Juggling with cards: doing criminal business on ATMs

News

We all know to be aware of pickpockets. Even if early childhood education did not include tips on watching your pockets when outdoors, life itself provides opportunities to learn the simple rules. The same can be said with hackers. Today, widely publicized hacker activities on the Internet are known even to children.

ATM

But carders enjoy less popularity, which is too bad since you run a relevantly high risk of falling victim to their activity. These thieves specialize in stealing card credentials with the help of miniature, stealth hardware installed on ATMs – skimmers. Even with the combined effort of police, banks, and payment systems, the amount of money stolen from card accounts continues to grow.

Carders are a little like pickpockets (they use similar palmistry skills) and, to a lesser degree, they’re a little like hackers, too – what they do is not possible without employing some hi-tech and PC tricks.

To become their target, you just need to use your bank card to withdraw cash. If your card is not equipped with a chip, the situation is worse for you and better for them: non-chipped cards are stripped of money a lot easier. To increase your chances of falling victim to carders, just skip the option of SMS notifications from your bank, insert your card into any ATM you see on the street, and proudly show off the PIN you enter. You’d make criminals extremely grateful.

atm_1

On a serious note, this illicit business has grown and evolved over the years. Its principle remains the same: Use stealth techniques to read data from the magnetic strip on a card, look up the PIN code, clone the card and withdraw the maximum amount of money from the corresponding bank account. However, the data theft techniques evolved greatly.

Just business

There were times when carders used DIY skimmers, installed clumsy hardware on ATM input trays, and risked getting caught in the act when extracting the data manually. Times have changed. The industry has moved on, and DIY skimmer enthusiasts are extinct. Today, skimming is a well-organized and highly automated process.

The first link in the process chain is producers and sellers of ready-made hardware solutions made of massively available components. The deals are made online, and the goods are shipped via courier services – this is safest for the criminals.

To see the proof of how widely popular skimming hardware is, just type in a simple request in any search engine. Kits containing a stealth reader to extract data from a plastic card, a vanity panel to get PIN codes, and a cloning device bundled with corresponding software are sold for as much as $1500 – $2000. A couple of years ago such offers would go as high as $10,000, as estimated by Brian Krebs, an infosec expert.

Buyers of skimming bundles needn’t be proficient hackers: They are offered detailed manuals, some even containing a ‘best practices’ section. The instructions are so detailed they go as far as including recommendations of proper first-time battery use to ensure a reader enjoys a long battery life.

Tech wonders

Tech progress, coupled with massive demand, fueled evolution of electronic components used for illicit activities. Security specialists recommend examining any ATMs for peculiarities, but these recommendations are gradually becoming outdated.

First, experienced criminal vendors sell hardware barely distinguishable from original ATM components. Even a conscientious user wouldn’t be able to tell them apart: The foul input tray is made of the same sort of plastic and is of the same color as the legitimate one. And the shape of the fake is only slightly different.

skimmer-2

This similarity is achieved through a deliberate adaptation of ATM elements in widely used models – any market has major banks serving a lot of clients. Of course, banks use anti-skimming techniques as a counter measure.

Secondly, there are readers installed by carders inside ATMs through the input trays. This novelty was referenced in the recent report issued by European ATM Security Team, a non-profit organization. Even worse, some such devices do not bother to read the magnetic strip — they use ATM’s own computing resources to do that.

Extracting stolen data manually is also an old method. New skimmer models are equipped with a GSM module that serves to send encrypted (yes, carders have to fight competition!) magnetic strip data via ordinary cellular networks.

Watch your PIN

Since then, getting a PIN code remains the weakest link. In order to look up PINs, culprits use miniature stealth cameras or even ordinary mobile devices like an iPod Touch, which is notable for its slim Z-height and powerful battery.

A camera is installed above the keypad or elsewhere in the room. Carders are particularly fond of brochure stands where banks usually exhibit their marketing materials. As an element of any bank interior, they are hardly perceived as something dangerous.

However, if a person trying to withdraw cash covers the pad with their hand, the camera is no longer of any use. Also, video is not very convenient to send or process, and requires a lot of manual labor.

Slim vanity panels for ATM key pads are getting a lot cheaper and are now priced at less than a thousand euros on the black market, further complicating the situation. There is no use covering the pad anymore – the panels will still detect your PIN. Automatically send a 4-digit code in an SMS to a carder’s database is a lot easier than processing long videos, and the whole process is a lot more automated.

Of course, the vanity panel visibly protrudes over the original keypad, but hardly any user would closely examine the pad and look for clearance. From above, the whole construction looks very average – vanity panels are made using the same steel and quality paints as original ATM keypads.

skimmer-1

There is one more technique used in skimming: they guard the software they use for decoding and cloning the information. This is how carders protect themselves from competing criminals and law enforcement officers.

Should an incorrect password be used, the software would not inform the user it’s incorrect – it would simply shut down. Giving any incorrect plausible password to the police, a skimmer says the program is just a harmless small piece of software he recently downloaded. Oh, and what a shame it won’t start…

To prove it was a program used for illicit activity, law enforcement officers have to employ qualified specialists to analyze the code, which is a painstaking and time-consuming process.

With all that said, tech is just part of the story. Many skimming operations remain manual and very risky. We will relate that part of the story in our next article and give you some tips to protect your bank account from the culprits.