ATM ‘Skimmers’ Can Be Virtually Impossible To Spot, Says Expert
by technology editor Ian Bush
MEDFORD, N.J. (CBS) — TD Bank says it is getting in touch with customers who may have fallen victim to a card “skimmer” installed on one of their ATMs on Stokes Road in Medford, Burlington County (see related story).
But it can happen at any ATM, from any bank. So how can you keep your cash from ending up in some criminal’s hands?
One expert notes that with plastic that matches the bank’s color scheme and a light-up slot that fits over the actual debit card reader, the fakes can fool you — and cost you.
“Some of these things have gotten pretty sophisticated,” says tech security expert Brian Krebs, editor of KrebsOnSecurity.com. “The ones that fit into the throat of machines would be very difficult to detect.”
Listen to this story:
Luckily for consumers, Krebs says, he hasn’t yet witnessed the sale of that kind of skimming technology — mounted inside the existing ATM card slot — on underground message boards. The popular option for thieves is the all-in-one skimmer.
“It’s essentially a plastic device that fits over the card acceptance slot,” Krebs says, “and it’s made to record the data that’s stored on the magnetic stripe on the back of the card.”
While you’ll be able to jiggle this reader on some shoddy installations, many times it’ll look and feel legit. But even crude skimmers get the job done.
And often, a tiny camera is waiting to catch you enter your PIN.
“Some of the most sophisticated ATM skimmers have a PIN pad overlay,” Krebs explains. “They’re devices that look just like the PIN pad, that sit on top of the buttons and record you entering in the number. But those are far less common than a hidden camera [below]. Bad guys can steal your card number, but it’s a lot less worthwhile to them if they don’t have your PIN. ”
Covering the PIN pad with your hand while you enter your access code can keep you from becoming a victim in that way.
“It’s really important for people to pay attention to their statements and report any unauthorized activity,” Krebs adds. “And your physical safety is always the most important thing. It’s a good idea to use ATMs that are in well-lit places, not tucked away in a corner somewhere. I always recommend that if people have the option, go to a real bank ATM instead of one that’s stuck in a convenience store or managed by a third party, because they’re monitored less closely.”
But the skimmer in Medford, NJ was installed at a TD Bank branch.
“This is a crime that is often frustrating and inconvenient,” Krebs says. “But consumers are protected — at least in the United States — against this type of fraud.”
Driving home the point that cover-your-PIN is key, Krebs — who has researched and written a series on skimmers on his website, which includes photos of the devices in many shapes and sizes — says he’s even seen skimmers mounted at doors to major bank vestibule ATMs: your card is skimmed when you swipe to open the door, and a camera is inside to record your secret code.
“They get your card data, they get your PIN, and they never have to touch the ATM,” he says. “Another thing I tell people is, if you see two ATMs and one is out of order, you might want to pay special attention to the one that’s not out of order. I’ve seen this technique used where they compromise one ATM in a string, and they’ll put out-of-order signs on the ones that aren’t compromised.”
In a statement, TD Bank says it’s contacting customers who may have been affected by the breach. The company encourages ATM users to cover they keypad when entering their PIN and to carefully review bank statements and credit reports for unauthorized activity.