Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck Hardware

Visual Autopsy Of An ATM Card Skimmer 880

Bert64 writes "A chap at work was recently the victim of an ATM card skimmer which took his card details, cloned them and allowed the fraudster to take 550 pounds out of his account. Having tried to explain how the fraudsters can hide a camera and card reader around the ATM, he decided it would be easier to show one of them after a few drinks down the pub. He was a little surprised to find that the machine he chose had a card reader and camera in place. These were removed and analysed, we believe we have reclaimed about 800 pounds worth of kit. Result: Pictures."
This discussion has been archived. No new comments can be posted.

Visual Autopsy Of An ATM Card Skimmer

Comments Filter:
  • by Anonymous Coward on Monday February 23, 2004 @09:10PM (#8369347)
    Holy cow! That's a lotta dollars! Hope he hurt his back carting it all away. ;)
  • Mirror in case of /. (Score:4, Informative)

    by mixy1plik ( 113553 ) * <mhunt.ecin@net> on Monday February 23, 2004 @09:11PM (#8369367)
    This is a bit creepy. I always wonder when I hit those run-down ATMs in the corner of convenience stores if I might have my card nabbed.
    I've stopped using some of the sketchier ATMs because of this.


    MIRROR HERE IN CASE OF A /.'ING [sr20.net]

    • Here is what I do (Score:5, Insightful)

      by savagedome ( 742194 ) on Monday February 23, 2004 @09:22PM (#8369466)
      Two things that I always ask my friends to do too.

      1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.

      2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawls have very high APR) as the liability on credit cards is very low.
      • Re:Here is what I do (Score:5, Informative)

        by Abcd1234 ( 188840 ) on Monday February 23, 2004 @09:28PM (#8369520) Homepage
        Actually, correct me if I'm wrong, but with credit cards, my understanding is that you get nailed for interest the *second* you pull the cash out, unlike purchases, where the interest is calculated at the end of the month.
        • Re:Here is what I do (Score:5, Interesting)

          by NMerriam ( 15122 ) <NMerriam@artboy.org> on Monday February 23, 2004 @09:38PM (#8369614) Homepage
          You are correct, cash advances on a credit card start accruing interest from the moment they are taken.

          It used to be that cash and purchases were treated the same, with basically a month interest-free loan as long as you paid your bill in full, but people could just pay one card with a cash advance from another, and be able to borrow money interest-free for as long as they stayed under the credit limit.
        • not anymore (Score:4, Funny)

          by sulli ( 195030 ) * on Monday February 23, 2004 @10:58PM (#8370194) Journal
          These days they nail you for interest the week before you take cash out. And sometimes it's as much as a full billing cycle in advance.

          How do they know, tinfoil-hat man? Data mining! They know when and where you'll be taking that cash out, oh yes they do.

        • by cehardin ( 163989 ) on Monday February 23, 2004 @11:22PM (#8370365)
          Also, remember that many CCs charge a fee for the ATM cash withdraws, usually 1% to 2%, but not to exceed $20.
          Why? CCs make a lot of money from these 1% or 2% they charge for ALL transactions. The difference is that when you use your CC at the store to buy something, the CC company charges the retailer this percentage. When you take out cash, they charge you.

          So, whether you use a CC to buy stuff or not, you're still paying for it. Retailers spread the charge from the CC company by simply increasing prices for everyone.
      • Re:Here is what I do (Score:5, Interesting)

        by Cruciform ( 42896 ) on Monday February 23, 2004 @09:44PM (#8369662) Homepage
        As an addition to the first point, if you're going to do it at a store choose one that let's you swipe the card yourself. If they have to swipe don't let your eyes off the card. If the card reader is out of view it's in your best interest to go somewhere else.

        Toronto police busted 70 people working at convenience stores for double swiping a few years ago. (Between 98 and 2001, as I lived there at the time). A second reader located beside the primary was used to collect card info. I don't know if cameras were used to collect the pins or not.

        Since the story at the time indicated that it was mostly employees that had been approached by people not involved with the store, I'm guessing the machines were portable so they could be brough t in and out with the boss none the wiser.
      • Re:Here is what I do (Score:5, Informative)

        by mcheu ( 646116 ) on Monday February 23, 2004 @10:03PM (#8369796)
        1. If you can, go to a supermarket or any store nearby that gives you cashback on your debit card. I can buy a pack of gum instead of paying stupid ATM fee AND get cashback with NO risk.

        You then end up paying a debit fee instead. Admittedly, it's lower than a 3rd party ATM fee, but it's still more expensive than going to an ATM owned by your home bank. Further, a lot of stores don't want to do this, because:

        a) In one small pissant purchase, you've cleared out the register of cash, which makes it difficult to give change to the next customer.

        b) The store has to pay a debit fee with each transaction. Whoopie, you've bought an 80cent pack of gum (on which only 20 cents profit at most), and are asking the guy to incur 50cents to 75cents worth of debit fees on his end. This is why some stores have a minimum purchase requirement to use debit.

        Also, your definition of "no risk" may not be the same as mine. There have been instances in Canada where some of these scammers have set up shop in a real shop. This is how it's done. The first time they swipe your card through, they swipe it through a slot near the real one, and claim the card was rejected or didn't read right. The second time, the card is swiped through the real one and a the real transaction happens. All the while, the "clerk" is watching you enter your PIN, and he's got a copy of your card now. Perhaps this is why the store doesn't have a problem with giving you a cash advance and being hit by the vendor debit fees on such a small item.

        I'm not saying that every instance where your card gets rejected is a scam, since it does happen that a card will be unreadable or rejected. I'm just saying there's still some risk involved.

        2. Use your credit card to withdraw cash (but make sure that you pay it in the next billing cycle as cash withdrawls have very high APR) as the liability on credit cards is very low.

        What, do you work for a credit card company? Unlike credit card purchases which hit you with interest only if you pay late, cash advances put interest on what you owe the instant you get the cash. You've already mentioned the high interest rate. Even if you pay quickly and on time, a credit card advance will have a nasty surprise attached.
        • by jpellino ( 202698 ) on Monday February 23, 2004 @11:05PM (#8370260)
          IIRC Debit fees are generally cheaper than the credit fee for the same transaction - it's cheaper for them to let you do debit, and you can shop around for a bank that allows unlimited monthly debit purchases.
          and
          IIRC MC/V generally do not allow for minimum purchases for transactions - yes, the convenience store just lost 80 cents to make 20 on your pack of gum, but they just sold a case of beer or the 20 gallon truck fillup on 80 cents a minute ago. It more than evens out for most
          and
          If they are hand entering or mechanically imprinting your card, something's not normal, as they're the most expensive rates (as opposed to just swiping your card). Makes you go hmmmm...
        • Re:Here is what I do (Score:5, Informative)

          by cyt0plas ( 629631 ) * on Monday February 23, 2004 @11:52PM (#8370540) Journal
          1) Some merchants charge fees. Many don't as it's cheaper than credit.

          2) Some merchants offer cashback as an _incentive_ to get your business.

          3) If you clean out the register at a medium to large shop (small shops can be different), you've saved them the trouble. That's that much less cash for them to send out to be converted electronically. Also, it's less cash to send out on armored cars (depending on the size of the merchant).

          4) For the places that eat the $0.20 fedwire (Automated Clearing House) fees, it's typically less than the cost of a credit card, and they often don't have to pay a percentage. Buying nothing more than a pack of gum means they lose money, but they run that risk with a Credit Card too.
    • by Txiasaeia ( 581598 ) on Monday February 23, 2004 @09:39PM (#8369637)
      Forget sketchy ATMs! $500 was taken from my account using an ATM at a local bank branch machine, in a mall no less! Get this -- they caught the guy after he stole about $64,000 CAD, found out that he entered the country illegally and... sent him to prison? Nope. Our illustrious Canadian gov't deported him. They didn't recover any of the money either. Bastard's living it up in the Caribbean with the cash that he wired there before he was caught.

      The bank ate the loss and gave us back our cash, but what kind of justice is it when scammers get to go free with the cash they stole?

  • Easy as Ebay (Score:5, Interesting)

    by Xeed ( 308294 ) on Monday February 23, 2004 @09:13PM (#8369375) Journal
    This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay [ebay.com] for a fraction of what you can scam.

    What ever happened to "Stick 'em up??"
    • by PedanticSpellingTrol ( 746300 ) on Monday February 23, 2004 @09:20PM (#8369449)
      There are plenty of legitimate uses for magnetic stripe readers. Why, here at the University of South Carolina we just installed 3 $1,200 newspaper machines to limit the free newspaper program to students and faculty. I suppose you also think taxing blank CD-R and giving the proceeds to record companies is a good idea, because nobody would ever want to, say, back up data with them.
    • Re:Easy as Ebay (Score:5, Insightful)

      by petard ( 117521 ) on Monday February 23, 2004 @09:23PM (#8369477) Homepage
      That's not questionably legal in any way; that's for a cash register. Many registers nowadays are just PCs and use one of those (generally affixed to the keyboard) to process credit card transactions. In fact, the legality of all of the items involved in the fraud is unquestionable. Turning them into the fraudulent device and attaching them to the ATM, however, is just as unquestionably illegal. (FYI, in case you're unconvinced about the Ebay auction, you can walk into any office depot and buy the gadget you linked [officedepot.com].)
    • by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Monday February 23, 2004 @09:25PM (#8369502)
      There are a myrid of legal uses for stripe readers, including computer and home security, and making really cool copies of your bank cards*

      I have a friend who has a reader who does this.. he takes a plastic generic card with a cool photo on it, with a blank stripe, and copies your ATM stripe onto it. Fully functional, totally customized ATM card.

      You should see the looks he gets using his "superman" debit card.
      • by Jeremi ( 14640 ) on Monday February 23, 2004 @10:31PM (#8369998) Homepage
        Sounds cool... but just out of curiosity, is it legal to make your own ATM card?
        • by LostCluster ( 625375 ) * on Monday February 23, 2004 @11:21PM (#8370362)
          Sounds cool... but just out of curiosity, is it legal to make your own ATM card?

          To make? Sure. Afterall, an ATM card or credit card is nothing more than a piece of plastic with a standardized magnetic stripe that repeats the same 16 numbers that are on the front of the card over and over.

          To use? Uh... well, that's up to your bank. I kinda doubt they'd be to happy with it.
      • by Avakado ( 520285 ) on Tuesday February 24, 2004 @06:30AM (#8371963)
        In some countries (or maybe only Norway), whenever your ATM card is used in an ATM machine, the machine writes a new unique code to the magnet strip. The next time you use the card, it must contain that specific code, or it is swallowed.

        Sadly, the terminals used in stores cannot do this, so you have to use your card in an ATM every now and then, to make sure nobody has a copy of it (quite the opposite of the problem mentioned in this article).
    • Re:Easy as Ebay (Score:5, Insightful)

      by confuse(issue) ( 750477 ) on Monday February 23, 2004 @09:29PM (#8369532)
      This is a growing trend. Along with other questionably legal items, you can find a card reader from Ebay for a fraction of what you can scam.

      What a good post 9-11 American citizen. You are right in calling it 'questionably' legal, unfortunately (for you) the answer to the question is yes it is legal. The government does not need to put Laws on everything that can do bad things, the laws should instead target bad things. DVD recorders should not be illegal...selling (or even just giving) a burned DVD of Star Wars should be illegal. Having a magnetic card reader is a great exercise in driver writing and or learning about it for POS apps (not piece of s&^t apps).
      • by nfras ( 313241 ) on Monday February 23, 2004 @10:17PM (#8369900)
        selling (or even just giving) a burned DVD of Star Wars should be illegal

        I agree, and if that DVD is Attack of the Clones or Phantom Menace, selling any DVD of it should be illegal.
    • by Anonymous Coward
      A card reader on ebay: $100
      Sony digital camera: $500
      Memory stick: $500
      Profit: PRICELESS!
    • Re:Easy as Ebay (Score:4, Insightful)

      by Alan Cox ( 27532 ) on Tuesday February 24, 2004 @04:35AM (#8371671) Homepage
      There are lots of good legitimate uses for card readers - things like swipe card doors, as used by the computer society here, or charging for photocopying (as used by the university)

  • Makes you wonder (Score:3, Interesting)

    by haRDon ( 712926 ) on Monday February 23, 2004 @09:13PM (#8369376)
    Just how many ATMs have this equipment in place?

    Bit of a worry really..

    And just what recourse do victims have? Is there any way to get your money back, or is it gone forever?
    • Re:Makes you wonder (Score:4, Informative)

      by mattjb0010 ( 724744 ) on Monday February 23, 2004 @09:17PM (#8369422) Homepage
      Is there any way to get your money back, or is it gone forever?

      In the terms of my credit/debit card it says if I notify the bank within a reasonable time period of unauthorized transactions I get the money back. I suspect most banks have a similar deal.
    • Re:Makes you wonder (Score:5, Informative)

      by big_groo ( 237634 ) <groovis.gmail@com> on Monday February 23, 2004 @09:21PM (#8369454) Homepage
      This happened to my friends - luckily they were both out of town at the time, and *used* each of their bank cards. The bank gave them an automatic, free overdraft for the amount taken, but it took them about a week to get the money back. (TD Canada Trust, in case you were wondering)

      Banks are insured, y'know...but I have to wonder, if they weren't out of town (and able to prove it) would they have been so forthcoming?

  • by SabrStryk ( 323739 ) <sabrstryk AT carolina DOT rr DOT com> on Monday February 23, 2004 @09:14PM (#8369392)
    This is the sort of thing that makes one wary about the convenience ATMs available in many cities; you'll save more than a surcharge by sticking to your own banking company's systems.

    On a side note, this is probably the most clever fraud I've seen in a long while. Great that these folks ripped out the innards of the scam device.
    • by cmowire ( 254489 ) on Monday February 23, 2004 @09:18PM (#8369427) Homepage
      Well, not really.

      The skimmer is attached to any arbitrary machine without the cooperation of the ATM owner.

      So they can hit even your own bank's machines, if they so desire.

      This is the best ATM scam since... well... the last ATM scam, where they put a complete ATM machine in place. Except they got caught because they tried to stiff their ATM machine supplier.
    • by Man Eating Duck ( 534479 ) on Monday February 23, 2004 @09:26PM (#8369510)

      Great that these folks ripped out the innards of the scam device.

      I'm not so sure about that. When something similar happened in Norway some time ago, the police was alerted and put the place under surveillance. The culprits were caught in the act of removing the devices.

      I think the people who removed it should have done the same, thus helping to catch the bastards. For all they knew, the place could already be under surveillance, giving THEM the blame for the crime...
  • by Monty845 ( 739787 ) on Monday February 23, 2004 @09:14PM (#8369393)
    How hard would it be for someone to design an ATM machine that would make it more dificulty to conceal a card reader... or better yet one that made it impossible to insert your card if anything is attached... it would seem that with some common sense a designer good create some pretty good safe guards... or am I just missing something?
    • by mcpkaaos ( 449561 ) on Monday February 23, 2004 @09:18PM (#8369428)
      or am I just missing something?

      Maybe the ATM designers just happen to be the same folks that are installing the cameras and readers. :)

    • by shird ( 566377 ) on Monday February 23, 2004 @09:52PM (#8369725) Homepage Journal
      Even better would be the use of smartcards instead of current cards. The card simply has its own private key, the ATM machines/bank issue a challenge to the card and verify it against the known public key.

      The private key is never divulged yet the authenticity of the card is known. There is no way to scam the system other than steal the physical card and know what the pin is. These really need to be adopted soon.
  • hunh... (Score:5, Insightful)

    by mekkab ( 133181 ) * on Monday February 23, 2004 @09:14PM (#8369398) Homepage Journal
    Was this the pass through kind? how was the camera attached? If I used one hand to cover the other hand while keying the PIN would that "thwart" it? Great pix but I could also use a little more commentary on what to watch out for.
    • Re:hunh... (Score:3, Insightful)

      by djeaux ( 620938 )
      I did think the "visual autopsy" was a bit sketchy on the way the system was attached to the "host" ATM. It would've been useful if they'd taken a few pix before ripping the thing off the ATM.

      The captions, while semi-helpful, left a lot unanswered...

      OK, OK, I was using the mirror because the original was already in /. heaven... Maybe the original site had more detail?

  • Great plan (Score:5, Funny)

    by Papa Legba ( 192550 ) on Monday February 23, 2004 @09:15PM (#8369402)
    recover 800 pounds worth of equipment and incurr 2000 pounds of bandwidth costs bragging about it. The guy who lost the 550 pounds is going think that was nice compared to what just got done to him by slashdot.

  • That's silly (Score:3, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Monday February 23, 2004 @09:16PM (#8369408)
    Making money by having an expensive digital camera to disguise it as ATM chrome, grabbing PIN numbers and making yes-cards out of the process is dumb. The guy would probably have made more money setting his hacked camera in some lady's shower and selling the videos on the net. Or gee, even selling the hacked camera itself to would-be private-eyes, as most of these folks are willing to spend a lot of money on any spy-ish electronic device, and it would be legal too.
    • Re:That's silly (Score:4, Insightful)

      by Anonymous Coward on Monday February 23, 2004 @09:30PM (#8369538)
      Are you retarded? One day of skimming numbers and magentic strip codes would net you more than twenty accounts, probably containing thousands of dollars each.
  • by maliabu ( 665176 ) on Monday February 23, 2004 @09:16PM (#8369413)
    in case you're wondering:

    To accomplish this task, the thief places an electronic "skimmer" -- a card swipe device that reads the information on the card's magnetic strip -- on the ATM machine. Attached to the device, or placed discreetly elsewhere, is a small camera that captures the customer's PIN number when they enter it. The information is either collected by the device, or transmitted to a remote receiver. The thief then takes the codes and creates a counterfeit ATM card in order to empty the victim's bank account. Some skimmers can even capture the information and send it to the ATM at the same time. Since the machine works normally, the victim is unaware that they have just given a thief the key to their account. copied from here [state.fl.us].
  • Interesting camera (Score:3, Interesting)

    by lukewarmfusion ( 726141 ) on Monday February 23, 2004 @09:16PM (#8369415) Homepage Journal
    Why'd they use a Cybershot? I personally have a DSC-P71, but you could get a much cheaper camera and do the same thing.

    Anyway, I remember reading an article (might-a been on /.) about buying an ATM and hacking the software to record the information for him. It's supposed to be much harder to find than this kind of "noticeable" trick.
    • by Stephen Samuel ( 106962 ) <samuel AT bcgreen DOT com> on Monday February 23, 2004 @10:02PM (#8369783) Homepage Journal
      This camera captures 15 seconds of video... Card goes in, activate a 15 second video grab... that should be more than enough to catch the 4-6 digit code most people use. (usually 5 seconds or less). the 500MB card means that you could save a LOT of those videos...

      The biggest thing seems to have been the size...Once they ripped it out of it's housing, the camera wasn't much bigger than the batteries.

      At $1000 per setup, thay'd only have to catch 2 cards to get their money back. After that, the rest is profit.

  • by amarodeeps ( 541829 ) <dave@[ ]itable.com ['dub' in gap]> on Monday February 23, 2004 @09:18PM (#8369423) Homepage

    Saw this recently on memepool.com:

    http://www.utexas.edu/admin/utpd/atm.html [utexas.edu]

  • Idea! (Score:5, Funny)

    by Dark Lord Seth ( 584963 ) on Monday February 23, 2004 @09:21PM (#8369465) Journal

    Have all Slashdotters run around ATMs and check for card skimmers. If found, remove card skimmer, take home, disassemble, build into $anything, add keypad and have your own PIN access system to $anything! All the while doing the rest of the world a favour by taking away card skimmers! Woot!

  • by King_TJ ( 85913 ) on Monday February 23, 2004 @09:23PM (#8369474) Journal
    My bank uses ATM machines that suck the card completely into the slot, with only a little bit of a metal guide plate exposed below the slot. (Typically, they have a label with arrows printed on it that's affixed just beneath the slot, as well.) If you tried to add some sort of reader device to the front of the ATM, covering the original slot and plate, it would be fairly obvious it didn't belong there. I'm sure it might fool *some* clueless people - but it would surely be ripped from the machine pretty quickly, as someone a little more clueful realized what was going on. (After all, it would obscure part of the label, making it obvious it wasn't part of the original ATM machine.)

    I have a feeling these card skimmers only work on specific models of ATMs (most likely, the little privately owned units you see in restaurants and gas stations, as opposed to actual bank-owned ATMs).
  • Death of the PIN (Score:4, Interesting)

    by So Called Expert ( 670571 ) on Monday February 23, 2004 @09:23PM (#8369478)
    I wondered how long the four digit ATM PIN would last. I also realized that with the phone-cameras, it would be fairly simple to snap a shot of someone's PIN over their shoulder.

    Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?

    ATM bug-detection should be a profitable area of research for the next few years.

    • by 26199 ( 577806 ) *

      Unfortunately biometics violate one of the most basic principles of passwords... they can't be changed if compromised.

    • by Chester K ( 145560 ) on Monday February 23, 2004 @10:28PM (#8369970) Homepage
      Could this be the death of the PIN? What's next - biometrics? Will this last only as long as it also cannot be spoofed?

      The advantage of a PIN over biometrics is that you can always change your PIN.

      Once someone finds out how to fool a biometric scanner into returning your biological data; you're hosed. You can't gouge your own eyes out and replace them with new ones.

      Any security system whose keys can't be changed is fatally flawed and should not be used -- ever.
  • by archilocus ( 715776 ) on Monday February 23, 2004 @09:32PM (#8369562) Homepage

    Hate to be a party pooper but didn't you consider leaving it there and calling the cops ?

    If you had they might have been able to bust the individuals concerned and saved some innocents down the track a lot of grief.

    This way you got 800 quid's worth of stolen electronics, the thief wrote off some capital investment and a couple of thousand /.'ers got some pre-pubescent excitement. Wahooo.

  • Interesting!! (Score:4, Insightful)

    by annielaurie ( 257735 ) <annekmadison@hotmai[ ]om ['l.c' in gap]> on Monday February 23, 2004 @09:33PM (#8369569) Journal
    A couple of months ago my Hotmail account was besieged with spams offering to show me how to make my first million by installing and servicing their ATM machines. I kept wondering if they wanted to make me a shill for some skulduggery like that described in the article. The interesting part was that the ATM's so advertised would be located "in my area," which they had pinpointed at Washington, DC (not far from here).

    Like others here, I've become very leery of using ATM's located anywhere but at banks. I've been driving on long trips a great deal recently, and I've also learned to be a bit discerning about card-swipers in gas stations and even grocery stores I'm not familiar with. It seems a safer bet to hit a bank occasionally to withdraw my allotment of yuppie food coupons ($20 bills) and spend those instead.

    Anne

  • prevention ... (Score:5, Insightful)

    by another_twilight ( 585366 ) on Monday February 23, 2004 @09:35PM (#8369587)
    Most of the scams I have seen like this rely on recording your PIN based on what you type.

    The earliest versions simply had someone peering over your shoulder, or using a camera/telescope mounted up and behind and stealing the original.

    Get in the habit of 'embedding' your PIN within a larger number. Type this longer number too lightly to casue the pressure sensor to register and varying your pressure only on the 'key' digits. It won't fool decent resolution or close observation, but given the angles/lighting conditions and cheaper digitial cameas that are starting to show up, I am guessing that they are going to have trouble working out which hits are the real McCoy.

    Sure it relies on making your case more difficult than your neighbours, but to an extent that is all most locks and security devices do. Sure it's paranoid, and it does take some effort to set up, but muscle memory handles most of the work after a while and these days I only get a few false hits. YMMV
    • Re:prevention ... (Score:5, Interesting)

      by gordguide ( 307383 ) on Monday February 23, 2004 @10:26PM (#8369960)
      I always do this, although my method is a slight variation. I like it better, but people are free to try anything that works for them.

      It's quite easy to do, and if you take the time to practice it each time you enter a PIN for a short while, it becomes second nature and you don't even need to think about it (leaving you free to scope out the area, the people around you, and yes, even look for cameras, as you should do at any ATM). I almost never have received a dialog about an incorrect PIN. Maybe it happened once (I've done this for years), but I can't remember any incidents of bad entries.

      What I do is place more-or-less my whole hand on the keypad, with pretty much every finger and my thumb touching a key; and press the relevant numbers with different digits (fingers/thumb).

      You hand barely moves when you do it right, and all the fingers, including the unused ones, kind of move a bit when you enter a number; it's really impossible to know which keys were pressed in which order. Try it.
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Monday February 23, 2004 @09:35PM (#8369588) Homepage
    The hack done (and those you usually hear about) work by modifying a machine where you have to insert your card. Does anyone know of the machines where you just swipe your card yourself are safe from this kind of tampering? I would think it would be VERY hard to add a skimmer without it being noticed unless you had enough physical access to the machine to take the cover off, make another little hole where the card swipes by and position the magnetic reading head in there, etc.

    Still, very interesting to see. I'm quite suprised at the digital camera half of it. Of course something like using fingerprints or some other kind of biometric would make things much harder for the thief.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday February 23, 2004 @09:38PM (#8369618)
    Comment removed based on user account deletion
  • by minus_273 ( 174041 ) <aaaaa@NOspam.SPAM.yahoo.com> on Monday February 23, 2004 @09:45PM (#8369672) Journal
    the story of the ATM machine left infront of a convenience store. People whould come up to it insert their card, type the pin and be presented with an error saying there is no more money left in the machine. A week later the machine disappeared. All the people who had used the ATM had given the data form their ATM cards and pin numbers to a fake machine that was logging the info!
  • An idea (Score:5, Interesting)

    by Anonymous Coward on Monday February 23, 2004 @09:47PM (#8369691)
    PIN numbers and the way they are entered have terrible security implications.

    Why can't you, say, have a 5 digit number and the ATM machine would ask you something like "What is your first, third and last number?" or "What is your first number plus your fifth number?"?

    Or how about you have to look through a keyhole to see the ATM monitor so nobody else can see it. Then, before it asks you to enter your details, it shows you the mapping of the keys on the keypad. So, if you have a 9 digit keypad, it would shuffle the numbers around you look into the keyhole and see:

    167
    482
    539

    Then you'd press the button that is in the right position for each number.
    • Re:An idea (Score:4, Insightful)

      by cortana ( 588495 ) <sam@robots.orRASPg.uk minus berry> on Monday February 23, 2004 @11:02PM (#8370235) Homepage
      Because--and I know it's been said already, but it's important enough to say again--people are fucking stupid.

      Of course, that shouldn't stop the bank from offering my optional security measures such as the ones you detailed above. Oh well.

    • Re:An idea (Score:4, Informative)

      by glorf ( 94990 ) on Monday February 23, 2004 @11:45PM (#8370503)
      Because the Americans with Disabilities Act forces even drive-thru ATMs to have braille. Never mind the fact that the on screen displays aren't standardized and the prompts point to different buttons at different banks. Any system you come up with that requires a sighted person to operate will not work.
  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Monday February 23, 2004 @09:51PM (#8369721) Journal
    Rule #1: Always remember which machines you've bugged so you don't accidentally expose your work during "investigations."

    Rule #2: If you fail to follow Rule #1, act surprised and shocked at your "fortunate discovery."

    Rule #3: If your work is exposed, especially in a Rule #2 setting, be sure to dismantle it so the destination can't be traced.
  • You idiot! (Score:5, Funny)

    by moosesocks ( 264553 ) on Monday February 23, 2004 @09:54PM (#8369738) Homepage
    You idiot! You just stole your bank's security camera
  • by bad_fx ( 493443 ) on Monday February 23, 2004 @10:17PM (#8369903) Journal
    Here's some great tips on how not to get scammed at the ATM [lostbrain.com]. It's also got some images of a modified ATM...
  • by sPaKr ( 116314 ) on Monday February 23, 2004 @10:27PM (#8369965)
    This just proves that you should smack every machine a few times before and after you use it. If you smack it hard enough you get a few spare parts and protoect your credit. I have taken to kicking, shacking, and hitting every vending maching I use in the name of safty. BTW the same thing applies to people, but with them I have found poking with stick to be the best method.
  • by caviedrums ( 755267 ) on Monday February 23, 2004 @11:15PM (#8370316)
    The U.T. Police Department Web site has an interesting article [utexas.edu] about skimmers in use in the Austin area. Check out where they put the camera!
  • by dargaud ( 518470 ) <slashdot2@nOSpaM.gdargaud.net> on Tuesday February 24, 2004 @03:38AM (#8371495) Homepage
    Many other countries have been using cards with embedded chips for something like the last 20 years: you cannot copy them and they can contain their own hard wired algorithms to test for challenge/response from the reader.

    It may sound like a troll, but why is the US so conservative in regard to their money: card with only a magnetic stripe that you can copy with a 80$ reader, money in 2 colors on plain paper that you can xerox (almost [slashdot.org]) easily...

  • In Japan, ... (Score:5, Interesting)

    by KlaymenDK ( 713149 ) on Tuesday February 24, 2004 @03:53AM (#8371543) Journal
    ... they have some old ATM where the numbers are arranged in one loong row of large buttons ... completely impossible to hide what you're typing.

    But then, their new generation of ATM's have a touch-screen LCD to display the number pad -- and the digits are randomly rearranged between uses. Now that's secure (but not so ergonomic).
  • Happened to me... (Score:5, Informative)

    by jbrw ( 520 ) on Tuesday February 24, 2004 @07:10AM (#8372076) Homepage
    ...almost.

    Went to take some money out late one night. There were about three (eastern european) guys huddled around the machine fiddling. Went to get money out, and the machine held out to my card - you could see the card in the slot, but couldn't get it out. Guys reappear and tell me something like "Oh. I've seen this before. Press blah, blah, blah and enter your PIN" while standing over me. Hmm, I don't think so...

    So, I step back call my bank, wait on hold for an age, and as soon as they hear me confirm to the bank I want to cancel my card, I get my card thrown back at me by said guys, and they scarper into a car that has subsequently double parked.

    I reported it to the local police station, and they said it happens all the time, but it wasn't actually a crime until they withdrew money (!!!).

    It's called a "Lebanese Loop". More info here:

    http://hoaxinfo.com/atmscam.htm [hoaxinfo.com]

    I see plenty of machines in London with glue residue around the card slot. This must happen all the time...

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...