
ATM skimmer -- could you spot it in the wild?

Cory Doctorow at 10:23 am Sat, Jan 16, 2010


Brian Krebs's "Krebs on Security" features an ATM skimmer that is chillingly well-camouflaged. After seeing photos of early, crude skimmers -- devices that capture your card number and work in concert with a hidden camera that records you punching in your PIN -- I assumed that I could rely on my own powers of observation to keep from falling victim to one. Now I don't think I can be so sanguine. Be sure to follow some of the links in the post for some hair-raising examples of the form.
This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim's movements as he or she enters their PIN at the ATM.

Would You Have Spotted the Fraud? (via Neatorama)
Previously:
  • Mouse nesting in ATM Boing Boing
  • African ATM offers eight languages - Boing Boing
  • Boing Boing: Fake ATM receipts for sale
  • Citibank PIN/ATM fiasco "worst ever," involves more banks - Boing ...
  • UK ATM cards' chips defeated with discount airfares - Boing Boing
  • Ripoff: Visa/Mastercard's "Foreign transaction fee" - Boing Boing
  • Boing Boing: Crook reprograms ATM in PA to think $20s are $1s

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • InsertFingerHere

    In Canada with the CIBC (at least where I’ve used them) the ATMs have a green translucent front on the card reader, shows there’s nothing inside. Can’t recall if there is a light in there or not.

    In any case, before I put my cards in, I give that snout a good hard tug… enough that something would snap off if it were affixed lightly.

    I worry more when the clerk at the gas station has the swiper below the counter. If I don’t see it, I’ll ask them to hold the swiper up so I can see it.

    The other thing that is happening now is the crooks will steal the keypad off the counter, and replace it with one that has BT inside. Considering these are attached with a simple phone-jack connector, I mean.. holy crap, I saw that trick coming YEARS ago.

    Best Buy used the same connectors to trigger an alarm if something gets lifted. Duhhhh…

    Seems like the physical security of your card is almost an afterthought.

    • Ted8305

      Yep, I always give the card reader slot a firm wiggle and shake. Not enough to damage real ATM hardware, but hopefully enough to dislodge counterfeit parts stuck to the front.

      When entering PINs, always cover the keypad with your off hand. Faking a couple of key-presses before, during and after the actual key pressing sequence is also a great idea.

  • darren

    The only machine I ever stick my debit card into is my bank’s own machines. Royal Bank machines have this green glowing anti-fraud thing, but really it’s just to avoid utterly absurd service changes. I stopped making point-of-sale debit card purchases way back in the 20th century.

    I use only my credit card for day-to-day shopping. If my credit card number gets swiped then who cares.

  • Anonymous

    The easy solution is chipped cards. They’re widespread in Europe and being introduced in Canada. It makes this sort of crime much harder by using encrypted data that cannot be copied.

    • Tynam

      Anon @33: Sadly, there’s nothing particularly secure about the European chip-based cards. (There’s some security features that protect the bank, very few that protect the customer.) Usually, Chip and PIN is one more excuse the banks have to blame the customer and refuse to pay.

      The data encryption on these things doesn’t give you any real protection against man-in-the-middle attacks like the one in Cory’s post. And nothing banks do now even begins to protect you against supply-chain attacks. The criminals are pretty sophisticated these days. And the banks aren’t.

  • buddyh

    I happened to have been skimmed a year and a half ago at a gas station, which by the way is one of/or maybe the most frequent place that skimmers are applied to.

    Since then, I only use credit at gas pumps – these skimmers primarily go after debit cards, and this after inspecting the reader at each pump.

  • Anonymous

    There’s only one person on here who had the right idea.

    Only way to counteract the theft of your account is through optics and extremely well encrypted transmissions through a secured network that’s NOT in use with telephone, the internet, or wireless connection.

    Thumb prints, Chip and Pin, and even chip in body (see bible), can all be compromised, chips more so because RFID can be read wireless.

  • desiredusername

    How about flat card swipe surfaces instead of jutting ones?

  • Anonymous

    This happened a month ago at a Citibank in Brooklyn, NYC.

  • Mitch

    That’s pretty impressive. The braille adds a nice touch.

    Maybe they ought to have ATM machines display a picture of what the machine is supposed to look like before it prompts for your pin.

  • Anonymous

    Random thought: When will we have our fingerprints as our ATM PINs? That will be a lot more difficult to fool.

  • zumdish

    I used to program ATMs and have tons of experience with the hardware of nearly every manufacturer – that sucker would probably fool me! It looks really slick.

    @Mitch: That braille IS a perfect touch, somehow it gives it just the right note of authenticity.

  • Anonymous

    @TYR

    This has also happened to a friend of mine. A word of advice people, if you find one walk away from the machine before calling the popo.

  • jfrancis

    Tug on every card reader before you use it. If it comes off in your hand…

  • TYR

    In about 2003 I found a roughly similar skimmer (without the INSERT CARD misdirection) attached to my usual ATM. I removed it – it was secured by neat, thick strips of BluTack – and saw various electronic components I couldn’t identify in sodium lighting. I was about to dial 999 on my mobile when I was assaulted by two men who wanted the device back quite badly :-) I elbowed one in the balls, but the other tore the gadget out of my hand and ran. I called the police, who left a message promising to call me but never did.

    However, I did notice that all the ATMs in town were switched off that evening.

  • Gag Halfrunt

    Chip and PIN cards still have magnetic stripes, so card numbers can be collected with a skimmer and used to make fraudulent mail order purchases. Which is where other security measures are supposed to come in, such as card security numbers (the three digit code printed on the signature strip) and looking for unusual transactions.

  • adamnvillani

    Damn, I live in Woodland Hills. Thankfully I bank with Chase instead of Citibank, but still…

  • ecobore

    For some years I have used my other hand and wallet to cover the hand entering the PIN. I do this in shop Chip and PIN machines too, so that anybody standing behind is stumped in the event they want to steal your wallet and use your card.

  • Adam Johanningmeier

    One thing I would definitely do is pull on the card reader to make sure it is securely in place. If it feels loose in any way, DO NOT USE that ATM.

  • Aurophobia

    I didn’t spot it in the wild when it was on the ATM outside my local bank. $1500 was stolen from my account before I noticed. Fortunately, my bank returned the funds but it was more than a little stressful.

    Now, I always cover my fingers when I enter my PIN.

  • Anonymous

    I get most of my cash from inside stores with a cash back option. Hopefully this is safer. I don’t even know anymore!

  • Anonymous

    I found one about a year ago on a CIBC bank machine in Canada. They have a transparent green card slot with an odd shape with LEDs inside. When I walked up this lady took the bank machine to my left. I looked at it and thought “Those LEDs look really dim.” so I did what I usually do, gave the card slot a tug. Only this time it came off in my hand. Inside the transparent green plastic were 4 watch batteries and a chip. It was held on with double sided foam tape. I was thinking of taking the batteries out and smashing it on the floor but I thought someone might be watching, so I tossed it in the garbage and asked the other person if they had a card reader on their machine. When I did they jumped and then asked me where it was. I said I tossed it in the garbage and walked out.

    She didn’t follow me out even though she was finished on the machine. I then called the cops and told them about it so I’m sure they grabbed the security camera footage and probably found her digging it out of the garbage.

  • Anonymous

    That ATM went out of service minutes after having the skimmer attached.

  • Anonymous

    Many, many years ago someone designed a keypad for ATM machines that randomly placed the numbers on the keypad, so that the numbers were in different places for each use.

    I thought it was brilliant but banks didn’t want to *confuse* customers by having the numbers in different places every time the ATM was used.

    I think with that method it would be pretty hard to tell which number someone was pressing just by watching their fingers though.

  • Uncle Geo

    Interestingly, there have been some solutions, most notably iris scanning, that are difficult to hack (and work better than other biometric solutions like fingerprint scanners).

    People, though, are squeamish about it (and maybe rightfully so -think Minority Report). There is no easy answer. Do we protect our biological identity or give it up to secure our money? We have a similar dilemma with terrorism which seeks to undermine our freedoms through fear. In the US after 9/11 the Bush administration made this decision for us.

    I’m grateful for the common sense solutions I’ve heard here that I never would have thought of!

  • Jack

    Chase has flashing green ATM card slots. Also, this kind of stuff mainly happens at non-bank ATMs. Like those machines outside of bodegas and other non-bank places. I’d recommend never using those.

  • Anonymous

    Heh, I love that in all of those comments, every one of you posted more and more invasive forms of stopping all of this. Not one of you mentioned the method that I’ve used for 16 years. Use cash. I haven’t had a bank account since 1994. I’ve been perfectly fine.

  • _wsh

    The problem isn’t with ATMs, guys…it’s with permanent tokens in general. The way to solve this is with a card-based OTP (or even SecurID-style token) in addition to your PIN.

  • Buk

    Personally I don’t know why anyone even uses ATMs. I haven’t used an ATM in about 10 years. My debit card and/or credit card is accepted everywhere I go. I see no need to carry any cash. Sure there’s those odd times when I buy something under a dollar. But they are far and few between. The business still accepts my card even when they are losing money due to processing fees. They know I’ll be back and spend more next time. I even pay for pizza delivery via debit card on the phone when I order and include the tip. I can’t think of a single time in those past 10 years when I actually needed cash for anything.

    • Courtney

      I use the ATM (at my bank) to deposit random checks – credit card rebates, birthday/christmas, work reimbursements, etc about 10 times more than for getting cash.

  • solstone

    An easy security measure to use, which I have been in the habit of for years now, is to pretend to push a much longer series of buttons when entering your pin while only actually pressing the buttons for your pin itself. This way even if they have skimmed the card they don’t have a pin to use (at least if you are doing it right, since it will be really difficult for the little camera to determine when you were actually pressing and when you were just moving your finger over the button). I usually do a varying pattern of about 10 or 12 numbers, of which only four are the actual pin of course. It takes a little getting used to, but now that I am in the habit I don’t even think about it.

    That said, if it looks like an ATM has been tampered with I won’t go near it.

    • technogeek

      I’ve been combining fake keystrokes and keying with one hand held over the other for a long time. A good reason to continue that practice.

    • Anonymous

      This will be defeated with a sound recorder. Most ATMs beep when you press the keys.

      • misterfricative

        True, but on the ATMs I use, the beeps don’t correspond to when I hit the keys; they come back at me with a delayed randomized rhythm all of their own. Which I actually find really off-putting. It’s like trying to play the harmonium or trying to speak with a half-second delay of your own voice being piped back to your ears.

    • Anonymous

      In my opinion the best thing to do is use ATMs that are indoors, like in a shop. They’re far less likely to get set up for skimming because of the risk of cameras and such.

  • knoxblox

    Just once, I’d like to find one in the wild so I could pull it off, stomp on it, and leave it as an example for the ATM thieves.

  • fartle

    At least they didn’t exclude the blind from being scammed :)

  • Anonymous

    @knoxblox if you ever do find one, please don’t make it as easy for the thieves to get away as you suggest doing.

  • Nylund

    Could this problem be solved by using chip and PIN technology for ATMs? I mean, in non-US countries since the US doesn’t seem to have any inclination of updating their technology like everyone else.

    • Anonymous

      Chip and pin has been broken…

    • gollux

      Read up on the various ways chip and PIN has been circumvented. If there’s a way, it will be broken or circumvented.

      • Jonathan Badger

        Well obviously. Chip & Pin were losers. Fish & Cushion, now…

        • solstone

          Mitchell & Webb FTW!

  • hndspn

    Here is an extensive post on ATM skimming operations uncovered in Australia and New Zealand >> http://aeonics.blogspot.com/2009/08/scamwatch-how-to-spot-rigged-atm.html

  • Anonymous

    solution: go inside a bank and deal with a meat-based ATM unit.

    • Antinous / Moderator

      go inside a bank and deal with a meat-based ATM unit.

      But check for the nictitating membrane.

    • Anonymous

      hahaha! that’s hilarious!

  • ginatrujillo

    Honestly couldn’t say that I would notice this thing. It looks just like any other card reader, in fact, because of the little diagram attached I would be more inclined to thinking it was the real one out of the two.

    It is pretty scary when you think about it. Just imagine how many identities could be stolen in a single day at a busy ATM and nobody would be the wiser. I am in the process of getting my California real estate license, so I really can’t afford to be robbed at this point! lol

    Not that anyone would be happy about it!

  • LiudvikasT

    Unfortunately there’s nothing much you can do, except for not going to desolate ATMs and demanding money back from the bank when you happen to become a victim.

  • Anonymous

    ATMs here, down in the great South, use 5 randomized combos of two numbers, in no particular order, on-screen when asking you to type your PIN.

  • Anonymous

    Just today I was withdrawing a large chunk of cash from an ATM. As I was withdrawing the cash I looked around carefully to see if I was being followed, I inspected the card slot, gave it a strong pull, then I inserted my card (with chip), covered the keypad with both my hands and with many, many ‘false’ moves of my hands I blindly typed my pin. I took my printed receipt with me. I always do it that way. As I was going through my routine I was thinking whether I was being a little bit too paranoid or not.
    It looks like you cannot be careful enough.

  • Anonymous

    Anon delivers. Just go inside a bank. The only sure way.

  • Jonathan Harford

    I’d be able to tell, but only because that braille reads “GOT UR CASH SUCKA”