According to Krebs, in February 2009, a Sun Valley, California, customer of a Bank of America cash machine spotted a silver, plexiglass device had been attached to the ATM's card acceptance slot, and was being used to steal card data from unsuspecting ATM users.
But, he explained, the customer and the bank's employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery-operated and motion-activated camera designed to record victims entering their PINs.
"The camera was discovered more than a day later by a maintenance worker who was servicing the ATM. The device, with the boxy housing in which it was discovered, was designed to fit into the corner of the ATM framework and painted to match", says Krebs in his latest security blog posting.
Krebs went on to note that California police say the video camera and skimmer were installed on the machine for just three hours, with police recovering both the skimmer and video camera, so no customer or bank losses ensued as a result of the attack.
The bad news, however, is that the criminal responsible for the scam remains at large.
Because police were able to intercept the skimming kit whilst it was in use, Krebs has been able to publish details of what data was being lifted during the scam.
A constant stream of ATM customers, he says, used the machine, with a relatively crude device attached to the mouth of the card insert slot, designed to steal data recorded on the magnetic stripe on the back of all bank cards.
"Criminals can then encode the information onto counterfeit cards, and – armed with the victim's PIN – withdraw money from the victim's account from ATMs around the world", he said.
Krebs reports that the authorities he has been interviewing about skimmer scams say the devices are most commonly installed on weekends, when many banks are closed or have limited hours.
"It's difficult – once you know about the existence of these fraud devices – not to pull on parts of ATMs to make sure they aren't compromised. If something comes off of the machine when you yank on it, and the bank is closed or the ATM isn't attached to a financial institution, it's probably best just to leave the device at the scene and not try to make off with it", he said.
"Otherwise, consider the difficulty in explaining your actions should you be confronted by police after walking away. What's more, in many skimmer cases, the fraudster who placed it there is monitoring the scene from somewhere within viewing distance of the compromised ATM", he added.
Krebs noted that it is easy to be frightened by ATM skimmers, but added that cash machine users should try not to let these fraud devices spook you away entirely.
"Stick to machines in well-lit areas, places where you feel relatively safe physically. On top of that, cover your hand when entering your PIN, as many skimmers rely on hidden cameras and can't steal your account credentials without recording those digits", he advises.
In addition, he said that users need to remember that any losses you may incur from skimmers should be fully reimbursable by your bank – at least in the United States.
"While the temporary loss of funds may not cover the cost of any cheques that bounce because of the incident, these also are losses that your financial institution should cover if they were incurred because of a skimmer incident", he said.