ATM skimmer that doesn't require any modifications to the ATM

Brian Krebs reports on a new wrinkle in ATM skimmer design: if the ATM is in its own lobby, crooks can steal your card number and PIN without ever touching the ATM. Instead, they attach the skimmer to the door-lock (you know those doors that only open if you swipe your card?) and then use a hidden camera to record you keying in your PIN. Clever, in a horrible way, especially since ATMs in their own lobby feel more secure.

On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an "Out of Order" sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right...

The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.

The camera used in this attack retails for about $150, can record up to 2 GB (about two hours' worth) of video, and runs on a rechargeable lithium ion battery.

ATM Skimmers That Never Touch the ATM


  1. I’m not sure I understand… aren’t there cameras in ATM lobbies that belong to the banks? Can’t they get the jerks who are setting these things up on camera, or at least be alerted to the fact that there’s been some tampering done?

    Maybe it’s too difficult to go through the footage and separate possible tamperers from clients.

  2. The banks in Toronto have long since removed the exterior door locks to their ATM lobbies, because they were so easily compromised. I can’t remember the last time I saw a card lock on an ATM lobby door.

  3. Never use your bank card to get access. The door readers are not tied into the bank system and you can simply scan anything with a magnetic strip to get in, even gift or gym membership cards.

  4. A couple of years ago my roommate and I decided to try out different cards on the ATM lobby close to our apartment – turns out just about anything with a mag stripe would unlock the door – library card, AmEx gift card, driver’s license, old shopper’s club card – seemed it was more that a stripe was swiped than anything else.

  5. as has been pointed out – CCTV wtf?

    You’d think that having had this done multiple times someone would be checking the security tapes more often, or are the cameras just insurance theatre? ie the bank would be held liable for thefts if it didn’t have CCTV installed.

    1. I have heard from people who work in real estate that CCTV recordings, in the US at least, aren’t usually admissible in court as evidence because the quality is so low. They’re mostly a deterrent.

  6. Easy fix here (for the odd door that still has the lock, as chortick points out, they’re disappearing)…

    Anyway, easy fix is to use one card in the door and a different one at the machine. I have 3 different bank cards, all with different pins, so never swipe the door with the card you’re about to use in the machine.

  7. All those ATMs, there’s really little chance that the guy monitoring 50 or more cameras will notice people jiggering one ATM. So like other security cameras somebody might look at the tape AFTER a crime is committed, but there’s little chance that they’re going to PREVENT any crime.

  8. Simple way to guard against most skimmers: Operate the keypad under cover of the other hand (or a sheet of paper, or whatever), by touch. Preferably with a few false entry-gestures to further confuse matters.

  9. As pointed out earlier, any card with a magstripe will do for most ATM door locks. I’ve heard that some locks in NYC have been upgraded to be more sensitive, looking for credit cards, specifically because people were using MetroCards to get in and sleep in the ATM rooms on winter nights.

    That being said – I always use my MetroCard to get in, because my MetroCard is more accessible than my debit card. Swipe MetroCard to get entry, then deal with fumbling around for my debit card in the warmth/”safety” of the ATM room.

  10. I’ve never seen an ATM lock door that would require you to key in your PIN. It seems that would be an extremely stupid design: using the same password for two things of vastly different sensitivity. A bit like using the same password you use for home banking for posting comments on BoingBoing or accessing a porn site.

  11. As others have pointed out, it’s not the card but the stripe that does the unlocking most of the time. I’ve used MetroCards, CharlieTickets, store rewards cards, a Las Vegas transit pass…and have never had a problem opening any of the ATM lobbies I’ve used.

    (I’ve been doing that for years, too; I always assumed those door locks were skimmers, and acted accordingly.)

  12. My husband was a banker at a branch that was inside a grocery store. They discovered that all five of the card swipers they have on the counters that they use to verify who you are and access your account had been tampered with and were recording and transmitting card numbers and pins. The ones on the counter! “Hello, welcome to Acme Bank. Please swipe your card and enter your pin.” It had never occurred to the bank officials to remove the swipers at the end of the day when the bank closes up (6pm) but the grocery store is still open (10pm.) The “security” gate closed to the counter but these were left on the other side of the gate. Sometimes I feel we almost make it too easy for criminals.

  13. Americans should just give up and follow the rest of the world. Quit using those easily copied magnetic stripes and switch to smart chips.

    1. Except those ‘smart chips’ don’t do anything to prevent fraud, and are merely a way for your bank to shift blame and responsibility to you once you’re victimized.

  14. Please remember these are the banks we’re talking about here… as far as they’re concerned, they will always try and blame the customer first alleging that you must have lent your card and PIN to a family member or close friend… anything else would require an admission from them that their own security was carp…

    and as for those claiming that chip and PIN would solve it, it won’t… the chip and PIN security is carp as well and can easily be falsified by having devices that fake a yes response to the challenge or other devices that can clone the chip on a card and then the cloned chip can fake a correct reply…

    To put it bluntly, the security is completely FUBAR and has been designed with the stupid assumptions that crackers haven’t got the resources to crack the crypto and that it was sufficient for the chip on the card to simply provide a yes or no answer…

  15. As #1 pointed out so astutely, HOW IN THE HELL ARE THEY NOT CATCHING THIS BEFORE IT HAPPENS? Presumably they have cameras that the thieves would not be able to access or block that would very easily catch someone tampering with locks, placing cameras ON THE CEILING, etc.

    Is it just that they don’t have a security person reviewing them until after the fact? Perhaps they need to do what museums do and employ 24hr security services to monitor a feed.

    This has become a widespread enough problem that we as customers should be demanding better security from our banks, particularly ones that have already been compromised previously.

  16. I’d love to find out what camera they’re using. Presumably it only records when there’s motion, and I can think of lots of uses for that, such as recording the racoons that keep sneaking in through our cat door.

    I don’t imagine anyone has a theory?

    1. The ad shown in the linked article calls it a “Micro DVR with built-in camera”, which runs continuously for up to two hours on a charge.

      Googling the model number yields prices in the $150 to $250 range (with an “MSRP” listed at $500 – clearly the folks are going after law-enforcement budgets). Google “micro dvr” and you can find what appears to be the same thing at Amazon for $30.

  17. I have a fix: banks educate their customers about this threat, and if they can get even a fraction of a percent to always check for skimmers/cameras it would make a huge difference. Then, to make the risk too high for thieves, customers alert the bank or the police who, instead of simply removing the skimmer, stake it out (for at most a couple of hours it sounds like) and grab the criminals when they come to retrieve their device. The second part sounds so simple but for some reason I doubt most police departments are doing it.

  18. I protect myself from this and other forms of identity theft by having no money in the bank and a terrible credit score. No one is getting their hands on my no-money!

  19. I’ve just quit using an ATM card altogether. I had a checking account back in the days before ATMs, and I’ve returned to using my account the way I did then. When I need cash, I walk into the bank and write a check for it.

  20. Aside from the obvious things you can do to protect yourself from this scam, one thing that is often overlooked is that when you’re entering your PIN, you should intersperse every legit keystroke with a fake keystroke in which you don’t actually press the button enough to register, but which from the camera’s POV will look like you pressed the key. So anybody playing back the tape won’t know which keypress was legit and which you faked. Add in two or three fake keystrokes between each legit one and you’ve got the makings of a PIN that’s all but impossible to guess.

    Oh, and I always sidle up real close to the keypad and hunch over it to prevent cameras (and people) from getting a good look. I’m surprised so few people think of that.

    1. A fine strategy, kmoser, except for the fact that the ATM screen helpfully displays an asterisk for every actual keypress.

      1. Not to mention that newer skimmers actually intercept the keypad itself and do not rely on a camera anymore. So all the trickery with fake keypresses, hunching over the pad etc. is useless if you do not spot the compromised keypad.

  21. i reported a suspicious atm to the cops last month which had a piece of cardboard taped over a broken plastic screen.

    one sentence one of the police said was a pretty unforgettable joke for me: “no, skimming looks different” (skimming sieht anders aus).

    yes, i thought. you nailed it, that’s the point.


    p.s.: advice to skimmers: make it look like an unfinished repair of a vandalized atm. use atms in the main branch office building. use cardboard that has the brand name written on it. advice to any reader: the reaction of my bank and police have turned me into a sarcastic bloke.

  22. Here in the UK, my local banks stopped using card-activated lobby doors some years ago, presumably for just this reason.

  23. Dirty little secret of the banking industry (and many industries): Sometimes it’s cheaper to accept the cost of reimbursing the customer rather than prevent the loss.
