Real card slot on left, skimmer on right.
Would You Have Spotted the Fraud?
Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly
swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of
course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.
This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below),
ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.
This is the back side of the device. The card reader is tucked into the right side as shown below.
The device may have been constructed with parts from an MP3 player.
It was attached with several small pieces of grey double-sided tape. The part was well made and fit nicely over the original card reader.
It’s hard to know whether this was a homemade skimmer, or one that was purchased from online
criminal forums. Some of the skimmers sold on these forums are extremely sophisticated, incorporating features such as the ability to send an SMS text message
to the thieves’ mobile phone whenever a new card is swiped.
This type of fraud is actually far more common than you might think: A quick query on Twitter for “ATM skimmer”
usually brings up plenty of local news reports about these devices being found on ATMs.
Practice basic ATM street smarts and you should have little to fear from these skimmers:
If you see something that doesn’t look right — such as an odd protrusion or off-color component on an ATM — consider going to another machine. Also, stay away from ATMs that are not located in publicly visible and well-lit areas.
Feb. 2, 2010: ATM Skimmers, Part II
ATM PIN capture overlay device pulled back to reveal the legitimate PIN entry pad.
Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly
disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist
at Lockheed Martin’s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of
the more interesting images he uses in his presentations.
According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled
about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts
for more than 80 percent of ATM fraud, Doten said.
March 25, 2010: Would You Have Spotted This ATM Fraud?
The stories I’ve written on ATM skimmers - devices criminals can attach to bank money machines to steal customer data - remain
the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.
Indeed, police in Alexandria, Va., just a couple of miles to the east of where I reside, recently were alerted to a skimmer found on an ATM at a Wachovia
Bank there. The device reportedly was discovered on Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain
why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device
attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a
few minutes later, the skimmer had been removed.
Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a
customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such
as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use
it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely
that the technician simply overlooked it.
ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.
Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors
depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM, for
example, was manufactured for a specific model of Diebold ATMs, Donaldson said.
Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.
Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.
The business end of a standard, $1,500 Diebold skimmer sold online.
Interestingly, after my last story on ATM skimmers, I received several spammy comments on the entry directing readers to a site that specializes in
selling ATM skimming devices. That site sells a Diebold ATM skimmer that is apparently identical to the one found attached to the Alexandria ATM starting
at a base price of $1,500 (see image at right). If the thief wants to have the stolen data sent to him from a safe distance via a wireless technology — such as
Bluetooth or cell phone (GSM) — the price for one of these Diebold skimmers increases to $2,000 or even $2,500.
The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our
Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and
PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.
The backside end of a standard, $1,500 Diebold skimmer sold online.
Employees are instructed to download specialized software written by the employers that pulls the stolen data off of the card skimmer at the end of a day’s “work.”
The software also automatically uploads the stolen card data to the employer’s servers. The employee allegedly holds the key to making sure his employers don’t
just make off with 100 percent of the stolen data, as he retains stolen PIN information.
“This way, you will have pad numbers we will have track info and we split them 50% each on cashout day,” the site explains. “We have to decide a working day
from total amount of tracks you will have send us our % of pin numbers and we will send your % of tracks info, then exactly the same day will do the final job
cash out.”
A bogus Diebold ATM PIN pad overlay sold online for $1,700.
Of course, the entire site could be little more than a very clever scheme to bilk gullible thieves out of $1,000: Not surprisingly, the site owners only accept irreversible forms of payment, such as wire transfers or money orders.
Update, 1:47 p.m. ET: I was just interviewed about this article on The Kojo Nnamdi Show, part of WAMU 88.5 FM, a National Public Radio news station in Washington, D.C. You can listen to a recording of that show at this link here.
Update, March 26, 11:13 p.m.: I was meeting a source in Washington, D.C. today and happened to walk past another Wachovia ATM. I was so struck by the fact that I could not tell the difference between the skimmer-tainted ATM in the post above and this machine in D.C. that I snapped these photos. The ATM in question is right next to the Archives/Navy Memorial Metro Station.
June 3, 2010: ATM Skimmers: Separating Cruft from Craft
A bogus PIN pad overlay
ATM skimmers, or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data, are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.
The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.
Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro — shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card’s magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).
The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest directly on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.
Both the card skimmer and the PIN pad overlay device relay the data they’ve stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day.
This skimmer kit even includes an alarm feature so that if it is removed, whether by the fraudster, a bank manager or a passerby, the devices will immediately transmit any of their stored stolen data.
Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. Also, don’t be shy about covering the PIN pad with your hand so that any shoulder-surfers (or hidden cameras) can’t see your code. If you find an ATM skimmer or other fraud device attached to an ATM, report it to the bank. If the bank is closed, it’s probably a good idea to leave the device alone and to call the police: There is a good chance that the thief who attached the device is somewhere nearby.
Both the fake PIN pad (bottom) and bogus card skimmer overlay (right).
June 17, 2010: Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message
Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.
This latest entry in my series on skimmers includes a number of never before published pictures of a cell-phone based skimmer set that sends stolen bank card data to the attacker using encrypted text messages. The following images were obtained directly from a skimmer maker who sells them on a very well-protected online fraud forum. This particular craftsman designs the fraud devices made-to-order, even requesting photos of the customer’s targeted ATMs before embarking on a sale.
Just as virus writers target Windows in large part because it is the dominant operating system on the planet, skimmer makers tend to center their designs around one or two ATM models that are broadly deployed around the globe. Among the most popular is the NCR 5886, a legitimate, unadulterated version of which is pictured below.
This skimmer I’m writing about today sells for between $7,000 and $8,000 USD, and includes two main components: The actual card skimmer device that fits over the card acceptance slot and records the data that is stored on the back of any ATM cards inserted into the device; and a metal plate with a fake PIN pad that is designed to sit directly on top of the real PIN pad and capture the victim’s personal identification number (PIN) while simultaneously passing it on to the real PIN pad underneath.
Not all skimmers are so pricey: Many are prefabricated, relatively simple devices that fraudsters attach to an ATM and then collect at some later point to retrieve the stolen data. The trouble with these devices is that the fraudster has to return to the compromised ATM to grab the device and the stolen data stored on it.
In contrast, wireless skimmers like the one pictured below allow the thief to receive the stolen card data from anywhere in the world, provided he or she has a working cell phone signal.
The actual card skimmer in this seller’s model is quite small, and yet includes both a magnetic strip reader and a tiny radio that sends the collected data (known as “dumps” in fraud circles) in an encrypted format to a device built into the PIN pad (more on that in a moment).
Here are a few photos of the razor thin skimmer that comes with this kit:
The backside of a GSM-based PIN pad overlay
Card skimmer with track reader and radio, front side.
And here’s a view of the electronics that powers this little thief.
The card skimmer, reverse view.
Now, let’s have a look at the brains behind this custom skimming combo.
Fake PIN pad overlay, front view.
And if we turn the bogus PIN pad overlay around, we get a glimpse of what really makes this thing tick.
Fake PIN pad overlay, reverse view.
Although you cannot really tell from this picture, the PIN pad overlay contains its own GSM module, basically the guts of a cell phone that is capable of sending text messages to any phone of the customer’s choosing that operates under the GSM mobile communications standard. According to the maker of this kit, to whom I spoke briefly via online chat, the GSM module is responsible for collecting the skimmed card data from radio transmissions sent by the skimmer, and then bundling that data with the corresponding PIN into an encrypted text message.
The designer says it typically takes between 2 and 4 text messages to send the encrypted output from a single dump and PIN combination.
We didn’t get too chummy in our chat, but one of the pictures this guy shared with me provides a clue to his potential home country. Check out the photograph below, which includes a pencil ostensibly designed to give a point of reference for the size of the bogus PIN pad.
The markings on the pencil show it to be a “Koh-I-Noor” drafting pencil, a brand of writing utensil first introduced in 1890, according to leadholder.com, which bills itself as the online “pencil museum.” Leadholder.com says this writing stick established a number of trends in pencil design that we now take for granted, most notably the yellow finish, a trait that other pencil manufacturers would later imitate. More importantly, the maker of the Koh-I-Noor, a company called L&C Hardmuth, is based in the Czech Republic.
Leadholder curator Dennis Smith said the pencil in the photo is a Czech-made model 1500 that has not been distributed in the U.S. since before World War II.
“The type shown in the picture is of recent vintage, 1990s to present. There was an American made 1500 that died with the [now defunct] U.S. company in the 1990s,” Smith wrote in an e-mail to KrebsOnSecurity. “A company called Chartpak now owns the rights to the trademark in the U.S. They import and distribute products of the Czech company, but not the 1500 for some reason.”
At any rate, below is a photo of both devices attached to a working ATM (the photo has been retouched by the designer, probably to hide markings that might identify the location of the machine).
The designer's devices, attached to a working ATM
July 20, 2010: Skimmers Siphoning Card Data at the Pump
Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.
Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.
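The search for commonalities that the bank describes is usually called common-point-of-purchase analysis. The following is an added example, not code from the bank or from this blog: it ranks merchants by how unlikely their share of fraud-reported cards would be by chance, so that a busy merchant every card visits is not flagged. Card IDs, merchant names, dates and the 0.01 cut-off are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from math import comb


def hypergeom_tail(N, K, n, k):
    """P(X >= k): chance that at least k of a merchant's n cards are
    compromised if the K compromised cards were spread at random over N."""
    hits = sum(comb(K, i) * comb(N - K, n - i) for i in range(k, min(n, K) + 1))
    return hits / comb(N, n)


def cards_by_merchant(transactions, start, end):
    """Index distinct cards per merchant, ignoring purchases outside the window."""
    index = defaultdict(set)
    for card, merchant, day in transactions:
        if start <= day <= end:
            index[merchant].add(card)
    return index


def rank_common_points(transactions, compromised, start, end, min_cards=3):
    """Rank merchants, most suspicious first.

    transactions: iterable of (card_id, merchant_id, date)
    compromised:  set of card_ids with confirmed fraud
    """
    index = cards_by_merchant(transactions, start, end)
    population = set().union(*index.values()) if index else set()
    bad = compromised & population
    rows = []
    for merchant, cards in index.items():
        if len(cards) < min_cards:      # too few cards to say anything
            continue
        k = len(cards & bad)
        rows.append({
            "merchant": merchant,
            "cards": len(cards),
            "compromised": k,
            "p_value": hypergeom_tail(len(population), len(bad), len(cards), k),
        })
    rows.sort(key=lambda r: (r["p_value"], -r["compromised"], r["merchant"]))
    return rows


def victim_coverage(transactions, compromised, merchants, start, end):
    """Fraction of compromised cards that used at least one of `merchants`."""
    index = cards_by_merchant(transactions, start, end)
    seen = set()
    for m in merchants:
        seen |= index.get(m, set()) & compromised
    return len(seen) / len(compromised) if compromised else 0.0


# ---- constructed sample data (hypothetical cards, merchants and dates) ----
CARDS = [f"c{i:02d}" for i in range(40)]
COMPROMISED = set(CARDS[:8])                      # c00..c07 reported fraud
WINDOW = (date(2010, 6, 15), date(2010, 7, 19))   # look-back window


def sample_transactions():
    d = date(2010, 7, 10)
    tx = [(c, "GROCER-1", d) for c in CARDS]                       # everyone shops here
    tx += [(c, "GAS-I25-A", d) for c in CARDS[0:5] + ["c20"]]
    tx += [(c, "GAS-I25-B", d) for c in ["c03", "c05", "c06", "c07", "c21"]]
    tx += [(c, "COFFEE-2", d) for c in ["c00"] + CARDS[10:19]]
    tx += [(c, "GAS-OTHER", d) for c in CARDS[8:16]]
    # Old purchases shared by every victim, but months before the fraud began.
    tx += [(c, "HOTEL-9", date(2010, 3, 1)) for c in CARDS[:8]]
    return tx


def flagged_merchants(threshold=0.01):
    rows = rank_common_points(sample_transactions(), COMPROMISED, *WINDOW)
    return [r["merchant"] for r in rows if r["p_value"] < threshold]


if __name__ == "__main__":
    for r in rank_common_points(sample_transactions(), COMPROMISED, *WINDOW):
        print(f'{r["merchant"]:<10} cards={r["cards"]:>2} '
              f'compromised={r["compromised"]} p={r["p_value"]:.5f}')
    hits = flagged_merchants()
    cov = victim_coverage(sample_transactions(), COMPROMISED, hits, *WINDOW)
    print("flagged:", hits, "coverage of victims:", cov)
```

In the sample, neither flagged station accounts for every victim on its own; only the pair together covers all eight cards, which matches the "string of filling stations" pattern in the story.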
Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.
Mark Gallick, a Secret Service agent with the Denver field office, confirmed that a bulletin on skimmers was circulating among gas stations in the area, but refused to comment further.
Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.
Bluetooth based wireless skimmers have been found attached to a slew of gas station pumps throughout the Southeast, particularly in Florida. Wireless skimmers allow thieves to pull up to the compromised station and download stolen card data with a laptop while sitting in their car. Many wireless skimmers run on rechargeable batteries, but skimmers attached to the insides of a gas pump can easily be made to draw on the pump’s power source in order to continue stealing card data indefinitely.
“Our device is not the traditional skimmer but rather a Bluetooth enabled equivalent of a thumb drive programmed to capture the data as it was transmitted from point A to point B inside the gas pump itself,” said Lt. Stephen Maynard, the public information officer for the Alachua County, Fla. Sheriff’s Office, which dealt with skimmer compromised pumps earlier this year.
Bluetooth-enabled gas pump skimmer. Photo: Alachua County, Fla. Sheriff's Office
Gas pump skimmer. Photo: Arizona Dept. of Weights & Measures
The gas pumps compromised in the Denver-area attacks showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.
My source said the hacked pumps in Denver tended to be on the outside edges of the gas station, those hardest to see by clerks in the station. In a wrinkle that could be part of an effort to drive customers to the compromised pumps, the source said, customer service representatives at the bank also received complaints from victim account holders who reported getting phone calls promising them gift cards if they purchased gas at specific stations in the Denver area.
“The caller ID on those calls — 727-712-0382 — was a number that probably originated from a Florida provider,” my source said.
Unlike most skimmers affixed to ATMs — which can often be spotted because they rely on fraud devices that are attached to the exterior of the cash machines — gas station skimmers are planted after the thieves have gained access to the interior of the pumps. As a result, there are rarely any signs that a gas pump has been compromised. However, consumers can and should keep a close eye on their monthly bank statements and report any unauthorized charges immediately.
The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.
Fun With ATM Skimmers, Part III
ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices are a major problem in Europe as well.
According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.
EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.
ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards, either through handheld skimmers or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at an ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA’s Idan Aharoni wrote an informative post about this technology earlier this year.
Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.
While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines.
Nov. 10, 2010: All-in-One Skimmers
ATM skimmers come in all shapes and sizes, and most include several components such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.
The model displayed here is designed to work on specific Diebold ATMs, and can hold a battery charge for two to four days, depending on ambient temperature and the number of customers who pull money out of the hacked ATM.
Functionally, it is quite similar to the all-in-one model pictured in the very first skimmer post in this ATM skimmer series, although its design indicates it may be identical to the one pictured here, which was found on a Wachovia ATM just a couple of miles from my home earlier this year.
The tiny pinhole camera in the image above is angled so that it points at the PIN pad below and to the left, recording the victim’s 4-digit personal identification number to a flash-based memory card.
The real danger for the thief comes when he has to return to the scene of the crime to retrieve the skimmer, which contains not only the stolen card data that allows him to make counterfeit copies of the swiped cards, but also short, timestamped videos of each victim’s PIN.
Thieves interested in hoovering up the captured data remotely might seek to invest in a skimmer that can transmit the purloined data wirelessly via Bluetooth or SMS/text message, as I wrote about in this post. However, wireless skimmers tend to cost quite a bit more than this model, which I found advertised on an exclusive underground forum: It is hand made to the customer’s specifications, and costs slightly more than $5,000 USD. Ah, but don’t count on paying for this badboy with a credit card: The seller only accepts cash (Western Union/Moneygram) or virtual currencies, such as WebMoney.
Nov. 23, 2010: Crooks Rock Audio-based ATM Skimmers
Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns.
The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs. EAST said it also discovered that a new type of analogue skimming device using audio technology has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).
In the somewhat low-res pictures supplied by EAST here, the audio skimming device is mounted on a piece of plastic that fits over the ATM’s card reader throat. A separate micro camera embedded in the plastic steals the victim’s PIN.
Audio skimmer for Diebold ATMs
The use of audio technology to record data stored on the magnetic stripe on the backs of all credit and debit cards has been well understood for many years. The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37). Since then, other electronics enthusiasts have blogged about their experiments with sound skimmers; for example, this guy discusses how he made a card reader device out of an old cassette recorder.
Recently, I had a chance to chat via instant message with a hacker in Eastern Europe who sells both audio-based ATM skimmers and the technology needed to decode audio skims or “dumps.” Below are some of the pictures of his wares that he sent me:
Image courtesy mreader.free.fr
Dec. 13, 2010: Why GSM-based ATM Skimmers Rule
Earlier this year, KrebsOnSecurity featured a post highlighting the most dangerous aspects of GSM-based ATM skimmers, fraud devices that let thieves steal card data from ATM users and have the purloined digits sent wirelessly via text message to the attacker’s cell phone. In that post, I explained that these mobile skimmers help fraudsters steal card data without having to return to the scene of the crime. But I thought it might be nice to hear the selling points directly from the makers of these GSM-based skimmers.
So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models, that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).
Throughout this post readers also will find several images this seller sent me of his two-part skimmer device, as well as snippets from an instructional video he ships with all sales, showing in painstaking detail how to set up and use his product. The videos are not complete. The video he sent me is about 15 minutes long. I just picked a few of the more interesting parts.
One final note: In the instruction manual below, “tracks” refers to the data stored on the magnetic stripe on the backs of all ATM (and credit/debit) cards. Our seller’s pitch begins:
“Let say we have a situation in which the equipment is established, works — for example from 9:00 a.m., and after 6 hours of work, usually it has about 25-35 tracks already on hand (on the average machine). And at cashout if the hacked ATM is in Europe, that’s approximately 20-25k Euros.
A GSM-based ATM card skimmer.
The back of a GSM-based PIN pad skimmer
So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.
And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer – you lose equipment, and tracks, and money.
That’s not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.
However have worked all the day and all the evening, and only by night the police has removed the equipment. As a result they thought to catch malicious guys, but it has turned out, that we have lost the equipment, but results have received in full. That day we got about 120 tracks with PINs. But if there was equipment that needs to be removed to receive tracks? We would earn nothing.”
And what about ATM skimmers that send stolen data wirelessly via Bluetooth, a communications technology that allows the thieves to hoover up the skimmer data from a few hundred meters away?
Front view of a GSM-based PIN skimmer
“Then after 15 minutes police would calculate auto in which people with base station and TV would sit,” says our skimmer salesman. “More shortly, in my opinion, for today it is safely possible to work only with GSM equipment.”
Aside from personal safety issues, skimmer scammers also must be wary of employees or co-workers who might seek to siphon off skimmed data for themselves. Our man explains:
“Consider this scenario: You have employed people who will install the equipment. For you it is important that they do not steal tracks. In the case of skimmer equipment that does not transfer dumps, the worker has full control over receiving of tracks.
Well, you have the right to be doing work in another country. And so, people will always swear fidelity and honesty. This normal behavior of the person, but do not forget with whom you work. And in our situation people have no tracks in hands and have no PINs in hands. They can count quantity of holders which has passed during work and that’s all. And it means that your workers cannot steal any track.
I have listed only some situations in which GSM skimmers have obvious and total advantage before all other models. Do not ask me why I sell the equipment. I do not like this question. It’s my business why I drink coffee in the mornings why I go on trainings every day, and why I sell that or I do not sell. It’s my business.”
In the first video, we see our masked skimmer maker using a mock-up ATM to illustrate how to attach and reset his skimmer devices. The second movie shows the GSM card attached to the PIN pad overlay. In the final video, our skimmer seller demonstrates how to attach the SIM card to the ATM card skimmer module.
Jan. 17, 2011: ATM Skimmers, Up Close
Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and to steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.
Also, this seller’s profile showed that he was a longtime member, and had been vouched for as a “verified” vendor. This meant that forum administrators had vetted him by checking his reputation on other fraud forums, and that he’d paid a fee to use its escrow service if any potential buyers insisted
Anyway, I wasn’t looking to purchase his skimmers, just to check out his wares. I chatted him up on ICQ, and he said he only sold the plastic housings for the skimmer devices, but that he could show me pictures and videos of what some of his customers had done with them. Above is a video of the seller demonstrating how one of his card skimmer housings fits over the mouth of the card slot on a working Diebold Aptiva ATM.
Below are images he sent that demonstrate two very different skimmers made with his housings. The device on the top in the picture below is a flash-based spy camera nested in a beige plastic molding meant to be attached directly above the ATM PIN pad to steal the customer’s personal identification number. The image on the bottom is the skimmer itself. To the right of each are instructions for configuring the skimmer devices and for harvesting the stolen data stored on them.
As part of the instructions to download stolen card data from the card skimmer pictured directly above, buyers are told to install a hardware driver and software program on their Windows PC (both are safe and virus free, trust us!). After that, users are instructed to enter the password “0000” when prompted, but this seller doesn’t include instructions for changing the default password. It’s nice to know that computer crooks make the same flawed security design decisions as many mainstream manufacturers of consumer electronics.
The images below show an all-in-one ATM card skimmer housing that harbors both a card reader and a mini flash-based spy camera (top, with putty). The picture on the right shows the same skimmer from the front (customer/victim facing) view.
Jan. 31, 2011: ATM Skimmers That Never Touch the ATM
Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.
The most common of these off-ATM skimmers can be found near cash machines that are located in the antechamber of a bank or building lobby, where access is controlled by a key card lock that is activated when the customer swipes his or her ATM card. In these scams, the thieves remove the card swipe device attached to the outside door, add a skimmer, and then reattach the device to the door. The attackers then place a hidden camera just above or beside the ATM, so that the camera is angled to record unsuspecting customers entering their PINs.
The crooks usually return later in the evening to remove the theft devices. Armed with skimmed card data and victim PINs, skimmer thieves are able to encode the information onto counterfeit cards and withdraw money from compromised accounts at ATMs across the country.
On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an “Out of Order” sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.
Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right.
Here’s a front view of the hidden camera, which probably would appear to most ATM users as nothing more than a parabolic mirror designed to give customers a view of anyone standing behind them.
Behind the glass, however, was a battery-operated hidden camera. A tiny hole was cut out of the bottom of the mirror housing to enable the camera to record PIN entries.
Below are several images showing the key card door lock that was compromised in this attack. The top left image shows the device as it would appear attached to the door securing access to the ATM lobby. The other two pictures show the skimmer device with the electronic components added by the thieves.
The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.
The camera used in this attack retails for about $150, can record up to 2 GB (about two hours worth) of video, and runs on a rechargeable lithium ion battery.
Feb. 16, 2011: Having a Ball With ATM Skimmers
On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users. But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.
The camera was discovered more than a day later by a maintenance worker who was servicing the ATM. The device, pictured below with the boxy housing in which it was discovered, was designed to fit into the corner of the ATM framework and painted to match.
The self-contained camera and box attached to the Bank of America ATM
The ATM pictured on the right below is shown with the card skimmer and video camera attached
California police say the video camera and skimmer were installed by the person pictured below. The entire scam ran only for about three hours, and was reported about 11 AM. Police recovered both the skimmer and video camera, so no customer or bank losses ensued as a result of the attack. Meanwhile, the crook responsible remains at large.
A constant stream of ATM customers used the machine. According to California authorities, below is a freeze frame from a video of the first customer/victim to use the compromised ATM.
The image below shows some of the manufacturer’s specs on the “Camball-2” camera that was used in this attack, which retails for around $200 and runs for about 48 hours on motion detection mode.
Here’s a closer look at the relatively crude device attached to the mouth of the card insert slot, designed to steal data recorded on the magnetic stripe on the back of all bank cards. Criminals can then encode the information onto counterfeit cards, and — armed with the victim’s PIN — withdraw money from the victim’s account from ATMs around the world.
The authorities I’ve been interviewing about skimmer scams say the devices are most commonly installed on weekends, when many banks are closed or have limited hours. It’s difficult — once you know about the existence of these fraud devices — not to pull on parts of ATMs to make sure they aren’t compromised. If something comes off of the machine when you yank on it, and the bank is closed or the ATM isn’t attached to a financial institution, it’s probably best just to leave the device at the scene and not try to make off with it. Otherwise, consider the difficulty in explaining your actions should you be confronted by police after walking away. What’s more, in many skimmer cases, the fraudster who placed it there is monitoring the scene from somewhere within viewing distance of the compromised ATM.
It’s easy to be frightened by ATM skimmers, but try not to let these fraud devices spook you away entirely: Stick to machines in well-lit areas, places where you feel relatively safe physically. On top of that, cover your hand when entering your PIN, as many skimmers rely on hidden cameras and can’t steal your account credentials without recording those digits. Also, remember that any losses you may incur from skimmers should be fully reimbursable by your bank (at least in the United States).
While the temporary loss of funds may not cover the cost of any checks that bounce because of the incident, these also are losses that your financial institution should cover if they were incurred because of a skimmer incident.
Mar. 11, 2011: Green Skimmers Skimming Green
To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.
Earlier this year, authorities in Ireland began dealing with a rash of ATM skimmers like the one pictured directly below. The green anti-skimming device is backlit and oddly-shaped, a design intended to confound skimmer makers. But as can be seen from the first picture here, the only obvious difference between a compromised ATM and an unadulterated one in this case is a small plastic lip at the top, which the crooks in this attack used to house the electronic brains for their skimmer.
The second picture below shows the underside of the skimming device, removed from a compromised machine in the background.
A representative from the Garda (Irish Police) declined to discuss the skimming photos, saying that for legal reasons they were unable to comment on ongoing court cases. But a source close to the investigation said identical skimmers have been found attached to ATMs across the country. The source said a 33-year-old Moldovan man has been arrested in Limerick in connection with the attacks, which authorities have called part of a global ATM fraud operation.
Last fall, while lurking on some underground criminal forums, I encountered another type of skimmer masquerading as an anti-skimming device for cash machines made by NCR. The skimmer pictured below is sold for several thousand dollars by a Russian guy who has a presence on at least two major carding forums. His advertising literature claims the battery-operated device will hold a charge for about three days. He also claims his skimmer won’t work on Russian ATMs: “It will immediately disrupt those wishing to operate via Russian ATMs: A majority of the BINs [Bank Identification Numbers] of Russian banks are hardwired into the chip; they are not processed.”
When I first saw his skimmer photos, I wasn’t too impressed. I’d never seen anti-skimming devices that looked even remotely like his in real life. But that changed in December, when the wife and I traveled to Costa Rica for some friends’ destination wedding. While we were there, we had a chance to stay in and hike through the gorgeous Monteverde Cloud Forest, and at the end of a guided tour through the forest I needed to stop by the ATM to tip our guide. When I got to the town’s bank and saw the ATM pictured below, I took a step back. For one thing, the NCR ATM looked like it had one of these fake anti-skimmer devices attached.
I grew more nervous when I noticed that the only other ATM at this bank was out of order (skimmer thieves often place out-of-order signs on nearby ATMs that are not compromised, in a bid to steer people to the hacked ATM). I yanked pretty hard on the green device affixed to the ATM, and it remained attached. Left with the choice between stiffing our driver and excellent guide without a tip and taking out cash from this machine, I chose the latter. I haven’t seen any suspicious charges yet, but it just goes to show you how even a little knowledge of these ATM skimmers really can make you paranoid.
Picture of an anti-skimmer skimmer for sale on underground forums.
April 10, 2001: ATM Skimmers: Hacking the Cash Machine
Most of the ATM skimmers I’ve profiled in this blog are comprised of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.
On May 16, 2009, a company representative from ATM maker Diebold was servicing an ATM at a Bank of America branch in Sun Valley, Calif., when he discovered a skimming device and a camera that were attached to the machine. The technician took pictures of the camera and card skimmer (click picture at right for larger image), and then went into the branch to contact his supervisor.
But when the Diebold employee returned, the camera had been removed from the ATM, suggesting that the skimmer scammer was lurking somewhere nearby and had swooped in to salvage his remaining equipment. This is similar to what happened when an ATM technician discovered a compromised ATM a year ago.
Investigators of the present scam learned that the thief had somehow pried off the plastic cover of the ATM’s card acceptance slot and replaced it with an identical, compromised version that included a modified magnetic stripe reader and a flash storage device. The new card slot came with its own clear plastic face that was situated in front of the plastic one that was already attached to the ATM’s internal card reader (see picture below). The entire fraudulent device was glued onto the ATM with silicon.
ATM Card skimmer, using modified ATM component
Below are a few close-ups of the silicon-based magnetic stripe reader attached to the compromised card acceptance slot overlay.
The camera was in a trim piece that was attached above the PIN pad, cleverly designed to match the rest of the ATM in color and contour. Although the camera was removed by the thief, investigators said the trim piece was similar to a hidden camera found attached to an identical ATM at a Washington Mutual bank branch in the area.
In other skimmer cases, ATM thieves also have been known to hack apart and modify portions of the ATM. Last week, the Palm Beach Sun Sentinel published a story about crooks in Boynton Beach, Fla. who have been cutting the bottom of ATM card readers to remove the microchip inside and replace it with their own battery-operated card reader.
If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM. And remember, the most important security advice is to watch out for your own physical safety while using an ATM: Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.
May 18, 2011: Point-of-Sale Skimmers: Robbed at the Register
Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.
This paper-thin membrane fits under the real PIN pad.
Sept. 20, 2011: Gang Used 3D Printers for ATM Skimmers
An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. In June, a federal court indicted four men from South Texas (PDF) whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer.
3D printer firm i.materialise received and promptly declined orders for these skimmer devices.
Oct. 13, 2011: ATM Skimmer Powered by MP3 Player
Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices.
The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The MP3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.
An audio skimmer for a Diebold ATM.
Dec. 7, 2011: Pro Grade (3D Printer-Made?) ATM Skimmer…
In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.