NCR reports in-the-wild sightings of "deep skimmers" (tiny, disposable card-skimmers that run on watch batteries and use crude radios to transmit to a nearby base-station) on ATMs around the world: "Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States."
Unlike earlier skimmers, which fit over ATM faceplates or card-swipe bezels, deep skimmers fit inside the swipe slot, sometimes holding on with magnets. They're virtually undetectable, and have a very short duty cycle due to their low power reserves and material unsoundness. Some are seemingly intended to be left behind after they run out of juice.
Harrow said NCR suspects that the deep insert skimmer makers are using tiny pinhole cameras hidden above or beside the PIN pad to record customers entering their PINs, and that the hidden camera doubles as a receiver for the stolen card data sent by the skimmer nestled inside the ATM's card slot. He suspects this because NCR has never actually found a hidden camera along with an insert skimmer. Also, a watch-battery run wireless transmitter wouldn't last long if the signal had to travel very far.
According to Harrow, the early model insert skimmers weren't really made to be retrieved. Turns out, that may have something to do with the way card readers work on ATMs.
"Usually what happens is the insert skimmer causes a card jam," at which point the thief calls it quits and retrieves his hidden camera — which has both the card data transmitted from the skimmer and video snippets of unwitting customers entering their PINs, he said. "These skimming devices can usually cope with most cards, but it's just a matter of time before a customer sticks an ATM card in the machine that is in less-than-perfect condition."
The latest model deep insert skimmers, Harrow said, include a tiny memory chip that can hold account data skimmed off the cards. Presumably this is preferable to sending the data wirelessly because writing the card data to a memory chip doesn't drain as much power from the wimpy coin battery that powers the devices.
[Brian Krebs/Krebs on Security]