A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.
The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).
These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.
Here’s what the other side of that insert skimmer looks like:
The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.
To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.
The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.
Here are some variations on deep insert skimmers NCR found in recent investigations:
The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.
Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:
In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:
The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.
Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.
Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).
For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.
Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.
So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.
Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.
If you enjoyed this story, check out these related posts:
Crooks Go Deep With Deep Insert Skimmers
As always, thank you. Interesting that they go to such thorough design lengths; I infer it’s quite lucrative. Clarification question(s), if you are free to answer: (1) from the photos it looks like this ATM is at a bank. Are you suggesting that only enclosed (interior) ATMs should be used (if possible), and (2) when you say “around” NYC you mean, say, NJ also? Thanks.
PS I have noticed that a number of big box places have removed the little skirt that covered your hand when entering the PIN. Seems a bit strange.
Part of the issue is that those covers are also a prime location for hiding a small camera where you’ll never see it. At least with an ATM having as few concave surfaces as possible, the camera mounting locations are reduced.
As always, you continue to document how so many smart people in the world are intent on using their skills for malicious purposes. I rarely use ATMs at this point, but I’ll definitely take a 2nd look before using the next one.
Don’t think twice at the gas pump though?
I use Costco as much as possible. Tap to pay.
I think three times at a gas station on a road trip. But there are times when you have no choice. The worse part is these gas station have the reader outside. They can do their operation at 4AM.
Gas stations with outside readers that can be skimmed also have a card reader inside which can use a no-contact reader. It is just laziness to not use only the inside contactless reader. Don’t let you gas tank get below 1/4, to avoid the panic of using a risky outside reader which requires fully inserting the credit card. Better yet: switch to a Plugin Hybrid Electric Vehicle or to a fully-electric vehicle and charge at home.
Well, my laziness is because I don’t like to stand in line behind several people waiting to get lotto tickets(which includes coming up with numbers) & all I want is to get a few gallons of gas.
Do you cover your hand on the keypad?
It’s an easy habit to get into really.
We purchased fuel at Costco recently in Davenport, IA. The attendant was walking around and showing everyone and asking for them to use the “touch pay” with CC. They said there was a major increase in CC skimmers in the area. It won’t be long, in my opinion, they’ll skim the wireless method as well.
can’t wait to hear how they’ll defeat the facial recognition pay system coming. 🙂
Always use tap there. Don’t buy froma has station that doesn’t accept tap.
Yes, its amazing the amount of engineering that went into that fraud device.
“Ultra thin”? Is that 1/1000 of a Thin?
No. That would be a milli-thin. Ultra-thin is just an advertising term.
Sneaky bit of kit. You would think they could put a little $10 plastic/rubber hand shield that goes say 6 inches over and around the keypad, open at the front obviously but protected from the inner facia angles of the ATM such that you can only really see into it from the user’s position. Some newer ATM’s have things like that, not a lot. The arms race continues.
Everyone else: Deep State
Krebs: Deep Skim
How strong a magnet is needed to erase the data on the magnetic strip?
It’s not a simple explanation.
kjmagnetics.com/blog.asp?p=magnetic-stripes
Seems like at least this
https://www.kjmagnetics.com/proddetail.asp?prod=D88
If you have an old hard drive and are a little adventurous, those neodymium magnets inside are more than powerful enough to do that – although with any magnet you also are risking damage putting it near the chip in the card.
Use sandpaper
This part quoted confused me so much. “is about half the height of a U.S. dime.” I feel saying, “it is half the THICKNESS of a dime” is much more accurate and easier to follow.
[APPLAUSE] YES!!!
The sps would disable the ATM immediately if one of these were inserted.
Think about it, these guys made so much money they had to invest into newer more sophisticated methods.
I don’t get it at all. I spent 20 years buying and skimming card data. Today if I had your track 2 from your mag stripe and your pin I wouldn’t no what to do with it. The chip stopped all that. Yes today I have a job.
But almost all readers today still have magnetic strip option. The chip only works if its the only method to use. The data on the chip is encrypted, but the mag strip data is plain text and its the same data!
We need to get rid of the mag strip ASAP.
The HSA debit card I has issued a couple of years ago only has a mag stripe. No chip, just mag stripe. It is unconscionable that a company would issue a card like that in this day.
Where I live in Europe, we’ve been using contactless since late 2015, chip for nearly 2 decades and the stripe is still there as a final backup if the other two methods fail to work. The vast majority of people who use credit cards (instead of mobile payment apps) use contactless and then only if that fails use the chip. Both contactless and chip failing to work is extremely rare, I’ve seen it happen like two or three times since contactless was introduced and every time the store clerk has presented it as a fault with the reader.
No, it is not correct. In the EU, introducing cards in the payment terminal only allows wired communication with the card’s chip. The magnetic band in EU-issued cards is no longer a failsafe method, it is only valid to process transactions with vendors in countries outside the EU that do not require the payment terminal to have a wired or wireless chip reader. The band reader you see in EU payment terminals can not process EU-issued cards, it is only valid to process cards issued in third countries that allow the use of the magnetic bands to process transactions.
You never had a job, you POS thief. You mom raised garbage.
I wonder if the skimmer scanner app can detect these types of skimmers.
I think they detect Bluetooth signals.
Can be useful for some skimmers that are powered by hard wire. These ultra thin skimmers seem to battery powered, which wouldn’t work for very long if it needs to transmit a lot. My guess is that these skimmers just record and don’t transmit. The thief will come back and retrieve.
You say, “cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.” Is there a difference with cards issued in Canada and other countries
Yes, the US is the only big country that still relies on magstripe. Everywhere else the chip is used. EMV chip-based transactions keep essential information on the chip without it being accessible so you cannot clone the chip.
The problem is that cards still have the mag strip as a backup.
I am one of those ATM front panel parts tugger’s
There is an easy solution… set the Card up as EMV only! The rest of the world no longer issues cards that will produce cash based on magstrip plus PIN.
No money = no problem. The only residual risk is a little CNP.
I think that since this can cause people financial ruin and life destruction I think anyone caught with a skimmer or installing one should have a mandatory life sentence in prison. This is ridiculous that they somewhat get a slap on the wrist and get out and keep doing it.
im the guy that pulls on all sides and edges of an ATM before i use it, and cup my hand over the pin pad while entering.
then i go to gas station and next thing you know i get the cal from bank asking if i bought an xbox game in mexico city
Username checks out.
Somnambulism. Check your xbox tray.
These thieves need to have their hands chopped off.
100% agree.
The Maryland Emissions testing places still use card readers with swipe only capabilities. A STATE facility in 2022!
Pretty sure Maryland contracts out to 3rd parties for emission testing stations. The mechanics there are not state employees. They are merely given access to a state run portal, but payment processing to include the card readers are purchased and operated by the 3rd party shop.
Suppose I’m willing to forgo small business use. Wouldn’t wiping the magnetic strip with a strong magnet corrupt the data sufficiently yet leave the chip usable?
“These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.”
We are truly “third world” in more ways than one.
Rats will always be found in areas where cheese is available. Three major problems with merchant transactions have not evolved with the times. Account numbers and security cord are printed directly on the card, and it features a magnetic strip and a 4-digit PIN. While this technology improves, criminals will need only a covert camera to get your credit card details as you fill up. I agree that using a wireless transaction like Apple Pay, where the token is only used once, is much better than using a traditional payment method.
The industry has set a date for getting rid of the magnetic stripe but it is a difficult problem. They tell me that there are legacy apps and devices all over the world that rely upon it. In the meantime prefer uses that do not require the card to leave your hand. This includes contactless cards and more. Many Bank of America ATMs allow, not only contactless cards, but also cardless withdrawals using a phone or watch for authentication. In Europe, and in a limited number of restaurants in the US, a wireless point of sale device is brought to the table so that the card does not have to be surrendered to the waiter. In a few efficient restaurants, one’s check comes with a QR tag. Scanning the tag with one’s phone allows one to see a detail of one’s bill and pay it, with tip, automatically. The war will continue but with a minimum of inconvenience one can watch from the sidelines.
If you eliminate the stripe on cards, the industries will adapt. It may not be pretty, people and businesses may bitch, but in the interest of making money adaption would occur rapidly.
Look at California with their emissions reductions / now no gas powered cars… With the worlds 5th largest economy forcing this, car makers are ramping up electrics and charging stations. Again, you may not like it – that’s another discussion but it’s going to happen faster because of the action.
The little mom and pops that make up a big fraction would be overnight screwed.
I’m always surprised that the US never enforced EMV only cards. Usually they’re much faster with new technology, but on this case it’s like a dinosaur. Do shops have so long contracts with the old card terminals, or why are they so hesitant to upgrade the terminals to new ones? Here in Germany most cards don’t have a magnetic stripe since years, and the EMV chip gets used since a very long time. And that in a country where many people still prefer to use cash.
I’m surprised that the US is so slow on this one specific issue.
This continues to be a huge problem. I don’t drive, so I don’t have to deal with gas stations, but I do know a number of people who have swiped their cards and later got hit with fraudulent charges and even withdrawals. Stand-alone ATM I tend to not go near, but you never know when you might need to use one in a pinch. The funny (not) thing is when I pulled up the google bar at the bottom of the screen, there was a link to a skimming site to buy them! Blatant out in the open.
Google would sell ad space to the devil himself. A completely avaricious and ambitious international corporation with no class or soul.
Remember that when you put their live cameras and microphones in your home.
Good article, thanks for the info BK.
“But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.”
Never been mugged, but I’ve been skimmed twice and now no longer use anything that isn’t touchless for payment.
Tell us more.
Often wondered why wires aren’t imbedded in and around the facia and used to determine the characteristic magnetic field, so if anything with metal in it is attached it will be detected and lock up the ATM… yes, will take some engineering, but not impossible to do. if the engineers behind are smart enough, they would code the analysis into a DSP, so they can upgrade its effectiveness without needing to change the hardware – game over I think…
EM would probably false trigger quite a bit and not be worth it. It’s not impossible but you’d likely have to send out a tech every time to really get to the bottom of that (or it’s sort of wasted as an alarm, perhaps allows DDOS also) and it’d turn out to be someone’s e-watch or something 99.99% of the time. I don’t think you’d want it to auto-lock on that all by itself, maybe just go to a secondary state. But not a bad thought for more sensors doing baseline environment monitoring and maybe using machine learning to hone the trip state with a few different measures combined. The problem is these ATMs are relatively so cheap. The better ATMs that cost more and have more going on would tend to be in more physically secure and patrolled places, complementary cameras and eyeballs. You’d have a tough time selling them unless your version could reliably get the humans all the way out of the loop. I think that’s right on the edge of possible and would be… expensive. Replacing the glaring reverse-compat flaw in our current US stripeauth system would render a lot of this moot in a similar amount of time and effort I’d think. Until they hack the chips somehow.
Is it possible to tape over or cover the mag stripe, since my bank’s ATM should be using the chip?
You can. I recommend foil tape (what HVAC techs use on duct work). The metal in the tape is needed interfere with magnetic data. Or, if you don’t care about ruining the mag strip permanently… a bit of sandpaper.
this is why cash is king and will continue to remain so.
Plastic is a PITA.
Umm what? Cash is the most insecure and painful payment method other than bartering. The whole premise of this article is that people who are trying to get cash are vulnerable. I’ve been almost entirely cashless since 1990 and have never had had any major issues. Nowadays I’m probably 90% remote on my purchases – I rarely even use a physical card when I’m in a store. Solves a lot of logistical, accounting and physical security issues too.
Umm what? Cash is the most insecure and painful payment method other than bartering. The whole premise of this article is that people who are trying to get cash are vulnerable. I’ve been almost entirely cashless since 1990 and have never had had any major issues. Nowadays I’m probably 90% remote on my purchases – I rarely even use a physical card when I’m in a store. Solves a lot of logistical, accounting and physical security issues too.
another example of why cash rules $$$
I you get paid in cash maybe. If you get paid by check or direct deposit, you either must visit a branch and withdraw during bank hours or visit the ATM. Paying for gas with cash has its own dangers too.
In order to protect myself from this attack, I erased my card’s magnetic stripe using a strong magnet. Quite successfully it seems, since now most ATMs wont accept my card because they try to read the start of the strip before opening the card slot.
That may have been in an attempt to prevent the insertion of skimmers.