10 Mar 19

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.

And sometimes, the scammers just hijack the security camera built into the ATM itself.

Below is the hidden back-end of a skimmer found last month placed over top of the customer-facing security camera at a drive-up bank ATM in Hurst, Texas. The camera components (shown below in green and red) were angled toward the cash machine’s PIN pad to record victims entering their PINs. Wish I had a picture of this thing attached to the ATM.

This hidden camera was fixed to the underside of a fake lens cover for the skimmed ATM’s built-in security camera. Image: Hurst Police.

The clever PIN grabber was paired with an “insert skimmer,” a wafer-thin, usually metallic and battery powered skimmer made to be fitted straight into the mouth of the ATM’s card acceptance slot, so that the card skimmer cannot be seen from outside of the compromised ATM.

The insert skimmer, seen as inserted into the card acceptance device in the hacked ATM. Image: Hurst PD.

For reference, here’s a similar card acceptance slot, minus the skimmer.

An unaltered ATM card acceptance slot (without insert skimmer).

Police in Hurst, Texas released a photo taken from footage showing what appears to be a young woman affixing the camera skimmer to the drive-up ATM. They said she was driving a blue Ford Expedition with silver trim on the lower portion of the vehicle.

The skimmer crooks seem to realize that far fewer people are going to cover their hand when entering a PIN at drive-up ATMs. Often the machine is either too high or too low for the driver-side window, and covering the PIN pad to guard against hidden cameras can be a difficult reach for a lot of people.

Nevertheless, covering the PIN pad with a hand, wallet or purse while you enter the PIN is one of the easiest ways to block skimming attacks. The skimmer scammers don’t just want your bank card: They want your PIN so they can create an exact copy of the card and use it at another ATM to empty your checking or savings account.

So don’t be like the parade of people in these videos from hidden cameras at hacked ATMs who never once covered the PIN pad.

Further reading: Woman Caught on Video Installing Skimmer Outside Bank’s ATM in Hurst

61 comments

  1. Man, I wish you put some red arrows on those pictures for dummies like me. I’m struggling to understand what’s what on those images.

    • Hillary Clinton's Chin Hair

      That’s what I thought too, it’s hard to tell exactly what’s going on.

  2. The Sunshine State

    Cool photos

    • One reason we decided to use cash for everything and go to the bank during business hours was because of photos like these. I still have a couple of cards, but almost never use them. Which reduces my exposure. Cash is still king and it allows some fun negotiation with larger purchases.

  3. I used gasbuddy to find the lowest price fuel along I-5 near Tacoma WA and found an independent fuel seller that was .10/gal less on fuel than anywhere else local. The on pump card readers were taped off with a note to come inside to pay. Once inside a sign at the POS read debit cards only and just after I finished the sale I happened to glance up and there was a security camera pointed directly down on the PIN pad. Whoops. I cancelled my card as I drove away. Lesson learned.

    • More than likely that was to catch people trying to put in an overlay onto the terminal to steal cards.
      I mean it’s possible the people running it were crooks, but more likely it was just security.

      Next time always cover your hand when you enter a pin and it won’t matter as much 🙂

    • And you called the cops and reported it, right? To catch the thieves and protect other customers who didn’t notice the camera?

    • Touchdown In Sight

      @ Ron M.. #GlassHalfFull but also kind of not is that there was a recent article about the Kroger grocery store chain doing something similar. It’s about credit card fees for credit versus debit card transactions.

      A few years ago, a local small town store told me they pay a much higher fee to credit card companies when customers use the credit option instead of debit. It looks like that was apparently a fact and is now becoming much more common knowledge thanks to one credit card possibly becoming increasingly greedy over the same.

      @ Brian, #ThankYou as always! You write so very cognitively friendly.

      I followed your 3D skimmer link there. Today’s digital cameras offer Wifi capability on regular occasion. I’ve had at least 2 OLDER secondhand cameras I bought that had that capability. Sorry, I can’t remember the make/model.

      That Samsung [chip]… digital cameras again maybe. A quick search of “samsung digital camera specs wii” landed the following without even visiting the actual website:

      “Wireless Connection. IEEE 802.11b/g/n, NFC (Near Field Communication)”

      That’s from personal fave CNet regarding the “Samsung Smart Camera WB350F”.

      You know… I’ve seen used Samsung cameras go for what felt like a little bit of a high price. You possibly have shed some light as to why if for some reason quality and capability don’t already put the question to rest.

      PS… I’ve been contemplating writing you to ask your opinion about something. I received a PDF file about the same time *YOU* wrote about that topic here. Mine.. I think *possibly* has something to do with….

      Child trafficking.

      At the very least, it’s about a (security affecting, maybe??) HIPAA violation that a doctor’s office should know is occurring…

      Except that…

      The doctor’s office, that DOES have a believable Internet presence, sent an email to a (fake) pseudonym of *mine*. The email author addressed that pseudonym by (fake) first name while presenting a brief but still somewhat involved scenario about a pediatrician’s office visit.

      Word up to same said email author: I only buy into hook, line, and sinker when it involves Red-tailed Snappers… and the occasional Barracuda or three *chomp!*

      PPS The mention about an online presence was to distinguish from the apparent fake… pharmacy that called the last Friday in 2018 to advise me that my drug order was there and that they’d be closing at 1:00pm that day.

      So far, I’ve not found the alleged pharmacy name online, even with a few creative twists that led nowhere. How often does THAT happen in this Internet crazed day and age, you know?

      This isn’t the first time for this, but it’s approximately the most creative so far.

      My impression was that the caller was notably tripping over his words. There appeared to be… fake… muzak playing in the background. My perception of that detail is certainly tainted by years of exposure to this ordeal, but I can’t shake my initial impression that the “muzak” was potentially generated… by a child’s toy.

      The PDF file, I haven’t opened it. I’m dealing with highly organized sexual predators. I’m just not up for their… ongoing garbage… just this sec should that PDF include predatory images instead of an alleged patient medical update 🙂

      Well, there’s that and that YOU *NEVER* OPEN *ANY* EMAIL FILE ATTACHMENTS WHATSOEVER when they arrive unsolicited from absolute and total strangers residing clear across on the other side of the country right over there…….

  4. I don’t understand why the ATM manufacturers make the slot big enough for a skimmer …. I mean people put their card into the slot after the skimmer is installed so that tells me there is way too much space in that slot.
    They need to add a detection device that throws a net on the perp if anything other than a plastic credit card is inserted into that slot ;-). Those devices are made with metal with electronics on it so that should set off alarms and a stun gun deployed. ATM makers you are welcome to modify my outrageous ideas to stop the madness!

    • Well they don’t have the auto deployed stun gun, but there are plenty of detection items for ATMs, all at added cost. Which we have them. Detects inserts that aren’t cards, vibration detection if someone drills/cuts into it, circuit monitoring. (among other methods) There is enough profit from ATMs to implement them all, if the owner chooses to.

  5. Sue the banks as there are several solutions to avoid this since 2012.
    If they don’t solve the problem, they are responsible!
    If at least they were replacing those which have been already hacked, because they are in the perfect places…

    See previous article
    https://krebsonsecurity.com/2012/09/a-handy-way-to-foil-atm-skimmer-scams/

    Search for ‘Diebold manufactures’ and just above it another answer ‘Roman Iakoubtchik’.

    • Customers aren’t responsible for ATM card fraud, as long as they check their bank statements and report discrepancies. Problem solved many years ago.

      • That does not solve the problem; it merely transfers the cost to the bank, which, in turn passes it along to ALL of their customers.

        • Actually….Banks do cost benefit analysis, it obviously costs more to implement all the security features, thus, why they choose to not do them. If they did implement them, and you state the costs would be passed along to customers, then we are actually saving money. Something I do not know, WHO is actually responsible? The ATM owner? Which may not be the issuing bank?

      • Watch yourself.. There is a big difference in the liability between a compromised DEBIT card and a compromised CREDIT card..

        First and foremost.. with DEBIT card fraud.. your money is gone until you can get it covered.. with CREDIT card fraud.. the charges are reversed immediately upon dispute…

        • Jim obviously needs a lesson on Reg E here in the US.

          • As you do in the practical matters of how things work in real life.

            Credit cards you aren’t responsible to pay fraud, cost burden is on the banks. You are never out any money, and don’t have to pay that part of bill.

            Debit cards the money is already gone from your account, and banks hate giving it back. They can make you do forms and paperwork and wait weeks to give back your money. Meanwhile your house payment is bouncing along with all your other bills. And you have to argue to get them to refund the bounced check fees, etc.

            Yes the laws protect both, but that doesn’t stop the money from being gone, and taking a while to get replaced, and possibly costing you money or credit dings in the meantime.

            • Who, in their right mind, has a debit card attached to their money accounts? That is possibly the least safe method, spend some time at CVS, another bank, and get an old fashioned, you have to put money in there, debit card. It only takes one bad apple, to steal from you, so, separate your apples from them. Keep your money safe for your use.

              • “Who, in their right mind, has a debit card attached to their money accounts?”

                Almost everyone.
                The ATM card says on it “DEBIT”
                It is linked, say, to a checking account.
                But most people do not turn off overdraft protection. So when the checking account gets emptied it is the turn of the account that is designated to cover overdrafts.

                My bank, actually a Credit Union, has a daily max. ATM withdrawal rate of $500, combined from all of your accounts.
                I learn from Brian to be safe:
                I have overdraft protection turned off. I have a password for my at-window or by phone transactions.
                When using an ATM I cover the pin pad so well that I sometimes really have to bend down to see the keys.

              • I have a debit card from my bank. With their phone app, I’m able to transfer money into the debit card. I always keep it at $50 tops.

                It has worked very very well for me. No fee from my bank for the card nor for the app use.

            • somguy, actually a bank cannot require you to fill out or complete forms. It is governed by Regulation E, which is the most consumer friendly regulation there is. You merely have to inform the bank. They have ten days to respond. They can grant you provisional credit, which gives them more time to investigate. However, if the fraud is true, then the overdraft charges are required to be reversed. Most banks that I know will immediately grant provisional credit to allow themselves more time to investigate.

              • Brian, yes, but the bank won’t reimburse you for fees you incur due to bounced checks, late payments, etc.

        • Jim, I would have to disagree. While there are differences between Reg E and Reg Z by no means do funds get reversed instantly for all situations on a credit card. If the dollar amount is low…probably as it is going to be written off. Most institutions do not care about a $14.37 charge to Chipotle (clearly an example), however will take note on the amount of claims per account. A high dollar claim/dispute is likely not going to get reversed instantly. There actually might be some questions, investigators, police reports, and further research. This is how 1st party fraud exists in this realm by fictitious claims/disputes for egregious amounts on practically impossibly and/or super suspect situations which the card holder cannot explain and only brings more questions than answers.

          • @Jordan – The difference with a Credit Card fraud issue is that I only have to review my statement once a month. I review it, flag any transactions as fraud and submit the required online forms stating I’m not lying. Then when I schedule my monthly ebill payment, I first subtract the fraud total from my statement balance, and only pay the remaining portion. While the dispute is being processed, the charges are “on hold” and I’m not liable for them. The credit card company is out the money, not me, while things are getting settled.

            It is the opposite with a transaction tied to a checking account. I’m temporarily out the money while the process slowly winds its way.

            I’ve never been near my credit card limits, but I imagine that might be the only problem one might have is during the investigation of credit card fraud charges you might have that amount unavailable from your credit line.

            It’s really less of an issue these days as both my banking and credit cards are set to send me text and email alerts for transactions over $200. It’s amazing how fast these texts come through as well – often literally seconds after I’ve dipped my credit card and hit “yes/approve”.

          • You guys need a new bank – NFCU gives you the cash back instantly on debit fraud while they investigate. On credit fraud they take the charge off your bill instantly. You have to contact them but you should check your account every few days anyway.

    • Stephane, that’s a ridiculous comment. If all ATMs had all existing security measures installed, it would take about 60 days for a fraudster to figure out a way around them. Then what? And good luck trying to sue the bank. You’d have to prove willful blindness, or at best, neglect. And banks spend millions annually on anti fraud precautions at their ATMs, and can show it easier than you can show neglect.

  6. Maybe it’s time to have Multi-Factor Authentication for ATMs and do away with the stripe / PIN method.

    • I Want a Waffle

      I like your thinking here, though if they do implement MFA at ATMs, my concern is they would have to be on some sort of network or Bluetooth — which means that is just another avenue of attack for attackers.

    • MFA, like something you have and something you know? Hummm… Maybe a physical card and a PIN?
      Troy.

      • I see where you’re coming from, but technically the whole transaction is taking place at one machine, which is a single-point-of-failure, i.e., you are using the ‘something you have’ (card), inserting it into the machine, and then inputting the ‘something you know’ (PIN) into the same machine. I believe Patrick’s thought was something like this:

        1. User inserts card into the machine
        2. There is no PIN entered anymore
        3. The machine then sends a code to a device you have
        4. You verify the code on your device
        5. The payment goes through

        I think that’d be well and good, but if this were the case, there are still obvious flaws such as network connectivity. Those devices would then have to be on some network which is another added vulnerability. Heck, if they put that technology into all gas pumps, can you imagine the damage that could be done if ransomware or other malware entered into those machines now that they’d be connected to a network?

    • FWIW, Bank Of America supports Apple Pay at their ATMs. You still need to enter a PIN after tapping your phone (and authenticating the tap with a fingerprint), but that PIN won’t be useful to a thief if there’s no inserted card to skim.

    • Make it more difficult for thieves and they’ll just go back to old fashioned muggings outside the bank.

      ATM card cloning is good, because it’s easy and no one gets injured.

      When a bank is robbed during the day, staff know to not resist. Comply and it’s unlikely anyone gets hurt.

      Same for stores with shoplifting. Major retailers have policies disallowing physical interference with shoplifters to prevent injuries to staff, customers, and thieves.

      It’s much safer to let police do their job and insurance cover the loss.

      So you want to interfere with ATM card cloning? That’s only going to increase other crimes.

      • Your statements presume a fixed supply of criminals, whereby if one criminal path is blocked, they will use another criminal path. I don’t think that’s accurate. Skimmers and muggers have a very different set of “skills”.

        Also, you’re missing the risk/reward motivation. Skimming is low risk and high reward. Mugging is high risk and low reward. Also, if mugging someone with a concealed carry firearm, the risk includes the loss of your life. Skimming carries no such risk.

  7. That circuit board looked like a little camera board from a laptop. Easy to come by.

  8. Skimmers in gas pumps are pervasive at least in the eastern half of the USA – assume the pump you just used has a skimmer if you are east of the Mississippi. Gas pump consortium got themselves exempted from chip readers until 2020, so for at least another year gas pumps will be a criminal’s best friend. If your bank has an “app” like SecurLOCK, turn on Geo referencing so in person transactions only work where you/your phone is. And/or ask for a 2nd card with different number and only enable that card via the app for fuel then disable it again afterward. And, ask bank why they still have “chip fallback” enabled for EMV cards at all since that allows skimmed mag strip to be used for fraud.

  9. Our bank in CT changed the card insert method from shortest side in to the widest side in. Does that decrease the vulnerability to skimmers at all?

    We do have the same problem where it’s difficult to cover the pin when entering. The banks usually have a sign saying only drive-ups are allowed – no walking which I gather has to do with the individual bank’s insurance coverage. Thank you for the insightful articles.

  10. It is very difficult to cover the pad while typing the pin from many cars.

    I am no longer swiping my card to get the PIN prompt screen. I have been using my Samsung Pay App to get to the screen. It is much easier to reach from my car. I am sure there will come a day that this process will be vulnerable to some skimming too.

    • “It is very difficult to cover the pad while typing the pin from many cars. ”
      Get out of the car and use the ATM in the lobby/entrance/etc.
      That is what I do all the time.

  11. Rube Goldberg's Razor

    Smith and Wesson makes a blood skimmer that handily prevents these attacks.

  12. Hardest thing to sink into customers’ minds is that they have to cover their hand as they enter in their pin. This alone would address most of the pin fraud out there. Also don’t be fooled by ATMs with pin covers. I’ve seen them placing the pin under the covers making them even harder to spot.

  13. Park your car, and walk to the pedestrian ATM. Feels good and avoids the drive-thru.

    • People have become sooo lazy that they refuse to get out of their cars to go inside a Starbucks store. I live in an area where there are ridiculous lines blocking traffic because they all want to sit in their cars waiting in line for their coffee. They all drive huge SUVs pumping out CO2 while idling.

  14. Alrighty, I think it’s about time we suggest feasible solutions to the skimmer attack on physical ATM hardware. I’m thinking it must be cheap af or it will never take. So, what’s stopping us from using software-based object recognition from ATM camera data… I’m thinking as objects/read skimmer/ is placed it can be detected with camera data fed to proper software..I mean it’s a thought…talk me off this cliff??

  15. While many skimmers are getting harder to detect I saw a video a few years ago that shows a person who used their phone and turned on the Bluetooth device and actually was one way of determining if a skimmer was present if the Bluetooth on the phone was trying to connect to the skimmer it would try to connect. Another way to protect yourself from this fraud is to check with your bank and see if they have any way to turn your debit and credit card information off and also has the ability to set buying limits on both cards. I have set my limit to 10.00 dollars on both cards when making a purchase with either one. Every time I use either card I get an email alert from the bank on my phone within 30 seconds and no more than 1 minute. If something is going on you will know very quickly to take action and disable the card that has been compromised. Check with your bank and see if they have these features that you can setup for your debit card and credit card. I hope this information will help you!

  16. The most remarkable part of this story is that the skimmer lady didn’t know that she was being video taped.

    I can’t wait to hear her excuses when she’s apprehended.

  17. If you have a bank card with a chip — as we do in Canada — doesn’t that defeat the skimmer? Can a chipped card be cloned?

    • The chip can’t be cloned, no. A chipped card can still have its magnetic stripe skimmed, so it’s still possible to experience counterfeit card fraud if the crooks can find somewhere that still accepts the mag stripe without checking for the chip and the issuing bank still authorizes mag stripe transactions. I put controls in place at the bank where I work to decline mag stripe transactions, and we’ve had no counterfeit fraud for years now (we’re not US-based so this was practical for us). Seeing chip & PIN work as intended is glorious.

      • It is true, but if your cards (or the clones of your cards) do a transaction in countries like India, Indonesia or even USA where there are lots of terminals without chip support your chip controls won’t work. Chip capable terminals have to be enforced everywhere in order to be globally useful… Unless you completely unable your clients to do transactions on those countries/terminals. Security versus service … a difficult decision.

    • Any ATM (or similar) that captures a card as part of the auth prompt is just as vulnerable to skimming in Canada as it is in the US.

      Any reader that doesn’t completely accept a card in theory should be fine.

      Personally, I mostly bank in person. When I insert my card into a card reader inside TD Canada Trust, it only goes in far enough for the chip to be read.

      When I was in Finland, there were actually two card readers at ATMs, yellow (magstripe) and blue (chip) [1]. That model ensured that chip users could avoid risking their magstripes being cloned.

      [1] https://www.tripadvisor.com/ShowTopic-g189896-i442-k5787631-Cards_with_magnetic_stripes-Finland.html
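
The issuer-side control described in the reply above (declining mag stripe transactions on chip cards, which also covers the "chip fallback" point raised in comment 8), as an added example that is not part of the original post or any bank's code. The entry-mode values are the commonly used ISO 8583 field 22 codes; `Policy`, `decide`, the transaction fields and the sample requests are hypothetical and constructed for illustration.

```python
"""Issuer-side rule: refuse magnetic-stripe reads of cards that carry a chip."""
from dataclasses import dataclass

# ISO 8583 field 22, first two digits: how the terminal read the card number.
# Commonly used values; confirm against your own processor's specification.
PAN_ENTRY_MODES = {
    "01": "manual",
    "02": "magstripe",
    "05": "chip",
    "07": "contactless",
    "80": "fallback",    # chip-capable terminal fell back to the stripe
    "90": "magstripe",   # full, unaltered track read
}
STRIPE_MODES = {"magstripe", "fallback"}


@dataclass(frozen=True)
class Policy:  # hypothetical policy object
    decline_stripe_on_chip_cards: bool = True
    # Terminal countries where stripe reads are still tolerated (service trade-off).
    stripe_allowed_countries: frozenset = frozenset()


def card_has_chip(service_code: str) -> bool:
    """A first service-code digit of 2 or 6 marks a card issued with a chip."""
    return len(service_code) == 3 and service_code[0] in ("2", "6")


def decide(txn: dict, policy: Policy) -> tuple:
    """Return (action, reason); CONTINUE hands over to the remaining checks."""
    mode = PAN_ENTRY_MODES.get(txn["de22"][:2], "unknown")
    if mode == "unknown":
        return ("DECLINE", "unrecognised entry mode")
    if mode not in STRIPE_MODES:
        return ("CONTINUE", f"{mode} entry")
    if not card_has_chip(txn["service_code"]):
        return ("CONTINUE", "stripe-only card")
    if not policy.decline_stripe_on_chip_cards:
        return ("CONTINUE", "stripe read of chip card allowed by policy")
    if txn["terminal_country"] in policy.stripe_allowed_countries:
        return ("CONTINUE", "stripe read of chip card in excepted country")
    return ("DECLINE", f"{mode} read of chip card")


# Constructed sample authorisation requests (not real card data).
SAMPLES = [
    {"id": "chip-read", "de22": "051", "service_code": "201", "terminal_country": "CA"},
    {"id": "stripe-of-chip-card", "de22": "901", "service_code": "201", "terminal_country": "US"},
    {"id": "fallback-of-chip-card", "de22": "801", "service_code": "601", "terminal_country": "ID"},
    {"id": "stripe-only-card", "de22": "901", "service_code": "101", "terminal_country": "US"},
]


def evaluate(policy: Policy) -> dict:
    """Map each sample id to the action the policy takes on it."""
    return {txn["id"]: decide(txn, policy)[0] for txn in SAMPLES}


if __name__ == "__main__":
    strict = Policy()
    # Exception list showing the security-versus-service trade-off.
    lenient = Policy(stripe_allowed_countries=frozenset({"US"}))
    for name, policy in (("strict", strict), ("lenient", lenient)):
        for txn in SAMPLES:
            action, reason = decide(txn, policy)
            print(f"{name:8} {txn['id']:22} {action:9} {reason}")
```
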

  18. I went to my local Safeway grocery store some months ago and was pleased to see security tape on the ATM terminals at each register. It was not holographic tape or stickers that I have seen at some gas stations.

    Within two months I noticed that the tape was broken across the device. Even though I was using a chip I felt a need to check (I pulled and tugged) to see if there was an overlay device. The cashier asked me what I was doing and I explained. The cashier had no idea about skimmers. I pointed out that the purpose of the security sticker was to identify if a skimmer was placed there. Again the cashier had no idea. I asked if store management made any effort to teach the cashiers to check the security sticker on the device at the beginning of shift. The answer was no.

    Kind of defeated the usefulness of having and using the security stickers on the device to indicate any tampering. I looked at all the ATM devices at the cashier stations and they all had broken stickers.

    • Jean-Ralphio Saperstein

      That story legitimately annoyed me. Kudos to them for placing the security tape on the terminals, but shame on them for not educating the employees. That makes no sense to me. “Hello, I’m Dr. Dingbat, roll up your sleeve, I got a massive needle I’m going to shove in your arm.” What’s the sense of doing something if you’re not going to explain why you’re doing it?

      How hard is that to educate them? You have to figure, they have some sort of meeting with their teams, so tell the team leaders and they can relay it to all the employees. Literally takes less than 5 minutes. People wonder why users are often the weakest link in security — there’s a total lack of education or awareness.

  19. I sorta wanted to see what this thing looked like from the outside. How well does it present itself? These photos all show it from the guts side.

  20. So, we can get a pic of the criminal but we can’t get a pic of their license plates? C’mon!!!

  21. The circuit board in the second picture looks very much custom made, almost DIY. That’s interesting in itself as where is the talent coming from that makes the skimmers in the first place. Or is this something that you can purchase on the dark web?

  22. Notsofastmyfraud

    So I have seen the smaller deep insert skimmers, but picture number two I don’t buy it. That card reader is inserted from the inside of the ATM. It is impossible to replace or even solder any electronic components from the outside. The problem today is that banks want to sub their ATM servicing to third party companies at a lower cost to save money. Most of those companies hire inexperienced employees that can’t tell their left hand from their right. Yet the bank puts their trust on these companies to maintain ATM’s above their skill set safe and operational for customer use. That skimmer looks like inside scheme in Hurst TX.

  23. Many ATM’s now have high resolution screens.
    Why don’t they take advantage of these screens and have a picture of that ATM with what it should look like and a warning not to use it if anything in the picture looks different than the ATM being used.
    It *may* help.

  24. I say this every time. You can cover the pin pad all you want. The crooks still have your card data, and now instead of going to the ATM they are headed straight to Walmart to purchase gift cards or other high value merchandise.

  25. Is this sort of skimming possible at contactless terminals?

    In Australia, contactless is pervasive in retail. When withdrawing cash at an ATM I cover the pin pad but realised I never do at contactless terminals…

  26. I could definitely explain what is shown in these images considering I work for an ATM company.

    This particular insert skimmer is made of what appears to be some sort of black plastic/silicon material. I assume to help disguise it from being noticed if a customer were to squat down and look, like, “hey, what seems to be stuck in here?”

    So, the card reader is a dip reader. This is where it pulls the card in and clamps down to read the chip.

    The camera panel (with only seeing the rear side of it and shape) appears to be a black panel overlay that you would typically see on the top right part of a Diebold machine.

    I would love to see what this camera looked like on the machine, to see how really “well blended” it possibly was. Typically cameras are not that NICE and NEAT. Just easily looked past as unsuspected.