know something was wrong with it, and someone would probably report it to the ATM operator.
Saw this linked from boingboing, and so I’ll give the same advice here. Develop the habit of pretending to enter many more numbers than are in your pin. This way the camera, should the ATM you are using turn out to be compromised, will not be able to tell what your actual pin is.
It takes some time to develop the habit but once you do it is very easy. I don’t even think about it anymore. I usually appear to enter a random pattern of 10 to 12 numbers (of which only 4 are actual keypresses, of course, but if done right any camera (or person looking over your shoulder for that matter) won’t be able to tell).
Was this ATM in front of a bank branch, or was it a Citibank owned ATM in a less supervised location? I’m impressed by the boldness of the thieves if they managed to attach the skimmer to an ATM that is right in front of a bank.
I don’t know whether the ATM was in front or inside. Looks like it was inside. Here’s the address:
22000 Ventura Blvd., Woodland Hills, Calif. 91364.
Here it is on Google Street View:
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22000+ventura+blvd,+woodland+hills,+calif+91364&sll=37.0625,-95.677068&sspn=49.043149,61.347656&ie=UTF8&hq=&hnear=22000+Ventura+Blvd,+Woodland+Hills,+Los+Angeles,+California+91364&z=17&iwloc=A&layer=c&cbll=34.168498,-118.606298&panoid=ubZV4t9lJkr-g9TjIBV_3g&cbp=12,188.51,,0,5.05
Thanks for the street view link. It looks like the ATM was outside, at the back of the bank on the Topanga Canyon Blvd side of the building.
The ATMs at my bank have surveillance cameras attached to the machines, as well as other cameras mounted to the walls. Do banks ever proactively review the footage captured from these cameras? In the few reports I’ve read about this type of attack, it seems that bank physical security teams only look at what was recorded after a theft has occurred. I’m assuming this means that they don’t lose enough money to this type of fraud to consider paying for constant monitoring?
I live in Calabasas (right next to Woodland Hills) and my Dad used that ATM on December 5th. I asked him about it and he said they sent him a new ATM card right after they found out. He didn’t know why they sent it to him, thanks for the info!
I just wrote a post on my site about it too. It’s just way too close for comfort…
If you “walk” around the back on street view there are a couple of ATMs visible. Not clear if they’re drive-up or not (there’s a truck blocking part of the view).
Drive-thru’s are probably easier to compromise. People aren’t as close and they’re often in a great hurry.
hi, very impressed with the information here! if i do ever find one it will be put under my 12 size boot. keep up the good work krebsonsecurity.
Important note: If you do see one of these on an ATM, beware, the criminals may well still be around (in my experience they like to hang around to keep an eye on their skimmer). If they notice you noticing it, they will probably come to remove it; it’s up to you whether or not you want to be in their way when they do!
Also never move it, I ripped one off the bank machine in anger after finding it and the cops sounded shocked when I called them. They told me to not go back to my car yet and wait in a public area till they got there. Usually the criminals monitor them and have beat up a few ppl in my area when their devices were discovered.
My bank was useless. They didn’t know what to do when I called them (Sat morning when branch was closed), and they just told me to call their ATM department. The ATM guy sounded like he was annoyed that I was calling him and asked me for the ATM serial number. After searching for a few mins, he then told me that’s actually located behind the machine…
I went to get a new ATM card the next week, and showed the pictures to clerk and he showed them to all his coworkers and the branch manager as none of them had seen one before. The only training they got was a paragraph in an email memo…
My ATM card was hacked in just this way a few years ago. I had never heard of it and only discovered the actual problem after researching online. The thieves (or folks who had purchased the info from the thieves) were having a merry ol’ time renting cars and dining out in Brazil–I watched their progress when I reviewed my bank statement. My former bank was absolutely NO help at all and, while they replaced my money eventually (even though they observed transactions were occurring in BRAZIL while I was standing in front of them in OHIO) I will never bank with them again.
OH yeah… welcome to Brazil, we are high tech on this kind of fraud. Probably a Brazilian did it there.
Yeah I’ve seen pics of these before. Looks like they are much more sophisticated now. Thankfully I’ve stopped using ATM’s – I only take out cash from the teller about once a month.