When A Skimmer Isn’t A Skimmer

I have a confession to make: ever since the first time I read about them online, I’ve been desperate to find an ATM skimmer in the wild. It’s the same kind of morbid curiosity that keeps us from turning away from a car accident, you don’t want to be witness to anyone getting hurt, but there’s still that desire to see the potential for danger up close. While admittedly my interest is largely selfish (I already know on which shelf I would display it), there would still be tangible benefits to the community should an ATM skimmer cross my path. Obviously I would remove it from the machine and prevent others from falling prey to it, and the inevitable teardown would make interesting content for the good readers of Hackaday. It’s a win for everyone, surely fate should be on my side in this quest.

So when my fingers brushed against that unmistakable knobby feel of 3D printed plastic as I went to insert my card at a local ATM, my heart skipped a beat. After all these years, my dream had come true. Nobody should ever be so excited about potentially being a victim of fraud, but there I was, grinning like an idiot in the farmer’s market. Like any hunter I quickly snapped a picture of my quarry for posterity, and then attempted to free it from the host machine.

But things did not go as expected. I spend most of my free time writing blog posts for Hackaday, so it’s safe to say that physical strength is not an attribute I possess in great quantity, but even still it seemed odd I couldn’t get the skimmer detached. I yanked it in every direction, tried to spin it, did everything short of kicking it; but absolutely no movement. In fact, I noticed that when pulling on the skimmer the whole face plate of the ATM bulged out a bit. I realized this thing wasn’t just glued onto the machine, it must have actually been installed inside of it.

I was heartbroken to leave my prize behind, but at the very least I would be able to alert the responsible party. The contact info for the ATM’s owner was written on the machine, so I emailed them the picture as well as all the relevant information in hopes that they could come check the machine out before anyone got ripped off.

An Unexpected Response

By the time I got home, I had a reply from the ATM owner in my inbox. But rather than an apology for the inconvenience and a vow to investigate the matter, it was a message informing me that what I encountered was not a skimmer at all. It was a 3D printed card reader of their own design that replaces the original hardware. The email went on to say that the idea behind this custom card reader was that it would actually prevent the installation of skimmers, by virtue of being unexpected.

One of the key elements of a successful skimmer installation is investigating the ATM you want to target, in this case a Nautilus Hyosung 1800 SE. Once an attacker knows which machine they are dealing with, they can buy a replacement card reader for it online and know that whatever device they design to fit it will work on the “live” machine when they go to install it. For some of these machines, 3D models of the card readers are already available online if you know where to look.

But imagine you show up to an ATM with your ski mask on and skimmer in hand, only to find that the card reader on this particular Hyosung is totally different from the ones you researched. The reader instead looks like it came from the Duplo R&D lab, making all your careful planning worthless. Another criminal foiled by geometry.

I thought the idea was fascinating, and it was certainly the first time I’d heard of it. I responded asking if they would like to discuss the idea for an article here on the site, but they wished to remain anonymous. Identifying the ATM owner or the geographical location they operate in would compromise the point of their modification, so I can understand their reluctance to go on record. But we can still look at the idea itself.

Dynamic Defense for a Constant Threat

Oozing PLA is my spirit animal, so my mind immediately ran with the idea of using 3D printing to produce “keyed” card readers for ATMs. Creating a custom reader like the owners of this machine have done is an excellent first step, but it’s still a static design that can be accounted for eventually. What if, instead of printing out identical card readers for all your ATMs, you made each one unique, making it nearly impossible to anticipate?

The technology is easily imagined. With a parametric CAD tool such as OpenSCAD, the surface of the core card reader design can be augmented based on a randomized seed. Small geometric protuberances could be procedurally generated, and a new reader printed for each machine. New readers could even be generated and printed regularly in high value markets where skimmers are more common.

As a simplified example, I wrote a quick OpenSCAD script that randomizes the number and vertical height of several “pins” on the face of the card reader. Each time a new STL is generated for printing, the layout of the pins will be different. Such an unpredictable surface would make it harder to get a tight and flush fit with a skimmer, making it more difficult to conceal.

A fully realized version of this script could make more drastic changes to the reader, fundamentally changing its geometry each time the STL was generated; making adaptation all but impossible. Imagine a thief coming to attach their skimmer, only to find that the reader has changed into an oval since the last time they were there.

An Unworkable Solution

Obfuscating the card reader of your ATM machine with a 3D printed part (dynamically generated or otherwise) sounds like a relatively cheap and easy way to confound thieves, but there’s a huge problem with this idea. If you’re telling consumers to always be on the lookout for suspect looking hardware attached to ATMs, attaching your own suspect looking hardware to the ATM as a deterrent doesn’t make much sense.

I appreciate the idea that the owner of this ATM had, at least they’re trying to think outside the box. But the realist in me can’t help but think all this will do is cause an uptick in the number of people contacting them about their weird looking ATMs. Lulling consumers into a false sense of security about strange looking components mounted to ATMs just isn’t a viable solution. While there’s been some promising work done recently in detecting skimmers remotely, this is a problem that’s still looking for somebody to come along with a fix.

Got any ideas?

163 thoughts on “When A Skimmer Isn’t A Skimmer

  1. Did you consider that you might have been had?

    The same people who install the skimmer can also change the sticker where the company number is, and pretend to be offical representatives.

    1. Not impossible of course, but unlikely in this case. This company maintains many of the ATMs and vending machines in my area, and have a very recognizable name/logo. Going to their website got me phone numbers and email addresses for customer service. That doesn’t make it impossible that it could be an elaborate scam, but at some point you’d think the real owners of these machines would have started pulling all these stickers off.

      But full disclosure, I have not used this machine since discovering the 3D printed reader. Even after hearing back from the company, there’s just something uncomfortable about using it.

      1. So if you are a Skimmer-Installer and encounter what looks like an ATM that already has a Skimmer installed, you better not touch it! If you replace a skimmer with your own, the gang that installed the original skimmer will be out to find you and KILL you. Talk about deterrence…

        Of-course, there’s a way to avoid all this dangerous Skimmer stuff – and you already have the solution in your pocket. It’s called CASH. Carry a wad of cash with you that you got from a reputable source and USE it for common real-time daily retail transactions. No Skimmers to worry about, and no tracking of what you buy.

    2. See, I hadn’t considered the Social engineering aspect of that which is odd. But it’s very possible. Also, it’s equally possible that (and Why I came to comment) the sticker might have been real and the morons at the ATM “machine place” subscribe to the security by obscurity model of security– which doesn’t work and in this case, only could serve to desensitize people from seeing what looks like a 3d printed part on an ATM machine.

      I’m with the OP… I wouldn’t touch the machine even if I knew it was truly real. In fact, I would leave a not on it to others every day noting the oddness of the reader and the possibility that it is a skimmer. Every. Day.

  2. Btw. a real solution to the problem is to make the card reader slot mechanically retract inside the device so no additional bits can be installed without interfering with the mechanism. A 3D scanner inside the machine can even detect if there’s anything extra tacked on.

      1. That looks to be “static. I believe Dax is saying that the reader itself should actually move. If the reader retracts or folds into the machine after each use then the idea is that there is a finite amount of space inside the machine for the piece to fit. So if someone installs a skimmer then it would jam the machine and render it useless.

        1. I got an inspiration from the pop-up floppy drive of an old Zenith laptop. If the card reader always folds down, with a tight tolerance between the front, then a skimming device cannot be glued on the outside. While the reader is folded down, it is accessibe by other mechanisms which can inspect the interior for any other extra objects and/or insert a cleaning mechanism that removes them.

          http://www.fantasticalandrewfox.com/wp-content/uploads/2011/07/Zenith_ZWL183-93.jpg

        1. What!? No!!
          That’s dumb.
          Thinking for just a second will tell you you’ve just introduced the possibility of an ATM DoS attack. Any Friday night drunkard or downright selfish shit will get the machine locked out just out of spite.

          1. ATMs are already susceptible to monkey button mashing DoS attacks. I’ve seen ones that refuse to operate for some time if you mess with the buttons randomly if you don’t have a card already in the thing.

      1. Yup. Amazed they don’t do this already.

        As for the 3D-printed gubbins here, I’m also surprised the company went with the idea. It looks exactly like some sort of improvised criminal thing. ATMs are expensive, they don’t run them off on home 3D printers, and not even a decent quality print.

        Showing the reader on screen must be possible for the owner, something they can customise. This plastic thing is just stupid. And wouldn’t there be lots of legal liability and insurance problems, surely there are standards that banking equipment has to meet.

        This story is fishy. I really can’t believe that’s the case. Then again all ATMs here are owned by banks, says so on the screen. Portable ones in shops I think have some sort of lease or rental arrangement.

          1. Yeah they wouldn’t. As someone with experience with industrial/manufacturing 3d printing, most users don’t care about print quality (as far as surface quality goes) as hobbyists do. As long as the part is dimensionally accurate, functional, and strong, it really doesn’t matter.

      2. Honestly if it’s just a sticker, the person installing the skimmer could do just as well by putting a sticker of their own on it. If you can trick people into using it by giving them false confidence, then you can still pull this off.

        1. Yes hello we are that company, let me first verify your identity need name, card number and the 3 digits on back. Now enter pin on machine and we’ll dispense your cash remotely! LoL of course you or I would not do that, but Dummy Delores getting cash for grandson birthday would!

      1. Isn’t it already clear that ATM manufacturers and operators are trying to find the cheapest get-out to the skimmer problem. Officially 3D printing a front panel should tell us that. It’s a terrible solution, even if you do change the shape every time.

    1. Many skimmers work by tapping the serial comms wires from the reader to the computer (yes, really). They no longer actually skim the magstripe, as many places in the world are moving away from magstripe reading and are using the chip.

  3. I think some post print finishing would go a long way to instilling user confidence. If it doesn’t look/feel out of place, the user won’t notice. To the average person, PLA feels strange. Printing in ABS would definitely help and be more weather resistant to boot. Finishing to hide the layers would be the next step.

    1. Absolutely right, poor quality prints are supposed to be a thing of the past or a ‘phase’ people go through while they get their printer dialed in. But the number of commercial samples or even finished products that have come across my desk tells me that that finish is normal. The worst example where some Bluetooth beacons claiming to be “sealed for durability by a 3D printer process”. I told them they’d get a better finish AND better seal if they dipped them in epoxy.

    1. Exactly my thought. This whole idea, and using 3D printers for it, is as stupid as stupid gets, Which in turn makes you think that their ATM probably have generic locks that you can open with a screwdriver too, thieves should look into that.

  4. Use molded urethane or vacuformed parts with some sort of modular mold. That could let you generate a large number of shapes with much better fit and finish.

    Alternatively, drill some spots in the card attachment area. One for a photocell to detect if an object has been put over the reader for more than a few minutes, and the second one for a screw-driven rod that extends out when this happens, shoving any skimmer off the machine.

  5. Many of the ATMs in my area have a big green bit of plastic around the card slot. It’s well made, but looks like it was added on. It’s actually part of the ATM, but, like the one in this article, conditions the user to overlook skimmers.

    1. I believe I’ve seen the exact same ones with a very convincing skimmer attached online. It sat right over the existing green bit and allowed the backlight of the original green bit to shine through. Literally an exactly copy of the green bit that nested right on top of the original. Every time I see one like that I walk over and give it a little shake to see if it comes off, no luck (or great luck?) yet.

      1. I know the type you’re talking about. A member of my hackerspace found one of those types. The police actually came by our space and asked us to help them out with it. It was super cool getting to tear it down and look into it.

    2. If I don’t trust an ATM I will pull on that not hard enough to rip it off but enough to see if it’s loose which would suggest it’s a skimmer.
      Also look down in the slot if you can there are chip skimmers that can fit down in there and if there.

  6. On a side note, why don’t contactless cards have a physical clicky dome tacktile switch to enable to coil. You can still tap it to pay but if someone tries to skim it from your pocket in the street, they won’t get any joy.
    Surely the minor additional cost would be greatly offset by the additional security layer.
    [ Filed under, damn I should patient that. ]

    1. Credit cards live a dangerous life. People keep their cards in their nasty wallets (dig around in there, you’ll probably find some crud), they send their cards through the wash, all sorts of things. A dome switch that could stand up to all that for the 2-3 year life of a card, and still be low-profile so it would still fit in all the slots, would be quite a feat.

      1. Dome switches are thin (thinner than 0.25 mm are available) so fitting them inside the card itself isn’t a problem. They are also resilient with a long life so minor disturbances shouldn’t be a problem. Crud and water wouldn’t be a problem when embedded in the plastic.

        The main problem I can see is that there have to be a rigid surface with contacts below the dome itself.
        If the card itself is 0.8mm and the dome is 0.25mm there are 0.55mm for plastic and contacts. There will be a limitation how thin the actuation spot over the dome can be, let’s say 0.15mm (have to be flexible enough to allow depression of the dome while strong enough to withstand use and abuse).
        Then the contact plate and the plastic cover would have to be 0.4mm. Flexible PCBs (which isn’t actually what is wanted here) can be bought with a thickness of <0.25mm which leaves 0.15mm for the outer cover.
        If the combination plastic and PCB (or other type of contact plate) isn't stiff enough use would require two fingers pinching the switch for it to activate but that may be acceptable

        Shouldn't be a problem technically but what would people say if their easy-to-use cards would suddenly be hard to use?

        1. Very close. What you use is a three-layer setup just like how most keyboard switches work: two layers have contacts facing each other, and between them is a separator layer with a hole in it. The user squeezes the indicated spot on the card with a finger and thumb to bring the contacts together. Very low cost, very reliable.

      2. I have a card that has been in my wallet for ~4+ years with two switches, an LCD, and solar cell still going strong. It’s maybe 2x the thickness of a stock card. It generates random PINs for a financial institution I no longer use. In fact, I think it outlasted my old wallet.

      3. Something similar to what’s inside an Atari joystick covered with heavy gauge mylar should last longer than the card.
        Of course this would drive up the BOM but it would be up to the company to decide is it better to pay a little more for cards or deal with losses from skimming.

    2. Get this – If I try to login to google (or facebook etc etc etc) I get a message on my phone in moments, asking if it’s really me. I click yes, I get in….

      Why don’t we have _that_ on cash machines? (with telephone support built into the machine itself in case you don’t have your phone you can answer a security question or two (and enter the pin)).

    3. You know you can buy RF shielded card holders and wallets right?
      Which covers all cards, instead of having to hope that each and every card issuer would get on-board with an annoying and no doubt often failing button.

      For me the concern is not the off chance that someone manages to skim but more that the eternal tracking orgs use it to track you by just dong a handshake to get a unique identifier at entrances and crossings.

    4. From the reports I have read contactless fraud (In the UK anyway) is almost non-existent. I keep hearing people say “oh yeah, they can just walk by you and charge you without noticing”, but in reality the likelihood of someone getting away with that is nil. As I understand it the PAN isn’t sent to the reader so the transaction would have to happen there-and-then, at which point all it takes is a couple of people going “WTF is that transaction”, the terminal issuer will then realise something dogy is going on, and you’ve been rumbled.

    5. Because it’s not that big of an issue. I’ve literally never heard of someone getting their contactless card “skimmed”, not that it doesn’t happen. But considering the 4 centimeters of range and often somewhat restrictive spending parameters (X number of contactless transactions per day, max 100$ per transaction, max 1000$ per day, etc) the losses are somewhat small for banking institutions.

        1. To buy things?

          Why do I need cash though?
          -for backup payment method in case I lose my card, or other technical difficulty

          -to speed things along when they payment processors are being slow and it takes 5 minutes to verify Chip&Pin

          -small festivals and street vendors / markets

          -travelling

          -grey market / trading & doing small odd jobs without having to involve the government and all that bureaucracy. For example, if you give an unemployed person $1000 for christmas here, they’re supposed to make a tax statement and may lose benefits over it, voiding the whole point of the gift. If the social office sees the money in their account statement, they’ll go “what’s that! You’ve got income you didn’t tell us about!” Even bottle return money is -technically- taxable income though everybody ignores the rule.

          -coins/bills are useful for vending machines, taking the trolley in a supermarket, public restrooms, parking meters, bubblegum machines and bag safes at malls, scratching tickets, paying for the bus when you don’t have a travel card, certain gambling games, tips, savings in a piggy bank, kids’ weekly allowance…

          -avoiding constant unwanted tracking and profiling in general, sometimes in particular if the spouse is being stingy or you don’t want the name of a sex shop / jeweller appearing in your account statement

          -tracking and managing your personal money use by physically having the money you’re about to spend, especially when drunk

          -Hoarding piles of small coins and rolling them in your hands, pretending you’re Scrooge McDuck

          1. @GH Initially banks didn’t like doing business with weed orgs I recall hearing (because weed was federally still illegal), but that changed I think and now I hear there are banks that considered it a nice new field of operation, although I’m not sure if the big ones dare go there yet.
            And Trumps DA and people are old religious people who are living in a long past and fear weed, and that darn music the kids are corrupted with… so the future doesn’t look good in that way and I’d be nervous as a bank too.

          2. The long term macro economic reason for abandoning cash is rather more sinister. Once cash is gone central banks can set negative interest rates in order to encourage people to spend rather than save, and thus avoid recessions.

          3. I think that your penultimate point is the most compelling. I draw a certain sum of cash each week for incidental expenses like beer and wine and beer and wine and so on, and when it is gone it is gone and spending stops for the week. Before then at any point. I can take the money out of my wallet and see how much I have left. I did try going cashless for a couple of weeks but it was such a fuss reconciling all the receipts that I gave up.

            Your final point might be even more compelling :-)

          4. I don’t know where you are actively hanging out where these rules apply, but even in a town out in the sticks of the USA have vending machines with cars readers, street vendors have square readers, the bus takes contactless payments, and even the metered parking has you download an app to pay your parking fee. I think the last time I HAD to spend cash for something was because we were donating money to someone in a sympathy card for a death.

            I’d wager in a well developed city, you could leave your cards at home and pay with everything through a tap of your phone. Cash stopped being relevant a few years ago. It’s dirty, can be lost or stolen (with no recourse for recovery!), and it can easily be counterfeited these days with how good garage shops have gotten. Dudes could be laser engraving their own dies for $20 bills with a $4000 fiber laser and start pumping out legit looking fakes.

          1. That’s correct, doing business costs money. Having customers, costs money. Running a server to host Internet banking, costs money. It all costs money.

            You don’t earn money if you don’t invest it in providing products and services that people want to buy. In this day and age of cyber security concerns, a bricks-and-mortar physical presence staffed with competent people and suitably equipped is a great asset for avoiding a lot of problems that Internet banking is yet to solve.

          2. It might be a great asset for *you*, for the bank it’s a huge cash sink.

            It’s not a matter of customer satisfaction, it’s about how much shit you’ll take before you finally walk away. For most people’s bank accounts, that’s a huge amount, as most bank customers will tell you. Particularly when all banks are equally greedy, so there’s not much point going elsewhere.

            Ultimately the problem is capitalism. If doing something ruthless, harmful, or unpleasant, increases profits, then a business has no choice but to do it. Or else some competitor will, and eventually take an “ethical” business’s place. And if not their place, certainly a good few of their stockholders. People don’t often look much at the ethics, or customer service, of companies they invest in. Particularly when those people are computer programs, conducting thousands of trades per microsecond.

            Businesses have to do whatever it takes to make money. Including breaking the law. That just needs the risks and rewards factoring to figure out how much it’s going to affect profits. Of course, high-up businessmen are also rewarded when the company does well, let go when it doesn’t, and they’re also able to move between jobs. So even on a personal level, the selection criterion is just profit.

            People who claim to believe in “compassionate capitalism” or the like, are hopefully just trying to pull the wool over your eyes. If they genuinely believe it, then they’re dangerously nuts, or at least gullible. Take advantage however you will.

            Security problems are just another business issue. You insure against them, or spend money to reduce them, or whatever you think is cost effective. Don’t bother with the meteor insurance but cover customers’ credit cards against fraud. That’s a big deal that most customers would insist on.

            Branches full of human staff are just bigger targets for social engineering. And they’re just so expensive, compared to the benefit they give the bank. Banks hate branches, it’s why they’ve been disappearing en masse. Customers like them, but how much would they pay to keep them? What would they choose to give up instead?

      1. Most places either won’t accept them or look at you funny and insist on a random squiggly line to be drawn on the receipt.

        It will be like China. Walk into a shop, big brother does facial recognition and charges your account for everything you walk out with. No tills.

        Time to invest in a rubber mask of a millionaire me thinks…

      2. The first thing I do to each new credit card is remove the mag stripe with acetone. We don’t use mag stripes here in Canada. It’s mostly chip and pin, and tapping for under $100.

        1. Don’t know about the UK but over here the magstrip readers are a different slot, one that doesn’t swipe but has an slot that holds the card, and when they switched over to chip they put tape over the magstrip reader or pieces of carton in them with ‘use chip’ on it. Although now it’s contactless or chip.

          Oddly enough sometimes (not often) the reader contactless or chip, fails and then the display frequently said ‘use magstrip’,

          Now for machines that temporarily swallow the card you can never tell though.

        2. Funny thing, turns out the US was (is!) super behind in switching off of magstripe. A lot of European countries pretty much only do chip – to the point where the magstripes are purely decorative. I saw a foreign student once attempt to explain to a cashier (at a place that still did not have the chip set up) that his foreign credit card did not have a working mastripe – but the cashier didn’t understand, and kept on trying to swipe it anyway. It did not register as a card at all.

        3. Small correction on my post: I meant to say that the chip requires a slot where your car sits in stationary, the magstrip swipes of course.
          I guess I lost my train of thought there and explained the difference in reverse.
          as for contactless, I’m not sure if there is an agreed upon term for the action:
          you ‘wave’ the item? ‘waver’ it? ‘rflle’ it? ‘shake it off’?

        4. I’ve haven’t used a mag stripe* in like…15 years?

          *Never used mag stripe in Canada under normal circumstance. I’ve had to use it once or twice because the chip reader was broken and it had no contactless payment. I drew a squiggly on the receipt paper thing, then the clerk pointed to me that my card was not even signed…oops

      1. If I walk into one of my bank branches to either deposit or retrieve small (<$1000) amounts they ask me if I want them to go to the ATM with me to show me how to use it. Sometimes I just want to stand in the AC and interact with someone.

        1. If we follow that to its logical conclusion, then there wouldn’t be a shop keeper either since you’d just employ a machine for that.

          That machine might even deliver the goods to your door. Now where have I heard of that before? This leads to a problem, who will pay for the maintenance of the machine?

          Not the person receiving the delivery; because every job they could conceivably do is filled by a machine doing that job.

          1. Going to a ridiculous extreme is not “a logical conclusion”.

            That said, most retail business is make-work and there’s no reason why the cost of products should increase by 5-8x between the producer and the store.

          2. >every job they could conceivably do is filled by a machine doing that job.

            I mean, at that point you’re talking about a post-scarcity society where the machines do everything. No one would need to pay for the maintenance of the machine, since it would be done by another machine. Everything would be done by a machine.

            This scenario could be either a dystopia or a utopia, depending on how the machines are owned.

      2. lol, over here you have a tough time finding actual banks where you can do business and that have a cash service.
        Plus banks have awful opening times, they really don’t seem to like to have branches.

        In fact there are now banks in most western countries that have no physical presence for customers at all, 100% machine and online. Although I don’t approve of that myself.

    1. Are people still naive enough to think crime isn’t just approached like any other business, just with less regard of the law? Investing is not a problem if you expect a return on that investment.

  7. Or just git rid of card reader all together. My bank uses QR code on the display that is read by the banks app on the mobile phone for user verification. No contact, no scanning, etc.

  8. What if instead of using strangely looking readetx to confuse skimmers or randomly generated footprints for each unique reader the manufacturer used a serial number or an ID matching like for example Microsoft did in Xbox 360 with thr dvd drive and motherboard or Apple with the Touch ID module being paired to the chipset.
    For the record, a dvd drive in an Xbox must be matched by the ID with console’s motherboard otherwise th drive will simply not work. Likewise, if you replace the screen on an iPhone that has Touch ID and you put another fingerprint reader from the new screen or out one that is fake, next time you try to restore the device with iTunes you will brick it.
    Same would IMO work on ATMs if done correctly.
    On another note Apple requires new components like trackpads, keyboards and motherboards to be matched with the correct serial number using a special diagnostic system for Macbooks to work after replacing the parts. Same goes for Tesla cars which need authorised services to replace and S/N match the new parts to the car’s computer.

    1. ATM skimmers don’t replace the reader. They sit in front of the reader and capture the card info from the magstripe as it enters the reader. Gas pump skimmers tap into the bus between the card reader and the pump control board, but otherwise leave the reader alone.

      Both problems will be solved once chip-and-pin completely replaces magstripe.

      1. Simply, chip cards store the secret keys inside the chip. Capturing the communications between chip & ATM will not allow you to copy the card.

        I’m sure that it’s possible to devise attacks on this scheme, but at some point it becomes easier for the thief to simply rip the banknotes out of the ATM :)

    2. The serial numbers in parts is one reason why I do not buy Apple products any more and I used to be a big fan of them.
      Though Tesla cars you can swap parts a guy rebuilt a Tesla S on youtube he though it had scum tech up in it when it stopped working but it ended up being a loose nut on the 12V converter.

      1. The iPhone serial number screen thing is to prevent me unlocking your phone by replacing the screen/touchID assembly with one that knows my fingerprint. The fingerprints are stored in the reader and the phone has no access to them.

  9. I’m shocked nobody here is posting the sane advice:
    If you encounter a skimmer in the wild DO NOT UNDER ANY CIRCUMSTANCES TOUCH IT, and definitely do not use the machine.
    Contact the bank immediately using the number on the manufacturer’s website.

    If someone saw you trying to vandalize an ATM or remove a skimmer they might reasonably assume that you’re the perpetrator. You could be arrested. Your fingerprints would be all over it. Most ATMs have cameras in them (and/or around them) so even if you don’t do anything right away, you could be implicated later for a crime you had no involvement in.

    I want to dissect a skimmer as much as the rest of you, but I know I won’t ever have the opportunity, since I’m not a professional, bank/ATM-employed security researcher.

    1. Beyond the complete implausibility of a situation in which a skimmer was installed without anybody noticing but that you attempting to remove it is not only noticed but misinterpreted as the installation of said skimmer, the idea of lifting fingerprints off of an ATM as a way to “prove” who installed it is almost comical.

      What’s next? The cops try and pull some DNA off of a public toilet? Maybe look on the floor of the barber shop for the perp’s hair?

      Are you familiar with the term “Needle in a Haystack”?

  10. If I see any 3d printed part on the atm, I would not only try to destroy it, I would call the cops, F the number on the atm. That 3d printed part doesnt look right and should die at that place.

    But I always try to find a skimmer, for personal collecting. sadly never found one (yet). most of the card inserts here are of metal or some green plastic with light behind it, I always keep pulling and yanking, sometimes ppl look at me, and im like “I misplaced my skimmer, cant find where I put it” – the looks XD

  11. I don’t understand why ATM card reader and keypads are not flush mount. It is difficult to attach even the slimmest of skimmers to a flush mount space without it being at least somewhat obvious. This is one area where an Apple-esque design (at least for the card/pin interface and nearby real estate) would do wonders. Anything not flush mount or out of the ordinary should be suspect.

    1. The newer type of skimmers (actually called shimmers) sit inside the ATM’s cardpath and MITM the chip, you still cant clone the chip but all the info for doing online fraud later is harvested and there is no visible change to the exterior of the machine.

        1. So, Ren, I ponder now, the question’s yes or not, you’d see a slight light shimmer from the scammer’s skimmer’s slot?

          Even more apologies to Theodore Geisel.

  12. There are a few other things worth considering with the situation as-described:
    * if I wanted to install a 3D printed skimmer housing, I’d also put a placard on the machine saying I own the machine, so that when an alert user tries to contact the owner, I’m the MITM.
    * if I wanted to install a traditional, non-3D-printed skimmer housing, _I just would_ – unless there’s something telling the ATM user to look for and expect to find a 3D printed skimmer housing, they would not suspect anything out of the ordinary.
    * if, as a legitimate ATM owner/operator, I wanted to introduce “keyed” unique card readers, I would also have to communicate with my customers somehow about *which keys to expect at which locations*
    * Every single one of these considerations can instead be taken into account by requiring regular as well as randomised periodic rigorous inspections of ATM card reader hardware, either by the owner/operator, or – like fuel dispenser pumps and grocery story checkout aisle scales – by agents of the regulatory jurisdiction in which the equipment is operated.

  13. To combat internal card readers, having a camera inside the card reader to watch for specific things are legitimate card does have ex: specific size, if something is inserted that does not match, it can store the video footage, alert the ATM owner and disable itself until it can be verified (which could be by reviewing the insertion footage for what was inserted).

  14. My bank’s ATMs have a great solution for skimmers. The ATM card is inserted in landscape orientation, (wide edge first) and sucked into the machine. Whether the machine reads the mag stripe or the chip, I don’t know, but a skimmer would have to have sensors across the whole width of the slot in order to capture the mag stripe data.

    The machines are made by Diebold, I doubt it’s exclusive for my local bank.

      1. I can confirm the same with my cards here in the US. I had several cards years ago that did RFID, but they are slowly disappearing now. None of my current cards have RFID anymore. I’m guessing the feature was never really that popular, deemed too much of a security risk, too expensive to produce the cards or all of the above. None of the cards have the typical RFID logo on them anymore, and if you hold them up to a bright light you cannot see a coil in them either. One of my cards, the 1st one I had with RFID is actually totally clear. I can certainly tell there is no longer a coil in that one.

  15. Why not make the card receptacle completely translucent. If someone puts bit of electronic inside it will be simple to spot. Also may add inscription stating the fact, if someone is unaware of skimmers.

  16. I have recognized 3-4 skimmers in the span of 5 years. This along with all the retailers getting hacked, nearly all my transactions are now done in cash now. I just take out $200.00 at the bank (ATM is inside the bank). Take out more money when I need it. Skimmers are defeated.

  17. With the hassle if cash, we.looked firward to the sci’fi card to come; a d which came. Now, some of us look ba k. Remembdr telephone msg recorders with cassettes? In 2 years, auto-dialing vacuum sakesmen discovered thwm and they became more pain tban use, well before tbe cassette became a.memory chipset or cell phone vouce-mail.came to be. I never set mine up. A phone is answered or ignored. That’s how a ohone works… YOU must work It – not the other way around. Ditto, cash.

  18. One way to reduce the likelihood of people thinking the custom reader is a skimmer would be to put a logo or company name on the 3D printed part, so it looks more ‘native’.

    Of course, a skimmer could do that as well, but they’d need to know both the model of ATM and the company running the specific ATM, beforehand.

  19. Dynamic 3d Printed ‘keyed’ slots which are swapped out when updated for maintenance or better yet, when stocked with fresh bills. I assume someone is already on contract to reup various ATMs at some point. Just include, in that drop off, a change in the ‘internal’ 3d printed mold. Rinse and repeat.

    We have unique key ways on every door, everywhere. Why, when it comes to ATM’s, is the keyway the same everytime but only the key changes? If the email you got is true, kudos for a step in the right direction but 1 ATM at a Farmers Market (3rd Party [the kind with hella fees])? Or how bout hundreds of thousands, simultaneously across the country for Well Fuckgo?

  20. There is already technology for ATMS that detect, jam, or both detect and jam skimmers. It’s gas pumps, card entry, and the person you hand your card to at drive thru windows and parking garages that can double swipe your card that you have to worry about. All great ideas on ATM anti-skimming above but it’s not such a problem for ATMS if the institution installs the hardware. It doesn’t matter what it looks like or what is attached, skimmers can be prevented from reading very easily, the phsyical deterrents are low tech and easily defeated since skimmers can be so small and attached to anything. Also people are typically so oblivious that you could put a computer in an ATM looking display that does nothing but read your card, record your pin, and report that the transaction cannot be processed at this time and most wouldn’t give it a second thought.

  21. Doesn’t protect against in-slot or “insert” skimmers which are barely outside the ISO spec with custom made read heads..

    The only challenge is making the read heads the rest you can do with kit hardware..

  22. First, I’ll echo that it’s also something I’d love to have found in the wild, to see how it’s being implemented and see what I could reverse engineer of the criminal hardware. That being said, am I the only one that wouldn’t want to touch it? As in, if it’s been placed there by a criminal, you’d want any forensic evidence (finger prints?) to remain, without yours being mixed in with whatever they find on the insides. I’d alert the police first thing, then the ATM maintainer. Also, the police might already be aware and be waiting for the thieves to come back to the scene*. Granted, the police in some areas are still uneducated, but they’re coming up to speed fast, especially with the younger ones joining the force having friends or family (or themselves) being savvy to some of this stuff.

    I guess what I’m saying is, there might be larger picture things going on that you’d either A) Not want to be mixed up in, or B) not want to disturb. I’m all for foiling criminals, but sometimes the best bet is to notify and stay out of it.

    * Yes, given the bluetooth nature of a lot of skimmers found, you wouldn’t necessarily be able to see the criminal messing with the ATM post-skimmer-install, but… you would be able to see who was in the vicinity when a bluetooth exchange with the skimmer happened, which is something that is required to retrieve the data skimmed. Sniffing that traffic and taking photos, and then comparing photos over time if the data is downloaded more than once might just get you the perp.

  23. What might work is to have some kind of ultra sonic transducer inside the real card reader’s face plate. It could ping periodically confirming that the echo response matches a known signature. And I mean actually having it inside the reader faceplate, not exposed. I would assume this would pick up the echo response of the inside of its face plate and of anything else in the immediate exterior vicinity, but keeps it hidden from criminals knowing exactly where it is inside the face plate. If someone were to stick something onto the front of the reader i would assume the ping echo response would change slightly. If it fails a few of these checks (to filter out errors like people being in the vicinity of the machine) have it power down the ATM.

  24. You already had the right solution in your article, but tripped over it. You were saying that we should 3D print readers at regular intervals and swap them out. If a technician is going to visit the ATM regularly then why can’t they just check for a skimmer? Just replacing the scanner with OEM hardware could work in that case, and keep people from getting desensitized to weird scanners.

  25. As far as the author’s plan with the special pins, wouldn’t you notice any skimmers when you come to install the latest permutation? So you could just pull it off. So you wouldn’t actually need the pins at all.

    Meanwhile our skimmer crook just alters the skimmer so it doesn’t attach to any of the pins. He just glues it on the flat bits instead.

    It’d be like using 512-bit cryptography in your burglar alarm, then a thief just comes and fills the bell box up with expanding foam. Or hits it with an axe. Some problems aren’t best solved with 3D printing! Actually, most problems.

  26. This is 2018. Why is there a long thread of people bickering about physical tampering and not just encouraging the use of end-to-end encrypted cards with chip and NFC? Oh, that’s right… This is the USA. :)

      1. USA rolled out EMV years ago and Europe long before that. US spent EXTRA leaving magstipe on(hence why the black market is still booming).. Big chains in the US refuse to implement EMV till this day which is why magstripe is still on cards. A lot of talented people have *tried* to attack CDA and DDA modes of EMV(both are on all the cards and POSi, and POSi controls which modes are used usually configured based on processor and gatway restrictions).

        The bleeding-edge CC black-market still has no attacks on EMV. There are theories on a future black-market that leaves stolen physical cards in EMV readers and does cloud based services till they are cancelled and then swapped; that’s all.

        NFC is just a 13.56Mhz PHY that generates a token with a chip or host emulation. Unless it’s changed you can still attack it within 4cm which is why everyone limits NFC transactions and there are those stupid Faraday wallets.. You can transceiver close to a POSi and do transactions as an attacker from ANYWHERE. NFC on the non-POSi side is inductive powered(like RFID in modern car keys etc(except car keys have better security by using discreet crypto algo with challenge–response)).

        TL; DR; EMV with CDA or DDA modes exclusively on all systems can instantly kill the “fullz” portion of the black-market. Implement EMV reader browser support(like EU uses for ID validation) and put in on CGI back-ends of internet checkouts and there goes the “virtual” black-market too.. Industries are greedy and lazy; smarter than me have even said this..

        1. Cool! Now.. Show us the white papers, presentation, POC, or whatever you choose to show where DDA or CDA are defeated.. Nothing from CC3, Defcon, or BlackHat finds a bug in either..

        2. Before you read my post, and maybe googled the modes used in EMV you probably didn’t know what either were, or that EMV even had modes or what a POSi was.. Don’t you need to get back to Reddit or 4chan?

  27. An anti-skimmer solution that makes the device look like it has been tampered with, is a terrible solution. If they make tampered devices indistinguishable from legit ones, how will a careful user distinguish them?

Leave a Reply to hacky97Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.