Skimmer’s Delight: Countering the Rise of ATM Hacks

I spend a lot of time thinking about how money is changing. To be specific, I’m curious and concerned about the security of our digital money. Along with my team, I’ve found flaws in Bitcoin and compromised chip-enabled EMV card readers. But what I’m writing about today isn’t the ways you’ll be attacked in the future but one of the oldest tricks in the card thief’s toolset: the skimmer.

Russian hacker Roman Seleznev has been sentenced to 27 years in prison following his conviction on 38 counts relating to fraud and theft. If that name looks familiar to Seattle residents, it’s because he was behind Broadway Grill’s bankruptcy[1] and related ATM and Point of Sale (PoS) hacks worth an estimated $169M in losses across 3,700 financial institutions. Over the course of four years, he carried out numerous successful skimmer and malware installations, then traded the stolen card data on carding websites to other criminals and organizations, who would in turn counterfeit the cards and go on costly spending sprees.

Skimming, responsible for an estimated 97 to 98% of all ATM fraud losses, has been around for some time now. And in case you thought you could wish it away, this persistent threat is actually experiencing a sharp rise. FICO reported a 574% increase in incidents between 2014 and 2015 alone. As skimming equipment becomes cheaper and more available, and adapts to newer technologies, the crime will likely continue to become more common.

These incidents are geographically widespread, affecting ATMs and other card terminals throughout the U.S. and elsewhere. Recently, police warnings were issued in Texas, Indiana, Glasgow (Scotland) and Victoria (BC, Canada), just to name a few hotspots.

Two recent incidents further emphasized that we aren’t immune to this scourge in Washington. First, a few months ago, one of my company’s credit cards fell prey to a skimmer and was used by a fraudster at area Apple and Microsoft Stores (thankfully we were able to reverse the charges). Second, in the last few weeks a security-conscious citizen reported a suspected skimmer installed on an ATM they occasionally used (see photo).

So, what is Skimming?

At its simplest, skimming is placing a device on an ATM or card terminal that is hidden from the user. The device sits inline with the legitimate card reader and passively intercepts the card as it passes (a second read head acting as a silent man in the middle), capturing and storing the magnetic stripe data, that is, the card number, expiration date and service code encoded on the stripe, for later retrieval, download and resale, often online. Because the genuine reader still sees the card and the transaction completes normally, the victim notices nothing at the time. As just one (albeit extreme) example, the end result of such compromises netted Seleznev an estimated $2.9 million over four years. The stripe alone is not enough to withdraw cash at an ATM, so in many cases the devices are paired with some method of PIN extraction: counterfeit PIN pad overlays and pinhole cameras installed in the facade of the machine being two examples.

An ATM Skimmer found in Seattle

By capturing this data, cybercriminals expose a consumer to more than just financial loss. Victims of this crime may find themselves at direct risk of identity theft, impersonation, additional data breaches, and a ruined credit history. Anywhere those debit or credit card numbers are accepted, they can be used against the consumer. And yes, criminals can install a skimmer in seconds (seriously, watch the video).

Defenses Against Skimming

Typically, this is how a skimmer is discovered. You visit an ATM and notice that something ‘feels off’ about the machine. A casual look may reveal nothing of note. It’s not until you feel the card reader and notice an unusual protrusion that your suspicion is confirmed. You then notify the bank’s customer service and immediately cancel your card.

This is the advice I give to my friends and family about using an ATM:

●      Avoid unfamiliar and standalone ATMs
●      Use familiar ATMs recessed into the building that houses them
●      Look for physical signs of tampering to the card reader, PIN pad, or ATM in general
●      Pay attention to how much force it takes to swipe or insert your card
●      Give the card reader a tug -- it should remain solidly fixed in place
●      Always cover the PIN pad with your other hand while you enter your PIN (this defeats a pinhole camera, though not a counterfeit pad overlay, so check the pad for tampering too)
●      If you’re unsure, trust your gut. Don’t be afraid to walk away and use another ATM or the teller window.

Above all, don’t use a debit card unless you must: a fraudulent debit transaction drains your checking account directly, while a disputed credit card charge is money you haven’t paid yet. Apple Pay and Google Wallet are more secure than your debit card, since they present a tokenized card number to the terminal rather than the real one.

You may also be wondering: what can organizations do about this? After all, it wasn’t just customers that got hit in the wallet, but Broadway Grill and other businesses and financial institutions.  Recommendations are a little more involved at the organizational level. I’d recommend the following basic steps:

●      Add anti-skimmer protections, such as those recommended by the ATM Security Association
●      Designate and post a clear contact responsible for security issues
●      Ensure strict compliance with cardholder data encryption and storage requirements (PCI DSS, for instance, forbids storing full track data after authorization)
●      Monitor and log physical access to the device
●      Regularly inspect the device for tampering
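To make the two technical points above concrete, here is an added example that is not from the original post. It shows what a skimmer actually captures (the description of skimming earlier on this page) and how an organization can spot that data sitting unencrypted in a file, the failure footnote [1] describes and the storage requirement in the last list addresses. The Track 2 layout is the ISO/IEC 7813 format a magstripe read head returns; the log lines and card numbers are constructed (publicly known test numbers, not real cards), and the token format on the last line is invented for illustration.

```python
"""Added example (not code from the original post). Two pieces:

1. parse_track2() decodes an ISO/IEC 7813 Track 2 string -- the bytes an
   inline skimmer stores -- into PAN, expiry and service code, and applies
   the Luhn check that issuers (and carding buyers) use to weed out garbage.
2. find_stored_track_data() scans text (a PoS log, a stray file) for such
   strings, the kind of cleartext storage that PCI DSS forbids after
   authorization.

All card numbers below are constructed, publicly known test numbers.
"""
import re
from typing import Optional

# Track 2 per ISO/IEC 7813: ';' PAN '=' YYMM service-code discretionary '?' LRC
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check-digit test over a PAN given as a digit string.
    Passing Luhn only means the number is well formed, not that it is live."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep first six and last four, never log the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(raw: str) -> Optional[dict]:
    """Extract the first well-formed Track 2 record from a string, or None."""
    m = TRACK2_RE.search(raw)
    if not m:
        return None
    pan, yy, mm, service, discretionary = m.groups()
    if not luhn_valid(pan):
        return None
    return {
        "masked_pan": mask_pan(pan),
        "expiry": f"20{yy}-{mm}",
        "service_code": service,
        # ISO 7813 service code: a first digit of 2 or 6 means the card
        # carries a chip, so a plain magstripe clone of it should only work
        # where the terminal allows fallback (cloners rewrite 2xx to 1xx
        # precisely to avoid that check).
        "chip_card": service[0] in "26",
        "discretionary_len": len(discretionary),
    }


# Constructed sample: a PoS log that writes raw track data next to each sale,
# the mistake footnote [1] describes. The 'token=' line is an invented format
# standing in for a tokenized transaction that stores no card data at all.
CONSTRUCTED_LOG = """\
2017-04-21 10:02:13 sale 42.17 ;4111111111111111=25121011234567890? approved
2017-04-21 10:05:40 sale 8.99 ;5555555555554444=26016010000000000? approved
2017-04-21 10:07:01 sale 3.50 ;4111111111111112=25121010000000000? declined
2017-04-21 10:09:55 sale 19.00 token=tok_9f8e7d6c approved
"""


def find_stored_track_data(text: str) -> list:
    """Return one finding per line holding Luhn-valid Track 2 data, with the
    PAN masked so the scanner's own output is not another copy of the data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_track2(line)
        if rec:
            findings.append({"line": lineno, **rec})
    return findings


if __name__ == "__main__":
    for f in find_stored_track_data(CONSTRUCTED_LOG):
        print(f)
```

Run against the constructed log, the scanner flags lines 1 and 2 (the second as a chip card whose stripe was still stored in the clear) and ignores line 3, whose PAN fails Luhn, and line 4, which holds only a token. The regex on its own is noisy; requiring the `;PAN=YYMM` shape plus a Luhn-valid PAN is what keeps a sweep of a file server from drowning in false positives.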

Countering the rise of skimming and related criminal techniques for stealing sensitive card-encoded data is vital, and not as difficult as it may first seem. Combined with increased awareness and vigilance, the techniques above can help you regain your financial peace of mind.

-Akshay Aggarwal

Akshay is a founder of two Seattle area cybersecurity firms – Deja vu Security and Peach Fuzzer. His firms focus on issues ranging from cloud and application security, to blockchain and hardware security. Currently, he is tinkering with microservices and API Security.

[1] Incredibly, it was found that credit card information was being stored in a plain text file on the business’ computer, making it that much easier to capture.