Schneier on Security
A blog covering security and security technology.
« Cheating on Tests, by the Teachers |
| The Real Risk: Traffic Deaths »
June 22, 2010
Buying an ATM Skimmer
ATM skimmers -- or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data -- are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.
The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.
Generally, these custom-made devices are not cheap, and you won't find images of them plastered all over the Web.
EDITED TO ADD (6/23): Another post.
Posted on June 22, 2010 at 6:49 AM
• 44 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"...are little more than scams designed to separate clueless crooks from their ill-gotten gains."
Haha, you saved my day, almost poetic.
And parasites have smaller parasites and they have 'em smaller still.
Scamming skimmers--lovely alliteration.
It's the perfect crime. Who's going to report that they were taken?
I still really want to see detailed breakdowns of the electronics behind these. Some of them seem very miniaturised with exceptionally long battery life.
What components do they use? What processors? Can the code be pulled from the processors? What frequency do the links use? How do they pull the data from them?
That's it, next time I'll just have to check that the seller is registered with the BBB!
"What components do they use? What processors Can the code be pulled from the processors? What frequency do the links use? How do they pull the data from them"
First off there are two main parts,
1, The mag stripe reader
2, The pin grabber.
The second comes is two forms,
2.1, Micro CCTV either wirless or SD card.
2.2, Keypad overlay / replacment.
The mag strip reader (1) is quite simple to make with a "barber pole" "magneto resistive sensor or inductive "tape head". Both need a couple of opamps to amplifiy and clean up the signal.
The conditioned signal is fed into the analoge input of something lic a PIC microcontroler with real time clock. -ou can run this part off little more than hearing aid batteries.
The designs to do this are almost certainly up on the Internet for amongst other things electronic locks, time card readers or even head ends for digital tape recorders.
The code again has been around for well over a quater of a century as have the specs for the Mag stripes (see American Bankers Asc and ISO standards).
As for the camera two types are prevalent and you can by them as finished items from the likes of Swan Electronics in Australia for as little as 20USD on the internet.
Have a scan around for the MD80 micro camera if you want an SD card system or any of the micro 2.4GHz wireless cctv cameras.
Keypad overlays are way way more difficult but are happening because people are learning to put their hand / wallet over what they are typing.
Have a look at the Cambridge Labs UK web site as they have some pictures of examples used to overlay EPOS units to do a bit of "shimming".
@cybergibbons: trivially easy for any modern electronics/ embedded software people. Magnetic head, modern microcontroller, I could program you one up in about an hour...
Interesting that 99% of engineers could wreak havoc in society, but a very high proportion don't
"Interesting that 99% of engineers could wreak havoc in society, but a very high proportion don't"
But, supposedly a disproportionate number of terrorists are engineers.
Since hearing about skimmers several years ago I've taken to giving the readers a solid "tug" before I insert my card, on the theory that a skimmer faceplate would come off in my hand.
Just another one of the little things (like covering my hand while typing) I do for security.
I haven't found a skimmer yet, but I live in hope...
@Rajstennaj: Hope that you never actually find one--and if you do, get help immediately. As BK warns at the end of his article, the guy who mounted the skimmer is likely to be lurking nearby. Some newer skimmers send text messages, but most still just store data and must be physically retrieved for the data to be collected.
I attended an ISO17799 training class many years ago led by an ex US intelligence guru. He stated very clearly that no one should ever use Debit cards since it was so easy to compromise the readers (at ATM's or in a store) and that the banks do nothing to protect or reimburse the customers when fraud/theft occurs.
He advice was to use credit cards only, not because they are much more secure but because the banks stand behind them and reimburse when fraud/theft occurs.
Still seems like the best advice.
Your ex-intelligence guru is a little behind the times. That was true when debit cards first came out, but after it got covered in the news, most banks agreed to cover them like credit cards. If your bank doesn't, then find a new bank.
"... use credit cards only ..."
Is still good advice irespective of what your particular bank does on home territory.
What you have to watch out for is using them "away from home" you would be surprised at just how badly you get stung with a debit card firstly as the money is taken from your account immediatly. Secondly your bank for various reasons may take for ever to put the money back (I've known banks hold out untill actually walking through the court room door for a recesse).
The other advantage of credit and charge cards is that often they come with insurance for free so purchases that turn out not to for fill the implied contract (ie airline goes bust etc or goods payed for don't get delivered to spec) are usually covered.
What you have to be carefull of is the combined cardsz as often they default to whichever is most adventageous for the merchant or bank (think taking money out the bank can and has put it on the credit card section, and merchants generaly default to debit as they don't get hammered with charge back costs and all sorts of other nasties the customer gets it instead).
I think his point was that Credit Cards are covered as part of the agreement and by law. and that Debit cards are covered voluntarily.
Hey Bruce. Thanks for the link love. I published another piece last week that provides a pretty deep dive into a $7,000-$8,000 custom-made skimmer that sends the stolen credentials via text message using an onboard GSM module.
The bigger question is .. is it illegal to falsely advertise an illegal product. If someone admitted to be a victum of a misleading advertising to an illegal product could they be charged with conspiracy to commit a crime. Further more maybe we are all missing the boat maybe we should all get into the business of selling bogus equipment for illegal purposes therefore reducing the chance someone will actually get their hands on the real thing.
Or am I simply ranting.
but I carry a .40 caliber pistol with me at all times. If I happen to pop off an ATM skimmer, I shall hope and pray that the thief is waiting nearby.
Well I am an avid reader of Bruce's blog and also an executive in bank technology. While reading this article one one tab and doing some research on an unrelated banking topic, I see this post on the detailed counter measures taken against skimming:
That last guy was not me.
I don't carry a pistol, but I'm not defenseless either. Most people are vulnerable and - justifiably - shouldn't be expected to handle a confrontation.
This raises an interesting point. *Should* average people be tugging at card readers to verify security?
The answer "no, because the possibility of a confrontation" applies in virtually any civilian involvement with crime.
If I see a crime, should I report it? (No, because the possibility of a later confrontation.) Should I be a state's witness at trial? (No - for similar reasons.)
If taken to the extreme, our only defense against the bad guys is to do nothing and hope that law enforcement keeps their activity to a minimum.
This does not work in practice.
I'm not comfortable getting involved with a store robbery, but I know of people in my area who are (and have). I feel that it's my duty as a civilian to make it harder for the bad guys to operate - to the level at which I feel comfortable.
Should civilians be tugging at card readers? If this became a widespread practice, it would certainly make the bad guys' job harder.
I always tug on the card readers but have yet to notice a skimming device, I have always wanted to come accross one though. Where are these things most prevelant?
It's nice to see a Krebs article on here, really good blog.
I think the quote you are looking for is:
"big fleas have little fleas
upon their backs to bite them.
And little fleas have lesser fleas
and so, ad infinitum."
Clive has it right on this one -- at least for any debit card that carries a Visa or Mastercard logo. They're backed the same way any credit card is. I've heard conflicting reports that you may get better protections in fraudulent transactions where it's processed with signature rather than PIN, which doesn't make any sense to me (harder to fake the signature? seems unlikely.) so I always sign instead of use the PIN, but otherwise I use my debit card regularly without fear.
I've had both one credit card and one debit card compromised, and the bank's reactions were nearly identical: close the account, reverse the charges immediately, give me a new card in two days. I suppose if I was right at the edge on the debit or if the charges had triggered insufficient funds charges it might have been an issue getting through the day or two before charges reversed, but I could have lived on the credit card as backup during that time.
What's so interesting? This is common knowledge to people following online fraud. To add to the knowledge, here's some common prices for other things: $1000 for card writer; $25 per blank card (same price for CC numbers); $100 for full info cards; $300-500 for card track with PIN number; a whole bank account costs 15-20% of its contents, with those available averaging $30,000-$60,000 (yikes).
Most online thieves use Western Union or Liberty Dollars. Reputable cashers will cash out ATM cards for you and Western Union you 50% of the take. Using an ebay account and abandoned spots for receiving merchandise, I've estimated crooks can get started in online CC fraud for $200, a truck and initial shipping. From there, it pays for itself. As for ATM fraud, the most profitable setup needs ten blank cards, card writer and at least one usable tracks for a startup cost of up to $1,600. It's better to purchase multiple cards in case one doesn't work, adding $300-$500 to initial cost for each card. Bank account cashing requires one dumb ass responding to a Craigslist job offer and a reliable thug to show his face on camera receiving the stolen funds, probably taking a cut. Again, it pays better than most IT jobs even with little success and actually has lower risk than many jobs. Risk can be reduced to near zero if one is willing to murder their accomplices after a certain period of time... something many of these sociopaths will have no problem with.
To be clear, the purpose of this post isn't to get people into online crime. I'm just showing how easy, anonymous, low risk and profitable it is. So long as these remain true, new crooks will continue to show up and steal our money. It's just so cost-effective for them. Any good solution will require making the cost per target outrageously high and each transaction well-authenticated. This poses challenges for both privacy and infrastructure. In the mean time, we can all sleep soundly at night [with the help of our kind breweries].
"I always tug on the card readers but have yet to notice a skimming device, I have always wanted to come accross one though. "
You probably never will. There may be a lot of these things out there, but there are so many more ATMs that the odds of being at the right one are very small.
Consider the risk analysis the same way we would look at any other risk.
@Nick "Risk can be reduced to near zero if one is willing to murder their accomplices after a certain period of time..."
I don't know enough to debate your earlier points, but a string of murders is not low risk. Even criminals have people who will miss them, and report the fact that they are missing to the police. And while the police may ignore some crimes, I don't know of any that ignore murder.
Also I don't think there is a statute of limitations on murder so not only is there risk, but the risk will never end.
I wonder what the procedure is for renting an ATM skimmer. Do you have to fill out an application? Show them your driver''s license? Do they run a credit check?
Interesting though is that the pin is stored on the magnetic strip using a weak from of encryption.
It's a debatable point and most say it's high risk. I think if it's orchestrated properly it's low risk and one can look to organized crime for the answer. The use of disposable middlemen is common there. The middlemen only know enough and have enough association to make the cops look at the organization as suspect, but they can't prove anything. "It's not what you know but what you can prove."
Here's one potential low risk approach that would involve murder. You use a true "bottom feeder" thug that the cops would only work so hard for if he were murdered. Communication/transfers is done through anonymous prepaid phones, a "netbook" via open/cracked WiFi hotspots, and a bunch of dead drops, one with a drop box safe. The target is told no calls and minor details are changed at the last minute to reduce risk. The take might be $50k-$80k pulled out over two days in small (several K) amounts, but he will be told it will be $250k over a week. This means he's more likely to attempt a steal in the later days to maximize his take. Every day's drop location would be different, but on Day 2 the final meetup (post-drop) spot would be more isolated.
He would be killed and his cut/possessions left on him so one mustn't be in close proximity. The cops would have almost nothing to go on, especially as the computers and phones were bought by another intermediary in Mexico and shipped to a [now-]vacant house in the States. This scheme came right off the top of my head and can probably be refined more. I think with a similar, but refined, scheme a crook could get away with a string of murders so long as a prospective middleman didn't get suspicious. If it was done once every six months, most people would have forgotten the news and even that risk is low, but the crook still makes $160k+ per year before laundering costs with almost zero traceability (except perhaps the cash itself, but that's part of laundering).
Gangs in my city do less work covering things up, even publicly shooting people, and still survive police investigations more often than not. Investing significantly in reducing traceability can proportionally reduce the risk of getting caught for murder. The indirection does increase the risk of having the money stolen, but that risk is still acceptable and even profitable in most cases. Perverse, these criminal incentives.
@Nick P. at June 23 1:48 AM
Even carefully planned string of murders is risky, even in the countries having less funded and less high-tech police forces than the Top 3 Police States :-). One real-world recent example from Poland:
Three men are currently tried, charged with several murders committed over last five years - and some newspapers say there are more than 40 murder cases in total that are investigated in connection with them, but the evidence is not (yet) good enough to be admissible in court.
The three were neighbours living in a quiet countryside - one strawberry farmer, one worker of a local ammunition company and one unemployed guy. They have planned and carefully executed at least five cases of murder and robbery of the owners of small currency exchange businesses (there are still plenty of them in Poland). They observed the victims, their habits, driving patterns, if they carry their daily earnings by themselves (many such businesses do not hire armed security guards for this purpose, probably to cut costs) etc. If they saw some pattern, they hit.
They first shot to kill (to head or chest), from a short distance, without any warning, than took the victim's posessions - various currency in cash. They have modified the firearm's barrel and/or firing pin after each kill so the police had trouble connecting the killings by the markings on the bullets. They have also killed, or attempted to, any witnesses (at least one survived, so the police had some - if vague - descriptions of the attackers). They have carefully planned the times and places, choosing rainy or snowy days of early spring or late autumn, quiet residential neighbourhoods (often near victim's homes), and the escape routes.
Finally they were caught by a special group of investigators going over the backlog of old unresolved cases. The three are allegedly involved in killing several Ukrainian businessmen, clients of currency exchanges, several other murder cases, arson, bombing a car and blackmail of the owner of a local trash recycling and reprocessing business, etc. etc.
Otherwise, they were seen in their village as good neighbours, even if they seemed to be a bit more well-to-do than the average - but it's not so unusual as quite many people in the rural areas with large unemployment work illegally or half-legally.
@ JimFive "...fleas..."
Yeah that's the likely source. But the image I had was of an intestinal track...fleas in my gut? Yuck.
I wouldn't advice people to "tug" the opening of an ATM in Holland, the newer ATMs can detect this and will shut down/set of some alarm, thinking someone is messing with the ATM.
"Interesting though is that the pin is stored on the magnetic strip using a weak from of encryption."
Err not these days (or should not).
It goes back to the old "off line" ATM mode and the PIN was fixed (if I remember correctly basically the PIN was based on the last fews bits of the card number encrypted by a default key).
This gave rise to the first cloned card attacks and most banks etc stoped "off line" mode 20 to 30 years ago.
If your bank alows you to change your PIN then as far as I'm aware it is an online only use for the magstripe mode (chip mode is different and can still work in an off line mode).
@ Nick P,
"You use a true "bottom feeder thug that the cops would only work so hard for if he were murdered."
The death does not have to be murder in the eyes of the Police...
Use a junkie and give them slightly more adulterated than street level drugs as payment. After a very short while they get use to jacking up on the increased volume. Street level is often 1 part drug to nine parts something else such as baking powder / drain cleaner / rat poison or other "filler" (yes including wall paper past or fine plaster powder).
When you want to off them give them the pure drug. The result is another junkie has overdosed and nobody tries very hard after that provided the drugs in his system did not contain an obvious poison.
And no I did not think this up it has already been done in Europe a number of times...
Similar can be done with sex workers but the risk is higher (but has been done in places like Russia).
"...is it illegal to falsely advertise an illegal product..."
Selling a baggie full of oregano, and claiming it's pot, will get you charged with a drug crime. At least in some US states.
I like the simple design of this ATM card reader which claims to be skim proof. http://webwereld.nl/nieuws/63504/... (article in dutch but has a nice picture) I just cannot imagine how a skimmer could be attached. Anyone have any ideas?
Along a similar line, I saw some magnetic stripe card reader/writers for sale with helpful pictures of credit cards next to them.
I've been watching ATM skimmers since early this year with Google Alerts. Early on everything was news stories. I saw Eastern European gangs fanning out around the world, including the U.S. Now, 2/3 of the results from Google Alerts are from sales of ATM skimmers. Search for "ATM skimmers" on YouTube. Yikes! I guess Google's "Do no evil" doesn't extend to "Support no evil." Or maybe YouTube doesn't subscribe to the Google mantra. Shame on you Google for supporting criminal activity.
@ Peter A
Excellent description of some very professional work. The first problem is that you haven't given a link to verify the story. The second is that you didn't mention how they got caught. They were thorough, but their methodology was inherently very risky. The person following mine hardly exposes himself to anyone or anything in the process, while the group you mentioned were exposed to a great many witnesses, cameras, and victims, along with trust/performance risks between members. That's inherently very risky regardless of rigorous approach: just too many variables to consider and plenty of room for chance mistake. Who were they and how did they get caught? What of their sentencing?
Actually, that's a good idea. A requirement that comes to mind would be that the junky has a relatively stable mind and performance unless they suffer from withdrawls. A high quality, steady supply of drugs could be part of the compensation package, then the "accidental" overdose happens when getting rid of the junkie.
Your mention of sex workers jogged my memory of a recent (very awesome) movie: Taken. *spoiler alert* Although there's plenty of BS in it, the use of drugs to force women into prostitution is well-established in the real world. One girl in the movie dies from an overdose. In retrospect, knowing about your scheme makes me wonder if she accidentally overdosed, killed herself, or was "disposed of" by her handlers via an overdose. The movie leaves us to assume suicide, but if we were talking about a random addict there wouldn't be any reason to infer murder by overdose. It's scary how much potential that scheme has in the wrong hands. :(
@ Nick P. at June 24 9.08: PM
Who they were: look my previous post, start of 3rd paragaph.
As for sentencing: the case is in court still (for more than a year already). Potentially they can get sentenced to life in prison.
As for a link to the story: I couldn't find anything in English and haven't bothered to check if some online translator would make any sense of the web news articles. There was some TV news coverage about it lately and I have googled up more info about it on Polish news web sites and compiled my blog post from what I've found.
If you're still interested there are some news articles (in Polish):
The last one contains some info on how they were caught:
"We are checking unresolved cases starting from the beginning of the 90s" - said deputy appeals prosecutor of Kraków district, Marek Wełna. As he explained, the key was modus operandi: killings associated with robbery using specific weapon and connected to specific behavior of the perpetrators. [my translation]
Looks like the good old-fashioned police work. Later the article mentions using DNA checks to connect an old 1991 triple-murder and rape case to the chief of the gang, using some biological material collected 19 years ago.
We are taking strict action against such listings at tradekey.com and are de-listing them.
Thank you Bruce for highlighting the above concerns regarding the products you've mentioned.
TradeKey.com does its best to screen all products being posted in order to ensure their compliance with international laws. We regret that these products particular products were being promoted by sellers under false pretenses, however we've ensured that not only all existing products of this nature are removed, but also preventing any future postings of a similar nature at TradeKey.
TradeKey.com endeavors to hold all international regulations in the highest esteem and ensure that no products or content being posted on our portal is in any way of an unlawful or criminal nature. We appreciate that you've provided us with information regarding these products, and in fact welcome any such observations from our visitors & members to make TradeKey a better & reliable portal for online business.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.