About Us | Contact Us
View Cart

Taking a Trip to the ATM: Beware of ‘Skimmers’

By Vigilize | Tuesday, July 26, 2011 - Leave a Comment

Skimming typically involves the use of a hidden cameras (top) to record customers’ PINs, and phony keypads (right) placed over real keypads to record keystrokes.

Last fall, two brothers from Bulgaria were charged in U.S. federal court in New York with using stolen bank account information to defraud two banks of more than $1 million.

Their scheme involved installing surreptitious surveillance equipment on New York City ATMs that allowed them to record customers’ account information and PINs, create their own bank cards, and steal from customer accounts.

What these two did is called “ATM skimming”—basically placing an electronic device on an ATM that scoops information from a bank card’s magnetic strip whenever a customer uses the machine. ATM skimming is a growing criminal activity that some experts believe costs U.S. banks hundreds of millions of dollars annually.

How Skimming Works
The devices planted on ATMs are usually undetectable by users—the makers of this equipment have become very adept at creating them, often from plastic or plaster, so that they blend right into the ATM’s façade. The specific device used is often a realistic-looking card reader placed over the factory-installed card reader. Customers insert their ATM card into the phony reader, and their account info is swiped and stored on a small attached laptop or cell phone or sent wirelessly to the criminals waiting nearby.

In addition, skimming typically involves the use of a hidden camera, installed on or near an ATM, to record customers’ entry of their PINs into the ATM’s keypad. We have also seen instances where, instead of a hidden camera, criminals attach a phony keypad on top of the real keypad … which records every keystroke as customers punch in their PINs.

Skimming devices are installed for short periods of time—usually just a few hours—so they’re often attached to an ATM by nothing more than double-sided tape. They are then removed by the criminals, who download the stolen account information and encode it onto blank cards. The cards are used to make withdrawals from victims’ accounts at other ATMs.

Skimming Investigations
Because of its financial jurisdiction, a large number of ATM skimming cases are investigated by the U.S. Secret Service. But through FBI investigative experience, we have learned that ATM skimming is a favorite activity of Eurasian crime groups, so we sometimes investigate skimming—often partnering with the Secret Service—as part of larger organized crime cases.

Some recent case examples:

  • In Miami, four Romanians were charged with fraud and identity theft after they made and placed skimming devices on ATMs throughout four Florida counties … all four men eventually pled guilty.
  • In Atlanta, two Romanians were charged and pled guilty to being part of a criminal crew that stole account information from nearly 400 bank customers through the use of skimming equipment they installed on ATMs in the Atlanta metro area.
  • In Chicago, a Serbian national was arrested—and eventually pled guilty—for attempting to purchase an ATM skimming device, hoping to steal information from ATM users and loot their bank accounts.
  • In New York, a Bulgarian national referenced at the top of this story was sentenced yesterday to 21 months in prison for his role in a scheme that used sophisticated skimming devices on ATMs to steal over $1.8 million from at least 1,400 customer accounts at New York City area banks.

How to Avoid Being Skimmed
There are things you can do to avoid being skimmed.

  • Inspect the ATM, gas pump, or credit card reader before using it…be suspicious if you see anything loose, crooked, or damaged, or if you notice scratches or adhesive/tape residue.
  • When entering your PIN, block the keypad with your other hand to prevent possible hidden cameras from recording your number.
  • If possible, use an ATM at an inside location (less access for criminals to install skimmers).
  • Be careful of ATMs in tourist areas…they are a popular target of skimmers.
  • If your card isn’t returned after the transaction or after hitting “cancel,” immediately contact the financial institution that issued the card.

One Last Note: ATMs aren’t the only target of skimmers—we’ve also seen it at gas pumps and other point-of-sale locations where customers swipe their cards and enter their PIN.


Original Article from the Federal Bureau of Investigation.


same_strip_012513

Posted in Infotex News

Latest News
    Why It Rhymes With SEEM (And its Not the I Before E Rule) Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . It’s the Gestalt. The idea that the whole is greater than the sum of it’s parts. That’s not something that is often brought […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Questions about China’s new disclosure laws only highlight the uncertainty about disclosure in general… An article review. China recently made waves in the security world by announcing a new set of data security laws, one of which has added new fuel to a long running debate: how and when should security vulnerabilities be disclosed…and to […]
    Four Conditions … …For Why a Network Can be Anything But a Network! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . I have to admit that infotex is being called into engineering meetings with larger organizations these days that are NOT community based banks.  We […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    If Zero days need Zero clicks, are there any secure devices in the mix? Tanvee Dhir explores the Pegasus spyware. Another technical post, meant to inspire thought about IT Governance . . . . Introduction Over the past couple of weeks, we have seen multiple stories regarding a powerful piece of spyware called Pegasus sold […]
    Our Lead Non-Technical Auditor takes a look at the new AIO Guidance… Architecture, Infrastructure, and Operations (AIO) is the latest booklet released by the Federal Financial Institutions Examination Council (FFIEC) in their line of  IT Examination Handbooks. It is an update to their 2004 Operations booklet and, as the name implies, expands into the areas […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Many organizations still fail to consider the unique risks posed by cloud computing… An article review. Last month thousands of Western Digital MyCloud device owners learned about the risks of cloud-based solutions the hard way: their data had been wiped remotely due to a flaw in the internet-facing component of their external hard drives. While […]
    infotex does not use Kaseya… We are protecting our Clients! Another blog post meant to inspire thought about IT Governance . . . . To all infotex managed security service Clients: As you may be aware there was a large ransomware attack recently that leveraged a remote management tool called Kaseya that is used by many […]