30
Jun 17

So You Think You Can Spot a Skimmer?

This week marks the 50th anniversary of the automated teller machine — better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you’re good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.

The first cash machine opened for business on June 27, 1967 at a Barclays bank branch in Enfield, north London, but ATM transactions back then didn’t remotely resemble the way ATMs work today.

The first ATM was installed in Enfield, in North London, on June 27, 1967. Image: Barclays Bank.


The cash machines of 1967 relied not on plastic cards but instead on paper checks that the bank would send to customers in the mail. Customers would take those checks — which had little punched-card holes printed across the surface — and feed them into the ATM, which would then validate the checks and dispense a small amount of cash.

This week, Barclays turned the ATM at the same location gold to mark its golden anniversary, dressing the machine with velvet ropes and a red carpet leading up to the machine’s PIN pad.


The location of the world’s first ATM, turned to gold and commemorated with a plaque to mark the cash machine’s golden anniversary. Image: Barclays Bank.

Chances are, the users of that gold ATM have little to worry about from skimmer scammers. But the rest of us practically need a skimming-specific dictionary to keep up with today’s increasingly ingenious thieves.

These days there are an estimated three million ATMs around the globe, and a seemingly endless stream of innovative criminal skimming devices has introduced us over the years to a range of terms specific to cash machine scams like wiretapping, eavesdropping, card-trapping, cash-trapping, false fascias, shimming, black box attacks, bladder bombs (pump skimmers), gas attacks, and deep insert skimmers.

Think you’ve got what it takes to spot the telltale signs of a skimmer? Then have a look at the ATM Fraud Inspection Guide (PDF) from cash machine giant NCR Corp., which briefly touches on the most common forms of ATM skimming and their telltale signs.

For example, below are a few snippets from that guide showing different cash trapping devices made to siphon bills being dispensed from the ATM.

Cash-trapping devices. Source: NCR.


As sophisticated as many modern ATM skimmers may be, most of them can still be foiled by ATM customers simply covering the PIN pad with their hands while entering their PIN (the rare exceptions here involve expensive, complex fraud devices called “PIN pad overlays”).

The proliferation of skimming devices can make a trip to any ATM seem like a stressful experience, but keep in mind that skimmers aren’t the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

You are far more likely to encounter ATM skimmers over the weekend when the bank is closed (skimmer thieves especially favor long holiday weekends when the banks are closed on Monday). Also, if you have the choice between a stand-alone, free-standing ATM and one that is installed at a fixed location (particularly a bank) opt for the fixed-location machine, which is typically more secure against physical tampering.

"Deep insert" skimmers, top. Below, an ATM "shimming" device. Source: NCR.



47 comments

  1. IRS iTunes Card

    Euro Cops Cuff Suspected Payment Card Fraudsters
    31 Arrested in Spain and Bulgaria; Skimmers and Card-Forging Equipment Seized
    http://www.bankinfosecurity.com/euro-cops-cuff-suspected-payment-card-fraudsters-a-9994

  2. My debit card got hacked a couple of years ago and since then I cover my PIN input with my hands. However, I don’t know how long this security tip will last. I think we should try to avoid ATMs by depositing checks via phone apps and by going to the bank and cashing a check in our name if we need cash.

    • Robert.Walter

      My 84 y/o mom is an expert at depositing cheques via her CU iPhone app. She then shreds her cheque after confirming it was posted to her account.

      It saves her time and gas as well as exposure on the road and at an ATM.

      I recommend this methodology to everybody.

      • Robert I hope she is waiting at least a week before she shreds her check. I’ve seen banks ask for the check just to double check and people lose a lot of money that way. If not money, then time.

        • Which banks have you seen do this? I have deposited many, many checks via my phone app and have never had the bank ask to see the check. Once they confirm the deposit, I shred the check. They confirmed it, it’s on them.

          • Read the fine print of the Terms of Service of using the bank’s app, confirmation doesn’t mean crap. They tell you to retain the check for a certain period and write something across the front like “deposited electronically”

            You heard of the overpayment check scam? That scam only works because a bank will “clear” the money but then find out there’s a problem, then they will take back that money even after the clear. Stupidly enough a check clearing doesn’t mean it’s actually cleared.

            Moral of the story, read the fine print and follow it. Don’t just shred immediately. Otherwise it’s on you for not following what your bank says and what YOU agreed to as part of using that app.

      • Krebs had an article on here a couple years back on one of his computer-savvy reporter colleagues having his entire Mac system (laptop plus iPhone) hacked, locked, and ransomed. I think it’s always risky to do anything financial across a cell phone, and I never connect cell phone to LAN (since you don’t own a firewall between the phone and the outside world – you’re risking putting your LAN online).

  3. James Schumaker

    I’m not a big believer in ATM’s. Fortunately, now that I am retired, any time I need cash, I can get it by cashing a check at my local bank. I know all the tellers, and they know me.

  4. There are some advantages to depositing a check at an ATM as compared to a human teller. Especially in the case of a “lost” or “mishandled” deposit.

    The differences are covered in Reg E. If you make a deposit via an ATM the bank must prove that they did not get it. But if you make a deposit with a teller, then you must prove that you deposited it.

    This difference in proof of deposit is not insignificant. At one time I deposited two checks at an ATM and they only credited me for one. I called the bank, and they began to hem and haw, but once I mentioned Reg E they changed their tune and quickly “found” the missing check.

    • Michael Martin

      You know your stuff David. Reg E is a bright spot for the individual in keeping banks accountable and acting right.

      • Richard Turnbull

        If it protects consumers’ rights against banks, watch for it to be on the repeal and replace with nothing agenda.

    • … not to be a drip, but my mom always said to use credit unions. Banks’ job, being a for-profit, is to make money from you. CU’s job, being non-profit, is not to make money from you.

  5. Luckily, my credit union has convenient branches. Thanks to your research I no longer use its ATMs and instead I go inside to a teller.

  6. Regardless of how bad they are in other ways, both Wells and BOA are in the vanguard of using Apple Pay to authenticate ATM cash withdrawals.

    The advantage of this is one never has to insert a card into an ATM with this methodology. In so doing, nobody can be skimmed.

    • Wells and BOA? There are two fine upstanding institutions./s Credit Union anyone? I seem to recall a time the USG tried to get rid of them.

      • Richard Turnbull

        Wells Fargo, Bank of America, Goldman Sachs and more — are we into trillions of dollars in fines for financial fraud, or only billions?
        A billion here, a billion there, pretty soon you’re talking about real money!
        (Credit Everett Dirksen)

    • I work in the banking-side of the ATM industry. Wells and BoA’s NFC and cardless (no NFC) ATM transaction options are some of the most secure ATM processes in the world. And I work at a competitor. The cardless is the least expensive to the FI and every bit as secure as Apple Pay. Tokenization is the new norm.

      Credit Unions, which I also worked at one for over 10 years, are notorious for outsourcing too much of their services – especially ATMs. You’re not likely to see NFC or Apple Pay at a CU ATM anytime soon.

      • Robert.Walter

        I have accounts at CU’s, with one still in the process of trying to implement AP, the other already has.

        From discussions with the one CU, on their website and their app (I wanted 2FA and a better functioning TouchID feature), I agree on the outsourcing issue.

        I’m hoping that the National Assn of CU’s will be forced to recognize the competitive disadvantage of card based ATM’s and embark on an upgrade of their shared national ATM network.

        If the Assn has any kind of marketing group, they could use this to reach out to customers and potential customers and sell an upgrade to contactless authentication along with all the other customer advantageous programs CU’s have to offer.

      • Interesting comment about Credit Unions (i.e., not-for-profits) outsourcing services. I suppose this means that they don’t offer as much protection from for-profit financial institutions as they used to (except for a few of the much larger and older Credit Unions).

        • No, in general, the Credit Union offers the same types and amounts of protection that a regular bank does.

          Because most smaller Credit Unions have to outsource some services doesn’t make you more vulnerable as a customer. It just means that the Credit Union won’t necessarily be able to customize an application, or be cutting-edge on the latest technology. Their IT departments are typically small, and they generally use software purchased and supported by 3rd-party vendors. Huge banks like BofA and Wells have in-house developers and coders, and can do a lot more customization in their platforms. It’s not a good/bad thing; it’s just a reality.

          In general, I think you get MUCH better service at a Credit Union.

          • You’re right, CU’s IT departments are smaller, as are their security teams. But this means they are generally _unable_ to provide the same levels of protection as a regular bank, and will not have the same level of fraud detection and prevention tools.

      • Cardless rocks–a great (and rare) example of how security and UX can win at the same time. Once my driver license becomes an app (or a photo), I won’t even need my wallet any more. Yes, please!!

    • Ah? Right! But don’t bet your life savings on it. Apple Pay is only as secure as your device. Remember all communications are monitored. How long before the least secure Apple device is hacked? Oops, already done, and in the wild. How long till they find one with Apple Pay? Probably yesterday? Remember, your security is an illusion, that someone is trying to violate. But who?

      • Apple device hacked? In the wild? Without physical access to the device? Running iOS 10.3.2? [citation needed] and not some Wikileaks speculation.

        • From my IT experience, it isn’t IF you’ve been hacked or not, but rather WHEN will the hacker use your information? It’s sad, but it’s a reality in today’s moral-less world

        • Just passin by

          Well it’s still July and last night news says “yes, your IOS 10.3.2 device is hackable via wifi” – so without physical access.

    • Hah! Funny! We sure didn’t get The Jetson’s future the TV promised us, did we? LOL!

    • I remember Varney on the Benny Hill show! Very funny man! So he was the 1st customer on the very machine sited in this article? Amazing!

  7. “Chances are, the users of that gold ATM have little to worry about from skimmer scammers. ”

    Good point Brian. Distinctive complex surface finishes with techniques such as holograms would make it harder for criminals to substitute fake devices.

  8. And, to add to it, Mastercard is coming out with new credit card(s) that start with a “2”. Should be within the next 6-12 months. If you have an old terminal, you need to upgrade/replace it soon.

    • That’s bunk. That’s BIN programming – nothing more. No one needs to upgrade terminals.

  9. I deposit all my checks thru a phone app now.

  10. Perhaps you just hit on something, if every ATM was slightly different (colour and design) skimmers would be less universal. Let’s not make it easy for them.

  11. A question, or two, on Reg. E

    Is the “bank must prove it did not get the check” also true for credit unions?
    And, is that true only for the bank’s (or CU’s) own ATMs,
    or also for ATMs within the associated network (such as
    Allpoint, for example) ?

    • I think I found the answer to my second question.
      I read a summary of Reg. E.
      Section 205.14 seems to imply that the regulation applies as well to ATMs of banks not associated with the account.

  12. This is a huge problem, I think.

  13. Why the paranoia about ATM’s? Card skimming is only the 3rd most common card fraud type (in the UK).

    Once you have rolled out chip and pin fully in the US all your card fraud will move to CNP.

    There was only c.100k of cloned/skimmed cases in the UK in 2016. Compare that to CNP which was c.1.4m *source FFA UK

    The risk and reward in card skimming is dying; it will all be CNP fraud soon in the US.

  14. Here is a link to a great video that shows skimmers being found and removed. http://www.cbs46.com/clip/13471890/woman-discovers-skimmer-attached-to-atm-card-reader Shows you how hard you can test to see if it’s been adulterated. “Don’t use a tire iron, but almost anything short of that is fine.”

    • And yet that video didn’t at all mention to just cover the pin pad when you use it to help thwart camera attacks.

      And as far as zip code – I personally hate it that the pumps that ask for that display it in large type on the video screen of the pump – you could see that from several feet away and I can’t cover the pin pad AND screen at the same time – epic fail on that one to the pump software designers!