We are all accustomed to the phrase “technological progress”. Quite a few years ago, the change of generations of all kinds of devices and gadgets became as common a phenomenon as the change of seasons. And it surprises no one, for the most part. We are accustomed to the metamorphosis of mobile phones, home TVs, computer monitors, now watches and even glasses have caught up. However, there is a certain small class of devices that many have heard about, are afraid of, but only a few have seen in person. We are talking about skimmers.
In Russia, ATMs are still not that common, despite 23 years of official capitalism. But even here, skimmers have become a kind of urban horror story. And few people think that these devices, using high-tech components, also evolve over time. And therefore, of particular interest is the recently published material, which clearly presents the stages of “modernization” of skimmers, right up to the latest developments of criminal craftsmen.
At its core, skimming is a method of stealing certain information necessary to carry out a transaction from a bank account in order to steal funds. Simply put, in order to withdraw money from your bank card account through an ATM, scammers need to find out your PIN code and read the data from the magnetic stripe. And for this, devices of various designs and operating principles are used - skimmers.
Skimmers are designed to be as invisible as possible to ATM users. Often they mimic some element of the interface or external design. This makes it very difficult not only to detect skimmers, but also to catch the attackers themselves. And over the past 12 years, skimmers have undergone serious metamorphoses. At least judging by the samples that were discovered during this period.
2002-2007
In December 2002, CBS reported the discovery of a never-before-seen device that could "capture names, account numbers and other identifying information from the magnetic stripes of bank cards and then download them to a computer." Personal Computer!
At the time, even legalists believed that skimmers were science fiction. When fraud prosecutor Howard Weiss himself became a victim of skimming, he was shocked that technology had reached such a level.
Of course, complete ignorance of the facts did not last long. In 2003, customers using an ATM at a New York grocery store lost a total of about $200,000 in one day. Subsequently, a warning letter began circulating online:
2008
Earlier this year, Naples police received a call about a failed attempt to place a skimmer:
This rather primitive device consisted of a reader, which could be purchased legally, installed on top of an ATM card reader. And under the plastic visor above the monitor there was a small camera installed.
2009
The first generations of skimmers were rather primitive crafts. Below is one of the designs, which includes a battery, a flash drive and a miniUSB port.
This skimmer was discovered by one of the readers of the website Consumerist. The vigilant user suspected something was wrong, pulled the card reader and this fell into his hands .
Less than a month later, another skimmer was discovered that prevented the ATM from reading cards correctly and included a fake mirror with a built-in camera.
At the time, the key to successful skimming for scammers was to find a way to get the stolen information from the skimmer:
Early models of skimmers sometimes caused ATMs to malfunction. But soon the attackers learned to successfully parasitize them.
2010
For years, skimmers have used cameras to steal PIN codes. But it wasn't so easy to place them discreetly on an ATM. The result was overhead keyboards that recorded the sequence of keys pressed:
As technology advanced, it became increasingly easier for scammers to create compact devices. Outsourcing production services have developed and become cheaper. They started selling entire skimming kits on the Internet, which could be painted in the desired colors upon request. Prices started from $1500.
But this is only an entry-level set. Top devices went for $7000-8000:
Advanced skimmers like this made the work of skimmers less dangerous, reducing the likelihood of being caught red-handed.
2011
Eventually, ATM manufacturers started doing something to combat skimming. Firstly, they began to introduce elements made of transparent plastic, in particular, hemispherical card readers. But the attackers quickly adapted to this:
As you can see, you can only notice the setup by a small, inconspicuous plastic cover. How many of you would pay attention to it? And soon, affordable 3D printing brought the quality of skimmers to a new level:
Home models of 3D printers were still of little use for these purposes, and parts were ordered externally from specialized companies. Above is one of those orders that the manufacturer carefully refused to fulfill.
2012
Detecting skimmers has become increasingly difficult. Below is an almost perfect device. The only drawback is the small hole on the right, through which a small camera captured the PIN code entered on the keypad.
Eventually, skimmers have become so tiny that you can't see them even if you try hard. According to the European ATM Security Team , skimmers as thin as a sheet of cardboard were discovered in July 2012. They were placed inside the card reader, and it was impossible to notice them from the outside.
Now your cards can be scanned not only at ATMs, but also at mobile terminals.
Now any employee can connect the device they brought with them, and at the end of the working day take it away, filled with data from a large number of bank cards. The functionality of these terminals even allows you to simulate a connection error when the data is successfully read. They also come with software for decrypting information from cards, and all data can be downloaded via USB.
2013
Last year, a number of skimming incidents were reported at the Murphy gas station chain in Oklahoma , where a total of $400,000 was stolen. the scammers used readers in combination with overhead keyboards:
The interesting thing about this story is that the skimmers were equipped with Bluetooth modules and received power directly from the ATMs themselves. In other words, their service life was practically unlimited, and a direct visit from the scammers was not required to collect data.
While one “evolutionary branch” of skimmers came to miniaturization, another took the path of radical mimicry. The skimmer below is a huge overhead panel with a display. This sample was discovered in the wild in Brazil:
The device was made from parts from a disassembled laptop.
2014
But this can be attributed more to curiosities, or to the peculiarities of the hot Brazilian character. Still, compact skimmers have a much greater chance of remaining unnoticed. And just last week, such a skimmer as thick as a credit card was discovered:
Fortunately, manufacturers are also not sitting idly by, in particular, using the knowledge and experience of caught hackers to combat scammers. But they quickly adapt, so this situation resembles a struggle between a projectile and armor.
What should we, ordinary users, do? How to avoid becoming a victim of scammers and save your money? Always. Always cover the keypad when entering your PIN code: in most cases, scammers use miniature cameras. And if you use a Chip-and-pin system card , then it is not so easy for attackers to read data from it.
And most importantly, if there is anything alarming about the appearance of an ATM, it is better to use another one. Try to use ATMs only in bank branches, this significantly reduces the risk. Well, try not to keep a lot of money in your “card” account.
