Serial Number Killers

By | November 22, 2011

image

I’ve been mulling the issue of registering and activating software of late, and while I feel users generally are less averse to the process of having to enter a serial number or activating a program before they can use it than before, I think there’s still a lot of frustration out there.

And I know from clients that it’s a balancing act between upsetting users and not encouraging those who seem unable or unwilling to pay to have a free ride.

It seems to me to boil down to this: Users who have paid for software expect to be able to use it out of the box. It would be like taking a bread maker home and having to call the manufacturer before you can start making bread.

What’s more, customers shouldn’t have to cope with silly technical problems that aren’t their fault. The example above is from my efforts to test Adobe’s latest version of Acrobat. The initial installation failed, and now it’s blocking the legitimate serial number it previously accepted—on the same machine. I still haven’t found a way around this problem, so my ardour for things Adobe has diminished a little.

The problem is that it’s fixable. I can yell at Adobe and hopefully I’ll get another serial number. But that’s not going to happen now—when I need it. It’s going to happen in 24, 48, 72 hours’ time. By which time I may feel like a mug for buying the software in the first place.

Here’s a possible solution: An automated temporary serial number that will work until a proper serial number can be available. This could be delivered online—say, a bot on IM, where you enter the serial number that’s not working and get issued a temporary one that does. Or a product could come with two serial numbers, one a permanent one and one a backup one.

Once customer service comes online and fixes the problem, the emergency serial number can be deactivated. As it lasts only for, say, 48 hours it would be relatively worthless to pirates. It will also push software companies to ensure they get back to frustrated customers within the allotted time or risk further wrath.
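A sketch of how the emergency serial described above could work, added here as an illustration and not taken from any vendor's actual activation system. It assumes the check runs on the vendor's activation server, so the signing key never ships with the product; the key, function names and sample serial are all constructed.

```python
import base64
import hashlib
import hmac
import struct

TTL_SECONDS = 48 * 3600  # the 48-hour lifetime suggested in the post
VENDOR_KEY = b"constructed-demo-key"  # assumption: held on the vendor's server only


def _tag(serial: str, expires: int) -> bytes:
    # Bind the tag to the customer's own serial and to the expiry time, so the
    # code cannot be reused with another serial or have its life extended.
    msg = serial.encode() + b"|" + struct.pack(">Q", expires)
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()[:10]


def issue_emergency_serial(serial: str, now: int) -> str:
    """Support bot: issue a temporary code for a serial that fails to activate."""
    expires = now + TTL_SECONDS
    raw = struct.pack(">Q", expires) + _tag(serial, expires)
    return base64.b32encode(raw).decode().rstrip("=")


def check_emergency_serial(code: str, serial: str, now: int, revoked: set) -> str:
    """Return 'ok', 'malformed', 'forged', 'revoked' or 'expired'."""
    try:
        raw = base64.b32decode(code + "=" * (-len(code) % 8))
        expires = struct.unpack(">Q", raw[:8])[0]
    except (ValueError, struct.error):
        return "malformed"
    # Constant-time comparison; an edited expiry or a different serial fails here.
    if not hmac.compare_digest(raw[8:], _tag(serial, expires)):
        return "forged"
    if code in revoked:  # customer service fixed the real serial and deactivated this one
        return "revoked"
    if now >= expires:  # past 48 hours the code is worthless, to pirates as well
        return "expired"
    return "ok"


if __name__ == "__main__":
    serial = "0000-1111-2222-CONSTRUCTED"  # constructed sample, not a real serial
    t0 = 1_321_920_000
    code = issue_emergency_serial(serial, t0)
    print(code, check_emergency_serial(code, serial, t0 + 3600, set()))
    print(check_emergency_serial(code, serial, t0 + TTL_SECONDS, set()))
```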

Either way, software manufacturers have got to make it easy for users to get around the limitations, and frailties, of the registration and activation process. Users should never be left in the lurch for even an hour if they’re a legitimate customer. It’s up to the software companies to address this issue. Perhaps something like this already exists, but if not I think an emergency serial number might be an answer.

How to Set Vacation Email Messages

By | October 15, 2008

I’ve written elsewhere of the hazard of setting a blanket auto-respond email message in Microsoft Outlook. Many programs and services have ways for you to tweak these settings so that only your contacts—those people in your address book—receive these messages. (This does not remove the chance of revealing to bad guys information you don’t want them to have, but it does significantly reduce it):

Gmail

In Gmail, go to Settings and then scroll down to Vacation responder.

Make sure you check the button at the bottom of the window: Only send a response to people in my contacts.

Hotmail

In Hotmail, you’ll find the same option in Options/Vacation reply.

Microsoft Outlook 2007

Outlook has something similar, so long as your account is on the Microsoft Exchange Server (usually meaning you’re on your office network). There you can also select whether the auto-replies go to people outside or inside your organisation, etc.

Mozilla Thunderbird

There’s no in-built way to do it. Here’s a workaround, explained in more detail here, but it’s not pretty, and it depends on your computer remaining on and connected.

(My thanks to Brett Roberts of Microsoft New Zealand for suggestions.)

Watch Out For the Big Skim

By | October 14, 2008

By Jeremy Wagstaff

For those of you nervous about doing your banking online, here are some comforting words: It may be just as dangerous to do it at an ATM machine.

That’s because scammers have figured out how to steal your account details and PIN number straight from the machine. And they’ve been doing it for a while. And they’re getting better at it: Think of it as an industry with its own standards, supply chain and, well, ethics.

Here’s, roughly, how it works. A scammer walks up to an ATM machine. He chooses one in a place that’s not too busy, where there aren’t too many surveillance cameras, and where there are lots of tourists or rich people. He reaches into a plastic shopping bag and pulls out what looks like the card slot of an ordinary ATM machine—the bit on the panel where you slide in your ATM card.

Actually, it is the slot of an ATM machine, only it’s got an extra card reader built in. He sticks this over the top of the existing slot; it fits so well that unless you look carefully you won’t see anything odd. The only thing is that now the magnetic strip on your card would be read twice as it goes in—once by the bad guy’s reader and once by the bank’s machine.

The other part is the PIN reader. This can be done in a couple of ways: either by laying an extra key pad over the existing one, in much the same way he’s laid an extra card reader over the legitimate one. This will just capture your PIN number as you key it in.

Another way is to hide a little camera somewhere near the screen to record you tapping in your PIN number. This could be hidden in a fake speaker—which is where an alert customer found one in Pennsylvania last year—or a leaflet holder, or over the customer’s head.

(If you’re interested, you can watch some alleged bad guys installing this gear in less than a minute here: http://is.gd/41XO.)

All this information is stored on a flash card or something inside the fake keypad or card slot. Now the scammer has all the information necessary to make a fake card, program it with your account, waltz up to an ATM machine and enter your PIN number.

(Oh, and before you ask, you can buy a machine that makes a credit or ATM card, complete with magnetic strip, online for a few hundred dollars. Legitimately.)

This may be news to you, but it’s certainly not new. ATM skimming, as it’s called, has been on the go for quite a few years—since at least 2004, but probably earlier. And it’s big business: Turkish police last month (Sept) arrested a man who, they said, had sold skimming devices to 10 countries including in North America and Europe. The police footage of his house—which has a swimming pool, by the way—includes boxes of ATM slot covers, keypads, and what looks like either a sun-bed or an ATM card maker. (You can watch the raid here: http://is.gd/41Xz.)

He also ran an online network which had details of at least 15,000 credit cards. Members bought gear, swapped stories, sold and bought credit card numbers, bitched about the neighbors and the FBI. The web-site was shut down earlier this month, but there’s bound to be another one up soon.

Now you may think that your visit to an ATM should be safer than this. OK, you might say, I can understand that my bank can’t be sending folk around to my house to check my computer is free of viruses, trojans and key-loggers, but surely they can have someone go around and periodically check that their ATM machines don’t have dodgy bits stuck on them, like extra card readers or keypads?

And if that’s too tricky, how about looking out for the more obvious stuff like speakers and brochure holders that weren’t part of the original design? Surely if a customer can spot these things, an employee should be able to? If you thought that, I think you’d be thinking straight.

The thing is that banks do seem to be getting smarter. The problem for bad guys is that until recently they would have to go back to the ATM machine to pick up their gear and download the data. This is the risky bit, because the banks are beginning to wise up, may have figured out something is amiss and may be waiting for them.

So now they’re getting smarter. (The bad guys, not the banks.) They are putting cellphones or wireless chips inside the card slots or keypads or speakers or brochure holders to transmit the data back to Starbucks or wherever they’re waiting.

Now they don’t need to pick up their gear. Skimmers, as these people are called, can now buy a complete device which would transmit more than 1,800 cards via short message service before needing a re-charge. The whole kaboosh for $8,000. Or they could dial into the device when they like and download the data. By then they’ve probably got enough ATM data to buy their own bank.

In other words, you’ve got to feel slightly sorry for the banks. This is sophisticated stuff. And it’s getting more so; according to some security consultants, there are indications that the slot covers that these guys use so closely match the ATM machines in color, material and dimensions that they may well be made by the same manufacturer. As the blurb to one skimmer’s brochure put it:

Thus, we achieved the full and precise compliance of the paint’s tone, gleam, hue at the different light angles, the paint’s surface feelings to the touch etc. In the real situations the skimmers really look like an integral part of ATM.

The scammers are clearly getting smarter—either by being in cahoots with the employees of the companies that make these machines, or else by studying the material very carefully.

Either way, it looks like the banks are woefully out-gunned. They’re trying a few things—one is ‘jitter’, which moves the card around while it’s being read, confusing a scammer’s reader—but this means replacing all the old ATM machines. I can’t see that happening any time soon.

Bottom line? This may not happen everywhere, and it may not happen very often. But it makes sense to use ATM machines that are in your bank (i.e. not in a mall or the middle of a red light district), that you’re familiar with, and that you’ve thoroughly inspected for oddities—from extra card readers to brochure holders with little cameras coming out of them.

©2008 Loose Wire. All rights reserved.
Jeremy Wagstaff is a commentator on technology. He can be found online at loosewireblog.com or via email at jeremy@loose-wire.com.

The Financial Crisis in Charts

By | November 22, 2011

Thought I’d offer a brief history of the financial crisis as seen through Google Insights, which measures the popularity of a search term over time.

image

Interest in the word subprime spiked a couple of times in 2007 (above) before we figured out it was all about toxic debts (below):

image

and credit crunches:

image

Then we realised suddenly we had to learn a bit more about Freddie Mac and Fannie Mae:

image

and even basic terms like liquidity:

image

Useful information. And it wasn’t just an economics lesson. We had to gen up on countries that we had recently given little attention to, like Iceland:

image

Although it’s worth keeping it all in perspective. Search for the word meltdown, a commonly used term to capture the excitement of the past few weeks, and you get this. Clearly rising interest, but that spike in 2005? It’s linked to Ice Age: The Meltdown, which grossed $70 million at the box office in its debut week:

image

Hollywood still trumps global financial disaster, I guess.