05
May 16

Crooks Go Deep With ‘Deep Insert’ Skimmers

ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls “deep insert skimmers,” wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.

KrebsOnSecurity’s All About Skimmers series has featured several stories about insert skimmers. But the ATM manufacturer said deep insert skimmers are different from typical insert skimmers because they are placed in various positions within the card reader transport, behind the shutter of a motorized card reader and completely hidden from the consumer at the front of the ATM.

Deep insert skimmers removed from hacked ATMs.

NCR says these deep insert skimming devices — usually made of metal or PCB plastic — are unlikely to be affected by most active anti-skimming jamming solutions, and they are unlikely to be detected by most fraudulent device detection solutions.

“Neither NCR Skimming Protection Solution, nor other anti-skimming devices can prevent skimming with these deep insert skimmers,” NCR wrote in an alert sent to banks and other customers. “This is due to the fact the skimmer sits well inside the card reader, away from the detectors or jammers of [NCR’s skimming protection solution].”

The company said it has received reports of these skimming devices on all ATM manufacturers in Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States.

“This suggests that ‘deep insert skimming’ is becoming more viable for criminals as a tactic to avoid bezel mounted anti-skimming devices,” NCR wrote. The company said it is currently testing a firmware update for NCR machines that should help detect the insertion of deep insert skimmers and send an alert.

A DEEP DIVE ON DEEP INSERT SKIMMERS

Charlie Harrow, solutions manager for global security at NCR, said the early model insert skimmers used a rudimentary wireless transmitter to send card data. But those skimmers were all powered by tiny coin batteries like the kind found in watches, and that dramatically limits the amount of time that the skimmer can transmit card data.

Harrow said NCR suspects that the deep insert skimmer makers are using tiny pinhole cameras hidden above or beside the PIN pad to record customers entering their PINs, and that the hidden camera doubles as a receiver for the stolen card data sent by the skimmer nestled inside the ATM’s card slot. He suspects this because NCR has never actually found a hidden camera along with an insert skimmer. Also, a watch-battery run wireless transmitter wouldn’t last long if the signal had to travel very far.

According to Harrow, the early model insert skimmers weren’t really made to be retrieved. Turns out, that may have something to do with the way card readers work on ATMs.

“Usually what happens is the insert skimmer causes a card jam,” at which point the thief calls it quits and retrieves his hidden camera — which has both the card data transmitted from the skimmer and video snippets of unwitting customers entering their PINs, he said. “These skimming devices can usually cope with most cards, but it’s just a matter of time before a customer sticks an ATM card in the machine that is in less-than-perfect condition.”

The latest model deep insert skimmers, Harrow said, include a tiny memory chip that can hold account data skimmed off the cards. Presumably this is preferable to sending the data wirelessly because writing the card data to a memory chip doesn’t drain as much power from the wimpy coin battery that powers the devices.

The deep insert skimmers also are designed to be retrievable:

“The ones I’ve seen will snap into some of the features inside the card reader, which has got various nooks and crannies,” Harrow said. “The latest ones also have magnets in them which are used to hold them down against the card reader.” Harrow says the magnets are on the opposite side of the device from the card reader, so the magnets don’t interfere with the skimmer’s job of reading the data off of the card’s magnetic stripe.

Many readers have asked why the fraudsters would bother skimming cards from ATMs in Europe, which long ago were equipped to read data off the chip embedded in the cards issued by European banks. The trouble is that virtually all chip cards still have the account data encoded in plain text on the magnetic stripe on the back of the card — mainly so that the cards can be used in ATM locations that cannot yet read chip-based cards (i.e., the United States).

When thieves skim data from ATMs in Europe, they generally sell the data to fraudsters who will encode the card data onto counterfeit cards and withdraw cash at ATMs in the United States or in other countries that haven’t yet fully moved to chip-based cards. In response, some European financial institutions have taken to enacting an anti-fraud mechanism called “geo-blocking,” which prevents the cards from being used in certain areas.

“Where geo-blocking has been widely or partially implemented, the international loss profile is very different, with minimal losses reported,” wrote the European ATM Security Team (EAST) in their latest roundup of ATM skimming attacks in 2015 (for more on that, see this story). “From the perspective of European card issuers the USA and the Asia-Pacific region are where the majority of such losses are being reported.”

[Image: EAST chart of losses by country]
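The geo-blocking described above can be expressed as an issuer-side authorization rule. The sketch below is an added example, not code from the article, NCR, EAST or any bank; the policy fields, entry-mode labels and sample requests are constructed assumptions, and the chip-only-abroad option goes beyond what the article describes.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class TravelWindow:
    """Cardholder-requested temporary unblock for one country (hypothetical)."""
    country: str
    start: date
    end: date


@dataclass
class CardPolicy:
    """Issuer-side geo-blocking settings for one card (field names assumed)."""
    home_countries: frozenset
    travel_windows: list = field(default_factory=list)
    # Assumed option, beyond the article: keep chip reads usable abroad and
    # block only magnetic-stripe reads, the kind a cloned card produces.
    chip_allowed_abroad: bool = False


@dataclass(frozen=True)
class AtmRequest:
    country: str       # ISO 3166 alpha-2 code of the ATM's location
    entry_mode: str    # "chip" or "magstripe" (simplified labels)
    on: date


def authorize(policy, req):
    """Return (approved, reason) for one ATM withdrawal request."""
    if req.country in policy.home_countries:
        return True, "home region"
    for w in policy.travel_windows:
        if w.country == req.country and w.start <= req.on <= w.end:
            return True, "travel window"
    if policy.chip_allowed_abroad and req.entry_mode == "chip":
        return True, "chip read abroad"
    return False, "geo-blocked"


def evaluate_sample():
    """Run constructed requests against two constructed policies."""
    strict = CardPolicy(
        home_countries=frozenset({"IE", "GB"}),
        travel_windows=[TravelWindow("US", date(2016, 6, 1), date(2016, 6, 14))],
    )
    chip_ok = CardPolicy(home_countries=frozenset({"IE"}), chip_allowed_abroad=True)
    cases = [
        ("home chip withdrawal", strict, AtmRequest("IE", "chip", date(2016, 5, 10))),
        ("cloned stripe cash-out", strict, AtmRequest("US", "magstripe", date(2016, 5, 12))),
        ("holder travelling", strict, AtmRequest("US", "magstripe", date(2016, 6, 3))),
        ("after window expires", strict, AtmRequest("US", "magstripe", date(2016, 6, 20))),
        ("chip read abroad", chip_ok, AtmRequest("US", "chip", date(2016, 5, 12))),
        ("stripe read abroad", chip_ok, AtmRequest("US", "magstripe", date(2016, 5, 12))),
    ]
    return {label: authorize(policy, req) for label, policy, req in cases}


if __name__ == "__main__":
    for label, (approved, reason) in evaluate_sample().items():
        print(f"{label:24} {'APPROVE' if approved else 'DECLINE'}  {reason}")
```

Note that the "holder travelling" case is approved even though it is a stripe read: an open travel window restores the exposure for that country until it expires, so short windows matter.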

Even after most U.S. banks put in place chip-capable ATMs, the magnetic stripe will still be needed because it’s an integral part of the way ATMs work: Most ATMs in use today require a magnetic stripe for the card to be accepted into the machine. The principal reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time.


73 comments

  1. I am curious to know if this type of attack is being leveraged at ATMs located at bank locations.

    • Given how many card machines are available at non-bank locations (with less effective security and possibly no cameras at all, so little risk) it is hard to imagine thieves bothering with trying to skim at an actual bank. They are after just the easy to grab fruit, after all.

      Almost all of the stories of recovered skimmers involve gas station pumps, given their high throughput and already beat-to-hell appearance making it easy for malicious devices to blend in. Of the ones that are found in actual ATMs, so far all the reports I’ve read have involved remote locations.

    • My local branch of BoA has two ATM’s installed on their exterior walls, and I have seen similar in setups of BoA branches throughout the country. These would, IMO, be as likely a target as other non-bank ATM’s. I suppose they have security cams mounted, but knowing BoA (an entity which has given new meaning to the phrase “bank robbery,” with their cascading fees and other fee-inducing practices), I wouldn’t put it past them to skimp on that.

      I am wondering if some sort of fix wouldn’t be to have some sort of sensor that is activated when a foreign object (anything that is not a debit card) is placed into the card accepting cavity.

  2. Where would one go to purchase one of these skimming devices?

  3. This is highly interesting. What is NCR’s “Skimming Protection Solution”? I’m sure it’s thoroughly cat-and-mouse with NCR and the like trying desperately to stay ahead of miscreants, while having an attack surface of tens of thousands of physical devices across the US in every kind of nook and cranny imaginable. But still, one would guess that a concerted effort could mitigate a lot of the risk with a few simple design changes.

  4. Chinese cards are starting to not include the magstripe and presumably work fine at ATMs there. There’s probably nothing stopping banks in other countries from doing the same thing once sufficiently switched over to EMV, assuming the right ATM hardware’s in place.

  5. >I am curious to know if this type of attack is being leveraged at ATMs located at bank locations.

    Inside the bank, no probably not, outside the bank at a hole in the wall outside of business hours on a busy Friday night yes. These guys know there is CCTV and cover up. Usually the guy installing it is low down on the food chain and often this person does not have the ability to read the data. Think homeless/uneducated.

    >What is NCR’s “Skimming Protection Solution”?
    I assume it is something to mess up the magnetic reader in the skimmer such as a wire loop at the “mouth” generating magnetic noise. The magnetic reader deep inside the ATM is not affected by this, not the genuine one nor the deep insert models. They probably also have some sort of “something attached” detector such as a “stud locator”, that sends an alert if something is stuck near the card slot or pin pad.

    In countries where all ATMs have these countermeasures, they have moved on to not sticking something on to the slot, but in the slot, or sniff the data on the line at the back. Shoulder surfing can always be used for the PIN too, although many countries have warnings on the ATM screens, and yellow stand back zones and CCTV to try to deter this method. Remember if the average cash out per card is say $200 and you can get 5 or 6 an hour that is a lot of money. Hell, people blow up ATMs or attack them with bulldozers in the chance of fast cash, and it often works. Many ATMs in Ireland now dye the money if they detect a shock. Once someone figures out a method that works they milk it as fast as they can before countermeasures can be implemented.

    • Wrong to assume that. Security investigators, must realize that these are puzzle people. And just because you don’t have a degree, it don’t make you dumb. I’ve met dumber degreed people then including scientists and, etc… And like every puzzle there is a solution. It may be as simple as monitoring the card insert slot. In the old days, there used to be a switch to activate the reader at the front of the slot, now it’s generally at the rear to protect it from weathering. Maybe a second switch? Both have to shut down between activations?

  6. My chipped debit and credit cards no longer have anything embossed on them.

    Maybe sometime in my lifetime, the mag stripe on the cards will finally disappear.

    • Different in Canada. All credit cards and debit cards still have all their numbers embossed.

    • Only if you’re quite young.

      Embossing is not meant for electronic reading, it’s meant to enable those old non-electronic manual things, where it would imprint onto a physical piece of paper.

      • I remember using credit cards before they had mag stripes when taking an imprint of the embossed data on the card was the only way to pay with a credit card, so yeah, I may not see the second coming of credit cards without a mag stripe.

        • Yes, embossed characters (other than pen in a pinch) were first generation card tech. A chore in college as night manager/closer was to total checks and credit slips for night deposit.

      • Affectionately known as “knuckle-busters”

    • It depends on the card co. I have some chip cards that are still embossed but my Discover card is flat.

    • Robert.Walter

      Chipped debit cards… I’m a member of two different credit unions and neither will commit to a roll out date for chipped debit cards. Although I rarely use my debit card, in part because it has no chip, I envy you.

  7. Does anyone know if any of TMD’s anti-skimming pack solutions protects from this type of skimming?

    • Yes, it’s called the CPP
      (Card Protection Plate); it works very well.
      I have seen it in function.

  8. Yeah, why not do that inside the branch? Folks generally feel much more assured that bank has taken good care of security, etc. We found one skimmer a while ago attached to the ATM inside branches’ self-service area, albeit I must note it is accessible after branches’ business hours.

  9. Couple things:

    1. Mash all PIN pad digits before entering your card to make sure they all depress.
    2. Make sure to cover your hands when entering your PIN.
    3. When entering your PIN you can ‘fake tap’ multiple digits (either lightly tap and not depress, or depress but before and after the PIN entry screen) to help obfuscate which numbers you actually press. This will help camera based PIN loggers, but of course you are SOL if there is a physical PIN pad logger.

    Also, who here is going to use the apple pay/android pay integration for bank owned ATMs that are rolling out (BofA for one)? I seem to prefer this as this will deter most basic physical card attacks. Of course now your ATM card will be linked to your Google/Apple account, so you better have top notch security practices for your accounts with them!

    • itsmeitsmeitsddp

      Your advice is good however there are a couple of caveats to note. Some skimmers record audio to associate the beep with the actual pressing of the key so while better than nothing a fake press won’t always work. Not mentioned but in some setups the privacy screen is compromised/fake and contains a camera to catch the pin so don’t rely on the so called privacy screen to protect either. I have gotten most of my family in the habit of tugging on card readers and covering the pin as well as avoiding any odd looking gas pumps and atms.

    • “3. When entering your PIN you can ‘fake tap’ multiple digits (either lightly tap and not depress, or depress but before and after the PIN entry screen) to help obfuscate which numbers you actually press.”

      Some skimmers record audio as well, so they can hear the beep when a button is properly pressed.

      https://trustfoundry.net/reverse-engineering-a-discovered-atm-skimmer/

      • “beeping when keys are pressed”: this is why some ATMs have this feature disabled. You still see an “x” on the screen each time you press a key, but each key press is silent.

    • Thanks for the heads up on the audio recording. Next time I go to the ATM I will check whether mashing keys before or after the PIN entry screen make the same audio tones as valid ones. Also, on the PIN entry screen I will try entering incorrect digits, clearing/backspacing, and entering correct ones to see if they all make the same audio tones. This might help obfuscate the correlation between valid keypresses and the audio track.

    • Robert.Walter

      I can’t wait until authentication via Pay is available and I can ditch my ATM card; as it is, I use my AMEX-linked Pay account to pay for as much as I can, in non AMEX-friendly places I use my Pay-linked visa credit card, reserving the debit/ATM for rare cash withdrawals at the bank’s own ATM (after a good eyeballing.)

      In my mind, getting current ATM units NFC ready should be no harder than each vendor building a plug and play NFC module (or buying it from a vendor specializing in such), developing the new software to make all work together, and then installing in existing units. (Much easier I would think than having to design hardware that can cope with dispensing bills of various sizes and conditions.). I would think vending machine companies would already be doing this.

      • Your post uses some symbols that do not come through. While it’s interesting you can’t wait to ditch your ATM card, what all you’re talking about is not clear. Can you use regular words instead of graphics?

        Did you put emot-icons in your post?

        • Robert.Walter

          Sorry Mike. The symbol is just an apple symbol taking the place of the word Apple in the word Apple Pay. Didn’t realize there might be some devices on which it doesn’t display.

  10. Edward Tomchin

    What will happen, as the $$ losses increase, people using ATMs will decrease and the banks will be inclined to purchase better and better ATM security. I’m fortunate in that very few of my transactions are cash, so I hardly ever need any. The only reason for ATMs is to get cash. Just about everything else can be done with your phone or online.

    • ATM’s are unlikely to vanish anytime soon. In much of the world, they are used to get cash by both locals and travelers. In Western Europe, for example, ATM’s are virtually the only way to obtain euros, as banks no longer exchange currency or cash travelers checks, and exchange bureaus, such as Travelex, are inconveniently located in airports and main train stations, and charge exorbitant fees. ATM’s also are used to deposit checks, for those of us who receive them. Insurance companies, for example, generally send checks. Bottom line, don’t throw away your ATM card quite yet. BTW, since ATM cards come with a PIN, they are readily usable in other parts of the world to obtain cash.

      • Bard of Bumperstickers

        The international banking cartel is making decisive moves toward a cashless society. ATMs will be a thing of the past soon enough. Whatever form the new, non-paper, digital money takes, surely the stickup hackers will adapt.

        I’d kill to have their electro-mechanical engineering skills and computer savvy, but not their morals. I’d be a legitimately wealthy machinist/maker entrepreneur, but not on the lam in an ill-gotten Porsche next to an anorexic, bleached-blonde coke whore.

        • crock-0-dial

          >I’d be a legitimately wealthy machinist/maker
          >entrepreneur, but not on the lam in an ill-gotten
          >Porsche next to an anorexic, bleached-blonde coke
          >whore.

          You guys from Galt’s Gulch have rather twisted imaginations.

  11. Wouldn’t Diebold’s Active Edge readers prevent against this? The stripe never gets read on the way into the reader.

    • @Rich, Yes, this kind of skimming is exactly what the Active Edge card reader is designed to prevent. By inserting the card sideways, there is no way to skim data on insertion.

      https://www.youtube.com/watch?v=OytcKPCQWZM

      @ Harry, Not if you are in the US. Writing to cards went away in the 80’s.

      TMD will prevent most of the skimming, especially on conventional insertion, but not as well as the Diebold Active Edge.

      • If there is absolutely no room in that slot to put another sideways reading mechanism, then yeah – it will make it more difficult – for a while. Seems to me a clever criminal familiar with science could simply read the strip all at once, using some kind of magnetic frequency modulation. This would read the entire strip in one operation, and algorithms to convert the data.

        Think how radar no longer needs to move back and forth with the old dish technology in military radars, they do it electronically with plates that sit passively. This would be similar but using magnetic resonance.

      • Check this site: http://www.csptec.nl/
        They already had the card sideways functional in the Netherlands in 2009.
        But these anti-skimmers are added on to existing machines, no high costs.
        The result was that there was no skimming anymore.

    • It might if there were more of them. I have yet to see one in the wild.

    • The orientation change strikes me as “kicking the can down the road”… Just because *current* skimmers don’t read it when the card is turned sideways doesn’t mean they can’t be quickly invented!

      • Inside the “Active edge” machine it has a moving scanner to read the stripe. It would be pretty damn difficult to make a skimmer with the same mechanism, without putting a whole new ATM in front of the existing ATM. This is definitely a game changer but since they have so many thousands of ATMs already installed, there will always be old style ATMs around.

  12. My bank’s ATM machines rewrite the magnetic strip each time you insert the card. Would that be an effective mitigation against these devices?

  13. Keith Rockhold

    Man, what is up with that chart?

  14. All Card skimming POS and ATM alike requires contact.
    So the obvious universal solution is to go contactless (paypass etc) with PIN.
    And beyond Security contactless is also more convenient and faster.

  15. I mainly use ATM’s at airports post security, do you think these are any safer than out in the “wild”?

  16. Dave from Toronto

    @Keith – ya me too … a bit too minimalist …
    “percentage of reporting countries reporting losses in each location”

    So of 17 countries at the EAST meeting, 87% of them reported losses in the US. Which could also be 87% reported at least 1 loss in the US.

    Nice to know a bit more about the numbers of frauds reported and the dollar values.

    I know that EAST has other useful charts and information, I’d just like to know a bit more specifically where that one came from.

  17. I saw that you mentioned that the mag strip is necessary for the card to be accepted in (most) ATMs. My question is: could I erase the info on the magstripe in my bank card that has chip, and still use ATMs that accept chip, or do the ATMs read both chip and mag stripe and compare?

    • This is a good question Barf. I’ve noticed that my chip’d ATM card requires a dip and out before it will do a chip read (would not be surprised it’s finding out if the chip is there from reading the mag stripe).

      • Maybe I’ll try messing with the strip of a card once it’s close to expiring. If I don’t have to live or travel to somewhere backwards, why should I need to put up with backwards compatibility issues?

  18. Every time I see an article on these skimmers it always has lousy pictures. It would be better to see them in HD video and how they look in the ATM’s. Looking at fuzzy low res pictures and video is of no help.

  19. So this morning I needed some cash. Rather than use any sort of ATM, I went to my credit union, went to a human teller, and got my cash that way. A little further than I used to go, but not too bad – I got enough cash for about a month or so.

    Somehow my credit card (with chip) got hacked. Somehow or another they figured it wasn’t me, so the “purchase” was declined, so nobody is even out any money (except perhaps the crook). Possibly because the credit card was a chip card, and they cloned it to a non-chip credit card. Don’t know – they never tell you these sorts of things. I can only guess where the thing got hacked, but I am even more inclined to use cash anywhere that doesn’t support either EMV or NFC payments.

  20. Many banks are moving towards NFC to cut down on the use of cards to prevent skimming. Chase is going the QR route while BoA is going the NFC route. It will be some time before it becomes prevalent. Banks in Spain started this back in 2011 and we are just starting to catch up.

    ATM will still be around however it will be going through an upgrade to replace bank operation so the person can transact via video and get change right down to the coins. Chase started the process where customer go into branch to transact on the ATM with little human intervention save for the problem solving needing a person to help.

  21. This reveals a frustrating design problem with ATMs in general – because of the ongoing need to maintain legacy support for mag stripes (due to all the regions still playing catch-up with chips) they still swallow the entire card, which allows skimming to remain prevalent. If chip-enabled ATMs allowed ‘dipping’ only, there would be no opportunity to read the entire mag stripe and hence no opportunity to skim the card. Looking forward to the day we see the last of mag stripes.

  22. I have seen a very good solution to prevent deep insert skimming from the company TMD Security.
    The solution is called the CPP (card protection plate).

    It is placed inside the card reader and consumes all space needed for deep insert skimmers; after that, placing a deep insert skimmer is not possible anymore.
    The plate cannot be removed.

  24. I use Discover to get cash out at grocery stores (no fees if you pay your bill every month in full – https://www.discover.com/credit-cards/member-benefits/cash-over-purchases.html )

    If I have to use an ATM I use my bluebird checking account.
    First I pull up the app on the phone and transfer money from my checking acct to my bluebird acct (instant transfer).
    Then I use the bluebird checking card to take the money out with the ATM.. (I use ATM maybe once every 3 months so I’m not too bothered by transferring the money first.. )

  25. How long before the ATM makers build in a TRANSPARENT section for the card reader? It seems to me, the easiest way to defeat this whole mess is make it so the card and the system reading it is visible so that nothing can be attached without being noticed. This is inspired looking at the transparent case I got for my Raspberry Pi: the guts are right there, easily visible.

    It would even help if the machine played video of what the card reader should look like encouraging the users to compare. Heck they could do this now! Film the machine at install and integrate that into the “attract mode” display. It would at least help detect added-on readers.

  26. Brian, you run a very popular blog and it has zero mobile optimisation. Get it sorted.

  27. I don’t worry about skimmers any more because I just freeze my Discover card account between uses. It takes about 20 seconds from my iPhone to unfreeze and then freeze when I need to use it. I suppose during those 3 minutes when the account is unfrozen when pumping gas or paying for my dinner that a thief may be able to charge something against the card, but that is the only time it will work for them. I think that if my card number has been stolen and they discover it won’t work they probably just throw the number away and move on to another. I leave them a very small window of opportunity to profit. And even if they hit it right at the moment I’m pumping gas to make a purchase, the credit card company will be taking the loss not me.

  28. What does the skimmer retrieval tool look like?
    I’d like to carry around one of these and stick it in the slot before I put my card in.
