The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.
Indeed, police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered On Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.
Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.
Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.
Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.
Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.
Interestingly, after my last story on ATM skimmers, I received several spammy comments on the entry directing readers to a site that specializes in selling ATM skimming devices. That site sells a Diebold ATM skimmer that is apparently identical to the one found attached to the Alexandria ATM starting at a base price of $1,500 (see image at right). If the thief wants to have the stolen data sent to him from a safe distance via a wireless technology — such as Bluetooth or cell phone (GSM) — the price for one of these Diebold skimmers increases to $2,000 or even $2,500.
The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.
Employees are instructed to download specialized software written by the employers that pulls the stolen data off of the card skimmer at the end of a day’s “work.” The software also automatically uploads the stolen card data to the employer’s servers. The employee allegedly holds the key to making sure his employers don’t just make off with 100 percent of the stolen data, as he retains stolen PIN information.
“This way, you will have pad numbers we will have track info and we split them 50% each on cashout day,” the site explains. “We have to decide a working day from total amount of tracks you will have send us our % of pin numbers and we will send your % of tracks info, then exactly the same day will do the final job cash out.”
Of course, the entire site could be little more than a very clever scheme to bilk gullible thieves out of $1,000: Not surprisingly, the site owners only accept irreversible forms of payment, such as wire transfers or money orders.
Update, 1:47 p.m. ET: I was just interviewed about this article on The Kojo Nnamdi Show, part of WAMU 88.5 FM, a National Public Radio news station in Washington, D.C. You can listen to a recording of that show at this link here.
Update, March 26, 11:13 p.m.: I was meeting a source in Washington, D.C. today and happened to walk past another Wachovia ATM. I was so struck by the fact that I could not tell the difference between the skimmer-tainted ATM in the post above and this machine in D.C. that I snapped these photos. The ATM in question is right next to the Archives/Navy Memorial Metro Station.
Have you seen:
ATM Skimmers: Separating Cruft from Craft…The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.