ATM Skimming Gets Slick

ATM Skimming Gets Slick and Your Money Is At Stake

Last updated on June 17, 2019
The scary news: ATM skimming suddenly has gotten very, very slick.  And the numbers of incidents are exploding.

In late July, giant ATM maker NCR even issued an alert warning its bank customers about an explosion in attacks on bank owned ATMs,

Worse, the skimming devices are getting much better.

That means your money is at risk. With a skimmer, a thief captures the card data and, usually, a pinhole camera is also involved so the thief also grabs the PIN.  Then the data is pressed into a new card and the crook can get busy emptying your account.

Flashback a decade ago and most skimmers were crude plastic objects, haphazardly slapped on the card slot at an ATM, generally one in a dark corner of a hotel or convenience store, rarely at banks because banks were known to routinely visually inspect – and physically shake – card slots.  The old rule of thumb was that 99% of the time a skimmer would come off in your hand.

Things are different today

For one:  attacks on bank owned ATMs are way up, especially in the US.

For two:  if you think the attacks only grab data from old fashioned magnetic stripe cards, think again. Security blogger Brian Krebs has reported on new tools that have surfaced in Mexico that allow the criminal to grab data from chip and PIN cards (aka EMV cards) using a device called a shimmer that literally reads the chip data exactly when the ATM is reading it.

What this means is that just about every ATM, including ones at banks, and every card, is now in the cross-hairs of cyber-criminals.

It gets worse.  Criminals now are using skimmers that fit inside – not over – the card slot. Shake the slot as vigorously as you wish. It’s factory issued, nothing is amiss. This skimmer cannot be detected with a visual inspection.

In most cases the criminal forfeits that skimmer. Which is unlike the old-style slide on skimmers that, in most cases, the criminal retrieved after a day or two.

The new, inside skimmers also are pricey – $2000 is a number we heard for such skimmers for sale on cyber-criminal markets – but think about it. That internal skimmer will escape detection for days and, according to a Philadelphia police captain, as many as 600 to 1000 people will use a single busy ATM in a two day period.  Do the math.  If that criminal gets even 500 card grabs with usable PINs – that easily generates  $100,000 (500 x $200). Maybe a lot more.

NCR has also talked about cases where criminals drill a large hole in the front of an ATM, insert a skimming device, and cover the mess with a decal.  It has acknowledged such cases in the United Kingdom.  But criminals swap – and share – data across borders.  If it is in the UK, it will show up in Australia, Canada, Ireland, New Zealand, the United States, and still more.

Neither the skimmer shoved down the card slot nor the one inserted into a drilled hole is detectable by a casual inspection of the device and, said NCR, at least some OEM anti-skimmer technology also appears to have missed them.  (NCR said its anti-skimming tools would have detected such skimmers.)

Experts predicted more of the same. That is because there are more online sites selling high quality skimmers, probably because 3D printing is making production of them much easier, said sources.  This site claims to have skimmers that will read chip and PIN cards for around $2600. Many, similar sites are easily found on the Internet.

Used to be that getting into the skimming trade required having some ability to fabricate a skimmer. Now a handful of Bitcoin is plenty to buy a skimmer that just may evade most anti skimming technologies.

Here is where all this becomes a horror movie: It is not always easy for victims to quickly reclaim money stolen from their accounts by an ATM skimmer.

Think about it. The crook has what looks to be your card. He has the PIN.  How can you prove it’s not you – or not a person to whom you lent your card and credentials?  Many victims have told us they were denied fund restoration by their banks which insisted they had to be complicitous.  (We don’t know the facts and don’t claim to know the full story. Just understand that money taken out of an account in an ATM skim is not always immediately restored.)

In conclusion

The next time you slide a card into an ATM, remember a criminal may be skimming and a camera watching your PIN.  Your best self-defense:  Always use one hand to cover what the other hand is punching into the machine. That usually will block the PIN – so you have foiled the crook.

Is that guaranteed to work? Nope. But, sadly, it’s the best advice we can presently offer. That or stop using ATMs but who wants to go there?