Meet The Card Skimmer That Might Make You Think Twice About Ever Using An ATM Again

Once upon a time, identity thieves hoping to capture victims’ debit and credit card information had to resort to clunky, sometimes obvious skimming devices. But as consumers have grown more savvy about how to identify a possible skimmer, the devices have evolved to a point where some are all but impossible to detect by the naked eye.

Security expert Brian Krebs recently posted some photos and info about a skimmer that looks exactly like the card slot on an ATM machine, but will give the ID thief both your card number and your PIN.

The device is powered by a cell phone battery and contains both the technology to skim your card and the guts of a digital video camera. The camera peeks out through a tiny pinhole in the plastic shell and records time-stamped footage of victims punching in their PINs, so that the scammers can match up the information later on.

As Krebs points out, the best way to defeat the PIN-recording aspect of the skimmer is to simply cover your hand when entering the information.

Check out KrebsOnSecurity.com for more photos of this skimmer and more information on how to protect yourself.


Comments


  1. gman863 says:

    This is one of the reasons why I prefer getting cash back on a purchase at a supermarket or drug store instead of using an ATM.

    Two more +1s for the supermarket or drug store:

    * Less chance of getting mugged or robbed, especially after dark.

    * Even if I have to buy a .99 cent pack of gum to get cash back, my bank still treats it as a “debit” transaction with no fees from either my bank or the one that owns the ATM.

    • coujo says:

      My CC info was stolen via a dubious pay station at the supermarket. It happened at the one I worked at. We even saw the guys who replaced the CC scanners doing it, and my boss even stamped their paperwork. It's not that your info is unsafe, it's that any determined criminal WILL get it, regardless of safe practices and eagle eyed consumers.

      Everything can be free, you just need to be determined and smart enough to get it.

      • gman863 says:

        any determined criminal WILL get it, regardless of safe practices and eagle eyed consumers.

        Agreed, especially in the face of large companies like TJX (T.J. Maxx/Marshall’s) getting hacked.

        I just feel the odds of it happening are much lower in a grocery or drug store point-of-sale transaction versus using an ATM.

    • Rena says:

      +1. Much rather get it at the store, where the machines are less likely to be tampered with and there are no extra fees.

    • jleonar says:

      http://www.reddit.com/r/IAmA/comments/subal/hi_reddit_i_was_the_mastermind_of_a_credit_card/

      Does that make you feel better now? It can happen anywhere and you can take some precautions at an ATM, you can’t protect yourself when an employee at the store is in on it.

  2. Costner says:

    Newer Wells Fargo ATMs have this rather odd shaped round thing that is translucent and therefore anything put over the top of it would also need to be clear – and due to the odd shape I don’t see how a skimmer could ever attach to it.

    I suppose the crooks will eventually figure out a way, but perhaps the only way around this is to one day use a retinal scan or other biometric scanning device to verify we are who we say we are.

    • Cat says:

      Nope, that won’t work either. The meth heads will just start stealin’ people’s eyeballs.

      • Costner says:

        I always thought that about thumbs for the biometric thumb reader, but honestly if it requires a thumb or retinal scan plus PIN, such thefts would be pretty rare – and probably less common than regular thefts today.

        The skimmers only work because there is no interaction with the actual card holder. These are rather organized thieves.

        • mischlep says:

          Until the thumb print/retinal scan system is broken. Then it’s game over.

          The problem with bioinformatics is that once the system is broken, you can’t change the password.

    • belsonc says:

      Same with newer CapitalOne ATMs…

    • majortom1981 says:

      Chase ATMs have it also in blue. Also the Chase ones blink blue.

  3. palace_gypsy says:

    “looks exactly like the card slot on an ATM machine”
    Automated
    Teller
    Machine
    machine???

  4. amuro98 says:

    So…aren’t the banks or the owners of the ATM responsible for theft-by-skimmer?

    And yet another reason I’m glad I have a branch of my credit union nearby so I can get cash directly from them, instead of from a machine. No possibility of a skimmer being involved.

  5. PhiTauBill says:

    Amazing that this practice is actually profitable given the necessary engineering and existing safeguards, but as noted by other commenters, the banks generally take on the bulk of the risk here, so as scary as it is, can’t see a need for consumers to become paranoid.

    • KyBash says:

      I still think the practice peaked very early: the most audacious, innovative, and admirable venture was when they put a fake ATM in a shopping mall — after it read their card and people punched in their PIN, it always said it was out of cash.

      • tungstencoil says:

        Little note on this courtesy of a co-worker who used to work for a company that developed ATM software:

        If a machine can’t dispense funds (either out, or can’t contact your bank, or can’t verify your account, etc.) it will notify you BEFORE it asks for your PIN. In virtually every instance (except catastrophic mechanical failure whilst dispensing), if you enter your PIN and at any time afterward get an error, you should call your bank. Immediately. You have been pwnd.

        • Coyote says:

          That is not entirely true. A lot of independent ATMs such as you might find in gas stations, bars, clubs, etc… will not connect to the bank until after you have swiped your card, entered your PIN, and selected your withdrawal. This is because they use dial-up modems that might share a line with a fax or alarm.

          If the machine is jammed or out of cash, it should say out of order before you can even swipe your card. If the phone line is down or your PIN is wrong it won’t know until after it tries to contact the bank.

        • KyBash says:

          I’ve entered my PIN and then been notified that I can’t get the cash I want. I have been able to do other things (check my balance, buy stamps, etc.).

    • j2.718ff says:

      The average skimmer doesn’t require much more technology than your average cell phone. Card reader + camera + just enough computing power to read the data from these things, and send it to the person who will use it. And they can do it using cell technology, such that the information is sent to an anonymous e-mail address. Now the scammer doesn’t even need to return to the site of the crime to collect the data.

      If anything, I’d say the problem is that such technology / engineering is so simple/cheap to obtain.

  6. Straspey says:

    “As Krebs points out, the best way to defeat the PIN-recording aspect of the skimmer is to simply cover your hand when entering the information.”

    “As Krebs points out, the best way to defeat the PIN-recording aspect of the skimmer is to simply cover THE NUMERIC KEYPAD WITH your hand when entering the information.”

    There – I fixed it for you.

    • CubeRat says:

      picky, picky…..

    • Applekid ──┬ ノ( ゜-゜ノ) says:

      How do you enter your PIN with the hand on top of the keypad? Surely you need to cover the hand that’s actually entering digits.

    • alexwade says:

      I read about some skimmers that used an infrared camera to determine which buttons you pushed. They were able to determine the order by how warm the button was after you left; warmer buttons were pressed last. To fix that issue, I use a very long PIN and the same number more than once. Then the person analyzing the infrared image will be one or more digits short when entering the PIN.

      Between duplicate numbers, covering your hand, and long PINs, that should stop skimmers.

      • Awesome McAwesomeness says:

        I have a long PIN where the same number appears 3 times, and not together. I also touch other keys without pressing them, while covering my hand if I think something seems fishy.

      • HogwartsProfessor says:

        You could just lay your hand over the entire keypad when you’re done entering it, thus warming them all and thwarting the infrared.

  7. KyBash says:

    I really like US Bank’s ATMs — the slot is in a recess that would be hard to fit a skimmer into and there’s a band of flashing green LEDs around it. If you’ve used one once, you know what it should look like, and you’d instantly notice any change.

    I do think, however, that instead of splash screens advertising services, every ATM should display a picture of what the card slot should look like before people insert their cards. It’s not chic, but it could save a lot of people a lot of hassle.

    • wickedpixel says:

      what’s to stop the scammer from covering the picture with something?

      • Elizabeth B says:

        I think the idea is that the screen displays the picture of how the card reader should look. If the screen has a big sticker over it, then I wouldn’t be using that ATM anyway. The screen would change once a card was swiped.

    • SharkD says:

      This skimmer is designed to fit around BoA ATMs, which have the same LEDs.

      In this case, the LEDs shine through the clear bezel around the card slot, just like on an unmodified ATM.

  8. Happy Tinfoil Cat says:

    If I were to build a skimmer, it would not be visible at all. Credit cards would not be a problem, it’s the PIN on the debit card I’d have to work at. The PIN can be derived in 15 guesses worst case.

    The good news is the US banks are finally, FINALLY switching to a more secure PIN system. When my bank was setting up a new account a couple weeks ago, they offered me the new PIN system. This is a big deal because every ATM had to be retrofitted to accept them and the entire system had to be rebuilt.

    • CubeRat says:

      What is the new PIN system your bank is using? If it uses more than 4 digits, you are limited to using your bank’s ATM.

      • Happy Tinfoil Cat says:

        It allows many more digits. My assumption is, VISA is transitioning but since I can’t find any news about it I guess I could be wrong.

      • Southern says:

        My PIN is 6 digits, and I use it everywhere. Supermarkets, other bank ATMs, gas stations.. In fact they wouldn’t even let me create a 4 digit PIN, it *had* to be 6 digits.

        This was 3 years ago, BTW.

    • mojoshtudd says:

      It’s 4 digits, not 4 bits. You need 10000 guesses.

  9. XianZomby says:

    A small camera attached to the ATM that is pointed at the card slot.

    A split screen on the ATM that shows on the left what is coming live off the small camera, and on the right, a still shot of what the camera should see if the card slot has not been tampered with.

    As the ATM user, you are instructed to first validate visually that the left image matches the right image, disregarding lighting differences and smudges and wear.

    Then you hit a button to approve, and you can move on to conducting a transaction.

  10. Gehasst says:

    Hmm, Gizmodo had this either yesterday or the day before. You are slacking Consumerist!

  11. IphtashuFitz says:

    Every ATM I use has green flashing lights encircling the card slot, and the slot is somewhat oddly shaped. I think it would be extremely difficult to attach a skimmer to those – either they’d have to include their own green flashy lights or you’d likely notice the light bleeding out around the edges of the skimmer.

  12. tungstencoil says:

    I *always* grasp the card slot mechanism, and yank it around pretty roughly. The skimmers don’t do such a great job attaching them, and if it comes loose, I move on.

    Real ATMs have the plastic injection molded as part of the overall unit, it isn’t ever an attachment.

    • Supes says:

      Has it ever come loose for you? For all these stories, I know I’ve never seen a card skimmer in the wild.

      • tungstencoil says:

        Nope. While I think they’re common in terms of “this is something that happens way more frequently than it did 10 years ago” it’s like car accidents: there may be lots of them in the world, but that doesn’t mean everyone who drives is crashing every day.

    • Kuri says:

      That’s been my method too. Hell, if it came off I’d turn it in to security.

  13. HogwartsProfessor says:

    Grr. Well, the ATM I like to go to that dispenses tens had a sticker on it saying and the screen asked me before I put my card in, “Is this sticker intact? If not, don’t use me!” I looked but didn’t see anything odd. I’m just going to get cash back from now on.

  14. Southern says:

    This is why I’ve always advocated an ATM card with a digital 4-6 digit number on the front of it that cycles every 60 seconds, that must be used in addition to (or in conjunction with) the customer’s PIN.

    Such as PIN+4digits on the front of the card whenever you swipe it.

    Or hell, even a keychain device like the RSA tokens that many companies require to remote into their network, or that PayPal uses to log into your account (optional).

    Then, if someone skims the card, so what? Unless they have physical possession of the card and can get the current 6 digits, my PIN does a crook no good whatsoever.

    Would also greatly increase security for online purchases, as they could require that number, instead of the 3 digit “security code” on the back that NEVER CHANGES.

    • Happy Tinfoil Cat says:

      I have one of those RSA tokens; my company is killing it tomorrow due to the fact they’ve been compromised. Great idea, but we always have to stay one step ahead.

    • Rena says:

      But that would cost money.

  15. luusyphre says:

    I always cover up my hands these days when entering my PIN. You guys have gotten me paranoid. I also have 2 cards: one for fairly safe and regular transactions (like for bills and trusted online retailers), and one for the scum of the earth! When my scum card gets stolen, I don’t have to go around changing all my recurring payments. I’ve had my card stolen a few times and the 2 card strategy makes the ordeal a lot less inconvenient.

  16. Happy Tinfoil Cat says:

    I was looking at the circuit in the photo and was questioning some of the design choices when I realized what it was. It looks a lot like the circuit out of one of those ‘spy’ cameras made to look like a cigarette lighter. Have they converted the mic input to be a mag head pickup?

  17. GuyGuidoEyesSteveDave™ says: