What are Skimmers?
This page deals with ATM and Point-of-Sale (POS) Skimmers. For interception and tracking of cell phone systems see http://nc3.mobi/references/2005-cell-skimmers
A skimmer is a device that sits between your card and the reader it was meant for, capturing the card data (and often the PIN) as it passes. Skimmers can be bulky, or molded to look like a part of the ATM, or may be a point-of-sale (POS) terminal that has been compromised to act as a skimmer. They can be fitted inside machines that have been opened, or be very thin and applied from outside the device without opening anything. An excellent overview can be found at Krebs on Security and more information at arstechnica
Some skimmers store the data on board for later pickup; others send it out over a wireless link so the crook never has to return to the machine. Related attacks need no electronics at all: a bent paperclip or claw (a “cash trap”) that holds back cash as it is dispensed from an ATM. Or, at the far end of the scale, a whole fake ATM!
Smaller … and smaller
7/07/2014 The devices are getting smaller, thinner and more capable.
No small problem
Continuing Vulnerability of ATMs
Just because the financial institution knows an ATM, or a series of ATMs, is vulnerable does not mean the vulnerability will be removed any time soon. The NCR 5587 ATM runs the Windows XP operating system and was known to be vulnerable to the “ulssm.exe” malware. NuSource Financial Inc, which supplies and services those machines, warned that XP would no longer be supported by Microsoft after April 2014. Absent such support the ATM could lose its PCI-DSS certification, so NuSource pushed for an upgrade to Windows 7. Some ATM operators didn’t upgrade or otherwise protect their machines. Back in October, Malaysia reported that crooks infected and jackpotted the equivalent of one million US dollars from under two dozen infected machines.
New Methods to Hack ATMs
New illegal access methods continue to develop. On 10/14/2014 Kaspersky Lab uncovered Backdoor.MSIL.Tyupkin malware affecting ATMs from a major ATM manufacturer running Microsoft Windows 32-bit operating systems (not WinXP). Tyupkin lets crooks into infected ATMs only at specific times, using a code that changes with each session. No counterfeit card or skimming device is required.
Like a walk-up piggy bank, a crook can approach the machine during a window when the malicious access mode is active. Two codes are required, a primary and a secondary. The secondary code is derived from a random seed the ATM displays, so it is different every time, and a senior crook who knows how to compute it can hold it back so the junior crook at the machine has to call for it just in time. This limits the possibility of the person at the keypad getting greedy or getting caught with a usable key.
As of October 2014 more than 50 ATMs in Eastern European and Russian banks have been discovered carrying the malware, with the total theft estimated in millions of dollars. While no infected ATMs have so far been discovered in the U.S., Kaspersky engineers believe the risk of the concept spreading is high. (source)
SecureList reported on 10/07/2014 that samples of the threat had turned up beyond Russia, in the US, India, China, Israel, France and Malaysia, but in small numbers. The link has more details and an interesting video of the malware in operation. “The Tyupkin malware is one such example of attackers moving up the [ food ] chain and finding weaknesses in the ATM infrastructure. The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.”
Update 2/14/2015 It wasn’t just the ATMs
The largest bank heist in history, and not a shot fired
A report to be published on Monday 2/16/2015 by Kaspersky Lab (their home and their security center) says the ATMs spewing cash were only the most visible part of a campaign against more than 100 banks in more than two dozen nations. Hundreds of millions of dollars were transferred to accounts the crooks controlled, making it one of the largest bank thefts in history and the first with nearly no visible signs of a crime.
For months the malware let the crooks watch, and record, the ebb and flow of routine activity inside each bank. Using the credentials they captured, the crooks transferred millions from banks around the world into their own accounts and had ATMs simply spew cash on cue. The amount? The financial institutions are not saying (there is no international requirement for disclosure) and Kaspersky was granted access under non-disclosure. The estimate is about $300 million USD and possibly much more, approaching one billion US dollars.
One method was to use a bank’s compromised administrative authority to inflate an account’s balance, then transfer exactly the inflated amount to the crook’s account. The account’s true owner would suspect little, since the balance ended where it started. The extra value was created from “thin air” and only the air was transferred, so who was left to raise an alarm? Only when the bank’s books were reconciled would the imbalance show: real money had left the bank, but no account had been properly decreased to pay for it.
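The reconciliation failure described above is a ledger invariant that can be checked mechanically. The following is an added example, not code from the page or from Kaspersky’s report: it runs a double-entry check over a constructed toy ledger (account names, journal IDs and amounts are all made up) in which a balance was inflated without an offsetting posting and the inflation was then wired out. Every customer balance looks normal afterwards, but the forged journal does not net to zero and neither does the ledger as a whole.

```python
"""Double-entry reconciliation over a constructed ledger (added example).

Each posting is (journal_id, account, amount_in_cents). A legitimate
journal (deposit, transfer, wire) nets to zero: whatever leaves one
account arrives in another, including the 'outside_world' account that
stands in for cash and correspondent banks. A balance inflated through
direct admin access has no offsetting posting, so its journal does not
net to zero and the trial balance of the whole ledger is off by that
amount, even though the victim's closing balance is unchanged.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Posting = Tuple[str, str, int]  # (journal_id, account, amount in cents)

# Constructed sample data, not records from any bank.
LEDGER: List[Posting] = [
    ("J1", "alice",          100_00), ("J1", "outside_world", -100_00),  # alice deposits 100
    ("J2", "alice",          -20_00), ("J2", "bob",             20_00),  # alice pays bob 20
    ("J3", "alice",        10_000_00),                                   # forged: no offset
    ("J4", "alice",       -10_000_00), ("J4", "outside_world", 10_000_00),  # wired to a mule
]


def journal_imbalances(postings: Iterable[Posting]) -> Dict[str, int]:
    """Return {journal_id: net amount} for every journal that does not net to zero."""
    nets: Dict[str, int] = defaultdict(int)
    for journal_id, _account, amount in postings:
        nets[journal_id] += amount
    return {jid: net for jid, net in nets.items() if net != 0}


def balances(postings: Iterable[Posting]) -> Dict[str, int]:
    """Closing balance per account; the view a customer or teller sees."""
    totals: Dict[str, int] = defaultdict(int)
    for _journal_id, account, amount in postings:
        totals[account] += amount
    return dict(totals)


def trial_balance_gap(postings: Iterable[Posting]) -> int:
    """Sum of all postings. Zero for an honest ledger; the size of the theft here."""
    return sum(amount for _jid, _acct, amount in postings)


if __name__ == "__main__":
    print("closing balances:", balances(LEDGER))          # alice back at 80.00
    print("unbalanced journals:", journal_imbalances(LEDGER))  # {'J3': 1000000}
    print("trial balance gap (cents):", trial_balance_gap(LEDGER))  # 1000000
```

The per-journal check catches an attacker who writes only one side of the entry. An attacker with full administrative access who also posts the offset to a suspense or internal account will pass it, which is why the second check, reconciling the ledger total against statements the attacker cannot edit (cash counts, correspondent-bank statements), still has to run, and why postings created outside the normal transaction path deserve an alert of their own.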
The really bad news: these attacks appear to have started more than two years ago, were not detected until recently, and continue today in the same general manner. The malware arrives by email. One employee (that is all it takes) opens the attachment and the rest follows. (more at NYTimes)
Update 2/16/2015 Price Tag over One Billion Dollars
The police department in Redlands, California isn’t really that big, so putting a 24/7 stakeout on a gas pump implanted with a card skimmer was going to be an expensive proposition. Instead, they affixed a GPS pinger to the device and watched from the office. Source: The US Department of Justice, Community Oriented Policing Services (COPS) electronic newsletter Volume 7, Issue 10 of October 2014 on How GPS Technology Aided in the Apprehension of Credit Card Skimming Suspects (part 3 of a series)
Redlands has used GPS in several other ways. Thieves Know No Boundaries: Using GPS Technology to Address Cemetery Theft (part 2 of the series) from USDOJ COPS Volume 7, Issue 9 of September 2014. Vehicle Burglary: A Problem Every Community Experiences (part 4 of the series) from USDOJ COPS Volume 7, Issue 11 of November 2014. Using GPS Tracking Devices as Alarms (part 6 of the series) from USDOJ COPS Volume 8, Issue 1 of January 2015. More on Redlands use of electronic stakeouts from The Police Chief, volume 81, number 1 of January 2014.
Update: May 4, 2015
Security journalist Brian Krebs reviews the Redlands PD story and adds a lot more information and pictures.
Rather than put something in the path of the card to skim the data, some crooks are wiretapping the innards: drilling a hole in the fascia, inserting a probe that taps the card reader’s own wiring, and covering the hole with a decal. This is akin to ATM arthroscopic surgery, inserting and attaching equipment to read and store account numbers, PINs, everything a crook needs to drain your account. More from a November 2014 article on Krebs On Security.
12/09/2014 Update on Wiretapping
Some of the holes are not so small. This example shows a hole twice as large as a charge card laid flat. Read more at Krebs on Security, including how some crooks are pumping explosive gas into ATMs and blowing them open.
12/22/2014 Update Why wiretap outside ATMs? Stay inside.
Long History of ATM Compromises
This problem has been going on a long time. Not long after standalone ATMs were introduced (as opposed to machines located inside a bank branch), one appeared overnight in a busy pedestrian walkway between several large buildings on the north side of downtown Chicago. It was literally in the path of thousands each day. The machine would accept a card, ask for the PIN, then reply with “Unable to connect to your bank. Please try again later.” By then the card data and the PIN had been passed to crooks who would tap that account and take what they could.
Crooks do push their luck sometimes. In July/August of 2009 crooks planted a fake ATM at the Defcon hacker conference in Las Vegas. The participants didn’t take long to discover something was wrong.
Gas Pumps with Security Tape?
Some pumps have security tape over the keylock, yet skimmers often go in through the same slot as your charge card. Sometimes the innards have security tape too. Is that effective? Not so much: a tape seal only helps if someone knows what the genuine seal looks like and checks it. Read the article at Krebs on Security.
Watch the door!
Do you use an ATM vestibule where your ATM card opens the door? Crooks put skimmers on the door reader, taking advantage of its weaker security compared to the ATM itself. Read more from Krebs on Security.
ATM Skimmer Increase
Detailed examination of two devices found during July 2015 attached to an ATM in the tourist destination of Puerto Vallarta on the west coast of Mexico. In addition to the skimmer itself there is a tiny pinhole camera which recorded the keypad entries, including the personal identification number (PIN). (source)
ATM Shimmer found in Mexico
A shimmer is an ultra-thin device that fits between the chip on a card and the contacts inside the ATM that read that chip. The shimmer records the data exchanged for later use by crooks. Shimmers can be installed via the card slot in seconds. The caveat worth knowing: what a shimmer captures cannot be used to make a working chip card, but it can be written to a magnetic stripe, and that clone works wherever the issuer fails to notice that the check value on the chip (the iCVV) differs from the one on a real stripe (the CVV). (Source: KrebsOnSecurity includes pictures of the shimmer)
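The issuer-side checks that decide whether skimmed or shimmed data is usable turn on two fields in the Track 2 data: the service code, which says whether the card carries a chip, and the discretionary data, which carries the CVV on the stripe and the iCVV on the chip. The following is an added example, not code from the page or from any issuer: it parses Track 2 in both the magstripe form and the EMV “Track 2 Equivalent Data” (tag 57) form, and applies the two checks to constructed sample data (the PAN 4111111111111111 is a standard test number; the expiry, service code and discretionary values are invented). A real issuer verifies the CVV/iCVV cryptographically with its own keys; the comparison here only shows where that difference lives.

```python
"""Track 2 parsing and skimmer/shimmer replay checks (added example).

Track 2 layout: PAN, separator ('=' on the stripe, 'D' in EMV tag 57),
YYMM expiry, 3-digit service code, issuer discretionary data (PVV and
CVV on the stripe, iCVV on the chip), optional 'F' padding on the chip.
"""
from dataclasses import dataclass

# Service code, first digit: interchange rules and whether the issuer
# wants the chip used when the terminal can read one.
SERVICE_CODE_FIRST = {
    "1": "international, magstripe",
    "2": "international, use chip where possible",
    "5": "national, magstripe",
    "6": "national, use chip where possible",
    "7": "private / issuer use only",
}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_card(self) -> bool:
        """Issuer declared a chip on this card (service code 2xx or 6xx)."""
        return self.service_code[0] in ("2", "6")

    @property
    def service_description(self) -> str:
        return SERVICE_CODE_FIRST.get(self.service_code[0], "unknown")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit test on a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Accept ';PAN=YYMMSSSdisc?' (stripe) or 'PANDYYMMSSSdiscF...' (tag 57)."""
    s = raw.strip().strip(";?").upper().replace("D", "=").rstrip("F")
    if s.count("=") != 1:
        raise ValueError("track 2 needs exactly one field separator")
    pan, rest = s.split("=")
    if not (12 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("bad PAN")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("bad expiry or service code")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def assess(track: Track2, entry_mode: str) -> str:
    """Issuer policy on how the card data reached the terminal.

    entry_mode: 'chip', 'contactless', 'magstripe' (plain swipe) or
    'fallback' (terminal reports the chip failed, then swiped).
    Returns 'ok', 'review' or 'decline'.
    """
    if entry_mode in ("chip", "contactless"):
        return "ok"
    if track.chip_card:
        # A chip-capable card presented on its stripe is exactly what a
        # clone built from skimmed or shimmed data looks like.
        return "decline" if entry_mode == "magstripe" else "review"
    return "ok"


def icvv_distinguishes(stripe: Track2, chip: Track2) -> bool:
    """True when the same card carries different discretionary data on
    chip and stripe, so a stripe clone made from shimmed chip data
    presents the wrong check value and can be refused."""
    same_card = (stripe.pan, stripe.expiry_yymm, stripe.service_code) == (
        chip.pan, chip.expiry_yymm, chip.service_code)
    return same_card and stripe.discretionary != chip.discretionary


# Constructed samples: stripe read and chip read of the same test card.
STRIPE_SAMPLE = ";4111111111111111=2512201123456789?"
CHIP_SAMPLE = "4111111111111111D2512201987654321F"

if __name__ == "__main__":
    stripe, chip = parse_track2(STRIPE_SAMPLE), parse_track2(CHIP_SAMPLE)
    print(stripe.service_description)              # international, use chip where possible
    print(assess(chip, "magstripe"))                # decline
    print(icvv_distinguishes(stripe, chip))         # True
```

A terminal that lets a shimmed card through is not the last line of defense: the issuer sees the entry mode and the service code on every authorization, and declining chip-capable cards that arrive by plain swipe is the check that makes most of these clones worthless.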
An insert skimmer was recently recovered from an ATM in Europe having been inserted into the card reader without having to compromise the ATM construction. More at KrebsOnSecurity.
KOS tracks skimmers in Mexico
Anti-crime activities carry dangers
Back in December 2013 Dr.Web, a Russian security firm, exposed an organized criminal effort that developed and sold malicious software for illegally obtaining cash and card data from ATMs. The crooks didn’t like being exposed, and the response included multiple warnings and harassing Molotov cocktail attacks. More at KOS.
11/19/2015 Gas Station Skimming rising
The FBI’s Miami Division issued a press release citing four skimming cases. The first, United States v. Anthony Nunovero and Edelso Sanchez (Case No. 15-20884-CR-Huck), alleges they installed credit card scanning devices modified to slurp data from gas pump card readers. The pumps were opened, the equipment installed, the pump closed, and then re-sealed with counterfeit tamper-evident stickers. “The trend of this form of tampering has been a general straight line increase through 2015 — it’s dramatically up across all regions,” according to Owen Wild, director of security marketing at NCR, a maker of ATMs and other payment systems. More at CBS News.
11/30/2015 Clever brains, bad morals, rolling bombs
Illegally modifying gas pumps to skim credit card information has been around a while. Implanting a wireless transmitter so crooks don’t have to physically return to the pump is a little more recent. As to the problem of converting the stolen card data into money … a new approach. These crooks cut out a lot of overhead by using cards skimmed at gas pumps to buy … gas. Not just a few gallons either. What appears to be an old tire hauler is actually a multi-hundred-gallon, unlicensed fuel carrier. On a smaller scale, this SUV still carries a lot of fuel. How many of these potential catastrophes are rolling around the streets? In the City of Angels, Los Angeles, at any given time, 20 to 30. Also not good: every piece of licensed equipment at a gas station is tested, rated, and permitted so as not to cause an arc that might ignite fuel vapors; none of this improvised gear is. Watch (1m 20s) as static electricity from a sweater ignites fuel vapors at the nozzle. Much more in this article at KrebsOnSecurity.
12/16/2015 Safeway stores hacked
Multiple checkout terminals at Safeway stores appear to have been compromised. Debit card data is being used to drain accounts after shopping at Safeway stores. Bank industry sources report skimming in Colorado (Arvada, Conifer, Denver, Englewood, and Lakewood) and California (Castro Valley and Menlo Park). More at KrebsOnSecurity article.
2/03/2016 Update Safeway hack up close
See a whole point-of-sale overlay shell at this article at KrebsOnSecurity. Would you recognize it as a fake?
1/07/2016 Good News in Cops vs Crooks
Europol reports that “The Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), assisted by Europol and Eurojust as well as a number of European Law Enforcement authorities, disrupted an international criminal group responsible for ATM malware attacks. This operation, one of the first in Europe against this kind of threat, resulted in multiple house searches in Romania and the Republic of Moldova and the final arrest of 8 individuals. The criminals used Tyupkin ATM malware which allowed the attackers to manipulate ATMs across Europe and illegally empty ATM cash cassettes.” The history of “Tyupkin” and its discovery is above. Forbes had an interesting article on the economics involved in malware-for-rent. Sometimes it isn’t very profitable.
3/08/2016 Update Bad News: Tyupkin Hacker escapes
Tyupkin is malware that allows crooks to walk up to an ATM and receive cash, a function called “jackpotting” in reference to hitting the jackpot on gambling devices such as slot machines. It had an upgrade and, under its new name “GreenDispenser”, is seeing service in Mexico.
Renato Marius Tulli was arrested in early January and was being held in a Bucharest police precinct with seven other suspects in the jackpotting scheme. On Monday 3/7/2016 Tulli escaped with robbery suspect Grosy Gostel while in the precinct’s yard taking their daily outdoor break. The break area was enclosed with light metal mesh which, while a concern of the police, was never reinforced. (original source, Google translation Romanian to English). Gostel was recaptured, but the ATM hacker remains at large. More at The Hacker News.
2/09/2016 Clutter? Cables? Hackers?
Major ATM vendors issued an advisory regarding increased use of external devices that don’t skim the card itself but tap the ATM’s communications with the back office. Pictures and more at KrebsOnSecurity
3/15/2016 Gone in 3 seconds
Crooks convert a Miami Beach convenience store card terminal into a skimmer in 3 seconds.
Look at the 19 second mark of this 1:17 video. The one in blue is the distractor. The one in back has the overlay. They don’t interact with each other. Once the overlay is placed, the placer just saunters away. More of the story at The Hacker News
4/29/2016 ATM Skimming Up More Than Fivefold
… but did you get any news from your bank?
FICO (the credit score people) reported in early April that ATM compromises in 2015 were up 546% from 2014. That is the bad news. The good news is that the average duration of a compromise fell to 14 days in 2015 from 36 days in 2014. This means that while crooks are hacking machines at a greatly increased rate, the ATM operators are getting faster at detecting and resolving each hack. More at Krebs On Security
5/06/2016 ATM “Deep Insert” Skimmers
Not a new porn movie: deep insert skimmers sit further inside the card reader than an insert skimmer and are completely hidden from view at the front panel. There are also skimmers mounted on the outside of the ATM enclosure, but these are more easily spotted by bank personnel who know how the outside of their ATMs should look. Deep insert skimmers have been found on ATMs from multiple manufacturers in Bulgaria, Greece, Ireland, Italy, Switzerland, Sweden, Turkey, the United Kingdom and the United States. More at Krebs on Security
5/25/2016 New POS swiper overlays found
New skimmer overlays for Ingenico card readers can be applied in seconds, have a pass-through for chip-enabled cards so the terminal keeps working, and carry memory to hold the stolen data. Crooks retrieve the whole device in the same few seconds and read out the data. Could you tell if this was installed? (graphic) More at Krebs On Security
6/13/2016 Insert Skimmers
Insert skimmers are getting smaller and smaller and thinner and thinner. How thin? See this. Krebs on Security has gathered several brief videos showing how a modified metal spatula can insert, or extract, a skimmer in less time than it took you to read this paragraph. These devices can also be used on card readers at gas stations or other places.
6/23/2016 ATMs: Why Skim when you can Surf?
At the upcoming Black Hat Security Conference, 7/30-8/4/2016, one session is devoted to hacking “next generation” secure ATM systems, including bypassing anti-skimmer and anti-shimmer measures. The presenters will demonstrate a method to trigger unattended “cash outs” at long range. Also demonstrated is “La-Cara”, which withdraws money from current EMV and NFC ATMs using harvested card data at a rate of $20,000 to $50,000 (depending on the denominations loaded) in 15 minutes.
6/27/2016 ATM Skimmer Observation Pays Off
A cyber security researcher tugged at an ATM card reader in Vienna and it came off in his hand. A skimmer found. More at The Hacker News
7/13/2016 $2.2M ATM Jackpot
“Jackpotting” an ATM means infecting it with malware so the ATM will spew a large number of bills without being encumbered by the usual card and PIN checks. Several dozen machines in Taiwan were infected with one of three versions of malware to hand more than 70M Taiwan dollars ($2.2 million US) to two persons believed to be Russian nationals. From the video coverage it appears a cell phone was used to trigger the attack at more than 40 ATMs over one night and one day.
All of the ATMs appear to be a specific model, and multiple banks have suspended operation of nearly 1,000 machines of the same model, about 4% of the national ATM network. The company that made those ATMs is being acquired by Diebold, already a major participant in the ATM business. More from Reuters
7/28/2016 Eyeball Security Still Effective
8/04/2016 Chip & PIN hacked ATM
[ According to one researcher “The state of chip and pin security is that it’s a little oversold.” Ya think? -ed ]
8/26/2016 Super ATM – RIPPED via EMV
Malware aimed at ATMs (hence the name ATMRipper, found in the code) uses a technique similar to Tyupkin, SUCEFUL and GreenDispenser to jackpot a maximum of 40 bills per request, the limit imposed by the ATM manufacturer. It cleans up after itself, removing evidence it was ever there. See FireEye for details. Here is the kicker: the crooks authenticate to the malware by inserting a specially made EMV chip card. Correct, the chip that was supposed to provide security has been turned into the crook’s key, adding a new attack surface. More at Tom’s.
Sadly there are many more.