Visual Autopsy Of An ATM Card Skimmer
Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account.
Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub.
He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed; we believe we have reclaimed about 800 pounds worth of kit. Result:
Pictures."
Was this the pass through kind? How was the camera attached? If I used one hand to cover the other hand while keying the PIN would that "thwart" it? Great pix but I could also use a little more commentary on what to watch out for.
In the future, I would want to not be isolated from my friends in the Space Station.
Making money by having an expensive digital camera to disguise it as ATM chrome, grabbing PIN numbers and making yes-cards out of the process is dumb. The guy would probably have made more money setting his hacked camera in some lady's shower and selling the videos on the net. Or gee, even selling the hacked camera itself to would-be private-eyes, as most of these folks are willing to spend a lot of money on any spy-ish electronic device, and it would be legal too.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Well, not really.
The skimmer is attached to any arbitrary machine without the cooperation of the ATM owner.
So they can hit even your own bank's machines, if they so desire.
This is the best ATM scam since... well... the last ATM scam, where they put a complete ATM machine in place. Except they got caught because they tried to stiff their ATM machine supplier.
Gentoo Sucks
There are plenty of legitimate uses for magnetic stripe readers. Why, here at the University of South Carolina we just installed 3 $1,200 newspaper machines to limit the free newspaper program to students and faculty. I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.
Two things that I always ask my friends to do too.
1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.
2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawals have very high APR) as the liability on credit cards is very low.
Free XBox, PS2
My bank uses ATM machines that suck the card completely into the slot, with only a little bit of a metal guide plate exposed below the slot. (Typically, they have a label with arrows printed on it that's affixed just beneath the slot, as well.) If you tried to add some sort of reader device to the front of the ATM, covering the original slot and plate, it would be fairly obvious it didn't belong there. I'm sure it might fool *some* clueless people - but it would surely be ripped from the machine pretty quickly, as someone a little more clueful realized what was going on. (After all, it would obscure part of the label, making it obvious it wasn't part of the original ATM machine.)
I have a feeling these card skimmers only work on specific models of ATMs (most likely, the little privately owned units you see in restaurants and gas stations, as opposed to actual bank-owned ATMs).
That's not questionably legal in any way; that's for a cash register. Many registers nowadays are just PCs and use one of those (generally affixed to the keyboard) to process credit card transactions. In fact, the legality of all of the items involved in the fraud is unquestionable. Turning them into the fraudulent device and attaching them to the ATM, however, is just as unquestionably illegal. (FYI, in case you're unconvinced about the Ebay auction, you can walk into any office depot and buy the gadget you linked.)
.sig: file not found
I'm not so sure about that. When something similar happened in Norway some time ago, the police were alerted and put the place under surveillance. The culprits were caught in the act of removing the devices.
I think the people who removed it should have done the same, thus helping to catch the bastards. For all they knew, the place could already be under surveillance, giving THEM the blame for the crime...
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.
What a good post 9-11 American citizen. You are right in calling it 'questionably' legal, unfortunately (for you) the answer to the question is yes it is legal. The government does not need to put Laws on everything that can do bad things, the laws should instead target bad things. DVD recorders should not be illegal...selling (or even just giving) a burned DVD of Star Wars should be illegal. Having a magnetic card reader is a great exercise in driver writing and or learning about it for POS apps (not piece of s&^t apps).
Hate to be a party pooper but didn't you consider leaving it there and calling the cops?
If you had they might have been able to bust the individuals concerned and saved some innocents down the track a lot of grief.
This way you got 800 quid's worth of stolen electronics, the thief wrote off some capital investment and a couple of thousand /.'ers got some pre-pubescent excitement. Wahooo.
Don't look back the lemmings are gaining on you
A couple of months ago my Hotmail account was besieged with spams offering to show me how to make my first million by installing and servicing their ATM machines. I kept wondering if they wanted to make me a shill for some skulduggery like that described in the article. The interesting part was that the ATMs so advertised would be located "in my area," which they had pinpointed at Washington, DC (not far from here).
Like others here, I've become very leery of using ATMs located anywhere but at banks. I've been driving on long trips a great deal recently, and I've also learned to be a bit discerning about card-swipers in gas stations and even grocery stores I'm not familiar with. It seems a safer bet to hit a bank occasionally to withdraw my allotment of yuppie food coupons ($20 bills) and spend those instead.
Anne
DUCT TAPE: The Election Supervisors' Secret Weapon
Most of the scams I have seen like this rely on recording your PIN based on what you type.
The earliest versions simply had someone peering over your shoulder, or using a camera/telescope mounted up and behind and stealing the original.
Get in the habit of 'embedding' your PIN within a larger number. Type this longer number too lightly to cause the pressure sensor to register, varying your pressure only on the 'key' digits. It won't fool decent resolution or close observation, but given the angles/lighting conditions and cheaper digital cameras that are starting to show up, I am guessing that they are going to have trouble working out which hits are the real McCoy.
Sure it relies on making your case more difficult than your neighbours, but to an extent that is all most locks and security devices do. Sure it's paranoid, and it does take some effort to set up, but muscle memory handles most of the work after a while and these days I only get a few false hits. YMMV
Even better would be the use of smartcards instead of current cards. The card simply has its own private key, the ATM machines/bank issue a challenge to the card and verify it against the known public key.
The private key is never divulged yet the authenticity of the card is known. There is no way to scam the system other than to steal the physical card and know what the PIN is. These really need to be adopted soon.
I.O.U One Sig.
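The challenge-response scheme described in the comment above, shown as an added example that is not part of the original thread or any real card system. It uses Ed25519 from Node's built-in `crypto` module, and all function names, the card number and the stripe data are hypothetical or constructed. It shows why a recorded exchange is useless to a skimmer while a copied magnetic stripe is not.

```javascript
// Added example: names and sample values are hypothetical/constructed.
const crypto = require('node:crypto');

// Issuance: the private key stays inside the card; the bank stores only
// the public key against the card number.
function issueCard(cardNumber) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const card = {
    cardNumber,
    // The card's only operation: sign a challenge. The key is never returned.
    respond: (challenge) => crypto.sign(null, challenge, privateKey),
  };
  return { card, bankRecord: { cardNumber, publicKey } };
}

// The ATM/bank issues a fresh random challenge for every transaction.
function newChallenge() {
  return crypto.randomBytes(32);
}

// The bank checks the response against the stored public key.
function verifyResponse(bankRecord, challenge, response) {
  return crypto.verify(null, challenge, bankRecord.publicKey, response);
}

function demo() {
  const { card, bankRecord } = issueCard('0000-CONSTRUCTED-0001');

  // Genuine transaction; assume a skimmer records both values on the wire.
  const c1 = newChallenge();
  const r1 = card.respond(c1);
  const genuine = verifyResponse(bankRecord, c1, r1);

  // A clone built from the recording can only replay r1, but the next
  // transaction carries a different challenge, so verification fails.
  const c2 = newChallenge();
  const replay = verifyResponse(bankRecord, c2, r1);

  // Magnetic stripe for contrast: the data is static, so a copy is
  // indistinguishable from the original.
  const stripe = 'constructed-track-data';
  const stripeCloneAccepted = String(stripe) === stripe;

  return { genuine, replay, stripeCloneAccepted };
}
```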
What kind of justice is it when scammers get to go free with the cash they stole?
The bank did not want to press charges as it would have been bad publicity. This was an easy decision for the bank as the criminal was going to be deported regardless.
Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?
The advantage of a PIN over biometrics is that you can always change your PIN.
Once someone finds out how to fool a biometric scanner into returning your biological data; you're hosed. You can't gouge your own eyes out and replace them with new ones.
Any security system whose keys can't be changed is fatally flawed and should not be used -- ever.
NO CARRIER
I've stopped using some of the sketchier ATMs because of this.
How bloody stupid. If I were an ATM hacker, why on earth would I attack sketchy gas station ATMs? The real money is in the well-lit, polished, nice-smelling ATMs that make people feel comfy and safe.
Of course, that shouldn't stop the bank from offering my optional security measures such as the ones you detailed above. Oh well.
IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit, and you can shop around for a bank that allows unlimited monthly debit purchases.
and
IIRC MC/V generally do not allow for minimum purchases for transactions - yes, the convenience store just lost 80 cents to make 20 on your pack of gum, but they just sold a case of beer or the 20 gallon truck fillup on 80 cents a minute ago. It more than evens out for most
and
If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Check out this story and pictures of a skimmer at work in Brazil.
Living in Minnesota, I assure you, only pansies stop working at 0 degrees. ~30 below is when it starts being a real problem.
There are lots of good legitimate uses for card readers - things like swipe card doors, as used by the computer society here, or charging for photocopying (as used by the university)