All About Skimmers


11
Aug 15

Chip Card ATM ‘Shimmer’ Found in Mexico

Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.

The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.

This card 'shimming' device is made to read chip-enabled cards and can be inserted directly into the ATM's card acceptance slot.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The chip reading component includes the eight gold rectangular leads seen on the right side of this device; the electronics that power the data storage on the shimmer can be seen in black at the top of the image.

According to information from Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). The device is inserted from the outside of the ATM and no access is required to the ATM internals. Damage Control, which disseminated the information via a service called CrimeDex, didn’t say whether this shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay.

Here’s a look at what this thing looks like while it’s sitting inside a compromised ATM’s reader (notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader): Continue reading →


22
Jul 15

Spike in ATM Skimming in Mexico?

Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

On Saturday, July 18, 2015, municipal police in Puerto Vallara arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim’s ATM card PIN.

Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?

hyosung-frontatm
The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:

The backside of the false fascia shows the location of the hidden camera.

The backside of the false fascia shows the location of the hidden camera.

The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Continue reading →


4
May 15

Foiling Pump Skimmers With GPS

Credit and debit card skimmers secretly attached to gas pumps are an increasingly common scourge throughout the United States. But the tables can be turned when these fraud devices are discovered, as evidenced by one California police department that has eschewed costly and time-consuming stakeouts in favor of affixing GPS tracking devices to the skimmers and then waiting for thieves to come collect their bounty.

One morning last year the Redlands, Calif. police department received a call about a skimming device that was found attached to a local gas pump. This wasn’t the first call of the day about such a discovery, but Redlands police didn’t exactly have time to stake out the compromised pumps. Instead, they attached a specially-made GPS tracking device to the pump skimmer.

A gas pump skimmer retrofitted with a GPS tracking device. Image: 3VR's Crimedex Alert System.

A gas pump skimmer retrofitted with a GPS tracking device. Image: 3VR’s Crimedex Alert System.

At around 5 a.m. the next morning, a computer screen at the Redlands PD indicated that the compromised skimming device was on the move. The GPS device that the cops had hidden inside the skimmer was beaconing its location every six seconds, and the police were quickly able to determine that the skimmer was heading down a highway adjacent to the gas station and traveling at more than 50 MPH. Using handheld radios to pinpoint the exact location of the tracker, the police were able to locate the suspects, who were caught with several other devices implicating them in an organized crime ring.

A GPS tracking device manufactured by 3SI Security Systems (3sisecurity.com)

A GPS tracking device manufactured by 3SI Security Systems (3sisecurity.com)

This story in October 2014 the U.S. Justice Department‘s “COPS Office” indicates that the Redlands PD has taken the lead in using GPS technology to solve a variety of crimes, and had credited the technology with helping secure at least 139 arrests. Continue reading →


6
Apr 15

Hacking ATMs, Literally

Most of the ATM skimming attacks written about on this blog conclude with security personnel intervening before the thieves manage to recover their skimmers along with the stolen card data and PINs. However, an increasingly common form of ATM fraud — physical destruction — costs banks plenty, even when crooks walk away with nothing but bruised egos and sore limbs.

An ATM technician and KrebsOnSecurity reader shared photos of a recent attack in which three would-be robbers went to town on a wall-mounted cash machine with crowbars and hammers.

Thieves with crowbars did massive and costly damage to this ATM, but were thwarted in cracking the safe.

Thieves with crowbars did massive and costly damage to this ATM, but were thwarted in cracking the safe.

According to the technician, the burglars ruined a $13,000 cash acceptor, a $5,000 check scanner, a $900 monitor, and a $700 card reader, among many other pricey items. Hardly any part of the machine escaped damage.

This thief-ravaged ATM is totaled.

This thief-ravaged ATM is totaled.

The carnage from this incident looks like something out of a bad Transformers movie.

Decepticons, attack!

Decepticons, attack!

Continue reading →


17
Mar 15

Door Skimmer + Hidden Camera = Profit

If an ATM you’d like to use is enclosed in a vestibule that requires a card swipe at the door, it might be a good idea to go find another machine, or at least use something other than a payment card to gain entry. Thieves frequently add skimmers to these key card locks and then hide cameras above or beside such ATMs, allowing them to steal your PIN and card data without ever actually tampering with the cash machine itself.

One recent skimming incident began when fraudsters placed a card skimmer directly on top of this key card “dip” device, which managed access to a bank ATM vestibule:

Locks secured by mag stripe readers typically aren't very discriminating or physically secure.

Locks secured by mag stripe readers typically aren’t very discriminating or physically secure.

The attackers in this incident then placed a hidden camera in a false panel above the ATM.

A tiny pinhole lets the hidden video camera record customers entering their PINs.

A tiny pinhole lets the hidden video camera record customers entering their PINs.

Here’s the backside of the phony door card reader the thieves placed on top of the legitimate card reader: Continue reading →


6
Jan 15

Thieves Jackpot ATMs With ‘Black Box’ Attack

Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack.

The attackers responsible for this "black box" ATM attack relied on a mobile device and a USB-based circuit board.

The attackers responsible for this “black box” ATM hack relied on a mobile device and a USB-based circuit board.

At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.

In this particular attack, the thieves included an additional step: They plugged into the controller a USB-based circuit board that NCR believes was designed to fool the ATM’s core into thinking it was still connected to the cash dispenser.

“They didn’t have to do this [to get away with the money] but our guess is they thought this component would buy them some time,” before the ATM’s owners figured out something was wrong, said Charlie Harrow, solutions manager for global security at NCR.

NCR says the crooks then attached a smart phone (a virgin, out-of-the-box Samsung Galaxy 4), which they used as a conduit through which to send commands to the cash dispenser remotely. According to Harrow, the mobile phone was set up to relay commands through a dynamic IP service.

“Which meant that the real attacker sending the commands was somewhere remote from the ATM,” Harrow said.

Why would the ATM thieves set it up so that the dispense commands could only be issued remotely, when co-conspirators would still need to be present at the hacked cash machine to retrieve the money? Harrow believes it’s so that the boss running the crime operation can call the shots.

“There is no honor among thieves, and these guys will delegate responsibility,” Harrow observed. “That way, you have the Mr. Big back at the hideout who’s sending the commands, and the mules are the ones at the ATMs. So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.” Continue reading →


9
Dec 14

More on Wiretapping ATM Skimmers

Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

Not long after that post went live, I heard from the folks at NCR, one of the world’s largest cash machine manufacturers. NCR had put out a bulletin on the emergence of this very threat in Sept. 2014, saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5887 models.

As I noted in my original story, the attackers use a plastic decal to cover up the hole, but NCR’s photos of one ATM compromised by this method offer a better look at what’s going on here. Take a look at the size of that hole:

A hole left by crooks who added "wiretapping" or "eavesdropping" theft devices to a compromised ATM.

A hole left by crooks who added “wiretapping” or “eavesdropping” theft devices to a compromised ATM. Image: NCR.

“In this attack, the ATM fascia is penetrated close to the card reader to create a hole large enough for the attacker to reach inside the ATM and place a tap directly onto the card reader in order to skim card data as it is read by the ATM,” NCR said in an advisory it produced on the increasingly common attacks.

According to NCR, the emergence of this type of skimming attack is a response to the widespread availability of third party anti-skimming technology which is successful at preventing the operation of a traditional skimmer, placed on the outside of the ATM.

“Card reader eavesdropping skimmers are placed in a location that third party anti-skimming technology necessarily cannot protect, since the ATM must be capable of reading the card,” the advisory notes. “This [technique] has previously been seen in Ireland and the Netherlands, and can be expected to grow as traditional skimming is prevented.”

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

If the idea of ATM bandits taking a blowtorch to the cash machine sounds extreme, at least they’re not trying to blow the ATM to smithereens. According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise. Continue reading →


26
Nov 14

Skimmer Innovation: ‘Wiretapping’ ATMs

Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries, financial institutions in two countries recently reported ATM attacks in which the card data was compromised internally by “wire-tapping” or “eavesdropping” on the customer transaction. The image below shows some criminal equipment used to perpetrate these eavesdropping attacks.

Equipment used by crooks to conduct "eavesdropping" or "wiretapping" attacks on ATMs.

Equipment used by crooks to conduct “eavesdropping” or “wiretapping” attacks on ATMs. Source: EAST.

“The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
[pictured, bottom right].

Pictured above are what appear to be wires that are fed into the machine with some custom-made rods. It looks like the data is collected by removing the decal, fishing out the wire attached to the ATM’s card reader, and connecting it to a handheld data storage device.

I sought clarification from EAST about how the device works. Most skimmers are card slot overlay devices that work by using a built-in component which reads the account data off of the magnetic stripe when the customer inserts the card. But Lachlan Gunn, EAST’s executive director, suggested that this device intercepts the card data from the legitimate card reader on the inside of the ATM. He described the wiretapping device this way:

“It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”

The last report in my ATM skimming series showcased some major innovations in so-called “insert skimmers,” card-skimming devices made to fix snugly and invisibly inside the throat of the card acceptance slot. EAST’s new report includes another, slightly more advanced, insert skimmer that’s being called an “insert transmitter skimmer.”

Like the one pictured below, an insert transmitter skimmer is made up of two steel plates and an internal battery that lasts approximately one to two weeks. “They do not store data, but transmit it directly to a receiving device — probably placed less than 1 meter from the ATM. Continue reading →


20
Oct 14

Spike in Malware Attacks on Aging ATMs

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR. To learn more about how these attacks are impacting banks and the ATM makers, I reached out to Owen Wild, NCR’s global marketing director, security compliance solutions.

Wild said ATM malware is here to stay and is on the rise.

ncrmalware

BK: I have to say that if I’m a thief, injecting malware to jackpot an ATM is pretty money. What do you make of reports that these ATM malware thieves in Malaysia were all knocking over NCR machines?

OW: The trend toward these new forms of software-based attacks is occurring industry-wide. It’s occurring on ATMs from every manufacturer, multiple model lines, and is not something that is endemic to NCR systems. In this particular situation for the [Malaysian] customer that was impacted, it happened to be an attack on a Persona series of NCR ATMs. These are older models. We introduced a new product line for new orders seven years ago, so the newest Persona is seven years old.

BK: How many of your customers are still using this older model?

OW: Probably about half the install base is still on Personas.

BK: Wow. So, what are some of the common trends or weaknesses that fraudsters are exploiting that let them plant malware on these machines? I read somewhere that the crooks were able to insert CDs and USB sticks in the ATMs to upload the malware, and they were able to do this by peeling off the top of the ATMs or by drilling into the facade in front of the ATM. CD-ROM and USB drive bays seem like extraordinarily insecure features to have available on any customer-accessible portions of an ATM.

OW: What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.

BK: Unattended….meaning they’re not inside of a bank or part of a structure, but stand-alone systems off by themselves.

OW: Correct.

BK: It seems like the other big factor with ATM-based malware is that so many of these cash machines are still running Windows XP, no?

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

OW: Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play. Continue reading →


21
Aug 14

Stealthy, Razor Thin ATM Insert Skimmers

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.

A side view of the stainless steel insert skimmer pulled from a European ATM.

“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”

Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):

The backside of the insert skimmer reveals a tiny battery and a small data storage device (far left).

The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.

insert-frontside

Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard. Continue reading →