ATM Insert Skimmers: A Closer Look

Accepted submission by exec at 2016-11-30 01:29:31
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [Krebs]

Time: 2016-11-27 18:39:31 UTC

Original URL: https://krebsonsecurity.com/2016/11/atm-insert-skimmers-a-closer-look/ [krebsonsecurity.com] using UTF-8 encoding.

Title: ATM Insert Skimmers: A Closer Look

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---
 
 

ATM Insert Skimmers: A Closer Look

Arthur T Knackerbracket has found the following story [krebsonsecurity.com]:

KrebsOnSecurity has featured multiple stories about the threat from ATM fraud devices known as “insert skimmers,” wafer-thin data theft tools made to be completely hidden inside of a cash machine’s card acceptance slot. For a closer look at how stealthy insert skimmers can be, it helps to see videos of these things being installed and removed. Here’s a look at promotional sales videos produced by two different ATM insert skimmer peddlers.

Traditional ATM skimmers are fraud devices made to be placed over top of the cash machine’s card acceptance slot, usually secured to the ATM with glue or double-sided tape. Increasingly, however, more financial institutions are turning to technologies that can detect when something has been affixed to the ATM. As a result, more fraudsters are selling and using insert skimming devices — which are completely hidden from view once inserted into an ATM.

The fraudster demonstrating his insert skimmer in the short video above spends the first half of the demo showing how a regular bank card can freely move in and out of the card acceptance slot while the insert skimmer is nestled inside. Toward the end of the video, the scammer retrieves the insert skimmer using what appears to be a rather crude, handmade tool thin enough to fit inside a wallet.

A sales video produced by yet another miscreant in the cybercrime underground shows an insert skimmer being installed and removed from a motorized card acceptance slot that has been fully removed from an ATM so that the fraud device can be seen even while it is inserted.

In a typical setup, insert skimmers capture payment card data from the magnetic stripe on the backs of cards inserted into a hacked ATM, while a pinhole spy camera hidden above or beside the PIN pad records time-stamped video of cardholders entering their PINs. The data allows thieves to fabricate new cards and use PINs to withdraw cash from victim accounts.

Covering the PIN pad with your hand blocks any hidden camera from capturing your PIN — and hidden cameras are used in the vast majority of the more than three dozen ATM skimming incidents that I’ve covered here. Shockingly, few people bother to take this simple and effective step, as detailed in this skimmer tale from 2012 [krebsonsecurity.com], wherein I obtained hours’ worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

Once you understand how stealthy these ATM fraud devices are, it’s difficult to use a cash machine without wondering whether the thing is already hacked. The truth is most of us probably have a better chance of getting physically mugged after withdrawing cash than encountering a skimmer in real life. However, here are a few steps we can all take to minimize the success of skimmer gangs.

- Cover the PIN pad while you enter your PIN.
- Keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible.
- Stick to ATMs that are physically installed in a bank. Stand-alone ATMs are usually easier for thieves to hack into.
- Be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on a weekend — when they know the bank won’t be open again for more than 24 hours.
- Keep a close eye on your bank statements, and dispute any unauthorized charges or withdrawals immediately.

If you liked this piece and want to learn more about skimming devices, check out my series All About Skimmers [krebsonsecurity.com].


                                 

                                                                     



                   



Tags: ATM Skimmers [krebsonsecurity.com], insert skimmer [krebsonsecurity.com]


I always use cash!

(Because I’m so poor, I can easily carry all the money I have with me)

It’s so convenient.

Once again – nice article Brian. I always avoid non-bank based machines… I don’t know what it is like in the US and the rest of the world, but I’m sure 3rd party (non-banked owned) are owned by pirates here in Canada given the fee they charge to make any sort of transaction. That alone should be enough to discourage most people from using them.

Actually – this article brings up a question I need to contact my bank for – do today’s bank owned ATMs (at least here in Canada) still actually use the magnetic strip, or do they just use the chip? If they only use the chip, then perhaps a magnet to the strip on my debit card is in order. In Canada we have different cards for credit cards versus bank cards for chequeing and savings account access.

It takes a pretty powerful magnet to ‘demagnetize’ the strip on a credit card. Anything you’re likely to find around the house will NOT be strong enough to wipe the data.

What about those neodymium magnets from out of hard drives those are pretty strong?

Hmm, Tarek, what’s your source for this? Dare you to try dragging a magnet along the mag stripe on your debit card and telling us the results. Remember the warnings not to store cards so their stripes are facing each other? And mag tapes imprinting their information on layers above and below? Having lost info just looking cross-eyed at a card I can’t believe this.

The bank I use here in New York City uses the strip to grant access to the atm facility, as the one closest to my home is just an atm location (4 are in the site). At the atm itself, you put the card in & remove it and during that process it detects the chip and tells you to reinsert it and leave it in through the transactions.

To your point about the fees & third-party owners, yeah, pirates is a good term; I have never used an outside-the-network atm. In Manhattan, at least, and nowadays the other boroughs, there are bank branches that rival Starbucks in their number. If I somehow found myself in need of actual cash, and my bank doesn’t have a branch around, I’d rather go to an actual bank (and pay their almost-piratey fees) rather than one at a deli.

Thank you, Brian for the story.

Great read as always

The above post is a fake, imposter

How about the death penalty for skimmer fraud? I know liberals are jumping up and down, but think about what will happen to the fraud.

One other aspect is that NONE of the anti-skimming tech in the market for the primary OEMs (NCR and Diebold Nixdorf) can prevent or defeat inserts … except for Diebold’s Active-Edge (which makes the user insert the card long-ways). Larger banks avoid the Active-Edge because it tends to confuse customers.

Also – all of the above-referenced card readers are motorized. These inserts also work on dip-readers.

As stated in the article: the number one thing to do is cover the hand during PIN entry. As EMV becomes more-n-more a thing banks are less likely to even invest in anti-skim – leaving customers in a position for the next 4-6 years waiting for mag-stripe card readers to slowly die & fade away in the overall marketplace.

BTW: skimming cards and cashing out at ATMs is only one platform of cashing-out. Apparently, the USPS still hasn’t converted to EMV – so the crooks are hitting the cash-out limit at ATMs then going to the Post Office and getting more from there. Big $ being lost there and no one has been reporting on that.

Finally: Gas-pump skimming is leading ATM losses 4-1 in 2016. Banks are laser focused on using velocity verification and active monitoring with their fraud management – eyeballing all POS-gas purchases. But the volume of gas purchases is overwhelming. Again, the average user hits an ATM 3-4x month. Gas purchases average 4-6x month.


                © 2016 Krebs on Security.
       

-- submitted from IRC

