05 Dec 17

Anti-Skimmer Detector for Skimmer Scammers

Crooks who make and deploy ATM skimmers are constantly engaged in a cat-and-mouse game with financial institutions, which deploy a variety of technological measures designed to defeat skimming devices. The latest innovation aimed at tipping the scales in favor of skimmer thieves is a small, battery powered device that provides crooks a digital readout indicating whether an ATM likely includes digital anti-skimming technology.

A well-known skimmer thief is marketing a product called “Smart Shield Detector” that claims to be able to detect a variety of electronic methods used by banks to foil ATM skimmers.

The device, which sells for $200, is called a “Smart Shield Detector,” and promises to detect “all kinds of noise shields, hidden shields, delayed shields and others!”

It appears to be a relatively simple machine that gives a digital numeric indicator of whether an ATM uses any of a variety of anti-skimming methods. One of the most common is known as “frequency jamming,” which uses electronic signals to scramble both the clock (timing) and the card data itself in a bid to confuse skimming devices.

“You will see current level within seconds!,” the seller enthuses in an online ad for the product, a snippet of which is shown above. “Available for sale after November 1st, market price 200usd. Preorders available at price 150usd/device. 2+ devices for your team – will give discounts.”

According to the individual selling the Smart Shield Detector, a readout of 15 or higher indicates the presence of some type of electronic shield or jamming technology — warning the skimmer thief to consider leaving that ATM alone and to find a less protected machine. In contrast, a score between 3-5 is meant to indicate “no shield,” i.e., that the ATM is ripe for compromise.

KrebsOnSecurity shared this video with Charlie Harrow, solutions manager for ATM maker NCR Corp. Harrow called the device “very interesting” but said NCR doesn’t try to hide which of its ATMs include anti-skimming technologies — such as those that claim to be detectable by the Smart Shield Detector.

“We don’t hide the fact that our ATMs are protected against this type of external skimming attack,” Harrow said. “Our Anti-Skimming product uses a uniquely shaped bezel so you can tell just by looking at the ATM that it is protected (if you know what you are looking for).”

Harrow added that NCR doesn’t rely on secrecy of design to protect its ATMs.

“The bad guys are skilled, resourced and determined enough that sooner or later they will figure out exactly what we have done, so the ATM has to be safe against a knowledgeable attacker,” he said. “That said, a little secret sauce doesn’t hurt, and can often be very effective in stopping specific attack [methods] in the short term, but it can’t be relied on to provide any long term protection.”

The best method for protecting yourself against ATM skimmers doesn’t require any fancy gadgets or technology at all: It involves merely covering the PIN pad with your hand while you enter your PIN!

That’s because the vast majority of skimming attacks involve two components: A device that fits over or inside the card reader and steals data from the card’s magnetic stripe, and a tiny hidden camera aimed at the PIN pad. While thieves who have compromised an ATM you used can still replicate your ATM card, the real value rests in your PIN, without which the thieves cannot easily drain your checking or savings account of cash.

Also, be aware of your physical surroundings while using an ATM; you’re probably more apt to get mugged physically than virtually at a cash machine. Finally, try to stick to cash machines that are physically installed inside of banks, as these tend to be much more challenging for thieves to compromise than stand-alone machines like those commonly found at convenience stores.

KrebsOnSecurity would like to thank Alex Holden, founder of Milwaukee, Wisc.-based Hold Security, for sharing the above video.

Are you fascinated by skimming devices? Then check out my series, All About Skimmers, which looks at all manner of skimming scams, from fake ATMs and cash claws to PIN pad overlays and gas pump skimmers.


36 comments

  1. Brian, you might also be interested in knowing about the free open source Android app that SparkFun released that alerts you when gas pump skimmers are installed in a gas pump:
    https://learn.sparkfun.com/tutorials/gas-pump-skimmers

    • Interesting app, but since it has to use Google location, I will not use it. The main thing to be concerned about is the developer’s statement: “There is implicit risk associated with publicly reporting crimes.” Best to not report a pump that you discover has a skimmer. I am very knowledgeable when it comes to police tactics and their mind set, and it is very dangerous to ever deal with any of the authorities. I have seen many cases where innocent citizens have voluntarily contacted or otherwise willingly assisted law enforcement, only to have been charged and convicted of a crime(s) that they unwittingly had committed. You might consider the mistake of cooperating with prosecutors by Scooter Libby and Martha Stewart, who were questioned over and over with the same questions, until they innocently gave a different answer, thereby being charged and convicted on a process crime. The only other safe way to report something to the authorities is to use a remailer.

  2. I am not sure how effective it is, but I have been using an app called Skimmer Scanner that uses a phone’s bluetooth radio to scan for the bluetooth transmitter that skimmers often use.

    This post made me think of it.

    • Just a heads up Scott, I would be wary of leaving your bluetooth on in a public area with the Blueborne virus. Not sure if skimming or the virus is a bigger threat at this point…

      • Just wait for the two things to be combined. Bluetooth infections via compromised ATMs.

        As an added bonus of leaving bluetooth off you get longer runtimes… one less radio to power…

      • Skimmer Scanner has a setting that turns on Bluetooth just long enough for you to scan and can shut it off as soon as you exit the application.

  3. It’s a little less convenient than using the card slot at the gas pump, but going inside to use a chip reader is a lot safer. If there is no chip reader inside, fill up elsewhere. Regardless, cover the keypad with your hand when you enter your PIN, anywhere.

    • Or do as I always do at gas stations. Go into the store/office and give them cash for more than enough needed for the purchase. They will unlock pump. Go outside and fill it up. Then go back into store and get the change. The card never gets anywhere near anything.

      • The problem with that is not having universal deployment of chip readers. Not only do not all merchants in my area, Southern New Mexico, use chip readers, the number recently shrank: some merchants did POS upgrades that broke the chip readers, forcing them back to swiping.

        I don’t understand why we don’t have chip readers or contactless pay at gas pumps. I know it’s just money that the companies don’t want to pay for upgrades, but it still drives me nuts.

        It all comes down to money: merchants can’t/won’t pay to defend themselves against people who want to rob them electronically.

        • It still boggles my mind why in the US this is such a problem while in Canada this year I happily used my EMV Card in chip-equipped fuel pumps on all my travels.

          • Check prices on chip-enabled gas pumps some time. If a merchant hasn’t had problems with fraud, an upgrade project costing tens of thousands of USD makes them ponder a while.

          • I live in the sticks, and all my cards are Chip-N-PIN now. It has been a while since I’ve seen a merchant that didn’t have the reader out here.

        • Due to complaints from the petro/Cstore industry about the cost and certification time required, the liability shift for failing to use chip card readers for gas pumps in the US got pushed back from Oct. 1, 2017 to Oct. 1, 2020.

    • Or just use a credit card where your liability for fraudulent charges is usually zero. A lot faster and easier than going inside every time you get gas.

  4. Great article, keep them coming Krebs !~

  5. If an ATM in the US was jamming bluetooth signals the FCC would consider that “causing intentional interference… a violation of federal law.” A lot of hotels and convention centers wound up paying big fines for mucking with wifi signals in an attempt to force people to use their overpriced wifi network.

    • The FCC would just look the other way as they do for other industries. They’ve favored corporate interests, more notably telecom and power, before regulations for years.

      Part 15, which covers bluetooth, is poorly enforced if at all. Unless it’s against an individual.

  6. Meanwhile we just block all mag stripe transactions, leaving skimming a moot point and barely affecting legitimate cardholders (unless they’re in India, but that’s rare). Skimming’s days are numbered, and it’ll be interesting to see what these black-hat electrical engineers find to do with their time next.

  7. The best anti-skimmer device in the world COSTS NOTHING and you ALREADY own it – it’s called CASH!

    • Cash which you have to get out of a potentially compromised ATM

      • Nope, you can get it the same way I do… walk into the bank, present the lovely teller behind the counter with a withdrawal slip (she’s only been there 10 years), stuff your wallet with a wad of filthy lucre. Been doing that for over 40 years… never used an ATM in my life. Also, never paid a bill online. Tried auto-payments a few times. The payees inevitably start slipping in mystery charges, making errors, or double billing. Writing a check (you remember those?) each month gives you a real good feel for where and how your money is going.

        Young’ens these days… sheesh, occasionally get out and meet somebody in real life.

        • Hi Mark,
          What happens when you lose your wallet, or it gets stolen? Don’t think you’ll have much luck having your bank replace your cold hard cash.

          Your checks may give you a good feel for where your money is going, but is it worth the amount of information you are sending out into the world? Take a look at your check before you put it in the mailbox, it has your name, address, maybe even phone number. In addition, your bank’s routing number, your personal account number, and where you are in your series of checks coming out of the account. Best case it’s everything needed to forge checks on your account, worst case they have enough to take over your account. That is a lot of faith you are putting into the USPS to safeguard your information. Good thing they don’t ever lose checks, or have mail stolen.

  8. Hello Brian, the company I’m working for developed an anti-skimming system 10 years ago …. it’s a mechanical solution and is 100% efficient.
    Unfortunately we have not succeeded in implementing it. I think for financial institutions skimming is profitable.

  9. Very good, and seasonal article. Did like the skimmer article also. Next step? Remember your RFID wallet adapter. You know, the tinfoil sleeve? Not headwear, but protective.
    As the gangs move to the middle of America, and they become mainstream, they have spread their problems. ID theft is one of them. Skimmers are on the rise. But, I did like the idea of an app for the detection of Bluetooth skimmers. Now, that has me wondering if there is an Android or Apple firewall app? That would stop unwanted receiving of data? I know, another program running while traveling, but…

  10. As for the Android firewall app, I’ve been using No Root Firewall for about 4 years now, and while it’s not perfect, I can control / completely block either cellular OR WiFi OR both network connections for any app / Google service I want.
    Signals me if / when an app attempts to ‘phone home’ for any reason. Can tailor unique I/O filters for apps too…

  11. Are these devices being sold by those who also happen to make the skimmers? Wouldn’t be a bad way to make extra money lol.

  12. We are back since our takedown in 2014.
    http://doxbin.fun/

    Everyone’s dox has been backed up and uploaded.

  13. Heck, for $200, I might buy one just to find out which banks are taking security seriously and installing anti-skimming tech. 😀
