ATM skimming comes to non-ATM payment terminals in train stations, etc

ATM skimming isn't limited to ATMs! There are lots of terminals that ask you to swipe your card and/or enter a PIN, and many of them are less well-armored and -policed than actual cashpoints. Skimmers have been found on train-ticket machines, parking meters and other payment terminals. Once a crook has got your card number and sign-on data, they can use that to raid a your account at an ATM. Brian Krebs has a look at some of these devices, including a full-on fascia for a cheapie ATM discovered in latinamerica.

The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.

This reminds me a little of the evolution of payphones -- the armadillos of the device world! -- and the look-alike COCOTS (customer-owned coin-operated telephones) that presented very soft targets if you could scry through their camouflage.

Cash Claws, Fake Fascias & Tampered Tickets


    1. I have a solution: keep the big money in the Cayman Islands, and the chump change in the checking account with the debit card.  I have implemented one half of this plan myself, and already successfully avoided being robbed of millions.

  1. I got skimmed last month at the automated ticket pickup window at Islands of Adventure in Orlando, Florida. I only swiped that card for ID, not a purchase. I only figured it out when later in the day I got a call from my bank asking about 3 $400 purchases in Seattle, clear opposite corner of the country. I went back to the machine and noticed the card swiper was much smaller and now had an LED where it didn’t before.

    I told security, and they thought I was crazy. They had never heard of such a thing. I felt sorry for them, because this surely wasn’t the first time it happened.

  2. Be fun if you came across a crime-modded ATM: to rip the skimmer off the machine itself (they’re generally held in place by adhesive), smash the chip on the ground, and go about your business. And keep in mind it’s usually a skimmer plus hidden micro-camera (which captures your finger movements) combo. Smash both.

    1.  Yeah, except the problem there is that nobody just puts a skimmer on and leaves the area.  Usually someone sits nearby watching it so they can make off with it quickly, or in case the cops find out and try to set up a sting or, as in your case, someone decides to remove or break the skimmer.  This then leads to what some might call “an altercation” and others might call “being attacked by a thug”.

      No, walking away while dialing 911 is the right move there.  Being a hero is for suckers.

  3. I’m curious to know how much of a problem this is in countries like the UK, France where Chip&Pin has completely taken over. Does it actually make it impossible to skim like this or is the problem just covered up? Because the systems are well on the way to making us cashless with virtually every retail transaction over about £1 and outside bars being done by debit card. 

    1. It still exists.  Usually they try and use the card in another country without PIN authentication, i.e. the USA, or for “cardholder not present” transactions (online/telephone purchases).  I’ve had automated phone calls from the bank while waiting for a transaction to complete before, if the spending pattern is in some way suspicious.

      Cards still include a magnetic strip so they work in other countries, but it’s not feasible to clone the chip, so they won’t be accepted by a machine here, and using one in a shop will raise suspicion and require some explanation (e.g. being American).

    2. Don’t know about other EU countries but in Belgium payments outside of the EU through the magnetic strip of your card are blocked by default, you have to ask for the service to be unblocked if you take a trip. I’ve never heard of someone being skimmed, though there’s plenty of shoulder surfing & card grabs.

      1. A quick google suggests there are some possible vulnerabilities but they’re either not widespread yet or being hushed up because there’s a LOT of money now wrapped up in Chip&Pin and because C&P is (mostly) secure the banks shifted all liability to the consumer except under extreme duress.

        The puzzle as usual is why the US is now decades behind Europe. But as one commenter says, magstripe plus bank liability is slightly better for the consumer than mostly secure P&C plus consumer liability. And as always incomplete security is not secure.

  4. I used to get skimmed every few months. I use my cards for everything and hate carrying cash. Since they switched over to chip and pin I haven’t had to deal with fraud once. It’s only a matter of time until crooks catch up with the technology but I’m happy that they aren’t there yet.

  5. >payphones — the armadillos of the device world!
    A bit puzzled by this comparison. Do American payphones roll in a ball when in danger?

    1. You’re asking BoingBoing if they’re cool?  You’re lucky it wasn’t a curated fascia with ukulele sauce.

Comments are closed.