08-16-2013 02:44 PM
If you're in Australia and use ATMs, this story should interest you. It should also interest anyone using an ATM just generally as this sort of attack becomes more and more prevalent in all regions. Credit card thieves are utilizing advanced 3D printers to create sophisticated credit card skimming devices that they attach to ATMs to capture the card number, as well as the PIN. This gives them enough data to start draining money out of accounts almost immediately.
Good luck catching this with only your eyesight.
A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture “sophisticated” ATM skimming devices used to fleece Sydney residents.
NSW Police recently arrested and charged a Romanian national with fraud after a money transfer officer contacted police over a suspicious transaction.
Police said they established a dedicated taskforce to address the skimming issue in June after seeing an increase in alleged offences.
The taskforce found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000.
“These devices are actually manufactured for specific models of ATMs so they fit better and can’t be detected as easily,” he said.
“Parts of the devices are internally fitted, either by the offenders moving part of the slot and replacing it with their own, and pushing circuitry into the machines. [Another model] is so small it’s entirely self-contained and entirely pushed in, with some force, into the card slot.”
The devices are accompanied by a video camera which is attached above the location of the skimmer, and is tailored to the design of the particular ATM.
“They’re getting smaller and smaller with time,” Dyson said. “They’re trained down at the keypad where the pin is entered.”
The focus of skimming gangs is to obtain both the credit card and the PIN. Without the PIN, the credit card data has little value as the criminals will be unable to transfer money, make purchases or withdraw cash.
Like any good technology, it was only a matter of time until 3D printing was exploited by criminals. If you see one of these devices attached to an ATM, call the police. Since the devices typically operate via Wi-Fi, the criminals are probably nearby.
Although the linked article states the best way to deal with this kind of problem is to cover the keypad, that's not really true. There are types of keypad skimmers that fit over the top of the existing keypad and look just like the normal one. These can be practically impossible for the average person to detect, just like many of the fake card readers that fit over the top of the real card reader. You can cover up the keypad as best as you can, but that won't help if there is a fake keypad affixed to the top of the real one.
The truth is, the best way to protect yourself when it comes to ATMs is to use a live teller instead. Annual losses from ATM fraud total about $1 billion, 92% of which was from ATM skimming attacks like these.
08-19-2013 06:36 PM - edited 08-19-2013 06:43 PM
Stuff like this is why I now pull on, and try to budge, anything I insert my card into. And I make a purposeful note to remember exactly what the card reader looks like on the few ATMs I pick as safe.
However, I find that the biggest weakness of ATM skimmers is the usual need for a camera. The camera module is the most likely to stick out as weird. But they get a pass because people don't usually look in the top corners.
If you want to be as scared as I am by skimmers, try reading the awesome Brian Krebs' stories about them. He really helped bring these stories out.
Also, change your PINs, people. As the stories say, sometimes it can be months before they bother trying to use the credentials. I cycle my card numbers yearly and change my PIN...less often than I should.
08-20-2013 10:40 AM
Thanks for the post, Jim. I think I’ll start making it a habit to withdraw and deposit money in the Bank / Credit Union by way of the bank teller. ATMs are a convenience but not worth the hassle when your private information is exposed.