
Finding an ATM Skimmer: It pays to be paranoid - prostoalex
https://www.linkedin.com/pulse/finding-atm-skimmer-pays-paranoid-benjamin-tedesco-gcih-pmp
======
jonah
I actually found a similar one today at my bank![1] Thanks to reporting by
Brian Krebs and others, I'm pretty tuned in to anything suspicious. This was
on the ATM I use most frequently so I immediately noticed the translucent
green card receptacle was shinier than usual. Sure enough, it was a flexible
plastic cap over the real slot. The PIN camera was the typical fake bezel with
pinhole.

I notified the branch manager and he immediately deactivated the machine and
called their security team and the police. I didn't hang around to see their
response, but happily they were very thankful and took it seriously.

[1] [http://imgur.com/a/KGoBM](http://imgur.com/a/KGoBM)

~~~
seanp2k2
Sounds like a good course of action for getting the appropriate attention on
the issue (the bank obviously doesn't want their customers getting robbed
electronically) without wasting your own time dealing with police or putting
yourself at risk of them thinking you did it. How did you find the branch
manager?

~~~
SolarNet
A lot of ATMs are on the outside face of a bank branch.

~~~
jonah
This one was exactly there. I had also dealt with the manager previously
setting up business accounts and whatnot.

------
patcheudor
Finds ATM skimmer in the wild, doesn't call the police.

As a security professional I cringe at this sort of thing every time it
happens. Fundamentally this isn't something to go reverse engineer, to show
off to the person next to you to show how smart you are, it's evidence of a
crime and needs to be handled as such by contacting the authorities. Perhaps
there are fingerprints on the inside. Maybe the police have stopped someone
who was suspicious around that ATM previously and would now have evidence to
bring them in for further questioning. Maybe they could pull video. By not
calling the authorities all of those potential angles to find the perpetrator
are lost. Further, in many jurisdictions, not immediately calling the police
can get you in a lot of trouble:

1) What if the police were watching, waiting for the criminal to return to
remove it? You're now their prime suspect and a video of your 'discovery'
isn't going to help you as you sit in jail for a few days.

2) This is directly tampering with evidence of a crime. Removing it is fine,
that's discovery, but keeping it without contacting the authorities? That
could be criminal.

~~~
valine
Perhaps I'm wrong about this, but I can't really imagine the police are well
equipped to handle this sort of thing. I guess I don't have much faith in the
authorities when it comes to cyber crime. The police can only do so much.
Giving people knowledge to protect themselves is far more beneficial imho.

~~~
cisstrd
Watch a Crime Series like Forensic Files (even if the cases might be cherry-
picked) and your attitude might change.

Sure regarding technology they are not always up to industry standards, they
might have to deal with too much workload, they might be under-funded, and
someone working for the police will most likely not be smart enough to work
for Google and earn 200000$ a year. But they can take fingerprints, they do
have databases where they collect such information, they certainly can analyse
video material, and it's stupid to think that in a country like Austria this
won't be investigated (it's also Vienna we are talking about).

Even if they just take some fingerprints, analyse the video material, maybe
notify the bank and send out a memo, how is this not worth reporting it
immediately?! The bank being notified can warn customers, change pins for
customers they think might be victims, are paying more attention, ...

I won't name other countries as I don't want to insult anyone, so let's just
say in a "tourist-heavy corruption-ridden non-1st world country" I could
sympathize a little bit more with your sentiment, but in this case I think you
are just wrong and should re-think your attitude.

~~~
rjbwork
> But they can take fingerprints

We've had a rash of car break-ins in my neighborhood. My roommate had a large
metal ball hucked through his car window, and when the police called, the dude
refused to bag it for evidence, take it with him, fingerprint it, or anything.
I'd say to consider yourself lucky if your local beat police give a damn about
collecting evidence of a crime that's not drugs, violence, or human
trafficking.

EDIT: Just remembered, instead, he picked up the metal ball and started
tossing it around, from hand to hand, into the air, etc. All casual like - as
if it were a toy. Callous disregard for his job and totally destroyed the
evidence.

~~~
cisstrd
I don't doubt the story at all and I am sad to hear that, but I have to make
the following points:

-) Even if no fingerprints are taken, the other points I made stand.

-) Anecdotal evidence is weak/no evidence, though I will not disregard it completely.

-) Not sure where this happened, call me biased (I really don't want to open a can of worms here), but I have more belief in the police of Austria compared to many other (including the USA for example) countries. [1]

[1] I don't mean to imply the capabilities are different, I want to say that I
think the police in the USA, especially on the level of "normal" police
officers, seems to get away with far more misconduct / inappropriate behaviour
than a police officer in Austria ever would. Crime rates also have a huge
impact, in areas of high crime rates or under-funded police especially
"smaller" cases will not be investigated properly, et cetera...

~~~
rjbwork
Yeah. Two worlds I guess. Large southern US city vs Austria.

To make matters worse, it was most likely payback from a person who previously
vandalized his car and got arrested for it. The cop wouldn't even listen.

------
white-flame
While I've seen skimmers that cover the entire front of the ATM, it boggles my
mind that the credit card acceptor isn't designed to be flush with the front
face. That would make it much harder to plant an additional device on top
without it looking more conspicuous.

~~~
lucb1e
I'm sorry, but what does "flush" mean here? I only know it in the context of
toilets and computer caches. (I'm not a native speaker.)

Looking it up, you might mean it glows in some color?

~~~
civilian
Like the other people are saying, it means "flat" or "broken outer surface".

Are you familiar with poker? We have another use of the word `flush` in that
context,
[https://en.wikipedia.org/wiki/List_of_poker_hands#Flush](https://en.wikipedia.org/wiki/List_of_poker_hands#Flush)
where all of the cards are the same suit. So it's a similar use of flush in
this instance, that everything is the same. It's similar to this thread's use
of "flush".

~~~
ChristianGeek
The poker analogy is terrible.

~~~
civilian
It's not an analogy! It's another similar use of the word. As long as he's
learning one more definition for the word flush, why not one more?

~~~
back_beyond
We should not forget that flush also refers to the time when a person's face
becomes red.

As in, your face will go flush if you realize your credit card reader is not
flush because you might have just flushed all your winnings from having a
poker flush down the toilet.

------
lotharbot
A friend of mine points out:

there's a blue sticker on the front of the ATM, above the PIN pad. On the
woman's ATM the sticker goes up to the edge of the screen; on his ATM there's
a small white/gray strip covering it. He hypothesized that's a pinhole camera
to capture PINs.

Paranoid, but maybe not paranoid enough?

~~~
billh
I think this picture captures what your friend saw:
[https://i.imgur.com/z5p3M2f.png](https://i.imgur.com/z5p3M2f.png)

~~~
lotharbot
yeah, that's the one he showed me. I couldn't find a public link to it. Thanks
for passing it on.

------
hackeraccount
I thought they used Chip & Pin in Europe? Wouldn't that make skimmers a much
less useful proposition? Also the woman next to him was hilarious. Clearly
thinking "Who is this nutbag and why is he grabbing at me?"

~~~
yardie
They do but if you are a tourist getting money from this machine it might not
have a chip (i.e. most US debit cards). Even if you are using a chip and pin
they still use the ancient magnetic strip and PIN when getting money abroad.
As I learned when I used my Eurocard in Puerto Rico. The machine was the older
dipping kind; it felt odd to have the card in my hand while typing in the PIN.

~~~
patcheudor
Yup! It's reading the magstripe of the card and that means it gets the account
holder name, card number, expiration, and CVV. Being in a tourist location it
will get that information from a lot of cards which can then be used to make
online purchases, etc.

~~~
amenghra
You are missing a step between the stealing and the online purchase.

For online purchases, banks validate the CVV2, which is not the same as the
CVV on the magstripe.

------
iLoch
_Launches into nerd talk and drops company name to indifferent stranger._

------
mattmiller
Do the skimmers save card info to be retrieved later or can they call home
somehow?

~~~
lbotos
Krebs has a ton of skimmer breakdowns:

[http://krebsonsecurity.com/?s=skimmers&x=0&y=0](http://krebsonsecurity.com/?s=skimmers&x=0&y=0)

Check them out. Be warned, it's a black hole!

------
biafra
ATMs in Europe probably should not be able to read the mag stripe except when
the chip does not work. Why do I have to insert the card fully, so that a
skimmer can read the mag stripe? Why not have a way to only insert the chip
and only if it can't be read make it possible to insert the whole card?

I only need the mag stripe in the US. Every terminal or ATM in Germany I ever
encountered the last few years would read the chip. Only ATMs (most likely
being undetected attacked by skimmer) swallow the whole card.

I don't get this industry.

On a related note: Is there something I can cover the mag stripe with that
makes it unreadable, but can be removed easily if I need it?

~~~
joosters
Because the ATMs also accept cards from elsewhere in the world.

~~~
biafra
Mag stripe should be the inconvenient (two tries) exception. Not the default.

------
placeybordeaux
Just go ahead and reach out for her debit card.

------
heywire
I'm surprised it was effective. Supposedly NCR ATMs have an anti-skimmer
feature:

[https://youtu.be/vH-iyhACUnE](https://youtu.be/vH-iyhACUnE)

------
bcjordan
What's the safest approach if you come across one of these in the wild? If you
had already put your card in, you wouldn't want to just leave the device
around waiting for the thief to pick it up. But you probably also don't want
to be the person pocketing the memory chip with other people's debit card
info.

I suppose taking a cell phone video describing your thought process and
recording your interactions with the device is a good precaution to take
whatever you end up doing with it.

~~~
jjrh
Call the bank or whoever is in charge of the terminal.

I think they would be pretty eager to get down there and recover the device
and remove the pin capturing method (camera, keypad overlay, etc).

If for whatever reason that didn't work I would probably call the police.

~~~
jonah
I actually found a similar one today on the ATM outside my bank. Went in and
notified the manager - he immediately disabled the ATM and posted someone
outside to stop people from using it until his security team and the police
could arrive.

------
codezero
Sorry for being obtuse... when he says he checked it with his hand – is that
just jostling it? Is there a good technique for checking for a skimmer?

------
misiti3780
Does anyone know how common this is in the US?

~~~
tjohns
It's definitely common.

I'm not sure about the relative likelihood in the US vs Europe, but they
certainly do exist. I've personally had my card stolen via skimmer before.

My suspicion is they're more prevalent in the US, since more merchants will
accept legacy magstripe cards there.

------
jsudhams
The time has come to avoid cards altogether in ATMs. Why not use OTP to take
money out, when you put in some number and code?

~~~
superuser2
American banks have continuously made a conscious choice to ignore more secure
designs (one-time passwords, signing transactions, push-based methods of
sending money rather than authorizing someone else to pull it, etc) because it
is cheaper to eat the fraud than to revamp the payment networks.

This is only now changing with the advent of Chip + Signature, with a tiny
portion of stores now accepting it years after the deadline.

------
BrandiATMuhkuh
I live just 10 min away from this station. I'll now have a special look for
skimmers.

------
matt_wulfeck
This is why we need to move to Apple/Android Pay type systems. The security is
in the protocol. Somebody can "skim" the packets all day long and it doesn't
matter.

~~~
kalleboo
That's why Europe moved to Chip-and-PIN years ago. Sadly the magstripe has to
remain for backwards compatibility with countries that haven't adopted it yet
(the USA).

I still don't get why ATMs in the EU don't let you just dip the chip in
instead of sucking in the whole card.

~~~
icebraining
Someone could surreptitiously watch the PIN being introduced and then grab the
card and run. You want the ATM to keep it locked while the user is distracted
typing numbers and such.

~~~
kalleboo
That's obviously possible but it seems a lot more risky and less efficient for
the criminal - at that point they almost might as well just mug or pickpocket
people.

And it also seems like there are several physical (or software) locking
designs you could use to work around the problem.

~~~
icebraining
Risky and less efficient, but also doable by someone without any tech
knowledge, and probably more lucrative than pickpocketing, since few people
carry as much cash as one can withdraw.

------
chdir
Takeaway: Make an Uber/AirBnB/<Unicorn> for ATMs

------
55555
He didn't find the pin camera though ;) This is a two part skimmer, no? There
should be a camera somewhere collecting PINs.

------
giorgosts
Fake (i.e. promotional) video

------
mynewtb
This is a marketing stunt.

~~~
patcheudor
Whatever it was, it was highly irresponsible to not immediately call the
authorities and not, in the video, instruct people to immediately call the
authorities if they find a skimmer. Tampering with evidence of a crime is a
crime in most places.

~~~
ryanlol
> Tampering with evidence of a crime is a crime in most places

This would absolutely not qualify as evidence tampering in most jurisdictions.

------
FuturePromise
I don't understand why he accosted that woman at the ATM next to him.

1. I would be very suspicious of anyone approaching me at an ATM, especially
at a major tourist area. There's no reason to bother someone.

2. There's a chance she's in on it! She may have come up there because she
saw someone fiddling with the skimmer.

He should have either called the Bank or the Police. Don't bother strangers.

