It’s always frustrating when you know there are ways your identity could get stolen, yet there’s nothing you can do to stay safe. ATM skimming is one of few ways you could become a victim, without having much control over whether it happens.
If you are fearing this identity theft threat, then here are some things you might want to know!
What’s the Definition of ATM Skimming?
“ATM skimming” is defined as the act of grabbing debit or credit card information from unsuspecting ATM users.
This tactic could get used to steal someone’s debit card or credit card information. The skimming could take place at an automated bank machine, in a gas station ATM machine, or even at the point-of-sale payment device in a retail store or restaurant. It can happen at home, or when traveling abroad, though tourist destinations are ‘plucking grounds’ for identity thieves.
These criminals are also getting smarter. Gone are the days of sticking tape in the card slot and watching over a stranger’s shoulders for their PIN. The threats are much more real now; fraudsters even have the power to force ATMs to give out all their cash at once. So, ATM skimming has evolved to include many different types of vulnerability-exploiting technology.
Common Examples of ATM Skimming Techniques
Regardless, the ways a criminal can pull off ATM skimming techniques are limited. There are specific approaches that these fraudsters rinse and repeat. The illicit practices have proven to work, and card companies are far from creating an infrastructure that prevents against such wide-scale attacks.
How it works: According to LifeLock, an ATM overlay consists of, “a device that is placed over the keypad of an ATM.” and it is used, “to capture your PIN number as you enter it.” Yet, it’s hard to detect for the fact that the machine makes an accurate reading of your PIN entry.
How it’s stopped: Banks face around $1 billion per year in losses due to ATM skimming schemes. Most of the time, the user of the bank machine will not be able to tell any skimming equipment was installed. Only security footage and guards have a real shot at stopping the crime. But, avoiding the less public and small business owned machines is a good way to lower your exposure to all potential ATM skimming threats.
‘Black Box Hack’
How it works: A hacker sets up a smartphone to breach the security of an ATM system. It orders the machine to give out money by writing and executing a command from the smartphone. The command is done remotely, but the device must first get installed into the machine.
How it’s stopped: These devices must be installed into ATM machines before they can work. This means it’s more of a threat to machines that are not monitored well. As such, you can see a drastic reduction to your risk exposure by sticking to machines in populated locations.
How it works: An almost invisible skimming device gets set up inside of the machine. It grabs information and sends it to a nearby device through Bluetooth technology. The information gets relayed to the identity thief, who then can start to create the stolen cards.
How it’s stopped: This tactic is not as common, but it is a growing threat. The best thing you can do is avoid using your credit card at gas pumps. Just last year, 13 were indicted after a year-long Bluetooth skimming spree against gas pumps all across the country. Yet, this tactic has caused quite a ruckus in recent months with the developing Bluetooth skimming investigation.
How it works: A device is installed in or over the card reader slot and grabs information from every card that enters it. It’s typical to see this combined with a hidden camera or keypad overlay. When the two pieces of information are put together, the fraudster can then create their own copy of the card and cash out the compromised account.
How it’s stopped: You can feel around the card reader slot for any abnormalities. A mounted panel is often easy to detect, even when installed flush with the normal panel. By wiggling around the card reader slot a bit, you should have a feel for whether there’s any additional equipment installed. If warning signs are there, just look for another ATM to use. You can also contact the support number posted of the machine, if you are confident the machine was compromised in any way.
How it works: As you would imagine, this technique involves hiding a camera for the purpose of stealing PIN numbers. The hidden camera could get placed within a fake panel that’s mounted to the machine, or it could even get placed nearby. For example, a brochure holder right next to the ATM machine often serves as an easy spot to hide a camera.
How it’s stopped: You really have to take the time to examine the machine and its surroundings. Watch out for any tiny holes in the panels of the machine, and also look for possible equipment positioned in your peripherals. Further, take the extra precaution and use your other hand to keep your button presses as hidden as possible.
How it works: Malware gets installed to the ATM through an infected USB stick. This stick contains all the right viruses to trigger the ATMs cash balance to show. Even worse, the user can trigger the machine to dispense cash from a remote distance. This is similar to the Black Box attack, except the criminal does not need to install the hardware inside the machine.
How it’s stopped: ATM owners need to take a proactive approach to ensure their customers are not at risk of malware attacks. This is especially true for those who have yet to upgrade from Windows XP, which is now unsupported by Microsoft. In fact, European victims alone lost over $1.32 million from ATM malware attacks. Regardless, the user of the machine has no real way to avoid becoming a victim of an ATM malware attack.
Businesses outside of the United States are not always well monitored and regulated. Sometimes it’s easy for a ‘bad apple’ employee to slip through the cracks, whether it’s a police officer or a McDonald’s manager.
Real Cases of Identity Theft by ATM Skimming
Identity thieves are everywhere, so you do not have to leave your city to put yourself at risk of an ATM skimming attack. This is easy to notice by looking at some of the more recent cases of ATM skimming identity theft. Many victims resulted from few bad actors, which goes to show how dangerous these skimming devices can be if left in the wrong hands.
Below are some examples of real, sizable cases of ATM skimming identity theft.
International ATM Fraud (June 2013) – over 5,000 victims
Zoltan Deak, Marius Zegrean were all working together in an organized identity theft crime ring. The group installed ATM skimming equipment into machines in many locations across the world, though most were in Europe. While there’s no telling how many victims there really were, the amount of card numbers found on Deak and Zegrean accounted for close to 5,000 victims.
New York ATM Fraud (Dec 2007 – June 2009) – over 1,400 victims
Radostin Paralingov received 21 months imprisonment as a result of his involvement in a large-scale ATM skimming scheme. These devices were ran on ATMs located at banks all around New York City. The end result was over $1.8 million in losses spanning across over 1,400 victims.
Atlanta ATM Fraud (Fall 2007 – July 2008) – around 400 victims
Romulus Bacian and Marius Csapay joined together as part of an organized identity theft crime ring to defraud at least around 400 bank customers in Atlanta. This was done by installing skimming devices into many different ATMs across the greater Atlanta region. This scheme was ran with two parts of equipment, an ATM overlay that grabbed card numbers and an undetectable camera placed to record the customer’s PIN entry. In total, over $200,000 was believed to have been stolen by the pair.
New York Gas Pump Fraud (March 2012 – March 2013)
13 fraudsters were indicted as a result of an ATM skimming identity theft spree that cost victims over $2.1 million. The scheme started with the installation of Bluetooth skimming devices in gas pumps across parts of the United States. The stolen information was used to create cards containing real consumer data, which was later cashed out. This case brought a lot of attention to Bluetooth skimming devices, which could be the next biggest threat to ATM security.
Here’s How You Can Keep Safe from ATM Skimmers!
No one approach will guarantee you protection from ATM skimming attacks, but there are definitely some rules you can follow to lower your risk exposure.
With that said, please always remember the following:
- There are other options. You almost never need to bother with using an ATM machine, unless it’s an absolute emergency. Just go into your bank and manage your transaction with an actual teller. Or, limit yourself to using machines at major financial institutions that are kept under 24/7 surveillance.
- Sometimes you can tell. Most of the time, ATM skimming tactics go unnoticed. The ways of detecting these devices often require the use of GPS tracking, Free2Move beacon scanning, and so on. Yet, looking for color disparities, abnormal depths, intentional tiny holes, and other signs of compromise can help you spot a malicious ATM before it’s too late.
- Cards and vacations. You must understand that an identity theft attack done while traveling is hard to detect, and almost impossible to stop. Before going on a business trip or vacation, make sure you exchange to the currency of your destination. It’s better to have an abundance and have to swap back when you return, than to have to rely on an ATM machine that could compromise your identity.
- Cameras and placement matter. Every ATM skimming criminal will first spot out machines that are easy for them to target. The biggest factors they must look for include a lack of video surveillance and a distraction from onlookers. As someone looking to use an ATM, apply the opposite logic and stick to monitored machines in public areas.
- Bank cards hold many risks. Your credit card is different, because your debt stops when the card gets compromised. Yet, an attack against your bank card could leave you unable to make your debt payments. You are better off paying with cash whenever possible, as any one problem with your bank account could lead to many more.
ATMs were not designed to be safe, because the cards they support are vulnerable. Chip and pin technology does help, but there are always new ways for identity thieves to target ATMs. If you want to stay safe from ATM skimming threats, you need to stop taking risks. And, as unfortunate as it is, that starts with no longer using a non-secure payment method — in this case, your debit or credit card!