December 9, 2014

Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

Not long after that post went live, I heard from the folks at NCR, one of the world’s largest cash machine manufacturers. NCR had put out a bulletin on the emergence of this very threat in Sept. 2014, saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5887 models.

As I noted in my original story, the attackers use a plastic decal to cover up the hole, but NCR’s photos of one ATM compromised by this method offer a better look at what’s going on here. Take a look at the size of that hole:

A hole left by crooks who added "wiretapping" or "eavesdropping" theft devices to a compromised ATM.

A hole left by crooks who added “wiretapping” or “eavesdropping” theft devices to a compromised ATM. Image: NCR.

“In this attack, the ATM fascia is penetrated close to the card reader to create a hole large enough for the attacker to reach inside the ATM and place a tap directly onto the card reader in order to skim card data as it is read by the ATM,” NCR said in an advisory it produced on the increasingly common attacks.

According to NCR, the emergence of this type of skimming attack is a response to the widespread availability of third party anti-skimming technology which is successful at preventing the operation of a traditional skimmer, placed on the outside of the ATM.

“Card reader eavesdropping skimmers are placed in a location that third party anti-skimming technology necessarily cannot protect, since the ATM must be capable of reading the card,” the advisory notes. “This [technique] has previously been seen in Ireland and the Netherlands, and can be expected to grow as traditional skimming is prevented.”

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

If the idea of ATM bandits taking a blowtorch to the cash machine sounds extreme, at least they’re not trying to blow the ATM to smithereens. According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise.

A gas cylinder and pipe found fitted at a compromised ATM before it could be detonated. Source: EAST.

A gas cylinder and pipe fitted at a compromised ATM. Source: EAST.

EAST reports that explosive gas attacks were reported by eight countries in Europe this year. Why would thieves risk their lives and that of innocent passers-by on such a brute-force attack? EAST says the attacks are generally successful at busting open the ATM about 40 percent of the time.

“Two of the countries also reported attacks using solid explosives,” EAST warned. “Collateral damage for solid explosive attacks is a major concern. In one country, the average overall frequency of ATM related physical attacks is five incidents per week. Three countries reported significant collateral damage from physical attacks, in addition to cash losses suffered.”

Fortunately, many countries in Europe are fighting back against these incredibly dangerous skimming attacks, both with improved ATM technology and stiffer sentences for crooks caught in the act.

“In one country no such attack s have been reported since the introduction of ink staining technology,” EAST noted. “In another, significant sentences have been given to criminals convicted of such attacks (the longest was 18 years in prison and the shortest 14 years!). This is an important step for Europe as, overall, sentences for such attacks are deemed by the industry to be too lenient.”

28 thoughts on “More on Wiretapping ATM Skimmers

  1. Haggis

    Great Story

    one small edit needed

    saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5877 models.

    two model numbers are the same

    1. kybelboy


      If your going to volunteer your proofreading skills, it is important that you are right. You better check those numbers again.

      1. BrianKrebs Post author

        He was right. I updated the story. I saw this shortly after I posted this last night, but could not change it because the site was down from being under sustained DDoS,

        1. kybelboy

          Ok, apologies to Haggis. At the same time maybe the self appointed editors on this blog should consider a private email to you on the punctuation, capitalization, grammatical and other errors. Sometimes it seems like a lot of Sheldons from “The Big Bang Theory” read this blog and are overly focused on the medium instead of the subject. In short, some of the corrections are nit picky and could be handled on another channel. I’m assuming you would correct the offending error with a note, much like this one. Merry Christmas!

          1. JJ

            But if he’d fixed your code you’d say ‘thank you.’ How can you take his correction more personally than the author himself? I also am against ‘death by misdirection’, where an argument dies because of a typo, but sometimes a ‘thank you’ is really more appropriate.

  2. steeplebadger

    Incredibly dangerous, maybe, but I am not sure blowing up an ATM can be classified as a skimming attack…

    1. JCitizen

      HA! That’s for sure! 😀
      Now I suppose we’ll be seeing ATMs built like M1 tanks!

  3. Clive

    This is an interesting article – thank you for publishing. The most fascinating aspect for me is the relative vulnerability of the ATM hardware itself. This type of equipment has been in use for what? More than 20 years… We still have instances of thieves trying to tow them away with trucks… So how can an ATM manufacturer offer up a design that has nothing more than a cheap and flimsy plastic fascia?

    This article doesn’t say, but I wonder if exploits are being directed towards older, in-situ machines, or whether the market is still producing vulnerable examples?

    Security through obscurity again…

    1. Caffeineguru

      towing ATM’s away are rarely successful. While the fascia is cheap, the entire thing is quite heavy (other than mobile ATM’s which are still heavy, but a little less so). Plus many are surrounded by alarmed bollard poles. Physical security has to be balanced with cost- gas attacks, hinge cutting, towing, etc are one-time costs and depending on the amount of cash in the machine, the one-time loss is usually less than the institution’s deductible. In those cases, that risk is simply accepted.

      Skimming can be much more damaging overall, but a number of controls are generally in place to lo lower the likelihood that it happens. Again, the cost of controls gets to the point where the residual risk of isolated skimming attacks is simply accepted.

      ATM manufacturers generally offer a plethora of controls that can be implemented, but they don’t come cheap and aren’t worth the cost to the institution.

  4. Andy

    Interesting in the different motivations of the criminal. One is highly skilled and is interested in the card data and avoiding detection. The other group is less skilled and is only interested in the cash inside the machine and isn’t too concerned with detection.

  5. Dr. Zackary Smith

    The ATM machines need an-tamper type devices found in P.O.S machines, where any attempt to dissemble the device causes the memory chips to be wiped clean.

    1. Bruce Hobbs

      So you’re saying that, when an ATM is under physical attack, it should destroy the money? I’ll bet that’s popular with the banks!

      1. Dave Brooks

        Not destroying exactly, but rendering it useless by spraying with dye. That’s widely done in the cash handling industry: the money is unusable, but still identifiable to support an insurance claim.

  6. jim

    So, I speculate, reason for blowing up an ATM? Simple, like the story of the mobster son in k.c. Working for the company that serviced ATM’s. And was caught shortchanging, why would a security company hire a mob boss? Access to the ATM lines? They, the mob big boys, with ties elsewhere, may have started the next NSA. Attacking around town by town, looking for nodes of entry on that circuit. He was caught with money, but what else was he adding to the circuit while legally in on the job?

  7. petepall

    Why so many varied attacks on ATMs? Well, as Willie Sutton said when asked why he robbed banks: “It’s where the money is.” Duh! I agree these ATMs need to be made more like safes, rather than open trays on a buffet line.

    1. meh

      There is a point where just staying open during normal people hours would be cheaper. The whole point of an ATM is to replace the $8/hr cashiers they had working during the day.

  8. Eric

    Cat-and-mouse. I guess the next thing is that ATM machines will need gas sensors so they sound an alarm as soon as the crooks start to pump propane into the machine.

    But I suppose the real outcome is likely to be that ATM machines will disappear from certain types of locations and will remain indoors where it will be harder for the bad

  9. Rick

    Brian, have you heard of a breach at Navy Federal? Apparently some info was accessed which may include credit card data.

  10. Dave

    There is some confusion amongst the comments which is understandable given what is protected and what is exploited.

    ATM security has traditionally been concerned with theft of money and PIN skimming. The card number and even the mag stripe in some cases were considered less important.

    * ATMs are equipped with an encrypting PIN PAD or EPP. It’s a certified device that is responsible for encrypting your PIN. The PC and the communications lines aren’t ever supposed to see your PIN in the clear. Nor the payment switching computers. Just your bank and special purpose encryption devices called HSMs. The criminals still need cameras or overlays to get your PIN.

    * The big hole and electronics is to tap the cable from the card reader to get your card data and combine it with the PIN.

    * The money is inside a safe. The gas/explosive is to blow that and get access to the money. Totally different attack. Some ATMs have safes resistant to some of the gas attacks. I would suspect not so much in the case of industrial explosives.

    Now where you have a magnetic stripe bank card the tap works fine for the criminal. But what if you have a chip bank card like in Canada. The data presented is dynamic. The criminal shouldn’t be able to get much of use of the tapped data. So unless I’m missing something, this is a problem where the bank cards are still just mag stripe or there is legacy mag stripe being phased out.

Comments are closed.