Sales pitch from an ATM-skimmer vendor

Brian Krebs tracked down a black-market retailer of mobile-phone-based ATM skimmers that capture your PIN and transmit it to fraudsters over the GSM network. The vendor gave him the whole sales pitch for the efficiency and safety (for the criminals) of GSM-based skimmers. It's a fascinating read, unless you use ATMs, in which case it's a terrifying one.

> So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.
>
> And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer - you lose equipment, and tracks, and money.
>
> That's not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.

Why GSM-Based ATM Skimmers Rule

  1. This is scary … I have been aware of this issue for some time now … but I have not seen this level of sophistication yet …

    Just last week at the ATM, I wiggled at the parts (keyboard and such) to make sure it is not an add-on … but that actually drew the attention of the security guy …

    So, what can one do? My best bet still is to select ATMs where people cannot easily attach extra parts (then again, throw on a uniform of sorts and nobody will question you if you are really there for maintenance)

  2. Every time we have an ATM skimmer post, we get spam from people selling ATM skimmers. They’re not the slightest bit secretive about it.

  4. One is wondering if the original copyright holder of those ATM skimmer “manual” videos is going to use the DMCA to take them down…

  5. Umm hello, $50 fix here… an arduino-based GSM signal detector. Banks mount it inside the atm between the keyboard and card slot. Even a person with a cell phone will have a weaker signal than a device 2 inches away, transmitting. Not that effen hard to figure out.

    1. “Umm hello, $50 fix here… an arduino-based GSM signal detector. Banks mount it inside the atm between the keyboard and card slot.”

      but that would require the banks spending money kitting out ATMs with this kit… it would affect their profits… can’t have that!!!

      don’t forget, the first thing they do when you report an unauthorised transaction is to accuse YOU of being slack with your card and pin…

      fitting skimmer detectors would be admitting there’s a problem…

      1. haha, you’re on the money. The customer is always right, EXCEPT when you are a bank customer. Two years ago, I deposited a check at my bank and got cash back. Two days later my statement has another $100 charge on it. I call the branch manager and she says the teller tacked on another $100 because she THOUGHT she handed me an extra Franklin. I said hell no, I got what I wrote on my slip and that’s IT, check your ^(&*$^% video feed. I even called HER boss, whom I know, to complain about that garbage. They insisted that I show them the paper receipt I got that day. Luckily I still had it. They checked their tapes. And fired that teller. Jesus. Effin BANKS. Even banks you’re a customer at for 20 years…. I retract my $50 statement. There is no solution to this except to fire all the banks. Why is WikiLeaks taking so freakin LONG???? Release the BofA stuff already!!

    2. You are making the false assumption that banks actually care about stopping skimming and/or protecting their customers (either fiscal or data).

      Protection costs money. The customer’s money. Not the bank’s.

    3. Umm hello, $50 fix here… an arduino-based GSM signal detector. Banks mount it inside the atm between the keyboard and card slot. Even a person with a cell phone will have a weaker signal than a device 2 inches away, transmitting. Not that effen hard to figure out.

      It’s even easier to figure out that 5c of shielding will make your fix wholly ineffective.

  6. So… the police will sit and watch people have their card info stolen while they wait for the skimmers to return for their gear?

    1. For non-GSM skimmers, that’s reasonable — the criminals don’t have the info until they physically retrieve the skimmer.

      1. For non-GSM skimmers, that’s reasonable — the criminals don’t have the info until they physically retrieve the skimmer.

        I’m not certain that it is reasonable. Even with a store-and-retrieve device, my data is being captured unnecessarily. A lot of people along the chain of evidence are now going to get access to my information who otherwise would not have, and I am uncomfortable with that happening when it can be prevented.

        The police could disable the storage mechanism before the stakeout, perhaps, but I’d be happy with a simple warning being given to the cardholders after using the machine. I just don’t find any indication of that happening.

    2. The point is that they can do so with a normal skimmer which stores the data for later retrieval, as once the guy returns to collect it they arrest him and take it as evidence, but if they don’t realise that it’s a GSM one they can be sitting there eating donuts and waiting all day in vain for the guy to return, while people’s details are still successfully stolen without their knowledge.

      1. Why the hell can’t the bank see them installing these in the first place? I thought they all had security cameras. And how about putting a flat plate up around the card slot and keyboard that blocks anything from being attached and makes any attempt to glue or bolt something on look obvious?

  7. Criminals certainly seem to be becoming very sophisticated. The technological war seems about even at the moment, but what happens if the criminals win?

    John

  8. One has to wonder if ATM skimmer equipment vendors accept credit cards for sales transactions or not. Obviously if you were in the market for stuff like this, you would not be coming out of (your own) pocket for stuff like this.

  9. I gotta say, that spam website has some decent deals… I wonder how bad a $78 suit really is…. very tempting.

    1. Good news: It’s made of quality craftsmanship and excellent cloth.
      Bad news: They use little people as midgets, the suits are made only for children.

        1. Models. I totally said models there, the internets messed up.

          Or something.

          I too use little people as midgets as well, you are entirely correct sir. It’s really the only way.

  10. Don’t use ATMs, people. Just make a habit of getting cash out when you use your card to pay for groceries, etc. It’s worked for me for the last 8 years.

  11. “Criminals certainly seem to be becoming very sophisticated. The technological war seems about even at the moment, but what happens if the criminals win?”

    If they are any kind of smart, they have already won. There has got to be a pain point where the banks would “do something” and as long as the skimmers stay just below that (I am certain very lucrative) threshold, this will go on forever.

    The perfect example of this is the fact that the airlines flat out refused for years to install armored cockpit doors on passenger planes. The pain point? 911. Look what that got us into … yeesh.

    The moral of the story? Today’s profit is today’s profit, screw tomorrow.
