Slashdot Mirror
Visual Autopsy Of An ATM Card Skimmer
Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account.
Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub.
He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed, we believe we have reclaimed about 800 pounds worth of kit. Result:
Pictures."
Holy cow! That's a lotta dollars! Hope he hurt his back carting it all away. ;)
I've stopped using some of the sketchier ATMs because of this.
MIRROR HERE IN CASE OF A
This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.
What ever happened to "Stick 'em up??"
...don't question it!!!
Just how many ATMs have this equipment in place?
Bit of a worry really..
And just what recourse do victims have? Is there any way to get your money back, or is it gone forever?
This is the sort of thing that makes one wary about the convenience ATMs available in many cities; you'll save more than a surcharge by sticking to your own banking company's systems.
On a side note, this is probably the most clever fraud I've seen in a long while. Great that these folks ripped out the innards of the scam device.
"A group of words expressing something other than their literal intention. Now that... is... irony!" - Bender
How hard would it be for someone to design an ATM machine that would make it more dificulty to conceal a card reader... or better yet one that made it impossible to insert your card if anything is attached... it would seem that with some common sense a designer good create some pretty good safe guards... or am I just missing something?
Was this the pass through kind? how was the camera attached? If I used one hand to cover the other hand while keying the PIN would that "thwart" it? Great pix but I could also use a little more commentary on what to watch out for.
In the future, I would want to not be isolated from my friends in the Space Station.
recover 800 pounds worth of equipment and incurr 2000 pounds of bandwidth costs bragging about it. The guy who lost the 550 pounds is going think that was nice compared to what just got done to him by slashdot.
Papa Legba come and open the gate
Making money by having an expensive digital camera to disguise it as ATM chrome, grabbing PIN numbers and making yes-cards out of the process is dumb. The guy would probably have made more money setting his hacked camera in some lady's shower and selling the videos on the net. Or gee, even selling the hacked camera itself to would-be private-eyes, as most of these folks are willing to spend a lot of money on any spy-ish electronic device, and it would be legal too.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
in case you're wondering:
To accomplish this task, the thief places an electronic "skimmer" -- a card swipe device that reads the information on the card's magnetic strip -- on the ATM machine. Attached to the device, or placed discreetly elsewhere, is a small camera that captures the customer's PIN number when they enter it. The information is either collected by the device, or transmitted to a remote receiver. The thief then takes the codes and creates a counterfeit ATM card in order to empty the victim's bank account. Some skimmers can even capture the information and send it to the ATM at the same time. Since the machine works normally, the victim is unaware that they have just given a thief the key to their account. copied from here.
Saw this recently on memepool.com:
http://www.utexas.edu/admin/utpd/atm.html
There are plenty of legitimate uses for magnetic stripe readers. Why, here at the University of South Carolina we just installed 3 $1,200 newspaper machines to limit the free newspaper program to students and faculty. I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.
I seriously wouldn't have an idea as to how to get money from a teller. You like show your ATM card or something?
Have all Slashdotters run around ATMs and check for card skimmers. If found, remove card skimmer, take home, disassemble, build into $anything, add keypad and have your own PIN access system to $anything! All the while doing the rest of the world a favour by taking away card skimmers! Woot!
Hate me!
Two things that I always ask my friends to do too.
1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.
2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawls have very high APR) as the liability on credit cards is very low.
Free XBox, PS2
My bank uses ATM machines that suck the card completely into the slot, with only a little bit of a metal guide plate exposed below the slot. (Typically, they have a label with arrows printed on it that's affixed just beneath the slot, as well.) If you tried to add some sort of reader device to the front of the ATM, covering the original slot and plate, it would be fairly obvious it didn't belong there. I'm sure it might fool *some* clueless people - but it would surely be ripped from the machine pretty quickly, as someone a little more clueful realized what was going on. (After all, it would obscure part of the label, making it obvious it wasn't part of the original ATM machine.)
I have a feeling these card skimmers only work on specific models of ATMs (most likely, the little privately owned units you see in restaurants and gas stations, as opposed to actual bank-owned ATMs).
Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?
ATM bug-detection should be a profitable area of research for the next few years.
There are a myrid of legal uses for stripe readers, including computer and home security, and making really cool copies of your bank cards*
I have a friend who has a reader who does this.. he takes a plastic generic card with a cool photo on it, with a blank stripe, and copies your ATM stripe onto it. Fully functional, totally customized ATM card.
You should see the looks he gets using his "superman" debit card.
Hate to be a party pooper but didn't you consider leaving it there and calling the cops ?
If you had they might have been able to bust the individuals concerned and saved some innocents down the track a lot of grief.
This way you got 800 quid's worth of stolen electronics, the thief wrote off some capital investment and a couple of thousand /.'ers got some pre-pubescent excitement. Wahooo.
Don't look back the lemmings are gaining on you
A couple of months ago my Hotmail account was besieged with spams offering to show me how to make my first million by installing and servicing their ATM machines. I kept wondering if they wanted to make me a shill for some skulduggery like that described in the article. The interesting part was that the ATM's so advertised would be located "in my area," which they had pinpointed at Washington, DC (not far from here).
Like others here, I've become very leery of using ATM's located anywhere but at banks. I've been driving on long trips a great deal recently, and I've also learned to be a bit discerning about card-swipers in gas stations and even grocery stores I'm not familiar with. It seems a safer bet to hit a bank occasionally to withdraw my allotment of yuppie food coupons ($20 bills) and spend those instead.
Anne
DUCT TAPE: The Election Supervisors' Secret Weapon
Most of the scams I have seen like this rely on recording your PIN based on what you type.
The earliest versions simply had someone peering over your shoulder, or using a camera/telescope mounted up and behind and stealing the original.
Get in the habit of 'embedding' your PIN within a larger number. Type this longer number too lightly to casue the pressure sensor to register and varying your pressure only on the 'key' digits. It won't fool decent resolution or close observation, but given the angles/lighting conditions and cheaper digitial cameas that are starting to show up, I am guessing that they are going to have trouble working out which hits are the real McCoy.
Sure it relies on making your case more difficult than your neighbours, but to an extent that is all most locks and security devices do. Sure it's paranoid, and it does take some effort to set up, but muscle memory handles most of the work after a while and these days I only get a few false hits. YMMV
Still, very interesting to see. I'm quite suprised at the digital camera half of it. Of course something like using fingerprints or some other kind of biometric would make things much harder for the thief.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Well, at my bank you go inside, fill out a withdrawal slip (which is very much like a check, but you also have to write your account number on it).
Then, you get in line behind a large number of old people and people who can barely speak English, and for variety, some old people who can barely speak English-- all of whom have little idea of what they want/need, and all of whom will actually try to haggle with tellers over a few cents of interest.
After waiting for a very long time and getting irritated at the stupid things you overhear the people in front of you say, it's your turn. You give the withdrawal slip and a photo ID (usually a driver's license) to the teller, and they process it and give you your money.
If ATMs didn't exist so I could avoid all of the above, I would probably keep my money in my mattress. The bank needs a special express line for people who are under 50 years old, can speak English well, and have very simple transactions to make. Just like the post office needs one for people who have well-packaged, correctly-addressed outgoing mail and the cash to pay for postage in hand-- because that's another place I hate standing behind clueless retards.
~Philly
Comment removed based on user account deletion
the story of the ATM machine left infront of a convenience store. People whould come up to it insert their card, type the pin and be presented with an error saying there is no more money left in the machine. A week later the machine disappeared. All the people who had used the ATM had given the data form their ATM cards and pin numbers to a fake machine that was logging the info!
The war with islam is a war on the beast
The war on terror is a war for peace
Drunk guy: Here, I took this from an ATM machine *hicup*
Police guy 1: Destroing private propriet while drunk uh?! You are under arrest!
Police guy 2: These gang ppl are getting even dumber!
PIN numbers and the way they are entered have terrible security implications.
Why can't you, say, have a 5 digit number and the ATM machine would ask you something like "What is your first, third and last number?" or "What is your first number plus your fifth number?"?
Or how about you have to look through a keyhole to see the ATM monitor so nobody else can see it. Then, before it asks you to enter your details, it shows you the mapping of the keys on the keypad. So, if you have a 9 digit keypad, it would shuffle the numbers around you look into the keyhole and see:
167
482
539
Then you'd press the button that is in the right position for each number.
I can only think of one place to press in my PIN on a teller, and I'm sure she'd slap me.
Rule #1: Always remember which machines you've bugged so you don't accidentally expose your work during "investigations."
Rule #2: If you fail to follow Rule #1, act surprised and shocked at your "fortunate discovery."
Rule #3: If your work is exposed, especially in a Rule #2 setting, be sure to dismantle it so the destination can't be traced.
-- @rjamestaylor on Ello
You idiot! You just stole your bank's security camera
-- If you try to fail and succeed, which have you done? - Uli's moose
The biggest thing seems to have been the size...Once they ripped it out of it's housing, the camera wasn't much bigger than the batteries.
At $1000 per setup, thay'd only have to catch 2 cards to get their money back. After that, the rest is profit.
Free Software: Like love, it grows best when given away.
Here's some great tips on how not to get scammed at the ATM. It's also got some images of a modified ATM...
These skimming devices were commonly detected in Canada (Ontario) during the last year or so.
...etc)
They are becoming more and more sophisticated, and the police busted several people for it, and issued precautions for the public:
- Try to use machines in the bank branch you deal with
- Try to avoid machines in public places (malls, convenience stores,
- Report anything that looks suspicious on a machine
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
This makes Canada an ideal vacation place. I might spend Spring Break robbing Canadian banks. See ya soon.
This just proves that you should smack every machine a few times before and after you use it. If you smack it hard enough you get a few spare parts and protoect your credit. I have taken to kicking, shacking, and hitting every vending maching I use in the name of safty. BTW the same thing applies to people, but with them I have found poking with stick to be the best method.
But, here's the problem: not only do they offer banking and postal services at the same wickets, they also don't seem to have discovered the marvelous North American method of having one line up for multiple tellers. You don't really appreciate having the first available clerk can always help whoever has been in line longest, until you live out the alternative.
So, you go to the post office with your single envelope, correctly addressed, just needs to be weighed and have postage slapped on it... You have to carefully scan the lines, and suss out the people waiting. That fellow with the big fat envelope - is he mailing something in bubble wrap, or is it full of unsorted petty cash and small cheques that need to be deposited into three different accounts? That lady with the shopping bag - is she checking her PO box, or remortgaging her house?
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
I know a few people who have delved into the 3rd-party ATM business. Note to non-Canadians: by law the bank has to let authorized independents access the Interac system. You go through quite a bit of verification; it's no way to scam anyone.
The machines usually cost near $C 10K each, I suppose it's possible to buy one for half that used.
The hard parts are:
You need a bunch to really make it worthwhile; one machine is too much trouble for the piddly returns you get.
They don't hold much cash; you have to refill often and it's going to be out-of-order (read: out of money) a lot if it's in a high-demand location. Try the 7-11 or a local bar.
You have to somehow get a good location; usually this means giving a half-cut to the owner of the business you put it in. Indoors, locked at night, basically.
You have to have the cash to keep it full; you need a float of a couple grand a machine, minimum. More is better, saves trips to fill it up, but you can start with that and fill it twice a day if you have to, till you start making money.
After you piece off your retail partner (for the location) you can gross 75cents a transaction. If it's really competitive (as it seems to be where I am) you might end up giving the store a buck to keep the machine on their premises. At 100 transactions a day, that's 75 bucks or less. A hundred transactions requires a float near 10K per machine, or alternately thrice-a-day refills. Now you know why you need to have a dozen or so to start; one machine is just as much trouble as 10, so you may as well make a full-time job of it.
Most of your machines won't average that many transactions. A hundred a week is apparently more common (they're everywhere; and each new one siphons off some of your traffic).
The guys I know recently sold them off; the two of them had 8 altogether. Too competitive, the damn things are everywhere and many bar owners, gas stations and convenience stores just buy their own and keep the whole buck-and-a-half.
They didn't make a killing; but if you were really into it and got up to 20 machines the income would be enough to support a full-time person. Hardly lucrative, but an enterprising individual can do OK.
At the very least the cops, err... bobbies, might have been able to get a finger print or two, trace the purchase of the camera or the serial number on the SD card. Even if it doesn't lead to a direct capture, this sort of thing stays on record and can be used later when these scammers inevitably get nabbed for something else down the road.
Besides, what about the other victims? Now there's no evidence that they were scammed too. They might have to eat the loss themselves without some corroboration that they were scammed.
Also, the equipment may have cost the scammers more than this particular victim lost, but is this junk really worth much at all to the victim other than bragging rights?
Finally, aren't a lot of British cities brimming with cameras these days? If this stuff had been left in place it might have been possible to track the scammers when they picked the equipment up.
Signatures are a waste of bandwi (buffering...)
How do they know, tinfoil-hat man? Data mining! They know when and where you'll be taking that cash out, oh yes they do.
sulli
RTFJ.
This could explain why the people in front of me in ATM queues always take so long.
I'd always assumed they were incompetant morons. Perhaps they are just security concious and are waiting 15 seconds before typing their pin in case a camera is recording.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit, and you can shop around for a bank that allows unlimited monthly debit purchases.
and
IIRC MC/V generally do not allow for minimum purchases for transactions - yes, the convenience store just lost 80 cents to make 20 on your pack of gum, but they just sold a case of beer or the 20 gallon truck fillup on 80 cents a minute ago. It more than evens out for most
and
If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Getting arrested for vandalizing an ATM: Priceless. :P
The U.T. Police Department Web site has an interesting article about skimmers in use in the Austin area. Check out where they put the camera!
Actually, there is one rather good argument for using "English" measurement, at least when one is evaluating length.
It is far, far easier to split measurements in the English scale into fourths and thirds. The math is much simpler to do in your head. Halves work just as well as in Metric (Decimal). Fifths work better under Metric, but English can do sixths.
This is a simple consequence of their prime factors: 2*5=10 as opposed to 2*2*3=4*3=2*6=12.
Feet to yards brings us to 2*2*3*3=36, which is strange but functional, and then we come to miles which is where it all falls apart. But we can't afford to replace all the signs with kilometers per hour. I'm not sure I'd trust American drivers to make the transition safely, either.
Metric is a perfectly valid scheme to nearly all your measuring in. It is superior in several ways to English measurements, but there are valid reasons for not switching to it.
I believe that most people don't want to swap our convoluted babylonian time system for decimal time, and I consider this an example differing in degree but not type from the English/Metric debate.
Much Love,
ArekRashan
Crime Information : Skimming Device Installed in ATM (TW RN04000499)
Location : Two ATMs outside Hang Seng Bank, Tai Ho Road.
Facts: On 2004.01.05, ATM maintenance worker of Hang Seng Bank conducted a routine check and confirmed that 2 metal covers (of same design) were being 'fitted' onto the top ledges of two of the ATM machines.
The Skimming Device:-
check out this story and pictures of a skimmer at work in brazil.
Through the magic of this new "real number" system just now being developed we are able to now handle such tricky numbers as 28.4 and 17.1234. It's cutting edge and not everyone can "get" it, but I have real hope fractional numbers will take off in the future.
All those moments will be lost in time, like tears in rain.
It may sound like a troll, but why is the US so conservative in regard to their money: card with only a magnetic stripe that you can copy with a 80$ reader, money in 2 colors on plain paper that you can xerox (almost) easily...
Non-Linux Penguins ?
But the case will be built on the testimony of those involved - witnesses. If nobody wants to cooperate, what's Inspector Gadget to do?
Umm... go go gadget sodium pentathol?
-a
Similar to the system we had when I worked at Kinko's, though it was based on an OS/2 server.
It was the graveyard shift's job to wait until around 3 a.m., when there were no customers in the store, to do the daily backup. It took about 15 minutes, and the entire POS system had to be shut down. (I was working graveyard in a giant location with a second floor, so there were 9 machines we had to go around and log out.) The drawers did not open while the system was shut down (there was no way to open them, as you had to log in to use the interface) but sometimes we would leave a cash drawer open in case someone came in just desperate to make their copies quick and pay cash and leave.
One time, we started the backup right after a couple left the store at about 3:30 a.m. They returned about five minutes later, and wanted to do something else. We apologized for the situation, but explained that we would be unable to accomodate them for a couple of minutes. The guy actually threatened to beat up my co-worker for telling him this. (Meanwhile, his girlfriend was mortified by his machismo.)
My co-worker, thinking on his feet, told him he couldn't "take it outside" with him because he was on duty. When asked what time he got off work, he promptly answered 9:00 a.m., and the guy promised to return. I managed to keep a straight face through this exchange, even though I knew for a fact that Bruce clocked out promptly at 7:00 each morning.
Don't you wish your girlfriend was a geek like me?
... they have some old ATM where the numbers are arranged in one loong row of large buttons ... completely impossible to hide what you're typing.
But then, their new generation of ATM's have a touch-screen LCD to display the number pad -- and the digits are randomly rearranged between uses. Now that's secure (but not so ergonomic).
"Good news, everyone!"
Living in Minnesota, I assure you, only pansies stop working at 0 degrees. ~30 below is when it starts being a real problem.
...almost.
Went to take some money out late one night. There were about three (eastern european) guys huddled around the machine fiddling. Went to get money out, and the machine held out to my card - you could see the card in the slot, but couldn't get it out. Guys reappear and tell me something like "Oh. I've seen this before. Press blah, blah, blah and enter your PIN" while standing over me. Hmm, I don't think so...
So, I step back call my bank, wait on hold for an age, and as soon as they hear me confirm to the bank I want to cancel my card, I get my card thrown back at me by said guys, and they scarper into a car that has subsequently double parked.
I reported it to the local police station, and they said it happens all the time, but it wasn't actually a crime until they withdrew money (!!!).
It's called a "Lebanese Loop". More info here:
http://hoaxinfo.com/atmscam.htm
I see plenty of machines in London with glue residue around the card slot. This must happen all the time...
~30 below is when it starts being a real problem.
Come directly north to Manitoba, we only put on clothes at -30. A light jacket at -40. Wool socks and mitts when the temperatures start to be announced in Kelvin.
Trolling is a art,