Danish ATM-Card Skimming

Criminals are breaking into stores and pretending to ransack them, as a cover for installing ATM skimming hardware, complete with a transmitter.

Note the last paragraph of the story -- it's in Danish, sorry -- where the company admits that this is the fourth attempt they know of criminals installing reader equipment inside ATM terminals for the purpose of skimming numbers and PINs.

Posted on March 9, 2006 at 1:40 PM • 17 Comments


RaindeerMarch 9, 2006 2:45 PM

This has been a problem in The Netherlands a couple of years ago. Putting new plastic slots on it, basically killed of the skimming. Heck, it was a CSI show. So a bank claiming it is only the fourth one, is not too smart.

1915bondMarch 9, 2006 2:52 PM

Considering the huge investment in data mining operations coming from Eastern Europe, I'd suspect much of the compromised accounts are from r00ted joes and janes who bill-pay and bank online.

KiritMarch 9, 2006 10:12 PM

The last paragraph says: "IT/Communications consultant Søren Winge from PBS tells us his company currently knows of four examples where criminals have attempted to install card reading hardware in ATMs to try to gain customer's card details."

dracMarch 9, 2006 10:54 PM

All these attacks on credit cards are because the current security standards are year out of date. Only a move to full smart card support will reduce the risk of fraud via technical hacks leaving the old faithfull social engineering

Erik NMarch 10, 2006 2:59 AM

I recall this is not the first such story in Denmark. Only that previously there were no transmitter. Instead the criminals would break in again later to steal the terminals to get the data.

I have no reference for this though (and anyway it would be in danish).

Erik NMarch 10, 2006 3:05 AM

Not in the news: The banks in Denmark issue chipcards as of more than a year ago, they still have the magnetic code also for backwards compatibility, and the new terminals also have magnetic code readers as well.

The mentioned attack attacks the magnetic code so this may push for faster enrolment of chip readers.

Dimitris AndrakakisMarch 10, 2006 3:52 AM

Criminals here (in Greece) have a simpler way of doing bussiness:

They install tiny cameras above or near the ATMs. The vast majority of the people don't cover the keypad when entering the PIN, so the criminals get to record it. The account balance is also recorded if requested.

The victim is robbed shortly after the ATM transaction, usually by a couple of men riding a motorcycle. With the ATM card in hand, the crinimals go right away to an ATM, make the largest withdrawal they can (for most banks its €900 to €1200) and dispose the card immediately after that.

AkosMarch 10, 2006 5:44 AM

In Hungary some fraudsters put a sticker onto the ATM with a nearby payphone number as the contact phone number for the bank, and made the ATM (half)swalow the card.
When the card didn't come back the victim called the number they believed to be the bank's and to identify themself they were asked the PIN.
Then they were told not to worry and that they can have the card back the next day in their bank.
After the victim had gone the fraudsters retrieved the card and used the PIN to withdraw as much money as they could.

Caught on tape!March 10, 2006 2:08 PM

I know you don't like video surveillance systems, but in this situation, a video surveillance system could catch the ATM-skimming-installation activity of the criminals.

The criminals could theoretically disable the surveillance system, but that's another addition to their breakin plan, and not necessarily an easy thing to do, and may provide a deterrent, influencing them to strike elsewhere.

nantucketMarch 14, 2006 4:49 PM

Remember money is a fictional abstract concept used as a base of exchange for goods and services.

The more fictional and abstract the money becomes, the less meaningful theft becomes.


Peter the PainterMarch 16, 2006 2:56 AM

I don't this would be worth doing in the UK as we now have C&P universally. Correct me if I am wrong.

Peter the PainterMarch 16, 2006 2:57 AM

I don't think this would be worth doing in the UK as we now have C&P universally. Correct me if I am wrong.

Dyslexia rules, KO.

KobusPJune 6, 2006 7:09 AM

Soon physical credit cards will be something of the past, have a look at www.unetan.com

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.