Reverse Engineering An ATM Card Skimmer

While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.

The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB, [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.

An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.

Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.

47 thoughts on “Reverse Engineering An ATM Card Skimmer”

  1. “[Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad.” Brian Krebs would be proud.

      1. Shodan isn’t sh1t of all devices. Good encryption will solve 99% of Shodan crap. That said, battery life with even a bulk GSM or 3G upload will cripple it when you can have a crack mug rip it back off for you. P.S. Got a good connection with a reasonable packet limit? You can scan 1000 ports on all IPs in under a week, screw the dan of sho

      2. SHODAN’s not some magic tyrannical AI that can get past any password. IP cameras aren’t instantly vulnerable. Just don’t use the default password and you’re for the better part dandy.

  2. It’s possible this particular ATM had a card reader skimmer attached to it but the card reader skimmer is now gone (e.g. removed by the crooks at some point without removing the hidden camera, removed by the bank/by the cops, removed by someone else who found it randomly)

    One thing I have seen from some banks that I really like (e.g. the Commonwealth Bank here in Australia) is the ability to withdraw money without using your card. You go to the mobile banking app on your phone and access the feature which then gives you one code on your device screen and another code sent to you via SMS. Then you activate the “cardless cash” feature on the ATM and input both codes and you get money without ever inserting your card so no risk of card/pin number skimming.

    No security problems since the codes are one-time-use-only and are only valid for a short period of time (and people using the feature are likely to do it when they are near the ATM) so there is no risk if an attacker somehow steals the codes as they get input into the ATM and there is very little risk even if a hacker is able to steal the codes somehow before they get used.

    Oh and the feature is protected by the same internet banking security as everything else, which means any attacker who can get into the internet banking app and use the feature can just as easily use a direct bank transfer to transfer the funds out to another account and not need to actually go to an ATM to do it.

    1. The rumors are that big banks here in the US are working on Apple/Android pay integration with ATMs rather than adding chip readers. That’s a step in the right direction. I boldly predict that by the time my child has children that those kids will get credit cards without a magnetic stripe on the back at all.

      1. In europe, a lot of cards already lost their magnetic strip…
        we use a chip…. (not swipable, but still skimmable by introducing a stealth chip reader) however: copying the card is near impossible

    1. Or a police officer/bank employee happens to arrive at that exact moment. Being caught taking the skimmers might not be great. A best practice if you’re not planning to reverse engineer the hardware would be to call the bank right there from the ATM if possible. That way you aren’t caught taking it, and the crook won’t come recover it when you go for assistance.

      1. The good news is that bank ATMs are under video surveillance. When they review the footage, they’ll hopefully notice that you aren’t the same guy that stuck it on there in the first place.

          1. This /\ I agree
            If I suspected a device that didn’t belong there, I’m not touching it. Call the cops or the bank. Last thing I want is someone claiming that I’m part of the problem. I’ve never seen a skimmer but the bank once sent me a new card because an ATM at a 7/11 was ‘compromised’.

    2. Talking about this, I wonder if it’s a good idea to publish his teardown on his own blog with his full name…
      I wouldn’t have touched this thing, just call the bank or maybe the police.

    3. I’d do what he did and show it being dragged out and waved about unlike an organisation that’ll pocket it right after if you watch the video on link. Then you get to break funny hardware apart. If you informed the police they’d just write up a paragraph and bin it

  3. Seriously, are people using cash anymore?

    But on a more sincere note, magstripe cards are way too weak. Here (Scandinavia) chip has been required for many years, and last year they even stopped having magstripe on cards as default (though you can still get one if you need it). EMV rollout in some parts of the world has gone at a glacial pace (yes, I’m looking at you America!) and has been a serious hindrance for updating payment cards to new and more secure technologies.

    Which might be the explanation why he saw no card reader, they were content with getting the pin, the card would be “acquired” through other means.

    1. >Seriously, are people using cash anymore?
      Using a paycard (what’s the right word?) produces a lot of data. If you worry about NSA and other criminals, cash is a really good thing…

    2. Cash is easier to use when the power goes out. I used to carry less than 50 bucks at a time but on February the power was out for a week! Otherwise, I do use bank card for most everything except some stores that I don’t trust. I do wonder if someday the bank network or internet fails and the more complex systems will not work. So, cash on hand just in case.

  4. Air-conditioned booth without surveillance camera, ATM without surveillance camera, bank that doesn’t give a shit about their users being robbed … pretty place that Indonesia.

