Gaze Upon Just How Thin ATM Skimmers Are Getting

ATM skimmers are electronic devices designed to read financial card information, and they are usually paired with a camera to capture a user’s PIN. These devices always have to hide their presence, and their design has been a bit of an arms race. Skimmers designed to be inserted into a card slot like a parasite have been around for several years, but [Brian Krebs] shows pictures of recently captured skimmer hardware only a fraction of a millimeter thick. And that’s including the battery.

As hardware gets smaller, cameras to capture PIN entry are more easily hidden in things like fake panels.

The goal of these skimmers is to read and log a card’s magnetic strip data. All by itself, that data is not enough to do anything dastardly. That’s why the hardware is complemented by a separate device that captures a user’s PIN as they type it in, and this is usually accomplished with a camera. These are also getting smaller and thinner, which makes them easier to conceal. With a copy of the card’s magnetic strip data and the owner’s PIN, criminals have all they need to create a cloned card that can be used to make withdrawals. (They don’t do this themselves, of course. They coerce or dupe third parties into doing it for them.)

Retrieving data from such skimmers has also led to some cleverness on the part of the criminals. That job is done with insertable readers designed to establish a connection to the skimmer and download its data. By the way, retrieving data from an installed skimmer is also something criminals don’t do themselves, so that data is encrypted. After all, it just wouldn’t do to have an intermediary getting ideas about using that data for their own purposes.

Countermeasures include ATM manufacturers taking advantage of small cameras themselves, and using image recognition to watch the internals of the card area for anything that seems out of place. Another is to alter the internal design and structure of the card slot, preventing insert skimmers from locating and locking into place (at least until they get redesigned to compensate). Amusingly, efforts to change the design of an ATM’s key components in unexpected ways to prevent criminals from attaching their own hardware led our own Tom Nardi to discover a skimmer, only to find out it wasn’t a skimmer.

So with skimming hardware getting smaller and harder to detect, what’s one to do? [Brian] points out that no matter how cleverly the hardware is hidden, covering the keypad with your hand as you enter your PIN will defeat a critical component of a skimming operation: capturing your PIN. Sadly, after reviewing many hours of video from captured skimmer hardware, [Brian] says that’s apparently a precaution virtually no one takes.

63 thoughts on “Gaze Upon Just How Thin ATM Skimmers Are Getting”

  1. I thought that the magnetic strip was no longer of any use in ATMs, at least that’s the case in France. Well, that’s what the bank said in 1997 when a French hacker, Serge Humpich, was trapped when he demonstrated the “Yes card” principle: they said that the chip inside credit cards was safe, and that the magnetic strips were no longer used. Of course they lied because magnetic strips are still in use, particularly for paying highway tolls.
    From my point of view, the banks are responsible that such an attack is possible: I can’t understand that ATMs still use magnetic strips, and that they don’t use the cryptographic systems embedded in the card’s chip. They will say that it’s expensive to replace the ATMs, but they make huge profits at the same time.
    Bankers are really stupid … or professional liars … (I’ll bet on the second hypothesis).

    1. Most CC companies in most countries have implemented a change of liability for strip reading, quite some time ago. Businesses that use strip readers are liable for the cost of fraudulent charges, or rather won’t be reimbursed, if it’s caught.

        1. The ATM near me (in Canada) doesn’t fall back to mag-strip. I disabled the RFID by drilling out the antenna traces and it stopped working in my local ATM (still works in chip&pin devices). Then again, chip&pin has been the standard for about a decade up here.

      1. I’ve definitely seen some cards that have a printed black line where a magnetic strip would be but that clearly aren’t magnetic tracks, yes. It’s definitely not used any more in my country, I haven’t seen any payment device with the slot to swipe the card…

      2. So a year or 3 ago, my ATM card started peeling, and I took off the whole plastic layer which apparently included the magnetic strip.
        After that, the local ATM wouldn’t open up anymore so I couldn’t use it to withdraw cash.
        I was flabbergasted that it required (at least the first part) of the magnetic strip before it actually accepts the whole card.

        1. I was an ATM engineer for about 16 years. The ATM card reader is equipped with a width switch, a mag stripe ‘pre read’ head and a metal gate (some also have a thickness switch). The mag stripe and width switch together open the gate. This prevents people from inserting all sorts of garbage and causing a jam in the reader; ultimately it keeps the ATM functional for you.

        2. ATM manufacturers still use the magnetic stripe as a security feature. You wouldn’t believe the number of people who just shove popsicle sticks, quarters, receipts and other random objects in the slot. The ATM’s no longer functional at that point.

    2. In Canada stripe cards only function at a terminal that the card belongs to (RBC at RBC, TD at TD, etc.); they will never work at stores (and that’s debit/ATM cards). Credit cards can be swiped sometimes, but normally just to activate. The logic with the ATM debit cards is that all branch ATMs are in house and very much monitored. Third party ATMs and stores, not so much.

  2. “So with skimming hardware getting smaller and harder to detect, what’s one to do? [Brian] points out that no matter how cleverly the hardware is hidden, covering the keypad with your hand as you enter your PIN will defeat a critical component of a skimming operation: capturing your PIN. ”

    Seems a tinted shield over the keypad would help.

    1. Not sure if they use IR cameras too. They can see the heat signature your fingers left on the keys. The coolest key is first and the warmest key is the last one pressed. After I make any transactions on keypads I place my hand over other keys.

  3. To be fair. The whole payment card system is fairly flawed at its very core.
    A system shouldn’t be built on the end users having to trust a random terminal. A good system should embrace the fact that this isn’t secure, and instead move the security to the control of the ones who need it.

    Considering how these payment cards effectively need an internet connection to be useful, it isn’t unreasonable to take the step to separate out the authentication from the card itself.

    A proper system in my own opinion would be implemented as follows:

    Only use the card to store 1 number, and 1 bank. (Like: 1234 5678 9012 3456 @ (yes, that is effectively an “email address”.)) There is no need for any security measures here.

    This card number is then used to make a payment request to said bank. Often through one’s own bank, unless it is the same bank. Said payment request is generated by the payment terminal, ATM, or server, encrypted with a pre shared key (that is shared with the store’s own bank). This encrypted request is then processed by the bank. (Likewise encrypted and sent to the card holder’s bank if it isn’t the same bank as the store. Since if it is the same, the bank doesn’t have to contact itself about it.)

    The bank the card is referencing knows who the card owner is, and knows what authentication method/device the owner prefers/uses. The request is forwarded to the card holder’s authentication device over an encrypted connection using pre shared keys. This will allow the end user to deny or accept the request on their own trusted device.

    There is simply little useful information on the card itself. It isn’t a key to the card owner’s bank account that is valid for years at a time. All it contains is a single number, that also would be printed on the card, on the magnetic strip as well, and likely a QR code too.

    Now, some banks (like my own) do have 2FA for “internet purchases”, with moderate success. And to a large degree, the proposed system is just “2FA”. (The card number is the first factor, and the response from the app/device is the second one, nothing special here.)

    However, with the above mentioned system there is the risk of the number getting “leaked” and attackers starting to spam the card with requests. This is, though, easy to notice, and if the end user denies many requests it is good reason to send out a new card to the end user to replace the old.

    Another major attack vector is good old social engineering, and sending out requests that seem legit already is a working strategy. To a degree one can solve this, at least for major brands where the well established nature of the business makes it easy for banks to know who the request is from, but also work on spotting copycats impersonating the larger brand. (When I say “large” this can still be quite small companies.)

    I am not saying it is a perfect system.
    It does require an internet connection for the card holder’s authentication device of choice. (For some countries, a low bandwidth data plan likely should be provided to all citizens due to how central the internet has gotten in daily life in these countries.)
    Likewise there is the issue of trust. Most would inherently trust their app riddled smart phones for this task. Perhaps even have the card number itself stored on the same phone. But a more standalone security device would be an ideal option for more security minded individuals. (And no, a chip and pin card in a random payment terminal isn’t a particularly trustworthy system; bring your own authentication device.)

    And yes, card skimmers would still be a good way to collect card numbers for an attacker to later send socially engineered requests to.
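The flow this comment proposes, modelled as an added example (this is not the commenter’s code; the names, the pre-shared keys, the card number and the merchant list are all constructed here): the card contributes only `number@bank`, the terminal’s request is authenticated to the store’s bank with one pre-shared key, the card holder’s bank forwards it to the holder’s own device under another, and the decision is taken only on that device. The channels are modelled as HMAC-authenticated rather than encrypted, which is an assumption for brevity; the comment’s confidentiality would come from the transport. The `DENY_LIMIT` counter implements the comment’s point that repeated denials are the signal to re-issue a leaked number.

```python
import hmac
import hashlib
import json

# Constructed pre-shared keys for this example only (hypothetical).
TERMINAL_ACQUIRER_KEY = b"demo-psk-terminal-to-store-bank"
ISSUER_DEVICE_KEY = b"demo-psk-bank-to-cardholder-device"


def _tag(key: bytes, payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal(key: bytes, payload: dict) -> dict:
    """Authenticate a message on a pre-shared-key channel (integrity only here;
    encryption is assumed to be supplied by the transport)."""
    return {"payload": payload, "tag": _tag(key, payload)}


def unseal(key: bytes, message: dict) -> dict:
    if not hmac.compare_digest(_tag(key, message["payload"]), message["tag"]):
        raise ValueError("message failed authentication")
    return message["payload"]


class AuthDevice:
    """The card holder's own trusted device; the only place approval happens."""

    def __init__(self, key: bytes, approve):
        self._key = key
        self._approve = approve  # stands in for the user tapping accept/deny

    def handle(self, message: dict) -> dict:
        request = unseal(self._key, message)
        decision = "approve" if self._approve(request) else "deny"
        return seal(self._key, {"request_id": request["request_id"], "decision": decision})


class CardholderBank:
    """Knows which device belongs to which card number and counts denials."""

    DENY_LIMIT = 3  # after this many denials the number is treated as leaked

    def __init__(self, devices: dict):
        self._devices = devices     # card number -> AuthDevice
        self._denials = {}
        self.reissue_queue = set()  # numbers flagged for a replacement card

    def process(self, request: dict) -> str:
        number = request["card"].split("@")[0]
        if number in self.reissue_queue:
            return "blocked"
        device = self._devices[number]
        reply = unseal(ISSUER_DEVICE_KEY, device.handle(seal(ISSUER_DEVICE_KEY, request)))
        if reply["request_id"] != request["request_id"]:
            raise ValueError("reply does not match request")
        if reply["decision"] == "deny":
            self._denials[number] = self._denials.get(number, 0) + 1
            if self._denials[number] >= self.DENY_LIMIT:
                self.reissue_queue.add(number)
        return reply["decision"]


class StoreBank:
    """Receives the terminal's request and routes it by the bank part of the card."""

    def __init__(self, banks: dict):
        self._banks = banks  # bank name -> CardholderBank

    def process(self, message: dict) -> str:
        request = unseal(TERMINAL_ACQUIRER_KEY, message)
        bank = request["card"].split("@")[1]
        return self._banks[bank].process(request)


def terminal_request(card: str, merchant: str, amount_cents: int, request_id: int) -> dict:
    """What a terminal, ATM or web shop sends; the card contributed only its number."""
    return seal(TERMINAL_ACQUIRER_KEY, {"card": card, "merchant": merchant,
                                        "amount_cents": amount_cents, "request_id": request_id})


def run_demo() -> list:
    """One genuine purchase, then a 'leaked number' being spammed with requests."""
    card = "1234567890123456@examplebank"  # constructed, not a real card
    device = AuthDevice(ISSUER_DEVICE_KEY,
                        lambda r: r["merchant"] == "Corner Shop" and r["amount_cents"] <= 5000)
    bank = CardholderBank({"1234567890123456": device})
    store_bank = StoreBank({"examplebank": bank})
    attempts = [("Corner Shop", 1250), ("Unknown Web Shop", 99900),
                ("Unknown Web Shop", 99900), ("Unknown Web Shop", 99900), ("Corner Shop", 1250)]
    return [store_bank.process(terminal_request(card, m, a, i)) for i, (m, a) in enumerate(attempts)]
```

`run_demo()` returns `["approve", "deny", "deny", "deny", "blocked"]`: the skimmed number alone buys the attacker nothing but denials, and once the denial count reaches the limit the number is parked for re-issue, so even the holder’s next genuine purchase is refused until a new card arrives.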

    1. Instead of a pin, have a pseudorandom 2fa code like a lot of us already use to log into email/games. It’s weird that my RuneScape/wow/sw:tor bank accounts are more secure than the one I store real money in. Solves problem of me needing cell service at the PoS.

      1. That rather depends on the quality of the implementation and security practices/code quality.

        No login/verification method means beans if the service provider is leaking their secrets everywhere some other way…

        While you would think entering your PIN at an ATM is riskier, in many ways it’s not – as the banks have a huge vested interest in keeping all their/your money so they are actively working to catch the fraudster, make it harder etc. – your online game really doesn’t have any reason to give a monkeys if your account is stolen – you already paid them, and their goods cost them nothing to just print more – eventually they can give you your account recovered to whatever state on the preceding backup. But anything the thief did with it, which may well include paying them yet more money, didn’t cost them anything or meaningfully break the in game economy, so they only care enough to avoid really bad publicity.

        Also 2fa can be good, or can be nearly pointless – for instance even if you can’t unlock the smartphone that is inevitably part of 2fa you can usually see enough of the message on the lock screen – and that is assuming that message chain from provider to your device has no man in the middle.

        Where if your 2FA is a one time pad type arrangement, likely with a date-time element as some banks have done with their card reader, you need to have that OTP, understanding of how it works, and quite likely a full clone of the chip on the card itself as part of how it works – many fewer folks you need to trust in the message relay chain than the SMS message – obviously it’s still got risks, as nothing is truly secure. But it’s far better than trusting that every part of the telecom giants your SMS is passed through is secure and you haven’t had your phone stolen/cloned.

        1. 2FA over SMS is indeed far from ideal.

          An app is a bit better, but still not ideal.

          A dedicated device for authentication is far more ideal. Since we can ensure end to end encryption between the device and its bank and that nothing else runs on said device.

          PIN codes for cards, however, require that every single payment terminal is secure, else it can gather the needed information to make actual card transfers without the card owner’s approval. And ensuring that every payment terminal is secure is a hard task.

          Meanwhile, having the card only be an ID for stores to make requests to, and then handling the authentication and approval of said requests separately, means it doesn’t matter what level of security the payment terminal has, since the card itself doesn’t provide the security. (It literally becomes a “here is my address.” As an example, you can’t hack an email account by simply knowing the address of it, even if it helps narrow down where to search.) However, payment terminal security is still important for the store, else a man in the middle can redirect funds elsewhere, and that is obviously not good for business.

          In this sort of system the authentication and approval of requests would instead take place on a device of the user’s choosing. (Either app or dedicated device.) Yes, this can still be attacked, but realistically it would be harder and the attacker would only gain access to that one account, not every card used in a given terminal.

          Effectively speaking, suddenly skimming card details is about as useful as skimming email addresses. Good for spamming, good for socially engineered requests, but not a direct key to the money.

          Skimming phones for the authentication app would be a new field to attack. And this is already the case, at least here in Sweden where the apps “Swish” and “bankID” are common as mud, one used to transfer money and the other used to authenticate oneself in practically everything. So far, security has been decent, but personally phone apps just don’t sit right with me. (Even a Bluetooth connected authentication device with just an app to relay the data would sit a lot better with me personally.)

          1. Banks and everywhere else are pretty much adopting 2FA over SMS (or paypal’s even better instant phone you system) for authentication.
            ATM’s just need to catch up.

            But here they are solving that problem by removing ATM’s from circulation.
            Since Irish “travellers” (AKA pikey scum here) tend to like taking them out of the wall they are mounted into with stolen backhoes the losses are costly when they can have a few 10K worth of currency in them.

    2. That’s how Online EFTPOS works, you enter your bank and mobile number and that sends a payment request to your mobile banking app on your phone to authorise.

      It works fine most of the time. Sometimes it takes a few minutes.
      The website needs to offer it and your bank to support it too. It’s not very common.

      It’s not fast enough for use in a busy shop.

    3. Cards with chips have secure elements inside them. Even if someone manages to modify the payment terminal (which is hard and would quickly get caught), the data they get is only valid for a single transaction, and a skimmed pin would still need the physical card – the system is already two factor (three if your bank decides that buying 3 TVs at 2am in a city you never made a transaction in is suspicious and decides to call you to check).

      Doing what you described is not needed and downgrades security by allowing brute-force attacks – just stop using magstripes (I erase mine on every card I get).

      1. Don’t know where you got the idea from, but Sweden doesn’t have “basic income” and pretty much no political party is for implementing it. Most people need fulfilling work in their life.

      2. When you grow up and earn your money instead of getting it from mum and dad you’ll appreciate why most people that put in effort dont really wish to give their money they earned away to people that cant be arsed.

      3. I think that was a Finnish experiment that went pretty well. But there are large cultural differences between Scandinavia and North America and many years of wildly different policies conditioning people to react differently.

  4. I am a bit amazed that an old technology hasn’t shown up for keypads. A randomized pad. Each key has a display (preferably with a limited field of view) that displays a randomized number. An observer can tell which keys are being pressed but can’t tell what numbers have been selected because the numbers change every time.

      1. And also for a lot of people who remember their pin at least partially by its pattern and some muscle memory. I’m noticing this more and more since contactless payment is now available almost everywhere and I enter my pin at most once per month, probably less.

        1. Yes! I have trouble remembering some pins to say the numbers but my fingers know.

          Still, I like the idea.

          But what about the sight-impaired at the drive-thru ATM? Randomized Braille dots on the keys? Idiotic question but a cool engineering challenge (no doubt already solved to my ignorance).

    1. This *is* done in some places. I can’t find the link at the moment, but I recall an individual somewhere in Europe complaining about how it was impossible to type their PIN after a couple of drinks because the numbers change on the keypad.

    2. In addition to the other comments about this, one well known payment terminal manufacturer actually has the touchscreen pin entry pad move to a random spot on the screen when used to avoid fingerprints being used to easily discern a PIN, though obviously this isn’t completely fool proof. This is disabled if you use their physical cover with rubber buttons for accessibility reasons.

  5. Maybe 2 factor ATM’s, instead of “enter pin” it could say “enter pin, or press enter to get a code to your phone”.
    If you select “phone” then it prompts for the code. It would only go to the phone # you have attached to the bank.

        1. I got caught by this when travelling. It sucks, and as far as I can tell there’s no way to opt-out of the security theatre of SMS authorisation. It sucks after being in transit for 50+ hours to be unable to check in to one’s accommodation because the bank sent an SMS to a phone with no roaming!

          (The hotel’s “fix” for this was interesting though. They just leave their reception office unlocked overnight, and all the late check-ins are in envelopes on the desk!)

    1. ATMs are two factor already, something you have and something you know.
      The problem with the magnetic strip is that it can easily be turned into something you know and therefore it becomes one factor.

      If I understand the chip/contact less part of the card, it is a call and response. You give the card the “transaction id” and it responds with a hashed/encrypted message that later on gets compared with what the bank expects and if it matches the transaction goes through. So even if you intercept the communication it should only be valid for that specific transaction.

      1. Yup, that’s right. And the mag stripe readers don’t *need* an internet connection (though many use it); they can take the card on trust and batch process transactions later – especially with credit cards.
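The difference the two comments above describe, as an added example (not code from the original post or from any card scheme): a magnetic stripe yields the same static string on every read, so a copy is indistinguishable from the original, whereas a chip answers the terminal’s challenge with a MAC over the details of that one transaction and a counter, so a captured answer fails when replayed or when attached to a different transaction. This is a simplified model using HMAC-SHA256 and an assumed per-card key; the real EMV cryptogram format, key derivation and message fields differ, and the PAN, key and nonces here are constructed.

```python
import hmac
import hashlib

# Constructed sample values for this example only (not real card data).
PAN = "4111111111111111"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # hypothetical per-card key


def magstripe_read() -> str:
    """Model of track-2 style data on a magnetic stripe: the same static string
    comes out on every swipe, so a copy of it is as good as the original."""
    return f"{PAN}=2512101"  # constructed: PAN, expiry, service code


def transaction_bytes(atc: int, amount_cents: int, terminal_nonce: bytes) -> bytes:
    """Canonical encoding of the fields the cryptogram commits to."""
    return f"{PAN}|{atc}|{amount_cents}|{terminal_nonce.hex()}".encode()


class ChipCard:
    """Model of the chip's behaviour: it never reveals its key, it only answers a
    challenge with a MAC bound to the details of one transaction."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0  # application transaction counter, increments per use

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1
        msg = transaction_bytes(self.atc, amount_cents, terminal_nonce)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """The card holder's bank: holds the same key and checks every cryptogram."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def verify(self, atc: int, amount_cents: int, terminal_nonce: bytes, cryptogram: bytes) -> bool:
        # A counter that does not move forward means a replayed or stale cryptogram.
        if atc <= self.last_atc:
            return False
        expected = hmac.new(self._key, transaction_bytes(atc, amount_cents, terminal_nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True


def demo() -> dict:
    """Which attempts the issuer accepts: a stripe copy, a genuine chip transaction,
    the same cryptogram replayed, and the same cryptogram on a new transaction."""
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    nonce = bytes.fromhex("0badf00d")  # constructed terminal challenge
    atc, cg = card.generate_cryptogram(1000, nonce)
    return {
        "stripe_copy_matches_original": magstripe_read() == magstripe_read(),
        "genuine_chip_transaction": issuer.verify(atc, 1000, nonce, cg),
        "captured_cryptogram_replayed": issuer.verify(atc, 1000, nonce, cg),
        "captured_cryptogram_on_new_transaction": issuer.verify(atc + 1, 2500, bytes.fromhex("c0ffee00"), cg),
    }
```

`demo()` returns `True` for the first two entries and `False` for the last two: the intercepted chip response is worthless outside the exact transaction it was generated for, which is the property the magnetic stripe lacks.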

  6. Wasn’t there a HaD article a while back on devices found inside gas pumps, plugged into the unencrypted RS232C connection between the reader and keypad and the rest of the electronics? They used Bluetooth so the crooks didn’t have to physically access anything to retrieve the stolen account codes and PINs. There was a Smartphone app to scan Bluetooth for the common device IDs used in the recovered examples of the skimmers. The crooks were mostly too lazy (or incompetent) to change the IDs.

    With a decent fake of an inspection sticker, a criminal could open the panel on a pump, unplug the connection, plug in the skimmer, close it up, slap on the fake sticker and off he goes. If the pump is a type where the access panel to the reader and keypad hardware isn’t ‘secured’ by an inspection sticker, the crook would only need to pick the lock. Skimmers in such pumps would be more likely to be discovered since gas station employees would be able to open the panel without requiring some official to come and replace the seal sticker.

    1. We have that here with some banks. it started as emergency use in case you forgot your card or lost it, but now has turned into a thing so that you no longer need your card, just your phone and the app.
      Some banking apps have even forced you into using face recognition for approving some transactions – mainly so they can say “look, YOU approved this”.

  7. Amazed scammers can still make money on this. Does anyone use ATMs any more? Hardly anyone uses cash, it’s all contactless, especially since covid. Even our local chip shop now takes contactless. And car parking is now contactless or more usually apps, which saves the council on maintenance and collecting cash.

    And banks don’t want to invest in massive changes to ATMs; even without fraud, they lose money on running ATMs, due to the costs in installing, maintaining, and stocking them.

    1. Where I live, it’s common to be charged up to 2% for using EFTPOS. Cash all the way for me. Although I do still see a lot of other people using EFTPOS (often via their phones) I guess they are just richer than I am.

  8. Hey, the encrypted data on the card was not even checked back in the day. The crooks figured they could cash out with just the track 2 data as long as the checksum was correct. It was there to protect against anyone just using information off the card. They didn’t even check, as long as it was there.

  9. Unfortunately hiding your PIN entry by covering it with your other hand doesn’t help. There was a study two years ago showing that PIN entry can be recovered by capturing the angle of your hand. This can even be simplified using AI.

  10. Bottom line is the capital investment in present infrastructure isn’t going to be abandoned unless an external force makes it mandatory. That external force could be the users of the system or a governing body. Until such time, the cheapest band-aid that keeps the ball rolling will stick.

  11. Covering your PIN entry, “that’s apparently a precaution virtually no one takes”, is very likely because most just read the warning that makes them think some shady character across the street with a long lens is spying on them, so they might glance around and not see one.

    It’s understandable why machine makers don’t want people to think there might be spy cams, but it needs to be spelled out.

    1. There was actually a case years ago where someone who lived in an apartment across the street from an ATM was watching people with a telescope to get their PIN numbers, then taking their receipts from the trash at the ATM to get their account numbers.

      And more than once, I’ve caught the person behind me in line trying to shoulder-surf my PIN number.
