Slashdot Mirror
Visual Autopsy Of An ATM Card Skimmer
Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account.
Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub.
He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed, we believe we have reclaimed about 800 pounds worth of kit. Result:
Pictures."
This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.
What ever happened to "Stick 'em up??"
...don't question it!!!
This is the sort of thing that makes one wary about the convenience ATMs available in many cities; you'll save more than a surcharge by sticking to your own banking company's systems.
On a side note, this is probably the most clever fraud I've seen in a long while. Great that these folks ripped out the innards of the scam device.
"A group of words expressing something other than their literal intention. Now that... is... irony!" - Bender
How hard would it be for someone to design an ATM machine that would make it more dificulty to conceal a card reader... or better yet one that made it impossible to insert your card if anything is attached... it would seem that with some common sense a designer good create some pretty good safe guards... or am I just missing something?
Was this the pass through kind? how was the camera attached? If I used one hand to cover the other hand while keying the PIN would that "thwart" it? Great pix but I could also use a little more commentary on what to watch out for.
In the future, I would want to not be isolated from my friends in the Space Station.
in case you're wondering:
To accomplish this task, the thief places an electronic "skimmer" -- a card swipe device that reads the information on the card's magnetic strip -- on the ATM machine. Attached to the device, or placed discreetly elsewhere, is a small camera that captures the customer's PIN number when they enter it. The information is either collected by the device, or transmitted to a remote receiver. The thief then takes the codes and creates a counterfeit ATM card in order to empty the victim's bank account. Some skimmers can even capture the information and send it to the ATM at the same time. Since the machine works normally, the victim is unaware that they have just given a thief the key to their account. copied from here.
Saw this recently on memepool.com:
http://www.utexas.edu/admin/utpd/atm.html
There are plenty of legitimate uses for magnetic stripe readers. Why, here at the University of South Carolina we just installed 3 $1,200 newspaper machines to limit the free newspaper program to students and faculty. I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.
Banks are insured, y'know...but I have to wonder, if they weren't out of town (and able to prove it) would they have been so forthcoming?
I seriously wouldn't have an idea as to how to get money from a teller. You like show your ATM card or something?
Two things that I always ask my friends to do too.
1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.
2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawls have very high APR) as the liability on credit cards is very low.
Free XBox, PS2
My bank uses ATM machines that suck the card completely into the slot, with only a little bit of a metal guide plate exposed below the slot. (Typically, they have a label with arrows printed on it that's affixed just beneath the slot, as well.) If you tried to add some sort of reader device to the front of the ATM, covering the original slot and plate, it would be fairly obvious it didn't belong there. I'm sure it might fool *some* clueless people - but it would surely be ripped from the machine pretty quickly, as someone a little more clueful realized what was going on. (After all, it would obscure part of the label, making it obvious it wasn't part of the original ATM machine.)
I have a feeling these card skimmers only work on specific models of ATMs (most likely, the little privately owned units you see in restaurants and gas stations, as opposed to actual bank-owned ATMs).
There are a myrid of legal uses for stripe readers, including computer and home security, and making really cool copies of your bank cards*
I have a friend who has a reader who does this.. he takes a plastic generic card with a cool photo on it, with a blank stripe, and copies your ATM stripe onto it. Fully functional, totally customized ATM card.
You should see the looks he gets using his "superman" debit card.
Hate to be a party pooper but didn't you consider leaving it there and calling the cops ?
If you had they might have been able to bust the individuals concerned and saved some innocents down the track a lot of grief.
This way you got 800 quid's worth of stolen electronics, the thief wrote off some capital investment and a couple of thousand /.'ers got some pre-pubescent excitement. Wahooo.
Don't look back the lemmings are gaining on you
Most of the scams I have seen like this rely on recording your PIN based on what you type.
The earliest versions simply had someone peering over your shoulder, or using a camera/telescope mounted up and behind and stealing the original.
Get in the habit of 'embedding' your PIN within a larger number. Type this longer number too lightly to casue the pressure sensor to register and varying your pressure only on the 'key' digits. It won't fool decent resolution or close observation, but given the angles/lighting conditions and cheaper digitial cameas that are starting to show up, I am guessing that they are going to have trouble working out which hits are the real McCoy.
Sure it relies on making your case more difficult than your neighbours, but to an extent that is all most locks and security devices do. Sure it's paranoid, and it does take some effort to set up, but muscle memory handles most of the work after a while and these days I only get a few false hits. YMMV
Comment removed based on user account deletion
PIN numbers and the way they are entered have terrible security implications.
Why can't you, say, have a 5 digit number and the ATM machine would ask you something like "What is your first, third and last number?" or "What is your first number plus your fifth number?"?
Or how about you have to look through a keyhole to see the ATM monitor so nobody else can see it. Then, before it asks you to enter your details, it shows you the mapping of the keys on the keypad. So, if you have a 9 digit keypad, it would shuffle the numbers around you look into the keyhole and see:
167
482
539
Then you'd press the button that is in the right position for each number.
"The metric system is the tool of the devil! My car gets forty rods to the hogshead and that's the way I likes it." Abe Simpson
Two farthings = One Ha'penny. Two ha'pennies = One Penny. Three pennies = A Thrupenny Bit. Two Thrupences = A Sixpence. Two Sixpences = One Shilling, or Bob. Two Bob = A Florin. One Florin and one Sixpence = Half a Crown. Four Half Crowns = Ten Bob Note. Two Ten Bob Notes = One Pound (or 240 pennies). One Pound and One Shilling = One Guinea.
The British resisted decimalized currency for a long time because they thought it was too complicated.
Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?
The advantage of a PIN over biometrics is that you can always change your PIN.
Once someone finds out how to fool a biometric scanner into returning your biological data; you're hosed. You can't gouge your own eyes out and replace them with new ones.
Any security system whose keys can't be changed is fatally flawed and should not be used -- ever.
NO CARRIER
I know a few people who have delved into the 3rd-party ATM business. Note to non-Canadians: by law the bank has to let authorized independents access the Interac system. You go through quite a bit of verification; it's no way to scam anyone.
The machines usually cost near $C 10K each, I suppose it's possible to buy one for half that used.
The hard parts are:
You need a bunch to really make it worthwhile; one machine is too much trouble for the piddly returns you get.
They don't hold much cash; you have to refill often and it's going to be out-of-order (read: out of money) a lot if it's in a high-demand location. Try the 7-11 or a local bar.
You have to somehow get a good location; usually this means giving a half-cut to the owner of the business you put it in. Indoors, locked at night, basically.
You have to have the cash to keep it full; you need a float of a couple grand a machine, minimum. More is better, saves trips to fill it up, but you can start with that and fill it twice a day if you have to, till you start making money.
After you piece off your retail partner (for the location) you can gross 75cents a transaction. If it's really competitive (as it seems to be where I am) you might end up giving the store a buck to keep the machine on their premises. At 100 transactions a day, that's 75 bucks or less. A hundred transactions requires a float near 10K per machine, or alternately thrice-a-day refills. Now you know why you need to have a dozen or so to start; one machine is just as much trouble as 10, so you may as well make a full-time job of it.
Most of your machines won't average that many transactions. A hundred a week is apparently more common (they're everywhere; and each new one siphons off some of your traffic).
The guys I know recently sold them off; the two of them had 8 altogether. Too competitive, the damn things are everywhere and many bar owners, gas stations and convenience stores just buy their own and keep the whole buck-and-a-half.
They didn't make a killing; but if you were really into it and got up to 20 machines the income would be enough to support a full-time person. Hardly lucrative, but an enterprising individual can do OK.
Actually, there is one rather good argument for using "English" measurement, at least when one is evaluating length.
It is far, far easier to split measurements in the English scale into fourths and thirds. The math is much simpler to do in your head. Halves work just as well as in Metric (Decimal). Fifths work better under Metric, but English can do sixths.
This is a simple consequence of their prime factors: 2*5=10 as opposed to 2*2*3=4*3=2*6=12.
Feet to yards brings us to 2*2*3*3=36, which is strange but functional, and then we come to miles which is where it all falls apart. But we can't afford to replace all the signs with kilometers per hour. I'm not sure I'd trust American drivers to make the transition safely, either.
Metric is a perfectly valid scheme to nearly all your measuring in. It is superior in several ways to English measurements, but there are valid reasons for not switching to it.
I believe that most people don't want to swap our convoluted babylonian time system for decimal time, and I consider this an example differing in degree but not type from the English/Metric debate.
Much Love,
ArekRashan
So what? 64k canadian is what like 4 dollars?
--
WHO ATE MY BREAKFAST PANTS?
... they have some old ATM where the numbers are arranged in one loong row of large buttons ... completely impossible to hide what you're typing.
But then, their new generation of ATM's have a touch-screen LCD to display the number pad -- and the digits are randomly rearranged between uses. Now that's secure (but not so ergonomic).
"Good news, everyone!"