Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use.
Viewed from less than two feet away, this ATM looks reasonably safe to use, right?
But something fishy comes into view when we change our perspective slightly. Can you spot what doesn’t belong here?
Congratulations if you noticed the tiny pinhole in the upper right corner of the phony black bezel that was affixed over top of the cash dispenser slot. That fake bezel overlay contained a tiny pinhole camera angled toward the PIN pad to record time-stamped videos of people entering their PINs:
How about the card acceptance slot? Looks legit (if a tad shinier than the rest of the ATM), right?
What happens if we apply a tiny bit of pressure to the anti-skimming green bezel where customers are expected to insert their ATM cards? Look at that! The cheap plastic bezel that skimmer thieves placed on top of the real card acceptance slot starts to pull away. Also, you can see some homemade electronics that are not very well hidden at the mouth of the bezel.
ATM card skimmers contain tiny bits of electronics that record payment card data from the magnetic stripe on the backs of cards inserted into a hacked ATM. Most commonly (as in this case), a card skimmer is paired with a pinhole spy camera hidden above or beside the PIN pad to record time-stamped video of cardholders entering their PINs. Taken together, the stolen data allows thieves to fabricate new cards and use PINs to withdraw cash from victim accounts.
Card skimmers designed to look like the green anti-skimming devices found on many ATMs are some of the most common cash machine skimming devices in use today, probably because they are relatively cheap to manufacture en masse and there are many fraudsters peddling these in the cybercrime underground.
Typically, the fake anti-skimmer bezels like the one pictured above are made of hard plastic. However, the reader who shared these images said this bezel card skimming device was made of a semi-flexible, vinyl-like plastic material.
“I immediately went in and notified the manager who shut down the machine,” the reader said in an email to KrebsOnSecurity. “All the tellers were busy so he asked me to stand by the ATM and stop people from trying to use it while he called his security team. In the three minutes I was standing there a young woman came up and started to dip her card in the slot even though the screen was black. I stopped her and told her and pointed out what was going. She was thankful.”
Normally, these bezel skimmers look more like the hard plastic one that came off of this ATM at a 7-Eleven convenience store in Texas in February, after a customer yanked on the ATM’s card acceptance slot:
Many people believe that skimmers are mainly a problem in the United States, where most ATMs still do not require more secure chip-based cards that are far more expensive and difficult for thieves to clone. However, it’s precisely because most U.S. ATMs lack this security requirement that skimming remains so prevalent in Europe.
Mainly for reasons of backward compatibility to accommodate American tourists, many European ATMs allow non-chip-based cards to be inserted into the cash machine. What’s more, many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip.
When thieves skim ATMs in Europe, they generally sell the stolen card and PIN data to fraudsters on the other side of the pond. Those fraudsters in turn will encode the card data onto counterfeit cards and withdraw cash at ATMs here in the United States.
Interestingly, even after most U.S. banks put in place chip-capable ATMs, the magnetic stripe will still be needed because it’s an integral part of the way ATMs work: Most ATMs in use today require a magnetic stripe for the card to be accepted into the machine. The main reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time.
Below is part of a skimming device that a reader recently pulled off of a compromised ATM in Dusseldorf, Germany. This component actually cracked off of the hard plastic fake anti-skimming bezel that was placed by a fraudster over top of the card acceptance device of an NCR cash machine there.
Here’s the plastic overlay that the piece pictured in the reader’s hand above broke away from:
It’s fine to tug on parts of an ATM before using it (heck, I’ve been known to do this even for machines I have no intention of using), but just know that doing so doesn’t guarantee that you will detect a cleverly hidden skimmer.
As I’ve noted in countless skimmer stories here, the simplest way to protect yourself from ATM skimming is to cover your hand when entering your PIN. That’s because most skimmers rely on hidden cameras to steal the victim’s PIN. As easy as this is, you’d be amazed at how many people fail to take this basic precaution.
Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).
Also, if you visit an ATM that looks strange, tampered with, or out of place, try to find another cash machine. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Finally, don’t neglect your own physical security while at the cash machine: As common as these skimmers are, you’re probably more likely to get mugged withdrawing cash from an ATM than you are to find a skimmer attached to it.
Did you enjoy this post? Are you fascinated by skimming devices? Check out my series, All About Skimmers.
I assume Wells Fargo’s new ‘cardless’ ATM access is the best way around skimmers? At the most, the skimmer’s camera would capture a one-time code and a PIN that would go to a card they have no details on.
Correct?
At Wells Fargo, the bank skims you
This comment makes me wish I could upvote! Great for a Friday dark chuckle.
this. made my day. thank you!
Consider this an upvote.
Lol, yes
I want to contact you,
please reply me
+1
I do this at gas stations all the time now!
Most gas pump skimmers are actually installed within the gas pump itself, so there is nothing to pull off of the machine. These are becoming more prevalent than ATM skimmers.
Gas station skimmers, both outside and inside the gas station, are almost epidemic in Cincinnati. However, only certain brands of stations are having problems (sorry, I don’t feel comfortable with names). Some brands seem to take their pump security seriously and never have skimmers. It’s bad enough that I use a separate credit card for gas purchases.
I live in 7- mile right outside of Hamilton, and yes it’s bad here also. And thanks for pointing that out that only certain names are getting hit makes me believe that the owners of these stations are the ones responsible I mean how would anybody be able to install inside the store like they have.
Bruce,
Makes me glad I don’t have any family left there. I left almost 30 years ago, but it’s sad to see what’s happening to the city.
That’s usually because the fraudsters have a universal key that opens certain brands of pumps utilized by certain stations.
Great write up and pictures !
Krabs never fails us with awesome articles.
Hey Brian,
I’ve been tugging at ATM parts for a few years, but have never found anything. Have you ever personally uncovered a skimmer just from your casual everyday ATM abuse?
Brain, I am a security major and I work for dieboldnixdorf (in the ATM Division) and I enjoy reading your blog. Thank you for spreading awareness and shedding light on the malicious intent of others while providing information to the reader on how to best protect their assets.
I hope that over time I excel in the field of security as you have. You inspire me to study often, and keep working hard.
Ps- thanks for the autograph!
Your biggest fan,
Kim.
Hey, he’s smart but there’s no need to call him Brain!
Any evidence of skimmers found inside banks (where they might be seen by curious eyes) or are they largely found in the open?
Wouldn’t a mitigating control consist of being inconvenienced by getting your cash or making deposits from inside your bank?
Skimmers are placed on bank ATMs all the time. They can also be found on the card readers most ATM vestibules have to allow customers entry after hours.
Happy hunting!
Just a tip, most of those vestibules don’t check anything, all they do is see if someone swiped a card with magnetic strip. Feel free to open them with a hotel room key.
I once used an expired out-of-state library card to open the door.
I do have to ask. . . Has anyone seen skimmers on the ATM machines that are in the actual lobby of the bank that owns the ATM? By this, I do not mean the vestibule that you open with your card. I mean the machine that is inside the lobby of the bank that is available for use ONLY WHEN THE BANK IS OPEN and staff and customers are in the vicinity?
I work with skimmers fairly often, and have never seen an instance of this. Seems like an incredibly stupid risk when there are better options 99% of the time.
I work in security for a bank… The one thing missing from this article: If you DO happen to find something suspicious, LET THE BANK KNOW!!! And try to minimize handling/touching the components, as often they will have fingerprints or other clues that can be used to identify miscreants.
While probably good advice regardless, I find it difficult to believe any fingerprints found could be used as evidence, unless on the inside of the parts maybe. But still, they could be used to ID the individual and catch them in the act in a future crime, so I guess it still makes sense.
What if a corrupt ATM technician is the one planting the skimmers??
just hope the company does an adequate background check on their employees, but even then there will always be a small risk
Thanks Brian for keeping us informed and safer…
Thanks for a great article, Brian – as always! 🙂
I always assume someone is watching so I act like I’m pressing a bunch of random numbers and actually depress my pin number every few presses.
Good advice Rick!
But many of the skimmers record audio as well and will record the beep when the actual key is pressed. A little more work for the thief but they still get your pin. Covering with your free hand is the best way to keep from getting skimmed. Either that or never use atms and just get skimmed at the ones installed at the gas station, grocery store, fast food place, etc…
ATM keypads don’t emit dial tones. The “beep” is the same for every key. Recording audio gets you nothing.
“Recording audio gets you nothing.”
Not so. It gets you which of the apparent key presses on the video are real ones and which are simulated presses to confuse the watchers.
I work with skimmer incidents fairly often, and have never once seen an audio recording device.
Pinhole cameras, keypad overlays, Bluetooth transponders, insert skimmers… but never an audio recording device
Most bank security cameras don’t even have audio monitoring.
Hiding the pin does not help. Fraudsters already have your card number once it’s been read by the skimmer. Instead of going to the ATM to cashout, fraudsters will go to Walmart instead and use as Signature. Very common misconception about hiding your pin number. The only help it provides is your Bank who more than likely won’t have dispute rights for the ATM fraud, but a better chance of disputing the Walmart transaction. Additionally, it’s fairly common to see increases in Signature and Pin fraud after a Skimming event at an ATM.
Correction on my previous reply – Additionally, it’s fairly common to see increases in Signature and KEYED fraud after a Skimming event at an ATM.
Matt, I respectfully disagree with your comment. How hard it is to cover the PIN pad? Dealing with getting cash stolen from your checking account because of ATM fraud is a far different beast than dealing with retail fraud, and it’s difficult to really appreciate how different these types of fraud are for the consumer until you’ve experienced each of these personally.
It’s the old perfect as the enemy of the good, argument. In this case, the cost of covering the PIN pad is zero and almost no effort, but the cost of not doing so potentially a huge headache.
It’s very hard to get your second hand near the keyboard if you’re using a drive up ATM. I find the reach difficult enough with my left hand, impossible to get my right hand to the keyboard at the same time.
It isn’t hard to use both hands if you open the car door and get out. Just because you can do it from inside a car doesn’t mean you must.
That defeats the whole purpose of a drive-up ATM. At one of the branches at my credit union, the drive-up ATM is in a former drive-thru teller lane. As such, unless the person is driving something like a Smart For 2, or whatever it’s called, the driver would have to either stop short of the ATM or drive past the ATM to have sufficient room to open the driver’s side door and get out. On the other hand, my 6′ 4″ son doesn’t have any trouble reaching the keypad with both hands, but I can’t. I just use the walk-up ATM built into the front of the building.
You can have security or you can have convenience, rarely both. You pay your money and you take your chances. How about just parking and walking to the ATM? Admittedly a strenuous effort, but….
Bob, open the door just enough to lean out to cover the pinpad with both hands. Is this really a hard problem for you to solve?
I have a very low daily limit set for merchant transactions versus ATM withdrawals since I don’t use my debit card for purchases. This limits what someone can do without a PIN.
Nobody can use my ATM card at Walmart or any other retailer. My ATM card is not a debit card. Anyone who cares about security should request an ATM card from their bank that is purely an ATM card.
Thus, covering the PIN entry with a hand is sufficient security to prevent all fraudulent uses of a pure ATM card.
Bingo. Use ATM cards for ATM’s only. Use credit cards for gas pumps or other public card processing machines. Never use a debit card at an ATM, gas station, etc. EVER. If you’re ever scammed on a debit card, you are at a disadvantage in the process to get your money back (and it’s gone if/until you’re successful in getting the bank to restore it). With a credit card, you have more legal protections and far better success. Credit card companies are better at detecting fraud and more responsive with disputing fraudulent charges.
I always tell people that if they can get a credit card with no/minimum annual fee and they can afford to pay it down every month, then always use a credit card, never a debit card. Only have the ATM card attached to your bank account.
I saw an interesting Diebold ATM last weekend. Instead of the card slot being narrow and inserting the card the long way, the machine had a wide slot to insert the card “landscape” with your name/account number readable. I wonder how the internals of these work. It would appear that they would be at least different enough to thwart the current crop of skimmers.
Generally with this style of ATM, the mag strip reader moves inside the machine instead of you moving the mag strip across the reader. This limits a fraudster’s ability to skim since the skimmer would have to move across the whole strip.
Regarding personal security at ATM machines, I also don’t trust standalone machines out in the middle of nowhere without any recognizable bank name on them. For a while, there was an ATM machine standing alone near a bus stop in the Hollywood neighborhood of Hollywood and Vine. Right there on the sidewalk. This just seemed like a really bad idea waiting to happen.
Brian talked about this on December 18, 2013: “The Biggest Skimmers of All: Fake ATMs.”
https://krebsonsecurity.com/2013/12/the-biggest-skimmers-of-all-fake-atms/
Ha! Probably a skimmer ATM rubbing its proverbial hands, waiting for its next victim.
For this reason some European banks simply block ATM access outside the continent. Travelers can enable their ATM/debit card for a short period or if they really want, or if they insist remove the block completely. But most customers never leave Europe anyway.
That way skimmers who grab magnetic data are out of luck, as inside the continent it uses chip which cannot be copied, and in magnetic-strip-holdout US it is blocked. ING Bank mentioned two years ago that this system virtually eliminated all skimming on their European cards.
Most US issuers will automatically block an ATM card from use overseas unless you have put in a specific travel notification.
Excellent article AND the pictures certainly provide further enhancement, Brian!
Interestingly, in reading your various articles, I’ve taken to not only doing what you mentioned (i.e. pulling on POS terminal interfaces), but also checking the brand name of the particular terminal as well. (As you’ve mentioned a couple of POS terminal brands in past articles that were found to be compromised).
With regard to paying for gasoline at a gas station, I ALWAYS pay with cash inside the store, and NEVER use a credit/debit card at all.
The risks of using a card outweigh any ‘convenience benefits’, IMHO.
Cheers!
There’s almost no risk when using a standard credit card, since the card holder isn’t liable for fraudulent charges. In the rare event of a fraudulent charge, a short phone call to the bank resolves it and a new card is issued. The extra work of going inside to pay, repeatedly, far outweighs the risk. You would be much better off taking that time and effort and putting into a more valuable pursuit.
Great posting as always Brian!! Thanks!
Do chip readers that only need to have about 1/3 of card length inserted negate the scam of reading of the magnetic strip? I never really noted how far it goes in.
Put another way, how much data is on the magnetic strip portion of the card that is inserted in these end-on chip readers?
Samy Kamkar is a security researcher/hacker who has built a mag stripe emulating circuit. On this page he has an image of data on a mag stripe revealed by iron oxide particles: http://samy.pl/magspoof/
The stripe he visually decodes is track 2. Track 1 is encoded twice as dense as track 2, so its account number would fit in the same space as the first 8 digits of track 2.
Inserting a card only 1/3 of the way might provide enough of track 1 to reveal the account number, although it probably won’t provide all of the data needed to clone the whole stripe.
I have an additional recommendation (that many people don’t like because of the slight inconvenience.)
Besides the usual pull on slot, shield the keypad, and avoid isolated machines, I only use an ATM card at ATMs. If it does get skimmed, it cannot be cloned and used for retail. [which reduces the risk]
When the bank tries to give me a debit card (“for my convenience”) I demand an ATM card. [I do this at the branch] Both my banks initially told me that I had to have a debit card. When I replied that I am closing my accounts, the managers came over and ordered an ATM card for me.
For my credit cards, I have them set to text me for every charge. If one has a problem, I’ll be reporting the fraud within minutes. [plus, I’m not fighting to get money back – It is a pending charge, not a completed debit on my checking.]
@ B. Lee,
Great minds think alike..
https://krebsonsecurity.com/2017/03/google-points-to-another-pos-vendor-breach/#comment-427743
@Matt R, the bad guys can’t do what you describe with a true ATM card.
Ditch the Debit
I finally switched to debit cards (VISA network) because I needed them for overseas travel cash withdrawal in local currency. But I use separate bank accounts from my regular checking for those where I can maintain a small balance, and I have an immediate text message whenever used – my phone supports international texting. I may be exposed (although I do take precautions like hiding PIN entry and being very careful of what machine I use), but I try to limit the fallout if something bad happens. Yes, it’s a bit of a pain to have multiple checking accounts, but at least I can isolate my ATM use from the rest of my banking and I have backups if one of my accounts is compromised. I always provide travel notifications – the ATM/debit cards won’t work overseas without that.
While this saves your card being skimmed and cashed out in Retail space, your card could still be skimmed and cashed out at ATMs. So you do protect yourself some, but you’re still left open to someone cashing you out.
Here is an idea (although, knowing big institutions, I doubt that this will be acted upon by banks) – to optionally set your mobile phone as a 2FA device:
1. Issuing bank will let you set a mobile phone number as a 2FA for any ATM use over a user-defined daily withdrawal limit. Bank will SMS you a 4-digit nonce to be used for your next withdrawal over your set limit.
2. New ATM software will ask you, after inserting your card and entering your PIN, for that 4 digit nonce.
3. A nonce will be sent to you after each cash transaction, to be used during the next transaction, to avoid the 30 seconds delay or so for a real-time SMS and inconveniencing waiting customers.
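The three steps proposed in the comment above, modelled from the bank's side in Python. This is an example added here, not code from the post, the commenter or any bank; the class and method names, the three-attempt lockout and the plain PIN comparison are assumptions, and all values are constructed.

```python
import hmac
import secrets


def _same(a, b):
    """Constant-time comparison of two short digit strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class StepUpAccount:
    """Hypothetical account that wants a pre-sent SMS code above a user-set limit."""

    MAX_BAD_NONCES = 3  # assumed threshold: a 4-digit code has only 10,000 values

    def __init__(self, pin, limit_cents, send_sms):
        self._pin = pin              # placeholder for the bank's real PIN verification
        self.limit_cents = limit_cents
        self._send_sms = send_sms    # callable that delivers a code to the phone
        self._nonce = None
        self._bad_nonces = 0
        self.locked = False
        self._issue_nonce()          # step 1: the first code goes out at enrolment

    def _issue_nonce(self):
        new = self._nonce
        while new == self._nonce:    # never reissue the code that was just valid
            new = f"{secrets.randbelow(10_000):04d}"
        self._nonce = new
        self._send_sms(new)

    def withdraw(self, pin, amount_cents, nonce=None):
        if self.locked:
            return "locked"
        if not _same(pin, self._pin):
            return "bad pin"
        if amount_cents > self.limit_cents:
            # Step 2: card and PIN alone are not enough above the limit.
            if nonce is None or not _same(nonce, self._nonce):
                self._bad_nonces += 1
                self.locked = self._bad_nonces >= self.MAX_BAD_NONCES
                return "nonce required"
            # Reset only on a correct code, so small withdrawals cannot
            # be used to buy more guesses.
            self._bad_nonces = 0
        # Step 3: every cash transaction rotates the code for the next one.
        self._issue_nonce()
        return "dispensed"


def demo():
    phone = []  # the cardholder's SMS inbox (constructed)
    acct = StepUpAccount(pin="4821", limit_cents=20_000, send_sms=phone.append)

    def wrong():  # a guess built to miss the current code, for a repeatable demo
        return "0000" if phone[-1] != "0000" else "0001"

    out = {}
    # Someone holding a cloned card and the PIN, but not the phone:
    out["clone_small"] = acct.withdraw("4821", 10_000)
    out["clone_large_no_code"] = acct.withdraw("4821", 50_000)
    # The cardholder, using the latest code on the phone:
    used = phone[-1]
    out["owner_large"] = acct.withdraw("4821", 50_000, used)
    out["old_code_reused"] = acct.withdraw("4821", 50_000, used)
    out["sms_count"] = len(phone)
    # Two more misses reach the lockout threshold.
    out["guesses"] = [acct.withdraw("4821", 50_000, wrong()) for _ in range(2)]
    out["after_guessing"] = acct.withdraw("4821", 50_000, phone[-1])
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The run shows the scheme's residual exposure: a withdrawal under the limit still succeeds with card and PIN alone, although it also sends the cardholder a fresh code, which works as an alert.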
SMS can be compromised. So if they get your card info and your SMS they can go to town on your dime anyway.
If the bank were to provide an app that uses an encrypted connection for 2FA (among other things), they could advertise that as a benefit to their customers.
Any security measure can be compromised. This doesn’t remove the value of using them. It’s a lot harder to compromise a person’s SMS path than it is to clone a card and use it on the other side of the world.
Just had a thought this morning reading this…
I’ve lived in Canada and Europe all my life and in the last 10-15 years I can’t remember a single occasion where I have needed the magnetic stripe on any of my cards. Everything has been EMV for so long that magstripe is effectively obsolete. Even still, all the cards still contain it for international and fallback purposes.
Would removing the magnetic stripe data from my cards (either electronically or through physical destruction) not be a good idea for significantly lowering the risk of being compromised with one of these devices?
Probably easier to just ask your bank to restrict use by country…
There are a couple of systems as Brian noted that will look for a stripe anyway.
@Raymond, yes. You can fully prevent mag stripe skimming by rendering the stripe unreadable.
Orient the card so the stripe is facing you and the stripe is across the top of the card. Using a sharp knife, carefully scrape away a 1 cm gap into the black mag stripe, from about 15 mm to 5 mm from the right edge of the card. Scrape until you get down to the colored plastic under the stripe, and expose a full gap in the stripe from top to bottom.
Using high powered magnets is not reliable enough to guarantee degaussing the stripe will be successful.
This does not prevent a thief from skimming the data sent by NFC or by tapping the wires.
Nice article and equally nice forward looking comments. One way to address the vulnerability could be use of biometric verification for ATM transactions instead of PIN and 2F(biometric)A for all retail transactions. Although it may appear to be a costly proposition for banks, weighed from a reputational perspective and infusing confidence in the system, this could be considered by banks as well financial sector regulators.
Biometrics are a terrible idea.
Whatever is being used as a proxy for you could be recorded by a device just as a skimmer records your pin. And just as criminals can create a card and enter your recorded pin, someone will eventually be able to produce an overlay or something to trick a biometric reader into accepting information based on the recording of your biometrics…
Correct. And try to replace your biometrics afterward… :S
Or the bank could add other security measures. Ie: my bank requires both the card, your fingerprint and the password to let you do anything in the ATM. You could go even further by presenting a digital touch keyboard on the screen with scrambled numbers randomly assigned to each button and only a combination of buttons that happen to contain the digits on your pin would allow any operation. Of course, if the banks let me choose passwords with more than numbers and more than 6 digits it would be very helpful too.
Very interesting article. Please explain the “tap” method” I see at some cash registers. Since your card doesn’t “go in” is this safer?
Both stripe and chip-and-pin are relatively obsolete here in Australia. Most over the counter transactions can be completed using a tap (where you tap your card against the card reader briefly) rather than a swipe or insert (though all card readers still allow all these methods.) Purchases under $100 do not require a pin.
ATMs still require you to insert your card. Most cards (and all credit cards) have chips on them here. Some bank account cards only have a magnetic stripe.
In Australia you NEVER sign for any transactions any more. All transactions are verified by pin (unless under $100 and tapping.) Cards are still signed, though, for some reason.
Obviously the main concern is that if your card is stolen, it can be used relatively easily for a number of small purchases. This doesn’t seem to happen very often, though, and consumer protections here are pretty robust and monitoring is pretty intelligent, especially with credit cards.
Stealing a physical card presents more of a difficulty than skimming details from a number of cards. It tends to be detected earlier, and more of a crime of opportunity thing. It’s never happened to me or anyone I know that their card got stolen and then used for a bunch of small purchases.
The short answer is yes.
With tap, your magnetic stripe didn’t have a chance to be cloned.
Ideally with tap, there’s a cryptographic signature step performed by the card using a private key on top of a stored counter and the transaction information. A good implementation of this should be relatively secure.
This doesn’t mean you’re absolutely safe, someone could try to perform a sale to your card without you notifying, but at least for now, such a transaction should be noticed because the reader wouldn’t be doing any innocent transactions.
Eventually, someone will probably create an NFC device that can perform a man in the middle attack, allowing someone to proxy your card to another device at a brick and mortar store which talks to another NFC reader. As soon as that’s discovered, you’ll read about it (and probably here first).
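Why a recorded tap is worth less than a recorded stripe, as a Python model added here (not code from the post or from any card scheme). An HMAC under a key shared with the issuer stands in for the card's signature step described above; the class names, message layout and 8-byte tag are assumptions, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

TEST_PAN = "4000000000000002"  # constructed test value, not real card data


def _message(pan, atc, amount_cents, terminal_nonce):
    """Bytes the card authenticates: account, counter, amount, terminal challenge."""
    return f"{pan}|{atc}|{amount_cents}|".encode() + terminal_nonce


def _tag(key, pan, atc, amount_cents, terminal_nonce):
    msg = _message(pan, atc, amount_cents, terminal_nonce)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Hypothetical card: a secret key plus a counter that only goes up."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key  # stays inside the chip
        self.atc = 0     # stored transaction counter

    def stripe_data(self):
        # Magnetic stripe: the same static bytes on every read.
        return self.pan.encode()

    def tap(self, amount_cents, terminal_nonce):
        # Contactless: a new counter value bound to this amount and terminal.
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount_cents": amount_cents,
                "terminal_nonce": terminal_nonce,
                "mac": _tag(self._key, self.pan, self.atc, amount_cents,
                            terminal_nonce)}


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def authorize_stripe(self, stripe_data):
        # Static data proves nothing about freshness: a copy equals the card.
        return "approved" if stripe_data.decode() in self._keys else "declined"

    def authorize_tap(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _tag(key, msg["pan"], msg["atc"], msg["amount_cents"],
                        msg["terminal_nonce"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "declined: bad cryptogram"
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "declined: counter already used"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.issue_card(TEST_PAN)
    copied_stripe = card.stripe_data()            # what a stripe skimmer records
    genuine = card.tap(2_500, secrets.token_bytes(4))
    recorded = dict(genuine)                      # a byte-for-byte copy of the tap
    return {
        "stripe_copy": issuer.authorize_stripe(copied_stripe),
        "tap_genuine": issuer.authorize_tap(genuine),
        "tap_replayed": issuer.authorize_tap(recorded),
        "tap_amount_changed": issuer.authorize_tap(
            {**recorded, "amount_cents": 250_000}),
        "tap_counter_bumped": issuer.authorize_tap(
            {**recorded, "atc": recorded["atc"] + 1}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```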
Besides covering the pad with my other hand (or my wallet or whatever), I use two additional methods of concealment. Instead of tapping each button with my index finger, I use three fingers – one for each column on the pad – so any (remote or nearby) spies don’t see my hand, wrist, or forearm moving from button to button. And after entering the PIN I brush or lightly tap ALL the buttons with the respective fingers I use to press them, to defeat fingerprint scans.
I very rarely use gas pump card readers. My preference is to just walk inside because I know how much gas I need and that only authorizes my card for that amount. I do think eventually most people will be using contactless authorization from their phone using their fingerprint and that will help stop a lot of skimmers.
Again, Australian perspective, gas pump card readers occasionally get launched here by various brand gas stations, but usually within a few months they get withdrawn.
Because they generally require you to authorize your card prior to pumping gas, most people forget to use them. By the time you’ve filled up your car, it’s too late to use them, so you go in anyway, which is what people normally do here. With tap and pay, you are in and out pretty quickly so it doesn’t save much time to pay at the pump.
All gas stations are self service, and there is no concept of mandatory prepayment here, though every so often the industry associations start grumbling about it again.
Thanks for another great article.
Truly enjoy reading your posts – fascinating to say the least
Many Bank of America ATMs use Apple Pay authentication which is both secure and fast. Since it uses tokenization it’s secure and I do not have to carry my debit card. Your PIN is still entered and you can see which ATMs take contactless on their website or app. Wells Fargo, Citi and Chase are contemplating similar systems. It’s so fast it appears you’re driving off without doing a transaction. I expect by the end of the year they’ll all be like that. You do have to enter your PIN which seems unnecessary.
Exxon/Mobil offers the Speed Pass + app tied to Apple Pay or credit cards so there is no skimming. Many Sunoco, almost all Meijer, many Wawa, many Chevron offer Apple Pay at pump. Valero, Caseys General Store and many others offer Apple Pay in store. And if need be as others said Use cash. I drive across the country and did not have to swipe.
Interesting. I have Apple Pay. I’ll have to look for this.
After reading this and other articles you’ve written on this topic I’m glad to see I’m not the only one pulling on ATM card slots and keypads. I never use free standing ATMs and only use Bank ones that I’ve used before if I can.
Living in Canada a lot of the ATMs are inside buildings and a few of the vestibules in Calgary actually post guards in them. The one I frequent is usually closed from 10:00 PM to 5:00 AM but when I get there at 6:00 AM there is always a guard on duty. It was kind of creepy the first couple times but it’s better than the annoying claxon they had going off every time you opened the door.
I’d like to tweet this article. You should add a quick share link at the bottom to make it easier 🙂
I’ve started checking ATMs/card terminals of all kinds since reading your articles, and I’m wondering what one would do if you found skimming devices on something after-hours? For instance, going to the bank on a Sunday and the bank is closed. Would you call the police instead?