I suspect – hope – many have heard of ATM scammers, people who try to get information about your card while you are withdrawing cash from an ATM. I will usually look at a machine to see if it looks like someone has tampered with it and I always use my other hand to cover the one entering the PIN. Perhaps that’s silly, but it’s not much of an inconvenience and it’s routine for me now. But as far as I know, I have never encountered an actual ATM skimmer, thankfully.
A security expert happened upon one during his travels recently and captured it on video. In addition to reading his account of it, I highly recommend a careful look at this image from another observer who breaks down very carefully how some components of the ATM (most importantly the section next to where you insert the card) was different from the adjacent ATM that did not have a skimmer. That is likely where the camera resided. In addition to the skimmer, there is usually a camera nearby that captures your motions entering the PIN (if I am understanding this correctly, but do correct me if I am wrong), which is why I tend to cover my hand (and have noticed that now some machines supply some coverage themselves). Snopes has pictures of another version, an older model.
I found the video interesting as I find actual examples of such things helpful thus this public service announcement. Hopefully no one here has related experiences, but if you do, please share.
{ 21 comments }
engels 06.28.16 at 2:11 pm
I’ve always wondered about this. One thing I thought about was whether someone who couldn’t see you typing could still narrow down the possible PINs based on the rhythm of the beeps (eg adjacent keys would presumably be pressed more rapidly).
jake the antisoshul soshulist 06.28.16 at 2:29 pm
I think this must have happened to me. I had a couple of bogus charges on my debit card, and had to get a new one. Shortly before that, a skimmer had been discovered on the ATM of my bank. I am pretty paranoid about my PIN, but all the thief needed to do is run the copy as a credit and sign your name.
Eszter Hargittai 06.28.16 at 2:35 pm
Engels, that’s one possibility (I’m pretty sure I use more than one finger when I type in a PIN so not sure adjacency necessarily matters, but I may be unique in that). I myself have wondered if you couldn’t just get the PIN info electronically somehow as that would presumably go through the device as well. But I really don’t know enough about these systems to say.
Ginger Yellow 06.28.16 at 2:38 pm
The problem is how on earth you’re supposed to know ex ante, that, say, a sticker not going all the way to the screen border is a bad thing. I mean, the risk just means that I always cover my hand, but there doesn’t seem to be any kind of widely applicable heuristic to allow punters to assess what is and isn’t safe.
Eszter Hargittai 06.28.16 at 2:51 pm
Agreed, Ginger Yellow, that makes it rather frustrating. I have a couple of take-aways. First, it’s worth looking closely at the device to see if you notice any tampering. I’ve seen people mention that they even pull at the machine to see if it comes loose. I’m sure many are so well done that it would be hard to catch, but it’s something to consider. Second, and maybe this assumption is wrong, but I would hope that ATMs inside banks and other establishments may be less prone to this. I don’t have any evidence of that, but those are perhaps more likely to have security cameras and have limited access hours maybe making it harder for scammers to fiddle with them.
infovore 06.28.16 at 3:02 pm
If you’re interested in the subject, Krebs on Security has a lot of information. (The link goes to his all-about-skimmers posts.)
Cranky Observer 06.28.16 at 4:52 pm
= = = ). I myself have wondered if you couldn’t just get the PIN info electronically somehow as that would presumably go through the device as well. But I really don’t know enough about these systems to say. = = =
Yes – the more modern skimmers have RF readers that read the keypad as you type.
The Raven 06.28.16 at 5:47 pm
Skimming is made much more difficult by the chip-and-pin technology that the banking industry has been avoiding deploying for years.
Security: it’s only important when it’s the bank’s money.
The Raven 06.28.16 at 5:47 pm
Duh. Deploying in the USA; it’s been routine in Europe for a long time.
The Raven 06.28.16 at 5:53 pm
If your bank offers a chipped card, and your regular places of business accept it, that is an excellent method of avoidance.
The Raven 06.28.16 at 6:03 pm
In the USA, identity theft in general is now routine; it happens to my family about every year and a half. So far the damage has been minor, limited to replacing cards and occasional account freezes.
Lowhim 06.28.16 at 8:36 pm
Was a bigger deal with credit card swipes and MTA machines, if I remember the stories in the Bronx. Some ingenious ways of switching out. One wonders if certain people’s innovation was actually harnessed for good how much better we would all be. [1] That being said, after working a Crime Check number for some time, the amount of people getting credit cards swiped is very impressive. Even in a metro of 500,000 people it can be scores of them. mmm Is there a good book to read on the narratives/mechanics of the criminal world/crime?
[1] No, I understand why, I’m just saying
Graham 06.29.16 at 12:39 am
I’m a bit puzzled as to why he says to check for ATM skimmers specifically in Europe. Is it more common in Europe, or is it it aimed mainly at Americans who’d be more vulnerable with unfamiliar models of ATM just as I might be in the States?
Howard Frant 06.29.16 at 5:36 am
Lowhim @22
You understand why? Can you tell me, please ? Can’t think of a more important question.
GHG 06.29.16 at 6:24 pm
I use a chip-and-PIN credit card in Canada and have had my card “compromised” four times in the last 18 months. The financial institution never tells me how this has happened – it could be a mass hack (which I’m pretty sure affected me a few years ago when someone hacked the credit card files of a retailer I shopped at), it could be a skimmer, it could be some other nefarious scheme. But chip-and-PIN is not foolproof, though clearly better than the precursor technology.
Ogden Wernstrom 06.30.16 at 4:35 pm
RE: Chip-and-PIN – At restaurants in Europe, I thought the weak link would be the wireless device that comes to the table – possibly vulnerable to MITM attack on the wireless connection, or an internal hack that might be aided by a restaurant employee.
Anecdata: On last year’s trip to Europe, I used my cards only with stationary devices. I am the only one (of 4 of us) who still has the same card numbers.
Also, I recall a news story about attacks that were specific to a model of ATM; they would remove a piece of the ATM around the card slot and replace it with the skimming device, styled to look like the part that was removed.
ZM 07.02.16 at 6:54 am
I just type in the numbers myself, I have never had a problem. Sometimes at busy ATMs in crime prone areas in the city the ATMs have the plastic covers. I don’t really have any money though. One time I got given a PIN by the bank for my new card that was the year of my birth. It was never any problem remembering it, and it felt like a lucky charm.
Ogden Wernstrom 07.02.16 at 2:07 pm
I felt unlucky when my first chip-and-PIN card was assigned the kind of thing an idiot would have on his luggage!
Hal 07.02.16 at 2:29 pm
Related skimmer scam.
Downstairs doorbell rings in our small (17-unit) apartment building. “FedEx parcel delivery.” We didn’t order anything, but who can remember? Maybe some promotional thing. We respond and young guy in an appropriate uniform walks up the 3 floors to our door. Sorts through a small pile of packages. All exactly the same size (first clue that we missed). But the packaging looks authentic. Shipped (to Montreal) from some company in Seattle. But there’s a small customs fee to be paid. $1.25. He’s shy, sympathetic. He can’t accept cash. Bank debit card only. (Actually against FedEx rules but we didn’t know.) Hands us a portable card reader. With a “FedEx” label on it. Looks legitimate. Insert card (with chip); enter PIN number. The gizmo accepts my number without asking whether I want to pay from my savings or chequing account (another clue missed). It spits out a small receipt for $1.25. Receipt looks authentic. Guy leaves. We tear open the very-well-packaged item and discover a cheap watch (worth $9.95 at Walmart). I notice that its small label has French on it. Huh? From Seattle? We check the FedEx tracking number online. Doesn’t exist. Finally realize we were scammed. The handheld card reader was a very slick, authentic-looking skimmer! Now it has my bank debit card number and its accompanying pin number! Feel very foolish. Call the bank. No charge registered for $1.25 (final clue; it would already have shown up). But pin number can’t be changed by phone or online; must be done at an ATM machine. Make a quick trek to a nearby bank machine; change pin number. Email neighbours to watch out for scam and learn that 2 others were victimized… (Why couldn’t they have warned the rest of us?) Following day, on bank advice, decide to replace debit card entirely. Lesson learned.
Eszter Hargittai 07.03.16 at 4:18 pm
Hal, yikes! Thanks for sharing.
Ogden W, can you clarify what you mean by stationary device? Do you mean not one of those roaming devices you refer to in European restaurants? Something to keep in mind for sure. Generally speaking, my impression is that Europeans tend to have more cash on them and use credit cards less often than people in the US.
Layman 07.03.16 at 4:46 pm
Credit card theft / fraud in the US is very heavily concentrated in the restaurant / hotel / gas station industries. Why? Because these industries are heavily franchised, with each store basically operating as a small business, and with little security expertise, capital, or inclination to improve technology vs. investing in some other part of the business. The franchisers offer some solutions and expertise, but because they have little legal or financial responsibility for the franchisee, they aren’t spending much money to protect them.
Comments on this entry are closed.