Hidden Credit Card Skimmers

New credit card skimmers are hidden inside the card readers, making them impossible to spot.

EDITED TO ADD (3/11): Brian Krebs on this from over a year ago.

Posted on March 10, 2016 at 8:26 AM • 20 Comments

Comments

Bytopia • March 10, 2016 10:11 AM

Where I live it is near impossible to tell if the reader has been `spiked' anyway. Each bloody ATM card port has different plastic shit on it. Hard to tell if it's supposed to be there or it's a skimmer.

keiner • March 10, 2016 10:30 AM

Chip or magnet strip?

"the advice remains the same: Don’t use any card machine that looks suspicious, and report unusual activity on your account to the bank as soon as you can."

...or pay cash, get happy...

Bill • March 10, 2016 11:31 AM

What I don't understand is why bank owned ATMs still suck your card in to the reader and hold it until the session is complete. It would seem that the swipe readers like gas station or third party ATMs use would be much better since you could return the card to your pocket/wallet/purse immediately after it is read and before you continue with the transaction.

Not that this would prevent skimming, but it never made sense to me.

JeffP • March 10, 2016 11:55 AM

@Bill It used to be that if you failed to enter the correct PIN, the ATM kept the card. Once, I had to go to my bank a few days later to recover my card after the ATM kept it. It was supposed to prevent someone from stealing the card and trying to guess the PIN.

gianluca • March 10, 2016 11:55 AM

What about leveraging that tiny chip and using some asymmetric secret exchange instead of the naive 'here is my card number' protocol? Skimmers would not be able to read the secret.

Scott • March 10, 2016 12:40 PM

@Bill, I read that ATMs with swipers, or that return the card early, had a problem with people walking away before the ATM "logged them out", either by timeout or the user pressing a 'done' button.

Bob Johnson • March 10, 2016 12:47 PM

Yeah, it's ridiculous that ATM machines don't use the chip. They are one of the most appropriate places for the chip, which seems essentially worthless because most retail places don't even utilize the chip. A person could then have the option of only allowing withdrawals with chip-based transactions, and if they were traveling overseas or needed to use a non-chip-based machine they could call the bank and ask for regular swipe-based use to be turned on temporarily while they use the ATM.

David • March 10, 2016 2:58 PM

So these devices that are *inside* the ATM are either getting there pre-delivery, by the service folks, or on the spot. Where is the OPSEC while the ATMs are in play? Why aren't these banks regularly monitoring the ATM's surroundings? Obviously this won't solve all the problems, but I'd imagine it's pretty difficult to get an *internal* skimmer in place after the ATM's been deployed. Of course, that's only if someone is actually _watching_.

GrowingUpUnderSurveillance • March 10, 2016 4:13 PM

Time to bring out the fake cards with fake information and see what happens.

Jonathan Wilson • March 10, 2016 4:58 PM

Here in Australia several banks have introduced or are introducing new systems. The Commonwealth Bank is introducing a cardless system whereby you use the app on your phone as a way to withdraw funds (you go to the app and make the cardless request then you get a number displayed in the app and another number sent to you via SMS, then you go to the ATM and input both numbers and get cash).

Other banks are doing similar things.

No need to worry about card skimming with these systems (the risk of card skimming is also lower by using EFTPOS and EFTPOS Cash Out rather than ATMs)

Anura • March 10, 2016 5:03 PM

@Bill

With the Chase ATMs around here, you slide in the card and pull it out immediately.

@Scott

I went to an ATM once many years ago, and the lady in front of me left the card in the slot. I pressed one button to say no more transactions, and it ejected the card. I yelled her down before she could get in her car and drive off, but had it been a malicious citizen they could have easily taken it and started making purchases.

With the Chase ATMs I mentioned above, transactions are cancelled after inactivity, and you have to enter a PIN for every transaction, so I think it's a bit better than the old system.

blake • March 11, 2016 6:28 AM

@Jonathan Wilson
> No need to worry about card skimming with these systems

Now the system is as secure as your phone!

Who? • March 11, 2016 12:17 PM

@GrowingUpUnderSurveillance

> Time to bring out the fake cards with fake information and see what happens.

I must confess it happened to me. The card is automatically retained by the ATM, which shows a message asking the owner of the card to talk to the people at the bank. ;-)

A few years ago my old ATM card was withdrawn and replaced by a new one. Instead of destroying the old card I chose to be "ecological" and reprogrammed it to allow access to my Sun Blade 2000 with chipcard reader. All fine, for a few months. Until one Monday I was in need of some money and put the wrong card in the ATM reader. I had no chance to even type a PIN.

I understand the IT people at the bank must be looking at the card yet...

Marcos El Malo • March 12, 2016 6:23 PM

@Anura
Way back when I was a majorly shitty excuse for a human being (but trying to improve) something similar happened to me. However, I hit the fast cash button and it spit $40 bucks out. Yay, free money. Then it occurred to me that there was a surveillance camera and the people at this bank knew me. I wish I could say it was purely out of the goodness of my heart, but it was fear of getting caught that compelled me to march into the bank, hand over the cash and card, and explain that I accidentally hit the fast cash button.

While I can laugh it off as being due to my wild and misspent youth, I still feel slightly ashamed about it. I hope that's a good sign that I'm a slightly less shitty excuse for a human being. The truth is, I did worse, although I've never killed anyone (yet). I still think like a criminal, but I confine the acting like a criminal to my writing.

I also know criminals get caught because they think they are smarter than they really are. And I'm fairly certain that holds true for me as well.

Marcos El Malo • March 12, 2016 6:25 PM

@Bill
After being away for a while, I was surprised to see my bank's ATM spit out my card immediately after insertion. For a brief moment I thought something was wrong with my card.

Having left my card in an ATM while traveling, I rather like this idea.

FOK • March 16, 2016 3:07 AM

I am wondering why we are still reading such stories? It is time to change your bank, probably. Or maybe start asking your bank about ATMs and POS terminals accepting chip cards.
Where I live, all major banks finished the transition of their ATMs to accept chip cards 10 years ago. My debit card has had a chip on it for more than 4 years without my specifically asking for it. So if it is correctly implemented, then it is virtually impossible to fall for skimming here.
The only problem I see is that they still contain a magnetic strip. So any skimmer can read it and take out cash from an ATM where the chip is not required. The solution for this is to kill the magnetic stripe with a permanent magnet. I tried it and it still worked in my ATM, so I had a virtually unskimmable card :-).


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.