Posts Tagged: atm skimmer


11
Aug 15

Chip Card ATM ‘Shimmer’ Found in Mexico

Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.

The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.

This card 'shimming' device is made to read chip-enabled cards and can be inserted directly into the ATM's card acceptance slot.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The chip reading component includes the eight gold rectangular leads seen on the right side of this device; the electronics that power the data storage on the shimmer can be seen in black at the top of the image.

According to information from Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). The device is inserted from the outside of the ATM and no access is required to the ATM internals. Damage Control, which disseminated the information via a service called CrimeDex, didn’t say whether this shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay.

Here’s a look at what this thing looks like while it’s sitting inside a compromised ATM’s reader (notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader): Continue reading →


22
Jul 15

Spike in ATM Skimming in Mexico?

Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

On Saturday, July 18, 2015, municipal police in Puerto Vallara arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim’s ATM card PIN.

Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?

hyosung-frontatm
The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:

The backside of the false fascia shows the location of the hidden camera.

The backside of the false fascia shows the location of the hidden camera.

The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Continue reading →


20
Oct 14

Spike in Malware Attacks on Aging ATMs

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR. To learn more about how these attacks are impacting banks and the ATM makers, I reached out to Owen Wild, NCR’s global marketing director, security compliance solutions.

Wild said ATM malware is here to stay and is on the rise.

ncrmalware

BK: I have to say that if I’m a thief, injecting malware to jackpot an ATM is pretty money. What do you make of reports that these ATM malware thieves in Malaysia were all knocking over NCR machines?

OW: The trend toward these new forms of software-based attacks is occurring industry-wide. It’s occurring on ATMs from every manufacturer, multiple model lines, and is not something that is endemic to NCR systems. In this particular situation for the [Malaysian] customer that was impacted, it happened to be an attack on a Persona series of NCR ATMs. These are older models. We introduced a new product line for new orders seven years ago, so the newest Persona is seven years old.

BK: How many of your customers are still using this older model?

OW: Probably about half the install base is still on Personas.

BK: Wow. So, what are some of the common trends or weaknesses that fraudsters are exploiting that let them plant malware on these machines? I read somewhere that the crooks were able to insert CDs and USB sticks in the ATMs to upload the malware, and they were able to do this by peeling off the top of the ATMs or by drilling into the facade in front of the ATM. CD-ROM and USB drive bays seem like extraordinarily insecure features to have available on any customer-accessible portions of an ATM.

OW: What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.

BK: Unattended….meaning they’re not inside of a bank or part of a structure, but stand-alone systems off by themselves.

OW: Correct.

BK: It seems like the other big factor with ATM-based malware is that so many of these cash machines are still running Windows XP, no?

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

OW: Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play. Continue reading →


21
Aug 14

Stealthy, Razor Thin ATM Insert Skimmers

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.

A side view of the stainless steel insert skimmer pulled from a European ATM.

“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”

Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):

The backside of the insert skimmer reveals a tiny battery and a small data storage device (far left).

The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.

insert-frontside

Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard. Continue reading →


30
May 14

Thieves Planted Malware to Hack ATMs

A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.

Two men arrested in Macau for allegedly planting malware on local ATMs.

Two men arrested in Macau for allegedly planting malware on local ATMs (shown with equipment reportedly seized from their hotel room).

Authorities in Macau — a Chinese territory approximately 40 miles west of Hong Kong — this week announced the arrest of two Ukrainian men accused of participating in a skimming ring that stole approximately $100,000 from at least seven ATMs. Local police said the men used a device that was connected to a small laptop, and inserted the device into the card acceptance slot on the ATMs.

Armed with this toolset, the authorities said, the men were able to install malware capable of siphoning the customer’s card data and PINs. The device appears to be a rigid green circuit board that is approximately four or five times the length of an ATM card.

According to local press reports (and supplemented by an interview with an employee at one of the local banks who asked not to be named), the insertion of the circuit board caused the software running on the ATMs to crash, temporarily leaving the cash machine with a black, empty screen. The thieves would then remove the device. Soon after, the machine would restart, and begin recording the card and PINs entered by customers who used the compromised machines.

The Macau government alleges that the accused would return a few days after infecting the ATMs to collect the stolen card numbers and PINs. To do this, the thieves would reinsert the specialized chip card to retrieve the purloined data, and then a separate chip card to destroy evidence of the malware. Here’s a look at the devices that Macau authorities say the accused used to insert the malware into ATMs (I’m working on getting clearer photos of this hardware):

Five of the devices Macau police say the thieves used to insert the malware and retrieve stolen data.

Five of the devices Macau police say the thieves used to insert the malware and retrieve stolen data.

Continue reading →


18
Dec 13

The Biggest Skimmers of All: Fake ATMs

This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

On Saturday, Nov. 23, a customer at a Bank of Brazil branch in Curitiba, Brazil approached the cash machine pictured below, dipped his ATM card in the machine’s slot, and entered his PIN, hoping to get a printed statement of his bank balance.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

When the transaction failed, the customer became suspicious and discovered that this ATM wasn’t a cash machine at all, but a complete fake designed to be seated directly on top of the real cash machine. Here’s what the legitimate ATM that was underneath looked like.

The real ATM.

The real ATM underneath.

When the cops arrived, they pulled the fake ATM off the real cash machine. Here is the fake ATM, set down on the floor.

FakeATMfloor

Continue reading →


3
Dec 13

Simple But Effective Point-of-Sale Skimmer

Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.

In scams, as with most things in life, there is a certain elegance in simplicity. This is doubly true with ATM and credit card skimmer scams: The more components and electronics involved, the greater the chance that the fraud devices will malfunction, lose juice, or else be detected too quickly. In fact, some of the most elegant skimming attacks I’ve seen to date never even touched the cash machine, and relied on very basic components.

Recently, I encountered a fraudster selling a remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye. This video, which was produced by a fraudster who sells these devices for thousands of dollars on semi-private underground forums, shows a late-model Verifone point-of-sale device retrofitted with a skimmer overlay. The underside of the device (not pictured) includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card.

Such a device would be an enticing buy for a crooked employee at a retail store. It might even be installed surreptitiously by thieves posing as customers at a retail establishment. Last month, this blog featured a story about several fraudsters in Florida who did just that, installing hardware-based register skimmers at Nordstrom department stores while co-conspirators distracted sales personnel.

For more on ATM and POS skimmers, check out my series: All About Skimmers.


16
Jul 13

Getting Skimpy With ATM Skimmers

Cybercrooks can be notoriously cheap, considering how much they typically get for nothing. I’m reminded of this when I occasionally stumble upon underground forum members trying to  sell a used ATM skimmer: Very often, the sales thread devolves into a flame war over whether the fully-assembled ATM skimmer is really worth more than the sum of its parts.

Card skimmer device made for Wincor/Nixdorf ATMs

Card skimmer device made for Wincor/Nixdorf ATMs

Such was the fate of an audio-based ATM skimmer put up for sale recently on a private crime forum. The seller, a Ukrainian, was trying to offload a relatively pro-grade skimmer powered by parts cannibalized from an MP3 player and a small spy camera. The seller set the price at $2,450, but made the mistake of describing the device’s various parts, all of which can be purchased inexpensively from a variety of online retailers.

For example, he told forum members that the main component in the card skimmer as an MSR-605, which is a handheld magnetic stripe reader of the sort that you might find attached to a cash register/point-of-sale machine at a retail clothing store, for example.

This ubiquitous device can be had for approximately $200 at a number of places online, including Newegg.com and Amazon.com. The seller went on to describe the inexpensive flash storage drive that was incorporated in his device, and the modified tiny video camera that was hidden on the underside of a fake fascia designed to be affixed to the top of the ATM and record victims entering their PINs.

This tiny spy camera powers the fake ATM fascia that records victims entering their PINs.

This tiny spy camera powers the fake ATM fascia that records victims entering their PINs.

The image below shows the fake fascia as it appears from the side meant to be pointed toward the PIN pad. IMG_1871

Continue reading →


24
Apr 13

How Not to Install an ATM Skimmer

Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.

Nashville police released a series of still photos (which I made into a slideshow, below) that show a man attaching a card skimming device to a local ATM, and then affixing a false panel above the PIN pad that includes a tiny video camera to record victims entering their PINs. According to Nashville NBC affiliate WSMV.com, this scammer’s scheme didn’t work as planned: The card skimmer overlay came off of the ATM in the hands of the first customer who tried to use it.

As you can see in the image montage, the first would-be victim arrives less than seven minutes after the thief installs the skimmer. The story doesn’t state this, but the customer who accidentally pulled the card skimmer off of the ATM actually drove off with the device. Interestingly, the fraudster returns a few minutes later to salvage what’s left of his kit (and perhaps his pride).

As lame as this ATM skimming attempt was, a few aspects of this crime are worth highlighting because they show up repeatedly in skimming attacks. One is that the vast majority of skimming devices are installed on Saturdays and Sundays, when the crooks know the banks will be closed for at least a day. As a result, you have a much higher chance of encountering a skimmer if you regularly use ATMs on a weekend.

Second, the thieves who install these fraud devices very often are lurking somewhere nearby — to better keep an eye on their investments. If you ever happen to discover a skimming device attached to an ATM, just remember that while walking or driving off with the thing might seem like a good idea at the time, the miscreant who put it there may be watching or following you as you depart the ATM area.

Once or twice a month I am interviewed by various news outlets about ATM skimming attacks, and I’m nearly always asked for recent figures on the incident and cost of these crimes. Those stats are hard to come by; I believe the last time the U.S. Secret Service released figures about the crime, it estimated that annual losses from ATM fraud totaled about $1 billion, but that was for 2008.

Source: Verizon

Source: Verizon

Today’s figures are almost certainly higher. On Tuesday, Verizon Enterprise Solutions released its annual data breach investigations report, a deep dive into more than 620 data breaches from the past year. Interestingly, this year’s report shows that of the Top 20 Threat Actions the company tracked across all of the breaches from 2012, physical tampering was the most frequent cause — present in more than 30 percent of all incidents detailed in the report.

“Physical tampering is our way of categorizing the installation of a skimming device, and that was the number one threat action out of everything we looked at,” said Wade Baker, managing principal of RISK intelligence at Verizon. “If you look at the last two [Verizon annual] reports, a large majority of the data set was the point-of-sale intrusions at small organizations such as retail establishments and restaurants, and those are actually a much smaller portion of our data set this time.”

Continue reading →


28
Mar 13

Cash Claws, Fake Fascias & Tampered Tickets

Credit and debit card skimmers aren’t just for ATMs anymore. According to European anti-fraud experts, innovative skimming devices are turning up on everything from train ticket kiosks to parking meters and a host of other unattended payment terminals.

Recently, at least five countries reported skimming attacks against railway or transport ticket machines, according to the European ATM Security Team (EAST), a not-for-profit organization that collects data on skimming attacks.  Two countries reported skimming attacks at parking machines, and three countries had skimming incidents involving point-of-sale terminals. EAST notes that Bluetooth devices increasingly are being used to transit stolen card and PIN data wirelessly.

Skimming devices found at train ticket kiosks in Europe. Source: EAST

Skimming devices found at train ticket kiosks in Europe. Source: EAST

The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.

Continue reading →