Posts Tagged: wiretapping skimmers

Dec 14

More on Wiretapping ATM Skimmers

Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

Not long after that post went live, I heard from the folks at NCR, one of the world’s largest cash machine manufacturers. NCR had put out a bulletin on the emergence of this very threat in Sept. 2014, saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5887 models.

As I noted in my original story, the attackers use a plastic decal to cover up the hole, but NCR’s photos of one ATM compromised by this method offer a better look at what’s going on here. Take a look at the size of that hole:

A hole left by crooks who added "wiretapping" or "eavesdropping" theft devices to a compromised ATM.

A hole left by crooks who added “wiretapping” or “eavesdropping” theft devices to a compromised ATM. Image: NCR.

“In this attack, the ATM fascia is penetrated close to the card reader to create a hole large enough for the attacker to reach inside the ATM and place a tap directly onto the card reader in order to skim card data as it is read by the ATM,” NCR said in an advisory it produced on the increasingly common attacks.

According to NCR, the emergence of this type of skimming attack is a response to the widespread availability of third party anti-skimming technology which is successful at preventing the operation of a traditional skimmer, placed on the outside of the ATM.

“Card reader eavesdropping skimmers are placed in a location that third party anti-skimming technology necessarily cannot protect, since the ATM must be capable of reading the card,” the advisory notes. “This [technique] has previously been seen in Ireland and the Netherlands, and can be expected to grow as traditional skimming is prevented.”

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

If the idea of ATM bandits taking a blowtorch to the cash machine sounds extreme, at least they’re not trying to blow the ATM to smithereens. According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise. Continue reading →

Nov 14

Skimmer Innovation: ‘Wiretapping’ ATMs

Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries, financial institutions in two countries recently reported ATM attacks in which the card data was compromised internally by “wire-tapping” or “eavesdropping” on the customer transaction. The image below shows some criminal equipment used to perpetrate these eavesdropping attacks.

Equipment used by crooks to conduct "eavesdropping" or "wiretapping" attacks on ATMs.

Equipment used by crooks to conduct “eavesdropping” or “wiretapping” attacks on ATMs. Source: EAST.

“The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
[pictured, bottom right].

Pictured above are what appear to be wires that are fed into the machine with some custom-made rods. It looks like the data is collected by removing the decal, fishing out the wire attached to the ATM’s card reader, and connecting it to a handheld data storage device.

I sought clarification from EAST about how the device works. Most skimmers are card slot overlay devices that work by using a built-in component which reads the account data off of the magnetic stripe when the customer inserts the card. But Lachlan Gunn, EAST’s executive director, suggested that this device intercepts the card data from the legitimate card reader on the inside of the ATM. He described the wiretapping device this way:

“It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”

The last report in my ATM skimming series showcased some major innovations in so-called “insert skimmers,” card-skimming devices made to fix snugly and invisibly inside the throat of the card acceptance slot. EAST’s new report includes another, slightly more advanced, insert skimmer that’s being called an “insert transmitter skimmer.”

Like the one pictured below, an insert transmitter skimmer is made up of two steel plates and an internal battery that lasts approximately one to two weeks. “They do not store data, but transmit it directly to a receiving device — probably placed less than 1 meter from the ATM. Continue reading →