January 17, 2011

Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and to steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Also, this seller’s profile showed that he was a longtime member, and had been vouched for as a “verified” vendor. This meant that forum administrators had vetted him by checking his reputation on other fraud forums, and that he’d paid a fee to use its escrow service if any potential buyers insisted.

Anyway, I wasn’t looking to purchase his skimmers, just to check out his wares. I chatted him up on ICQ, and he said he only sold the plastic housings for the skimmer devices, but that he could show me pictures and videos of what some of his customers had done with them. Above is a video of the seller demonstrating how one of his card skimmer housings fits over the mouth of the card slot on a working Diebold Aptiva ATM.

Below are images he sent that demonstrate two very different skimmers made with his housings. The device on the top in the picture below is a flash-based spy camera nested in a beige plastic molding meant to be attached directly above the ATM PIN pad to steal the customer’s personal identification number. The image on the bottom is the skimmer itself. To the right of each are instructions for configuring the skimmer devices and for harvesting the stolen data stored on them.

A hidden camera (top) and ATM card skimmer (bottom), along with instructions for their use.

As part of the instructions to download stolen card data from the card skimmer pictured directly above, buyers are told to install a hardware driver and software program on their Windows PC (both are safe and virus free, trust us!). After that, users are instructed to enter the password “0000” when prompted, but this seller doesn’t include instructions for changing the default password. It’s nice to know that computer crooks make the same flawed security design decisions as many mainstream manufacturers of consumer electronics.

The images below show an all-in-one ATM card skimmer housing that harbors both a card reader and a mini flash-based spy camera (top, with putty). The picture on the right shows the same skimmer from the front (customer/victim facing) view.

Have you seen:

ATM Skimmers That Never Touch the ATM…Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.


36 thoughts on “ATM Skimmers, Up Close”

  1. Manoa Kahuna

    Criminals are dangerous. Please be careful.

    How much do they charge for these things?

  2. xAdmin

    The coloring on the front where the card is inserted looks odd. It’s a weird yellow color and has a bit of a strange shape to it, both of which would definitely throw up red flags for me. Then again, I’ve gotten into a habit of pulling hard on the front of the ATM to ensure it doesn’t have one of these skimmers on it. If anyone wants to question why I’m doing that, I’ll be more than happy to explain it to them. 🙂

    A couple other points, I always try to stick to using the ATM at my local bank branch, which is also located in a very well lit, high traffic area. I also keep a close eye on my account and balance it to the penny. So if there are any suspicious transactions, I can report it to the bank immediately!

    1. pboss

      I’ve seen that yellow thing on local ATMs, it’s supposed to hold a blinking light when you insert your card. It’s advertised as an anti-skimmer attachment, but obviously when the bad guys essentially replace the entire ATM slot, it doesn’t do much good.

      1. xAdmin

        The ATM’s I’m accustomed to have clear plastic and are concave (curved in) around the card reader area. That’s why this skimmer looks odd to me since it looks yellow and has a protruding card insertion point. As to the flashing LED’s around the card reader, typically you can see each individual LED behind the clear plastic, whereas the skimmer you don’t and just see the glow coming from the LED’s in the actual card reader.

      2. J

        What’s impressive is that the yellow tinted, plastic coating is channeling the light from the original slot behind it. It’s a really nice touch. I would be tempted to use my card because I might think, “Who would take the time to make a skimming device light up.” Nice craftsmanship.

        1. xAdmin

          I have the opposite reaction. To me, it looks cheap and unprofessional, not something I would expect on an authentic ATM. It looks like a yellow gel, something that was molded by an amateur. While it does illuminate from the actual card reader LED’s, you can’t see the actual individual LED’s like you typically can on a real card reader. Unfortunately, most people probably won’t notice that detail. 🙁

    2. Jane

      I also try to use the same ATM in the hopes I would notice if something changed.

      However, just trusting the branch’s ATM because it is at the bank rather than a gas station or something doesn’t necessarily work. My workplace’s security team sent out an “alert” last week about skimmers found around town recently — ALL on branch ATMs. And those are just the ones we’ve heard about.

      1. Rabid Howler Monkey

        This is most frightening.

        Here’s an article with more photos of ATM skimmers:

        http://www.lowtechcombat.com/2010/02/atm-card-skimmers-exposed.html

        How can consumers without photographic memory combat this? Especially, those that use multiple ATM machines? Take close-up photographs of the ATM machine(s) you use with your smart-phone (or 7″ tablet). And from that time forward, closely compare the photo with the ATM machine before use.

        And what if banks were to provide up-to-date, close-up photos of each of their ATMs, search-able on the internet? Available for smart-phone (or 7″ tablet) ATM location apps to grab and display the photo for an individual ATM at the user’s request.

        Consumers without smart-phones (or 7″ tablets) can keep the photos, downloaded from their bank’s web site and printed, in their cars or purses for quick access.

        How many of us would recognize that pamphlet holder, hiding a camera, which should not be there? That long strip with the hidden camera covering the top of the screen? Or a slightly different card reader shape, color, etc.?

        Would this work? Or would this just force the miscreants to up their game?

          1. Rabid Howler Monkey

            [Red-faced]

            I admit to not holding the mouse cursor above the sources at the end of the article, two of which link to your site. Kudos to you and your site. But, alas, I have only recently come to appreciate your blog. Here are those links to your site:

            http://www.krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/

            http://www.krebsonsecurity.com/2010/02/atm-skimmers-part-ii/

            Brian, given that humans have good innate pattern-recognition skills, do you think that ATM photos could provide consumers with any substantial protection from skimming?

        1. Ray Butlers

          A limited number of customers could be bothered with this. Further, it would simply provide many more thieves with many more resources to simply improve their skimmers.

          I think you should give the card reader a nice hard tug before using it. If it comes off, you’ve got a skimmer. Thieves really don’t have the time for welding or clamping.

          Most importantly, you are protected by Regulation E. The burden for unauthorized transactions falls on the bank, not on the customer.

    3. Omar

      I also have the habit of pulling/shaking the “dashboard” of ATM, I’m glad I’m not the only one 🙂

      + I always withdraw same amount of money and I always try to pay with my debit card. This way I can easily scan my bank transactions – it should be only same amount of money all the time.

      I wish my bank will send SMS whenever there is any transaction.

      When I was living, I could setup my creditcard company to send SMS whenever there is a transaction.

      Nowadays almost everybody has a cell phone, it would be really really great if all banks and credit card companies provide the option to send SMS for every transaction.

      This way we can detect any illegitimate withdrawals much much earlier – preventing further theft, which eventually benefits the banks as well.

      I don’t understand why banks do not provide SMS notification service, I’m willing to change bank for this service, hey I’m willing to pay for this service.

      ciaomarg

      1. Dead

        When did you stop living? I had to laugh at your comment, as you are writing post-mortem.

  3. dehaul

    Brian, I am curious if you ever worry about your safety after releasing this kind of information to the public?

    It seems like this is dangerous.

      1. Alex

        You can easily be tracked down, Brian. Your overconfidence will let you down someday.

          1. Alex

            What's so good about it, soon Brian will be recognized on all the hacker forums and thrown out on his ear.
            I hope he at least doesn't speak his terrible Russian there and uses an anonymizer. Even so, every newcomer there, especially one asking suspicious questions, is in plain view anyway.

        1. JCitizen

          Hmm! ZDNet has been strangely silent about Dancho, of whom I used to read a lot. However, that forum has become so irritating I dropped my subscription.

          I may have to revisit said reviled site!

          1. Insert Name Here

            I’ve been wondering about Dancho for a long time now. I initially thought he was in trouble since his blog had not been updated (which I checked every day). It now looks like my assumption was correct. I suspect this goes deep with a lot of powerful people involved. Keep very aware Brian.

          2. BrianKrebs Post author

            I checked on the reports of Dancho’s whereabouts last week and heard from a top cyber security investigator in Bulgaria that he had been admitted to a psychiatric facility at the request of his mother.

  4. Moike

    I got a start the other day as I was scanning the ATM area for skimmers, etc, and I caught Cyrillic font on the screen. They proudly advertise that the ATM can now conduct operations in Russian!

  5. EdT.

    Brian – given that default password, it looks like they are using Bluetooth to network the skimmers to the PC/controllers! If this is the case, it probably means the skimmers are continuously looking for a PC to pair to, which is something that can be used against them (or at least to help locate them.)

    Or am I somehow reading this wrong?

    ~EdT.

  6. C Nash

    Hey, the way I see it is you have to go into your bank to withdraw money or otherwise withdraw money at a grocery store while purchasing items … the only place that is safe is a machine which is monitored by a real person.

    1. george

      @ C Nash,

      Unfortunately, this is not completely true, here in Europe there were also cases with skimmers letting themselves be locked in shops after hours to replace POS machines with skimmed ones. In one case I know of (Aug. 2009) they were wildly successful in harvesting thousands of debit card details in a supermarket branch. All customers were fully refunded by their banks (which probably charged in turn the supermarket for the security breach). Still an inconvenient event since reimbursement takes up to 2 months during which you have to ensure there are sufficient funds in your account for the automated payments to go on. In a subsequent attempt, in a different branch of the same supermarket chain someone noticed the PIR sensors were taped over and called police with a canine unit. It took hours of search, during 3 full-sweeps (the dogs were ultimately not useful) but in the end they were able to apprehend an East-European hiding in the dairy products fridge room. I have photos from the dismantling of the skimmed POS, Brian, if you are interested, drop me an email.

  7. SeaBee

    Lots of posts on skimmers recently, and flash attacks. Came across a technology that can read the mag stripes “fingerprint”, and it’s supposed to tell a real card “fingerprint” from a skimmed card’s. FYI — http://www.magneprint.com/

    Brian, does this work??

    1. BrianKrebs Post author

      Yes, it does. And that technology has been around for a while. The problem is that you have this huge install base of card readers, point of sale systems, etc. that also rely on the technology not changing, so that’s kind of a tall barrier to entry for a technology like this, if I’m not mistaken.

      1. SeaBee

        Thanks, Brian. I just thought it was interesting because, if we adopt EMV, it seems the whole system would have to be blown up; whereas with this, readers would have to be upgraded but at least we’d get to use the same cards.

        I know change is good sometimes, but I don’t like change just so some smart card issuers can make a bundle on the overhaul of the system. If it really is all about security — at least skimming — and if this magneprint is effective, it seems cost effective and low impact.

        Anyway, great blog. Keep it up.

  8. Jose NAVARRO

    One of the only things that still defeats these skimmers and their cameras (as long as they do not capture the PIN on a fake keyboard)

    A) Is covering the keyboard as you enter the PIN with your hand.

    B) Place your fingers on other numbers without applying pressure and only press the keys that match your PIN, when you seem to enter 8 numbers, they won’t know which ones are the ones that match your PIN (Make sure that you place your finger on a number that does not match your first PIN number right from the beginning, so the capture of the video recording will not be of any use).

    The other solution, migrate to chip technology and erase the mag stripe of your card with a magnet, so that it only works with the chip, so that even if they place a skimmer on the ATM, they will not be able to capture the mag stripe info.
