I have a confession to make: ever since the first time I read about them online, I’ve been desperate to find an ATM skimmer in the wild. It’s the same kind of morbid curiosity that keeps us from turning away from a car accident, you don’t want to be witness to anyone getting hurt, but there’s still that desire to see the potential for danger up close. While admittedly my interest is largely selfish (I already know on which shelf I would display it), there would still be tangible benefits to the community should an ATM skimmer cross my path. Obviously I would remove it from the machine and prevent others from falling prey to it, and the inevitable teardown would make interesting content for the good readers of Hackaday. It’s a win for everyone, surely fate should be on my side in this quest.
So when my fingers brushed against that unmistakable knobby feel of 3D printed plastic as I went to insert my card at a local ATM, my heart skipped a beat. After all these years, my dream had come true. Nobody should ever be so excited about potentially being a victim of fraud, but there I was, grinning like an idiot in the farmer’s market. Like any hunter I quickly snapped a picture of my quarry for posterity, and then attempted to free it from the host machine.
But things did not go as expected. I spend most of my free time writing blog posts for Hackaday, so it’s safe to say that physical strength is not an attribute I possess in great quantity, but even still it seemed odd I couldn’t get the skimmer detached. I yanked it in every direction, tried to spin it, did everything short of kicking it; but absolutely no movement. In fact, I noticed that when pulling on the skimmer the whole face plate of the ATM bulged out a bit. I realized this thing wasn’t just glued onto the machine, it must have actually been installed inside of it.
I was heartbroken to leave my prize behind, but at the very least I would be able to alert the responsible party. The contact info for the ATM’s owner was written on the machine, so I emailed them the picture as well as all the relevant information in hopes that they could come check the machine out before anyone got ripped off.
An Unexpected Response
By the time I got home, I had a reply from the ATM owner in my inbox. But rather than an apology for the inconvenience and a vow to investigate the matter, it was a message informing me that what I encountered was not a skimmer at all. It was a 3D printed card reader of their own design that replaces the original hardware. The email went on to say that the idea behind this custom card reader was that it would actually prevent the installation of skimmers, by virtue of being unexpected.
One of the key elements of a successful skimmer installation is investigating the ATM you want to target, in this case a Nautilus Hyosung 1800 SE. Once an attacker knows which machine they are dealing with, they can buy a replacement card reader for it online and know that whatever device they design to fit it will work on the “live” machine when they go to install it. For some of these machines, 3D models of the card readers are already available online if you know where to look.
But imagine you show up to an ATM with your ski mask on and skimmer in hand, only to find that the card reader on this particular Hyosung is totally different from the ones you researched. The reader instead looks like it came from the Duplo R&D lab, making all your careful planning worthless. Another criminal foiled by geometry.
I thought the idea was fascinating, and it was certainly the first time I’d heard of it. I responded asking if they would like to discuss the idea for an article here on the site, but they wished to remain anonymous. Identifying the ATM owner or the geographical location they operate in would compromise the point of their modification, so I can understand their reluctance to go on record. But we can still look at the idea itself.
Dynamic Defense for a Constant Threat
Oozing PLA is my spirit animal, so my mind immediately ran with the idea of using 3D printing to produce “keyed” card readers for ATMs. Creating a custom reader like the owners of this machine have done is an excellent first step, but it’s still a static design that can be accounted for eventually. What if, instead of printing out identical card readers for all your ATMs, you made each one unique, making it nearly impossible to anticipate?
The technology is easily imagined. With a parametric CAD tool such as OpenSCAD, the surface of the core card reader design can be augmented based on a randomized seed. Small geometric protuberances could be procedurally generated, and a new reader printed for each machine. New readers could even be generated and printed regularly in high value markets where skimmers are more common.
As a simplified example, I wrote a quick OpenSCAD script that randomizes the number and vertical height of several “pins” on the face of the card reader. Each time a new STL is generated for printing, the layout of the pins will be different. Such an unpredictable surface would make it harder to get a tight and flush fit with a skimmer, making it more difficult to conceal.
A fully realized version of this script could make more drastic changes to the reader, fundamentally changing its geometry each time the STL was generated; making adaptation all but impossible. Imagine a thief coming to attach their skimmer, only to find that the reader has changed into an oval since the last time they were there.
An Unworkable Solution
Obfuscating the card reader of your ATM machine with a 3D printed part (dynamically generated or otherwise) sounds like a relatively cheap and easy way to confound thieves, but there’s a huge problem with this idea. If you’re telling consumers to always be on the lookout for suspect looking hardware attached to ATMs, attaching your own suspect looking hardware to the ATM as a deterrent doesn’t make much sense.
I appreciate the idea that the owner of this ATM had, at least they’re trying to think outside the box. But the realist in me can’t help but think all this will do is cause an uptick in the number of people contacting them about their weird looking ATMs. Lulling consumers into a false sense of security about strange looking components mounted to ATMs just isn’t a viable solution. While there’s been some promising work done recently in detecting skimmers remotely, this is a problem that’s still looking for somebody to come along with a fix.
Got any ideas?