ATM hacks: can you trust external cash machines any more?

In the latest part of his ongoing research into the gizmos that criminal hackers are using to 'skim' the magnetic stripe of bank cards – as well as watch the user as s/he enters their PIN – security researcher Brian Krebs says that the skimming technology has ratcheted up several notches.

According to Krebs, investigators have revealed that cybercriminals managed to lever off the plastic cover of the card acceptance slot and replace it with an identical unit that had been compromised.

The compromised unit, which included a modified mag stripe reader and a flash storage device, was glued to the cash machine using silicon.

A cleverly concealed camera was then installed on the machine by attaching a flash piece of ATM trim that was the correct shape and colour. The pin-hole camera was almost invisible, Infosecurity notes.

Krebs reports that, in other skimmer investigation cases, cybercriminals have also been known to modify elements of the cash machine.

"Last week, the Palm Beach Sun Sentinel published a story about crooks in Boynton Beach, Florida, who have been cutting the bottom of ATM card readers to remove the microchip inside and replace it with their own battery-operated card reader", he says in his latest security blog.

Although the security researcher stops short of commenting directly, these ATM modifications are now so sophisticated that most users are unlikely to realise their cash machine has been tampered with.

Krebs recommends:

  • "If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM. And remember, the most important security advice is to watch out for your own physical safety while using an ATM: Use only machines in public, well-lit areas, and avoid ATMs in secluded spots."
  • "Also, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well", he notes.
  • As one poster to Krebs' report on the problem says, an additional solution may also be to only use ATMs inside bank branches or at supervised locations:
  • "The moral of this (and similar stories) may be to not withdraw your cash from ATMs. Or maybe only from ones in highly public places, like your local supermarket, where it would be extremely difficult for someone to sneak in to install this equipment, and to retrieve it later", said one poster.



What’s hot on Infosecurity Magazine?