I actually found a similar one today at my bank![1] Thanks to reporting by Brian Krebs and others, I'm pretty tuned in to anything suspicious. This was on the ATM I use most frequently so I immediately noticed the translucent green card receptacle was shinier than usual. Sure enough, it was a flexible plastic cap over the real slot. The PIN camera was the typical fake bezel with pinhole.
I notified the branch manager and he immediately deactivated the machine and called their security team and the police. I didn't hang around to see their response, but happily they were very thankful and took it seriously.
Sounds like a good course of action for getting the appropriate attention on the issue (the bank obviously doesn't want their customers getting robbed electronically) without wasting your own time dealing with police or putting yourself at risk of them thinking you did it. How did you find the branch manager?
So, I'm always paranoid about finding these, and whenever I enter a keypad I cover my hands so as to hide my entries from any cameras, and then wiggle any keyplate or credit card slot to find things like you found.
Would you say that grabbing the receptacle and trying to move it briefly would have made it obvious it was a cover? Or did you really need to put some force behind it and pry it off?
I'm curious how effective my efforts may be from the standpoint of "general ATM security" and whether they would actually protect me from anything.
It was a medium-density (vinyl?) rubber material. Just grabbing it, it was clear it wasn't supposed to be there. Also lower-quality construction than the real part under it.
I first checked for a keypad overlay before noticing the camera. Its bezel was pretty loose when pulled on. Probably just double-sided tape.
It was fairly thick - maybe 1/2" - so had plenty space for an SD card, battery, etc. I don't think they leave them on the ATM for a very long time before retrieval so it wouldn't need a huge battery.
I'm going to stop by the bank tomorrow to find out what happened with it.
Finds ATM skimmer in the wild, doesn't call the police.
As a security professional I cringe at this sort of thing every time it happens. Fundamentally this isn't something to go reverse engineer, to show off to the person next to you to show how smart you are, it's evidence of a crime and needs to be handled as such by contacting the authorities. Perhaps there are fingerprints on the inside. Maybe the police have stopped someone who was suspicious around that ATM previously and would now have evidence to bring them in for further questioning. Maybe they could pull video. By not calling the authorities all of those potential angles to find the perpetrator are lost. Further, in many jurisdictions, not immediately calling the police can get you in a lot of trouble:
1) What if the police were watching, waiting for the criminal to return to remove it? You're now their prime suspect and a video of your 'discovery' isn't going to help you as you sit in jail for a few days.
2) This is directly tampering with evidence of a crime. Removing it is fine, that's discovery, but keeping it without contacting the authorities? That could be criminal.
Perhaps I'm wrong about this, but I can't really imagine the police are well equipped to handle this sort of thing. I guess I don't have much faith in the authorities when it comes to cyber crime. The police can only do so much. Giving people knowledge to protect themselves is far more beneficial imho.
You are wrong indeed. Police in Europe in general, and specifically in Austria, are not only very active in this particular regard (ATM skimmers), but have also used forensic methods in the past to publicly post pictures of the guy installing the camera, because apparently they sometimes film themselves during installation of the skimmers. Also, this spot in town in particular is _plastered_ with dozens of CCTV cameras, so the guys might have been filmed during installation.
Also, the skimmers are nowadays usually left in place for only a few hours, and the gathered data immediately used and then discarded, to avoid being caught by the police before people even realize anything. So the police are very happy if they catch devices in the wild.
Watch a Crime Series like Forensic Files (even if the cases might be cherry-picked) and your attitude might change.
Sure regarding technology they are not always up to industry standards, they might have to deal with too much workload, they might be under-funded, and someone working for the police will most likely not be smart enough to work for Google and earn 200000$ a year. But they can take fingerprints, they do have databases where they collect such information, they certainly can analyse video material, and it's stupid to think that in a country like Austria this won't be investigated (it's also Vienna we are talking about).
Even if they just take some fingerprints, analyse the video material, maybe notify the bank and send out a memo, how is this not worth reporting it immediately?! The bank being notified can warn customers, change pins for customers they think might be victims, are paying more attention, ...
I won't name other countries as I don't want to insult anyone, so let's just say in a "tourist-heavy corruption-ridden non-1st world country" I could sympathize a little bit more with your sentiment, but in this case I think you are just wrong and should re-think your attitude.
We've had a rash of car break-ins in my neighborhood. My roommate had a large metal ball hucked through his car window, and when the police called, the dude refused to bag it for evidence, take it with him, fingerprint it, or anything. I'd say to consider yourself lucky if your local beat police give a damn about collecting evidence of a crime that's not drugs, violence, or human trafficking.
EDIT: Just remembered, instead, he picked up the metal ball and started tossing it around, from hand to hand, into the air, etc. All casual like - as if it were a toy. Callous disregard for his job and totally destroyed the evidence.
I don't doubt the story at all and I am sad to hear that, but I have to make the following points:
-) Even if no fingerprints are taken, the other points I made stand.
-) Anecdotal evidence is weak/no evidence, though I will not disregard it completely.
-) Not sure where this happened, call me biased (I really don't want to open a can of worms here), but I have more belief in the police of Austria compared to many other (including the USA for example) countries. [1]
[1] I don't mean to imply the capabilities are different, I want to say that I think the police in the USA, especially on the level of "normal" police officers, seems to get away with far more misconduct / inappropriate behaviour than a police officer in Austria ever would. Crime rates also have a huge impact, in areas of high crime rates or under-funded police especially "smaller" cases will not be investigated properly, et cetera...
Yeah. Two worlds I guess. Large southern US city vs Austria.
To make matters worse, it was most likely payback from a person who previously vandalized his car and got arrested for it. The cop wouldn't even listen.
Many years ago, our family home in London was burgled. The burglar(s) left behind a pocket knife. Perhaps it had helped them get in.
As in your case, the police did not bag it or take it away. I was surprised as, even if there were no fingerprints, the engraved inscription on the knife would make it unique and would surely provide some clue. They told us to bin it, which we did.
They did not hold out much hope that they would find the perpetrators or our belongings. They suggested we go around to local pawn shops to see if any of our stuff showed up.
Excuses I have heard from police before for not taking fingerprints are that it's not worth it for minor crimes. The cost of forensics is not insignificant and even for theft from a vehicle more than 10 years ago it simply wasn't investigated.
Obviously card skimming is a massively serious offence and should be thoroughly investigated.
This is it right here. Police can't launch a manhunt for petty property crimes (sorry about your car, but that is what this is called). Card skimming is a hugely scalable crime that can tear the fabric of electronic transactions.
> not be smart enough to work for Google and earn 200000$ a year
Ugh. Equating market value and intelligence is a cancer in tech circles. I've worked in government. I've worked in private sector. My last job at a highly valued SV firm had me in close proximity to people in government. The private sector guys weren't any smarter, but they sure thought they were.
Some people knowingly go into the government sector and take pay cuts because they believe in civil service.
Be that as it may, these things need to be escalated. At least police can access the security cameras in the area to possibly catch whoever installed the device, and at the very least they are now aware that in said area skimmers have been installed.
If you load the comments on the article, the original author claims that he did in fact contact the Vienna Police Department. Whether he should have touched the skimmer at all is another question.
A quick visual inspection would reveal that the false card bubble with the skimmer installed was different in two significant ways. It was glued into place, while a real one would be embedded into the panel, and it was larger than the real one which was visible on the ATM to the left.
In practice though I think it's actually better to warn the public about this so they're aware and can check for themselves. Every single time I contacted the authorities in my entire life (in one instance a pretty significant crime) it turned out to be a huge waste of my time.
I've had similar experiences. In one example, an uninsured driver backed up into my car as we were leaving a gas station. The driver was obviously intoxicated (seemed like high on marijuana, the smell was quite strong). I asked for their insurance, they said they had none, and said "please don't call the police". They then got back in and drove away. At this point, the station attendant comes out and says that he has video cameras and the tape and that he saw what happened and would do whatever he could to help. I called the police and all they cared about was "was anyone injured? No? Then we're not coming out. You can come here and file a police report if you want." They honestly didn't care about a hit-and-run with an uninsured driver who very likely had drugs on them. I filed a police report and got the damage looked at, and it was less than my deductible to repair, so I just ate it. Nothing ever happened with the police report. It also annoys me that this happened in my home town where the police absolutely love to sit at freeway exits where the service drive lane has a stop sign instead of a yield sign and write tickets all day for people rolling the stop signs, so I very much doubt that they have anything better to do, they just seem super lazy.
In one instance I was driving on the freeway in some traffic in the right lane and suddenly a huge 18 wheeler truck behind me starts honking the horn, I had no idea why. I creep up as much as I could as there was another car in front of me. The truck driver proceeds to rear end me. The first time I thought it was an accident, then he keeps doing it over and over again until I am finally in the shoulder. When I'm out of his way he starts driving away, I follow him to get his tag # and call the police. He did some pretty significant damage to my car. When they arrive to file the report they tell me there's 'nothing they can do' because the plates were out of state. They said they would file the report anyway. About a year later I shop around for car insurance and discover that the police report somehow indicated that the collision was my fault. Luckily the insurance company took a look at the damage and saw I was rear ended and concluded it probably was not my fault and removed it from my record.
They don't give you the report to sign after typing it up? Sounds like a terrible system, not just a bad cop. I've filled police reports in three (European) countries and I've always had to sign my declarations.
While I don't think scaremongering is needed, I agree that it was a bad idea to just take the skimmer. It does interfere with legitimate police operations and could delay or prevent prosecution of the perpetrators.
In a world of mostly-dumb-people: no, I disagree. The overwhelming majority of my direct life experience, so far, to date, says we are awash in a world of dumb people. Therefore, I can't say I agree with you. "Report a vulnerability? They'll assume you are an evil attacker. Glance at a pretty girl? They'll assume you're an evil pedophile. Wear camo pattern pants? They'll assume you're an evil militant revolutionary gun nut freak mass murderer waiting-to-happen."
Takeaway: The world in reality is very different than the world as it exists in your theory or ideal.
This is just self-serving rationalization for never doing anything. If you find a skimmer, call the cops. Even a dumb cop is not going to think you called them to remove and investigate your own skimmer.
> Even a dumb cop is not going to think you called them to remove and investigate your own skimmer.
You might be so smart that you don't know what "dumb" means. I assure you: speaking after enough decades on this planet, that "dumb" means something which includes, at a minimum, totally lacking or ignorant in what a "smart" person might include as "common sense". Speaking in broad strokes. Any kind of phrase of "even a dumb person surely wouldn't do X, Y, Z" should be assumed false/wrong. Otherwise "dumb" means nothing. Again, speaking in broad strokes, obviously. (Again: for "smart" folks it should be obvious but to "dumb" folks may not be obvious. HN readership, however imperfect they may be, is overwhelmingly weighted towards the "smart" end.)
As there is a lot of distrust against the police in this thread, I'd like to share my experience with them in my home country, Belgium. In every case, they were professional, as human as possible, and did more than required from them in bad situations:
* Suicide attempt by close relative: Police called us in the middle of the night after making sure immediate medical aid was given. They let us stay in the police night office until we could enter the hospital in the morning, gave us coffee, calmed us as much as possible. At that point the suicide attempt vs murder attempt part wasn't very clear and they could have treated us as potential murderers.
* Unexpected death of another close relative in Holland: Both Belgian and Dutch police gave every help they could, even calling back the 2 cops from a day off who had found him in very messy circumstances (which explains the day off). Lots of legal wrangling because he died in another country, but they did everything they could and more.
* Failure of a traffic light in heavy storm with zero visibility in the middle of the night. It was a temp traffic light in road works, that sank away in the mud. So basically everyone from one direction ignored the red light while seeing almost nothing. We had just avoided an accident ourselves, then witnessed another one seconds later. So we called 112. Ten minutes later, in the storm, in the night, they came and started regulating traffic until they found the guy (hours later) that could fix the light.
I hear horrible police stories from the USA, but at least in Western Europe the police have by default my respect.
What probably would have happened if the police were involved? This device would have been sealed in an evidence vault while the police investigate, and hardly anybody would ever know about it, whether these particular criminals were found or not.
Instead, it's on the front page of Hacker News, and a LOT more people are aware of how sophisticated skimmers have become, and will be a lot more careful to check for skimmers on ATMs, and probably start warning family members and friends. IMO, this had a much more positive impact overall than anything the police would have done. But perhaps my opinion of police does not apply to Austrian police...
While waiting for the police there's nothing wrong with making a video. Taking it home to inspect it? That's something else entirely.
In terms of this as valuable education, let's put our critical thinking hats on. Did this ultimately make the world safer and help real people? Likely very little because most people have zero liability for credit-card fraud and if we think through this a bit more maybe it makes the world more dangerous.
What happens when someone who watched this video decides to do the same when they find a skimmer in Mexico, but someone from the local crime syndicate that placed it there sees them remove it, then follows them until they have a chance to take it back with force? Now someone gets hurt.
In all cases, immediately call the police.
EDIT: and if you don't trust the police, leave it, walk away, and anon call it in or call the bank.
I would agree it is completely stupid to remove and walk off with an ATM skimmer in a foreign country, all before calling the cops. There are so many ways that could end badly. There's nothing informative or educational that couldn't be shown by pictures or videos at the ATM and calling cops right away (the poster is now claiming he did call cops when he was able to get to a phone; this is still not impressive).
However, this is an ATM skimmer + PIN cam. Not credit card fraud. Debit and ATM cards have much less protection. Consumers have 0 liability for CC fraud; but when your card is skimmed and PIN is stolen your checking account can get emptied, and you potentially have the burden of proving that it wasn't you using your card in a card-present, PIN transaction.
While I've seen skimmers that cover the entire front of the ATM, it boggles my mind that the credit card acceptor isn't designed to be flush with the front face. That would make it much harder to plant an additional device on top without it looking more conspicuous.
The 'green eye' card slot shown in the video is actually designed like this in order to make it harder to hide a skimming device in the slot.
It doesn't help though, ATM skimming is just so lucrative that they can easily spend a couple of thousand dollars on a skimming device. It pays for itself after less than a day of 'deployment'.
That's also the reason why removing a skimmer by yourself is always a _very very_ bad idea. There is a good chance that the owner of that device is very close. If it's a non-wireless skimmer (like most of them are, only few have GSM or Bluetooth) the criminal has to retrieve it to collect his loot. If he doesn't, he'll lose thousands of dollars. You might get stabbed for this. Better alert the authorities and let them handle it.
As somebody already mentioned, Brian Krebs has many very interesting posts about skimming technology, like this one about a similar skimming device:
Yeah I don't know why they have designed the card readers this way. It conditions the user to expect a ridiculous thing slapped on the front of the machine. In my opinion it makes it much easier for the skimmers.
I am curious if the stripe can be retained only for orientation and then have something embedded in the holographic image so many cards use that can be visually read. Kind of like a fixed CD
Chip cards use challenge-and-response with an embedded secret key and can't be cloned. (well, unless your bank so helpfully puts the card number+name in plaintext on the chip, as some do)
Eh, not really: skimmers are always going to be cheap to produce compared to what you can get in return.
You can't just change the tech of the cards, because it needs to allow people from all over the world to use an ATM, and most importantly you can't switch over ATMs and credit cards every few years; that alone would cost more than what is lost to skimmers.
ATMs need to be reliable and consistent; that actually makes it easier both for end users to detect skimmers and for ATM manufacturers to make them more resistant to skimmers.
Just to drive the point home: ATM skimmers with the ability to read or probe the chip & PIN were implemented before any chip & PIN ATMs were out there. It was simple enough to do in real time by just inserting an additional shim that would touch the smart card interface on your bank card.
The skimmer shown in this video is a fairly basic one. There are already skimmers with NFC and Chip & PIN capabilities that read out the PIN pad in real time to process a direct charge transaction while you use the ATM (they don't care about stealing your Track 1 and Track 2 data).
The ways of reading the pads vary from using cameras that are not that different from the Kinect one, to laying a thin touch sensor over the keypad, to actually running a differential capacitive touch analysis on the metal keys as they are grounded.
A single skimmer in a tourist spot can be used to access 10,000s of accounts over a single weekend; with that financial incentive the cost of the skimmer can almost be ignored.
The cost of the skimmer is insignificant, but the labor to replace it adds friction and is going to reduce the number of active skimmers. To replace the removed skimmer will also expose the criminal to more risk of getting caught, especially if the police are aware of the removal and can set up a sting or something.
So while the economic ROI is so high the behavior will continue, it does slow them down.
Not a complete fix by any means, but adding friction to their criminal behavior.
It's not a fix. Both cards and ATMs have to serve the lowest common denominator; you can't just replace billions of cards and millions of ATMs every few years because of skimmers.
The labor to replace skimmers is already not an issue. Skimmers do not last for years, or even weeks; most of them have a battery that only lasts for a few days, and they are put at strategic locations, usually hot spots around big venues or events.
From my understanding the new chip cards are, in effect, smart cards meaning that after the first use, the information collected is useless. Whereas with a magnetic stripe the CC #, CVV #, expiration date, and name are all transferred plaintext.
Your understanding is incorrect.
This is just one example [0]; there are many ways to skim Chip & PIN (EMV[1]) cards. Even if you build a card which cannot be cloned through active or passive monitoring of the ICC component, you can still perform at least 1 illicit transaction by proxying to it.
The same holds for NFC skimmers, which are now becoming more and more relevant and popular, especially with the commercial availability of ultra-low-power and ultra-compact wireless SoCs.
If someone was wondering what things like the ESP8266[2], which give you WiFi connectivity with less than 1mW standby draw while being the size of a quarter, are good for: if nothing else, they are a pretty damn good platform for real-time NFC or ICC skimming.
"Flush" here is used when something is at exactly the same level as a flat surface.
For example, if you take two tables of the same height, and push them together, their surfaces will be "flush".
Or, if something is embedded inside a surface, so that it sits at the same level as the surface. The slot on some optical drives is a good example of a slot that is "flush" [1].
So on an ATM a "flush" slot would be one that is just a plain slot in the flat plastic surface of the ATM, without any anti-skimming device which sticks out the front.
Like the other people are saying, it means "flat" or "broken outer surface".
Are you familiar with poker? We have another use of the word `flush` in that context, https://en.wikipedia.org/wiki/List_of_poker_hands#Flush where all of the cards are the same suit. So it's a similar use of flush in this instance, that everything is the same. It's similar to this thread's use of "flush".
We should not forget that flush also refers to the time when a person's face becomes red.
As in, your face will go flush if you realize your credit card reader is not flush because you might have just flushed all your winnings from having a poker flush down the toilet.
Please keep comments constructive. This does not help the original questioner, who may not understand why it isn't a fantastic analogy. Please either refrain from the negative commentary, or enhance the conversation by clarifying why you feel it is lacking.
In this case the poker analogy is terrible because in this case flush is talking about a physical surface being unbroken while poker is talking about a collection of items all being the same.
"Flush" in the poker context has more to do with definitions 1 (Abundantly full. In later use chiefly of a stream, etc.: Full to overflowing, swollen, in flood.) and 3 (Plentifully supplied (esp. with money).) rather than 5 (Even, level, in the same plane with / Even or level with the adjacent surface.).
To be "flush with money" is to have a lot of money---in poker, to be flush with hearts is to have 5 hearts.
I know others have already answered, but I found this learner's dictionary version of the Merriam-Webster dictionary (and it looks a lot better than their normal site anyway).
Scroll down to the 4th listing, which is the adjective version. "even or level with another surface"
So the original poster meant that he thought the card reader should just be completely even or level with the front of the machine. I guess that would just be a plain slot.
I agree. Have a smooth front with a flush slot and show on the screen a picture of what the ATM should look like so you can compare to see if there are any protruding bits that shouldn't be there.
Even if it was flush, people are so used to seeing ones that stick out it wouldn't matter. I wonder if it's possible to demagnetize certain cards so they only use chips.
There's a blue sticker on the front of the ATM, above the PIN pad. On the woman's ATM the sticker goes up to the edge of the screen; on his ATM there's a small white/gray strip covering it. He hypothesized that's a pinhole camera to capture PINs.
I thought they used Chip & Pin in Europe? Wouldn't that make skimmers a much less useful proposition? Also the woman next to him was hilarious. Clearly thinking "Who is this nutbag and why is he grabbing at me?"
They do but if you are a tourist getting money from this machine it might not have a chip (i.e. most US debit cards). Even if you are using a chip and pin they still use the ancient magnetic strip and PIN when getting money abroad. As I learned when I used my Eurocard in Puerto Rico. The machine was the older dipping kind; it felt odd to have the card in my hand while typing in the PIN.
Yup! It's reading the magstripe of the card and that means it gets the account holder name, card number, expiration, and CVV. Being in a tourist location it will get that information from a lot of cards which can then be used to make online purchases, etc.
ATMs in Europe probably should not be able to read the mag stripe except when the chip does not work. Why do I have to insert the card fully, so that a skimmer can read the mag stripe? Why not have a way to only insert the chip and only if it can't be read make it possible to insert the whole card?
I only need the mag stripe in the US. Every terminal or ATM in Germany I ever encountered the last few years would read the chip. Only ATMs (most likely being undetected attacked by skimmer) swallow the whole card.
I don't get this industry.
On a related note: Is there something I can cover the mag stripe with that makes it unreadable, but can be removed easily if I need it?
You could possibly ask your bank for a second card (or, if you have family, set up a shared account and get multiple cards that way) and then just cut off some/all of the magstripe from the primary card and use your secondary card as a backup.
What's the safest approach if you come across one of these in the wild? If you had already put your card in, you wouldn't want to just leave the device around waiting for the thief to pick it up. But you probably also don't want to be the person pocketing the memory chip with other people's debit card info.
I suppose taking a cell phone video describing your thought process and recording your interactions with the device is a good precaution to take whatever you end up doing with it.
I actually found a similar one today on the ATM outside my bank. Went in and notified the manager - he immediately disabled the ATM and posted someone outside to stop people from using it until his security team and the police could arrive.
American banks have continuously made a conscious choice to ignore more secure designs (one-time passwords, signing transactions, push-based methods of sending money rather than authorizing someone else to pull it, etc) because it is cheaper to eat the fraud than to revamp the payment networks.
This is only now changing with the advent of Chip + Signature, with a tiny portion of stores now accepting it years after the deadline.
I installed the Revolut app the other day and was just today sent a debit card from them. The app is interesting in that it has an option where you can deactivate the magnetic strip.
Since nobody in my country ever used the magstripe for anything, I went ahead and disabled it, which theoretically should protect against skimmers. It also has options to decline transactions from a location other than where your phone is, or transactions online.
Pretty interesting what you can do when your credit card has a companion app.
This is why we need to move to Apple/Android Pay type systems. The security is in the protocol. Somebody can "skim" the packets all day long and it doesn't matter.
That's why Europe moved to Chip-and-PIN years ago. Sadly the magstripe has to remain for backwards compatibility with countries that haven't adopted it yet (the USA).
I still don't get why ATMs in the EU don't let you just dip the chip in instead of sucking in the whole card.
Someone could surreptitiously watch the PIN being introduced and then grab the card and run. You want the ATM to keep it locked while the user is distracted typing numbers and such.
That's obviously possible but it seems a lot more risky and less efficient for the criminal - at that point they almost might as well just mug or pickpocket people.
And it also seems like there are several physical (or software) locking designs you could use to work around the problem.
Risky and less efficient, but also doable by someone without any tech knowledge, and probably more lucrative than pickpocketing, since few people carry as much cash as one can withdraw.
Yeah but that's very closed and it gives Apple/Google a lot of power. I think the current chip/pin API is open enough you could probably do it with just your phone.
Whatever it was, it was highly irresponsible to not immediately call the authorities and not, in the video, instruct people to immediately call the authorities if they find a skimmer. Tampering with evidence of a crime is a crime in most places.
I'm just curious -- do you have anything nice to say?
While I applaud your valor, I am grateful I clicked on this because I've only heard ATM scanner used in passing conversation -- had no idea they could be outfitted like this. Your parent comment & this comment make it seem like you got a chip on your shoulder.
This breaks the HN guidelines and is not the first time you've done so. We ban accounts that do this, so please don't do it again. Instead please (re)-read the guidelines and post civil, substantive comments or none at all—regardless of how wrong you think someone else is.
You can't post like this here, regardless of how strongly you disagree with someone. We ban accounts that do this, so please don't do it again. Instead, please (re)-read the guidelines and post civilly and substantively, or not at all.
[1] http://imgur.com/a/KGoBM