ATM skimmers: man, these things are scary

Brian Krebs continues to scare the pants off of me with his ongoing series on sophisticated ATM skimmers (devices that capture your card number, working with a hidden camera to catch your PIN). His slideshow of next-gen skimmers has me convinced that there's no way I'd notice a skimmer on an ATM that I was using: "According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said."

ATM Skimmers, Part II


  1. At this point, I really think that what we need is a geotagged database where banks (and only banks) can upload pictures of their ATMs including close-ups of the areas around the card reader. That way people can pull it up on their iPhone. It won’t make this impossible, but it would make it tougher.

    Also banks should seriously consider moving to some more “shoulder-surfing”-proofed methods of PIN entry. There was a good one presented in a research paper a few years back where to enter a digit, the user was presented with a screen which showed the 10 digits and they were each colored black or white. After each button press, the pattern changed. To identify a digit, the user would simply press the black or white button appropriately four times. This would require observing both the screen and the user’s hand movement. Plus with only two buttons, the user could simply put one hand on each button, so it would be tougher to see which was being pressed at a given time (although they didn’t evaluate that possibility in the paper).
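A sketch of the black/white entry scheme described in the comment above, added here as an example and not taken from the comment or the paper it mentions. The even-split colouring rule and all function names are assumptions. It shows the terminal recovering each digit from four presses while the presses alone differ from run to run.

```python
import random

DIGITS = "0123456789"

def make_colouring(candidates, rng):
    """Colour all ten digits, splitting the still-possible ones as evenly as possible."""
    pool = sorted(candidates)
    rng.shuffle(pool)
    black = set(pool[:len(pool) // 2])
    for d in DIGITS:                      # ruled-out digits get a coin-flip colour
        if d not in candidates and rng.random() < 0.5:
            black.add(d)
    return {d: "black" if d in black else "white" for d in DIGITS}

def enter_digit(press_for, rng, rounds=4):
    """Terminal side: four colourings, four presses, one digit left."""
    candidates, presses = set(DIGITS), []
    for _ in range(rounds):
        colouring = make_colouring(candidates, rng)
        press = press_for(colouring)      # the only thing the keypad ever sees
        presses.append(press)
        candidates = {d for d in candidates if colouring[d] == press}
    (digit,) = candidates                 # 10 -> 5 -> 3 -> 2 -> 1 at worst
    return digit, presses

def enter_pin(pin, rng):
    """Simulate an honest user who presses the colour shown for each PIN digit."""
    decoded, transcript = "", []
    for secret in pin:
        digit, presses = enter_digit(lambda c, s=secret: c[s], rng)
        decoded += digit
        transcript.append(presses)
    return decoded, transcript

if __name__ == "__main__":
    # Seeded for a repeatable demo; a real terminal would use a CSPRNG.
    rng = random.Random(2010)
    print(enter_pin("4071", rng))         # constructed sample PIN
```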

  2. Remember when skinning your applications was all the rage? Make WinAmp look just exactly like your stereo system?

    Well take it to a new remunerative level. Use your Tek Skillz to rip off the rubes!

  3. It’s not only the bank ATM machines that form a security risk.
    Criminals have been known to lock themselves in overnight in a supermarket to rig the machines at the check out counter.
    There are even instances where they have set up a complete shop only to steal your card data.

    So every time you stick your card into any machine, it’s a security risk.

  4. It is so scary how the more advanced we become, the more advanced our crooks become. I have been ripped off at an ATM machine probably using something exactly like that! It is so hard to tell. Now I only draw money from the teller at the bank… much more inconvenient, but safer I think!

  5. I just hold my wallet over my other hand while I type my PIN in. Even if there is a skimmer, they won’t get the PIN.

    1. Argh! Just seen the keypad overlay devices that capture the pin without a camera. Time to be more vigilant…

    2. @Nermal: That won’t help. Many of the pictures in the link were of fake number pads which overlaid the original number pad and recorded your button pushings. No need for a camera.

      I’m assuming that the ones on the bank’s own property, e.g. in the anteroom of the bank, are safer than random ones on street corners or supermarkets? Are there any statistics on this?

      1. Maybe, maybe not. One of the skimmers in that slideshow was the magstripe reader you have to slide your card through to get into the bank’s ATM vestibule after hours.

  6. I don’t worry about it anymore. If I need cash, I go to a machine located physically inside a bank branch where (presumably) there is a lower chance of a skimmer being installed than at one located outside the branch or in another location. Mostly though, I just use a credit card to pay everywhere, and then pay it off at the end of the month.

    1. Or at least, use the same machines for all your ATM withdrawals. That way, you are more likely to notice when your machine looks “funny.”

  7. If your card gets skimmed it doesn’t read it into the machine right?

    If this is the case, swipe your card and nothing happens, time to start pulling on panels.

    1. Umm, no…

      Card skimmers read the card as they slide through into the ATM. Your card gets read twice, first by the skimmer and then by the ATM.

      They essentially are keyloggers, something you won’t discover on your computer for exactly the same reason. Unless you look for it.

  8. Damn it Cory, you’re making me more paranoid! It’s bad enough I get funny looks for tugging on the various parts of the ATM (to make sure they aren’t skimmers), now I have to be wary of the key pad too?

  9. Until recently, the only ATM I used was in the lobby of a big company, next to the guard desk. It was out of convenience with the added bonus of reduced chance of mugging. Maybe I should go back to using it to avoid skimming.

  10. The solution is out of our hands.

    We need to have cards that cannot be duplicated by passing through a reader; a true “what you have” identifier. Smart chip cards have a private key that NEVER leaves the card; the message is “signed” inside it.

    Replacing mag-stripe readers across the US is a HUGE issue, and the parties that Could encourage it are not motivated. They are only motivated to shift the liability/losses away from themselves.

    I think it would be sweet if, while they were replacing the mag-stripe readers, they replaced the receipt printers to put the “receipt” in an XML file on the smart card to import into Quicken. Unfortunately smart cards are 64K (yes, not meg or gig?!) so without moving to something like an IronKey, completely new technology is necessary.

  11. Maybe it’s time to do away with gray soul destroying plastic? If each ATM had a hand painted mural on it at least the skimmers would have a worse time getting the lines to match up right.

  12. I’ve got a chip card that they assure me is skim-proof, but only if the ATM or debit reader is chip-enabled. They seem to be rolling it out in stages here in Canada, as almost all merchants have had chip readers in my town for several years now, but as soon as I’m in another town, I get comments about my fancy “new” chip card when store clerks see the chip.

    Anyhoo, there was an issue here with some of the remaining mag-stripe readers. Somehow, some criminal geniuses had managed to swap out one or two debit machine key pads with one that was wi-fi or bluetooth enabled. All they had to do was pull into the parking lot of the store whenever they felt like it, and download the data.

    1. If your browser has Flash disabled, Brian Krebs’ site serves up an alternate non-Flash display of the images. Which increases my already immense respect for him.

  13. I prefer to use my debit card to get cash back after purchases at my neighborhood grocery store. No ATM fees, no risky withdrawals in weird places, no skimming my card.

  14. I think these ATM-skimmers were first used here in Brazil

    And so, my Brazilian bank not only has a smart-chip in the card (along with the Magnetic Strip), and your PIN, but also asks you to use the side-screen keypad to match two letters you assigned previously that appear at random places on the screen

    e.g.: if your code-letters are ‘A’ and ‘M’, on the screen you’ll see (the numbers are the side-screen keys):
    1=asd evu=5
    2=frt qwh=6
    3=zxc nom=7
    4=ipk lyb=8
    (and so on; randomly positioning 3-letters-groups at every logon)
    You’ll press side-screen keys 1 and 7

    Even if some camera records you pressing these keys, what are your 2 Code-Letters among ‘a s d m o n’?

    A third security measure (your choice to use it or not) is an LCD Key with randomly assigned 6-digit code when you press the button

    So, you have:
    – SmartChip Card
    – PIN – using the numeric keypad
    – two-letters-code – using the side-screen keypad
    – LCD Key – using the numeric keypad

    Just trying to outsmart the wise-guys. No easy task

  15. Re: the skimmer on the vestibule entry door. Decades ago I was curious if the vestibule door was tied to any authentication of the card, so I tried my campus ID, which opened the door. Since then I’ve always pulled out whatever card seemed least-likely to authenticate my access to the bank vestibule, such as a metro-card, store-loyalty program card, obsolete gift card, etc.
    My experience in Europe, UK, Canada, and the US is that there is never a need to use a valid debit or credit card to gain entry to the vestibule. You just need a card of the right size with a mag-stripe in the right place.

  16. Punch the ATM. Punch Punch Punch. Punch the slot, punch the keypad, punch the buttons. bwahahaha.

    No really, it’d work. But what I’m wondering is, what do you do when you find one of these devices? I don’t want any troubles with criminals, I don’t want any troubles with the law, and I’d feel slightly obligated to report the incident. But I’d love to take one of these apart.

  17. Along with the flying car, the obsolescence of the ATM is yet another thing that really should have happened by now.

    Thanks to debit cards, we are about there… I’ve been surprised more than a few times by businesses other than grocery stores willing to dispense cash when you transact with a debit card.

    One day soon, we can all declare ATMs history, and get our cash at the bank, or alongside other legit transactions. Not that those transactions are completely infallible, but, in the absence of 24/7 armed security, the factors are much more manageable than getting cash at an open-air money kiosk.

  18. @greenup:

    Asia’s had those chips for quite a while. I lived in Japan several years ago and they had them on everything then, and Taiwan has them, too. In fact, my friend’s credit card has a huge chip on it and a photo of her face right on the front of the card.

    Why is the US so far behind? There’s more money to steal in the US and everyone knows it, and in many parts of the world Mastercard and Visa distribute those very cards I’ve just described. It’s pitiful.

  19. I’ve been thinking lately of only getting cash directly from a human teller. I’m assuming it would be more difficult for a scammer to jump through the hoops needed to become a bank teller than it is to hack an ATM.

    Also, this would keep someone employed during a recession, and the greater difficulty of getting cash may end up influencing me to spend less.

    Thanks BoingBoing. Long time reader, first time poster.

  20. Because I’m so freakin’ paranoid and believe everything the secret service says, I’ve recently started to mine my own silver and only conduct transactions in museum-verified doubloons.

  21. The trend on ATMs around here seems to be a translucent, illuminated thing around the ATM card slot that sticks out. That way, you can see there’s nothing in it and makes it harder to attach skimmers.

    Chip cards seem to be rolling out more, but I’m not sure if they really prevent skimming, since I haven’t examined the crypto involved yet. But cards still have the magstripe on them, so until they replace them, you can still skim.

    Also, I don’t understand the need for the machine to draw the card inside it: If you had a normal mag swiper, you could look and see that there’s only one read head on it. (But you could just hook a skimmer up to that, or feed it back to the original still, I guess).

  22. Kids, your grandfather didn’t have no fancy card skimmers when I was growing up. Why I remember the days when stealing someone’s identity required a ballpoint pen, paper, and the time to copy down sixteen digits. And we liked it!

  23. Don’t know about US, but there are places around the world where old ATM systems are still in operation. While using these old systems you don’t have to swipe your card but just feed it into one slit and the ATM machine takes the card completely inside till the transaction is complete. Could it help to overcome the ongoing fraud with skimmers?

  24. It is extremely simple for the bank to counter this.

    1) the skimmers have to fit on top of the card slot. Have a few light sensors sprinkled around this area. If it’s completely covered with plastic, it will be dark all the time. Ring the alarm on HQ, show an “out of order” message on the screen, and block the card slot so that customers cannot push in any more cards (to prevent the skimmer reading any more numbers). In normal use, there’ll be some variation in lighting, especially when the customer pushes the card in, there’ll be some shadow on the sensors.

    2) Camera on the ATM machine. Snaps photos of people standing at the machine. Instead of only taking photos when customers insert a card, also take photos of people who touch the machine but do not insert a card. This will include the people installing the skimmer.

    3) Another camera snaps a photo of the ATM machine itself. The photo could be sent electronically back to HQ, so that they can check if it looks like what it is supposed to.

  25. Why don’t we have those security cards which produce a pseudo-randomly-generated number every time you push the button, valid for 30 seconds?

    Then the bank could link up to those numbers and

    1) you could use a 4-digit random number as your PIN, and

    2) you could use a 16-digit random number as your credit card number when making online purchases

  26. I just found one stuck on a Bank of America ATM outside of a souvenir shop in Washington DC. I wouldn’t have noticed anything wrong except there was a lot of resistance when inserting my card. I looked closely, thought maybe it was a skimmer (cuz I read this article) and so I pulled on the corner of the thing. It came off! Here’s a pic:
