Crafty devices designed to steal your credit card information when you use cash machines are getting increasingly compact and difficult to spot, according to reports, with the latest “razor thin” models able to slip totally out of sight inside the card slot.
These “skimmers” have been a growing problem for several years, but new pictures leaked by an unnamed bank show that hackers are becoming ever more sophisticated and their machines are now virtually impossible to detect. They are often attached to the outside of cash machines, disguised to look like part of the facade, but new models hide within the machines themselves.
The images show a device which is still being investigated by a bank operating cash machines in southern Europe, says security expert Brian Krebs on his blog, where the images were first published. The device was found by an employee after the cash machine detected possible tampering and set off its “fatal error” alarm to summon help.
“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee told Krebs.
Once fitted to a cash machine, such devices can read the magnetic code embedded in the black strip on the back of your bank card, while still allowing the machine to function as normal so as not to raise suspicion.
A tiny camera fitted elsewhere on the cash machine also records your PIN by watching you type it in to the keypad. Alternatively, thin overlays which sit above, and mimic, the keypad can also be used – again, these allow the machine to be used as normal, but transparently record PINs.
To protect against this type of attack it is wise to cover your PIN entry with your other hand, blocking the view of the buttons from any camera that may be hidden above.
These two pieces of information (the magnetic data and the PIN) can together be used to create a cloned card, which is then used to extract money at another cash machine at a later date.
There have been instances where the skimmer hardware used wireless transmission to beam that data back to a hidden criminal, thereby minimising the risk of capture. Some have even been built with a mobile phone inside, so they can SMS details to a thief remotely. But much of the hardware requires a criminal to install the device, wait for users to fall victim to it, and then retrieve it.
These devices are often fitted to the outside of the card slot on cash machines, and disguised as part of the machine. This makes them possible to spot for those who know what they are looking for. However, a new breed of skimmer is now being fitted entirely within the card slot itself, making it almost impossible to detect – even for those aware of the problem.
Banks have begun using data mining techniques to track down the perpetrators of card skimming operations. By looking at large collections of users who have reported theft, banks can analyse their records for common activity – for example, having all used the same cash machine on the same day, or visited the same shop.
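The analysis described above can be sketched as follows. This is an added example, not code from any bank or from the original article; the record layout, the card and terminal names, and the `min_victims` and `min_lift` thresholds are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

D1, D2 = date(2024, 3, 4), date(2024, 3, 5)
# Constructed sample records: (card_id, terminal_id, day of use).
TRANSACTIONS = (
    [(c, "ATM-A", D1) for c in ("card01", "card02", "card03", "card05")]
    + [(c, "ATM-A", D2) for c in ("card06", "card07")]
    + [(c, "ATM-B", D1) for c in ("card04", "card07", "card08")]
    # A busy shop that every card visited, victims and non-victims alike.
    + [(f"card{i:02d}", "SHOP-1", D1) for i in range(1, 11)]
)
REPORTED = {"card01", "card02", "card03", "card04"}  # cards with reported theft


def common_points(transactions, reported, min_victims=3, min_lift=1.5):
    """Rank (terminal, day) pairs that fraud-reporting cards have in common.

    lift = share of victims among the cards seen at that terminal on that day,
    divided by the share of victims among all cards. A lift near 1.0 means the
    place is merely popular; a high lift means victims are over-represented.
    """
    seen = defaultdict(set)  # (terminal, day) -> distinct cards used there
    for card, terminal, day in transactions:
        seen[(terminal, day)].add(card)
    all_cards = set().union(*seen.values()) if seen else set()
    victims_total = all_cards & set(reported)
    if not victims_total:
        return []  # nothing reported, so no baseline to compare against
    baseline = len(victims_total) / len(all_cards)
    hits = []
    for (terminal, day), cards in seen.items():
        victims = cards & victims_total
        lift = (len(victims) / len(cards)) / baseline
        if len(victims) >= min_victims and lift >= min_lift:
            hits.append((terminal, day, len(victims), len(cards), lift))
    # Most victims first, then highest lift; terminal and day break ties.
    return sorted(hits, key=lambda h: (-h[2], -h[4], h[0], h[1]))


if __name__ == "__main__":
    for terminal, day, victims, cards, lift in common_points(TRANSACTIONS, REPORTED):
        print(f"{terminal} {day}: {victims}/{cards} cards reported theft, lift {lift:.2f}")
```

Comparing against the baseline is what keeps the busy shop, which all four victims also visited, from being flagged alongside the cash machine.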
The non-profit European ATM Security Team’s latest fraud report suggested that card skimming was widespread across Europe, with devices typically being left in place for four to five days at a time.
There were also reports from four countries of cash machines being infected with malware by hackers to perform “jackpot” attacks where the machine is tricked into dispensing large amounts of cash.