Beware of ATM and gas pump card skimming

David Strom, 8 June 2020

ATMs and gas pumps have long been a target for thieves looking to gather unsuspecting users’ credit card information. Here’s what you need to know.

ATMs have long been targets for thieves; several years ago there was the Tyupkin malware, which could control their cash drawers. But a more popular form of attack is carried out via ATM and gas pump card skimmers, which are typically overlays attached to the outside of the ATMs and pumps. When you insert your card into the machine, these skimmers clone your card and capture your account number and PIN, which are then used later to clean out your account.

PC Magazine has a long list of suggestions about how to recognize these skimmers, as well as how to take care when you are getting cash to ensure you’re accessing a legitimate ATM service. This is especially a problem now that many ATMs are being made by private vendors and are situated in non-banking areas such as bodegas and bars. That could be an issue, especially with the rise of more sophisticated ATM skimmers. You should be worried because this is basically giving your identity to the bad guys.

Brian Krebs is on the case. He posted a series of articles several years ago about his trip to the Riviera Maya in Mexico, where he observed the problem firsthand. He managed to find at least 19 different ATMs that all appeared to be hacked and retrofitted with tiny, sophisticated devices that store and transmit stolen data and PINs via Bluetooth technology. In fact, Krebs found one such machine coincidentally installed at his own hotel! Despite meetings with the hotel security staff, he wasn’t able to get the ATM disabled. These ATM skimmers could have been installed by compromised employees bribed to open the machines and insert the necessary circuit boards to trap customer data.

As Krebs wrote in one blog post, “Stolen card data can be retrieved from the Bluetooth components wirelessly: The thief merely needs to be within a few meters of the compromised ATM to pull stolen card data and PINs off the devices, providing he has the secret key needed to access that Bluetooth wireless connection.” Unlike the more traditional skimmers, there is no way to immediately know if a machine has been tampered with other than by analyzing the Bluetooth signals coming from the machine. Last year, Krebs reported on a new tool called Bluetana that can help locate Bluetooth-based skimmers. It is a smartphone app that is being used by law enforcement.

ATMs aren’t the only place frequented by skimmers: crooks have branched out to attaching their devices to gas pumps too. This is because many are unattended, and just a few master keys can open them up so that the crooks can install their skimming electronics.

Since those posts appeared, journalists have investigated and gotten the attention of law enforcement. They documented how one ring of Romanians bought Chinese-made ATM machines, added their own custom software and Bluetooth devices, and soon controlled more than 100 ATMs in Mexico to skim cards. The ring made millions of dollars from their operations before being shut down by authorities. The journalists have documented how they built their empire and laundered their cash through a series of real estate investments.

Are Fake ATMs a Concern?

Is this just an issue outside of the US? Nope. Back in the US, a Connecticut fraudster was arrested in 1993 for placing fake ATMs across the state. The tipoff? These fakes never contained any actual cash to dispense. Yes, the US has better banking regulations than Mexico, but that just means it is harder for criminals to operate.

What you should do to be more secure

Given these exploits, there are a few suggestions you should remember the next time you need to get cash. First, follow the PC Magazine suggestions on being aware of the kind of ATM (or gas pump) you are about to use. Second, use a bank-owned machine whenever possible and not a private, third-party ATM; the ATM skimmers that Krebs found were all from private parties. Next, always examine your bank statements and reconcile all your account activity, especially the ATM and other debit card withdrawals. The crooks involved in the Mexican ATM scams would just withdraw a few hundred dollars at various locations across the globe to try to thwart detection.

If you use an ATM or get gas, consider using a contactless debit card. This could avoid any skimmer because you don’t insert anything into the card slot of the machine. Contactless cards have been in Europe for many years and recently have finally taken hold here in the States – many of my new cards have this feature. This could take the form of using Apple or Android Pay, which basically turn your phone into a contactless payment source. (Contactless cards are also a lot faster and you don’t have to give anyone your card, which is another bonus outside of using them in ATMs.) And finally, try not to carry cash. Given that cash is no longer accepted at many places because of virus fears, this isn’t such a bad idea.