November 27, 2016

KrebsOnSecurity has featured multiple stories about the threat from ATM fraud devices known as “insert skimmers,” wafer-thin data theft tools made to be completely hidden inside of a cash’s machine’s card acceptance slot. For a closer look at how stealthy insert skimmers can be, it helps to see videos of these things being installed and removed. Here’s a look at promotional sales videos produced by two different ATM insert skimmer peddlers.

Traditional ATM skimmers are fraud devices made to be placed over top of the cash machine’s card acceptance slot, usually secured to the ATM with glue or double-sided tape. Increasingly, however, more financial institutions are turning to technologies that can detect when something has been affixed to the ATM. As a result, more fraudsters are selling and using insert skimming devices — which are completely hidden from view once inserted into an ATM.

The fraudster demonstrating his insert skimmer in the short video above spends the first half of the demo showing how a regular bank card can freely move in and out of the card acceptance slot while the insert skimmer is nestled inside. Toward the end of the video, the scammer retrieves the insert skimmer using what appears to be a rather crude, handmade tool thin enough to fit inside a wallet.

A sales video produced by yet another miscreant in the cybercrime underground shows an insert skimmer being installed and removed from a motorized card acceptance slot that has been fully removed from an ATM so that the fraud device can be seen even while it is inserted.

In a typical setup, insert skimmers capture payment card data from the magnetic stripe on the backs of cards inserted into a hacked ATM, while a pinhole spy camera hidden above or beside the PIN pad records time-stamped video of cardholders entering their PINs. The data allows thieves to fabricate new cards and use PINs to withdraw cash from victim accounts.

Covering the PIN pad with your hand blocks any hidden camera from capturing your PIN — and hidden cameras are used on the vast majority of the more than three dozen ATM skimming incidents that I’ve covered here. Shockingly, few people bother to take this simple and effective step, as detailed in this skimmer tale from 2012, wherein I obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

Once you understand how stealthy these ATM fraud devices are, it’s difficult to use a cash machine without wondering whether the thing is already hacked. The truth is most of us probably have a better chance of getting physically mugged after withdrawing cash than encountering a skimmer in real life. However, here are a few steps we can all take to minimize the success of skimmer gangs.

-Cover the PIN pad while you enter your PIN.

-Keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible.

-Stick to ATMs that are physically installed in a bank. Stand-alone ATMs are usually easier for thieves to hack into.

-Be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on a weekend — when they know the bank won’t be open again for more than 24 hours.

-Keep a close eye on your bank statements, and dispute any unauthorized charges or withdrawals immediately.

If you liked this piece and want to learn more about skimming devices, check out my series All About Skimmers.


49 thoughts on “ATM Insert Skimmers: A Closer Look

  1. Mewn

    I always use cash!
    (Because I’m so poor, I can easily carry all the money I have with me)
    It’s so convenient.

    1. Peter

      So how do you get teh cash. From the ATM? Well, then … oops.

  2. DCC

    Once again – nice article Brian. I always avoid non-bank based machines… I don’t know what it is like in the US and the rest of the world, but I’m sure 3rd party (non-banked owned) are owned by pirates here in Canada given the fee they charge to make any sort of transaction. That alone should be enough to discourage most people from using them. 🙂

    Actually – this article brings up a question I need to contact my bank for – do today’s bank owned ATMs (atleast here in Canada) still actually use the magnetic strip, or do they just use the chip? If they only use the chip, then perhaps a magnet to the strip on my debit card is in order. In Canada we have different cards for credit cards versus bank cards for chequeing and savings account access.

    1. Tarek

      It takes a pretty powerful magnet to ‘demagnetize’ the strip on a credit card. Anything you’re likely to find around the house will NOT be strong enough to wipe the data.

      1. Sam

        What about those neodymium magnets from out of hard drives those are pretty strong?

        1. Michael

          I tried degaussing a Visa smart card strip, with a ~15-sec. “soak” against a video tape “bulk eraser” followed by a longer soak directly against a magnet from a hard drive motor. Later that morning I used said card to deposit a check at an ATM.

          1. Wis

            Interesting…I’ve heard all you had to do was lay it next to your cell phone. I know how magnetic a harddrive magnet is and if that didn’t clean it…. not sure what would, maybe one of those magnets that pick up cars 🙂

      2. IRS ITUNE cards (another fake)

        Hmm, Tarek, what’s your source for this? Dare you to try dragging a magnet along the mag stripe on your debit card and telling us the results. Remember the warnings not to store cards so their stripes are facing each other? And mag tapes imprinting their information on layers above and below? Having lost info just looking cross-eyed at a card I can’t believe this.

        1. Bugged

          They told people that because the old mag strips were easier to scratch off. The idea was that the raised letters of the cards would make a little gap to protect the strip. Strip to strip had zero gap. It didn’t work, but that was the reasoning. But you are right, the average fridge magnet passed over it a few dozen times might be enough to degrade it.

        2. IRS ITUNE cards (real)

          You can also use a magnetic wire coil and create induction to so the same thing. I mean if you are going to power the insert skimmers then why not a small coil? All you would need is a surface mount dc-dc converter that has a buck converter to increase the rail voltage to make enough induction to create a large enough magnetic field.

        3. The Phisher King

          Back in the day banks used cheap, low coercivity cards. This meant it was easy to encode the information on to the card and also easy to accidently erase some of the information, by, say putting two cards together with their magnetic stripes touching and leaving them that way for a few weeks.
          Eventually the banks realised that replacing the cards every few months was more expensive than using much higher coercivity cards where it is both harder to encode the information and harder to erase it.
          So now, erasure of a modern high corecivity card is difficult and to do it quickly you need a very strong magnetic field.

          1. Patrick

            I once put a HiCo card up on the fridge with a reasonably strong magnet due to not thinking… still worked fine when realizing my mistake a day or so later!

    2. Stephen

      The bank I use here in New York City uses the strip to grant access to the atm facility, as the one closest to my home is just an atm location (4 are in the site). At the atm itself, you put the card in & remove it and during that process it detects the chip and tells you to reinsert it and leave it in through the transactions.
      To your point about the fees & third-party owners, yeah, pirates is a good term; I have never used an outside-the-network atm. In Manhattan, at least, and nowadays the other boroughs, there are bank branches that rival Starbucks in their number. If I somehow found myself in need of actual cash, and my bank doesn’t have a branch around, I’d rather go to a actual bank (and pay their almost-piratey fees) rather than one at a deli.
      Thank you, Brian for the story.

      1. Vog Bedrog

        Criminals are not above attaching their skimming devices to the door readers you describe (PIN is still obtained while using the ATM). Anywhere the mag stripe is swiped it is at risk.

        If the EMV mandate had any teeth to it this would all be a moot point by now.

      2. DC

        Those access door card readers are typically looking for anything with a magnetic strip – not a bank card specifically. Run anything that isn’t a payment card to be safe.

        1. PJJ

          I’ve kept the card from a defunct store rewards programs for just this purpose.

    3. somguy

      Why bother with the magnet?
      Physically scratch the thing enough to corrupt the data.

    4. Jose Navarro

      Unfortunately Canadian banks are still coding information on the mag stripe, even though the have chips on the debit and credit cards. The reason behind this is to allow Canadians that travel to the U.S. Or other countries that do not support the chip, to still allow them to use their credit and debit cards in ATMs and POS machines. If you destroy the mag stripe on your card, it will protect you against cloning of the card and being used in the U.S. However, remember to have a card reissued before you travel outside of Canada, otherwise good luck accessing your money outside the country!

  3. Hai Phan

    How about the death penalty for skimmer fraud? I know liberals are jumping up and down, but think about what will happen to the fraud.

    1. K Z

      You can do anything you like to the guilty that you consent to suffer as an innocent.

      1. Rarrgh

        KZ wrote” You can do anything you like to the guilty that you consent to suffer as an innocent.” – this is the best, most succinct way to state the argument I have ever encountered. Kudos!

  4. Firelighter

    One other aspect is that NONE of the anti-skimming tech in the market for the primary OEMs (NCR and Diebold Nixdorf) can prevent or defeat inserts … except for Diebold’s Active-Edge (which makes the user insert the card long-ways). Larger banks avoid the Active-Edge because it tends to confuse customers.

    Also – all of the above-referenced card readers are motorized. These inserts also work on dip-readers.

    As stated in the article: the number one thing to do is cover the hand during PIN entry. As EMV becomes more-n-more a thing banks are less likely to even invest in anti-skim – leaving customers in a position for the next 4-6 years waiting for mag-stripe card readers to slowly die & fade away in the overall marketplace.

    BTW: skimming cards and cashing out at ATMs is only one platform of cashing-out. Apparently, the USPS still hasn’t converted to EMV – so the crooks are hitting the cash-out limit at ATMs then going ot the Post Office and getting more from there. Big $ being lost there and no one has been reporting on that.

    Finally: Gas-pump skimming is leading ATM losses 4-1 in 2016. Banks are laser focused on using velocity verification and active monitoring with their fraud management – eyeballing all POS-gas purchases. But the volume of gas purchases is overwhelming. Again, the average user hits an ATM 3-4x month. Gas purchases average 4-6x month.

  5. Jim B

    Recently I’ve seen more ATMs with PIN pad shields. I guess the ATM manufacturers are trying to cover your hand for you, but these seem like a perfect place to hide a hidden camera. Often, I find you can’t easily get your other hand under some of them to hide your typing. Also, seeing legit ones on some machines means you are desensitized to potential fakes on others. Google image search for “ATM pin pad shields” and you can find several different models for sale. Seems like the best practice should really be not to put these on machines.

  6. jbmartin6

    Another tip: reduce your risk by limiting the balance accessible with your ATM card, move out any surplus cash to a different account.

    1. Ollie

      If you’ll use a second account to reduce the funds available to a miscreant who cloned your debit card, be careful.

      Contact your financial institution and ask them to make it difficult for a miscreant to transfer funds from your backup account to your main account. You should make it impossible to do this by telephone. The institution can flag your account.

      Without this, you can telephone your bank, authenticate yourself by describing a recent transaction, and then order a transfer from one account to another. Somebody who cloned your card can easily perform a transaction, then use that transaction for authentication.

      In my case it was buying a $100 Old Navy gift card at a CVS store.

      1. JasonR

        My credit union allows me to set any “passphrase” I like on my accounts. No one can call in via the phone and access my accounts without this passphrase. They won’t help over the phone if you forgot it either (oops, been there), but instead require you to come in with ID.

        Also, my credit union allows me to have a login which has access to my primary accounts, and transfer funds to my secondary account which I use for ATM-only access. The ATM-only account has no access back to my primary account.

    2. Catwhisperer

      After being hit by a $500 ATM theft at a local bank, I lowered my ATM cash limit to $118 so that I could draw cash but not empty out the account. The other thing I would recommend is enable notifications on your banking app so that you have immediate notifications of ATM withdrawals if you have a need for a higher cash limit, and set the notification limit low. That saved me with on the $500 ATM theft, because I immediately called the card theft line, and I was miles away from the location of the theft, so the bank couldn’t argue the claim…

  7. James

    Simple answer – threefold wallet, opened up over hand inputting PIN. Works a treat.

  8. wayne

    There is one thing I am curious to know, is it possible for skimmers to copy the magnetic strip on a debit card which contains both the magnetic strip and the microchip? can they make a clone card which only using the magnetic strip and of course knowing the pin, can they use an atm to draw money (with only having the magnetic strip info even though the card that was cloned had both features)

    1. Joe Public

      When a chip-card’s mag strip is copied it can still be written to a blank/old card and used at any merchant (including a bank ATM) that doesn’t yet use the chip, either with PIN or in the case of retail merchants, as a signature purchase (“run as credit”). I lost all but $14 of my bank balance a few weeks ago to skimmer-scammers who ran my card-copy at a department store and signed for the purchase.

    2. Beeker

      It is easy. All you need is the mag strip to copy data, however, banks have put in codes on the mag strip to use chip when inserted in POS. To get around it, all the person have to do is alter the code to run it as a non chip card transaction.

  9. Rute Madeira

    Dear Krebs, can you install a responsive theme here on your blog, so one could read it in a smartphone, please?
    Thank you.

  10. Robbie MacGillivray

    One-armed guy here chiming in my method in case helps others.

    I lay my wallet down on keypad then poke my fingers through. Keeping the hand slightly tilted the wallet rests on top and covers keypad.

    I make a few random false movements to hopefully add some extra difficulty in detecting my pin.

  11. TJ

    FYI the 4-digit pin is actually on track-two on at least 68% of credit and debit cards world wide. It’s just encrypted and encoded with a standardized encryption&encoding for each network like Cirrus, Plus etc..

    Interbank and similar entities just relay exchanges the encrypted pin is used internally on origin networks only. I’m not sure the policy around them.

    With these in-slot skimmers it looks like they just shave down or make three-head reader-heads, and probably broadcast to near by computers with a simple RF modulator PCB circuit, because they can’t manufacture a PCB thin enough with a cpu+battery+storage(BGA or COB manufacturing is super expensive and complex to design and code). With a 3d printer and the right material(like acetal or delrin) or a cheap miller you could make one of these pretty easy.

    An idiot could get the physical part down and just throw in a FM radio circuit made up of SMD components and use SDR or even a voice recorder to log remotely.. There is actually a market for dumps withou pins too.

    1. TJ

      BTW it’s still the same stripe on *all* EMV cards in the US.. It’s like the banking plutocracy wants there to be a black market if you look at how they support insecure EMV modes on most POSi and leave the card clone-able…

    1. TJ

      There is no magnet.. The stripe itself is magnetized(dip it in black iron oxide powder to see the encoding with your own eyes).

      The cheap 3-head reader heads are too big so the better skimmer makers like these use battery powered circuits that sense the data from tiny strips at very low power to get PWM of each of the 3 tracks. Kind of like a hall effect sensor does.

      They tie that to a RF circuit to transmit to a local server or they could, but I haven’t seen this, use a digital audio recorder circuit that uses a NAND or NOR chip for storage.

  12. Beeker

    That’s why some banks have switch to using NFC to withdraw cash thereby avoiding the use of the card. It is much faster.

    1. TJ

      You’ll now see a spike in SWIFT attacks do to better POSi security. On the back-end there is a lot of old ISO spec stuff with poor privilege handling on the software level..

  13. Joe

    How could an owner of the ATM know if this device had been installed? I could imagine looking from the outside, that it would look like it was part of the machine.

    1. TJ

      They can’t. Physical sensors on the slots for this don’t exist so any software or firmware is blind to it. It’s take a physical swap of a newly engineered slot.

      Lock pick scope or flashlight and magnifier.

Comments are closed.