ATM skimmers that fit in the card-slot

Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:

That’s according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region. In both reports, EAST said one country (it isn’t naming which) alerted them about a new form of skimming device that is thin enough to be inserted directly into the card reader slot. These devices record the data stored on the magnetic stripe on the back of the card as it is slid into a compromised ATM.

Another EAST report released this week indicates that these insert skimmers are continuing to evolve. Below are two more such devices. Insert skimmers require some secondary component to record customers entering their PINs, such as a PIN pad overlay or hidden camera.

ATM Skimmers Get Wafer Thin


    1.  Considering that these were found on ATMs, I’d say that it’s our reluctance to give up on physical currency that makes these devices a problem in the first place.

      1. I would counter that our reluctance to give up electronic forms of currency (which are inherently flawed, vulnerable to electronic hacking) makes these devices attractive to criminals.

        One good development I have seen is that my credit union’s new ATMs have a clear green plastic card scanner that lights up when being used… this lets you see that nothing has been added, modified or inserted to skim numbers.

        I got stung by a card scanner while driving through Oregon a few years ago… they don’t let you pump your own gas… and I didn’t get out of the car to watch the attendant. By the time I had returned to Northern California someone had passed on my numbers and made purchases somewhere in Southern California. Now I just take out enough cash to pay for gas and meals before I leave.

        1. You mean like this one?:

          Or this one?:

          Cash is a good idea.

        2. But you have to admit that we can’t just abandon electronic currency.  Physical currency can be lost, destroyed, or stolen, costs money to produce, and is horrible for long-distance transactions.  I think the answer lies in less fallible security.  Chipped cards, two-factor authentication via a mobile device, etc. 

          Note that when you got hit by the card scanner, it was not due solely to a flaw in the electronic currency, but also due to a flaw in the purchasing process: you literally handed the attendant everything he or she needed to make purchases against your card (not that that’s your fault, many vendors put us in this position on a regular basis).  If making purchases against your card required authorization via a temporary PIN — generated based on a security token on your phone, for example — the scan of your card would have been worthless.

        3. You think physical money is safer?? Keep $10,000 under your mattress and something happens to it (fire, theft) you are SOL. Keep $10,000 in the bank and it gets stolen electronically in most countries you are not liable and you can easily get the money back.

          1.  Yeah, try to get that $10,000 out of the bank during a blackout or true economic crisis and you’ll see the value of cash. Anyone who doesn’t have at least a month of living expenses in cash, in their home, will find themselves in a serious situation should the worst happen. Anybody who trusts banks 100% is a fool. The whole system is way more unstable than most people think. All it takes is one news item about a bank run and you will have mass panic. It’s happened already in Spain on a large scale.

          2. That’s why you should keep the $10,000 under your mattress in the form of gold bars.

            That way if it melts due to fire, it’s still gold. :)

      2. I suppose inkfumes could always go in and talk to the teller directly, but then he has to give up his information to a person who could just memorize it and sell it on the black market.  Nothing we do today would be considered safe if you are paranoid enough. 

    2. Cash has its inherent problems too. If you lose your card, you can get it invalidated. If you lose cash, no such luck. If you want to make a large value purchase, you’d have to carry large amounts of cash, which is more risky.

      And that’s to say nothing of the amount of money it costs to print it. All those security features, the technology, the highly intricate engraving… Doesn’t come cheap!

      I think electronic currency should be made more effective, instead of abandoning it.

      1.  Cash is king. I think society’s growing attitude towards replacing hard currency is a dangerous one. Say the cellular system goes down or there’s a blackout like the DC storm a few weeks ago – poof, all of a sudden you have nothing, no access to all the assets you’ve worked so hard for. You can’t even afford a sandwich after a few days.

        1. While electronic systems are obnoxiously fragile (I’m not bitter and in IT or anything), a pile of fiat currency may not be your best hedge against a serious systemic collapse (even a temporary and fairly localized one).

          Ye Olde contemporary supply chain is frequently efficient (but taut) enough that it isn’t as though there will be any sandwiches on the shelves surprisingly soon after a disruption occurs (nor, in businesses with electronic POS systems, will there necessarily be any employees willing and authorized to sell them to you).

          I prefer paying cash, when dealing in person, if only to reduce the Visa tithe extracted from the economy; but if I were hedging against any sort of disruption that takes down the electronics, I’d be much more confident with a supply of actually-intrinsically-useful nonperishable goods, rather than a stack of US Treasury Gift Certificates…

        2. The phrase “cash is king” refers to liquid assets (your checking account), not physical currency (under your mattress).

    3. ○  I’ve been mugged and had cash stolen.
      ○  The corner mailbox was raided and checks that I had mailed were stolen, erased and re-used.
      ○  I’ve experienced credit card fraud.

      Nothing is 100% safe, but cards are a lot easier and more flexible to use.

      1. In a modern setting, the second point should be replaced by somebody intercepting your internet banking. (Hasn’t happened to me yet, despite my bank being notoriously bad.)

    4. They just need to update the ATM machines to detect these things and make detection standard on most machines.  They already implement this technology, it just needs to become more widespread.

      1. For in-slot systems like this, I suspect that a mechanical engineer could come up with a modest modification to the card-eject mechanism that more aggressively shoves everything out of the card slot pretty quickly and easily…

        Getting something that will reliably perform a zillion cycles without jamming is why engineers are trained professionals; but having a little ejector ram that fills the entire card slot, expelling foreign objects, during the ejection phase isn’t conceptually tricky… (Nor, if you really have to have it solid state, would adding a cheapy webcam-style camera system, with IR illuminator, that continually inspects the card slot for foreign objects and automatically summons repair minions over the network if an anomaly is detected…)

  1. The best prevention is keeping as little money in your bank account as possible, and as little room on your credit card as possible. I’m golden. 

    1. I know you’re being humorous, but I sort of did something like this because I was tired of having my credit cards I use for my recurring bills jacked.  I have one credit card that I use for purchases that are “fishy,” with a one grand limit.  It’s the one I don’t mind handing to a waiter or using at a weird gas station.  I just pay it frequently.

        1.  They are, but it’s a pain to go to all the sites I have automatic recurring payments on and change the card or shuffle the payments around when they cancel the card and send me another.

          Now I have one only for recurring payments, one for things where I feel I might get ripped off and others with higher limits for buying where I feel like I might not get ripped off (although I know that’s entirely possible on any of them).

        2. It used to be fairly easy to make a claim for a fraudulent charge, but they’ve made it more complicated in the last half-decade or so. The last time that I had a problem, I had to receive, then fill out actual paperwork which I then had to mail back to the card company. Probably a lot of people won’t bother doing that for a small fraudulent charge.

  2. The problem lies more with these vendors that sell “secure” solutions that haven’t been audited, analyzed or publicized before being marketed, when after that they become an easy target with big pay day and large scale.

  3. As someone who has been victimized recently and often by credit card number thieves, it’s just a matter of time I’m sure before someone gets my ATM number.

    The assault from the crooks above and the crooks below is really intensifying, and I’m finding it very hard not to surrender to the perennial philosophy that everyone is a crook, except maybe my wife, my daughter, and two or three very nice people I know.

  4. Are those things made to be pushed in the slot but then removed the same way, with a convenient tab e.g.? Or are they made to be left in place until found by ATM maintenance staff?

  5.  *sigh* This isn’t an issue with skimmer creators or inherent issues with electronic currency. This is an issue with our financial system.
    From a security standpoint this is unacceptable.
    Banks are still using the same dated technology and won’t update their machines and processes to use any more security.
    We should have already had enough time to transition away from the magnetic stripe and be using chip-only cards with ATMs that use the chip. And yet banks are still relying on the same insecure magnetic stripe.
    We should also have already had the time to migrate to full mini-qwerty keyboards on these devices instead of this ridiculousness of using a 4-digit numeric PIN.

    Security is a constant battle of building things more and more secure step by step. Each step eventually gets broken but you do what you can to keep a step ahead of the attackers and minimize the possible damage they can do.

    But the bank systems are not doing this at all. The first step is broken. The second step has been created. And they’re not even dropping the first step and moving to the second step. They should already be working on developing the third step before the second one gets broken.
