September 29, 2012

ATM Skimmers

Imagine you are on a lovely vacation in a small Tuscan hill town in Italy. Just before stopping at the local café you use the ATM across the square. You don’t remember anything peculiar about the machine at the time, but several days later you get a phone call from your bank inquiring about unusual activity on your account. Your bank’s representative informs you that over 3000 Euros have been withdrawn from your checking account in just the past week. Although it seems impossible, the withdrawals all seem to have been made with your ATM card and PIN.

Most people have never heard of ATM skimming; however, it is a crime occurring with increasing frequency across the world. Basically, skimmers are devices that criminals attach to bank machines. They are capable of recording information from a card’s magnetic strip as well as the PIN associated with the card. By retrieving this data, criminals are able to make duplicate ATM cards that can be used to withdraw money from the victim’s account. In other cases, the criminals are content to simply sell the card’s information over the Internet.

A typical skimmer consists of at least two components (see image below). One is the skimmer itself, which lifts data off the ATM card’s magnetic strip. The second part is a hidden camera that captures the PIN as it is being punched in. Although this is the most common arrangement, skimmers are changing and changing fast. In some instances, a false PIN pad is used instead of a hidden camera. In other cases, the skimmers are entire facades of the ATM itself, designed to be overlaid onto the machine, covering its face entirely. However, this is not the only technological advancement to be concerned about. There have also been reports of so-called shimmers. These are skimming devices so small that they can fit entirely within a card reading slot, making them very difficult to detect.

Although the devices may vary, ATM skimming is becoming increasingly widespread. According to the US Secret Service, ATM skimming accounts for 80% of ATM fraud, a crime that costs the United States more than $1 billion each year. The losses from skimming in Europe may amount to as much as €500 million. In fact, more than 10,000 incidents of skimming were reported in Europe in 2008 alone, according to krebsonsecurity.com.

While the threat of ATM skimmers continues to evolve, there are precautions individuals can take in order to protect themselves. For starters, it is best that individuals only use ATMs situated in secure locations, such as those found inside banks or stores, as machines located outdoors are much more vulnerable to criminals. Travelers also should be cautious of ATMs set near tourist destinations, as these are significantly more at risk of being tampered with.

Secondly, individuals should check to see if there is anyone looking over their shoulder before punching in their PIN at an ATM. Even if there is no one nearby, it is still a good idea to cover the keypad with a hand in the event that there is a hidden camera. If the PIN pad seems to stick or gives more resistance than normal, this could indicate a keypad overlay, and the machine should not be used.

Another step that individuals can take is to inspect an ATM before using it. They should look to ensure that there is nothing on the machine that appears overlain, protruding, or crooked. Components that do not match the overall color scheme of the machine may indicate that it has been compromised. Travelers should also understand that, in many instances, ATM skimmers are secured only with flimsy double-sided tape. As a result, a light tug on the machine or entry card slot will often be enough to dislodge the skimming device. Finally, people should regularly check their financial statements and notify their institution immediately if there are any irregularities.

Although ATM skimmers will be a problem for some time to come, there are many steps individuals can take to protect themselves. Perhaps the most important of these is simply being aware that such threats exist in the first place.