To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine.
The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming”.
Once they have your card number, the second part of the equation is getting you PIN. Not surprisingly, the creativity of the criminal mind offers a few ways to do this. Most often, some sort of hidden camera is placed where they can view you typing the PIN. This is harder than it sounds because a camera will need power and a way to download footage to the attackers.
In lieu of a camera, attackers can use PIN pad overlays
PIN pad overlays are devices that sit on top of the pin pad to record typed numbers. Similarly, making an overlay isn’t as easy as it sounds. In addition to looking like a legitimate part of the ATM, these PIN pad overlays need power, storage and download capabilities to be effective. Here is a video of a team of thieves installing a card skimmer overlay at a convenience store:
How do you protect yourself?
Krebs recommends two simple protections.
Jiggle that ATM
Give the card reader area a good yank. Don’t get out your crowbar, just see if any pieces of the ATM come-off easily. Usually the skimmers will snap into place or use light adhesive so they can be easily removed and swapped-out by the thieves.
Cover your PIN with your hand
This will not protect you from PIN overlays, but it will hide your PIN from hidden cameras. Plus it’s so easy to do, why wouldn’t you?
Finding a Skimmer in Bali, Indonesia
Outside of a popular tourist grocery store, there is a bank of ATMs.
Source: Google maps
The photo doesn’t do it much justice, but each ATM has it’s own entrance and tiny, air-conditioned cubicle. Tourists feel safe because no one can see them pocketing cash from the street.
We have used this ATM before. This time, when I went with Elizabeth to get some cash, I jiggled pieces of the ATM. The card reader was solid, but when I pulled on the guard that hides your hands when you type your PIN, it came right off.
Ummm, that’s not supposed to happen…
A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.
A piece of plastic to prevent people from seeing your PIN should not need a switch or a cable.
I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!
We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.
By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.
The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispached a technician to look at the machine.
Read more about Reverse Engineering on Matt South's blog.
Author: Matt South Matt is a penetration tester from Kansas City, MO. He specializes in web and mobile application testing, but loves all things security. Matt's favorite types of exploits to find are business logic flaws that an automated scanner would miss.