September 14, 2022

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Here are some variations on deep insert skimmers NCR found in recent investigations:

Image: NCR.

Image: NCR

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

If you enjoyed this story, check out these related posts:

Crooks Go Deep With Deep Insert Skimmers

Dumping Data from Deep Insert Skimmers

How Cyber Sleuths Cracked an ATM Shimmer Gang


127 thoughts on “Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

  1. Charles Wolf

    Instead of all this machine retrofitting nonsense, I suggest the card companies stop storing plaintext on the mag strip.

    Reply
    1. Jay Doubleu

      That would take initive oh, and a desire to stop being a POS thief that’s got no empathy or any future.

      Reply
  2. Miss Lady

    I’m glad I can use apple pay at my chase ATM and a PIN code at my PNC ATM. No need for debit cards. They stay in the safe. I use a credit card or cash only when I’m shopping.

    Reply
    1. Khurt Williams

      Same. I use the ATM inside the bank to get cash and all other transactions are Apple Pay or Apple Card (no information printed on the card) with chip. I just with that US retailer would support chip and pin.

      Reply
    1. JamminJ

      It’s still safer for now. There’s a two-way encrypted communication going on with chip/pin or tap/pay, that prevents simple replay or reuse of card data.

      Magnetic stripe data is clear text and easy to reuse. Pretty much the equivalent of the old imprint the card number on carbon paper.

      Reply
  3. Vincent M

    Here’s a thought, put high reas cameras where the ATM’s are and outside on the street too. Take clear pictures of who is compromising these machines and put them in jail for a very long time. Yes, I am aware that this is not cheap, but it beats spending billions on fraud.

    Reply
    1. Alfonso Barreno Betancort

      Better avoid the cause, ban the use of use unsecured cards, make banks issue secured contactless cards, and stop putting people in jail, we pay from our taxes your suggested long stays incarcerated.

      Reply
      1. Reed Thompson

        Criminals, by definition, do not obey laws… What makes you think these criminals won’t go to other lengths to steal from people? I say we bring back the chain gangs… Tough sentences… Enough of this woke nonsense about not putting criminals in jail and cash free bail.

        Reply
        1. Deterrance doesn't work

          “Banning the use of unsecured cards” doesn’t require criminals to obey.
          Crime is made up of Means, Motive and Opportunity. Since this is financial crime, Motive will always be there, regardless of the punishment if they are caught. Opportunity is very high in the US because so many people have insecure credit cards with static data sitting in clear text on a mag strip. They may try to adapt and go through “other lengths”, but its much harder to steal at such scale as card skimming.

          Take away one of the legs of the 3 leg stool, it falls. Take away the “crime of opportunity”, and crime rates fall.

          Its time to admit that the “War on ….”, “tough on crime”, increase punishment theory has failed.
          Criminals don’t really care how tough prison is, they harder you make prison the more they brag about living that hard life. Deterrence only goes so far. Law abiding citizens can be deterred by prison, but by definition, a criminal doesn’t much care.

          Reply
          1. Deb Engelke

            While I respect your stand, I disagree. Things are different in this country where the punishment is often seen as worth the risk of committing the crime. Elsewhere in the world, I suspect thieves find it harder to steal when they have no hands, and murderers will think twice if they consider retribution will come at the hands of the family of the slain. Just saying. I agree society needs/must move in the direction of mercy and tolerance you hope for, but society will only ever be as good as the lowest common denominator among us. That is the reality of human nature. Criminals do what they believe they can get away with. Change that, and you change the future of humanity.

            Reply
            1. Deterrence doesn't work

              Go visit other places in the world. It’s not intuitively simple as you suggest.
              It’s not that criminals think the punishment is too weak, it’s that they don’t think about punishment at all. Criminals don’t even know what the likely punishments could be until after they are caught and their lawyers start talking about plea deals.
              They think they simply won’t get caught, and thus won’t face any punishment. That’s why increasing punishment has not worked in this country, nor other countries.
              Theft doesn’t go away by taking hands. That is a medieval approach that didn’t have the intuitive effect that kings thought they would. It didn’t work centuries ago, and it won’t work today.

              Most law abiding citizens cannot fathom the mind of a criminal. They somehow think they are rational, calculating people who will do the math of risk vs. reward. That’s not how the criminal mind works. Most murders are not premeditated, and even the ones that are, aren’t planning to get caught and face punishment.

              Yes, criminals will do what they can “get away with”. And “get away” means facing no punishment at all. Not a slap on the wrist, not an amputation at the wrist. Punishment doesn’t impact their decision because they think they will, “get away”.

              Reply
              1. Here-there

                The above person has the in’s and isn’t concerned at all….. must be a lifer many times in & out (not talking about the hamburger “joint”)

                Reply
        2. Bruce Karaus

          Because “tough” sentences never worked. Were they tougher in the 20’s, 30’s, 40’s and beyond when chain gangs were common? Decades with some of the greatest, most widespread and violent gangs and gangsters made headlines and history. You also have to rely on the integrity of law enforce and the judicial system both of which have proven to be rife with racism, political intrigue and violence. If you need money for your family, food, medicine , housing are “tough” sentences going to stop you?

          Reply
        3. Brian G

          When criminals are locked up for a long time, crime rates drop. Levitt and Dubner are economic researchers wrote the Freakonomics books which addressed this subject in some of the chapters. My first sentence is simple and obvious. It is backed up by their research. The following comment is directed at those who put emotional evaluation over logoc : Yes, there are wonderful people who are sometimes unjustly locked up but I’m not addressing anomalies and exceptions. Anomalies are a different subject from what I’m addressing now. In general, lock up the criminals and crime rates will drop. B

          Reply
          1. Deterrence different than Prevention

            Longer sentences aren’t the same thing as crueller, harsher punishment. Longer sentences can reduce crime rates by preventing existing criminals from doing it again.
            But what people here are arguing for, are for punishment to be harder, as a form of deterrence against “other” criminals. And deterrence has generally failed.

            Reply
              1. Deterrence doesn't work

                Exactly. One of the big problems with the US criminal justice system is that they have arbitrary measures of success, like “crime went down” when X percent of the entire population was incarcerated.
                The prison industrial complex is corrupt with this nonsense.
                The US has the highest incarceration rates in the world. A big part of that reason is the war on drugs. Making something that will always be in demand illegal then enforcing with prison time, will lead to this state of perpetually high incarceration.
                During prohibition, the average person in America was a criminal. Even today, other illegal drugs makes millions of people into criminals. Now, incarceration rates can be whatever they deem it to be based on how much they want to arrest people.
                So when you talk about “crime rates”… if we might want to exclude “crimes” that will probably not be a crime in another 10-20 years. Then that eliminates nearly have the prison population.

                Reply
    2. ragey

      you’d have to do this with every ATM, hope they aren’t wearing masks and would still lose billions to fraud and most likely still not catch most fraudsters as well.

      Reply
  4. Vincent M

    Here’s a thought, put high reas cameras where the ATM’s are and outside on the street too. Take clear pictures of who is compromising these machines and put them in jail for a very long time. Yes, I am aware that this is not cheap, but it beats spending billions on fraud.

    Reply
  5. Sal

    I’m thinking I’ll tape over my mag stripe. Haven’t swiped in a long time – either chip or tap nowadays.

    Reply
          1. partyboy@noatmcard.doh

            There’s no chance of tape causing problems.
            I was just trolling, tape yourself secure.

            Reply
          2. Deb Engelke

            Totally agree. Thieves find it harder to steal when they have no hands. Just saying. Criminals do what they believe they can get away with.

            Reply
            1. mealy

              How many hands have you ever cut off fool? Stop talking like that.
              As if anyone over 80 psi would believe it.

              Reply
    1. Scrappy

      Or you could just scramble the mag stripe with a magnetic field. If a machine can’t read it at a mom & pop store, they’ll just type the number in by hand.

      Reply
  6. Noah Guy

    The folks who make these things could probably get very decent legit jobs. Maybe this is being done by state actors or Martin Skrewly.

    Reply
  7. Sean

    These thieves are getting real cheeky with the way they do theft. Hopefully we will have better security processes in place that will deter these criminals from stealing peoples ATM pins.

    Reply
  8. Alfonso Barreno Betancort

    For almost a decade in Europe, the old world, due to EU-wide payment industry regulation, the usage of credit cards’ magnetic strips has been phased out. Every card has a proximity chip that uses encryption to communicate bi-directionally with the vendor terminal or ATM, cards are no longer introduced or swiped but waived at the RFID transceiver and the holder has to key in his pin to finally authorize the transaction. Lately, a couple of years ago, banks have started issuing cards without any visible information about the credit card number, expiration date, and holder on the plastic.

    It is time, for the modern world, to settle their payment industry into phasing out magnetic bands in credit cards.

    Reply
    1. Andreas Saurwein

      So much for the theory. in practice most shops still have and use stripe equiped readers and pretty much all cards I got in the last 5 years have a magnetic strip here in EU.

      Reply
  9. Damon Guinn

    Each card can have a unique stencil embroidered on it’s face plus the strip. Too much too copy unless the reader snaps a whole card picture.

    Reply
    1. Randy

      What would be the point? The store’s point of sale card reader also would not read that unique stencil, and so it won’t have any part in authorizing a transaction.

      Reply
  10. Rene

    Why they dont start using face recognition for ba ks and commercial transactions,may as well usee for something beside what they are using it now. Hell this will beat all the billions they spend on fraud, security camera,security personal, imagine the possibilities. Each transactions have to match your fCe and the chip and gps on you debit or credit card ,pretty sure this will dent to those criminial

    Reply
  11. Rick

    Contactless ATMs which use a one-time token for each event are the way to go. Contact based chip and PIN is over 30 years old technology. There is no need to insert a card (or phone) into an ATM, because all withdrawal attempts are authorized at card issuer/bank level. Put the skimmers out of business by updating all ATMs to contactless only, as is taking place in some European countries. Globally card fraud has been falling dramatically, mainly due to the need for a PIN, the obligatory requirement for multi-factor authentication for online shopping in the EU, and replacing the physical contact chip with a contactless termination mode using one time tokens (contactless + PIN for transactions over EUR 50 approx).

    Reply
  12. IOT Phil

    Surely the number of people using ATMs must be dropping. I can’t recall the last time I withdrew cash for anything. But maybe that’s not the case in the USA.

    To be fair, I live in Canada where things are pretty cashless and virtually nobody swipes anything anyway.

    Reply
  13. by Dr. Kimberly A. McKenzie-Klemm

    Scary! I watched a car in front of me in Greenville, SC steal from an ATM, and screw the pad up for any more users so that “bank errors” would report the theft differently and I was so ticked off. By the time I knew what was going on (they kept withdrawing entry after entry), they were standing point to cover their license plate and waited on me to pull out before leaving. I came back to check the ATM later as it was the only one close to me. It seems ATMs are always vulnerable to different types of theft. One day someone will make a super ATM not vulnerable to such uses, but it will cost a pretty penny to fix all of the time!

    Reply
  14. George O'Brien

    People who steal from other people should be hung. I’m not kidding! It’s so hard to make ends meet and to have someone intentionally steal your money is beyond terrible.

    Reply
    1. Hyperbole

      And people who advocate the death penalty for non-violent crimes should join them.

      Reply
      1. David Travis

        As long as the democrats are in charge they will just walk. No bail allows the crooks to be back on the street before the cops are done writing up the incident. Many of these crooks are right back committing crimes as soon as they get released. Vote democrat and you will get no bail arrests, minimum sentences for crimes IF they ever show up for court and defunded police departments. YES!!!! It matters who you elect.

        Reply
  15. David Travis

    As long as the democrats are in charge they will just walk. No bail allows the crooks to be back on the street before the cops are done writing up the incident. Many of these crooks are right back committing crimes as soon as they get released. Vote democrat and you will get no bail arrests, minimum sentences for crimes IF they ever show up for court and defunded police departments. YES!!!! It matters who you elect.

    Reply
  16. James

    My cards all have a security step involved. It can’t be used without me texting with the company. It’s a hassle, I suppose, but i don’t use cards much. Any money I need to use is transferred to a gift card, and only for the amount I need. So even if they get the card number and pin, only 5 bucks or so will be left on the card. And I will know if anybody tried to hit it.

    Reply
  17. Ray

    In our area debit cards are more vulnerable then credit cards. Merchants need to be held more responsible when fraud is found as they choose who to do business with. Cheap overseas processors are have the blame but this is another problem.
    I’ve never had atm machine theft.

    Reply
  18. John Simmons

    I appreciate the tips on helping to prevent the theft of card pin numbers. One answer to this is not to use the cards at all. Use cash whenever possible and avoid the use of the cards except as noted in the article at an ATM at a bank or other more secure area. Then address the cash itself. In America we are forced to use Federal Reserve notes.
    Then there is other important information to know. Even though criminals attempt to steal our information and what we think is our money the banks defraud us every day that these corporations claim to have made a loan. No bank in America makes loans that is connected with the Federal Reserve and all are in America. These corporations all also use Federal Reserve notes that are not lawful money in the first place. Our best option is to force the banks to recognize and acknowledge this. Title 12 section 411 explains this that all Federal Reserve notes can be redeemed for lawful money. And as consumers do all we can to protect what little we do have as the article gives us information about.

    Reply
  19. Worst Idea Ever

    “One answer to this is not to use the cards at all. Use cash whenever possible”

    Cash has way more problems. Going backwards is not a solution.
    Getting mugged for cash is a much more dangerous issue than getting a credit card skimmed. You can be killed if the thief is a bit antsy.
    Credit cards take away so much human error from cash transactions. Dealing with cash inevitably results in a certain percentage of getting the wrong change. Crooked people behind counters, teenagers handling cash at super fast pace, etc., will often short change you and then you have to fight with them.

    And what the hell are you ranting about? All US currency (cash) is the same thing as a Federal Reserve Note. It says it right on every bill.

    Reply
  20. MOVINGTARGET

    Most ATM’s have Security Cameras, so when the Bad Guy installs the Skimming Device, why don’t they see who he is, or that he has installed these devices…

    Reply
    1. mealy

      Human eyeballs on top of AI would have to be reviewing every single moment in something approaching realtime and even then, there would be successful plants for some length of time. Only after these are discovered do they even go back and look, usually a number of days weeks or months later. They may catch enough identifying footage but it’s well after the fact. Mules may be used with no obvious trace back to the actual operator. They pick their targets and have specialized hardware for them, some of these gangs are pretty sophisticated as the kit might imply. Still, sometimes through all the lucky coincidences and hard work that just happen to line up “enough” they do get caught, profiled, investigated, surveiled, prosecuted. But compared to bank heist clearance rates skimmers are night and day safer for the criminals. Picking the target is probably the difference between success and failure more than anything else.

      Reply
  21. Khurt Williams

    I think we have a solution to reducing most of the risks.

    Banks could issue cards with chips only, with no text on the card except for the name of the card holder and issuing bank/banking network and the remove the magnetic stripe from all newly issued cards. The payment networks could require ALL retailers to support chip and PIN for all transactions over $50.

    Reply

Leave a Reply

Your email address will not be published.