ATM skimmer that doesn't require any modifications to the ATM


30 Responses to “ATM skimmer that doesn't require any modifications to the ATM”

  1. Anonymous says:

    I’ve never seen an ATM lock door that would require you to key in your PIN. It seems that would be an extremely stupid design: using the same password for two things of vastly different sensitivity. A bit like using the same password you use for home banking for posting comments on BoingBoing or accessing a porn site.

  2. ckd says:

    As others have pointed out, it’s not the card but the stripe that does the unlocking most of the time. I’ve used MetroCards, CharlieTickets, store rewards cards, a Las Vegas transit pass…and have never had a problem opening any of the ATM lobbies I’ve used.

    (I’ve been doing that for years, too; I always assumed those door locks were skimmers, and acted accordingly.)

  3. PDXgirl says:

    My husband was a banker at a branch that was inside a grocery store. They discovered that all five of the card swipers they have on the counters that they use to verify who you are and access your account had been tampered with and were recording and transmitting card numbers and pins. The ones on the counter! “Hello, welcome to Acme Bank. Please swipe your card and enter your pin.” It had never occurred to the bank officials to remove the swipers at the end of the day when the bank closes up (6pm) but the grocery store is still open (10pm.) The “security” gate closed to the counter but these were left on the other side of the gate. Sometimes I feel we almost make it too easy for criminals.

  4. foop says:

    Here in the UK, my local banks stopped using card-activated lobby doors some years ago, presumably for just this reason.

  5. Nivalsj says:

    I have a fix: banks educate their customers about this threat, and if they can get even a fraction of a percent to always check for skimmers/cameras it would make a huge difference. Then, to make the risk too high for thieves, customers alert the bank or the police who, instead of simply removing the skimmer, stake it out (for at most a couple of hours it sounds like) and grab the criminals when they come to retrieve their device. The second part sounds so simple but for some reason I doubt most police departments are doing it.

  6. dainel says:

    Americans should just give up and follow the rest of the world. Quit using those easily copied magnetic stripe and switch to smart chips.

    • jungletek says:

      Except those ‘smart chips’ don’t do anything to prevent fraud, and are merely a way for your bank to shift blame and responsibility to you once you’re victimized.

  7. Anonymous says:

    i reported a suspicious atm to the cops last month which had a piece of cardboard taped over a broken plastic screen.

    one sentence one of the police said was a pretty unforgettable joke for me: “no, skimming looks different” (skimming sieht anders aus).

    yes, i thouhgt. you nailed it, that’s the point.


    p.s.: advice to skimmers: make it look like an unfinished repair of a vandalized atm. use atms in the main branch office building. use cardboard that has the brand name written on it. advice to any reader: the reaction of my bank and police have turned me into a sarcastic bloke.

  8. manicbassman says:

    Please remember these are the banks we’re talking about here… as far as they’re concerned, they will always try and blame the customer first alleging that you must have lent your card and PIN to a family member or close friend… anything else would require an admission from them that their own security was carp…

    and as for those claiming that chip and PIN would solve it, it won’t… the chip and PIN security is carp as well and can easily be falsified by having devices that fake a yes response to the challenge or other devices that can clone the chip on a card and then the cloned chip can fake a correct reply…

    To put it bluntly, the security is completely FUBAR and has been designed with the stupid assumptions that crackers haven’t got the resources to crack the crypto and that it was sufficient for the chip on the card to simply provide a yes or no answer…

  9. HaltingPoint says:

    As #1 pointed out so astutely, HOW IN THE HELL ARE THEY NOT CATCHING THIS BEFORE IT HAPPENS? Presumably they have cameras that the thieves would not be able to access or block that would very easily catch someone tampering with locks, placing cameras ON THE CEILING, etc.

    Is it just that they don’t have a security person reviewing them until after the fact? Perhaps they need to do what museums do and employ 24hr security services to monitor a feed.

    This has become a widespread enough problem that we as customers should be demanding better security from our banks, particularly ones that have already been compromised previously.

  10. Anonymous says:

    I’ve just quit using an ATM card altogether. I had a checking account back in the days before ATMs, and I’ve returned to using my account the way I did then. When I need cash, I walk into the bank and write a check for it.

  11. technogeek says:

    Dirty little secret of the banking industry (and many industries): Sometimes it’s cheaper to accept the cost of reimbursing the customer rather than prevent the loss.

  12. kmoser says:

    Aside from the obvious things you can do to protect yourself from this scam, one thing that is often overlooked is that when you’re entering your PIN, you should intersperse every legit keystroke with a fake keystroke in which you don’t actually press the button enough to register, but which from the camera’s POV will look like you pressed the key. So anybody playing back the tape won’t know which keypress was legit and which you faked. Add in two or three fake keystrokes between each legit one and you’ve got the makings of a PIN that’s all but impossible to guess.

    Oh, and I always sidle up real close to the keypad and hunch over it to prevent cameras (and people) from getting a good look. I’m surprised so few people think of that.

    • Boondocker says:

      A fine strategy, kmoser, except for the fact that the ATM screen helpfully displays an asterisk for every actual keypress.

      • Anonymous says:

        Not to mention that newer skimmers actually intercept the keypad itself and do not rely on a camera anymore. So all the trickery with fake keypresses, hunching over the pad etc. is useless if you do not spot the compromised keypad.

  13. Candice says:

    I protect myself from this and other forms of identity theft by having no money in the bank and a terrible credit score. No one is getting their hands on my no-money!

  14. Boondocker says:

    I’m not sure I understand… aren’t there cameras in ATM lobbies that belong to the banks? Can’t they get the jerks who are setting these things up on camera, or at least be alerted to the fact that there’s been some tampering done?

    Maybe it’s too difficult to go through the footage and separate possible tamperers from clients.

  15. chortick says:

    The banks in Toronto have long since removed the exterior door locks to their ATM lobbies, because they were so easily compromised. I can’t remember the last time I saw a card lock on an ATM lobby door.

  16. Anonymous says:

    Never use your bank card to get access. The door readers are not tied into the bank system and you can simply scan anything with a magnetic strip to get in, even gift or gym membership cards.

  17. pupdog says:

    A couple of years ago my roommate and I decided to try out different cards on the ATM lobby close to our apartment – turns out just about anything with a mag stripe would unlock the door – library card, AmEx gift card, driver’s license, old shopper’s club card – seemed it was more that a stripe was swiped than anything else.

  18. a_user says:

    as has been pointed out – CCTV wtf?

    You’d think that having had this done multiple times someone would be checking the security tapes more often, or are the cameras just insurance theatre? ie the bank would be held liable for thefts if it didn’t have CCTV installed.

    • Anonymous says:

      I have heard from people who work in real estate that CCTV recordings, in the US at least, aren’t usually admissible in court as evidence because the quality is so low. They’re mostly a deterrent.

  19. wrybread says:

    I’d love to find out what camera they’re using. Presumably it only records when there’s motion, and I can think of lots of uses for that, such as recording the racoons that keep sneaking in through our cat door.

    I don’t imagine anyone has a theory?

    • howaboutthisdangit says:

      The ad shown in the linked article calls it a “Micro DVR with built-in camera”, which runs continuously for up to two hours on a charge.

      Googling the model number yields prices in the $150 to $250 range (with an “MSRP” listed at $500 – clearly the folks are going after law-enforcement budgets). Google “micro dvr” and you can find what appears to be the same thing at Amazon for $30.

  20. turthalion says:

    Easy fix here (for the odd door that still has the lock, as chortick points out, they’re disappearing)…

    Anyway, easy fix is to use one card in the door and a different one at the machine. I have 3 different bank cards, all with different pins, so never swipe the door with the card you’re about to use in the machine.

  21. Anonymous says:

    OR, OR, OR, I could hide all of my money in a shoebox under my bed–or use ING.

  22. Anonymous says:

    All those ATMs, there’s really little chance that the guy monitoring 50 or more cameras will notice people jiggering one ATM. So like other security cameras somebody might look at the tape AFTER a crime is committed, but there’s little chance that they’re going tp PREVENT any crime.

  23. technogeek says:

    Simple way to guard against most skimmers: Operate the keypad under cover of the other hand (or a sheet of paper, or whatever), by touch. Preferably with a few false entry-gestures to further confuse matters.

  24. Anonymous says:

    This happened to my wife about eight years back, so it’s not exactly new, I think.

  25. sadpanda says:

    As pointed out earlier, any card with a magstripe will do for most ATM door locks. I’ve heard that some locks in NYC have been upgraded to be more sensitive, looking for credit cards, specifically because people were using MetroCards to get in and sleep in the ATM rooms on winter nights.

    That being said – I always use my MetroCard to get in, because my MetroCard is more accessible than my debit card. Swipe MetroCard to get entry, then deal with fumbling around for my debit card in the warmth/”safety” of the ATM room.

Leave a Reply