Mutt
For educational purposes, I will explain in detail how ATM skimmer monitoring systems work in the context of carding, a fraudulent activity involving the theft of bank card data for subsequent illegal use. Skimming is one of the key carding techniques, and protecting ATMs from it requires a comprehensive approach. I will describe how anti-skimming sensors, jitter technology, and transaction analysis work together to prevent skimming, and discuss their role in combating carding, including technical details, examples, and limitations.
1. Context of carding and skimming
Carding is a type of fraud in which criminals use stolen bank card data (card number, CVV code, PIN code, etc.) to make unauthorized transactions, purchase goods or withdraw funds. Skimming is a method of stealing card data using devices (skimmers) that are installed on ATMs or payment terminals to read information from the magnetic strip or chip of the card. Skimmers are often supplemented with miniature cameras or keyboard overlays to record the PIN code.
The purpose of ATM monitoring systems is to prevent the installation of skimmers, minimize successful data reading and identify suspicious activity related to carding. Let's consider the key technologies: anti-skimming sensors, Jitter technology and transaction analysis.
2. Anti-skimming sensors
Anti-skimming sensors are hardware devices built into ATMs or installed as separate modules designed to detect physical skimmers. In the context of carding, they act as a first line of defense, detecting attempts by attackers to install data-stealing devices.
Operating principle:
- Sensor types:
  - Electromagnetic sensors: Detect metal or electronic components of skimmers, which often contain magnetic heads to read the card strip. They analyze changes in the electromagnetic field around the card reader.
  - Optical sensors: Use infrared or laser technology to scan the geometry of the card reader. Any deviation (for example, an additional overlay) triggers an alarm.
  - Ultrasonic sensors: Measure the distance and shape of objects in the card reader area, detecting foreign devices by changes in echo signals.
  - Active anti-skimming systems: Generate interference (such as electromagnetic pulses) that disrupt the skimmer's operation, making its read data incorrect.
- Detection process:
  - The sensors are calibrated to recognize the normal state of the card reader. Any change (for example, the installation of a plastic or metal cover) is recorded as an anomaly.
  - When a suspicious object is detected, the system can:
    - Send an alarm signal to the bank's monitoring center.
    - Block the card reader, preventing use of the ATM.
    - Enable visual or audio warnings for users.
- Example of technology:
  - NCR uses anti-skimming solutions such as the Skimming Protection Solution (SPS) that integrate multiple types of sensors and active jammers to protect ATMs.
  - Diebold Nixdorf devices such as the Activator include anti-skimming modules with skimmer detection and suppression capabilities.
Carding connection:
- Skimmers are the carders' primary tool for stealing magnetic stripe or chip data. Anti-skimming sensors make it difficult to install such devices, reducing the likelihood of successful skimming.
- If the sensor detects a skimmer, the bank can quickly check the ATM, which prevents mass theft of data that carders use to create clones of cards or conduct online transactions.
Limitations:
- Skimmer Camouflage: Modern skimmers can be made from materials that are difficult to detect (e.g. non-metallic components).
- Shimmers: Readers for chip (EMV) cards are thinner and harder to detect because they are installed inside the card reader.
- Bypass: Carders may use temporary skimmers that are installed for a short time to avoid detection.
3. Jitter technology
Jitter technology is a security method that makes it difficult for a skimmer to read data from a card's magnetic stripe by changing the movement of the card in the card reader.
Operating principle:
- Mechanism:
  - When you insert a card into an ATM, the card reader creates small vibrations or uneven movement (e.g. jerks, changes in speed). This is called "jitter".
  - Skimmers are designed to move the card evenly to accurately read the data from the magnetic strip. Jitter disrupts this process, causing errors in the data the skimmer records.
  - For example, instead of the correct card number, the skimmer may receive distorted data that is unsuitable for creating a card clone.
- Technical implementation:
  - Jitter technology is built into the card reader motor that controls the movement of the card. The ATM software generates random or programmed changes in movement.
  - This technology is often used in combination with anti-skimming sensors to improve efficiency.
- Example:
  - Wincor Nixdorf (now Diebold Nixdorf) ATMs use Anti-Skimming Jitter technology, which is activated automatically every time a card is inserted.
  - Some NCR ATM models also support this feature, integrating it with other security mechanisms.
Carding connection:
- Jitter technology directly reduces the effectiveness of traditional skimming, which is often used by carders to steal magnetic stripe data.
- Even if a skimmer is installed, it may collect incorrect data, making it useless for carding (e.g. creating card clones or selling on the black market).
- This is especially important in countries where magnetic stripes are still used despite the transition to chip cards (EMV).
Limitations:
- Chip Cards (EMV): Jitter technology is ineffective against shimmers that read data from a chip, as they do not rely on card movement.
- Adapting Carders: Attackers can develop skimmers that are resistant to Jitter, although this requires complex electronics.
- Limited Use: Jitter only works at the card entry stage, and not against cameras or keypad overlays that carders use to steal PINs.
4. Transaction Analysis
Transaction analysis is a software method that uses machine learning algorithms and behavioral analysis to detect anomalies related to skimming and carding. It is based on real-time monitoring of ATM activity.
Operating principle:
- Data collection:
  - The system collects transaction data, including:
    - Time and frequency of operations.
    - Type of transactions (cash withdrawal, balance inquiry, etc.).
    - Geographical location of the ATM.
    - User behavior (e.g. multiple attempts to enter a card without completing a transaction).
  - The data is aggregated into a centralized monitoring system, which can cover the bank's ATM network.
- Anomaly Analysis:
  - Machine learning algorithms compare current activity with historical data and patterns of normal behavior.
  - Examples of anomalies:
    - An unusually large number of transactions in a short period of time (e.g. carders testing stolen data).
    - Multiple attempts to enter the card without completing the transaction (typical for installing or testing a skimmer).
    - Transactions with cards that are later used in fraudulent transactions (e.g. in other countries).
  - Algorithms can use scoring models to assess risk: each transaction is given a "suspiciousness rating".
- System response:
  - If an anomaly is detected, the system can:
    - Notify the bank's monitoring center.
    - Temporarily block the ATM to prevent further transactions.
    - Request an ATM inspection by a technical team.
  - In some cases, the data is transferred to Fraud Detection Systems, which monitor further card activity.
- Example of technology:
  - Platforms such as FICO Falcon Fraud Manager or SAS Fraud Management integrate with ATMs to analyze transactions and identify suspicious activity.
  - Many banks use their own systems that combine data from ATMs with information from other sources (such as POS terminals or online banking).
Carding connection:
- Carders often use skimmers to collect card data in bulk, which they then test through small transactions or balance inquiries. Transaction analysis can identify these tests and block cards before they can be used in large-scale fraudulent transactions.
- If a skimmer is already installed, transaction analysis may detect suspicious activity (such as mass cash withdrawals from multiple cards), indicating that the ATM has been compromised.
- This method also helps to track "secondary" signs of carding, such as the use of stolen data in other regions or on the black market.
Limitations:
- False Positives: High activity on popular ATMs may be incorrectly classified as suspicious.
- Delayed response: If the skimmer is collecting data but no transactions are being processed, the system may not immediately detect the problem.
- Limited accuracy: Algorithms depend on the quality of data and model training. New carding schemes can outperform older algorithms.
5. Combined interaction of technologies
The effectiveness of the fight against carding is achieved by integrating anti-skimming sensors, Jitter technology and transaction analysis into a single monitoring system. These technologies operate at different levels, creating multi-level protection.
How it works together:
- Attack scenario:
  - The carder installs a skimmer on the ATM to steal card data. The skimmer can be an overlay on the card reader (for a magnetic strip) or a shimmer (for a chip), and can also be supplemented with a camera to record the PIN code.
  - Users insert cards, the skimmer reads the data, and carders use it for fraudulent transactions.
- System response:
  - Anti-skimming sensors:
    - Detect the skimmer (for example, by a change in the electromagnetic field or the geometry of the card reader).
    - Send an alarm to a monitoring center, which can block the ATM or send technicians to check.
    - If the sensor is an active type, generate interference, reducing the effectiveness of the skimmer.
  - Jitter technology:
    - Disrupts the reading of data from the magnetic stripe, making the stolen data incorrect.
    - Even if the skimmer is not physically detected, Jitter reduces the likelihood of successful carding.
  - Transaction Analysis:
    - Detects anomalies such as multiple card entry attempts or suspicious transactions (e.g. cash withdrawals from cards that have previously been used at the same ATM).
    - If the card data has already been stolen and is being used elsewhere, the system can link it to the ATM and initiate a check.
- Example scenario:
  - A carder installs a skimmer on an ATM in a shopping center.
  - The anti-skimming sensor detects a foreign object and sends an alarm signal.
  - Jitter technology distorts the data read by the skimmer, making it unsuitable for carding.
  - Analysis of the transactions reveals that several cards used at this ATM were later used for fraudulent transactions in another region.
  - The bank blocks the ATM, sends technicians to remove the skimmer and notifies customers of the possible card compromise.
Integration with other measures:
- Video surveillance: Cameras on ATMs record the actions of criminals, helping to identify carders.
- Data Encryption: Modern ATMs use encryption to protect card data, making stolen data less valuable without the key.
- Fraud Detection Systems: Transaction analysis integrates with banks' fraud prevention systems that monitor the use of stolen data in real time.
6. Limitations and challenges in the fight against carding
Despite its effectiveness, the combination of these technologies has limitations that carders try to exploit:
- Evolution of Skimmers: Modern skimmers are becoming thinner, less noticeable and resistant to Jitter technology. Chip card shimmers are especially difficult to detect.
- Social Engineering: Carders can use social engineering techniques (such as phishing) to obtain PINs bypassing ATM security.
- Cyber attacks: If carders gain access to the ATM's internal network (e.g. through malware), they can disable the security mechanisms.
- Global nature of carding: Stolen data is often sold on the black market and used in other countries, making it difficult to track.
Solutions:
- Regular updates of anti-skimming sensors and ATM software.
- Training transaction analysis algorithms to recognize new carding schemes.
- Integrate additional measures such as biometric authentication or two-factor verification for cash withdrawals.
- Physical inspection of ATMs and training of staff to identify suspicious devices.
7. Conclusion
The combination of anti-skimming sensors, Jitter technology and transaction analysis creates a powerful system of protection for ATMs from skimming and carding.
- Anti-skimming sensors detect physical devices, preventing their installation.
- Jitter technology reduces the effectiveness of skimmers while protecting magnetic stripe data.
- Transaction analysis identifies anomalies associated with fraudulent activity, allowing you to quickly respond to threats.
These technologies work synergistically to provide multi-layered protection. However, with carding methods constantly evolving, banks need to regularly update systems, integrate new technologies (such as biometrics), and collaborate with law enforcement to combat fraud. For educational purposes, it is important to understand that protection against skimming is not only a technical process, but also an organizational one that requires a comprehensive approach.
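The "suspiciousness rating" idea from section 4, as an added example (not code from the original post or from any vendor product named in it): it scores one ATM's event window against that ATM's own baseline, which also addresses the false-positive limitation for busy ATMs. The event format, weights and thresholds are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Baseline:                 # learned per ATM from its own history (assumed)
    tx_per_hour: float          # mean completed transactions per hour
    tx_std: float               # standard deviation of that hourly count
    abort_ratio: float          # usual share of insertions with no transaction

def clamp01(x):
    return max(0.0, min(1.0, x))

def score_window(events, hours, base):
    """Score one ATM's event window in [0, 1].
    events: list of (card_token, outcome), outcome "completed" or "aborted"."""
    completed = sum(1 for _, o in events if o == "completed")
    aborted = [tok for tok, o in events if o == "aborted"]
    # Rate vs. this ATM's own baseline, so a popular ATM is not flagged
    # just for being busy: 0 below 2 sigma, 1 at 6 sigma.
    z = (completed / hours - base.tx_per_hour) / max(base.tx_std, 1e-9)
    rate = clamp01((z - 2.0) / 4.0)
    # Share of insertions that end without a transaction, above the usual share.
    ratio = len(aborted) / len(events) if events else 0.0
    abort = clamp01((ratio - base.abort_ratio) / max(1.0 - base.abort_ratio, 1e-9))
    # Same card inserted repeatedly without completing: 0 up to 2 tries, 1 at 5.
    repeat = clamp01((max(Counter(aborted).values(), default=0) - 2) / 3.0)
    return round(0.4 * rate + 0.3 * abort + 0.3 * repeat, 3)

def respond(score):
    """Map the score to the responses listed in section 4 (thresholds assumed)."""
    if score >= 0.6:
        return "block ATM and request inspection"
    if score >= 0.3:
        return "notify monitoring center"
    return "no action"

# Constructed sample windows, one hour each.
QUIET = Baseline(tx_per_hour=20, tx_std=5, abort_ratio=0.05)
BUSY = Baseline(tx_per_hour=200, tx_std=30, abort_ratio=0.05)
normal = [(f"n{i}", "completed") for i in range(22)] + [("n99", "aborted")]
busy = [(f"b{i}", "completed") for i in range(230)] + [(f"x{i}", "aborted") for i in range(10)]
probing = ([(f"p{i}", "completed") for i in range(18)] + [("T1", "aborted")] * 5
           + [(f"q{i}", "aborted") for i in range(3)])

if __name__ == "__main__":
    for name, ev, base in [("normal", normal, QUIET), ("busy", busy, BUSY), ("probing", probing, QUIET)]:
        s = score_window(ev, 1.0, base)
        print(name, s, respond(s))
```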
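The last step of the example scenario in section 5, linking cards that were later used fraudulently back to the ATM they have in common, as an added example (not code from the original post). The record layout, the 30-day lookback and both thresholds are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

def common_points(usage, fraud, lookback_days=30, min_cards=3, min_rate=0.2):
    """usage: iterable of (card_token, atm_id, date_used).
    fraud: dict card_token -> date of first reported fraud.
    Returns [(atm_id, fraud_cards, all_cards, rate)] for ATMs where enough
    later-defrauded cards were used shortly before their fraud, highest rate first."""
    seen = defaultdict(set)   # atm -> every distinct card used there
    hit = defaultdict(set)    # atm -> cards used there within the lookback before fraud
    window = timedelta(days=lookback_days)
    for card, atm, day in usage:
        seen[atm].add(card)
        reported = fraud.get(card)
        # Count the visit only if it precedes the fraud and falls inside the window.
        if reported is not None and timedelta(0) <= reported - day <= window:
            hit[atm].add(card)
    flagged = []
    for atm, cards in hit.items():
        rate = len(cards) / len(seen[atm])
        # Require both an absolute count and a share of the ATM's traffic, so a
        # single compromised card that visited a busy ATM does not implicate it.
        if len(cards) >= min_cards and rate >= min_rate:
            flagged.append((atm, len(cards), len(seen[atm]), round(rate, 2)))
    return sorted(flagged, key=lambda r: (-r[3], -r[1]))

# Constructed sample data (tokens stand in for card numbers).
D = date(2024, 3, 1)
USAGE = [(f"c{i}", "ATM-MALL", D) for i in range(10)]
USAGE += [(f"b{i}", "ATM-BANK", D) for i in range(19)] + [("c0", "ATM-BANK", D)]
FRAUD = {f"c{i}": D + timedelta(days=9 + i) for i in range(4)}
FRAUD["c4"] = D - timedelta(days=10)   # fraud predates the ATM visit: not counted

if __name__ == "__main__":
    for row in common_points(USAGE, FRAUD):
        print(row)
```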