51

This question has been bothering me ever since I first heard of ATM skimmers:

Instances of skimming have been reported where the perpetrator has put a device over the card slot* of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user's PIN at the same time. This method is being used very frequently in many parts of the world...

source: Wikipedia

                       * ATM skimmer device being installed on front of existing bank card slot (source: hoax-slayer.com)

Banks have so far responded to such threats by installing all kinds of anti-skimmer fascias and see-through plastic slot covers on their ATMs, spent a great deal on educating consumers on how to detect such devices with informative brochures, warning stickers on ATMs themselves, even added helpful information to ATM displays' welcome screens and whatnot, and yet I still can't think of a single, simple and bulletproof way of establishing whether any particular ATM is safe to use, or it might have been tampered with and devices installed onto it to collect our credit card information and record our PINs.

                       Anti-fraud/anti-skimming device

Here are a few suggestions I've been reading about:

  • Check for cameras: Sometimes hackers looking to get PINs put cameras on the light above the keypad. Feel the top for anything protruding that could be a camera.
  • Pull on the card slot: Card stealers can't spend a long time messing with an ATM, so card skimmers are often easy to install and remove. If the card reader at the ATM moves or seems loose, don't risk it.
  • Wiggle the keypad: Hackers sometimes put fake keypads over the real one to figure out your PIN. If the keypad seems loose, try a different ATM.

source: consumerist.com

Hackers are getting smarter though, and technology to enable more advanced and harder to detect skimming devices is becoming more widespread (e.g. 3D printers, tiny cameras that can record PINs through a pinhole,...). So how are we, consumers, supposed to detect all of this? ATMs themselves vary greatly bank to bank, country to country. Sometimes, even same banks will use multiple different ATMs, and anti-skimming fascias might be different altogether. Hackers might have super-glued overlaid keyboard and the skimmer, the camera can be so tiny and hidden so well it would be nigh impossible to detect, or the complete circuitry (reader, camera, the whole shebang) extremely well disguised to look nearly identical to ATMs original fascia.

                     ATM skimmer showing slot cover and pinhole for PIN camera. Would you have noticed it?

The example in the photograph above could be scarier, if it was in matching colour and texture to the ATM's own plastic fascia, and maybe cut a bit nicer too. Nothing too hard to do really. But even as it is, it's still disguised well enough to fool any slightly too casual customer in daylight, and possibly even the most cautious ones during night and under artificial illumination. Notice how tiny the camera pinhole is. Put a smudge of dirt around the pinhole, and it would be unnoticeable.

So with all this in mind, my question is:

How can we detect, in reasonable time and assuming the attackers got in the meantime smarter and better equipped than what we learned so far, if an ATM was tampered with and any skimming devices (or other traps) installed onto it?

I've left the question intentionally slightly open to interpretation and am interested in both latest & greatest ATM anti-fraud technology used by banks, as well as any good suggestions on how an average ATM user could detect such fraud schemes and devices, if present.

TildalWave
  • 1
    That last one looks legitimate. – AbsoluteƵERØ May 18 '13 at 01:41
  • 2
    I've stopped using my ATM card anywhere but my bank's ATM machines (inside the bank when possible) after a local supermarket chain had [skimmers in their in-store POS terminals](http://sanfrancisco.cbslocal.com/2011/12/06/lucky-supermarket-chain-reveals-scope-of-card-reader-scam/) – Johnny May 18 '13 at 04:22
  • 1
    @tidalwave: +1: great question and especially great examples and research! – Olivier Dulac May 21 '13 at 10:04
  • One thing I do is cover my hand as much as possible with my wallet. This is especially effective if you are able to 'touch type' on ATM keypads. No matter where the camera is located your wallet will obscure some of your PIN digits unless all the digits are in the same column. – Jonathan Dickinson May 29 '13 at 13:16
  • 2
    Newest form of skimmers are parallel read mylar shims for chipped cards. They're totally invisible as they slide into the slot. Their contacts overlay the card reader contacts. – Fiasco Labs Feb 01 '16 at 00:27

4 Answers

30

From an end user perspective, I usually give the reader and surrounding plates a good whack with my fist and I try and peel back any of the faceplates with my keys or a knife. The fact of the matter is, the best quality skimmers aren't detectable. POS machines can be hacked which results in an almost undetectable scenario. Your best bet, if you want to avoid being skimmed, is to cash out at a teller at the bank :)

From a company perspective, I've come across two new defenses against skimmers recently from perusing ATM manuals (I'm doing some work with them at the moment and have all the manuals/specifications)

  • 1) Sensors to detect any obstruction in front of the card-reader: if it is there for extended periods of time, it'll trigger an alert. These sensors are light sensors, proximity sensors and beam sensors depending on the ATM in question. These are both mounted inside the card reader and around the device in general.

  • 2) Sensors to detect constant RF signals. If you transmit for more than xx seconds (I won't mention the exact time frame) it'll trigger an alert. From the manual:

Radio frequency (RF) detection is used for detection of analogue transmitting spy cameras fitted to the ATM for purposes of fraudulently capturing card holder PIN entry. RF detection does not trigger an alert but provides additional supporting information to an alert if a fraud device is detected by a sensor at the same time as an RF detect alert.

Additionally:

HSFD consists of the following elements:

  • Control board

  • RF detect sensor (optional)

  • From one to six sensors
  • Cellular modem (to transmit alerts), with separate antenna (optional).

The following diagram shows an overview of the High Security Fraud Detection (HSFD) feature. Dashed lines indicate optional components: High Security Fraud Detection (HSFD)

Alerts usually go to a back to base central monitoring solution somewhere controlled by the bank that owns the ATM

There's a new proof of concept Anti-Skimming technology called SRS “Secure revolving system” that got announced recently, there's a video of it in action here. Original story here

The actual SRS device looks like this: SRS device

Basically it accepts the card 'side on' (as opposed to the usual card entry method) and then rotates it 90 degrees before accepting it. This basically prevents any face plate being attached over the device and makes it very difficult to position a skimmer.

Mark Buffalo
NULLZ
  • Do you have a link or any additional information? – rook May 18 '13 at 01:29
  • @Rook I'll see what I can do about finding it online anywhere. Otherwise, I'll upload the excerpt and link it here. If you have any specific questions I can try and answer – NULLZ May 18 '13 at 01:31
  • yeah if you could push the doc, that would be awesome. – rook May 18 '13 at 01:54
  • 1
    @Rook I've updated with what I've got. The sensor tech I don't have the manuals for but I'll see if I can dig em up – NULLZ May 18 '13 at 17:26
  • None of the answers here mention it (and maybe it's out of scope), but aren't they battling this phenomenon by leaving out the magnetic strip from new cards, leaving them with only a smart chip that can't be copied? – Bart van Heukelom May 20 '13 at 21:58
  • 2
    @bartvanheuklom For credit cards yes. They are trying to use magstrip+plus chip + pin which makes it harder but not impossible. They remove this safety by then allowing contactless payments... – NULLZ May 20 '13 at 23:27
  • 1
    So, does that still depend on the magstrip to work? Meaning, could one make his own card safe by disabling/blocking the magstrip? – Bart van Heukelom May 21 '13 at 12:14
  • 1
    @bart if you'd like to make another question I can answer, it's getting a bit off topic otherwise I think – NULLZ May 21 '13 at 12:56
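
The alert behaviour quoted from the manual in the answer above (a sensor obstructed for an extended period raises the alert; an RF detection never alerts alone and only adds supporting detail when it coincides), sketched as an added example that is not from the ATM manual or any vendor's code. The thresholds, sensor names and event format are assumptions, since the page deliberately withholds the real values.

```python
from dataclasses import dataclass, field

# Assumed thresholds (placeholders): the real values are not given on the page.
OBSTRUCTION_SECS = 60   # how long a sensor may stay blocked before alerting
RF_SECS = 30            # how long a continuous RF signal must last to be recorded

@dataclass
class Alert:
    sensor: str
    start: float
    end: float
    rf_support: list = field(default_factory=list)  # overlapping RF intervals

def long_intervals(events, min_secs, now):
    """Turn (time, source, active) edge events into intervals of >= min_secs."""
    open_at, out = {}, []
    for t, source, active in sorted(events):
        if active:
            open_at.setdefault(source, t)          # keep the earliest start
        elif source in open_at:
            out.append((source, open_at.pop(source), t))
    out += [(src, start, now) for src, start in open_at.items()]  # still active
    return [iv for iv in out if iv[2] - iv[1] >= min_secs]

def correlate(sensor_events, rf_events, now):
    """Alerts come only from sensors; RF detections are attached as support."""
    rf = long_intervals(rf_events, RF_SECS, now)
    alerts = []
    for sensor, start, end in long_intervals(sensor_events, OBSTRUCTION_SECS, now):
        overlap = [(s, e) for _, s, e in rf if s < end and e > start]
        alerts.append(Alert(sensor, start, end, overlap))
    return alerts

# Constructed sample events: (seconds, source, active?)
SENSOR_EVENTS = [
    (0, "card_slot_proximity", True), (5, "card_slot_proximity", False),      # customer's hand
    (100, "card_slot_proximity", True), (400, "card_slot_proximity", False),  # lingering object
    (2900, "fascia_beam", True),                                              # still blocked
]
RF_EVENTS = [
    (120, "rf_detect", True), (380, "rf_detect", False),    # coincides with a sensor alert
    (2000, "rf_detect", True), (2100, "rf_detect", False),  # no sensor alert: recorded only
]

if __name__ == "__main__":
    for alert in correlate(SENSOR_EVENTS, RF_EVENTS, now=3000):
        print(alert)
```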
12

The newest skimmers cannot be seen. These skimmers are wafer thin and insert into the card reader:

To make matters worse the modification can be purely software. ATMs can be hacked, their software can be modified to log the mag strips and pins of every user.

This is a losing battle and you take a chance every time you use an ATM. Security is relative, that being said I would avoid using ATMs in general, especially in a bad neighborhood. Online banking isn't foolproof either, related: Is accessing bank account on the internet really secure?

gatorback
rook
6

The best you can really do is use ATMs you know or ATMs that have good physical security if one you know isn't available. (go to an ATM inside a bank). Even then, I always spot check the machine for any signs of tampering.

A simple trick that can work well is to make sure the keypad isn't compromised (by looking and pulling on it) and then if it appears valid, put one hand over your other hand as you type in the code, so even if there is a camera, it can't see your input.

Ultimately, it's still a losing battle and nothing is perfect, but those are the tips I usually follow. Hopefully in the future, we can move to a system that actually uses OTP (one time password) generation for added ATM security.

AJ Henderson
3

Secure Revolving Systems

This is the latest anti-skimming tech out there. It basically rotates the card as it's being inserted, preventing the skimmers from locking on the magnetic data strip. It's just been recently invented by a card skimmer in prison. It was announced here.

Regardless, as Rook mentioned earlier, security is relative. Software can still be hacked and the SRS can't protect against that. Also there might be card skimmers in future that will try scanning the card while rotating the scanner, matching the same pattern as the SRS. But for now, as an answer to your question, Secure Revolving Systems are things to look forward to.

DarrenVortex