Would you know if this ATM has been rigged to steal your data? Actually, you probably wouldn’t. /Rfc1394, Awyong Jeffrey, Mordecai Salleh
Further to assaults on privacy on the Internet, the people who steal our identity at ATMs and use it to raid our bank accounts have become much more sophisticated in the past decade.
Gizmodo freaks out a bit on the subject, but not without some justification, as we shall see:
In a little over a decade, ATM skimmers have gone from urban myth to a wildly complex, ever-evolving suite of technologies that has the potential to be the worst nightmare of anyone with a bank account.
Maybe, but in any event, a quick potted history, in five points:
– At first, many doubted that a technology for capturing data while the card was in use really existed. Then in December 2002, a CBS report confirmed the existence of skimmers that could record names, account numbers, etc., from the cards’ magnetic stripes. They could be downloaded to the thief’s personal computer. Hidden cameras could often record the PIN numbers.
– Even by 2009, the skimmers were primitive compared to those of today. Typically, they were devices laid over the actual ATM, to harvest the customer’s data first. But clumsily fitted devices could reveal the scam.
– Gizmodo tells us that by 2010, smarter criminals quit using cameras to spy on PIN numbers in favour of keyboard overlays that note the numbers pushed. Wireless transmission of the data proved vastly better for the criminal, who no longer had to risk retrieving data from the besieged bank (where security or even police might be waiting for him).
– By 2012, the thieves’ card readers were paper thin devices, so you could not actually spot them. As Brian Krebs of Krebs on Security explains,
An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot.
He provides photos from a bank that has asked to remain anonymous, of a device captured after the bank’s ATM “fatal error” alarm went off.
– By 2013, gas pumps were being attacked. At one chain, Murphy’s in Oklahoma, thieves netted $400,000.
Yes, banks are working on the problem, but just as soon as they develop a fix, thieves find a way to thwart it. So banks are at best one step ahead.
Crime does pay if crooks succeed. However, there are reasonable ways of protecting our families’ bank accounts, as Krebs explains:
As this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.
Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).
If you would like more detailed information about skimming, see Krebs on security, “All about skimmers”
This vid recounts some common-sense measures that might prevent many thefts of data:
Denyse O’Leary is a Canadian journalist, author, and blogger.