Visual Autopsy Of An ATM Card Skimmer

Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account. Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub. He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed, we believe we have reclaimed about 800 pounds worth of kit. Result: Pictures."

550 Pounds of money?!?!?!?

Holy cow! That's a lotta dollars! Hope he hurt his back carting it all away. ;)

Re:550 Pounds of money?!?!?!?

[Quasar1999]

How much is that in kilos?

Re:550 Pounds of money?!?!?!?

[DeionXxX]

About 250 Kilograms... man I love google...

Re:550 Pounds of money?!?!?!?

[kramer2718]

Holy cow! That's a lotta dollars! Hope he hurt his back carting it all away. ;)

Sadly, with the current exchange rate 550 GBP is almost 550 lbs. of USD.

Re:550 Pounds of money?!?!?!?

[aweraw]

fancy metric system

OT but anyway...

I've never understood how the metric system can be thought of as fancy or tricky by most Americans. It's all base 10. 10 millimetres equals a centimetre, 100 centimetres equals a metre, therefore 1000 millimetres in a meter (milli meaning 1000), and 1000 meters in a kilometre. Simple. Imperial units are all over the damn place... 12 inches in a foot, 3 feet in a yard, 1760 yards in a mile... conversions between different sized metric units is extremely easy compared to imperial.

Now my question is this.. how can the metric systems be seen as complicated when compared to the in consistent imperial system?

Re:550 Pounds of money?!?!?!?

[ShipIt]

"The metric system is the tool of the devil! My car gets forty rods to the hogshead and that's the way I likes it." Abe Simpson

Re:550 Pounds of money?!?!?!?

[-tji]

That's actually true.. If you take your cash in nickels.

Re:550 Pounds of money?!?!?!?

[joedoe]

But I'm sure what we all really want to know is, how much is that in Libraries of Congress?

--joedoe

Re:550 Pounds of money?!?!?!?

[andynz]

Reminds me of one of my favourite Terry Pratchett quotes from Good Omens.

Two farthings = One Ha'penny. Two ha'pennies = One Penny. Three pennies = A Thrupenny Bit. Two Thrupences = A Sixpence. Two Sixpences = One Shilling, or Bob. Two Bob = A Florin. One Florin and one Sixpence = Half a Crown. Four Half Crowns = Ten Bob Note. Two Ten Bob Notes = One Pound (or 240 pennies). One Pound and One Shilling = One Guinea.

The British resisted decimalized currency for a long time because they thought it was too complicated.

Re:550 Pounds of money?!?!?!?

[Charlton+Heston]

Anything that requires me to use all 10 fingers to calculate is definitely fancy.

Re:550 Pounds of money?!?!?!?

[Marvelicious]

You mock the imperial system, yet your sig mentions beer? Don't you understand that all true happiness revolves around pints!

Re:550 Pounds of money?!?!?!?

[aweraw]

You may be onto something... it is my experience that australian kegs come in 2 standard sizes: 9 gallon and 18 gallon.

I will make an allowance for Imperial measurements if they refer to a large amount of aussie amber goodness

Re:550 Pounds of money?!?!?!?

[Ryosen]

I guess it's just easier for you to use all *12* fingers then?

Re:550 Pounds of money?!?!?!?

[adpowers]

I'm American and would love it if we switched to SI units. Unfortunately, there are a lot stubborn, legacy Americans.

Between science in public schools and drugs, most youth know the metric system anyway. Actually, most adults I have met know it as well. Hell, I can't see any reason to hold on to the Imperial system. It really pisses me off. I try to use SI whenever possible.

adpowers

Re:550 Pounds of money?!?!?!?

[FuegoFuerte]

I guess it's just easier for you to use all *12* fingers then?

For those born near Hanford, yes it is. And thank you ever so much for reminding us that we're freakish mutants. Now go away and leave us to count on our 12 fingers. Steenking insensitive metric snob.

Re:550 Pounds of money?!?!?!?

[flossie]

it's only because you are all too stupid that you can't fucking handle the cahnge[sic].

No, it's only because we're so omnipotent, we don't have to.

Mars Polar Lander, anyone?

Re:550 Pounds of money?!?!?!?

[Mjlner]

Holy cow! That's a lotta dollars! Hope he hurt his back carting it all away. ;)

Carting it away???!!! Didn't you read the top post? He used an Asynchronous Transfer Mode network interface, so he didn't need to lift an ounce!

Re:550 Pounds of money?!?!?!?

[really?]

err ...no?
In my part of the US one uses the ten fingers and the two teeth.

Re:550 Pounds of money?!?!?!?

[Pogue+Mahone]

I can count up to 1023 on my fingers :-)

Re:550 Pounds of money?!?!?!?

[EtherMonkey]

Personally, I measure weight in stones and height in hands. But I have to use my left hand when measuring, as my right has swollen to gigantic proportions through use in applying all the manhood enlargement cream I've purchased through email offers. Enhancement cream notwithstanding, I still prefer to measure my "manhood" in millimeters.

Re:550 Pounds of money?!?!?!?

[aastanna]

Watch out when you get to 132, you might upset some passerby.

Mirror in case of /.

[mixy1plik]

This is a bit creepy. I always wonder when I hit those run-down ATMs in the corner of convenience stores if I might have my card nabbed.
I've stopped using some of the sketchier ATMs because of this.

MIRROR HERE IN CASE OF A /.'ING

Re:Mirror in case of /.

The real mirror:

http://pbx.mine.nu/mirror/atm.ev6.net/

(The site does feel kinda slow)

Re:Mirror in case of /.

[Txiasaeia]

Forget sketchy ATMs! $500 was taken from my account using an ATM at a local bank branch machine, in a mall no less! Get this -- they caught the guy after he stole about $64,000 CAD, found out that he entered the country illegally and... sent him to prison? Nope. Our illustrious Canadian gov't deported him. They didn't recover any of the money either. Bastard's living it up in the Caribbean with the cash that he wired there before he was caught.

The bank ate the loss and gave us back our cash, but what kind of justice is it when scammers get to go free with the cash they stole?

Re:Mirror in case of /.

[Bishop]

what kind of justice is it when scammers get to go free with the cash they stole?

The bank did not want to press charges as it would have been bad publicity. This was an easy decision for the bank as the criminal was going to be deported regardless.

Re:Mirror in case of /.

[topham]

Your wrong. They didn't deport him, they sent him back to his riding...

And for those of you who failed to get the joke, check out the Federal government in Canada and the word Scandal.

Re:Mirror in case of /.

[Blymie]

In Canada, it doesn't matter whether or not the bank "wants to press charges". If a crime has been committed, the police can proceed without anyone pressing anything.

Why?

Well, a prime example is if the mob is threatening someone to "withdraw" his charge. In Canada, it doesn't matter _what_ the victim says, if it looks like a crime took place, charges will be laid and courts will be involved.

I imagine this "story" about an immigrant was one of those mouth to ear stories, that tends to get altered every time it is repeated.

Re:Mirror in case of /.

I've stopped using some of the sketchier ATMs because of this.

How bloody stupid. If I were an ATM hacker, why on earth would I attack sketchy gas station ATMs? The real money is in the well-lit, polished, nice-smelling ATMs that make people feel comfy and safe.

Re:Mirror in case of /.

[MKalus]

Try this.

Of course, news.google.ca is your friend.

Re:Mirror in case of /.

[Blymie]

Heh.

The "local news" is not "facts". The local news is entertainment.

The bank manager who handled your case is not very aware of the law, either.

If you have committed a crime, or you are suspect of a crime, no one has to "press" any charges. The police, aka the crown, can charge you directly. They can then force people to testify, whether or not they want to.

Re:Mirror in case of /.

[Hentai]

Ah, yes. This is one of those irregular verbs, isn't it? I Sponsor, you Lobby, he Bribes?

Re:Mirror in case of /.

[Breakfast+Pants]

So what? 64k canadian is what like 4 dollars?

Easy as Ebay

[Xeed]

This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.

What ever happened to "Stick 'em up??"

Re:Easy as Ebay

[mattjb0010]

What ever happened to "Stick 'em up"?

s/up/in/

Re:Easy as Ebay

[petard]

That's not questionably legal in any way; that's for a cash register. Many registers nowadays are just PCs and use one of those (generally affixed to the keyboard) to process credit card transactions. In fact, the legality of all of the items involved in the fraud is unquestionable. Turning them into the fraudulent device and attaching them to the ATM, however, is just as unquestionably illegal. (FYI, in case you're unconvinced about the Ebay auction, you can walk into any office depot and buy the gadget you linked.)

Re:Easy as Ebay

[confuse(issue)]

This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.

What a good post 9-11 American citizen. You are right in calling it 'questionably' legal, unfortunately (for you) the answer to the question is yes it is legal. The government does not need to put Laws on everything that can do bad things, the laws should instead target bad things. DVD recorders should not be illegal...selling (or even just giving) a burned DVD of Star Wars should be illegal. Having a magnetic card reader is a great exercise in driver writing and or learning about it for POS apps (not piece of s&^t apps).

Re:Easy as Ebay

A card reader on ebay: $100
Sony digital camera: $500
Memory stick: $500
Profit: PRICELESS!

Re:Easy as Ebay

[rot26]

Not brain surgery but more sophisticated than a tape head connected to a serial port. Since the speed of the card over the head is expected to have a wide speed range, the reader has to have its own adaptive clock circuitry in it to decode the card, and THEN it's converted to rs-232 or CMOS level signals.

Re:Easy as Ebay

[Cramer]

That can be done on a single, tiny chip these days.

Re:Easy as Ebay

[ianr44]

Why convert to digital when you could just use the mic/line in? The adaptive clock stuff is fairly trivial to do in software.

Re:Easy as Ebay

[damien_kane]

If you're going to go to the trouble to tell people that POS is not an acronym for piece of shit, you could at least have mentioned that it does does stand for Point of Sale (in this case)
Otherwise, I agree wholeheartedly, mod parent up and all that jazz...

Re:Easy as Ebay

[nfras]

selling (or even just giving) a burned DVD of Star Wars should be illegal

I agree, and if that DVD is Attack of the Clones or Phantom Menace, selling any DVD of it should be illegal.

Re:Easy as Ebay

[M.+Silver]

If you're going to go to the trouble to tell people that POS is not an acronym for piece of shit, you could at least have mentioned that it does does stand for Point of Sale (in this case)

If you've ever had to support them (particularly those that some PHB has picked out without consulting his IT people), you'll know that that's generally a fully dual-meaning acronym.

Re:Easy as Ebay

[Alan+Cox]

There are lots of good legitimate uses for card readers - things like swipe card doors, as used by the computer society here, or charging for photocopying (as used by the university)

Makes you wonder

[haRDon]

Just how many ATMs have this equipment in place?

Bit of a worry really..

And just what recourse do victims have? Is there any way to get your money back, or is it gone forever?

Re:Makes you wonder

[mattjb0010]

Is there any way to get your money back, or is it gone forever?

In the terms of my credit/debit card it says if I notify the bank within a reasonable time period of unauthorized transactions I get the money back. I suspect most banks have a similar deal.

Re:Makes you wonder

[big_groo]

This happened to my friends - luckily they were both out of town at the time, and *used* each of their bank cards. The bank gave them an automatic, free overdraft for the amount taken, but it took them about a week to get the money back. (TD Canada Trust, in case you were wondering)

Banks are insured, y'know...but I have to wonder, if they weren't out of town (and able to prove it) would they have been so forthcoming?

Re:Makes you wonder

[TykeClone]

In the US, this is governed by "Reg E" for electronic funds transfers. The customer (victim) has up to 60 days from the cycle date of the statement where the fraudulent charges are reported to contest them - makes for a good reason to at least look over your bank statements when you receive them!

Convenience or security...

[SabrStryk]

This is the sort of thing that makes one wary about the convenience ATMs available in many cities; you'll save more than a surcharge by sticking to your own banking company's systems.

On a side note, this is probably the most clever fraud I've seen in a long while. Great that these folks ripped out the innards of the scam device.

Re:Convenience or security...

[cmowire]

Well, not really.

The skimmer is attached to any arbitrary machine without the cooperation of the ATM owner.

So they can hit even your own bank's machines, if they so desire.

This is the best ATM scam since... well... the last ATM scam, where they put a complete ATM machine in place. Except they got caught because they tried to stiff their ATM machine supplier.

Re:Convenience or security...

[Man+Eating+Duck]

Great that these folks ripped out the innards of the scam device.

I'm not so sure about that. When something similar happened in Norway some time ago, the police was alerted and put the place under surveillance. The culprits were caught in the act of removing the devices.

I think the people who removed it should have done the same, thus helping to catch the bastards. For all they knew, the place could already be under surveillance, giving THEM the blame for the crime...

Re:Convenience or security...

[hoggoth]

> the place could already be under surveillance, giving THEM the blame for the crime...

That was the brilliant part of their scam. After removing the device and cleaning out all the bank accounts, they posted the whole thing to the Internet to create a cover story in case they were watched!

Re:Convenience or security...

[norton_I]

That is strange, every person I know who has been victim of fraud of this sort (4, I think: 1 ATM fraud, 1 check fraud, and a couple of credit card frauds) has gotten their money back. It does not matter if they catch anyone. In fact, in most cases, the victim never knows if the perp was caught -- the bank just wants to take care of it quickly and quietly.

The only person I know who had to do more than that was the check fraud victim, because in addition to dealing with the bank, there were lots of angry merchants who wanted to know why her checks were being bounced.

shouldn't ATM machines be designed better?

[Monty845]

How hard would it be for someone to design an ATM machine that would make it more dificulty to conceal a card reader... or better yet one that made it impossible to insert your card if anything is attached... it would seem that with some common sense a designer good create some pretty good safe guards... or am I just missing something?

Re:shouldn't ATM machines be designed better?

[mcpkaaos]

or am I just missing something?

Maybe the ATM designers just happen to be the same folks that are installing the cameras and readers. :)

Re:shouldn't ATM machines be designed better?

[shird]

Even better would be the use of smartcards instead of current cards. The card simply has its own private key, the ATM machines/bank issue a challenge to the card and verify it against the known public key.

The private key is never divulged yet the authenticity of the card is known. There is no way to scam the system other than steal the physical card and know what the pin is. These really need to be adopted soon.

Re:shouldn't ATM machines be designed better?

[odsign]

That's the thing. The ATM's don't read it. The ATM says, 'Hey, bucko. Encrypt this with your private key.' The card does so, the ATM decrypts it with the public key, and when the result is the same, you know it's the right card, without anybody except the card knowing its key.

Re:shouldn't ATM machines be designed better?

[edp]

"You have a reader that reads everything on the card on the way in, so they get the public key."

You don't send a key, you send a challenge that somebody with the private key can answer. There are challenge-response protocols that reveal zero knowledge to eavesdroppers. One of them works something like this: The card knows secret number X. The bank computer knows secret number X^2. (All arithmetic is done modulo a preselected large number with certain properties.) For one challenge, the card makes up a random number R and transmits (RX)^2. The bank flips a coin and asks the card for either RX or R^2. If the card really knows X, it can easily answer either question. In either case, the eavesdropper sees (RX)^2 and either RX or R^2, but, because of R, these are just random numbers -- if R is uniformally distributed (over the modular domain), then RX is also uniformally distributed; there is no information in it. An eavesdropper can learn what X^2 is, but the numbers are chosen so that it is (believed to be) extremely difficult to find X from X^2 (modulo the preselected number).

Could somebody pretend to know X? Instead of sending RX, they could make up a number S and send S^2. Then if asked for RX, they could send S, and it would pass the check. Alternately, they could spoof in a way that allows them to correctly answer a request for R^2. However, it is as difficult to be able to answer both as it is to find X from X^2, because being able to answer both gives you the information needed to find X.

Since a malicious person could spoof the test half the time, you repeat the test many times, say 30 for a one-in-a-billion chance of passing. Various caveats apply; search for "zero-knowledge proofs" for more details.

hunh...

[mekkab]

Was this the pass through kind? how was the camera attached? If I used one hand to cover the other hand while keying the PIN would that "thwart" it? Great pix but I could also use a little more commentary on what to watch out for.

Re:hunh...

[djeaux]

I did think the "visual autopsy" was a bit sketchy on the way the system was attached to the "host" ATM. It would've been useful if they'd taken a few pix before ripping the thing off the ATM.

The captions, while semi-helpful, left a lot unanswered...

OK, OK, I was using the mirror because the original was already in /. heaven... Maybe the original site had more detail?

Re:hunh...

[M.+Silver]

If someone could break into an ATM and install a camera and reader, why not just take the money inside instead of leaving all that gear around?

Aside from the fact that skimmers generally don't involve getting into the ATM at all, "getting into" the ATM is quite a bit different from getting into the cash safe inside. In fact, in any case where the ATM is serviced by an armored-car service, generally the owning bank can open the ATM but even they can't open the cash safe.

When I worked at the bank, we had someone take an ax to one of our brand-new ATMs. It was annoying all around because on his side, (1) it wasn't live yet, so there wasn't any money to steal, (2) he couldn't get into the safe anyway, (3) he cut himself trying; and on our side (1) the ATM itself was a loss, and worth more than the amount of money it could hold, (2) we'd *just* finished configuring and testing it and now had to start over, and (3) the video camera wasn't live yet so we didn't get to see the guy. (We did have some nice blood samples, and bloody fingerprints, but I never heard if anybody got caught/charged.)

Re:hunh...

[Doyle]

...or if you're three-handed like this guy then you can use two hands to cover the third!

Re:hunh...

[dave1212]

I wear a hat, and drop it on my hand when i enter my pin. would seem to be fine, at least until they start using keypad overlay things..

Re:hunh...

[CreatureComfort]

That's why the new trick here in Texas is to steal an SUV, or pickup with a big grill guard, and smash it into the ATM. Makes a nice big mess, and handily pops the hinges on the safe most of the time. If it doesn't pop the hiinges, it at least breaks the safe free from its mountings so it can be picked up and taken away to someplace with a cutting torch. In addition, it generally makes it easy to take the camera/video system, so they can't see who did it. We've had 12 of these crimes happen in the area so far this year.

Unfortunately, they hit the drive through ATM that I use most, and it still hasn't been replaced. :-(

Great plan

[Papa+Legba]

recover 800 pounds worth of equipment and incurr 2000 pounds of bandwidth costs bragging about it. The guy who lost the 550 pounds is going think that was nice compared to what just got done to him by slashdot.

That's silly

[Rosco+P.+Coltrane]

Making money by having an expensive digital camera to disguise it as ATM chrome, grabbing PIN numbers and making yes-cards out of the process is dumb. The guy would probably have made more money setting his hacked camera in some lady's shower and selling the videos on the net. Or gee, even selling the hacked camera itself to would-be private-eyes, as most of these folks are willing to spend a lot of money on any spy-ish electronic device, and it would be legal too.

Re:That's silly

Are you retarded? One day of skimming numbers and magentic strip codes would net you more than twenty accounts, probably containing thousands of dollars each.

This is how Skimmer works

[maliabu]

in case you're wondering:

To accomplish this task, the thief places an electronic "skimmer" -- a card swipe device that reads the information on the card's magnetic strip -- on the ATM machine. Attached to the device, or placed discreetly elsewhere, is a small camera that captures the customer's PIN number when they enter it. The information is either collected by the device, or transmitted to a remote receiver. The thief then takes the codes and creates a counterfeit ATM card in order to empty the victim's bank account. Some skimmers can even capture the information and send it to the ATM at the same time. Since the machine works normally, the victim is unaware that they have just given a thief the key to their account. copied from here.

Interesting camera

[lukewarmfusion]

Why'd they use a Cybershot? I personally have a DSC-P71, but you could get a much cheaper camera and do the same thing.

Anyway, I remember reading an article (might-a been on /.) about buying an ATM and hacking the software to record the information for him. It's supposed to be much harder to find than this kind of "noticeable" trick.

Re:Interesting camera

[Stephen+Samuel]

This camera captures 15 seconds of video... Card goes in, activate a 15 second video grab... that should be more than enough to catch the 4-6 digit code most people use. (usually 5 seconds or less). the 500MB card means that you could save a LOT of those videos...

The biggest thing seems to have been the size...Once they ripped it out of it's housing, the camera wasn't much bigger than the batteries.

At $1000 per setup, thay'd only have to catch 2 cards to get their money back. After that, the rest is profit.

Another interesting link:

[amarodeeps]

Saw this recently on memepool.com:

http://www.utexas.edu/admin/utpd/atm.html

Questionably Legal??

[PedanticSpellingTrol]

There are plenty of legitimate uses for magnetic stripe readers. Why, here at the University of South Carolina we just installed 3 $1,200 newspaper machines to limit the free newspaper program to students and faculty. I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.

Re:Questionably Legal??

I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.

About $2 from every CD-Burner goes to the record companies. Why not media as well? Heck, I want $1 from every crowbar sold because it could be used to break into my car. I won't get it only because I don't have enough money to bribe^H^H^H^H^Hlobby my congressman. O well dems da breaks.

Re:Teller versus ATM

[nomadic]

I seriously wouldn't have an idea as to how to get money from a teller. You like show your ATM card or something?

Idea!

[Dark+Lord+Seth]

Have all Slashdotters run around ATMs and check for card skimmers. If found, remove card skimmer, take home, disassemble, build into $anything, add keypad and have your own PIN access system to $anything! All the while doing the rest of the world a favour by taking away card skimmers! Woot!

Re:Idea!

[Hi_2k]

This was modded funny, but Vigilante anti ATM-scammers may be a good idea. Freelance geeks who get cool toys in return for making the world safer. Win-Win situation.

Here is what I do

[savagedome]

Two things that I always ask my friends to do too.

1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.

2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawls have very high APR) as the liability on credit cards is very low.

Re:Here is what I do

[Abcd1234]

Actually, correct me if I'm wrong, but with credit cards, my understanding is that you get nailed for interest the *second* you pull the cash out, unlike purchases, where the interest is calculated at the end of the month.

Re:Here is what I do

[NMerriam]

You are correct, cash advances on a credit card start accruing interest from the moment they are taken.

It used to be that cash and purchases were treated the same, with basically a month interest-free loan as long as you paid your bill in full, but people could just pay one card with a cash advance from another, and be able to borrow money interest-free for as long as they stayed under the credit limit.

Re:Here is what I do

[Cruciform]

As an addition to the first point, if you're going to do it at a store choose one that let's you swipe the card yourself. If they have to swipe don't let your eyes off the card. If the card reader is out of view it's in your best interest to go somewhere else.

Toronto police busted 70 people working at convenience stores for double swiping a few years ago. (Between 98 and 2001, as I lived there at the time). A second reader located beside the primary was used to collect card info. I don't know if cameras were used to collect the pins or not.

Since the story at the time indicated that it was mostly employees that had been approached by people not involved with the store, I'm guessing the machines were portable so they could be brough t in and out with the boss none the wiser.

Re:Here is what I do

[mcheu]

1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.

You then end up paying a debit fee instead. Admittedly, it's lower than a 3rd party ATM fee, but it's still more expensive than going to an ATM owned by your home bank. Further, a lot of stores don't want to do this, because:

a) In one small pissant purchase, you've cleared out the register of cash, which makes it difficult to give change to the next customer.

b) The store has to pay a debit fee with each transaction. Whoopie, you've bought an 80cent pack of gum (on which only 20 cents profit at most), and are asking the guy to incur 50cents to 75cents worth of debit fees on his end. This is why some stores have a minimum purchase requirement to use debit.

Also, your definition of "no risk" may not be the same as mine. There have been instances in Canada where some of these scammers have set up shop in a real shop. This is how it's done. The first time they swipe your card through, they swipe it through a slot near the real one, and claim the card was rejected or didn't read right. The second time, the card is swiped through the real one and a the real transaction happens. All the while, the "clerk" is watching you enter your PIN, and he's got a copy of your card now. Perhaps this is why the store doesn't have a problem with giving you a cash advance and being hit by the vendor debit fees on such a small item.

I'm not saying that every instance where your card gets rejected is a scam, since it does happen that a card will be unreadable or rejected. I'm just saying there's still some risk involved.

2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawls have very high APR) as the liability on credit cards is very low.

What, do you work for a credit card company? Unlike credit card purchases which hit you with interest only if you pay late, cash advances put interest on what you owe the instant you get the cash. You've already mentioned the high interest rate. Even if you pay quickly and on time, a credit card advance will have a nasty surprise attached.

Re:Here is what I do

[vanillacoke]

The big banks charge no such fee for using ATM (wells fargo, BofA, ect..), unless its a people republic of california thing....

Re:Here is what I do

[InfiniteWisdom]

Ah yes. I really ought to read these things more carfully.

Re:Here is what I do

[cehardin]

Also, remember that many CCs charge a fee for the ATM cash withdraws, usually 1% to 2%, but not to exceed $20.
Why? CCs make a lot of money from these 1% or 2% they charge for ALL transactions. The difference is that when you use your CC at the store to buy something, the CC company charges the retailer this percentage. When you take out cash, they charge you.

So, whether you use a CC to buy stuff or not, you're still paying for it. Retailers spread the charge from the CC company by simply increasing prices for everyone.

Re:Here is what I do

[cyt0plas]

1) Some merchants charge fees. Many don't as it's cheaper than credit.

2) Some merchants offer cashback as an _incentive_ to get your business.

3) If you clean out the register at a medium to large shop (small shops can be different), you've saved them the trouble. That's that much less cash for them to send out to be converted electronically. Also, it's less cash to send out on armored cars (depending on the size of the merchant).

4) For the places that eat the $0.20 fedwire (Automated Clearing House) fees, it's typically less than the cost of a credit card, and they often don't have to pay a percentage. Buying nothing more than a pack of gum means they lose money, but they run that risk with a Credit Card too.

Re:Here is what I do

[yppiz]

mcheu writes:

a lot of stores don't want to do this, because in one small pissant purchase, you've cleared out the register of cash, which makes it difficult to give change to the next customer.

US grocery stores are happy to do this, because it turns dirty, messy cash into nice clean electronic bits.

They are especially happy to get rid of 50s and 100s, which ATMs rarely carry.

For large withdrawals, groceries are better than ATMs. And they really are happy to get rid of physical cash.

--Pat / zippy@cs.brandeis.edu

Re:Here is what I do

[shepd]

>b) The store has to pay a debit fee with each transaction. Whoopie, you've bought an 80cent pack of gum (on which only 20 cents profit at most), and are asking the guy to incur 50cents to 75cents worth of debit fees on his end. This is why some stores have a minimum purchase requirement to use debit.

I dunno about where you are, but my store pays 15 cents CDN per debit transaction. The 50 cents thing is just a way to rip you off in stores that are cutting a thin dime on profits to purposely undercut the competition (such as us). Of course, you only get the customer once when you do nasty tricks like that...

Also, the 3 - 4% some shops charge on non-cash purchases is a load of bunk too. We're a new shop, the worst percentage you should be getting charged is 2.8% (that's what we're charged). However, as we're with the BBB (YAY! More protection fees!), next year it will be the 1.8% that most established shops should be paying.

As far as cashback, if people asked for it, I'd deal with it. Since nobody has asked, I haven't bothered. Even if someone did, they wouldn't get much more than $40, as that's all I try to keep in the till at max.

Change hasn't been a problem. My estimate is about 4 cash transactions out of about 40 - 50 a week (it's the low season right now). We saw a bit more cash at Christmas, but that's how people budget (if they're smart).

If your store is hurting so bad that you have to sqeeze $0.35 or 1.2% extra from a customer, put yourself out of your misery. Seriously. You're screwed.

>Even if you pay quickly and on time, a credit card advance will have a nasty surprise attached.

Ain't that the truth. :-S

Re:Here is what I do

[mashx]

From my experience, the difference is between Mastercard and Visa: others like Amex Blue follow one or the other I suppose:

Mastercard: No interest charged until end of month, and then lowest interest amounts charged first cascading down, unless payments have been made in which case the lowest interest bearing amounts are deducted first (i.e. the highest interest accruing amounts they try to leave until last). Visa: Interest charged from next day

Admittedly I have only experience of UK and US cards, and I know that there are great variations in Europe (no-one in UK would pay an annual fee for a credit card, whereas no-one in France thinks twice about paying it) but that seems to be the general rule. I have had a Mastercard as explained above, where cash started to accrue immediately, but this is the exception in the UK.

Re:Here is what I do

[Elvisisdead]

It's my understanding that on a merchant account, the fee for processing a credit card transaction is only around $.30 USD for Visa, MC, Discover, etc. I'm not sure, but I think American Express always charges a percentage, which is why they're not accepted everywhere.

I agree that they increase prices to cover those expenses, though. That's why my dirt-cheap dry-cleaner only accepts cash. He keeps his prices low because he doesn't have to account for "alternate payment overhead".

Re:Here is what I do

[ShavenYak]

Advanced lesson? Don't use your credit cards at all.

Bzzztttt. Just don't carry a balance.

I have a card which puts 2% of every purchas I make in my daughter's college fund. Since I use this card for basically everything I buy from anyone who takes cards, that ends up being around $40/month that she gets. That's money I'd be leaving on the table if I paid cash or wrote checks. I pay the bill online, paying the entire balance off every other week when I get paid, so I've never paid a penny of interest on this account.

Having been in debt at one time, I can understand why many folks think credit cards are evil. However, if you keep them paid off, there are many perks to using them. Just treat them as you would any other tool - wear your safetly glasses and keep your fingers clear of the moving parts. Oh, sorry, wrong speech.

Re:Here is what I do

[TClevenger]

It's my understanding that on a merchant account, the fee for processing a credit card transaction is only around $.30 USD for Visa, MC, Discover, etc.

All of the major cards charge a percentage plus a per-transaction fee. (Some can price it 'bundled', but the two components are usually there.) Higher rates are charged for manually keyed transactions. ATM fees are a flat $.20 to $.50 per transaction, depending on the merchant's volume.

This only works with poorly designed ATMs

[King_TJ]

My bank uses ATM machines that suck the card completely into the slot, with only a little bit of a metal guide plate exposed below the slot. (Typically, they have a label with arrows printed on it that's affixed just beneath the slot, as well.) If you tried to add some sort of reader device to the front of the ATM, covering the original slot and plate, it would be fairly obvious it didn't belong there. I'm sure it might fool *some* clueless people - but it would surely be ripped from the machine pretty quickly, as someone a little more clueful realized what was going on. (After all, it would obscure part of the label, making it obvious it wasn't part of the original ATM machine.)

I have a feeling these card skimmers only work on specific models of ATMs (most likely, the little privately owned units you see in restaurants and gas stations, as opposed to actual bank-owned ATMs).

Re:This only works with poorly designed ATMs

[Giddeon]

If you look at the site amarodeeps linked to in his comment, a cardstealer like the one shown would be able to steal swipes without too much difficulty. If you haven't seen the ATM before and don't know what it is supposed to look like, it will look quite natural. Most folks don't use the same ATM often enough to remember that the card guides on the sides weren't there last time.

Re:This only works with poorly designed ATMs

[RodgerDodger]

There have been scanner devices found on such "suck-the-card-in" ATMs, at least in Australia.

And you're right: a given type of scanner tends to only work with a given type of ATM. But there are varieties of scanners for most common types of ATMs.

Re:This only works with poorly designed ATMs

[SmallFurryCreature]

I was thinking the same thing but this looks like it would just fit right over such a machine. It is basiclally a block with a slot in it to house the reader. but it wouldn't interfere with the atm at all.

As to how odd it looks. Well that is hard to say without seeing the original setup or even the machine to wich it was attached. Now it looks like an old movie prop. He should have taken a photo as it was in place.

Oh well, better be extra carefull.

Re:This only works with poorly designed ATMs

[newdamage]

You be pretty surprised how gullible and trusting most people are. You could probably make just as much money by hanging an "out of order" sign on the atm, attaching a drop box, and seeing how many people put deposits into it containing actual money. Confidence scams work pretty well no matter low-tech or hi-tech they are, just as long as you make it look official and have plenty of people who are running on autopilot most of the time.

Re:This only works with poorly designed ATMs

[Syclone]

Motorized readers are on the way out most places. The reason the bank/ATM operators don't like them is that if you get a message to capture a card over the network, and your machine has the capability to capture a card, you must capture it. This is a good thing, getting hot cards out of circulation, right?

Wrong, at least for the bank. If you capture a card, that means you have to deal with it later. Somebody has to remove the card from the machine, then you get into all kinds of internal control problems and procedures having to do with said captured card.

Best answer is to have a dip or swipe reader than cannot capture cards. If you cannot capture cards, you aren't violating the ATM network rules by not capturing the cards. All your internal control, security concerns, and logistical problems associated with the captured cards are gone.

Another reason not to capture cards if you can avoid it is that you cut down cutomer complaints from people who leave their cards in the machine (even through the incessant beeping) while distracted or people who screw up their PIN too many times so the machine keeps their card.

BTW, personal pet peeve: "PIN Number" and "ATM Machines" are redundant phrases :) It is like saying "Personal Identification Number Number" and "Automated Teller Machine Machine".

Re:This only works with poorly designed ATMs

[don.g]

This is only the case if you have many dissimilar ATMs. In a small country (New Zealand) with only a handful of major banks and no such thing as a "private ATM" (EFTPOS is hugely popular, though) most people use their own bank's ATMs because they're cheaper... and they're all the same. It'd be harder to put cards in one with a skimmer on (at least for my bank) so I'd notice pretty quickly that there was something odd.

Of course, many people will probably just assume it's a new model of ATM. Sigh.

Death of the PIN

[So+Called+Expert]

I wondered how long the four digit ATM PIN would last. I also realized that with the phone-cameras, it would be fairly simple to snap a shot of someone's PIN over their shoulder.

Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?

ATM bug-detection should be a profitable area of research for the next few years.

Re:Death of the PIN

[26199]

Unfortunately biometics violate one of the most basic principles of passwords... they can't be changed if compromised.

Re:Death of the PIN

[dcam]

Or you lose the thumb in an accident. Equally it could be damaged to an extent that the scanner could not read it (eg you cut it and put a bandaid on).

Re:Death of the PIN

[Chester+K]

Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?

The advantage of a PIN over biometrics is that you can always change your PIN.

Once someone finds out how to fool a biometric scanner into returning your biological data; you're hosed. You can't gouge your own eyes out and replace them with new ones.

Any security system whose keys can't be changed is fatally flawed and should not be used -- ever.

Conversion into European mainland's monetary unit

[tepples]

calculator say: 550 GBP = 1027 USD = 817 EUR

Questionably Legal???

[brunes69]

There are a myrid of legal uses for stripe readers, including computer and home security, and making really cool copies of your bank cards*

I have a friend who has a reader who does this.. he takes a plastic generic card with a cool photo on it, with a blank stripe, and copies your ATM stripe onto it. Fully functional, totally customized ATM card.

You should see the looks he gets using his "superman" debit card.

Re:Questionably Legal???

[Jeremi]

Sounds cool... but just out of curiosity, is it legal to make your own ATM card?

Re:Questionably Legal???

[LostCluster]

Sounds cool... but just out of curiosity, is it legal to make your own ATM card?

To make? Sure. Afterall, an ATM card or credit card is nothing more than a piece of plastic with a standardized magnetic stripe that repeats the same 16 numbers that are on the front of the card over and over.

To use? Uh... well, that's up to your bank. I kinda doubt they'd be to happy with it.

Re:Questionably Legal???

[millette]

actually, your atm card isn't yours - it's still the property of the bank that issued it. I wouldn't be surprised if there were special rules to use an atm, such as only using a bank issued card.

... but who'll notice?

Re:Questionably Legal???

[raphae]

Okay all you Slashdot-hacker-types. Now that you're all going to go out and make your own customized ATM cards as part of the new fad, don't forget to make your own ATM networks to go along with it.

And, while your're at it, why not your own currency system as well?

Just make sure gobs of the new currency doesn't unnecessarily get funneled off into the pockets of corrupt politians and global corporations as is the case with the current system.

Re:Questionably Legal???

[Avakado]

In some countries (or maybe only Norway), whenever your ATM card is used in an ATM machine, the machine writes a new unique code to the magnet strip. The next time you use the card, it must contain that specific code, or it is swallowed.

Sadly, the terminals used in stores cannot do this, so you have to use your card in an ATM every now and then, to make sure nobody has a copy of it (quite the opposite of the problem mentioned in this article).

Re:Questionably Legal???

[Shimbo]

To make? Sure. Afterall, an ATM card or credit card is nothing more than a piece of plastic with a standardized magnetic stripe that repeats the same 16 numbers that are on the front of the card over and over.

I would consult a lawyer before trying it. It might well be considered a counterfeit document.

Alternative approach

[archilocus]

Hate to be a party pooper but didn't you consider leaving it there and calling the cops ?

If you had they might have been able to bust the individuals concerned and saved some innocents down the track a lot of grief.

This way you got 800 quid's worth of stolen electronics, the thief wrote off some capital investment and a couple of thousand /.'ers got some pre-pubescent excitement. Wahooo.

Interesting!!

[annielaurie]

A couple of months ago my Hotmail account was besieged with spams offering to show me how to make my first million by installing and servicing their ATM machines. I kept wondering if they wanted to make me a shill for some skulduggery like that described in the article. The interesting part was that the ATM's so advertised would be located "in my area," which they had pinpointed at Washington, DC (not far from here).

Like others here, I've become very leery of using ATM's located anywhere but at banks. I've been driving on long trips a great deal recently, and I've also learned to be a bit discerning about card-swipers in gas stations and even grocery stores I'm not familiar with. It seems a safer bet to hit a bank occasionally to withdraw my allotment of yuppie food coupons ($20 bills) and spend those instead.

Anne

prevention ...

[another_twilight]

Most of the scams I have seen like this rely on recording your PIN based on what you type.

The earliest versions simply had someone peering over your shoulder, or using a camera/telescope mounted up and behind and stealing the original.

Get in the habit of 'embedding' your PIN within a larger number. Type this longer number too lightly to casue the pressure sensor to register and varying your pressure only on the 'key' digits. It won't fool decent resolution or close observation, but given the angles/lighting conditions and cheaper digitial cameas that are starting to show up, I am guessing that they are going to have trouble working out which hits are the real McCoy.

Sure it relies on making your case more difficult than your neighbours, but to an extent that is all most locks and security devices do. Sure it's paranoid, and it does take some effort to set up, but muscle memory handles most of the work after a while and these days I only get a few false hits. YMMV

Re:prevention ...

[gordguide]

I always do this, although my method is a slight variation. I like it better, but people are free to try anything that works for them.

It's quite easy to do, and if you take the time to practice it each time you enter a PIN for a short while, it becomes second nature and you don't even need to think about it (leaving you free to scope out the area, the people around you, and yes, even look for cameras, as you should do at any ATM). I almost never have received a dialog about an incorrect PIN. Maybe it happened once (I've done this for years), but I can't remember any incidents of bad entries.

What I do is place more-or-less my whole hand on the keypad, with pretty much every finger and my thumb touching a key; and press the relevant numbers with different digits (fingers/thumb).

You hand barely moves when you do it right, and all the fingers, including the unused ones, kind of move a bit when you enter a number; it's really impossible to know which keys were pressed in which order. Try it.

Re:prevention ...

[morcheeba]

good idea, but I'll bet most cameras will record some sort of rudimentary audio, so the loud beeps will inidicate the correct presses. To verify this claim, I just researched the U50 and found it doesn't record sound... but I know eventually the small cameras will. Even the chip in the $11 Ritz Dakota disposable records sound (but it's not bonded out on the package they use).

Insert Your Card Machines Only?

[MBCook]

The hack done (and those you usually hear about) work by modifying a machine where you have to insert your card. Does anyone know of the machines where you just swipe your card yourself are safe from this kind of tampering? I would think it would be VERY hard to add a skimmer without it being noticed unless you had enough physical access to the machine to take the cover off, make another little hole where the card swipes by and position the magnetic reading head in there, etc.

Still, very interesting to see. I'm quite suprised at the digital camera half of it. Of course something like using fingerprints or some other kind of biometric would make things much harder for the thief.

Re:Insert Your Card Machines Only?

[MBCook]

I wouldn't think that that would fix it. The way the sniffer in the article would work it would still get your card number. I think the only real way to fix this would be to move to smart cards because you would need MUCH more physical access to the machine to install something to monitor the smart card access than to simply read a magstripe.

Now if you used the RFID to prevent access, and not reading that could work. That way even if you got the mag stripe data from someone's card and put it on a blank card, you still couldn't withdraw cash from the ATM without the RFID tag being near. That would work great for credit cards and such too.

Withdrawling from a teller is quite safe, but now most banks charge you extra for that becuase it requires them to hire actual people.

Re:Insert Your Card Machines Only?

[Syclone]

"As for swipe ATMs, my major worry (as a bank operator) would be that I would expect that they would be more prone to mechanical failure (from ease of dust building up, people spilling coffee, etc) than an insert ATM."

Actually, it is the opposite. There is a much higher failure rate on motorized readers that take the card into the machine. Moving parts vs no movie parts, and all of that. With a motorized reader, you can get jams, misalignments between the internal reader and the face of the machine, etc. We see much higher failure rates on these.

As I said below in another reply, dip/swipe readers only generally allow one transaction per insertion, and unless you walk away from the machine before doing a transaction and somebody immediately walks up behind you, it is not a likely problem. Also, cash is generally sucked back into the machine after a given interval on most dispensers (around 30 seconds). There are a few machine types that have what we call "spray" dispensers that completely let go of the cash and cannot suck the money back in. Most of these are old models, though.

If a machine sucks your cash in because you didn't get it in time, in the US, you just go to your bank and file a Reg E dispute. This kicks off research of the transaction, and the bank can tell if you didn't get your money and will credit you back.

Re:Teller versus ATM

Well, at my bank you go inside, fill out a withdrawal slip (which is very much like a check, but you also have to write your account number on it).

Then, you get in line behind a large number of old people and people who can barely speak English, and for variety, some old people who can barely speak English-- all of whom have little idea of what they want/need, and all of whom will actually try to haggle with tellers over a few cents of interest.

After waiting for a very long time and getting irritated at the stupid things you overhear the people in front of you say, it's your turn. You give the withdrawal slip and a photo ID (usually a driver's license) to the teller, and they process it and give you your money.

If ATMs didn't exist so I could avoid all of the above, I would probably keep my money in my mattress. The bank needs a special express line for people who are under 50 years old, can speak English well, and have very simple transactions to make. Just like the post office needs one for people who have well-packaged, correctly-addressed outgoing mail and the cash to pay for postage in hand-- because that's another place I hate standing behind clueless retards.

~Philly

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Does anyone remember the 80s cable movie...

[nfotxn]

You don't mean Sneakers, do you?

this reminds me of

[minus_273]

the story of the ATM machine left infront of a convenience store. People whould come up to it insert their card, type the pin and be presented with an error saying there is no more money left in the machine. A week later the machine disappeared. All the people who had used the ATM had given the data form their ATM cards and pin numbers to a fake machine that was logging the info!

metaphotos, thumbprint readers

[summernot]

Too bad they didn't take pictures of the dissected device with the included cybershot.

They should start requiring thumbprints at the ATMs. I'm typically a privacy freak, but I woldn't be averse to something like thumbprint readers installed on my bank's ATMs.

Re:metaphotos, thumbprint readers

Read about the method of replicating someone else's fingerprint here: http://www.schneier.com/crypto-gram-0205.html

For any biometric, once there is a way to trick it, you are screwed. You can't change your fingerprint like you can get a new password, and the massive infrastructure investment in the biometric system pretty much guarantees the bureaucracy will just try to pretend it isn't happening.

Sure...

[dark-br]

Drunk guy: Here, I took this from an ATM machine *hicup*
Police guy 1: Destroing private propriet while drunk uh?! You are under arrest!
Police guy 2: These gang ppl are getting even dumber!

An idea

PIN numbers and the way they are entered have terrible security implications.

Why can't you, say, have a 5 digit number and the ATM machine would ask you something like "What is your first, third and last number?" or "What is your first number plus your fifth number?"?

Or how about you have to look through a keyhole to see the ATM monitor so nobody else can see it. Then, before it asks you to enter your details, it shows you the mapping of the keys on the keypad. So, if you have a 9 digit keypad, it would shuffle the numbers around you look into the keyhole and see:

167
482
539

Then you'd press the button that is in the right position for each number.

Re:An idea

[cortana]

Because--and I know it's been said already, but it's important enough to say again--people are fucking stupid.

Of course, that shouldn't stop the bank from offering my optional security measures such as the ones you detailed above. Oh well.

Re:An idea

[glorf]

Because the Americans with Disabilities Act forces even drive-thru ATMs to have braille. Never mind the fact that the on screen displays aren't standardized and the prompts point to different buttons at different banks. Any system you come up with that requires a sighted person to operate will not work.

Re:An idea

[Lumpy]

actually the US post offices use a entry keypad kind of like that.

all 12 keys have a 7 segment display behind them. every time the keypad is activated the numbers displayed are scrambled, you type your 4 digit pin and voila. someone standing there or recording the keypad will get NOTHING.

Old tech, it's just that ATM's are designed for durability as most people are so stupid as to bash on the things or really stupid kids that get jollies out of destruction...

This happened at a Mall near my house in CT in '93

[phpsocialclub]

At
the Buckland Hills Mall, in Manchester CT, in 1993, some scam artists
installed a fake ATM machine. They had negotiated with the Mall officers,
pretending to be Bank officials, and had gotten permission. Apparently, they
even got the phone company to come in and lay down some lines. Then, they
installed an ATM machine they had stolen.

It was programmed to read off the account numbers, remember the PIN as it was
typed, then claim some kind of error and refuse to give out money. They left
the machine in the mall for a WEEK, collecting PINs, then they came back, took
it machine back to "repair", and have since printed up new cards, and have been using the PINs to siphon off money.....

I think they got about $250,000 before the FBI got them

Re:Teller versus ATM

[stevens]

I seriously wouldn't have an idea as to how to get money from a teller. You like show your ATM card or something?

I can only think of one place to press in my PIN on a teller, and I'm sure she'd slap me.

Rules for ATM Skimmers

[rjamestaylor]

Rule #1: Always remember which machines you've bugged so you don't accidentally expose your work during "investigations."

Rule #2: If you fail to follow Rule #1, act surprised and shocked at your "fortunate discovery."

Rule #3: If your work is exposed, especially in a Rule #2 setting, be sure to dismantle it so the destination can't be traced.

You idiot!

[moosesocks]

You idiot! You just stole your bank's security camera

Re:Covered keypad

[TykeClone]

That must be why they have braile numbers on the drive up atms

Trap?

[samplehead]

Wouldn't have been better to leave the devices in place and stake out the fraudters. They either must be hanging around at times to receive the data remotely or else occasionally pop by to collect the memory stick? Or am I missing something?

For a related article...

[qw(name)]

Check out this advisory put out by the Univ of Texas, Austin.

Comment removed

[account_deleted]

Comment removed based on user account deletion

IR LEDs

[swampa]

Recently I noticed that on Commonwealth Bank ATMs in Australia, that there had been LEDs affixed to the side panels about 3/4 the way up

I hadn't thought to much about them until now, but maybe they are the latest (and cheapest?) defense against these card capture systems (seeing that the IR would ruin the photos)

Re:IR LEDs

[gordguide]

Just a guess here, but if they really were red/infared spectrum LEDs its more likely they are used to illuminate your face to be recorded by an infared camera. Most newer security cameras can switch from daylight to IR as light levels change.

True infared-only lamps appear totally black to humans, by the way, as does the filter over the camera lens. But it's also common to use near-infared systems that will glow/look red to us (they're cheaper).

Smartcards

[StArSkY]

Over here in Australia some of the banks have started a transition to Smart cards. The Idea being that it is a lot harder to duplicate a microchip than to fake a magnetic strip.

ANZ Bank

it also uses the Microchip as part of the auth for web banking. So what if they get your pin, how the hell are they going to duplicate the smartcard.

How not to Get Scammed at the ATM

[bad_fx]

Here's some great tips on how not to get scammed at the ATM. It's also got some images of a modified ATM...

Re:How not to Get Scammed at the ATM

[dave1212]

Everything minus the pic.. it's worth it to visit. Lostbrain rules.

Don't Get Scammed at the ATM

Look for these tell-tale signs to avoid losing your money, or inadvertently handing your PIN number over to the Russian mafia the next time you use an automatic teller:

1. If the ATM appears to be crudely attached to the back of a Toyota Celica, or Ford Ranger Pickup truck, BEWARE!

2. If you see an ATM that has been cleverly modified, as this one has, BEWARE!

3. If there are any Russians nearby, BEWARE!

4. If the ATM machine has three windows on the front displaying spinning fruit, BEWARE!

5. If the ATM machine says "Rubbermaid" anywhere on its exterior, it is likely not an ATM machine, but a cleverly disguised trash can. BEWARE!

6. If, at any point during your transaction the ATM opens to reveal a small naked man inside, BEWARE!

7. If the ATM machine wants you to play a game of three card monte, BEWARE!

8. If the ATM machine is sponsored by Martha Stewart, BEWARE!

9. If the ATM machine promises to "gladly pay you on Tuesday, for a hamburger today," BEWARE!

10. If there is a sign attached to it that says "Beware of ATM Machine," BEWARE!

Recent spat in Canada

[kbahey]

These skimming devices were commonly detected in Canada (Ontario) during the last year or so.

They are becoming more and more sophisticated, and the police busted several people for it, and issued precautions for the public:

- Try to use machines in the bank branch you deal with
- Try to avoid machines in public places (malls, convenience stores, ...etc)
- Report anything that looks suspicious on a machine

No kidding?

[el_munkie]

This makes Canada an ideal vacation place. I might spend Spring Break robbing Canadian banks. See ya soon.

Re:notify authorities?

[timmarhy]

your living in a fools paradise. 1: lift prints from an ATM? are you nuts? do you realise how many people coudl have touched it? it'd be worthless. 2: reporting things like this tend to be a case of the messenger getting shot. they would be NUTS to do anything other then what they did

Fonzy every Machine

[sPaKr]

This just proves that you should smack every machine a few times before and after you use it. If you smack it hard enough you get a few spare parts and protoect your credit. I have taken to kicking, shacking, and hitting every vending maching I use in the name of safty. BTW the same thing applies to people, but with them I have found poking with stick to be the best method.

Re:Fonzy every Machine

[An+Ominous+Cow+Aired]

You poke people with a stick... what extra parts fell off? And what did you do with those parts?

Re:Why use a camera?

[Dnigh]

The scammers don't have full access to the atm...

They can only add hardware in front of the card reader. So they need the camera to read the PIN as it is typed in, they cannot modify the hardware/software inside of the atm.

Personally I would be more worried about the fact that a large number of ATMs in the world still use single DES.

Try a bank/post office in one

[scruffyMark]

Seriously, the German national post office is also one of the largest banks in Germany. Makes sense on a certain level - every little town already has a post office, so why not just add bank services to the existing office.

But, here's the problem: not only do they offer banking and postal services at the same wickets, they also don't seem to have discovered the marvelous North American method of having one line up for multiple tellers. You don't really appreciate having the first available clerk can always help whoever has been in line longest, until you live out the alternative.

So, you go to the post office with your single envelope, correctly addressed, just needs to be weighed and have postage slapped on it... You have to carefully scan the lines, and suss out the people waiting. That fellow with the big fat envelope - is he mailing something in bubble wrap, or is it full of unsorted petty cash and small cheques that need to be deposited into three different accounts? That lady with the shopping bag - is she checking her PO box, or remortgaging her house?

Dusting for Fingerprints

[Zapdos]

Is out of the question now. It is against the law to destroy a crime scene, or tamper with evidence. Regardless of police involvement, the person taking this device knew what it was, he therefore committed the crime of destroying evidence. The person who stole the card info just got away, but how about the people who just destroyed this evidence?

Re:Dusting for Fingerprints

[daveashcroft]

And you are basing this on knowledge of the law in which country? Different countries, different laws.

Re:Why use someone elses machine?

[gordguide]

I know a few people who have delved into the 3rd-party ATM business. Note to non-Canadians: by law the bank has to let authorized independents access the Interac system. You go through quite a bit of verification; it's no way to scam anyone.

The machines usually cost near $C 10K each, I suppose it's possible to buy one for half that used.

The hard parts are:
You need a bunch to really make it worthwhile; one machine is too much trouble for the piddly returns you get.
They don't hold much cash; you have to refill often and it's going to be out-of-order (read: out of money) a lot if it's in a high-demand location. Try the 7-11 or a local bar.
You have to somehow get a good location; usually this means giving a half-cut to the owner of the business you put it in. Indoors, locked at night, basically.
You have to have the cash to keep it full; you need a float of a couple grand a machine, minimum. More is better, saves trips to fill it up, but you can start with that and fill it twice a day if you have to, till you start making money.
After you piece off your retail partner (for the location) you can gross 75cents a transaction. If it's really competitive (as it seems to be where I am) you might end up giving the store a buck to keep the machine on their premises. At 100 transactions a day, that's 75 bucks or less. A hundred transactions requires a float near 10K per machine, or alternately thrice-a-day refills. Now you know why you need to have a dozen or so to start; one machine is just as much trouble as 10, so you may as well make a full-time job of it.
Most of your machines won't average that many transactions. A hundred a week is apparently more common (they're everywhere; and each new one siphons off some of your traffic).
The guys I know recently sold them off; the two of them had 8 altogether. Too competitive, the damn things are everywhere and many bar owners, gas stations and convenience stores just buy their own and keep the whole buck-and-a-half.
They didn't make a killing; but if you were really into it and got up to 20 machines the income would be enough to support a full-time person. Hardly lucrative, but an enterprising individual can do OK.

Yeah for fingerprinting at the very least

[MCRocker]

At the very least the cops, err... bobbies, might have been able to get a finger print or two, trace the purchase of the camera or the serial number on the SD card. Even if it doesn't lead to a direct capture, this sort of thing stays on record and can be used later when these scammers inevitably get nabbed for something else down the road.

Besides, what about the other victims? Now there's no evidence that they were scammed too. They might have to eat the loss themselves without some corroboration that they were scammed.

Also, the equipment may have cost the scammers more than this particular victim lost, but is this junk really worth much at all to the victim other than bragging rights?

Finally, aren't a lot of British cities brimming with cameras these days? If this stuff had been left in place it might have been possible to track the scammers when they picked the equipment up.

not anymore

[sulli]

These days they nail you for interest the week before you take cash out. And sometimes it's as much as a full billing cycle in advance.

How do they know, tinfoil-hat man? Data mining! They know when and where you'll be taking that cash out, oh yes they do.

Did I miss the part where....

[jeaster]

They tell us how they put the devices in place? 1) They put them in place, and hope the surveillance tape is overwritten before anyone knows to look. 2) They obscure or cover the camera long enough to put the devices in place. The second seems more likely, but I also assume maybe all those atm's don't have camera's. Seems like when the reports started coming in of this, you could go back and see when the new "parts" got added? Naive? Missing something? probably, but I want to hear YOU say it.

Explains a lot

[Chuck+Chunder]

This could explain why the people in front of me in ATM queues always take so long.

I'd always assumed they were incompetant morons. Perhaps they are just security concious and are waiting 15 seconds before typing their pin in case a camera is recording.

Debit generally cheaper, mins are NG

[jpellino]

IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit, and you can shop around for a bank that allows unlimited monthly debit purchases.
and
IIRC MC/V generally do not allow for minimum purchases for transactions - yes, the convenience store just lost 80 cents to make 20 on your pack of gum, but they just sold a case of beer or the 20 gallon truck fillup on 80 cents a minute ago. It more than evens out for most
and
If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...

Re:Debit generally cheaper, mins are NG

[FuegoFuerte]

IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit

At least here in the US (WA state), debit fees are typically around $0.35, and credit card fees are around 1%. So if the purchase is under $35, it works out better for the store to run the card as a credit purchase. If over $35, it works out better to run it as a debit. (This assumes a debit card with a Visa/MC logo like most banks here give out now).

and you can shop around for a bank that allows unlimited monthly debit purchases.

There are banks that don't do this? What country do you live in again? Savages.

IIRC MC/V generally do not allow for minimum purchases for transactions.

I don't think they could really do anything about a minimum purchase requirement. Typically, a retailer is allowed to refuse service to anyone, for any reason (again, this is US-centric. Note that "any reason" does not include things like race). This reason may, however, include "customer has no cash and only wants to buy a $0.20 guitar pick and the transaction fee is going to be $0.35"

If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...

I have to hand enter cards all the time at my work... it's simply because customers do all manner of atrocities to their cards and then expect them to work. Stripe readers aren't good at what *was* there before the dog got ahold of the card, or the customer took a belt sander to it, or got bored and drew a tic-tac-toe board into the magstripe with a knife, or whatever. Usually, I'd say if a store (or especially more than one store) imprint your card or punch in the numbers by hand, you should call up your bank or whoever issued the card and say "HEY! Send me a new card!" Since they make money when you use your card, they will gladly send you a new one. There's no excuse for having a mangled worn magstripe on your card. Makes the retailer go "hmmmm.... damn lazy-ass customer making my line back up while I try to swipe his POS card."

Re:How hard can it be.........

[jorgen]

If anything around the card slot looks suspect - just get hold of it and pull!

Getting arrested for vandalizing an ATM: Priceless. :P

ATM security issues in Austin

[caviedrums]

The U.T. Police Department Web site has an interesting article about skimmers in use in the Austin area. Check out where they put the camera!

Re: Metric System

[ArekRashan]

Actually, there is one rather good argument for using "English" measurement, at least when one is evaluating length.

It is far, far easier to split measurements in the English scale into fourths and thirds. The math is much simpler to do in your head. Halves work just as well as in Metric (Decimal). Fifths work better under Metric, but English can do sixths.

This is a simple consequence of their prime factors: 2*5=10 as opposed to 2*2*3=4*3=2*6=12.

Feet to yards brings us to 2*2*3*3=36, which is strange but functional, and then we come to miles which is where it all falls apart. But we can't afford to replace all the signs with kilometers per hour. I'm not sure I'd trust American drivers to make the transition safely, either.

Metric is a perfectly valid scheme to nearly all your measuring in. It is superior in several ways to English measurements, but there are valid reasons for not switching to it.

I believe that most people don't want to swap our convoluted babylonian time system for decimal time, and I consider this an example differing in degree but not type from the English/Metric debate.

Much Love,
ArekRashan

If you're going to complain about grammer...

[MCRocker]

If you're going to complain about 'grammer' [sic], then, at least try to spell ridiculous correctly.

Skimmer with Radio Transmitter

[csk_1975]

The ones in Hong Kong use radio transmitters instead of flash cards. Here is a picture of one installed on an ATM. Pretty hard to see, huh? Also here is the police report:-

Crime Information : Skimming Device Installed in ATM (TW RN04000499)

Location : Two ATMs outside Hang Seng Bank, Tai Ho Road.

Facts: On 2004.01.05, ATM maintenance worker of Hang Seng Bank conducted a routine check and confirmed that 2 metal covers (of same design) were being 'fitted' onto the top ledges of two of the ATM machines.

The Skimming Device:-

• i) the metal covers, 60cm x 4cm x 2cm in size, painted in the same colour as the ATM, were installed perfectly onto the top ledge of the ATM panel;

• ii) a pinhole camera lens was installed inside the metal cover facing the screen panel with a view to reading the pin number. This was connected to a transmitter which has an emitting range of about 200M and could work for 9-12 hours with three 9-watt batteries, and

• iii) a false card reader was believed to have been fixed to the card slot of the ATM but had been removed prior to being discovered.

• iv) This is the first time that a device of this nature was placed in such a busy location. The device was first reported by a bank customer on 2004.01.04 but no action was taken by the bank until 2004.01.05. CCB will follow-up on this issue.

Re:Teller versus ATM

[csk_1975]

• The bank needs a special express line for people who are under 50 years old, can speak English well, and have very simple transactions to make

They tried that, but all the old people who can't read English kept standing in it.

Microwave/Thermal cracking

[quinkin]

I am yet to see a private key style card system that could not be coaxed into seeding subtle bit errors into the authentication encryption through microwave/thermal interference. This can then be used to interpolate the private key.

It would raise the bar, but I don't believe it would prevent the attachment of card readers. They may however need a number of samples, so it could restrict it to regular users of the installation.

Q.

Re:Why use someone elses machine?

Let me break this post down piece by piece, either the author is talking out of his ass, or has morons as friends

I know a few people who have delved into the 3rd-party ATM business. Note to non-Canadians: by law the bank has to let authorized independents access the Interac system. You go through quite a bit of verification; it's no way to scam anyone.

You're kidding me? Quite a bit of verification? Anyone with the $$$ can get hooked up into an ATM network

The machines usually cost near $C 10K each, I suppose it's possible to buy one for half that used.

You can purchase brand-new ATM's for $2.5USD

The hard parts are:
You need a bunch to really make it worthwhile; one machine is too much trouble for the piddly returns you get.

One machine in a decent location will pull $1k/month easy.

They don't hold much cash; you have to refill often and it's going to be out-of-order (read: out of money) a lot if it's in a high-demand location. Try the 7-11 or a local bar.

Yeah, you drive-up with a trunk full of cash and re-fill the machine yourself, right? Loomis Fargo does it with these interesting things called "Amored Vans".

You have to somehow get a good location; usually this means giving a half-cut to the owner of the business you put it in. Indoors, locked at night, basically.

Hahaha, most people are happy to get a couple hundred bucks for a machine a month, 50% is outrageous

You have to have the cash to keep it full; you need a float of a couple grand a machine, minimum. More is better, saves trips to fill it up, but you can start with that and fill it twice a day if you have to, till you start making money.

You don't fill the machine with your *own* cash, what are you talking about? This business only requires you to lease/purchase a machine, not supply funds. That's what banks and cash replenishment services are for.

After you piece off your retail partner (for the location) you can gross 75cents a transaction. If it's really competitive (as it seems to be where I am) you might end up giving the store a buck to keep the machine on their premises. At 100 transactions a day, that's 75 bucks or less. A hundred transactions requires a float near 10K per machine, or alternately thrice-a-day refills.

The average machine cartidge carries $40,000.00 USD in it, where do you fill three times a day?

Now you know why you need to have a dozen or so to start; one machine is just as much trouble as 10, so you may as well make a full-time job of it.

Full-time job? Ahaha, this is passive income (minus establishing a location).

Most of your machines won't average that many transactions. A hundred a week is apparently more common (they're everywhere; and each new one siphons off some of your traffic).
The guys I know recently sold them off; the two of them had 8 altogether. Too competitive, the damn things are everywhere and many bar owners, gas stations and convenience stores just buy their own and keep the whole buck-and-a-half.
They didn't make a killing; but if you were really into it and got up to 20 machines the income would be enough to support a full-time person. Hardly lucrative, but an enterprising individual can do OK.

Your last comment hit the nail on the head

If you want the real scoop on this subject, I suggest you take a look at http://www.mag-card.com

ATM skimmers, also in brazil

[huphtur]

check out this story and pictures of a skimmer at work in brazil.

Re:I'll drink to that

[Bastian]

The worst I've seen is one at a 24-hour restaurant I used to work at. The POS machines were linked to an NT server in the back office, and queried it for data about the tickets so we could scan a bar code on the ticket to have the POS machine automatically register the payment due and such as well as to verify that the bill was paid.

Too bad the NT server had to be rebooted and its software restarted once a day. The whole process took about 10 minutes, and the cash drawers wouldn't open so we could ring anyone up manually and scan the tickets later during that time. Customers had to stand at the counter and wait if they decided to leave at the wrong time.

Granted, I imagine part of the time delay is bad system set-up (Why can't the server software start up automagically when the computer boots, eh?), but still, you can't open the cash drawers if the server is down!?!?

There's an additonal more mundane component

[Sycraft-fu]

The fact that to interact with a smart chip, it has to stay still and have an electrical connection. The reason a false front can work on mag stripe is because the stripe is read by passing it over the reader (eg swiping your card). You just place another reader in front of the real one and as the card passes through it gets read.

A smart card is quite different. You insert it into a recepticle which has contacts for the card. That then powers it and sends it data. The transaction doesn't start until the card is locked in and it is immobile during it.

This is rather more difficult to spoof. You'd need to hold the card in your reader, and then communicate the results to the ATM. Problem is that the ATM easily could (and probably would) be rigged to eat any card left in it for any length of time, and to not start a new transaction until it underwent a release, insert cycle. So now you need to make your front take the real card, insert it's fake card, and process the intermediary transaction.

All this has to be overcome before you even get to try and deal with all the cryptographic stuff, which is the real hard part.

Because that's too hard for many people

[Sycraft-fu]

Some people just suck with numbers. My mom is one of them. She's not stupid, she has her masters and in her fields is quite smart. However numbers are something she's bad with. She'd bad at math and bad at remembering numbers. I've had the same phone number for six years, it's easy, and she still can't remember it.

The real solution is two fold:

1) Better cards. This is the easiest and cheapest. Smart cards are almost impossible to fake since they can work on public key cryptography. Moving over to these would make it such that stealing their number wouldn't really be possible, at least not with a simple man-on-the-middle reader. This is something I think is likely to happen.

2) Biometrics. Add that to a card and a keycode, you've made it pretty hard. Now someone not only has to get your code, replicate your card, but also get and then fake your biometrics. Any one of these alone isn't particularly challenging, but all together would be a real pain.

Combine simple biometrics with smart cards and I think you'd find that high-tech ATM theft would dissappear. While the biometrics may never happen, the smart cards might. They are getting more and more popular.

Re:Centigrade is artificial, Fahrenheit is natural

[BlackHawk-666]

Through the magic of this new "real number" system just now being developed we are able to now handle such tricky numbers as 28.4 and 17.1234. It's cutting edge and not everyone can "get" it, but I have real hope fractional numbers will take off in the future.

Why are US banks still using magnetic cards ?

[dargaud]

Many other countries have been using cards with embedded chips for something like the last 20 years: you cannot copy them and they can contain their own hard wired algorithms to test for challenge/response from the reader.

It may sound like a troll, but why is the US so conservative in regard to their money: card with only a magnetic stripe that you can copy with a 80$ reader, money in 2 colors on plain paper that you can xerox (almost) easily...

Re:Testimony

[God!+Awful+2]

But the case will be built on the testimony of those involved - witnesses. If nobody wants to cooperate, what's Inspector Gadget to do?

Umm... go go gadget sodium pentathol?

-a

Re:I'll drink to that

[Ironica]

Similar to the system we had when I worked at Kinko's, though it was based on an OS/2 server.

It was the graveyard shift's job to wait until around 3 a.m., when there were no customers in the store, to do the daily backup. It took about 15 minutes, and the entire POS system had to be shut down. (I was working graveyard in a giant location with a second floor, so there were 9 machines we had to go around and log out.) The drawers did not open while the system was shut down (there was no way to open them, as you had to log in to use the interface) but sometimes we would leave a cash drawer open in case someone came in just desperate to make their copies quick and pay cash and leave.

One time, we started the backup right after a couple left the store at about 3:30 a.m. They returned about five minutes later, and wanted to do something else. We apologized for the situation, but explained that we would be unable to accomodate them for a couple of minutes. The guy actually threatened to beat up my co-worker for telling him this. (Meanwhile, his girlfriend was mortified by his machismo.)

My co-worker, thinking on his feet, told him he couldn't "take it outside" with him because he was on duty. When asked what time he got off work, he promptly answered 9:00 a.m., and the guy promised to return. I managed to keep a straight face through this exchange, even though I knew for a fact that Bruce clocked out promptly at 7:00 each morning.

In Japan, ...

[KlaymenDK]

... they have some old ATM where the numbers are arranged in one loong row of large buttons ... completely impossible to hide what you're typing.

But then, their new generation of ATM's have a touch-screen LCD to display the number pad -- and the digits are randomly rearranged between uses. Now that's secure (but not so ergonomic).

Re:Centigrade is artificial, Fahrenheit is natural

[sixide]

Living in Minnesota, I assure you, only pansies stop working at 0 degrees. ~30 below is when it starts being a real problem.

Chip and PIN

[MartinB]

Why yes. Which is why the UK is in the process of rolling out Chip and PIN (the trial was last summer). Over the next 18 months, every credit card - and probably most debit cards - in the UK will be replaced, along with upgrades to near enough every ATM and PoS device.

The major enforcement of this is the shifting of liability from the card schemes (MC, VISA and AMEX mostly) to anyone that doesn't comply. By 2006, finding anyone relying on magstripe will be less easy than currently finding someone relying on paper carbons.

IIRC, the verification takes place on the card. The ATM passes the PIN entered to the card, which simply responds pass|fail. No keys pass between reader and card, and the real PIN is held on-card with a sensible level of encryption.

It's a far cry from the Fresno Drop of 1958.

OT: Given that:

1. this is a UK story
2. /. has UK-members a-plenty
3. every UK credit card company has written to all cardholders about it in the last few months
4. it's been well covered in /.-friendly publications like ElReg

I'm fairly gobsmacked that we're re-inventing the wheel here.

Re: Metric System

[csteinle]

(UK currency used to have 12 pennies in a shilling, 12 shillings in a pound, but we've been decimal for years.)

Bzzzt. 20 shillings to the pound. 1 shilling (or 1 bob) is 5 new pence.

Happened to me...

[jbrw]

...almost.

Went to take some money out late one night. There were about three (eastern european) guys huddled around the machine fiddling. Went to get money out, and the machine held out to my card - you could see the card in the slot, but couldn't get it out. Guys reappear and tell me something like "Oh. I've seen this before. Press blah, blah, blah and enter your PIN" while standing over me. Hmm, I don't think so...

So, I step back call my bank, wait on hold for an age, and as soon as they hear me confirm to the bank I want to cancel my card, I get my card thrown back at me by said guys, and they scarper into a car that has subsequently double parked.

I reported it to the local police station, and they said it happens all the time, but it wasn't actually a crime until they withdrew money (!!!).

It's called a "Lebanese Loop". More info here:

http://hoaxinfo.com/atmscam.htm

I see plenty of machines in London with glue residue around the card slot. This must happen all the time...

Re:Centigrade is artificial, Fahrenheit is natural

[grub]

~30 below is when it starts being a real problem.

Come directly north to Manitoba, we only put on clothes at -30. A light jacket at -40. Wool socks and mitts when the temperatures start to be announced in Kelvin.

/. as personal security tool

[alazar]

I am always learning so much on /. Now I'll also consider it as a personal security site.

I will reluctantly admit to not knowing about this sort of scam, although I am not at all surprised. Working in New York City, I'll bet it's an issue. So now I will change my ATM behavior.

1. Only use ATMs at the larger, reputable institutions. Not that that's a panacea, but at least I'd have a machine to talk to should an issue arise. I'd also like to believe that they are more diligent about ATM security.

2. Don't use the stand-alone ATMs anywhere, regardless of the institution on the placard.

3. Conceal my PIN: use false button presses, slow, staggered timing.

4. Be aware of the environment. Is there anything that might be a skimmer and/or camera?

5. Be even more diligent about recording my ATM transaction.

Since my credit union has only 1 ATM, very far from where I live and work, it would be impossible for me to limit myself to their machines, that I'd do that if I could.

I wish there were a way to promote/encourage a more secure technology. But I'd also like to solve world hunger too.

Re:Centigrade is artificial, Fahrenheit is natural

[rev063]

Given that this is a discussion of Fahrenheit versus Centigrade your mention of -40 is amusing. I know it doesn't matter, but what type of degrees did you mean?

Actually, in this specific case it doesn't matter. -40 degrees is the same temperature in both the Centigrade and Fahrenheit scales!

"The biggest thing seems to have been the size"

[bob_jordan]

"The biggest thing seems to have been the size"

I tend to find that as a rule, the biggest thing of most things is its size. If it gets any bigger, its size grows to accomodate it.

Bob.