ATM skimmers with SMS

You may want to be more careful where you put that ATM card. There are now ATM skimmers with SMS notification. ATM skimmers are placed over real ATM slots and the information off the cards as they’re inserted. The new models will send the skimmed information via SMS notifications to a phone that’s attached to a computer. This solves the problem of scammers needing to retrieve their skimmers without attracting the attention of police. ATM skimmer manufacturers have so far been really successful because of their commitment to security, from the paint they use to cover their skimmers to their exclusive clientele. The manufacturer of this particular model claims that none of their clients who’ve used this new ATM skimmer has been arrested, and they only accept business from “recommended” clients. We think it’s interesting and ironic how these criminals have adapted their security procedures to deal with institutions we wish were more secure.

Comments

  1. ali Raheem says:

    HAHAHAHAHA!
    From the blurb provided by the makers:

    “The data received by your PC is being coded instantly to prevent it being used and accessed by unwanted persons.”

  2. J says:

    The dark side catches you with cookies; and keeps you with ATM skimmers.

  3. c-man says:

    This is kinda funny, because my mom just had her debit card info jacked. Someone actually made a fake of her card and used it to purchase about $2000 worth of goodies. lol.

  4. twoback says:

    It seems like an easy fix to this would be to encase the entire ATM in Lexan. Except for the touch screen, and a very small slit just for the card to come in and out. This would prevent anyone from placing a skimmer in the first place. This wouldnt stop people backdooring stuff, but ive only heard about the backdooring going on in terms of portable readers and not full fledged ATMS.

  5. Why the hell they use their intellect for stealing? They could make something for the good of mankind and make legal money!

    Is the same with Chinese products, why make a device exactly the same if you can do it different and probably better? (Original has better ads :P)

    I had my card cloned a week ago, the problem is they got my PIN number because they draw money from an ATM in a totally diferent city. How they got my PIN if it was cloned in a gas station when you don’t put your PIN?? Social hacking involved I believe.

  6. I don’t see the special utility of lexan, although admittedly certain design changes could make one of these overlays more obvious. You could just as well do a number of other things, such as make a multitouch display where the order of buttons is randomized with each cycle, or embed inductance sensors.

    Just as well, people could go inside their bank and make withdrawals from an actual teller.

    Anyway, the device seems to do rather well defeating the local police, whose strategy is still to try to wait out the thief returning to the device. However, if specialists were to get involved, it would not be too hard to track down the real physical location of the receiving phone and catch the perp. It would be much better for it to send sms to an email account.

  7. epicelite says:

    Spy sappin my ATM!

  8. rivetgeek says:

    The solution here is obvious and simple. Use PKI to encrypt the magstrip data.

  9. vw says:

    Over here in Europe many skimmers are equipped with microcameras so they can track the card owner typing their code. They don’t always use SMS though; some keep their data in a small memory card, others transmit the data via a rf link to the scumbags van parked two blocks away.

  10. joelanders says:

    @rivetgeek regarding the encryption of magstripe data:

    i don’t think it matters whether or not the baddie can read the info on the magstripe–as long as he can make a bit-for-bit clone of the card, he’s happy (and someone is out of luck).

  11. blueragger says:

    tweakers should just die

  12. monster says:

    well, Insipid Melon, i know with verizon phones at least, you can send texts to an email account. just set the address in the “to” field instead of a cell phone number.

    use tor to read the email and you’re in business, just disable the spam filter =]

  13. Alexander says:

    I did a little research and learned that these things don’t come easy or cheap

    you can buy two for the low price of … $16,000…what a steal! you save $1,000 when buying two.

    I guess the good news is that the price will lower their prolification, but when they have a potential of stealing 1600 cards info, how much will it take to cause real damage.

  14. josh jackson says:

    where are these photos from and where did you see them listed for 16 grand. These things are absolutely terrible, not sure how anyone could do this

  15. noogies says:

    Most ATM’s can be made secure from this type of device by modifying the program which drives the stepper motor which controls the card movement mechanism. By drawing the card into the machine smoothly, a parasitic reader can easily record the data on the magnetic stripe. If the card movement mechanism moved the card in a start/stop motion, moving the card only 1/16 inch at a time, with short randomly timed pauses of about 10 to 50ms, it would be impossible to read data from the magnetic stripe using an externally placed reader.

  16. Coderer says:

    @noogies: Look on thedailywtf.com for an article called “the complicator’s gloves”. You’re thinking way, way too hard. Just get all ATMs to use the vertical-swipe type of reader instead of the one where you “dip” the entire card. AFAIK, nobody has figured out how to build an implant to skim from the swipe-type machines. Problem solved!

  17. Lieven Blancke says:

    Solution: migrate the whole system to chip cards (“impossible” or less easy to copy). But then you would have to change the software and the card readers in all the terminals. In Belgium they use debit cards with magnetic stripe and chip combined.

  18. loup says:

    I repaired ATMs for a while, the only place that I would trust and ATM is at a casino. You even look at those ATMs funny and casino security is all over you.

    Even banks aren’t reliable for watching their ATMs. I had to make a minor upgrade to a bunch of ATMs and at the banks I started by finding the bank manager and letting him know that I would be working on their ATMs, after about a dozen banks I stopped bothering with that cause they didn’t care, I just went straight to the ATM at that point. I wasn’t even wearing a uniform, just street clothes.

  19. jweller says:

    @ monster

    you can do email to SMS with pretty much all of the US carriers. it’s just 10 digit number @ carrier

    Alltel @message.alltel.com
    Cingular @cingularme.com
    Nextel @messaging.nextel.com
    Sprint @messaging.sprintpcs.com
    SunCom @tms.suncom.com
    T-mobile @tmomail.net
    VoiceStream @voicestream.net
    Verizon @vtext.com

    I use this all the time in a bash script to alert me if something is wrong with a server.

  20. rasz says:

    Its a picture set of a hacked together setup to steal peoples pin and magstripe data:
    http://halbot.haluze.sk/?id=4247

    with camera and everything, made with cheap phone

  21. Justin Time says:

    @insipid melon: two thoughts

    a) It’s helpful to give your own blog URL correctly.

    b) Why you hatin’ on skiers? Don’t you know that Black Men Ski? http://www.ted.com/index.php/talks/stew_says_black_men_ski.html

  22. Skeat says:

    Just a though there. If I wanted to be a criminal and read this post I would think twice about even trying to seek this out. As they say to good to be true. All the info you need except how or who to contact is right in the linked article. Almost perfect, too perfect if you ask me. Seems like its a perfect bust opportunity. Cops make a fake product, make it hard to get. So when you seek it out and somehow get the right contact and are told your getting it via some underground bad guy you feel really, really special and wont back out. When you go and pick it up, the blue furry is there waiting. The other part to all of this is I am sure that SMSing your captured CC# isn’t all that new. So this would be something for more like a would-be skimmers I think.

  23. groeber says:

    good luck turning the site into a techie-news blog. there’s already plenty of those, and very few about hardware hacking. time to drop hackaday from my bookmarks. bye

  24. gstar says:

    go to hell you flippin scammers, i’m sick of all these people coming with all the good stuff only to scamm the hell out of me. I want someone with balls and who want serious business coz i so want the damn skimmers not empty promisses and i’m talkin of big flippin orders

  25. cde says:

    @ coderer: Swipe style skimmers do exist.
    http://blog.creditorweb.com/wp-content/uploads/2007/12/skimmer.jpg

    http://www.ou.edu/oupd/skimmer2004.jpg

    http://www.maderatribune.com/content/img/f197030/1006cardskimmer.jpg

    People have been putting them on redbox video rental type machines, so the swipe just looks longer then normal.

  26. Even if it is PKI then the data on it can still be cloned as a mag strip can’t do a challenge response. So you just clone the key stored on the card and it is still yours. The lexen cover would kindda work, but you still need to stick your card somewhere and then they just put suction cups on the back of the reader and stick it to the outside of the lexen cover.
    A screen like old ATM’s had would be better, that only opens when someone comes near, when the screen closes the atm could scan its surface for any anomolies from skimmers to number pad covers.

  27. draeath says:

    @skeat:
    Whats a blue furry? Is it related to the other furries?

  28. Circs says:

    @groeber: Bye, won’t miss you.

    @gstar: You fail at forming a coherent thought.

    @cde: nice find, figured they would exist.

    Oi, this is a pretty interesting nut to crack.

    I have to say I very easily could have been had by this sort of trickery and I’m fairly vigilant.

    However I’m going to ask the obvious question: How come the banks aren’t keeping an eye on this? Let’s say you’re one of the banks with 0% fraud liability, that means the money they stole comes right out of your pocket.

    Just a thought.

  29. jaded says:

    @circs: In the US, credit cards have a $50 liability (if you follow their rules regarding reporting, etc.) but debit cards offer no such protection. A thief could clean out your bank account with one of these and you would simply be poorer. Some banks will honor a sworn affidavit and repay your money, but they are under no legal obligation to do so. Other countries have other laws regarding limitations, of course. That’s why checks, check-cards, and debit cards are horrible financial instruments, and are worse in the hands of ignorant people.

    And to everyone who thinks there is an easy technical solution to these problems (stripe encryption, Lexan, vertical swipe readers, chip and stripe, near-field-RF, etc.) you’re unfortunately wrong. There are a large number of security professionals attempting to find ways to stop these people, but none of the effective ways are “backwards compatible” with the people who have to use them. (That’s my polite way of saying too many people are too stupid to learn another way to use a credit card.) Many are too stupid to spot a skimmer glued to a glass plate, especially when that skimmer has a Wells Fargo logo with a “Swipe card here” sticker on it.

    The problem is credit cards became “easy to use”, and anything that makes them “harder to use” will not be a commercial success. Unfortunately, that ease came without a single thought towards security.

  30. gor says:

    vigilance is the price of freedom from such forms of theft and fraud…

  31. Stephen says:

    First off, I only go to my bank to use my atm card. Ours have a manual reader, push the card into and then pull it out. No place to place a skimmer. A lot of the major banks here are using that method now, as well as gas pump readers. Most of which also have cameras watching everything. Interesting reading though.

  32. Chris says:

    No, the lexan thing would work. If people knew that it had to be a smooth lexan sheet, then none of the superficial skimmers would work, it’s a whole different story if they have access to the internals, and skimmers are the least of your worries. Wait. If you had a skimmer that was an entire lexan sheet…. then the touchpad keypad wouldn’t work. I think that this actually is a solid answer. It won’t start until skimming goes huge, but its good to know there are options.

    @stephen… not really. There have been skimmers on push-pull machines. All they have to do is have a secondary housing 1/2″ thicker around one spot. And camera’s aren’t all that much of a deterrent to this type of crime (gas station camera’s, atleast. Casino camera’s / eye in the sky can get a clear shot of the face, and you can’t walk into a casino wearing a mask.)

  33. spacecoyote says:

    Fight SMS with SMS. Have your bank SMS you whenever your balance changes (some banks do this already).

  34. Emperor says:

    In South Africa, the banks have started installing JITTER, which makes it impossible for skimming devices to function properly. It makes the card slot vibrate at different frequencies each time. The vibration casues the card to move forward and backward, confusing the hell out of any skimming device and since JITTER uses random vibrating frequencies each time (and changes it every second, causing different vibrations in the same card), the skimmer is left with absolute crap.

  35. spiders88 says:

    in holland they’ve put a new part over the card-slot, don’t really “know” what it is, but i think its a procsimmity sensor (sorry for bad english), that way a atm simply stops working if anything is in front of the card-slot…

  36. jeb says:

    I like the proximity sensor idea, combine that with a trap door that lets out a horde of feral badgers and you’ve got a win.

  37. jonhnathon says:

    Man that to me is just amazing. I hate that peopl do it but to have a company that helps out criminals Is kinda new to me. But I was wondering where could I get one of those at.

  38. Vengeance is Mine says:

    Thieves suck.

    The murderer who hung on the cross next to Jesus repented and was saved.

    The thief grumbled, blamed the world, and went to Hell.

    The answer to these criminals is as follows:

    Suppress all phone and radio waves within the area so only a land line works. Think Faraday Cage.

    Build better ATM machines that sense when something touches their face and takes a picture. Then you have the baddy. Also disable the machine with a warning on the screen. I’ve been hacked, push off.

    Sue the ATM and/or bank for not providing security such as cameras. They don’t mind snapping pics of US. Why not THEM? One the ATM companies whose fault this really is, have to start reimbursing victims for their cheesy product failing to protect the public trust, they will join the fight or perish from lack of it.

    Good riddance to those who do not fight.

    A cross awaits you thieves.

  39. daem0nsk33per says:

    Hi all, I just want to birng you some news…if you are interested to buy an atm skimmer even wireless just contact me at daniel.dany3l@yahoo.com

  40. darkforum says:

    Yes, the SMS feature was a wonderfull development in the last 3 years in this business.
    See www . darkforum . net for detailed photos, schematics, etc of our atm skimmers for sale.
    Do not imagine that a real vendor is working from a free US email address….

Follow

Get every new post delivered to your Inbox.

Join 92,339 other followers