The evolution of ATM skimmers
We are all used to the phrase “technical progress”. Already quite a few years ago, the change of generations of various devices and gadgets became as familiar as the change of seasons. And it doesn’t surprise anyone, for the most part. We are used to the metamorphoses of mobile phones, home televisions, computer monitors, now the watch and even glasses have pulled up. However, there is a small class of devices that many have heard of, they are afraid of, but few have seen live. It's about skimmers .
In Russia, ATMs are still not so common, despite 23 years of official capitalism. But even with us, skimmers have become a kind of urban horror story. And few people think that these devices using high-tech components also evolve over time. And therefore, of particular interest is the recently published material , which clearly shows the stages of "modernization" of skimmers, up to the latest modern developments of criminal craftsmen.
In essence, skimming is a way of stealing certain information necessary for a transaction from a bank account in order to steal money. Speaking simply, in order to withdraw money from your bank card account through an ATM, fraudsters need to find out your PIN code and read data from the magnetic strip. And for this, devices of various designs and operating principles are used - skimmers.
Skimmers are made to be as inconspicuous as possible for ATM users. Often they mimic under some element of the interface or external design. This greatly complicates not only the detection of skimmers, but also the capture of the attackers themselves. And over the past 12 years, skimmers have undergone serious metamorphoses. At least, judging by the samples that were discovered during this period.
In December 2002, CBS reported the discovery of an unprecedented device that could “record names, account numbers and other identification information from the magnetic strips of bank cards, with the possibility of subsequent downloading to a computer.” Personal computer!
At that time, even legalists believed that skimmers were fiction . When a scam prosecutor, Howard Weiss, himself became a victim of skimming, he was shocked that technology had reached that level.
Of course, a complete disregard for the facts did not last long. In 2003, customers who used an ATM in a New York deli lost a total of about $ 200,000 per day . Subsequently, a warning letter began to go online:
This year, the Naples police received a call about an unsuccessful attempt to place a skimmer:
This rather primitive device consisted of a reader that could be bought legally installed on top of an ATM card reader. And under the plastic visor above the monitor a small camera was installed.
The first generations of skimmers were rather primitive crafts. Below is one of the designs, which includes a battery, a USB flash drive and a miniUSB port.
This skimmer was discovered by one of the readers of the Consumerist website . Vigilant user became suspicious and pulled kartopriomnik into his hands fell out it .
Less than a month later , another skimmer was discovered that did not allow the ATM to correctly read cards and included a fake mirror in which the camera was built.
At that time, for scammers, the key to successful skimming was to find a way to get stolen information from a skimmer:
Early skimmer models sometimes made ATMs work incorrectly. But soon the attackers learned to successfully parasitize on them.
For many years skimmers used cameras to steal PIN codes. But it was not so easy to discreetly place them on an ATM. As a result, overhead keyboards appeared that recorded the sequence of keys pressed:
With the development of technology, it became easier for fraudsters to create compact devices . Outsourcing production services have developed and become cheaper. On the Internet, they began to sell whole sets of skimming, which could be painted on request in the right colors. Prices start at $ 1,500.
But this is just an entry-level set. Top devices went for $ 7000-8000:
Not all kits were so expensive. Many were ready-to-use modules that fraudsters installed on ATMs, and after a while collected data from them. The main drawback of these devices was the need to return for them to collect information.
Below is a skimmer with a wireless function that can transmit information through a cellular module. The skimmer itself is very compact, the collected data is transmitted in encrypted form.
Advanced skimmers like this made skimmer labor less dangerous, reducing the likelihood of being caught red-handed.
In the end, ATM manufacturers began to do something to counter skimming. Firstly, they began to introduce elements of transparent plastic, in particular, hemispherical card readers. But the attackers quickly adapted to this:
As you can see, you can notice the setup only by a small, invisible plastic plate. How many of you would pay attention to her? And soon, affordable 3D printing brought the quality of skimmers to a new level :
Home models of 3D printers were still unsuitable for these purposes, and parts were ordered externally at specialized companies. The above is one of those orders that the manufacturer cautiously refused to fulfill .
Detecting skimmers has become an increasingly difficult task. Below is an almost perfect device. The only drawback is the small hole on the right, through which the small camera took the PIN code typed on the keyboard.
In the end, the skimmers became so tiny that you won’t see them, even if you really try. According to the European ATM Security Team, in July 2012 skimmers as thin as a sheet of thin cardboard were discovered. They were placed inside the card reader, and it is impossible to notice them from the outside.
Now your cards can be scanned not only at ATMs, but also at mobile terminals. The video shows a device that even prints a fake check:
Now, any employee can connect the device brought with him, and at the end of the working day carry it away, filled with data from a large number of bank cards. The functionality of these terminals even allows you to simulate a connection error when the data has been successfully read. Included with them is supplied with software for decrypting information from cards, and all data can be downloaded via USB.
Last year, a number of skimming cases were recorded at the Murphy gas station network in Oklahoma , when a total of $ 400,000 was stolen. fraudsters used readers in combination with overhead keyboards: The
interesting thing about this story is that the skimmers were equipped with Bluetooth modules, and they received power directly from the ATMs themselves. In other words, their service life was practically unlimited, and a direct visit by fraudsters to collect data was not required.
While one “evolutionary branch” of skimmers came to miniaturization, the other followed the path of radical mimicry. The skimmer below is a huge overhead panel with a display. In the wild, this specimen was discovered in Brazil:
The device was made from parts of a disassembled laptop.
But this can be attributed rather to curiosities, or to the features of a hot Brazilian character. Still, compact skimmers are much more likely to go unnoticed. And just last week we found such a skimmer the thickness of a credit card:
The device requires very little time to install and dismantle at an ATM:
Fortunately, manufacturers also do not sit idly by, in particular, using the knowledge and experience of caught hackers to fight scammers. But they adapt quickly, so this situation resembles a shell and armor fight.
But what do we ordinary users do? How to avoid becoming a victim of scammers and save your hard-earned money? Is always. always cover your keyboard when entering a PIN code: in most cases, fraudsters use miniature cameras. And if you use a Chip-and-pin system card , then it is not so easy for attackers to read data from it.
And most importantly, if at least something worries you in the appearance of an ATM, it is better to use another. Try to use ATMs only in bank branches, this significantly reduces the risk. Well, try not to store a lot of money in a "card" account.