Ever since ATM machines first appeared back in 1969, thieves have been eagerly lining up to hack them and their users. Today’s ATMs include integrated video cameras, thick steel walls, and silent alarms for security but some also contain the latest in state-of-the-art hacking technology, adding up to more than $2 billion in ATM skimming fraud every year.
Thin Is In
Skimmers are electronic devices usually affixed to the mouth of an ATM that secretly swipe and store unsuspecting customers’ credit and debit cards. In the past, ATM users with a keen eye could notice a plastic bezel that does not look quite right or spot an overlay that protrudes out. Noted security researcher and journalist, Brian Krebs, has made a name for himself on spotting these sketchy ATMs all over the world. Every year, tech industry giants such as Apple, Samsung, and Google release thinner devices and now ATM skimmers have followed suit.
The latest crop of ATM skimmers are razor thin, significantly easier to slip into an ATM than previous generations and remotely accessible through Bluetooth. These Bluetooth skimmers are virtually invisible to even the most conscientious ATM user. Successfully inserting a Bluetooth skimmer into an ATM takes some careful planning on the part of thieves, but once inside offers uninterrupted skimming and convenience to nearby hackers. Thieves look for ATMs located in dimly lit areas with less foot traffic to make illegal skimmer installations go smoothly. And with the addition of Bluetooth wireless connectivity, thieves need not return to the ATM for skimmer retrieval and risk getting caught. The same range we enjoy on our Bluetooth speakers they also exploit when they park nearby with a laptop to capture every card scanned that day, week, or month—all within in a few minutes.
Out of Sight, Out of Mind
Debit cards have little value without their associated security PINs so thieves have turned to tiny, pinhole cameras carefully placed on or inside the ATM. These pinhole cameras are typically affixed to the back of a plastic bezel with a bird’s eye view of the ATM keypad. For years, we’ve already been trained to obstruct the view of the keypad while we enter our PINs so that over-the-shoulder creeps can’t swipe our debit cards and run off to withdraw cash from our accounts. Now we just have to be aware of possible skimmer cameras above our hands looking down but fortunately it only takes one hand to enter the PIN and one to block the view from above.
These security precautions work for debit cards, but what about credit cards? In New Jersey, it’s illegal to pump your own gas so we hand over our credit cards to gas station attendants who operate the pumps and payment systems. Unfortunately, they can also operate personal skimmers so always keep a watchful eye on any cashier, waiter, or gas station attendant in possession of your card. Needless to say, an outbreak of Bluetooth skimmers infecting gas stations all over the country has already begun.
ATM Manufacturers Strike Back
Banks are becoming more proactive by performing daily inspections on their own ATMs. But how can they detect minute flaws in plastic bezels and pinholes in a row of ATMs easily? Some bank security and law enforcement personnel have turned to dedicated Bluetooth sniffers that not only detect all nearby Bluetooth pairings but also instantly locate the most suspicious ones without having to open up every ATM.
Some ATM manufacturers have gone so far as to rotate the card slider hardware lengthwise. “By changing the orientation that cards are fed into an ATM, this solution will render current external skimmers useless,” says Al Pascual of Diebold. This hardware flip of the common ActivEdge card reader should help deter some ATM skimmers, but all security measures are cat and mouse games. It will only be a matter of time until we see skimmers that will work lengthwise.
Visa’s October 2017 EMV (Europay, MasterCard, and Visa) chip compliance deadline offers a glimmer of hope by shifting the liability to the ATM hosts. MasterCard has already implemented the deadline in October 2016 so this new impending deadline for Visa should bring many more ATMs into the more secure, EMV fold. As more of these EMV secured ATMs begin to appear in the wild, it is important for all ATM users to avoid older machines that do not support the newer chip card security updates. Of course you can avoid ATMs altogether by getting your cash the old fashioned way from a bank teller. At least the lines are shorter these days. Stay safe.
Scott Schober, BVS president/CEO, cybersecurity expert, author of Hacked Again www.ScottSchober.com