Commercially available ATM skimmers

Brian Krebs continues his excellent series of posts on ATM skimmers, this time with a report on the state of the art in commercially available artisan-crafted skimmers that can be bought through the criminal underground (accept no imitations!):
Generally, these custom-made devices are not cheap, and you won't find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro -- shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card's magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest direct on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

ATM Skimmers: Separating Cruft from Craft


  1. How do you attach the skimmer without the security camera seeing you?

    (I know I know – trade secret!

    (In other news, an Australian initiative, IIRC, to reduce LEGAL skimming from POS transactions, on cards, was quietly absorbed by retailers, who did not lower their prices for consumers..;)

    1. Camera doesn’t help – they can just install them in the middle of the night while wearing a mask. Nobody looks at security tapes until after they’ve realized something is wrong.

      Problem is, the bloody things look real enough that they can stay installed for some time without anyone noticing.

  2. Time for a tech update? RFID on cc? Is the magnetic stripe on the way out? Hrmm.
    I know.. We can make them blu-ray compatible.

  3. I always inspect the machine, but I was looking for a camera, I had never heard of pad overlays.

    Chip and pin may help, but here in the UK that has been cracked more than once. A line of garages was targeted and “engineers” replaced many of their c&p readers with dodgy versions, the whole chain had to switch back to signatures for several months.

  4. There is a technology that surpasses the common mag stripe, Citicorp used it extensively during the 1980’s; it’s the “Magic Middle” which uses a series of metal bits laminated between the CC or Debit card layers. The pattern is unique to the master account to which the card is linked, the number sequence the pattern represents is huge, on the order of 4k bytes, and is encrypted prior to transmission upline for verification and authentication of the card and the linked access code or PIN. (aka “cracking Magic Middle”)

    The card reader is essentially a sequence magnetometer which evaluates both the bit position and relative field strength reading of each bit. This could be improved with the addition of a unique holographic image, and/or making the bit pattern an array, rather than a simple sequence. (Patent Pending!)

    This technology is vastly more secure than mag stripe and prevents the skimmers from doing anything like what we’ve been seeing.

    I expect this could replace the mag stripe in a very few years..providing of course there is some substantial fiscal reward for the patent holders to do so!

Comments are closed.