ATM Skimming

11 May 2009

Tags: security|skimming

Digg! Delicious! Technorati! StumbleUpon! Facebook! Google! Yahoo! Windows Live! Ask Jeeves! Mister Wong! Fark! Reddit! Spurl! NetVouz! SlashDot! Furl!

The recent discovery of skimming devices on Australian ATMs has left many people wondering if they're safe to use anymore.

Last month, five men were arrested over an ATM skimming scam in Melbourne. ANZ declared more than $500,000 had been stolen from over 5,000 cards as a result of the scam, which used an ATM skimming device attached to the card reader of an inner-city ATM.

But how does it work and how can consumers be sure the ATM they're using is safe?

The technology required for ATM skimming is typically very simple. A miniature card reader is stuck to the outside of the ATM's card reader, so the device can read and store the card information as the card passes through it. The PIN number is recorded either with a tiny pin-hole camera directed at the numeric keypad, or by using a substitute keypad which sits over the top of the real keys and logs the customer's PIN when they enter it.

The devices can be difficult to spot. The reader can be so small that it looks like the ordinary plastic lip around the card slot. A fake keypad is usually a very thin plate which sits above the normal keypad. Both are usually adapted to match the colour of the ATM. A pin-hole camera can be easier to spot and will typically be positioned directly above the keypad, sometimes inside a light cover.

The data is stored on a solid state memory device, similar to an ordinary USB drive. The device may be configured to simply store the data and await collection by the criminals, who remove the entire device and the upload the data to a normal PC, or it may have a wireless transmitter so it can be accessed by the scammers with a wireless laptop from nearby.

Sometimes, the entire ATM is a skimming device. In Connecticut in 1993, Gerald Greenfield manufactured and installed an ATM at a shopping mall. He then glued up the ATM slot on other ATMs in the mall to drive more customers to his machine, which recorded the information of every card which was used in it. Greenfield later used the data to steal over US$100,000.

Once the criminals have your card data, they can construct a clone card, with an identical magnetic strip and, using your PIN, withdraw money from your account at a legitimate ATM.

The scam is notoriously difficult to police as the scammers very rarely get caught. Once the card data has been used, the bank can correlate fraud reports and use data mining techniques to isolate the common origin (such as a single ATM), but it's a case of shutting the gate after the horse has bolted. For the data to have been used, the criminals have already collected the information, so the device has probably been removed.