November 20, 2012

Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.

Security experts with the European ATM Security Team (EAST) say five countries in the region this year have reported card trapping incidents. Such attacks involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.

These devices were made to capture the ATM user’s card after the user withdrawals cash. Credit: EAST.

“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country – despite warning messages that appear on the ATM screen or are displayed on the ATM fascia – customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale
transactions.”

According to EAST, most card trapping incidents take place outside normal banking hours with initial fraudulent usage taking place within 10 minutes of the card capture (balance inquiry and cash withdrawal at a nearby ATM), followed by point-of-sale transactions.

A twist on this attack involves “cash traps,” often claw-like contraptions that thieves insert into the cash-dispensing slot which are capable of capturing or skimming some of the dispensed bills. Here are a few pictures of a cash-trapping device from an EAST report released earlier this year.

Claw-like cash trap devices found inserted into ATMs in Europe. Source: EAST.

Not all cash trap devices are so diabolical looking, or made to be inserted into the machine. The images below show a cash trap removed from the face of a cash dispenser (left) and a cash trap as designed to be fitted onto an ATM (right).

Cash trapping devices. The one on the left is shown, removed. The image on the right shows one attached. Credit: EAST.

EAST reports that one of the most common ways that ATM thieves are stealing cash these days involves jamming an oversized fork-like device into the cash dispenser slot to keep it open following a normal ATM transaction. Thieves in Europe reportedly used this method to steal more than a million Euros from French cash machines this year.

These large fork-like “cash claw” devices have been used to steal millions. Credit: EAST.

As in past reports, EAST found that while ATM skimming remains an entrenched problem in Europe, most of the fraudulent transactions that result from skimming attacks on European ATMs occur outside of Europe. EAST believes this is because more than 90 percent of European ATMs now are compliant with the so-called “chip and pin” approach, also known as the EMV (an initialism for Europay, Mastercard and VISA) standard.

ATM cards store account data on magnetic stripes on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards — either through handheld skimmers — or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them.

Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States.  In response, according to EAST, one or more card issuers in eight European countries have now introduced some form of geo-blocking by which payment cards are blocked for usage  outside of designated EMV Chip liability shift areas.

If you liked this story, please see my entire series on ATM skimmers.


17 thoughts on “Beware Card- and Cash-Trapping at the ATM

  1. JohnP

    Last spring, I traveled from Spain, France, Italy, Austria into the Czech Republic with my USA-based credit and debit cards. None have Chip-n-Pin features. We where never hassled or denied a transaction anywhere.

    Late last month I was in Turkey for some business and 90% of the time my credit cards were rejected. I only used the ATM card at CitiBank kiosks, so I don’t know if other, local banks, would have rejected it. A few dinners were paid by credit card, but only in the extremely touristy areas. Outside the Hippodrome/New Mosque areas of Istanbul, the cards were always rejected. ALWAYS.

    I always let my bank know dates and locations for international travel. While in Turkey, I contacted them concerning the issue and the response talked about … I can’t find it now, but she was trying to group Turkey with countries like Cuba, North Korea, Sudan, Syria, Iran and Russia and implied that there was a law preventing use of USA-based credit cards in those countries using signatures. I requested a chip-n-pin credit card, but that bank does not offer them at this point.

    On the way home, I had an 8 hour layover in Amsterdam. The train ticket kiosks from Schiphol rejected all the credit cards – MC andVisa too. Again an ATM came to the rescue. My so-called “World Mastercard” didn’t work any better than the other cards.

    It is getting harder and harder for Americans to travel in Europe because CC transactions are not being accepted more and more places.

    Any credit card fraud that I’ve seen has not impacted my finances. Never had an card “retained” and can’t seem to recall having any cards skimmed. The worst issue was in 2008 when a MC was used to purchase an iPhone in NYC then again in FLA the same day. I don’t live in either of those locations. Apple called to ask me at home in GA about the transactions. I’m an Apple hater, so clearly I denied the purchases. Apple reversed the charges immediately and my bank canceled the account and sent a replacement card immediately. I’d used that card in Argentina a few months earlier, but not at all inside the USA in about a year. I have different cards for use inside the country vs outside. It helps to limit the fraud issues – at least in my mind. 😉

    Last spring all the BoA cards were replaced by BoA pre-emptively without any reason provided. We use BoA for the business, not personal accounts and I’ve never used them overseas – don’t even carry them with me on those trips.

    1. Uzzi

      You may want to read this on Fodor’s Travel Blog:

      Citi Introduces New Hilton HHonors Credit Card
      “Citibank released a new credit card this week […] With chip technology and no foreign exchange fees, the new premium Hilton Visa is designed to appeal, in particular, to overseas travelers. Credit cards with magnetic strips have become harder to use outside the US since Europe began adopting chip-and-pin cards in 2004.”
      http://www.fodors.com/news/story_5795.html

      Best Credit Cards for International Travel
      http://www.fodors.com/news/story_5428.html

    2. Travis

      When I had a BoA credit card a few years ago I, too, noticed that they would send new cards more frequently than required by the expiration date. I worried (was relieved?) that they were preemptively changing my cards for fraud prevention or similar.

      I have since heard rumor that card companies have discovered that sending new cards spurs spending. Is it because receiving a new card in the mail requires the cardholder to activate it, requiring a contact with the issuer? Does it just remind the cardholder that they have a credit card they could be using?

  2. Kevin MacMillen

    Interesting story. I read with interest the comments concerning Chip & PIN cards. As a manager of an extensive merchant services environment, I am very happy with this evolution in CC security and it continues to bewilder me why the American industry continues to resist this progress. I am led to believe that there are no documented instances of Chip & PIN security being compromised on a card, when the PIN number is not known by the hacker. The article seems to suggest it is “harder, but not impossible”. I would question that point.

  3. dave

    @Kevin MacMillen: The chip & pin terminals could be compromised (due to less then stellar software): http://crave.cnet.co.uk/gadgets/chip-and-pin-terminals-too-easy-to-hack-says-security-expert-50008475/ Certainly not as easy, but still possible. (That was with a quick google, I think there have been other issues to, but not positive.)

    BOA ATMs around me spit the atm card back out before entering a pin. A thief would still get the card (using one of the mentioned devices) but not a pin to use it with.

    1. denmike

      If your ATM is returning your card BEFORE you enter your pin it’s because it’s using the magnetic stripe for your transaction. This is not possible with chip-based cards as a lot of processing is taking place inside the card after you enter your pin.

  4. Kevin MacMillen

    @dave: The hack you point out involves stealing the PIN. There is no doubt that terminal security is an issue however my point is that if a hacker has a Chip & PIN card there is no known way to bust open the PIN data which is embedded in the card. Thus possessing the card is useless unless of course you plan to steal money with an internet (card not present) transaction…

        1. JCitizen

          Thanks Brian; I made some disparaging remarks on that article discussion. I decided to fish for other opinions. That was one good article too! Not that all of your articles aren’t top notch! 😀

  5. SeymourB

    I’m naturally skeptical, so I wonder how much of the drop in reported fraud after switching to chip & pin systems are due to banks changing their reporting policy.

    Previously the fraud was assumed to be the work of third parties if the customer reported it, or at least was investigated in this way to recover funds. With the coming of chip & pin though, the system was assumed to be impenetrable, so the assumption was changed that if any charges occur they are the act of the cardholder. In other words, they’re no longer acts of fraud in the bank’s eyes. You, as a cardholder, may hold a different opinion of course.

    1. Kevin MacMillen

      Card-present credit card fraud has reduced in such a significant manner in Canada since the introduction of Chip/PIN security that it can only be chalked up to it being effective. It’s actually good for our Canadian operations because the crooks go where the money is the easiest – and that happens to be in the US where Chip / PIN has not yet been introduced.

  6. Totio Filipov

    Thieves are getting more and more creative. It’s horrible to know that you can become a victim of an ATM trap without even suspecting no matter how careful you are. I am only withdrawing money from ATMs in banks. I think this is the best way to protect yourself.

Comments are closed.