
Why I Always Tug on the ATM - ca98am79
https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/
======
Matthias247
My card was once copied - but not at an ATM but from a self-service pay
terminal inside a large mall. Like this one:
[http://www.blattus.de/oldies/scans/2012/lesegeraet.jpg](http://www.blattus.de/oldies/scans/2012/lesegeraet.jpg)

Apparently some criminals broke into the mall, and manipulated all terminals
to record and wirelessly transmit the card information. The skimming devices
were not visible from the outside, since they were mounted on the inside of
the terminals. Therefore they haven't been found for multiple months - until
finally money was withdrawn with cloned cards. In my case it was around 100€
that were withdrawn somewhere in India. Fortunately my bank immediately
detected it, locked the card and notified me and also gave me my money back
later. When I reported it to the police I learned that thousands of people
were affected. Since that point of time the mall has locks and anti-tampering
seals around all card reader terminals.

------
thomasahle
> I’ve noted in countless skimmer stories here, the simplest way to protect
> yourself from ATM skimming is to cover your hand when entering your PIN.
> That’s because most skimmers rely on hidden cameras to steal the victim’s
> PIN. As easy as this is, you’d be amazed at how many people fail to take
> this basic precaution.

I wonder how hard it is for a trained eye to guess the PIN when typed this
way. Perhaps you could even do it with a neural network.

~~~
SteveNuts
I think according to HN, anything is solvable using a neural network

~~~
BoorishBears
Didn't a NN extract PINs from Wi-Fi signal strength?

------
soyiuz
I enter my PINs with at least three fingers touching the keypad at once
(with only one finger doing the pressing) for an extra layer of obfuscation.

Many banks also allow multiple accounts under the same umbrella. It then
becomes possible to maintain a shallow petty cash account with a dedicated
debit card (the other cards stay at home without activation).

~~~
hdhzy
In my country it is possible to withdraw money from most ATMs by typing a 6-digit
code from mobile banking app (generated randomly). The withdrawal then is
confirmed in the app (you see the detailed address of the ATM). The only
downside is that you need internet access but that's usually not a problem.

Another option that's starting to be widely available in ATMs is just using
NFC payments (HCE, Android Pay).

------
draw_down
Interesting! Maybe not good advice though. I can see this backfiring and
someone who tries it getting busted for something stupid like destruction of
property, or even being accused of trying to install a skimmer themselves.

------
jwilk
[https://media.ccc.de/v/33c3-8273-atms_how_to_break_them_to_s...](https://media.ccc.de/v/33c3-8273-atms_how_to_break_them_to_stop_the_fraud)

~~~
devwastaken
I really want to listen to this, but I honestly cannot make out what she is
saying. It sounds like a combination of English and another language, and
there aren't subtitles.

------
anotheryou
Why do ATMs not have a perfectly flat front? This would require the attacker to
carry around a big unconcealable front cover.

------
teh_klev
This is something I've been doing for the last two years, that and shielding
the keypad with my hand. If anyone were to ask or notice then I'd explain I'm
checking for skimmers and maybe they'll start doing the same.

------
mc32
Why have ATMs not yet instituted chip readers rather than the three track
magstripes? Why are bank ATMs so slow to deploy? If most PoPs can deploy chip
readers, so should banks, no? Is something else holding them back?

~~~
5555624
While my bank (credit union) has deployed ATMs with chip readers, they've been
slow to deploy cards with chips. As near as I can tell, they're replacing the
debit cards on their regular cycle.

------
nsxwolf
I would love to encounter one of these in real life some day and take it home
as a trophy.

~~~
pzh
Bad idea!

This is when the police may belatedly show up in all their glory and detain
you with the device in your possession, and you'll have a hard time explaining
that you're not part of a skimming gang.

The other possibility is that the skimmers may be watching and once they see
you're taking their device, they may decide to recover it, beat you up, or
even call the police on you claiming that you're the criminal.

If you see something like this, the best course of action is to leave it alone
and discreetly report it to the police.

