
The evolution of ATM skimmers



We are all accustomed to the phrase "technical progress". For quite a few years now, the succession of generations of all kinds of devices and gadgets has been as ordinary as the change of seasons, and for the most part no one is surprised. We are used to the metamorphosis of mobile phones, home TVs and computer monitors, and now it has reached watches and even glasses. However, there is a small class of devices that many have heard of and fear, but few have seen in person. We are talking about skimmers.

In Russia, ATMs are still not that common, despite 23 years of official capitalism. But even here skimmers have become something of an urban horror story. Few people consider that these devices, which use high-tech components, also evolve over time. That makes a recently published piece particularly interesting: it vividly presents the stages of the “modernization” of skimmers, right up to the latest developments of criminal craftsmen.

In essence, skimming is a way of stealing the information needed to carry out a transaction on a bank account, in order to steal money. Simply put, to withdraw money from an ATM using your bank card, scammers need to find out your PIN and read the data from the magnetic stripe. Devices of various designs and operating principles are used for this purpose: skimmers.

Skimmers are made to be as inconspicuous as possible to ATM users. Often they mimic a particular element of the ATM's interface or appearance. This greatly complicates not only the detection of skimmers but also catching the perpetrators themselves. Over the past 12 years, skimmers have undergone a serious metamorphosis, at least judging by the samples found during this period.

2002-2007


In December 2002, CBS reported on the discovery of a previously unseen device that could “record names, account numbers and other identification information from magnetic stripes of bank cards, with the possibility of later downloading to a computer.” A personal computer!

At that time, even lawyers believed that skimmers were fiction. When attorney Howard Weiss, who specializes in fraud, became a victim of skimming himself, he was shocked that technology had reached that level.

Of course, the facts could not be ignored for long. In 2003, customers who used an ATM in one New York grocery store lost a total of about $200,000 per day. Subsequently, a warning letter began circulating online:



2008


This year, the police of the city of Naples received a call about an unsuccessful attempt to install a skimmer:



This rather primitive device consisted of a reader, which could be bought quite legally, mounted on top of the ATM's card reader. A small camera was installed under the plastic canopy above the monitor.

2009


The first generation of skimmers was fairly primitive handiwork. Below is one of the designs, which includes a battery, a USB flash drive and a miniUSB port.



This skimmer was discovered by one of the Consumerist readers. The vigilant user suspected something was wrong and tugged at the card reader, and it came off in his hands.

Less than a month later, another skimmer was discovered. It prevented the ATM from reading cards correctly and included a fake mirror with a camera embedded in it.



At that time, for scammers, the key to successful skimming was to find a way to get stolen information from a skimmer:



Early models of skimmers sometimes caused ATMs to malfunction. But the attackers soon learned to parasitize them successfully.



2010


For many years, skimmers used cameras to steal PIN codes. But cameras were not so easy to place on an ATM. As a result, keypad overlays appeared that recorded the sequence of keystrokes:



As technology developed, it became increasingly easy for scammers to create compact devices. Outsourced manufacturing services developed and became cheaper. Entire skimming kits began to be sold on the Internet, and they could be painted in the right colors on request. Prices started at $1500.



But this is just an entry-level kit. Top devices went for $7000-8000:

Not all kits were so expensive. Many were ready-to-use modules that fraudsters installed at ATMs and, after a while, retrieved along with the data they had gathered. The main disadvantage of these devices was the need to come back for them in order to collect the information.

Below is a wireless skimmer capable of transmitting information through a cellular module. The skimmer itself is very compact, and the collected data is transmitted in encrypted form.






Advanced skimmers like this made the skimmers' work less dangerous, reducing the chance of being caught red-handed.

2011


Eventually, ATM manufacturers began to do something to counteract skimming. First, they began to introduce elements made of transparent plastic, in particular hemispherical card slots. But the attackers quickly adapted to this:



As you can see, the fake can be spotted only by a small, inconspicuous plastic overlay. How many of you would pay attention to it? And soon, affordable 3D printing brought the quality of skimmers to a new level:



Home 3D printers were still unsuitable for this purpose, so parts were ordered from specialized companies. Above is one such order, which the manufacturer prudently refused to fulfil.

2012


Detecting skimmers has become an increasingly difficult task. Below is an almost perfect device. Its only flaw is the small hole on the right, through which a small camera recorded the PIN typed on the keypad.





In the end, skimmers became so tiny that you will not see them even if you really try. According to the European ATM Security Team, skimmers as thin as a sheet of thin cardboard were discovered in July 2012. They were located inside the card reader, and it is impossible to notice them from the outside.



Now your cards can be skimmed not only at ATMs but also in mobile terminals. The video shows a device that even prints a fake receipt:



Now any employee can connect a device brought from outside and carry it out at the end of the working day, filled with data from a large number of bank cards. These terminals can even simulate a connection error when the data has in fact been read successfully. They come with software for decrypting the information from the cards, and all the data can be downloaded via USB.

2013


Last year, a number of skimming cases were recorded at the Murphy gas station in Oklahoma, in which a total of $400,000 was stolen. The fraudsters used readers in combination with keypad overlays:



The interesting thing about this story is that the skimmers were equipped with Bluetooth modules and drew power directly from the ATMs themselves. In other words, their lifespan was virtually unlimited, and the scammers did not have to approach them directly to collect the data.

While one “evolutionary branch” of skimmers arrived at miniaturization, the other followed the path of radical mimicry. The skimmer below is a huge overlay panel with a display. This specimen was discovered in the wild in Brazil:





The device was made from the parts of a disassembled laptop.

2014


But this is more of a curiosity, or a quirk of the hot Brazilian temperament. Compact skimmers are still much more likely to go unnoticed. And just last week, a skimmer as thick as a credit card was discovered:





The device requires very little time for installation and disassembly at an ATM:



Fortunately, the manufacturers are not sitting on their hands either; in particular, they use the knowledge and experience of hackers who have been caught to fight the fraudsters. But the fraudsters adapt quickly, so the situation resembles the contest between projectile and armor.

And what about us, ordinary users? How can we avoid becoming victims of fraudsters and keep our hard-earned money? Always, always cover the keypad when typing the PIN: in most cases, fraudsters use miniature cameras. And if you use a chip-and-PIN card, it is not easy for attackers to read data from it.

And most importantly, if anything at all about the appearance of an ATM alarms you, it is better to use another one. Try to use ATMs only inside bank branches; this significantly reduces the risk. And try not to keep a lot of money in the "card" account.

Source: https://habr.com/ru/post/234933/

