“Grab hold and give it a wiggle” – ATM card skimming is still a thing

It’s been a while since we’ve written about card skimmers, which used to play a big part in global cybercrime.

These days, many if not most cyber-breach and cybercrime stories revolve around ransomware, the darkweb and the cloud, or some unholy combination of the three.

In ransomware attacks, the criminals don’t actually need to approach the scene of the crime in person, and their payoffs are extracted online, typically using pseudoanonymous technologies such as the darkweb and cryptocoins.

And in some cloud-based cybercrimes, notably those generally referred to as supply-chain attacks, the criminals don’t even need to access your network at all.

If they can find a third party to whom you regularly upload precious data, or from whom you routinely download trusted software, then they can go after that third party instead, and do the damage there.

In recent cyberextortion attacks, dozens of major brand names have been blackmailed over stolen employee and customer data, even though that data was stolen indirectly.

In the MOVEit attacks, for instance, the data was stolen from service providers such as payroll processing companies, who had used buggy file transfer software to accept supposedly-secure uploads from their own customers.

Unbeknownst to both the companies that ultimately got blackmailed and to the payroll processing services they used, the MOVEIt file transfer software allowed crooks to perform unauthorised downloads of stored data as well.

In-your-face cybercrime

Credit card skimming, in contrast, is a much more in-your-face crime, both for its perpetrators and their victims.

Card skimmers aim at leeching the private information that’s critical to your bank card, at the very moment that you use the card.

Notoriously, card skimmers don’t just go after data stored on the card itself but also after the PIN that serves as your second factor of authentication.

Whether your card has an easily-cloned magnetic strip, or a secure chip that’s can’t be cloned, or both, your PIN is never stored on or in the actual card.

Skimming criminals therefore typically use miniature hidden cameras to snoop out your PIN live as you type it in.

Ironically, perhaps, bank cash machines, better known as ATMs, make a perfect location for card skimming equipment.

ATMs almost always grab onto your card mechanically and draw it right into the machine, out of sight and reach.

(Apparently, that’s for two main reasons: firstly because that process tends to slice off any rogue wires soldered onto the card that might connect it to the outside world while it’s in use, and secondly because it allows the bank to confiscate the card if it thinks that it might have been stolen.)

In other words, adding a fake magstripe reader to an ATM is generally more effective than doing the same thing on any tap-to-pay or chip-and-PIN terminal, where the full magstripe never passes into or over the reader.

Also, ATMs always ask for your PIN, and often have plenty of convenient surface features where a tiny camera can be hidden in plain sight.

When security precautions have the opposite effect

In another irony, well-lit bank lobbies that aim to provide reassuring surroundings are sometimes a better place for card skimmers than dimly-lit ATMs on side-streets.

In one case that we recall, the ATM lobby in an downtown building that served mulitple banks had been fitted with an after-hours “security” door to make customers feel safer.

The door was meant to prevent just anyone from hanging out amongst the ATMs all night long, because would-be ATM users had to swipe a bank card of some sort at the entrance to get initial access.

Rather than improving security, however, this made matters worse, because the crooks simply fitted a hidden card reader to the door itself, thus leeching the data from cards of all banks before any customers reached the actual ATMs.

Furthermore, the crooks were able to use a hidden camera in the lobby, rather than glued onto any specific ATM, to watch out for users’ PINs.

Like the abovementioned MOVEit attacks, where companies had their trophy data stolen without their own computers being accessed at all, these crooks recovered ATM card data and matching PINs for multiple different banks without physically touching a single ATM.

In another case we know of, the crooks secretly filmed PINs at an ATM on a bank’s own premises by placing their surveillance camera not on the ATM itself, which staff were trained to check regularly, but at the bottom of a corporate brochure holder on the wall alongside the cash machine.

Staff, it seemed, inadvertently assisted the criminals by dutifully refilling the brochure holder every time it ran low on marketing material, providing literal cover for the hidden compartment at the bottom where the spy camera hardware was tucked away.

Skimmers still in business

Well, ATM skimming is still very much a cybercrime-in-progress, as reported over the weekend by the Brisbane police in Queensland, Australia, where three men were arrested recently for a range of skimming-related offences.

The bust seems to have gone down something like this:

• 2023-07-31: Skimming devices found in an intercepted postal package. It looks as though the package was addressed to a non-existent person, presumably giving the residents at the delivery address plausible deniability if they were raided when the parcel arrived.
• 2023-08-02: Compromised ATM reported to police by a local bank. As mentioned above, financial insitutions regularly sweep their cash machines for signs of tampering or stuck-on parts. Skimming devices are typically made to order, typically 3D-moulded out of plastic to fit closely over specific models of ATM, and adorned with any words, symbols or brand marks needed to match the ATM they’re going to be attached to.
• 2023-08-03: Cybercrime detectives on watch noticed two men approaching the compromised ATM. We’re assuming that the bank deliberately took the compromised ATM out of service, thus not only preventing customers from actively being skimmed, but also suggesting to the crooks that if they wanted to retrieve the skimmer, they should act quickly before the ATM was visited for “repair” and the device found and confiscated.

After a short but swift foot-chase through Brisbane’s popular Queen Street Mall, the fleeing suspects were apprehended and arrested.

With a search warrant now in hand for the delivery address on the intercepted package, the cops paid a visit and allege that they found “two pin-hole cameras and several fraudulent identification items, including bank cards, and images of a licence and passport.”

The cameras, say the police, were hidden inside bank-branded ATM parts.

Also, according to the cops, one of the fake IDs recovered in the raid just happened to match the name on the intercepted package containing skimming devices.

That’s when the third suspect was arrested.

What to do?

To get an idea of what to look out for on suspicious ATMs, why not watch selected video footage from the bust, as posted by the Queensland Police?

The skimming hardware components appear at the end, after some bodycam footage of the suspects getting overhauled and nabbed in the foot-chase, complete with the sound of handcuffs clicking shut:

The police didn’t put any known objects in with the skimming panels for a sense of scale, but we’re guessing that the blue plastic panels you will see, inside one of which is hidden what looks like an off-the-shelf embedded system-on-chip motherboard, are designed to sit alongside the slot into which you insert your ATM card.

We’re guessing that the two-tone blue matches the bank’s own colour scheme, with the yellow arrow pointing at the card slot.

As mentioned above, skimming devices are often made to order to match the current branding of the bank and the ATMs that the crooks are targeting, thus making them harder to spot than some of the the generic, beige-coloured panels that we’ve seen in the past, like this one from a Queensland Police bust back in 2012:

Or advice is:

• Don’t be shy to inspect ATM hardware and your surroundings closely. Put your eyes right up to the surface if you’re not certain whether any particular part really belongs.
• Always cover the keypad fully when entering your PIN. Do this even when you’re inside a bank and there’s apparently no one else around.
• Grab hold and give it a wiggle if you’re not sure. Look out for parts that don’t quite fit properly, that don’t match the original design, or that are apparently not part of the original ATM’s construction.
• If you see something, say something. Don’t enter your PIN. Recover your card, walk away quietly, and contact your local police or call the bank concerned. Use a number from your card or a previous statement, or at worst a contact number shown on the ATM’s own screen. Don’t call any numbers attached to or displayed next to the ATM, because the crooks could have put them there themselves.

As always, look before you leap..