February 2, 2010

Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin’s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.



104 thoughts on “ATM Skimmers, Part II”

    1. cwhig

      Worse than that–Windows on a Diebold ATM! All that’s left is to have Halliburton provide the tech support and Blackwater provide the security.

  1. Museum of Techno

    It’s a shame, the few OSX-based ATMs out there are not only impossible to hack, but deeply and spiritually beautiful to use.

      1. Michael

        He was joking. For your reference, “deeply and spiritually beautiful to use” was your flag.

        1. Jamie Kitson

          erm, surely the flag was “OSX-based ATM”, I’ve never seen a white ATM 😉 Maybe you have them over in the US?

  2. OhioMC

    Thanks Brian –

    What does the ATM OS have to do with anything?

    There’s not a single skimmer I saw that has any connection to the OS. They all appear to be brilliantly and frighteningly designed masterpieces of physical overlays that are a “physical man-in-the-middle” attack.

    Holy cr@p that’s scary!

    1. BrianKrebs Post author

      Hi Ohio. The OS has nothing to do with these skimmers, you are correct. I just thought it was interesting, I had no idea that so many ATMs were Win-based. In the context of my interview with Doten, it came up because he was telling me that several years back it threw the technicians responsible for servicing these ATMs for a loop, because now they had to be Windows admins as well. Before Windows started taking over as the dominant OS on ATMs, he said, most technicians needed only to understand IBM’s OS/2.

      1. wiredog

        Off-topic, but many supermarket checkout scanners are Windows as well. Always fun to see the scanner booting up into a Windows CE or XP screen.

        Microsoft made a big push into the embedded space several years back. Windows (especially CE and CE.Net) is in many devices.

        1. anonymous

          Also fun to see is your order screen at McDonald’s drive through fail to boot, show you a bios error indicating failure to start Windows NT and then system reboot.

          1. SR6

            What’s really scary is that many ATMs, checkout machines, etc. are still using NT.

      2. Solo Owl

        I don’t see why DOS or Unix wouldn’t suffice for an ATM or any point-of-sale device. Do you really need multitasking? Do you really need a full-scale graphics user interface? No mouse is present.

        1. Charles

          Yes, most Point-of-Sale units need multitasking because multiple things are going on. They also need GUI because most use touchscreens (which default to being mice in the OS). The POS must be able to communicate with all the assorted devices attached to the unit (Magnetic Stripe Readers, Receipt Printers, Network connections to the backend server)–sometimes simultaneously. And things can happen in the background even as you ring transactions (product price updates, configuration changes, etc.). Oh, BTW, any device with an MSR, per PCI-DSS rules, requires strong encryption and vendor support in both the POS and backend server. This pretty much requires commercial software, and if the links up the chain use Windows Server software, it makes the most sense to use Windows software at the backend and at the POS for tighter integration (leading to better security) and less liability for the store (adhering to a preferred system structure is considered good security practice).

          1. DarwinSurvivor

            DOS is obviously a bad solution, but if you use a standardised protocol, unix (which is much more secure from all fronts) would do a much better job. Less power consumption, smaller install base (less hardware), full encryption support (encrypt the FS!), better remote management (though that probably wouldn’t be needed or wanted) and absolutely no licensing fees that need to be renewed per machine per year.

            Tighter integration is often said to exist only in windows, but if you are using a stack that requires windows for proper integration, you are in a very dangerous position. What happens if the backend you are using stops being supported? With an open design (sql, ssl, ssh, vpn, etc) you could easily replace an obsolete system with a new one if something goes wrong.

            Just look what’s happening to all the corporations that introduced IE6-specific systems for “integration” reasons. They are now facing *very* hard decisions about how to “un” integrate those systems so they can move to something that is actually going to have security updates in 2 years!

          2. L.T.

            When I was looking to buy a downtown coffee shop location (and thereby graduate from IT) I had located some refurbished IBM POS machines and a Linux-based OS/POS system. Multi-tasked, handled the printer, the screen (keyboard entry), could remap keyboard fairly easily. It made the older machines work quick like a bunny, which was important during the morning go-to-work coffee rush.

    2. Benedict

      Ohio, the OS became relevant when malware was found in the wild on 20 Windows-based ATMs in Eastern Europe, according to a report by Trustwave:
      http://www.networkworld.com/news/2009/060409-cybercriminals-refine-data-sniffing-software-for.html

      The malware acts as a virtual skimmer, collecting details of all cards and PINs entered. These can be printed off from the inbuilt receipt printer when a specially-made ‘trigger card’ is inserted. The trigger card can also access other functions of the malware, including apparently the ejection of the cash cassette.

      Presumably, the malware was installed on the ATM before installation by someone with physical access to the machine.

      Now THAT’S scary stuff!

      Benedict.

      1. Charles

        That’s more the work of insiders since most ATM malware has to be installed directly into the ATMs or sent through channels internal to the bank. AFAIK, most bank-provided ATMs don’t connect to the Internet. Those that use modems connect to bank-owned stations. Others employ closed-loop intranets via leased or subscriber lines. I hear they’re considering going through the Internet (through a VPN tunnel) but in the interests of public image they’re a little skittish.

      2. Anon

        A malware-only attack would not work as the OS at no point sees the user’s PIN. The PIN is encrypted upon entry in the PIN entry device, which is a tamper resistant security module, and is not decrypted until it reaches the issuing bank. You would need some sort of hardware modification (keypad overlay, camera) to record the PIN.

        1. DarwinSurvivor

          Do you have any links to verify this claim? Since the screen (which is handled by the OS) displays feedback when keys are hit, I’d be interested to know exactly what the keypad DOES tell the OS. The same keypad is also used for numbers (pin) and selections (enter, cancel, etc) so unless the keypad (which appears to be one piece) is physically split inside, I would instinctively think the OS is doing the encryption.

          1. Vocal

            Agreed. What exactly would prevent the OS from not having access to the PIN, given the screen-based GUI nature of most modern pin-entry ATM systems?

  3. Clint

    I’m sure they use Windows now because it’s “easier,” which /does/ tend to equal “less secure.” However, that’s not my point…

    What strikes me about this is the numbers…80%? I didn’t realize skimming had exploded like that–I would have guessed more like 15%. I’d only seen a couple of those photos before, and the keypad overlay was completely new to me.

    I’ve been mostly emphasizing identity theft and scams to our credit union’s members. I think I’m going to have to start hammering on skimming again. Thanks!

  4. Rob

    The keypads and skimmers look perfect; I think I would be conned. One way to combat this is to give the ATM user a photo of what the ATM should look like, perhaps during the wait-screen when the ATM is verifying the PIN. “If this ATM does not look as pictured, call XXX-XXX-XXXX immediately.”

    1. MichaelFigueroa

      I think this is a great idea for helping protect consumers from rogue ATMs, but I think that the banks need to do more. I always explain to clients that, when deploying a new system, always have “misuse” cases to go with their use case testing. ATM skimming has been a problem for a long time, so these kinds of things should be news. For example, an ATM chassis could include a sensor (proximity or light, perhaps) to detect that a device has been placed over the card reader. With a positive detection, it could flag the system to alert the user or just go into a service mode. Image-based PINs could prevent PIN-capture pads from being useful.

      Unfortunately, it all comes down to money. $1B sounds like a big number, but it really isn’t big enough for banks to consider investing to change a system that consumers are well accustomed to.

    2. Charlie

      well.. if one would care to slap the silly thing just once when walking up to it.. would that suffice as a discovery method ???

  5. js

    Skimmers are a deeply troubling vector for fraud. They are just the small tip of the iceberg. If small cons are running by installed skimmers, bigger and more elaborate cons are in place now.

    Gaspumps, Venue ticket kiosks, Self-service Checkouts at the grocery, Photo printing kiosks, etc are also “at risk.”

    Obviously the only real defense is vigilance and open discussion. The financial community in the name of security has been allowed not to answer for fraud too long. A billion dollars in ’08 written off for fraud ought to have been cause for congressional investigations. However the country was focused on other events at the time.

    As it is, a decentralized criminal attack of de-stabilization of the monetary system by undermining trust in said system _is_ underway. The banking regulatory system is not working in the analog spaces: if 80% of all “in bank” fraud crimes were of type X, wouldn’t the regulatory agencies then enforce certain protocols and countermeasures to eliminate or at least minimize the risk of crime X?

    I’d like to see reporting on the prosecution of any skimmers, and if they are being held to USA’s RICO or EU equivalent for collusion, possession and trafficking in devices intended for decryption or bypass of encryption. What would be the charges & punishments? It seems obvious that the disincentive is not present.

    At some point in the near future the entire electronic transfer system is going to be suspect, at which point the monetary system has tipped to chaos.

    The Obama Administration could get some credibility back by having some teeth in this space.

    If 350K/day was written off in ’08. Stopping that artery bleeding for 1 day could in fact employ about 10 Americans at about 30k that year or 33,333,333 persons that year at that take home income.

    Why isn’t banking being forced to have full-time employees driving around all day patrolling for skimmers? Instead banks are allowed to write it off and they lose nothing, the cost is passed on to consumers in terms of service fees.

    In the end fraud write-offs are just a way for the criminal orgs to get funded gratis for their other activities of immigrant trafficking, white slavery, drug trafficking, terrorism (domestic or otherwise), and theft of copyrighted materials (movies, videos, games, books), running contraband (land,sea, undersea, air) which require investment in real estate, technology and cash payments.

  6. Ken

    The fix, of course, is smart cards with chips embedded in them like they have in Europe. This way there is a physical/encrypted object AND a PIN for which skimmers don’t work. Until losses are such that they exceed the cost of replacing all scanners and cards, we’ll be stuck with ancient mag stripe card technology. Fortunately, this is a bank problem and not mine.

    1. wiredog

      The problem with chip and pin is that the cards have a backup for when the chip fails. A magstripe. So in addition to going to chip and pin you have to get rid of the magstripe. Which instantly destroys backwards compatibility. Which pisses off the merchants.

    2. peter

      The wide use of chip+pin in Europe has helped to reduce fraud but those devices have been hacked too.

      The main reason banks switch to chip+pin is that doing this transfers the liability for fraud from them to you. With mag stripe the bank carries the loss unless they can prove you were involved. With chip+pin *you* have to prove to the bank that it was fraudulent.

      Not a good plan, if you ask me.

    3. Steve

      This may have cut down cloning cards etc, but just pushes the fraudulent activity into the “cardholder not present” sales, such as online.

  7. Matthew

    Always tug, poke, pull, jiggle and otherwise examine the ATM you are considering using. Oh, and never use an ATM that is not located on bank property. Those no-name ATM machines are more likely to be suspect.

    1. Rick

      Skimmers are magnitudes more likely at bank on premise ATMs than off premise ATMs. More cards are skimmed at on premise than off premise ATMs because on premise ATMs have higher transaction levels, on average.

      Avoiding off premise ATMs to avoid skimming is a red herring, false sense of safety.

  8. Frank

    I’d love to see the electronics parts that they used. Do they make their own PCB or do they get parts from something else? How do they get the data back (GSM, wireless, data stored on memory, etc.)?

  9. greenup

    Smart cards are (as mentioned before) the solution to the “card duplication” problem. Smart chip cards have a private key that NEVER leaves the card; the message is “signed” inside it.

    I’m not completely in agreement that “this is a bank problem not mine”, though; Yes, when I spot bad transactions in my statement AND a skimmer is proven to have captured my information, I can get my money back, but getting to that point will be irritating and slow. There is also the argument that, as a consumer without a better choice, I am paying for these losses in bank fees and interest rates. Even if it’s my problem, though, there’s nothing I can Do about it, but complain that the US is long past due to move to smart cards.

    1. DarwinSurvivor

      How big is the key? A 64 or 128bit key can easily be cracked in a couple minutes/hours depending on your setup. All you need to do is send a bunch of requests to the card, read the responses and then do the math later. Once the math has been done, you simply clone a new card with the reverse-engineered key.

      Modded ATMs could easily send 100 requests to the card during the 10 seconds the card is in front of it. You could even embed the reader into the bottom part of the ATM, where people tend to “set down” their cards while going through the menus.

      There’s a reason all my keys are 1024+ bits long.

      1. greenup

        “How big is the key? A 64 or 128bit key…”
        Now you are mixing things around; Smart cards usually use public key (asymmetric) cryptography, which has key lengths more like 512, 1024, or 2048. What size key is used depends on the technology of the card. While symmetric key cryptography may Also be used, a key would typically only be used for a given session. Breaking 1024 may be possible soon… given enough hardware… but probably not profitably for this application, especially since moving to 2048 bits will be relatively easy.

        As far as using exhaustive techniques to break the card; few are “contactless”, so just setting the card down someplace (on the counter) isn’t going to allow it to be read. As far as “trying 200 times during the 10 seconds of the transaction”, that isn’t going to make any kind of dent in the key space necessary. Additionally, (and this part is a crying shame) many smart cards are actually QUITE slow and can only manage a transaction per second. If the machine itself is internally compromised with a virus, then it could intercept your input (chip, pin) and do its own transaction, within the limits of the ATM’s functions. (if the ATM can only issue cash, not transfer money between foreign accounts, then all the thieves could do is make it issue more or less cash. If they could get to the cash inside the machine, they wouldn’t need your card.)

        1. Elios

          too bad smart cards and have been hacked and the encryption on most is not useless

          imo it would be easier to skim a smart card just have to get near it

  10. nick

    It’s pretty funny that people think this isn’t “their” problem – those banks are charging you for service, and if they’re writing off a billion dollars a year and not doing anything about it they’re damned sure not *losing* that billion dollars, they’re making it up somewhere else. Out of your pocketbook, either directly by fees/service charges or out of the taxpayers’ wallet.

    All ATMs have cameras in them. They take a picture of YOU when you want YOUR money. Why do they not take pictures of the criminals installing these devices? I mean, that security measure is already there, why are they only photographing law abiding citizens? I almost want to wear a ski mask and a t-shirt that says “I am stealing” when I get money from my ATM to see if anyone notices anything.

    Also, ATM stands for “automated teller machine” so saying ATM machine is a little redundant.

    These things have also been used on gas pumps for a long time. Again, these places are under video surveillance. Why does no one notice these criminals? WTF good is video surveillance if it only monitors the law abiders?

    1. MichaelFigueroa

      There’s a distinct difference between “video monitoring” and “video surveillance.” Usually, cameras are only in place to provide a deterrent factor and to provide some level of evidence following a detected event. The cameras at most ATMs, gas stations, retail stores, etc. fall into this category. A company can easily pick up a DVR with a bunch of cameras for $5-10K. But, they’re stupid systems that have no real detection mechanism, and typically record at a very low frame rate. In fact, one of the leading systems on the market can have as many as 16 cameras attached to it, but can only record a total of 30 fps. So, the more cameras you have, the worse the evidence following an incident.

      Full human surveillance would require a substantial recurring charge that most businesses (including banks) would be unable to support. But, I am familiar with one security organization that is developing a system to electronically monitor for routine activities and flag abnormal ones. If this could be done at a much lower recurring rate, it might be something to look into.

  11. d

    Wow, what a great post! In December there were two such devices placed around town. While the respective institutions found the devices, the media did not report the names of said financial institutions. They also didn’t take the time to educate anyone about the devices — or even show them. Where I bank at, I doubt they have two ATMs that are the same type of devices. So, you don’t really know what you’ll see at any location. And if they switch to a newer type of ATM, they don’t inform us of that either. I have always covered the keypad when I enter my number, now I’ve got to see if I can remove the keypad to ensure I’m using the correct one! If only banks would step up…

  12. ErikaJean

    Have you seen them on the DVD redboxes yet? Most of them are in-store, but our local Walgreens has it outside. I’m always paranoid about skimmers…. or does it not matter because you are not using a pin?

    Also, is it more out-door atms with this problem? or do the ones in stores face this problem as well?

  13. anonymous

    Not only are Diebold ATMs Windows based, but until mid 2008 or early 2009 there was no procedure (that was actually followed) for ensuring a firewall was applied to the system. Now Diebold ATMs are either Win2000 with a software firewall added or Windows XP with the XP firewall enabled. Also until Diebold introduced their approved patching service, ATMs were not patched for any of DCOM/LSASS/UPnP and any attacks against the Server service.

    The ATM has a simple user account and password combination that would never be guessed in a 1,000 years and stores a local transaction log in clear text that includes your account number and the deposit or withdrawal amount. It also has a web management interface that can be used to alter the denominations of bills.

    So yes, while Windows has nothing to do with being skimmable, people should still be scared of using ATMs.

  14. Reid

    What amazes me is how easy it is to find the hardware used. A search on YouTube for “atm skimmer” returns over 7 pages. Many of the videos are ads by those who make the hardware and offer it for sale worldwide.

    Making, selling, or possessing ATM and POS skimming devices should be illegal. Makes me wonder if that’s truly the case.

    1. Pete

      Somehow, the idea of making a specific item (i.e. ATM skimmers) illegal when the action that the items are used for (i.e. stealing account information) is already illegal doesn’t seem to make a whole lot of sense. Making illegal things “more illegaler” hasn’t worked well with drugs, illegal firearms, etc.

      Then there’s the whole issue that criminals don’t, by definition, obey the law. Making yet another thing illegal will likely have minimal effect.

      Technical solutions are the key here. Chip-and-PIN is the way to go.

      1. anonymous

        I can point out a very simple area wherein your logic of making something “more illegaler” fails to consider current laws.

        Fake IDs.

        Look at many states laws for using, possessing, manufacturing and selling fake IDs.

        Virginia:
        Illegal to use. Illegal to possess. Illegal to distribute.

    1. TheGeezer

      @charlie – thanks for the articles. It appears that the video monitoring does have some benefit.

      Also as a side note, since we’re all criticizing the banks rather heavily, I should add that I made an online purchase for a small amount once from a company I hadn’t done business with before and my bank rejected it. They sent me an email telling me that the purchase didn’t appear legitimate, but if it was I could log in to my account and verify that I did indeed make that purchase. I was glad to see that.

      1. Pete

        When that happens to me, my mobile rings 3 seconds later and I can respond to an automated service, approve the purchase & retry within a minute.

        Freaking awesome if you ask me.

      2. Mike

        The reason for that, of course, is that the bank is liable for fraudulent personal transactions, so they try harder. They have no incentive at all to implement something like that for small business accounts.

  15. Lena

    Great post! I haven’t seen any of these in the wild, but now you have me sufficiently paranoid 🙂

    One small note, that script on the photo captions is damn-near impossible to read.

  16. ann

    They wanted to have a cashless society. That’s why they are scaring people.

    1. Nick FitzGerald

      Diebold _made_ voting machines. Voting machines of such execrable quality/reputation that after being disused/replaced in several states and/or under heavy investigation for dodgy results and company practices, that spinning the voting machine business off to a separate company couldn’t even save it. This separate business was sold to one of the other voting machine companies sometime last year.

  17. David

    Brian-

    I am assuming that you would immediately know if you were a victim of one of these skimmers because you would not get any cash. Or are they set up to give you cash while your info is stolen, so that the stolen info can be used later?

    Thanks as always for great info.

    1. AlphaCentauri

      @David: No, the machine works normally. The skimmer just reads the magnetic stripe as the card goes into the machine, but doesn’t have any effect on the ATM itself.

      For prevention, what about a light sensor in an inconspicuous place near the card slot (in a place where light would fall from night lighting). If the sensor stops “seeing” light for more than x minutes, the security camera goes on and bank security is alerted.

      You might need decoy sensors around the slot, with one randomly chosen to be the active sensor. Otherwise you’d start getting skimmers designed with cutouts that leave the sensor exposed. With multiple possible positions, they would have trouble making skimmers that could be attached securely without blocking any of them.

      Alternatively, the ATM could call for help if the weight of the portion of the machine with the card slot were too high. The automatic checkout lanes in the supermarket seem to be able to sense very small weight differences, yet they hold up to heavy use.
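
The light-sensor check proposed in the comment above, sketched as an added example that is not part of the original comment or post. The sensor IDs, the light-level threshold, the one-minute polling interval and the 5-minute value for "x minutes" are assumptions, and the readings are constructed.

```python
import secrets
from dataclasses import dataclass

# Assumed values for illustration; a real deployment would calibrate both.
DARK_THRESHOLD = 50       # raw light level below which a sensor counts as covered
MAX_DARK_SECONDS = 300    # the comment's "x minutes" (here: 5 minutes)


@dataclass
class Reading:
    ts: int       # seconds since monitoring started
    sensor: str   # hypothetical sensor ID ("A", "B", "C")
    level: int    # raw light level reported by the sensor


def pick_active_sensor(sensor_ids):
    """Choose which of the installed sensors is the live one.

    The others are decoys, so an overlay built with a cutout for one
    position cannot be known in advance to leave the live sensor exposed.
    """
    return secrets.choice(list(sensor_ids))


def find_tamper_alerts(readings, active_sensor,
                       dark_threshold=DARK_THRESHOLD,
                       max_dark_seconds=MAX_DARK_SECONDS):
    """Return the timestamps at which an alert should fire.

    Only the active sensor is evaluated. A short dark spell (a hand over
    the slot) resets when light returns; an alert fires once per
    continuous dark period that lasts longer than max_dark_seconds.
    """
    alerts = []
    dark_since = None
    alerted = False
    for r in sorted(readings, key=lambda r: r.ts):
        if r.sensor != active_sensor:
            continue  # decoy readings are ignored
        if r.level < dark_threshold:
            if dark_since is None:
                dark_since = r.ts
                alerted = False
            if not alerted and r.ts - dark_since > max_dark_seconds:
                alerts.append(r.ts)
                alerted = True
        else:
            dark_since = None  # light is back: the period was transient
    return alerts


def constructed_readings():
    """Constructed sample: one reading per sensor per minute for 20 minutes.

    t=120: a customer's hand briefly shades all three sensors.
    t>=600: an overlay covers positions A and B but leaves C exposed.
    """
    out = []
    for ts in range(0, 1260, 60):
        for sensor in ("A", "B", "C"):
            level = 200
            if ts == 120:
                level = 10
            if ts >= 600 and sensor in ("A", "B"):
                level = 5
            out.append(Reading(ts, sensor, level))
    return out


if __name__ == "__main__":
    data = constructed_readings()
    for sensor in ("A", "B", "C"):
        print(sensor, find_tamper_alerts(data, sensor))
```

With the constructed data, the brief shading at t=120 never alerts, and the overlay is caught only when the live sensor is one it covers, which is the reason the comment gives for choosing the live position at random.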

      1. JohnnyBench

        As stated above, the banks are just writing the losses off… this is a problem for us plebeians, just raise account fees and let them worry about it.

        The best way to avoid skimmers is to do transactions in person. Go inside the gas station, go inside the bank. If it’s afterhours, you run the risk of skimming.

        1. HolisticParanoid

          True story – My spouse forgot to take her card out of the DRIVE UP ATM AT THE BANK in broad daylight with all the cameras they have. The person behind her withdrew $100 and left with the card. About 15 minutes later she called me and said she lost her card, so I logged in to the bank and saw that $100 was missing. I went to the very branch where the theft happened, showed the transaction, and reported it. The bank immediately locked the card. When I asked about prosecution, or needing to file a police report, the branch manager told me not to bother because it would be cost prohibitive to prosecute the perpetrator even with all of the video evidence (including the license plate number) they had.

          The lesson would be that it’s easy to look at the sheer size and total magnitude of the dollar amount and say why aren’t they doing anything until you realize that with a few exceptions most of the fraud happens as numerous small transactions spread out all over the banking landscape. Not to mention that they have to discover the skimmer and connect the criminal to it. Then they have to relate all of the fraudulent transactions to the skimming activity – which may be unprovable. Moreover, there have to be large numbers of people who have absolutely no clue that fraudulent transactions have occurred on their accounts at all. (They probably don’t balance their checkbooks either.)

          Another facet that’s not necessarily been identified in the comments here is that (this is a guess) the vast majority of the card numbers and PINs are being resold by the people operating the skimmer also making it difficult to link the Skimming to the fraud.

          So when we start talking about the banks being negligent in prosecuting the criminals, we need to be fair because for them to spend $30K to capture and punish a person for perpetrating $100.00 fraud would be just as negligent from the perspective of fiduciary responsibility to the share holders. Additionally, we haven’t taken into account all of the smaller banks, Credit Unions, S&Ls and so forth that are present in North America which lack the resources of a CitiBank or WellsFargo. FWIW I don’t think it would be even remotely beneficial to our society to make it less expensive to prosecute someone for an alleged $100 fraud because that reduction in the standards will have (probably unintended) ramifications elsewhere and elsewhen, such as when independent thinking becomes a felony…

          Just a couple thoughts.

          Nothing is ever as simple as it seems.

          1. Greg

            “Moreover, there have to be large numbers of people who have absolutely no clue that fraudulent transactions have occurred on their accounts at all. (They probably don’t balance their checkbooks either.)”

            This.

            I don’t agree with you about where the bank’s responsibility lies though. We pay a substantial transaction fee for withdrawals, and the banks must take some responsibility for the security of those transactions.

            I’ve dealt with a couple of large organizations (not banks) where they had the opportunity and evidence to prosecute clients or employees for fraud, but didn’t. Their argument was that yes we can spend $30k to get a judgement on this $100 loss and hold that up as a deterrent to future incidents, but we’re going to lose big time in the court of public perception. That may be true, but they (and the banks) are taking the easy way out, and we the customers are footing the bill.

        2. Greg

          I’d kind of prefer to go inside and do my transactions there too, but I don’t think that’s any guarantee – my card got skimmed inside a gas station (Abbotsford, BC) this Spring while prepaying for gas.

  18. cole

    I can’t see the slide show at all.
    FF2 OSX10.3.9 – too old?

  19. Nin

    I don’t know if it’s true about the CitiBank ATM last December but these photos I received by forwarding emails more than a year ago and for sure the yellow ATM is from Bank of Ayuthaya, Thailand (even the letters shown on the screen are Thai).

  20. DarwinSurvivor

    If they made the entire front of the machine one solid piece with no seams, skimmers would need to carry around a 6×4 foot chunk of plastic in order to skim a machine.

    Obviously, it would need to be made known to people that the machine is only *supposed* to have 1 piece.

    1. John

      Or they could make the front of the interface part of the machine (but probably not of the cash counting part!) out of thick glass, so everyone could see the internals, and people would be able to notice if anything was added or different.

  21. paul

    Funny, I assume crooks watch those late nite commercials like bath fitters and just thought hey wonder if this will work on ATMs. Your money is going to be gone soon enough; the government cannot print too much more, so we will see more and more hi-tech thieves.

  22. Morganism

    New Scientist just printed an article on how they use a cache feature in windows to copy all info from your transaction, and are able to print it out on the receipt printer after inserting a “repair tech” card.

    It is using a legit program within the op system, so doesn’t show up on antivirus software.

    And that’s why windoze matters…..

  23. Joe

    Found the link to this page referred by the register. It’s amazing how much effort goes into some of these skimmers.

  24. geo mer

    Recent WI pin read fraud involving 2 stores (currently known of within Hancock Fabric chain). So, having made a recent fabrics purchase at a competitor’s chain, called “that” chain and spoke with a mgr. who has “head in sand” and feels as “her” staff is “bonded” that nothing like this could “ever” happen “there!” (I didn’t take the time to explain there is always a % of “honest” persons who are “not”; the mgr. will have to find that out the “hard way.”) Found your site, checking out pin reader fraud (also the sig.oth. does “not” understand how this could “ever” happen!). Looks as tho there needs to be “business mgmt.” and “educ. to the public, to protect us (from mgrs. having “head in sand.”). g.
