All About Skimmers
Direct Link: http://krebsonsecurity.com/all-about-skimmers/
The series I’ve written about ATM skimmers, gas pump skimmers and other related fraud devices have become by far the most-read posts on this blog. I put this gallery together to showcase the entire series, and to give others a handy place to reference all of these stories in one place. Click the headline or the image associated with each blurb for the full story.
Pictured here is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipecredit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution. This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin‘s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.
The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.
The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.
Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.
Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.
According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.
ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.
The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs. EAST said it also discovered that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).
So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models — that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).
I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.
Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.
On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users. But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.
To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.
Most of the ATM skimmers I’ve profiled in this blog are comprised of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.
Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.
An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. In June, a federal court indicted four men from South Texas (PDF) whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer.
Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices. The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The Mp3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.
In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.
I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.
It’s getting harder to detect some of the newer ATM skimmers, fraud devices attached to or inserted into cash machines and designed to steal card and PIN data. Among the latest and most difficult-to-spot skimmer innovations is a wafer-thin card reading device that can be inserted directly into the ATM’s card acceptance slot.
I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.
Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.
This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.
If you hand your credit or debit card to a merchant who is using a wireless point-of-sale (POS) device, you may want to later verify that the charge actually went through. A top vendor of POS skimmers ships devices that will print out “transaction approved” receipts, even though the machine is offline and is merely recording the customer’s card data and PIN for future fraudulent use.
Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.
Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.
Cybercrooks can be notoriously cheap, considering how much they typically get for nothing. I’m reminded of this when I occasionally stumble upon underground forum members trying to sell a used ATM skimmer: Very often, the sales thread devolves into a flame war over whether the fully-assembled ATM skimmer is really worth more than the sum of its parts.
Scam artists who deploy credit and debit card skimmers most often target ATMs, yet thieves can also use inexpensive, store-bought skimming devices to compromise modern-day cash registers. Just this past weekend, for instance, department store chain Nordstrom said it found a half-dozen of these skimmers affixed to registers at a store in Florida.
Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.
This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.