June 3, 2010

ATM skimmers –or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.

Both the fake PIN pad (bottom) and bogus card skimmer overlay (right).

The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro — shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card’s magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest direct on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

Both the card skimmer and the PIN pad overlay device relay the data they’ve stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day.

This skimmer kit even includes an alarm feature so that if it is removed — either by the fraudster or a bank manager or passerby — the devices will immediately transmit any of their stored stolen data.

Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. Also, don’t be shy about covering the PIN pad with your hand so that any shoulder-surfers (or hidden cameras) can’t see your code.  If you find an ATM skimmer or other fraud device attached to an ATM, report it to the bank. If the bank is closed, it’s probably a good idea to leave the device alone and to call the police: There is a good chance that the thief who attached the device is somewhere nearby.

Further reading:

Would You Have Spotted the Fraud?

ATM Skimmers, Part II

Would You Have Spotted This ATM Fraud?

Fun With ATM Skimmers, Part III

[EPSB]

Have you seen:

Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.
[/EPSB]


43 thoughts on “ATM Skimmers: Separating Cruft from Craft

  1. emv x man

    There’s also the practice of using an entirely fake ATM; is that still called skimming?

  2. Lucian Constantin

    Hi Brian,

    Just wanted to mention that Romanian organized crime police busted a large criminal gang that was manufacturing ATM skimmers for both sale and use in Europe.

    I wrote a piece on the whole story, but I don’t want to spam your blog with links 🙂

      1. JCitizen

        Kudos to you Brain for supplying that link; and a gracious thank-you to Lucian as well! 🙂

  3. Eggman

    Simple advice:

    Get cash at the grocery store checkout.

    Mail checks to the bank.

    Pay with cash whenever possible.

    1. JBV

      Not sure where we would be getting this cash, if we followed your advice. Grocery stores and gas stations are popular targets for skimmers.

      Brian’s previous articles have included pictures of skimmers, and posts of suggestions on how to avoid them. Giving the card slot and keypad a good tug is one possible way.

      Better practice would be to use credit cards, not ATM cards, for purchases; there are consumer protections for unauthorized use and there is no instant access to your bank funds.

      1. Donatellbro

        I think his comment is more geared toward how exploitable digital currency is. Sure it’s convenient, but there are many risks that the consumer accepts when they choose plastic over paper.

      2. Jon Seagull

        In the USA, it is common practice to ask a grocery clerk to overcharge you by some amount, pay with a check or ATM card, and be refunded the difference in cash from the till.

        While a grocery store ATM might be a common target for skimmers, I have trouble believing a staffed POS terminal and PIN pad would be.

        1. Louis Leahy

          I read about a group of fraudsters posing as bank technicians who were going around installing replacement eftpos terminals with their own equipment they got found out because one service station (gas station) attendant rang her bank to check if it was authorised. Dont know if it is true or an urban myth.

    2. MrClarke

      Cash?
      Are you serious?
      Get money from the Grocery store?
      Are you serious?

      Get your money from the teller at the counter at the bank,you won’t get any counterfeit currency that way.

      Pay with cash?
      Are you serious?
      Where’s the documentation and traceability of the transaction if you pay with cash?

      Mail checks to the bank?
      are you serious?
      What happened to you to mess with your thinking so badly?
      Use Direct Deposit of all checks,
      That’s the way to do it.
      You must be someone living on the UnderGround Economy or a Tax Rebel who wants his or Her tracks Hidden.
      Get a ride into the 21st Century,
      It will open your eyes.

  4. Matthew

    Just because the ATM is located in a public, well lit area do not assume it’s safe. I was taken after using a “no-name” terminal (by which I mean not belonging to a Bank, Trust Company or other reputable firm) located upstairs in the middle of the Main Subway Station in Toronto – can’t get much more public than that!

  5. Daniel

    What about touch-screen ATMs?

    I would assume a crook would need to use a camera to capture the PIN.

    1. BrianKrebs Post author

      Most of the skimmers I’ve seen for sale target older ATMs. I’ve yet to see one that tries to mess with touch screen ATMs.

    2. Matthew Slyman

      You can get thin transparent layers of touch-sensitive material. It’s not outside the realm of possibility that a criminal could overlay one touch-screen on top of another. An extra shiny bezel around the screen might go unnoticed, if carefully fitted.

  6. george

    In one of the recent newsletters received from local police they mentioned a local ATM got a skimming device attached. They said no “tracks” were successfully stolen because the ATM immediately entered “out-of-order” status upon attaching the rig. They also mentioned if we want to cash money from a (non-skimmed) ATM, never to lay the mobile phone near the keypad as we key-in the pin as it might disable the ATM. Enough to deduce banks and ATM vendors are attempting to fight back this generation of skimming devices with sensors detecting mobile phone close proximity. A good initiative, although I’m afraid skimmers might soon find workarounds – in a previous article Brian reported there are GSM, wifi, Bluetooth as well as cheap(er) versions without remote communication. At least I’m glad to learn, in this particular skimming attempt, they lost a few thousand worth of equipment (which was confiscated by police) without a single card skimmed.

  7. Louis Leahy

    Cameras are often used now to view pin entry this is why I think banks should deploy a keyboard resort on virtual keyboards to make it harder for shoulder browsers etc to identify codes. Also the new chip based cards maybe defeating skimmers has anyone heard anything about their effectiveness in this regard? Are they upgrading card readers in ATMs to read the chip in addition to the magnetic strip many retail outlets in Australia now have readers that use the chip technology. No doubt the fraudsters will devise something for this eventually too. I believe it is possible to dispense with credit cards altogether using correct software routines to correctly validate users. Most point of sale equipment now has the hardware capacity, payments can even be done by mobile phone now.

    1. Matthew Slyman

      “I believe it is possible to dispense with credit cards altogether using correct software routines to correctly validate users.”—Would you mind explaining how you propose to do this?
      http://www.cl.cam.ac.uk/~rja14/book.html
      Check out Chapter 2 of Professor Anderson’s book, which includes some interesting material on user authentication.

      Criminals in Europe have already found ways to circumvent chip and pin security. They pose as terminal engineers, and con shop staff into letting them replace pin entry terminals with modified alternatives.

  8. David Lilja

    What you could do is to destroy the magnetic stripe on the card since it’s not being read when your using the chip. Withdraw money from an ATM with chip possibilities and pay with cash if the merchant can’t offer a chip and PIN solution. In that case the magnetic stripe can’t be read and therefore can’t be cloned. I’m not saying that chip & PIN (sounds like a delicious meal, doesn’t it?) will solve everything, but it will make it a bit harder for the fraudulent organizations.

    Another thing that is really important is knowledge regarding the security issues one can encounter in the everyday life. We all need to be more secure.

    By the way, I really like the little smiley down to the right. Made my geeky day 🙂

    1. Matt

      Part of the problem is that the cards need to be backward compatible with magnetic strip only ATMs which are still in the majority around the world, this means there will always be a switch somewhere and most of the attacks I have seen force the CNP cards to believe they are at a magnetic stripe only one and go into that mode (google Ross Anderson). The CNP smartcards are not cheap, you might be suprised to know that banks pay on average $2 per card so multiply that by many hundreds of millions lets say here in Asia, not to mention the reader upgrade costs and you have a serious bottom line issue.

      The best low cost solution to this problem I have seen is the http://www.magneprint.com idea which has serious penetration in South America and the bank managers say that card fraud went down to zero after implementing the system. The implementation costs I believe apart from software integration involve replacing ATM magnetic strip reader heads with a more sensitive magneprint version which can read the background noise of the magnetic strip. The science seems pretty solid and the implementation is working clearly so banks should give this technology a go before they get dazzeled by the hitech complexity of CNP which to my mind is in many ways the enemy of security. While it is more difficult to setup for a hitech electronic crime once you are actually pulling it off the chances of people noticing it is happening with an overly complex system diminishes.

      1. Louis Leahy

        That’s more or less the same approach as Digital Certificates, Bank Tokens, Digipass, Iron Key, MYPW and Visa Code Secure. Problem with systems like this is the validation is not setup to detect if an unauthorised person is on the client end. Most fraud is in-house not external and the result of parties known to the target obtaining their details and often using their equipment to access to their account. It should allow for a memorable set of credentials for the user and be designed in such a way as to make it difficult for the user to share those credentials even if intentional.

        1. JCitizen

          I wouldn’t be so quick to dismiss Magneprint technology; the magnetic particles are built using nanotechnology in a pattern that is unique to the individual issued the card. It would be technically impossible to copy, and even if they could, there is a back up feature that measures and records the way an individual swipes the card – no poser could possible copy this. This science is similar to the high tech that made the iPod possible as a touchscreen gadget.

          The mathematics involved are likened to chaos theory, but the card system is relatively cheap to make. The best part about it, is the old cards would work in the system until everyone was converted over.

          I do not work for this company – it is just that we discussed and haggled the arguments on Tech Republic and we almost unanimously agreed this was the best next step in two factor authentication; that was economical enough not to become the disaster that chip and pin did.

        2. Matt

          I must admit I cannot see the commonality of your list and how they relate to card cloning fraud. To be clear magneprint has nothing to do with online authentication, it is all about identifying cloned client cards, from what I understand they take a fingerprint of the natural background noise on a magnetic strip. This is all randomly produced at the time of manufacture so its sopposedly impossible to replicate and not possible with off the shelf blank cards which they currently use to write the data to. The ATM’s check this signature and accept or reject the client. Im not affiliated or an expert on their system but there is alot more info on this link.

          http://www.schneier.com/blog/archives/2009/12/magneprint_tech.html

          1. Louis Leahy

            That’s not what their website claims & in any case I wasn’t dismissing anyone, I think they are valid technologies but they are missing the point, I was talking about authentication in particular not card cloning if you have good authentication you don’t have to worry about card cloning because you don’t have to worry about cards. The issue with these technologies is they don’t protect users from those close to them who would steal from them. They may perhaps facilitate the institution denying liability a point that Krebs has highlighted on numerous occasions in regard to hapless victims of fraud finding out where they stand legally after the fact. In regard to cost you can change two factor authentication to three factor relatively cheaply and I understand there has been research by Cambridge University that indicates a significant drop in the potential for loss by having 3 or more pieces of required information in an authentication process.

  9. Amy

    I must admit I cannot see the commonality of your list and how they relate to card cloning fraud. To be clear magneprint has nothing to do with online authentication, it is all about identifying cloned client cards, from what I understand they take a fingerprint of the natural background noise on a magnetic strip. This is all randomly produced at the time of manufacture so its sopposedly impossible to replicate and not possible with off the shelf blank cards which they currently use to write the data to. The ATM’s check this signature and accept or reject the client. Im not affiliated or an expert on their system but there is alot more info on this link.http://www.schneier.com/blog/archives/2009/12/magneprint_tech.html

    1. JCitizen

      Okay Amy;

      How about combining that technology with this:

      http://blogs.techrepublic.com.com/security/?p=2271&tag=nl.e019

      Another good discussion on a simple and relatively cheap solution. Remember – chip and pin was expensive and it was defeated; sometimes the simple cheaper solution, will suffice. It may not be perfect, but would elevate the difficulty in skimming and other poor authentication schemes.

      And wouldn’t put small banks out of business from the cost of implementation!

  10. AlphaCentauri

    Other than it being more difficult for users, how about this strategy: A customer submits his card to start the transaction, but when the screen asks him to enter his PIN number, it instead asks him to slowly enter a longer string of digits with his PIN in the middle, e.g., “Enter 844####76989, where ‘####’ is your PIN number. Then press, ‘ENTER.'” Not only would that number string be randomly generated, the length of the string and the part in which the PIN would be inserted would also vary. The criminals could use a camera or a keypad to record his keystrokes, but they don’t know which keystrokes are the PIN.

    Granted, it is more complicated. The bank might have to have special accounts for blind users that still require only the PIN code. And there might need to be a way for people who find the instructions confusing to click a button that says, “Just let me enter my 4 digit PIN.”

    1. Matt

      I like the idea, it seems like a low cost implementation which could be used at ATM’s which are regularly targeted by skimmers because of their location, like on the outside of buildings in empty carparks. At the very least it would put a psychological question mark over attackers plans when they go to invest several thousand in the skimmer, “what if they start doing this all over the place?”. I think what some people might miss about the scheme is that it doesn’t have to be perfectly secure to deter a massive percentage of potential attackers, just enough to make their time/money investment not worthwhile. The difficult part would be getting the banks to implement it as generally they imagine the average user is far more mentally challenged than I believe they really are.

      I also liked the idea of entering your pin number backwards which would allow the transaction but trigger a silent duress alarm to the police. The whole sorry tale of that idea is outlined here http://www.snopes.com/business/bank/pinalert.asp essentially killed by an ATM banking system which entirely didn’t care despite very little cost to them and a security attitude which would prefer to give people no security rather than confuse a small percentage of potential users.

      1. Matthew Slyman

        “…the idea of entering your pin number backwards”—There are adverse security implications that might actually be part of the reason Michael Boyd’s reverse PIN entry police alert system was not adopted.

        Allowing a transaction to proceed based on an incorrect PIN would increase the probability of criminals succeeding in getting cash (almost doubling an attacker’s chances of success, if I’m not mistaken).

        Accidental mis-entry by legitimate customers would slightly increase the number of false alerts for police.

        Consider also, the possibility of criminals using such a system to deliberately distract the town’s police whilst conducting a real heist in another part of town. There would be no voice recording of a 911 caller to identify the source of the alert…

        Despite the possibility of accidental reverse entry by the senile, or malicious reverse entry; the police might regard the alert as an urgent case—potentially compromising the lives of other people who genuinely need the police at that time.

        Consider alternatively, the malicious use of skimmed card details/PINs to wear down the police with bogus call-outs until they ignore reverse PIN entries as a waste of their time.

        Consider also, how difficult it would be for the average person to mentally reverse their PIN number while a gun is being pointed at their head/ back. Many people in that situation would reverse their PIN incorrectly and end up like these two French PhD students in London:
        http://www.guardian.co.uk/uk/2009/jun/04/french-student-murder-violence-history
        One of the two got marched under duress to an ATM, which rejected his PIN. The two students were murdered by two crack-addicted madmen.

        On the whole, it appears to me that following Michael Boyd’s proposals would actually have increased the range of possible attacks on the ATM system/ police dispatching infrastructure.

        You potentially underestimate the motives and expertise of the committee that rejected that proposal.

    2. Matthew Slyman

      Unless your code was ridiculously (and impractically) long, the probability of an attacker guessing correctly (based on a video recording of your randomly extended PIN entry) would actually be very high. Think about it. There are only 7 (seven) ways to choose four consecutive digits within a 10 (ten) digit number…

      OK—try improving your scheme. Insert digits randomly before, after and BETWEEN the digits of the PIN… Then what? You’re compromising your system in a different way, because you increase the chances that if an attacker gets the PIN wrong, their entry will still be accepted (since your PIN verification routines must now accept random digits in between the digits of the PIN. So any PIN that happens to contain the PIN in the right order, regardless of the other digits, would be accepted.)

      Basically, your method is expensive (in terms of implementation practicality), and gives very little benefit in return. Nice idea, but sorry, there are better alternatives.

  11. Pen Plum

    TTI Guardian provides the best knowledge and experience in Duress Alarms. The setup is completely wireless which makes the operation and installation very simple. The Duress Alarm is designed to improve safety and response times in many different industries including school security, assisted living, and detention center safety. Check out their website for more information at http://ttiguardian.com.

    1. Matt

      You will get red thumbed into oblivion as the readers here are very sensitive about any specific product or company promotion however if you would like to contribute to the conversation you can give your take on the reverse pin number ATM alarm method I mentioned above.

  12. rick

    Why not put all ATM’s in a Faraday enclosure to prevent any wireless communication at all. It would block 3G, WiFi and blue tooth transmissions.

    The bad guys would have to hardwire of come back later and manually download the data.

    ATM locations that are not in such enclosures would be required to be labled as such and “buyer beware”.

    1. Matthew Slyman

      Interesting idea—although perhaps not practical in cases where the ATM is not physically located inside a bank building that is itself a Faraday cage. Look at the pictures of these skimming devices. They’re typically located on the exposed front face of the ATM. This precludes the possibility of securing the ATM inside a Faraday enclosure (unless of course you demand for bank customers to step inside a metal cage before using the ATM.)

Comments are closed.