ATM skimmers are electronic devices designed to read financial card information, and they are usually paired with a camera to capture a user’s PIN. These devices always have to hide their presence, and their design has been a bit of an arms race. Skimmers designed to be inserted into a card slot like a parasite have been around for several years, but [Brian Krebs] shows pictures of recently captured skimmer hardware only a fraction of a millimeter thick. And that’s including the battery.
The goal of these skimmers is to read and log a card’s magnetic strip data. All by itself, that data is not enough to do anything dastardly. That’s why the hardware is complemented by a separate device that captures a user’s PIN as they type it in, and this is usually accomplished with a camera. These are also getting smaller and thinner, which makes them easier to conceal. With a copy of the card’s magnetic strip data and the owner’s PIN, criminals have all they need to create a cloned card that can be used to make withdrawals. (They don’t this so themselves, of course. They coerce or dupe third parties into doing it for them.)
Retrieving data from such skimmers has also led to some cleverness on the part of the criminals. Insertable readers designed to establish a connection to the skimmer and download data is how that gets done. By the way, retrieving data from an installed skimmer is also something criminals don’t do themselves, so that data is encrypted. After all, it just wouldn’t do to have an intermediary getting ideas about using that data for their own purposes.
Countermeasures include ATM manufacturers taking advantage of small cameras themselves, and using image recognition to watch the internals of the card area for anything that seems out of place. Another is to alter the internal design and structure of the card slot, preventing insert skimmers from locating and locking into place (at least until they get redesigned to compensate.) Amusingly, efforts to change the design of an ATM’s key components in unexpected ways to prevent criminals from attaching their own hardware led our own Tom Nardi to discover a skimmer, only to find out it wasn’t a skimmer.
So with skimming hardware getting smaller and harder to detect, what’s one to do? [Brian] points out that no matter how cleverly the hardware is hidden, covering the keypad with your hand as you enter your PIN will defeat a critical component of a skimming operation: capturing your PIN. Sadly, after reviewing many hours of video from captured skimmer hardware, [Brian] says that’s apparently a precaution virtually no one takes.