22
Jul 15

Spike in ATM Skimming in Mexico?

Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

On Saturday, July 18, 2015, municipal police in Puerto Vallarta arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim’s ATM card PIN.

Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?

The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:

The backside of the false fascia shows the location of the hidden camera.


The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!


The device used to record data from the magnetic stripe as the customer inserts his ATM card into the machine is nothing special, but it does blend in pretty well as we can see here:

The card skimming device, as attached to a compromised ATM in Puerto Vallarta.


Have a gander at the electronics that power this badboy:


According to a local news clipping about the skimming incident, the fraudster caught red-handed was found in possession of a Carte Vitale card, a health insurance card of the national health care system in France.

The man apprehended by Mexican police. Image: Noticiaspv.com

The French health care card found on the man apprehended by Mexican police. Image: Noticiaspv.com

The man gave his name as Dominique Mardokh, the same name on the insurance card. Also, the picture on the insurance card matched his appearance in real life; here’s a picture of Mardokh in the back of a police car.

According to the news site Noticiaspv.com, the suspect was apprehended by police as he fled the scene in a vehicle with license plates from Quintana Roo, a state nearly 2,500 km away on the Atlantic side of Mexico that is the home of another very popular tourist destination: Cancún.

Ironically, the healthcare card that identified this skimmer scammer is far more secure than the bank cards he was allegedly stealing with the help of the skimming devices. That’s because the healthcare card stores data about its owner on a small computer chip which makes the card difficult for thieves to duplicate.

Virtually all European banks and most non-US financial institutions issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), but unfortunately chip cards have been slow to catch on in the United States. Most US-based cards still store account data in plain text on a magnetic stripe, which can be easily copied by skimming devices and encoded onto new cards.

For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdraw cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.
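The stripe-versus-chip gap described above is something a card issuer can watch for in its own authorization data. The following is an added example, not code from this post or from any bank: it flags stripe reads of chip-issued cards, using the ISO 8583 POS entry mode and the stripe's service code as they are commonly populated. The record layout, card tokens and sample transactions are constructed for illustration.

```python
from dataclasses import dataclass

# First two digits of ISO 8583 field 22 (POS entry mode), as commonly used.
CHIP_READ = "05"       # data read from the chip
STRIPE_READ = "90"     # full magnetic-stripe read
CHIP_FALLBACK = "80"   # chip card, terminal fell back to the stripe

@dataclass
class Auth:
    card_id: str       # constructed token, never a real card number
    service_code: str  # 3 digits from the stripe; leading 2 or 6 means "card has a chip"
    entry_mode: str
    country: str
    channel: str       # "ATM" or "POS"

def has_chip(service_code: str) -> bool:
    return service_code[:1] in ("2", "6")

def flag_stripe_use(auths):
    """Return (card_id, reason) alerts; `auths` must be in chronological order."""
    last_chip_country = {}
    alerts = []
    for a in auths:
        if a.entry_mode == CHIP_READ:
            last_chip_country[a.card_id] = a.country
            continue
        stripe = a.entry_mode in (STRIPE_READ, CHIP_FALLBACK)
        if not stripe or not has_chip(a.service_code):
            continue  # stripe-only cards give no chip signal to compare against
        home = last_chip_country.get(a.card_id)
        if home and home != a.country and a.channel == "ATM":
            alerts.append((a.card_id,
                           f"stripe read at ATM in {a.country}; chip last read in {home}"))
        elif a.entry_mode == CHIP_FALLBACK:
            alerts.append((a.card_id, "chip-to-stripe fallback"))
    return alerts

# Constructed sample traffic.
SAMPLE = [
    Auth("card-A", "201", CHIP_READ, "FR", "ATM"),
    Auth("card-A", "201", STRIPE_READ, "US", "ATM"),    # cloned-stripe pattern
    Auth("card-B", "101", STRIPE_READ, "US", "ATM"),    # stripe-only card, not flagged
    Auth("card-C", "201", CHIP_FALLBACK, "FR", "POS"),  # fallback, worth a review
    Auth("card-D", "601", CHIP_READ, "MX", "POS"),
    Auth("card-D", "601", STRIPE_READ, "MX", "ATM"),    # same country, not flagged
]

if __name__ == "__main__":
    for card, reason in flag_stripe_use(SAMPLE):
        print(card, "->", reason)
```

A stripe-only card such as card-B produces no alert here, which is why the hidden-camera PIN capture matters so much for cards without a chip.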

The skimmers found in Mexico (where most credit cards also are identified by microchip) abuse that same dynamic: Undoubtedly, the thieves in this scheme compromised ATMs at popular tourist destinations because they knew these places were overrun with American tourists.

In October 2015, U.S. merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. Most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers). Unfortunately, that liability shift doesn’t apply to ATMs in the U.S. until October 2017.

Whether or not your card has a chip in it, one way to defeat skimmers that rely on hidden cameras (and that’s most of them) is to simply cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.

Update, July 28, 8:54 a.m. ET: ATM maker NCR has just released an advisory also warning about a spike in ATM skimming tied to Mexico. See the alert here (PDF).


61 comments

  1. Can this be somewhat mitigated by covering the pin pad area with security/tamper tape that would clearly show the damage caused by it being removed and reapplied by the crooks? I’d imagine the damage of a pinhole for a camera on this tape would be a lot easier to see.

    • controltac, I’ve thought of that, too, but working in the fraud business now for a good while, whenever I see a piece of security tape on a gas pump, I can’t help but wonder what’s to prevent an “insider” to apply a new numbered piece after his confederates have installed a skimmer.

      I once asked a Costco employee who was monitoring the pumps if they were checked often to make sure no one had tampered with them. He said “I do. I can’t vouch for my fellow employees.”

      Caveat Emptor is alive and shopping at Costco.

  2. This is why I never use an ATM overseas. Too risky, just pay by credit card.

    • Really?

      Card Skimming is alive and well in the U.S. Of A.

      I’ve been hit twice in the past year, and have not left the country.

      Xenophobia alive and well…

  3. Funny that a security expert doesn’t see what’s the problem about posting the SSN of someone…

  4. As I am in a job that requires a lot of traveling around the world I have learned so far that cash is the safest and easiest way in terms of traveling finances. The only risky part about it is getting from airport to hotel, after that you can keep just the amount in your pockets you need and leave the rest in safe locker. I have been skimmed a couple of times because I was uncautious and I definitely learned from those cases.

  5. HA! It seems like a lot of effort for the risk.

    Some other people simply do it the technical way;

    http://www.csoonline.com/article/2953264/vulnerabilities/brinks-safe-can-be-hacked-with-just-a-usb-stick.html#tk.rss_news

    USB + code = Jackpot ! No C4 required.
