Join 3,424 readers in helping fund MetaFilter (Hide)


ATM card skimmer removed and examined
April 8, 2009 2:48 AM   Subscribe

In the Netherlands somebody has removed an ATM card skimmer and examined it in detail. This site is in Dutch only, but appears to show high resolution photos of an ATM card skimmer with integrated PIN-capturing video camera.
posted by thewalrus (55 comments total) 11 users marked this as a favorite

 
dat wordt gebruikt door criminelen om bankpasgegevens en pincode te kopieren van argeloze reizigers met de bedoeling om bankrekeningen te plunderen.

I love that you can sort of tell what this means even if you don't speak any dutch!

Imteresting that the camera lens is embedded within a reminder designed to make it useless.
posted by jzed at 2:55 AM on April 8, 2009


I think the reminder is intended to tell people to guard their PIN against people watching over the shoulder...
posted by thewalrus at 3:05 AM on April 8, 2009


A bunch more, in English.

Another one.
posted by Kirth Gerson at 3:15 AM on April 8, 2009 [3 favorites]


A particularly devious detail is that this skimmer wasn't built into a cash ATM, but into a train ticketing machine. In Holland, it is quite common to use your debit card to pay for the train ticket in one of these machines. Hurried commuters are less likely to cover their hand while typing in their PIN codes, never mind notice the skimmer. Moreover, because there is no "cash" involved, people also tend to be less careful.

There is something very, very Dutch in the discoverer's reaction: he warned the train company and the police, but proceeded then to disassemble the skimmer himself, take it home, photograph it, post the pictures on the interwebs, call the journalists, and only then handed the skimmer to the authorities. I doubt the police is amused...
posted by Skeptic at 3:23 AM on April 8, 2009 [3 favorites]


Here is one hell of a story. Bulgarian cyber-criminals install a skimming device on the ATM machine at the Police HQ in Bucharest. The Romanian Cybercrime Fighting Squad (which is responsible for catching skimmers and phishers) of the Romanian Police is located in the same building. One of their agents went downstairs to draw some money and he noticed the skimming device attached to the ATM.

That skimmer is either monumentally stupid, or has such big brass balls that he can easily be apprehended, just by following the sound them banging together with every step he takes.
posted by DreamerFi at 3:28 AM on April 8, 2009 [4 favorites]


OK, the press articles help explain the discoverer's expeditousness: his card had already been skimmed (presumably in the same location) a few months earlier, making him 900 euros poorer. Never underestimate the wrath of a scammed nerd...
posted by Skeptic at 3:30 AM on April 8, 2009


Wow, that fake keypad overlay in Kirth Gerson's first link is pretty scary. I always cover my pin with my free hand or wallet, but there isn't much you could do about that! It's a shame there are no pictures of one in situ, I'd be interested to see how obvious/non-obvious they are.
posted by jzed at 3:39 AM on April 8, 2009


Damn, this is scary stuff. I've never been a victim of any scam like this, but I'll be tugging at every card housing I see from now on.
posted by saysthis at 4:25 AM on April 8, 2009


The thing that bothers me is how hopeless it is for consumer to defend against these attacks. Every merchant has a different brand card reader. Non seem tied to banks here in the UK. Any of these devices could store and steal your information without any need for a double swipe. All of the banks have different ATM styles. It simply isn't possible to know what is legit and what is dubious.

Never mind that the banks are now taking money from you directly via the government.
posted by srboisvert at 4:26 AM on April 8, 2009


I liek to put my PIN number in the ATM machine.
posted by turgid dahlia at 4:36 AM on April 8, 2009 [6 favorites]


I was pwned by a skimmer a few weeks ago and had an account cleaned out. A fraud claim and balance-restore later, I'm now super paranoid about literally every ATM I see. I take my cash out of the bank, when I'm there, in larger chunks - as I'm less worried about getting mugged in industrial neighborhoods in Brooklyn as I am getting my card / pin compromised.

Articles like these don't help the paranoia.
posted by SmileyChewtrain at 4:37 AM on April 8, 2009


Ticketing machines of the Dutch railways have always refused to accept my debit cards for some unknown reason. Which means I always have to buy my train tickets for some extra money at a ticket stall.

Until someone discovered how often the ticketing machines are used for card skimming, this was a nuisance.
posted by ijsbrand at 4:39 AM on April 8, 2009


The thing that bothers me is how hopeless it is for consumer to defend against these attacks.

In the US, bank regulations are so lax that you don't even need this; all you need is an ABA routing and account number, which can be obtained off any check. This is all that a bank needs to allow money to be wired out. I had money stolen out of my Bank of America account several years ago this way (a commercial account at that) which was used by someone to buy porn, and when I went to BoA they said there was nothing they could do to recover it.
posted by crapmatic at 5:12 AM on April 8, 2009


Here is a card skimmer, in place at a Chase in NYC a few days ago. I guess use the ATMs within the branch proper when possible.
posted by shothotbot at 5:28 AM on April 8, 2009


At some point in the last five years there was a ring of criminals in NYC who set up fake ATMs around town. They looked and acted just like ATMs and even allowed you to withdraw money while they captured your card info.
posted by Atom12 at 5:39 AM on April 8, 2009


Never mind that the banks are now taking money from you directly via the government.

That comment has reminded me of this YouTube video of a couple of months back.

(Fortis is/was a large Belgo-Dutch bank which has imploded in a particularly spectacular and acrimonious fashion and been bailed out no less acrimoniously by both the Dutch and Belgian governments. "Aandelen" is "shares". "Dubbel/niks" is "Double/nothing". "Neem ons geld": "Take our money")
posted by Skeptic at 5:41 AM on April 8, 2009


crapmatic, did they seriously do nothing about you being ripped off? apologies if this has been discussed here before.
posted by msconduct at 5:42 AM on April 8, 2009


So far, we haven't been skimmed. One of my rituals is that I never use non-bank ATMs. In Canada, the big banks' ATMs are pretty common, and they're usually massive and well-maintained.

Besides the fact that you're dinged an extra buck or two for using them, the little, often cheesy ATMs with unrecognizable brands or trademarks inspire absolutely no trust in me.

crapmatic - it's my experience that anyone can transfer money IN with an ABA number, but not out except by way of either direct authorization by you (or someone with your ID) at a bank branch, or by something like a cheque. Having the number by itself isn't sufficient, AFAIK.

I was thinking that the new bank cards being rolled out would end skimming, til I read this...
posted by Artful Codger at 5:42 AM on April 8, 2009


I prefer to have my money stolen the old fashioned way: by getting bent over my bankers desk and them ramming it home to the tune of "We're in the money! - We're in the money!"



Kirth - Mucho thanks for those links, btw.
posted by KevinSkomsvold at 5:50 AM on April 8, 2009


I too shall attempt to dismantle the ATM before I use it.
posted by bwg at 5:58 AM on April 8, 2009 [4 favorites]


Times like this, I'm glad I'm broke. Seriously, Bulgarian skimmers, bring it on!
posted by mannequito at 6:22 AM on April 8, 2009 [1 favorite]


I love that you can sort of tell what this means even if you don't speak any dutch!

This is a very confusing phenomenon if you are an English-speaker-who-knows-a-little-German in Holland. You spend the entire time staring at advertisements and posters that hover on the edge of meaning. It's *almost* readable until you run into some unnatural entwining of Ks and Js and Is. It breeds a strange sense of confidence and confusion.

It's a bit like plowing full-speed ahead into conversation with your polite-toddler level French and then having to stop when you realize you have no idea what anyone just said and you try to slink away quietly
posted by The Whelk at 6:24 AM on April 8, 2009 [5 favorites]


Maybe banks should start embedding holographic images in the card slot/keypad. Easy to recognize, very hard to reproduce.
posted by ymgve at 6:35 AM on April 8, 2009


Regarding Artful Codger's remark above, you can actually buy ATM machines... I think they're even sold on eBay. The small freestanding machines you see in convenience stores and gas stations in the USA and Canada are sometimes owned by the establishment and sometimes by a guy who runs a business placing machines around the city and taking a cut of the gross fees (the $2/transaction). Same business model as a "COCOT" pay telephones back in the days when people still purchased and installed non-incumbent-Bell owned phones in public places.

So the machine wasn't really fake, it was just rigged to correctly perform its transaction and also capture the card details. I also avoid using such machines, in Canada it's always going to be HSBC, RBC, BMO, ScotiaBank, etc.

The dutch style skimmer attack would be pretty difficult to pull at a branch of a big international bank, such as Standard Chartered, in Pakistan or India. The machines are usually guarded by a bored looking guy holding a 12 gauge shotgun, who may not be particularly alert but would definitely notice somebody sticking a large device to the front of the machine with double sided tape.
posted by thewalrus at 6:37 AM on April 8, 2009 [1 favorite]


I was a victim of one of these (I assume) a couple of years ago. My credit union called me to ask if I'd recently withdrawn $900 from an ATM a few towns over. I definitely hadn't, in fact, I'd never been there. Fortunately, being University Credit Union instead of Bank of America, they weren't a bucket of douchebags, and they credited my account with a refund after a very short investigation and a minimum of paperwork that I had to fill out.

Sup dawg, I herd u liek credit fraud, so we put a skimmer in your schooner so we can phish while you fish!
posted by explosion at 6:48 AM on April 8, 2009 [5 favorites]


Wow, I had never heard of this before and now I'm all paranoid. Back in the days when we all long distance phone cards linked to our home phones some friends got their numbers stolen on the NJ Parkway, leading to a $800 long distance bill with lots of calls to the middle east; the cops said it was likely a camera aimed at the rest stop payphone from a distance. That was bad enough; this is downright scary.
posted by mygothlaundry at 6:51 AM on April 8, 2009


Wow. I've always stubbornly ignored the warning on ATMs, the little signs on NS ticket machines, and the protestations of my Dutch boyfriend telling me to shield the number pad while I enter my PIN. Maybe I'll rethink that strategy.
posted by transporter accident amy at 6:53 AM on April 8, 2009


Would a tray-loading device (think CD drive) work better than a slot? Damn hard to put something over a tray that would read the card on the way in.

For that matter, those little credit-card sized CDs would seem like an excellent way of storing data instead of a mag stripe, except for the whole scratching thing and the inevitable dirty lenses inside the reader. Heck, with a mini-CD you could slap some major league encryption on the account info, and use much more complicated passkeys than a 4 digit code.
posted by caution live frogs at 6:54 AM on April 8, 2009


This is a great post. I know that these things are quite prevalent in the Netherlands and I thought I was quite aware of them. Seeing these pictures shows me that I still might get fooled.

The standard 'defense' against this by ATM machine companies is to create protruding elements around the card entrance to make it harder to affix the fake front. I'm not sure those are enough though.
posted by jouke at 6:55 AM on April 8, 2009


This is very common in London at the moment. Me and my girlfirend have each been hit a couple of times.
posted by Onanist at 7:02 AM on April 8, 2009


So the machine wasn't really fake, it was just rigged to correctly perform its transaction and also capture the card details. I also avoid using such machines, in Canada it's always going to be HSBC, RBC, BMO, ScotiaBank, etc.


In case you didn't know the majority of those machines are run by the very banks you list. They have been both shutting down and slowing down deployment of their regular ATMs and increasing the number of their shell company "third party" machines so that they can increase their transaction fees in areas that they now deliberately under service.

CIBC for instance owns and operates Ready Cash.

Canadian banks are stable like the way vampires are immortal.

For a comparison there are pretty much no ATM fees in England. I can use almost any bank's ATM for free. Now if only I had money in there to take out...
posted by srboisvert at 7:07 AM on April 8, 2009 [3 favorites]


What I don't understand is, at some point the criminal needs to actually install the skimmer, right? And just about every ATM machine has a video camera on it, right? So why aren't there videos of the perps installing the skimmers? Is this because the tapes are getting wiped before someone notices?
posted by Civil_Disobedient at 7:19 AM on April 8, 2009


I was a victim of one of these (I assume) a couple of years ago. My credit union called me to ask if I'd recently withdrawn $900 from an ATM a few towns over.

I was probably a victim of the same assumed thing, since we used the same ATMs, and uh.. all Bank of America did was shut off my debit card without notifying me.

So why aren't there videos of the perps installing the skimmers?

I was under the impression that the camera built into the ATM only takes a picture of your face when you insert a card and make a transaction. That, and having a picture of someone's face doesn't do much good if you don't have a name to go with it.
posted by giraffe at 7:42 AM on April 8, 2009


Fortunately, being University Credit Union instead of Bank of America, they weren't a bucket of douchebags, and they credited my account with a refund after a very short investigation and a minimum of paperwork that I had to fill out.


In the interest of semi-fairness to BoA...about three years ago someone managed to steal my Debit Card number and go on a rampage through David's Bridal Shops in Upstate, NY and then liquor stores in Baltimore. When I called their fraud department they were the most pleasant, helpful and re-assuring people imaginable and they fronted the full loss while they investigated. Got all my money back no problems. So, you're experiences may vary. I still hate them for other reasons, but...
posted by spicynuts at 7:50 AM on April 8, 2009


So I'm supposed to be on the lookout for a second, hidden camera at my ATM? One that's recording my every move? And that card slot isn't the real card slot but a fake one that records my every action and then passes through to the real card slot?

Paging P.K. Dick. Mr. Dick, your paranoid fantasies are true. Repeat, your paranoid fantasies are true.
posted by Nelson at 7:51 AM on April 8, 2009 [1 favorite]


"Would a tray-loading device (think CD drive) work better than a slot? Damn hard to put something over a tray that would read the card on the way in."
Vandalism would prevent that being practical, I'd bet. Anything that it's easy to snap off will get snapped off.
posted by edd at 8:01 AM on April 8, 2009


I always thought of ATMs as little border forts for capital, bristling with foils and countermeasures. If a scammer can run off with all the account information they need after buying an ATM on eBay, that makes them more like a maginot line.
posted by paul_smatatoes at 8:07 AM on April 8, 2009


Skimming ATM cards really freaks me out, that's why I've developed a personal security protocol designed specifically to protect myself from these criminals; basically what I do is wait for someone else to come up to the ATM I want to use. I then ask them to take out whatever amount I need off of their card (Not mine! Try and get me now you skimming bastards!), I then take the money from them, tell them to stop crying, holster my pistol, and run away before the skimmers get wise to my secret trick.

It's worked pretty well so far, no one has gotten my ATM information.
posted by quin at 8:16 AM on April 8, 2009 [7 favorites]


paul_smatatoes: Or maybe a little border-control shack with a bored, easily bribable guard?

caution live frogs: Smart cards (the kind with a chip embedded in them and a little pattern of contacts on the card) are a mature and cheap technology and are usually designed to deal with this— you can't generally clone the card just by observing the communication with it. (Some are just glorified magstripes, but many do a crypto exchange of some sort. Like your phone's SIM, for example.) I think one problem is the installed infrastructure of magstripe terminals, plus as srboisvert notes, the banks don't really have an incentive to improve the system piecemeal.

(Note that the UK chip-and-pin system doesn't seem to use any crypto authentication, meaning it's vulnerable to attacks analogous to skimmers.)

Bizarrely, a few years ago one of my credit cards issued me a new card with an embedded chip, but I never heard of a situation where it could be used. The next card they issued didn't have smartcard contacts, but had a proximity-card coil instead, which I guess some number of gas stations support, though I haven't encountered one.
posted by hattifattener at 8:41 AM on April 8, 2009


The Bank of America branch near my office actually was in the papers a few months ago for this. I was more surprised that it made it into the papers than that it had happened at all.

I am not real paranoid, but I do take a moment to scan the ATMs I use for extraneous looking paraphernalia around the card slot, and possible camera hiding locations. The mirror camera in the FPP was pretty damn good though, and the swipe device smaller than I would have expected.
posted by Xoebe at 11:13 AM on April 8, 2009


all you need to do to avoid this is to train the muscles in the palm of your hand, so that you can lay your palm flat over the pinpad & press the keys by twitching the appropriate muscles.

this also has the benefit of looking like you're trying to do some kind of sci-fi mind-meld with the ATM, so any muggers loitering nearby with think you're too psycho to be worth the risk, especially seeing as you probably can't have a whole lot of money.
posted by UbuRoivas at 12:51 PM on April 8, 2009


I used to listen to a police scanner in the late 90s before the signals became digital. Easily the most interesting thing I ever heard was the report of "two juveniles attaching a computer device to an ATM."
posted by werkzeuger at 1:18 PM on April 8, 2009


I know it's cool to take photos and send them into Gizmodo and all ... but I wish one of these guys would just quietly leave the skimmer there, call security, and wait for the skimmer to return. That would be a much better blog post ...

If you enjoy even more paranoia, see also Bruce Schneier's post on the chip-and-pin compromise in the UK where the best method of detection is/was weighing terminals to detect if they had been implanted with 4oz. of hijack chips.
posted by bhance at 3:58 PM on April 8, 2009


This sort of thing hasn't hit Hong Kong that much yet, but scammers would be filthy rich if they did set up shop here, because most folks in these parts are notoriously lax about PIN security.

I've watched people punch in their numbers without making any attempt to shield the keypad.

They might as well just withdraw a huge sum and toss the cash into the air.
posted by bwg at 4:22 PM on April 8, 2009


Does anyone else foresee bank ATMs being equipped with thumbprint scanners for cards with built-in smart chips?

Does anyone else foresee scammers figuring out how to collect thumbprints?
posted by bwg at 4:25 PM on April 8, 2009


Does anyone else foresee bank ATMs being equipped with thumbprint scanners for cards with built-in smart chips?

Does anyone else foresee scammers figuring out how to collect thumbprints?


Retina scanners it is, then, unless they start stealing our eyeballs.
posted by kersplunk at 5:43 PM on April 8, 2009


Gizmodo is trying to get an anti-skimmer mob together.
posted by shothotbot at 6:20 PM on April 8, 2009


Meanwhile, people on YouTube are using the site to advertise their skimmer equipment! It's a legitbuziness!

YouTube needs a serious flagging of these videos, as there are lots of criminals trying to use the site to promote skimmers, cardstock, etc. aimed at the criminal market.
posted by markkraft at 6:57 PM on April 8, 2009 [1 favorite]


They might as well just withdraw a huge sum and toss the cash into the air.

And how would that be any different from going to the casino?
posted by UbuRoivas at 7:22 PM on April 8, 2009


Canadian banks are stable like the way vampires are immortal.

Best In Thread.
posted by five fresh fish at 9:43 PM on April 8, 2009


Why are we still allowing any sort of plaintext access to our account details stored on the card? It's so utterly moronic.

It should be like a mobile phone USIM. Data in, cryptoprocessor does the work, encrypted data out. The CPU of the phone never actually knows the seed. It's all done on the USIM.

The only thing that should be passed to the card should be the transaction amount, the merchant's bank details and the PIN. The cryptoprocessor allows and encrypts the transaction with the card's private key, adds the originating bank only. No account details. The reader should only be presented with a signed transaction to be submitted to their bank in return. The merchant's bank confirms the transaction and off you go.

The only way you could ever sniff the private key of a card would be to have physical access to the card for some large amount of time since the details are never allowed outside the card's microprocessor.
posted by Talez at 10:35 PM on April 8, 2009


And how would that be any different from going to the casino?

It ain't, you should see the wads of cash Hong Kongers blow when they go to Macau.
posted by bwg at 1:58 AM on April 9, 2009


>>Retina scanners it is, then, unless they start stealing our eyeballs.

kersplunk, have you seen this movie?

http://www.imdb.com/title/tt0106697/
posted by thewalrus at 2:54 AM on April 9, 2009


bwg: yeah, that was the joke!
posted by UbuRoivas at 4:06 AM on April 9, 2009


Another skimmer found and posted to Consumerist (April 19), with photos.
posted by Kirth Gerson at 7:27 AM on April 19, 2009


« Older What's a soda lover to do when Passover Coke has, ...  |  Thought you guys might want to... Newer »


This thread has been archived and is closed to new comments