Visual Autopsy Of An ATM Card Skimmer

Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account. Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub. He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed, we believe we have reclaimed about 800 pounds worth of kit. Result: Pictures."

Easy as Ebay

[Xeed]

This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay [ebay.com] for a fraction of what you can scam.

What ever happened to "Stick 'em up??"

Makes you wonder

[haRDon]

Just how many ATMs have this equipment in place?

Bit of a worry really..

And just what recourse do victims have? Is there any way to get your money back, or is it gone forever?

Convenience or security...

[SabrStryk]

This is the sort of thing that makes one wary about the convenience ATMs available in many cities; you'll save more than a surcharge by sticking to your own banking company's systems.

On a side note, this is probably the most clever fraud I've seen in a long while. Great that these folks ripped out the innards of the scam device.

shouldn't ATM machines be designed better?

[Monty845]

How hard would it be for someone to design an ATM machine that would make it more dificulty to conceal a card reader... or better yet one that made it impossible to insert your card if anything is attached... it would seem that with some common sense a designer good create some pretty good safe guards... or am I just missing something?

Interesting camera

[lukewarmfusion]

Why'd they use a Cybershot? I personally have a DSC-P71, but you could get a much cheaper camera and do the same thing.

Anyway, I remember reading an article (might-a been on /.) about buying an ATM and hacking the software to record the information for him. It's supposed to be much harder to find than this kind of "noticeable" trick.

Death of the PIN

[So Called Expert]

I wondered how long the four digit ATM PIN would last. I also realized that with the phone-cameras, it would be fairly simple to snap a shot of someone's PIN over their shoulder.

Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?

ATM bug-detection should be a profitable area of research for the next few years.

Questionably Legal???

[brunes69]

There are a myrid of legal uses for stripe readers, including computer and home security, and making really cool copies of your bank cards*

I have a friend who has a reader who does this.. he takes a plastic generic card with a cool photo on it, with a blank stripe, and copies your ATM stripe onto it. Fully functional, totally customized ATM card.

You should see the looks he gets using his "superman" debit card.

Insert Your Card Machines Only?

[MBCook]

The hack done (and those you usually hear about) work by modifying a machine where you have to insert your card. Does anyone know of the machines where you just swipe your card yourself are safe from this kind of tampering? I would think it would be VERY hard to add a skimmer without it being noticed unless you had enough physical access to the machine to take the cover off, make another little hole where the card swipes by and position the magnetic reading head in there, etc.

Still, very interesting to see. I'm quite suprised at the digital camera half of it. Of course something like using fingerprints or some other kind of biometric would make things much harder for the thief.

Re:This only works with poorly designed ATMs

[RodgerDodger]

There have been scanner devices found on such "suck-the-card-in" ATMs, at least in Australia.

And you're right: a given type of scanner tends to only work with a given type of ATM. But there are varieties of scanners for most common types of ATMs.

Re:Here is what I do

[NMerriam]

You are correct, cash advances on a credit card start accruing interest from the moment they are taken.

It used to be that cash and purchases were treated the same, with basically a month interest-free loan as long as you paid your bill in full, but people could just pay one card with a cash advance from another, and be able to borrow money interest-free for as long as they stayed under the credit limit.

Re:Mirror in case of /.

[Txiasaeia]

Forget sketchy ATMs! $500 was taken from my account using an ATM at a local bank branch machine, in a mall no less! Get this -- they caught the guy after he stole about $64,000 CAD, found out that he entered the country illegally and... sent him to prison? Nope. Our illustrious Canadian gov't deported him. They didn't recover any of the money either. Bastard's living it up in the Caribbean with the cash that he wired there before he was caught.

The bank ate the loss and gave us back our cash, but what kind of justice is it when scammers get to go free with the cash they stole?

Re:Here is what I do

[Cruciform]

As an addition to the first point, if you're going to do it at a store choose one that let's you swipe the card yourself. If they have to swipe don't let your eyes off the card. If the card reader is out of view it's in your best interest to go somewhere else.

Toronto police busted 70 people working at convenience stores for double swiping a few years ago. (Between 98 and 2001, as I lived there at the time). A second reader located beside the primary was used to collect card info. I don't know if cameras were used to collect the pins or not.

Since the story at the time indicated that it was mostly employees that had been approached by people not involved with the store, I'm guessing the machines were portable so they could be brough t in and out with the boss none the wiser.

metaphotos, thumbprint readers

[summernot]

Too bad they didn't take pictures of the dissected device with the included cybershot.

They should start requiring thumbprints at the ATMs. I'm typically a privacy freak, but I woldn't be averse to something like thumbprint readers installed on my bank's ATMs.

An idea

[Anonymous Coward]

PIN numbers and the way they are entered have terrible security implications.

Why can't you, say, have a 5 digit number and the ATM machine would ask you something like "What is your first, third and last number?" or "What is your first number plus your fifth number?"?

Or how about you have to look through a keyhole to see the ATM monitor so nobody else can see it. Then, before it asks you to enter your details, it shows you the mapping of the keys on the keypad. So, if you have a 9 digit keypad, it would shuffle the numbers around you look into the keyhole and see:

167
482
539

Then you'd press the button that is in the right position for each number.

Re:Makes you wonder

[TykeClone]

In the US, this is governed by "Reg E" for electronic funds transfers. The customer (victim) has up to 60 days from the cycle date of the statement where the fraudulent charges are reported to contest them - makes for a good reason to at least look over your bank statements when you receive them!

Re:Easy as Ebay

[ianr44]

Why convert to digital when you could just use the mic/line in? The adaptive clock stuff is fairly trivial to do in software.

Re:Interesting camera

[Stephen Samuel]

This camera captures 15 seconds of video... Card goes in, activate a 15 second video grab... that should be more than enough to catch the 4-6 digit code most people use. (usually 5 seconds or less). the 500MB card means that you could save a LOT of those videos...

The biggest thing seems to have been the size...Once they ripped it out of it's housing, the camera wasn't much bigger than the batteries.

At $1000 per setup, thay'd only have to catch 2 cards to get their money back. After that, the rest is profit.

Re:Idea!

[Hi_2k]

This was modded funny, but Vigilante anti ATM-scammers may be a good idea. Freelance geeks who get cool toys in return for making the world safer. Win-Win situation.

IR LEDs

[swampa]

Recently I noticed that on Commonwealth Bank ATMs in Australia, that there had been LEDs affixed to the side panels about 3/4 the way up

I hadn't thought to much about them until now, but maybe they are the latest (and cheapest?) defense against these card capture systems (seeing that the IR would ruin the photos)

Smartcards

[StArSkY]

Over here in Australia some of the banks have started a transition to Smart cards. The Idea being that it is a lot harder to duplicate a microchip than to fake a magnetic strip.

ANZ Bank [anz.com]

it also uses the Microchip as part of the auth for web banking. So what if they get your pin, how the hell are they going to duplicate the smartcard.

Re:550 Pounds of money?!?!?!?

[andynz]

Reminds me of one of my favourite Terry Pratchett quotes from Good Omens.

Two farthings = One Ha'penny. Two ha'pennies = One Penny. Three pennies = A Thrupenny Bit. Two Thrupences = A Sixpence. Two Sixpences = One Shilling, or Bob. Two Bob = A Florin. One Florin and one Sixpence = Half a Crown. Four Half Crowns = Ten Bob Note. Two Ten Bob Notes = One Pound (or 240 pennies). One Pound and One Shilling = One Guinea.

The British resisted decimalized currency for a long time because they thought it was too complicated.

Re:Insert Your Card Machines Only?

[MBCook]

I wouldn't think that that would fix it. The way the sniffer in the article would work it would still get your card number. I think the only real way to fix this would be to move to smart cards because you would need MUCH more physical access to the machine to install something to monitor the smart card access than to simply read a magstripe.

Now if you used the RFID to prevent access, and not reading that could work. That way even if you got the mag stripe data from someone's card and put it on a blank card, you still couldn't withdraw cash from the ATM without the RFID tag being near. That would work great for credit cards and such too.

Withdrawling from a teller is quite safe, but now most banks charge you extra for that becuase it requires them to hire actual people.

Re:Death of the PIN

[dcam]

Or you lose the thumb in an accident. Equally it could be damaged to an extent that the scanner could not read it (eg you cut it and put a bandaid on).

Re:prevention ...

[gordguide]

I always do this, although my method is a slight variation. I like it better, but people are free to try anything that works for them.

It's quite easy to do, and if you take the time to practice it each time you enter a PIN for a short while, it becomes second nature and you don't even need to think about it (leaving you free to scope out the area, the people around you, and yes, even look for cameras, as you should do at any ATM). I almost never have received a dialog about an incorrect PIN. Maybe it happened once (I've done this for years), but I can't remember any incidents of bad entries.

What I do is place more-or-less my whole hand on the keypad, with pretty much every finger and my thumb touching a key; and press the relevant numbers with different digits (fingers/thumb).

You hand barely moves when you do it right, and all the fingers, including the unused ones, kind of move a bit when you enter a number; it's really impossible to know which keys were pressed in which order. Try it.

Re:Questionably Legal???

[Jeremi]

Sounds cool... but just out of curiosity, is it legal to make your own ATM card?

Re:shouldn't ATM machines be designed better?

[edp]

"You have a reader that reads everything on the card on the way in, so they get the public key."

You don't send a key, you send a challenge that somebody with the private key can answer. There are challenge-response protocols that reveal zero knowledge to eavesdroppers. One of them works something like this: The card knows secret number X. The bank computer knows secret number X^2. (All arithmetic is done modulo a preselected large number with certain properties.) For one challenge, the card makes up a random number R and transmits (RX)^2. The bank flips a coin and asks the card for either RX or R^2. If the card really knows X, it can easily answer either question. In either case, the eavesdropper sees (RX)^2 and either RX or R^2, but, because of R, these are just random numbers -- if R is uniformally distributed (over the modular domain), then RX is also uniformally distributed; there is no information in it. An eavesdropper can learn what X^2 is, but the numbers are chosen so that it is (believed to be) extremely difficult to find X from X^2 (modulo the preselected number).

Could somebody pretend to know X? Instead of sending RX, they could make up a number S and send S^2. Then if asked for RX, they could send S, and it would pass the check. Alternately, they could spoof in a way that allows them to correctly answer a request for R^2. However, it is as difficult to be able to answer both as it is to find X from X^2, because being able to answer both gives you the information needed to find X.

Since a malicious person could spoof the test half the time, you repeat the test many times, say 30 for a one-in-a-billion chance of passing. Various caveats apply; search for "zero-knowledge proofs" for more details.

Re:Convenience or security...

[norton_I]

That is strange, every person I know who has been victim of fraud of this sort (4, I think: 1 ATM fraud, 1 check fraud, and a couple of credit card frauds) has gotten their money back. It does not matter if they catch anyone. In fact, in most cases, the victim never knows if the perp was caught -- the bank just wants to take care of it quickly and quietly.

The only person I know who had to do more than that was the check fraud victim, because in addition to dealing with the bank, there were lots of angry merchants who wanted to know why her checks were being bounced.

Re:hunh...

[M. Silver]

If someone could break into an ATM and install a camera and reader, why not just take the money inside instead of leaving all that gear around?

Aside from the fact that skimmers generally don't involve getting into the ATM at all, "getting into" the ATM is quite a bit different from getting into the cash safe inside. In fact, in any case where the ATM is serviced by an armored-car service, generally the owning bank can open the ATM but even they can't open the cash safe.

When I worked at the bank, we had someone take an ax to one of our brand-new ATMs. It was annoying all around because on his side, (1) it wasn't live yet, so there wasn't any money to steal, (2) he couldn't get into the safe anyway, (3) he cut himself trying; and on our side (1) the ATM itself was a loss, and worth more than the amount of money it could hold, (2) we'd *just* finished configuring and testing it and now had to start over, and (3) the video camera wasn't live yet so we didn't get to see the guy. (We did have some nice blood samples, and bloody fingerprints, but I never heard if anybody got caught/charged.)

Re:Why use someone elses machine?

[gordguide]

I know a few people who have delved into the 3rd-party ATM business. Note to non-Canadians: by law the bank has to let authorized independents access the Interac system. You go through quite a bit of verification; it's no way to scam anyone.

The machines usually cost near $C 10K each, I suppose it's possible to buy one for half that used.

The hard parts are:
You need a bunch to really make it worthwhile; one machine is too much trouble for the piddly returns you get.
They don't hold much cash; you have to refill often and it's going to be out-of-order (read: out of money) a lot if it's in a high-demand location. Try the 7-11 or a local bar.
You have to somehow get a good location; usually this means giving a half-cut to the owner of the business you put it in. Indoors, locked at night, basically.
You have to have the cash to keep it full; you need a float of a couple grand a machine, minimum. More is better, saves trips to fill it up, but you can start with that and fill it twice a day if you have to, till you start making money.
After you piece off your retail partner (for the location) you can gross 75cents a transaction. If it's really competitive (as it seems to be where I am) you might end up giving the store a buck to keep the machine on their premises. At 100 transactions a day, that's 75 bucks or less. A hundred transactions requires a float near 10K per machine, or alternately thrice-a-day refills. Now you know why you need to have a dozen or so to start; one machine is just as much trouble as 10, so you may as well make a full-time job of it.
Most of your machines won't average that many transactions. A hundred a week is apparently more common (they're everywhere; and each new one siphons off some of your traffic).
The guys I know recently sold them off; the two of them had 8 altogether. Too competitive, the damn things are everywhere and many bar owners, gas stations and convenience stores just buy their own and keep the whole buck-and-a-half.
They didn't make a killing; but if you were really into it and got up to 20 machines the income would be enough to support a full-time person. Hardly lucrative, but an enterprising individual can do OK.

Re:This only works with poorly designed ATMs

[Syclone]

Motorized readers are on the way out most places. The reason the bank/ATM operators don't like them is that if you get a message to capture a card over the network, and your machine has the capability to capture a card, you must capture it. This is a good thing, getting hot cards out of circulation, right?

Wrong, at least for the bank. If you capture a card, that means you have to deal with it later. Somebody has to remove the card from the machine, then you get into all kinds of internal control problems and procedures having to do with said captured card.

Best answer is to have a dip or swipe reader than cannot capture cards. If you cannot capture cards, you aren't violating the ATM network rules by not capturing the cards. All your internal control, security concerns, and logistical problems associated with the captured cards are gone.

Another reason not to capture cards if you can avoid it is that you cut down cutomer complaints from people who leave their cards in the machine (even through the incessant beeping) while distracted or people who screw up their PIN too many times so the machine keeps their card.

BTW, personal pet peeve: "PIN Number" and "ATM Machines" are redundant phrases :) It is like saying "Personal Identification Number Number" and "Automated Teller Machine Machine".

Yeah for fingerprinting at the very least

[MCRocker]

At the very least the cops, err... bobbies, might have been able to get a finger print or two, trace the purchase of the camera or the serial number on the SD card. Even if it doesn't lead to a direct capture, this sort of thing stays on record and can be used later when these scammers inevitably get nabbed for something else down the road.

Besides, what about the other victims? Now there's no evidence that they were scammed too. They might have to eat the loss themselves without some corroboration that they were scammed.

Also, the equipment may have cost the scammers more than this particular victim lost, but is this junk really worth much at all to the victim other than bragging rights?

Finally, aren't a lot of British cities brimming with cameras these days? If this stuff had been left in place it might have been possible to track the scammers when they picked the equipment up.

Did I miss the part where....

[jeaster]

They tell us how they put the devices in place? 1) They put them in place, and hope the surveillance tape is overwritten before anyone knows to look. 2) They obscure or cover the camera long enough to put the devices in place. The second seems more likely, but I also assume maybe all those atm's don't have camera's. Seems like when the reports started coming in of this, you could go back and see when the new "parts" got added? Naive? Missing something? probably, but I want to hear YOU say it.

ATM security issues in Austin

[caviedrums]

The U.T. Police Department Web site has an interesting article [utexas.edu] about skimmers in use in the Austin area. Check out where they put the camera!

Re: Metric System

[ArekRashan]

Actually, there is one rather good argument for using "English" measurement, at least when one is evaluating length.

It is far, far easier to split measurements in the English scale into fourths and thirds. The math is much simpler to do in your head. Halves work just as well as in Metric (Decimal). Fifths work better under Metric, but English can do sixths.

This is a simple consequence of their prime factors: 2*5=10 as opposed to 2*2*3=4*3=2*6=12.

Feet to yards brings us to 2*2*3*3=36, which is strange but functional, and then we come to miles which is where it all falls apart. But we can't afford to replace all the signs with kilometers per hour. I'm not sure I'd trust American drivers to make the transition safely, either.

Metric is a perfectly valid scheme to nearly all your measuring in. It is superior in several ways to English measurements, but there are valid reasons for not switching to it.

I believe that most people don't want to swap our convoluted babylonian time system for decimal time, and I consider this an example differing in degree but not type from the English/Metric debate.

Much Love,
ArekRashan

Re:Questionably Legal???

[LostCluster]

Sounds cool... but just out of curiosity, is it legal to make your own ATM card?

To make? Sure. Afterall, an ATM card or credit card is nothing more than a piece of plastic with a standardized magnetic stripe that repeats the same 16 numbers that are on the front of the card over and over.

To use? Uh... well, that's up to your bank. I kinda doubt they'd be to happy with it.

Microwave/Thermal cracking

[quinkin]

I am yet to see a private key style card system that could not be coaxed into seeding subtle bit errors into the authentication encryption through microwave/thermal interference. This can then be used to interpolate the private key.

It would raise the bar, but I don't believe it would prevent the attachment of card readers. They may however need a number of samples, so it could restrict it to regular users of the installation.

Q.

Re:550 Pounds of money?!?!?!?

[Anonymous Coward]

True, although many (if not most) Canadians still measure weight in pounds and height in feet and inches.

Re:I'll drink to that

[Bastian]

The worst I've seen is one at a 24-hour restaurant I used to work at. The POS machines were linked to an NT server in the back office, and queried it for data about the tickets so we could scan a bar code on the ticket to have the POS machine automatically register the payment due and such as well as to verify that the bill was paid.

Too bad the NT server had to be rebooted and its software restarted once a day. The whole process took about 10 minutes, and the cash drawers wouldn't open so we could ring anyone up manually and scan the tickets later during that time. Customers had to stand at the counter and wait if they decided to leave at the wrong time.

Granted, I imagine part of the time delay is bad system set-up (Why can't the server software start up automagically when the computer boots, eh?), but still, you can't open the cash drawers if the server is down!?!?

There's an additonal more mundane component

[Sycraft-fu]

The fact that to interact with a smart chip, it has to stay still and have an electrical connection. The reason a false front can work on mag stripe is because the stripe is read by passing it over the reader (eg swiping your card). You just place another reader in front of the real one and as the card passes through it gets read.

A smart card is quite different. You insert it into a recepticle which has contacts for the card. That then powers it and sends it data. The transaction doesn't start until the card is locked in and it is immobile during it.

This is rather more difficult to spoof. You'd need to hold the card in your reader, and then communicate the results to the ATM. Problem is that the ATM easily could (and probably would) be rigged to eat any card left in it for any length of time, and to not start a new transaction until it underwent a release, insert cycle. So now you need to make your front take the real card, insert it's fake card, and process the intermediary transaction.

All this has to be overcome before you even get to try and deal with all the cryptographic stuff, which is the real hard part.

Re:550 Pounds of money?!?!?!?

[adpowers]

I'm American and would love it if we switched to SI units. Unfortunately, there are a lot stubborn, legacy Americans.

Between science in public schools and drugs, most youth know the metric system anyway. Actually, most adults I have met know it as well. Hell, I can't see any reason to hold on to the Imperial system. It really pisses me off. I try to use SI whenever possible.

adpowers

Re:Questionably Legal??

[Anonymous Coward]

I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.

About $2 from every CD-Burner goes to the record companies. Why not media as well? Heck, I want $1 from every crowbar sold because it could be used to break into my car. I won't get it only because I don't have enough money to bribe^H^H^H^H^Hlobby my congressman. O well dems da breaks.

Re:hunh...

[dave1212]

I wear a hat, and drop it on my hand when i enter my pin. would seem to be fine, at least until they start using keypad overlay things..

Why are US banks still using magnetic cards ?

[dargaud]

Many other countries have been using cards with embedded chips for something like the last 20 years: you cannot copy them and they can contain their own hard wired algorithms to test for challenge/response from the reader.

It may sound like a troll, but why is the US so conservative in regard to their money: card with only a magnetic stripe that you can copy with a 80$ reader, money in 2 colors on plain paper that you can xerox (almost [slashdot.org]) easily...

In Japan, ...

[KlaymenDK]

... they have some old ATM where the numbers are arranged in one loong row of large buttons ... completely impossible to hide what you're typing.

But then, their new generation of ATM's have a touch-screen LCD to display the number pad -- and the digits are randomly rearranged between uses. Now that's secure (but not so ergonomic).

Re:hunh...

[CreatureComfort]

That's why the new trick here in Texas is to steal an SUV, or pickup with a big grill guard, and smash it into the ATM. Makes a nice big mess, and handily pops the hinges on the safe most of the time. If it doesn't pop the hiinges, it at least breaks the safe free from its mountings so it can be picked up and taken away to someplace with a cutting torch. In addition, it generally makes it easy to take the camera/video system, so they can't see who did it. We've had 12 of these crimes happen in the area so far this year.

Unfortunately, they hit the drive through ATM that I use most, and it still hasn't been replaced. :-(

Re:550 Pounds of money?!?!?!?

[JeremyALogan]

I suppose all new signs would have both systems used could be a start.

Here, in Alabama (go ahead and make the jokes), they put up metric roadsigns for the 1996 Summer Olympics (in Atlanta). The idea was that it would help all of the foreigners that would, invariably, be here. After the Olympics were over, and after spending millions on the signs, they promptly took them back down leavin only the traditional imperial signs. I finally thought we were making progress. Turns out our government was just wasting more of our money.

Note that Section 331 of Fiscal Year 1994 DOT Appropriations Act, signed by President Clinton, restricts use of funds for highway signs using metric measurements. They're just trying to make it harder.