Visual Autopsy Of An ATM Card Skimmer

Posted by timothy
from the picture-taker-worth-a-thousand-bucks dept.
Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account. Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub. He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed, we believe we have reclaimed about 800 pounds worth of kit. Result: Pictures."
  • hunh... (Score:5, Insightful)

    by mekkab (133181) * on Monday February 23, 2004 @10:14PM (#8369398) Homepage Journal
    Was this the pass through kind? how was the camera attached? If I used one hand to cover the other hand while keying the PIN would that "thwart" it? Great pix but I could also use a little more commentary on what to watch out for.
  • That's silly (Score:3, Insightful)

    by Rosco P. Coltrane (209368) on Monday February 23, 2004 @10:16PM (#8369408)
    Making money by having an expensive digital camera to disguise it as ATM chrome, grabbing PIN numbers and making yes-cards out of the process is dumb. The guy would probably have made more money setting his hacked camera in some lady's shower and selling the videos on the net. Or gee, even selling the hacked camera itself to would-be private-eyes, as most of these folks are willing to spend a lot of money on any spy-ish electronic device, and it would be legal too.
  • Re:hunh... (Score:3, Insightful)

    by djeaux (620938) on Monday February 23, 2004 @10:17PM (#8369421) Homepage Journal
    I did think the "visual autopsy" was a bit sketchy on the way the system was attached to the "host" ATM. It would've been useful if they'd taken a few pix before ripping the thing off the ATM.

    The captions, while semi-helpful, left a lot unanswered...

    OK, OK, I was using the mirror because the original was already in /. heaven... Maybe the original site had more detail?

  • by cmowire (254489) on Monday February 23, 2004 @10:18PM (#8369427) Homepage
    Well, not really.

    The skimmer is attached to any arbitrary machine without the cooperation of the ATM owner.

    So they can hit even your own bank's machines, if they so desire.

    This is the best ATM scam since... well... the last ATM scam, where they put a complete ATM machine in place. Except they got caught because they tried to stiff their ATM machine supplier.
  • by PedanticSpellingTrol (746300) on Monday February 23, 2004 @10:20PM (#8369449)
    There are plenty of legitimate uses for magnetic stripe readers. Why, here at the University of South Carolina we just installed 3 $1,200 newspaper machines to limit the free newspaper program to students and faculty. I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.
  • Here is what I do (Score:5, Insightful)

    by savagedome (742194) on Monday February 23, 2004 @10:22PM (#8369466)
    Two things that I always ask my friends to do too.

    1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.

    2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawals have very high APR) as the liability on credit cards is very low.
  • by King_TJ (85913) on Monday February 23, 2004 @10:23PM (#8369474) Journal
    My bank uses ATM machines that suck the card completely into the slot, with only a little bit of a metal guide plate exposed below the slot. (Typically, they have a label with arrows printed on it that's affixed just beneath the slot, as well.) If you tried to add some sort of reader device to the front of the ATM, covering the original slot and plate, it would be fairly obvious it didn't belong there. I'm sure it might fool *some* clueless people - but it would surely be ripped from the machine pretty quickly, as someone a little more clueful realized what was going on. (After all, it would obscure part of the label, making it obvious it wasn't part of the original ATM machine.)

    I have a feeling these card skimmers only work on specific models of ATMs (most likely, the little privately owned units you see in restaurants and gas stations, as opposed to actual bank-owned ATMs).
  • Re:Easy as Ebay (Score:5, Insightful)

    by petard (117521) on Monday February 23, 2004 @10:23PM (#8369477) Homepage
    That's not questionably legal in any way; that's for a cash register. Many registers nowadays are just PCs and use one of those (generally affixed to the keyboard) to process credit card transactions. In fact, the legality of all of the items involved in the fraud is unquestionable. Turning them into the fraudulent device and attaching them to the ATM, however, is just as unquestionably illegal. (FYI, in case you're unconvinced about the Ebay auction, you can walk into any office depot and buy the gadget you linked [officedepot.com].)
  • by Man Eating Duck (534479) on Monday February 23, 2004 @10:26PM (#8369510)

    Great that these folks ripped out the innards of the scam device.

    I'm not so sure about that. When something similar happened in Norway some time ago, the police was alerted and put the place under surveillance. The culprits were caught in the act of removing the devices.

    I think the people who removed it should have done the same, thus helping to catch the bastards. For all they knew, the place could already be under surveillance, giving THEM the blame for the crime...
  • Re:Easy as Ebay (Score:5, Insightful)

    by confuse(issue) (750477) on Monday February 23, 2004 @10:29PM (#8369532)
    This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.

    What a good post 9-11 American citizen. You are right in calling it 'questionably' legal, unfortunately (for you) the answer to the question is yes it is legal. The government does not need to put Laws on everything that can do bad things, the laws should instead target bad things. DVD recorders should not be illegal...selling (or even just giving) a burned DVD of Star Wars should be illegal. Having a magnetic card reader is a great exercise in driver writing and or learning about it for POS apps (not piece of s&^t apps).
  • Re:That's silly (Score:4, Insightful)

    by Anonymous Coward on Monday February 23, 2004 @10:30PM (#8369538)
    Are you retarded? One day of skimming numbers and magnetic strip codes would net you more than twenty accounts, probably containing thousands of dollars each.
  • by archilocus (715776) on Monday February 23, 2004 @10:32PM (#8369562) Homepage

    Hate to be a party pooper but didn't you consider leaving it there and calling the cops ?

    If you had they might have been able to bust the individuals concerned and saved some innocents down the track a lot of grief.

    This way you got 800 quid's worth of stolen electronics, the thief wrote off some capital investment and a couple of thousand /.'ers got some pre-pubescent excitement. Wahooo.

  • Interesting!! (Score:4, Insightful)

    by annielaurie (257735) <annekmadison@nOsPaM.hotmail.com> on Monday February 23, 2004 @10:33PM (#8369569) Journal
    A couple of months ago my Hotmail account was besieged with spams offering to show me how to make my first million by installing and servicing their ATM machines. I kept wondering if they wanted to make me a shill for some skulduggery like that described in the article. The interesting part was that the ATM's so advertised would be located "in my area," which they had pinpointed at Washington, DC (not far from here).

    Like others here, I've become very leery of using ATM's located anywhere but at banks. I've been driving on long trips a great deal recently, and I've also learned to be a bit discerning about card-swipers in gas stations and even grocery stores I'm not familiar with. It seems a safer bet to hit a bank occasionally to withdraw my allotment of yuppie food coupons ($20 bills) and spend those instead.

    Anne

  • by 26199 (577806) * on Monday February 23, 2004 @10:34PM (#8369577) Homepage

    Unfortunately biometrics violate one of the most basic principles of passwords... they can't be changed if compromised.

  • prevention ... (Score:5, Insightful)

    by another_twilight (585366) on Monday February 23, 2004 @10:35PM (#8369587)
    Most of the scams I have seen like this rely on recording your PIN based on what you type.

    The earliest versions simply had someone peering over your shoulder, or using a camera/telescope mounted up and behind and stealing the original.

    Get in the habit of 'embedding' your PIN within a larger number. Type this longer number too lightly to cause the pressure sensor to register, varying your pressure only on the 'key' digits. It won't fool decent resolution or close observation, but given the angles/lighting conditions and cheaper digital cameras that are starting to show up, I am guessing that they are going to have trouble working out which hits are the real McCoy.

    Sure it relies on making your case more difficult than your neighbours, but to an extent that is all most locks and security devices do. Sure it's paranoid, and it does take some effort to set up, but muscle memory handles most of the work after a while and these days I only get a few false hits. YMMV
  • by Anonymous Coward on Monday February 23, 2004 @10:38PM (#8369616)
    get a grip.. security through obscurity isn't security.
  • by slobarnuts (666254) on Monday February 23, 2004 @10:38PM (#8369618) Homepage
    i mean i know it does in the name of science and interest and all. But shouldn't you have notified the cops? and the bank/owner of the ATM. the cops could have tried to lift prints. Maybe tracked down the persons doing this and arrested them.
  • by shird (566377) on Monday February 23, 2004 @10:52PM (#8369725) Homepage Journal
    Even better would be the use of smartcards instead of current cards. The card simply has its own private key, the ATM machines/bank issue a challenge to the card and verify it against the known public key.

    The private key is never divulged yet the authenticity of the card is known. There is no way to scam the system other than steal the physical card and know what the pin is. These really need to be adopted soon.
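
The challenge-response scheme described in the comment above, as an added example that is not part of the original thread: it contrasts a static magnetic stripe, where a captured read stays valid forever, with a card that signs a fresh single-use challenge. The class names, card identifiers and the toy RSA key (built from two Mersenne primes, unpadded, not secure) are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy RSA key, constructed for this example only. A ~216-bit modulus with
# no padding is NOT secure; it just keeps the demo free of dependencies.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the card


def digest_int(data: bytes) -> int:
    """SHA-256 of the message, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class MagstripeCard:
    """Static data: every read returns the same bytes."""
    def __init__(self, track: bytes):
        self.track = track

    def read(self) -> bytes:
        return self.track


class SmartCard:
    """Holds a private key and only ever outputs signatures."""
    def __init__(self, card_id: bytes, private_exponent: int):
        self.card_id = card_id
        self._d = private_exponent

    def sign(self, challenge: bytes) -> int:
        return pow(digest_int(self.card_id + challenge), self._d, N)


class Bank:
    def __init__(self):
        self.stripes = set()      # known magstripe contents
        self.public_keys = {}     # card_id -> (n, e)
        self.outstanding = set()  # challenges issued and not yet used

    def accept_magstripe(self, presented: bytes) -> bool:
        return presented in self.stripes

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def accept_response(self, card_id: bytes, challenge: bytes, sig: int) -> bool:
        if challenge not in self.outstanding:
            return False                    # unknown or already used challenge
        self.outstanding.discard(challenge)  # each challenge is single-use
        n, e = self.public_keys[card_id]
        return pow(sig, e, n) == digest_int(card_id + challenge)


def demo() -> dict:
    bank = Bank()
    stripe = MagstripeCard(b"constructed-track-data-0001")
    bank.stripes.add(stripe.track)
    chip = SmartCard(b"constructed-card-0001", D)
    bank.public_keys[chip.card_id] = (N, E)

    # Everything a passive reader in the card slot could record.
    recorded_stripe = stripe.read()
    c1 = bank.new_challenge()
    s1 = chip.sign(c1)
    genuine = bank.accept_response(chip.card_id, c1, s1)

    return {
        "stripe_replay_accepted": bank.accept_magstripe(recorded_stripe),
        "chip_genuine_accepted": genuine,
        # Recorded pair presented again: the challenge was already consumed.
        "chip_replay_same_challenge": bank.accept_response(chip.card_id, c1, s1),
        # Recorded signature against a fresh challenge: verification fails.
        "chip_replay_new_challenge": bank.accept_response(
            chip.card_id, bank.new_challenge(), s1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
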
  • Trap? (Score:2, Insightful)

    by samplehead (538012) on Monday February 23, 2004 @10:59PM (#8369764)
    Wouldn't it have been better to leave the devices in place and stake out the fraudsters? They either must be hanging around at times to receive the data remotely or else occasionally pop by to collect the memory stick? Or am I missing something?
  • by Bishop (4500) on Monday February 23, 2004 @11:03PM (#8369797)
    what kind of justice is it when scammers get to go free with the cash they stole?

    The bank did not want to press charges as it would have been bad publicity. This was an easy decision for the bank as the criminal was going to be deported regardless.
  • by Anonymous Coward on Monday February 23, 2004 @11:06PM (#8369812)
    how can the metric systems be seen as complicated when compared to the inconsistent imperial system?

    It's new.
  • Re:An idea (Score:2, Insightful)

    by MrP- (45616) <rob.elitemrp@net> on Monday February 23, 2004 @11:06PM (#8369815) Homepage
    Because people are stupid.. my mom doesn't even know how to use an ATM machine, everyone i know doesn't know how to use ATM machines.. They're really simple to use but most people get confused, now you expect them to understand key mapping and be able to perform simple addition in order to take out money? Yeah right!
  • by newdamage (753043) on Monday February 23, 2004 @11:08PM (#8369825) Homepage Journal
    You'd be pretty surprised how gullible and trusting most people are. You could probably make just as much money by hanging an "out of order" sign on the atm, attaching a drop box, and seeing how many people put deposits into it containing actual money. Confidence scams work pretty well no matter how low-tech or hi-tech they are, just as long as you make it look official and have plenty of people who are running on autopilot most of the time.
  • by timmarhy (659436) on Monday February 23, 2004 @11:27PM (#8369964)
    you're living in a fool's paradise. 1: lift prints from an ATM? are you nuts? do you realise how many people could have touched it? it'd be worthless. 2: reporting things like this tend to be a case of the messenger getting shot. they would be NUTS to do anything other than what they did
  • by Anonymous Coward on Monday February 23, 2004 @11:27PM (#8369968)

    This was an easy decision for the bank as the criminal was going to be deported regardless.

    The downside is that they demonstrated you could get clean away with it, making it much more likely for others to attempt the same thing.

  • by Chester K (145560) on Monday February 23, 2004 @11:28PM (#8369970) Homepage
    Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?

    The advantage of a PIN over biometrics is that you can always change your PIN.

    Once someone finds out how to fool a biometric scanner into returning your biological data; you're hosed. You can't gouge your own eyes out and replace them with new ones.

    Any security system whose keys can't be changed is fatally flawed and should not be used -- ever.
  • by Anonymous Coward on Monday February 23, 2004 @11:30PM (#8369992)
    I've stopped using some of the sketchier ATMs because of this.

    How bloody stupid. If I were an ATM hacker, why on earth would I attack sketchy gas station ATMs? The real money is in the well-lit, polished, nice-smelling ATMs that make people feel comfy and safe.

  • by Anonymous Coward on Monday February 23, 2004 @11:35PM (#8370023)
    but who touched the camera internals if no one knew it was there? who touched the back end of the skimmer that is not exposed to the public?
  • by Anonymous Coward on Monday February 23, 2004 @11:39PM (#8370059)
    I wonder how long it will be before such a mechanism is built for card-pump gas stations and other outdoor card swipe machines?
  • by Anonymous Coward on Monday February 23, 2004 @11:53PM (#8370159)
    Weak dollar during an economic recovery? Who could have asked for better conditions? People will be snapping up American goods since they're cheaper than ever. It's great timing, actually.
  • by InfiniteWisdom (530090) on Monday February 23, 2004 @11:56PM (#8370182) Homepage
    Ah yes. I really ought to read these things more carefully.
  • Re:An idea (Score:4, Insightful)

    by cortana (588495) <sam@NOSPaM.robots.org.uk> on Tuesday February 24, 2004 @12:02AM (#8370235) Homepage
    Because--and I know it's been said already, but it's important enough to say again--people are fucking stupid.

    Of course, that shouldn't stop the bank from offering my optional security measures such as the ones you detailed above. Oh well.

  • by jpellino (202698) on Tuesday February 24, 2004 @12:05AM (#8370260)
    IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit, and you can shop around for a bank that allows unlimited monthly debit purchases.
    and
    IIRC MC/V generally do not allow for minimum purchases for transactions - yes, the convenience store just lost 80 cents to make 20 on your pack of gum, but they just sold a case of beer or the 20 gallon truck fillup on 80 cents a minute ago. It more than evens out for most
    and
    If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...
  • by cehardin (163989) on Tuesday February 24, 2004 @12:22AM (#8370365)
    Also, remember that many CCs charge a fee for the ATM cash withdraws, usually 1% to 2%, but not to exceed $20.
    Why? CCs make a lot of money from these 1% or 2% they charge for ALL transactions. The difference is that when you use your CC at the store to buy something, the CC company charges the retailer this percentage. When you take out cash, they charge you.

    So, whether you use a CC to buy stuff or not, you're still paying for it. Retailers spread the charge from the CC company by simply increasing prices for everyone.
  • by daveashcroft (321122) on Tuesday February 24, 2004 @12:42AM (#8370485)
    And you are basing this on knowledge of the law in which country? Different countries, different laws.
  • by yppiz (574466) on Tuesday February 24, 2004 @01:19AM (#8370687) Homepage
    mcheu writes:
    a lot of stores don't want to do this, because in one small pissant purchase, you've cleared out the register of cash, which makes it difficult to give change to the next customer.

    US grocery stores are happy to do this, because it turns dirty, messy cash into nice clean electronic bits.

    They are especially happy to get rid of 50s and 100s, which ATMs rarely carry.

    For large withdrawals, groceries are better than ATMs. And they really are happy to get rid of physical cash.

    --Pat / zippy@cs.brandeis.edu

  • by Anonymous Coward on Tuesday February 24, 2004 @01:20AM (#8370695)
    Let me break this post down piece by piece, either the author is talking out of his ass, or has morons as friends

    I know a few people who have delved into the 3rd-party ATM business. Note to non-Canadians: by law the bank has to let authorized independents access the Interac system. You go through quite a bit of verification; it's no way to scam anyone.

    You're kidding me? Quite a bit of verification? Anyone with the $$$ can get hooked up into an ATM network

    The machines usually cost near $C 10K each, I suppose it's possible to buy one for half that used.

    You can purchase brand-new ATM's for $2.5USD

    The hard parts are:
    You need a bunch to really make it worthwhile; one machine is too much trouble for the piddly returns you get.

    One machine in a decent location will pull $1k/month easy.

    They don't hold much cash; you have to refill often and it's going to be out-of-order (read: out of money) a lot if it's in a high-demand location. Try the 7-11 or a local bar.

    Yeah, you drive-up with a trunk full of cash and re-fill the machine yourself, right? Loomis Fargo does it with these interesting things called "Armored Vans".

    You have to somehow get a good location; usually this means giving a half-cut to the owner of the business you put it in. Indoors, locked at night, basically.

    Hahaha, most people are happy to get a couple hundred bucks for a machine a month, 50% is outrageous

    You have to have the cash to keep it full; you need a float of a couple grand a machine, minimum. More is better, saves trips to fill it up, but you can start with that and fill it twice a day if you have to, till you start making money.

    You don't fill the machine with your *own* cash, what are you talking about? This business only requires you to lease/purchase a machine, not supply funds. That's what banks and cash replenishment services are for.

    After you piece off your retail partner (for the location) you can gross 75cents a transaction. If it's really competitive (as it seems to be where I am) you might end up giving the store a buck to keep the machine on their premises. At 100 transactions a day, that's 75 bucks or less. A hundred transactions requires a float near 10K per machine, or alternately thrice-a-day refills.

    The average machine cartridge carries $40,000.00 USD in it, where do you fill three times a day?

    Now you know why you need to have a dozen or so to start; one machine is just as much trouble as 10, so you may as well make a full-time job of it.

    Full-time job? Ahaha, this is passive income (minus establishing a location).

    Most of your machines won't average that many transactions. A hundred a week is apparently more common (they're everywhere; and each new one siphons off some of your traffic).
    The guys I know recently sold them off; the two of them had 8 altogether. Too competitive, the damn things are everywhere and many bar owners, gas stations and convenience stores just buy their own and keep the whole buck-and-a-half.
    They didn't make a killing; but if you were really into it and got up to 20 machines the income would be enough to support a full-time person. Hardly lucrative, but an enterprising individual can do OK.

    Your last comment hit the nail on the head

    If you want the real scoop on this subject, I suggest you take a look at http://www.mag-card.com [mag-card.com]
  • by huphtur (259961) on Tuesday February 24, 2004 @01:29AM (#8370742)
    check out this story [snopes.com] and pictures of a skimmer at work in brazil.
  • by Blymie (231220) * on Tuesday February 24, 2004 @01:35AM (#8370771)
    Heh.

    The "local news" is not "facts". The local news is entertainment.

    The bank manager who handled your case is not very aware of the law, either.

    If you have committed a crime, or you are suspected of a crime, no one has to "press" any charges. The police, aka the crown, can charge you directly. They can then force people to testify, whether or not they want to.
  • by Sycraft-fu (314770) on Tuesday February 24, 2004 @02:33AM (#8371071)
    Some people just suck with numbers. My mom is one of them. She's not stupid, she has her masters and in her fields is quite smart. However numbers are something she's bad with. She's bad at math and bad at remembering numbers. I've had the same phone number for six years, it's easy, and she still can't remember it.

    The real solution is two fold:

    1) Better cards. This is the easiest and cheapest. Smart cards are almost impossible to fake since they can work on public key cryptography. Moving over to these would make it such that stealing their number wouldn't really be possible, at least not with a simple man-in-the-middle reader. This is something I think is likely to happen.

    2) Biometrics. Add that to a card and a keycode, you've made it pretty hard. Now someone not only has to get your code, replicate your card, but also get and then fake your biometrics. Any one of these alone isn't particularly challenging, but all together would be a real pain.

    Combine simple biometrics with smart cards and I think you'd find that high-tech ATM theft would disappear. While the biometrics may never happen, the smart cards might. They are getting more and more popular.
  • by millette (56354) <robin@millett[ ]nfo ['e.i' in gap]> on Tuesday February 24, 2004 @02:39AM (#8371102) Homepage Journal
    actually, your atm card isn't yours - it's still the property of the bank that issued it. I wouldn't be surprised if there were special rules to use an atm, such as only using a bank issued card.

    ... but who'll notice?

  • by FuegoFuerte (247200) on Tuesday February 24, 2004 @03:33AM (#8371289)
    IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit

    At least here in the US (WA state), debit fees are typically around $0.35, and credit card fees are around 1%. So if the purchase is under $35, it works out better for the store to run the card as a credit purchase. If over $35, it works out better to run it as a debit. (This assumes a debit card with a Visa/MC logo like most banks here give out now).

    and you can shop around for a bank that allows unlimited monthly debit purchases.

    There are banks that don't do this? What country do you live in again? Savages.

    IIRC MC/V generally do not allow for minimum purchases for transactions.

    I don't think they could really do anything about a minimum purchase requirement. Typically, a retailer is allowed to refuse service to anyone, for any reason (again, this is US-centric. Note that "any reason" does not include things like race). This reason may, however, include "customer has no cash and only wants to buy a $0.20 guitar pick and the transaction fee is going to be $0.35"

    If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...

    I have to hand enter cards all the time at my work... it's simply because customers do all manner of atrocities to their cards and then expect them to work. Stripe readers aren't good at what *was* there before the dog got ahold of the card, or the customer took a belt sander to it, or got bored and drew a tic-tac-toe board into the magstripe with a knife, or whatever. Usually, I'd say if a store (or especially more than one store) imprint your card or punch in the numbers by hand, you should call up your bank or whoever issued the card and say "HEY! Send me a new card!" Since they make money when you use your card, they will gladly send you a new one. There's no excuse for having a mangled worn magstripe on your card. Makes the retailer go "hmmmm.... damn lazy-ass customer making my line back up while I try to swipe his POS card."
  • by sixide (643991) on Tuesday February 24, 2004 @05:20AM (#8371625)
    Living in Minnesota, I assure you, only pansies stop working at 0 degrees. ~30 below is when it starts being a real problem.
  • Re:Easy as Ebay (Score:4, Insightful)

    by Alan Cox (27532) on Tuesday February 24, 2004 @05:35AM (#8371671) Homepage
    There are lots of good legitimate uses for card readers - things like swipe card doors, as used by the computer society here, or charging for photocopying (as used by the university)

  • Chip and PIN (Score:3, Insightful)

    by MartinB (51897) on Tuesday February 24, 2004 @05:55AM (#8371718) Homepage

    Why yes. Which is why the UK is in the process of rolling out Chip and PIN [chipandpin.co.uk] (the trial [chipandpin.co.uk] was last summer). Over the next 18 months, every credit card - and probably most debit cards - in the UK will be replaced, along with upgrades to near enough every ATM and PoS device.

    The major enforcement of this is the shifting of liability from the card schemes (MC, VISA and AMEX mostly) to anyone that doesn't comply. By 2006, finding anyone relying on magstripe will be less easy than currently finding someone relying on paper carbons.

    IIRC, the verification takes place on the card. The ATM passes the PIN entered to the card, which simply responds pass|fail. No keys pass between reader and card, and the real PIN is held on-card with a sensible level of encryption.

    It's a far cry from the Fresno Drop [fortune.com] of 1958.

    OT: Given that:

    1. this is a UK story
    2. /. has UK-members a-plenty
    3. every UK credit card company has written to all cardholders about it in the last few months
    4. it's been well covered in /.-friendly publications like ElReg [theregister.co.uk]

    I'm fairly gobsmacked that we're re-inventing the wheel here.

  • by Shimbo (100005) on Tuesday February 24, 2004 @08:06AM (#8372061)
    To make? Sure. After all, an ATM card or credit card is nothing more than a piece of plastic with a standardized magnetic stripe that repeats the same 16 numbers that are on the front of the card over and over.

    I would consult a lawyer before trying it. It might well be considered a counterfeit document.
  • by ShavenYak (252902) <bsmith3.charter@net> on Tuesday February 24, 2004 @12:00PM (#8373943) Homepage
    Advanced lesson? Don't use your credit cards at all.

    Bzzztttt. Just don't carry a balance.

    I have a card which puts 2% of every purchase I make in my daughter's college fund. Since I use this card for basically everything I buy from anyone who takes cards, that ends up being around $40/month that she gets. That's money I'd be leaving on the table if I paid cash or wrote checks. I pay the bill online, paying the entire balance off every other week when I get paid, so I've never paid a penny of interest on this account.

    Having been in debt at one time, I can understand why many folks think credit cards are evil. However, if you keep them paid off, there are many perks to using them. Just treat them as you would any other tool - wear your safety glasses and keep your fingers clear of the moving parts. Oh, sorry, wrong speech.
