Can’t Hack a Hacker: Reverse Engineering a Discovered ATM Skimmer
When traveling, Elizabeth and I are always a little bit extra cautious; we hide money in special belts, we carry emergency cards in 3 separate places, we never withdraw more than $100 from the ATM. One precaution Elizabeth always takes, is covering her PIN number with her left hand while she types it with her right. At first, I thought it was over-paranoid, but being a security researcher, I was soon covering my PIN every time I typed it as well. Little did I know that this precaution would soon pay off…
What is a Skimmer?
Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:
- They want your card number
- They want your PIN number
To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine.
The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming”.
Once they have your card number, the second part of the equation is getting you PIN. Not surprisingly, the creativity of the criminal mind offers a few ways to do this. Most often, some sort of hidden camera is placed where they can view you typing the PIN. This is harder than it sounds because a camera will need power and a way to download footage to the attackers.
PIN pad overlays are devices that sit on top of the pin pad to record typed numbers. Similarly, making an overlay isn’t as easy as it sounds. In addition to looking like a legitimate part of the ATM, these PIN pad overlays need power, storage and download capabilities to be effective. Here is a video of a team of thieves installing a card skimmer overlay at a convenience store:
How do you protect yourself?
Krebs recommends two simple protections.
- Jiggle that ATM
Give the card reader area a good yank. Don’t get out your crowbar, just see if any pieces of the ATM come-off easily. Usually the skimmers will snap into place or use light adhesive so they can be easily removed and swapped-out by the thieves.
- Cover your PIN with your hand
This will not protect you from PIN overlays, but it will hide your PIN from hidden cameras. Plus it’s so easy to do, why wouldn’t you?
Finding a Skimmer in Bali, Indonesia
Outside of a popular tourist grocery store, there is a bank of ATMs.
The photo doesn’t do it much justice, but each ATM has it’s own entrance and tiny, air-conditioned cubicle. Tourists feel safe because no one can see them pocketing cash from the street.
We have used this ATM before. This time, when I went with Elizabeth to get some cash, I jiggled pieces of the ATM. The card reader was solid, but when I pulled on the guard that hides your hands when you type your PIN, it came right off.
A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.
I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!
We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.
By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.
The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.
Probing the Ports
The night we got it home, I couldn’t wait to figure this thing out. The thing that stood-out the most was the port on the front. I imagined it was a way for the criminal to download the footage recorded.
This cable would use 4 wires and I immediately thought “USB”. I wasn’t at home with my lab and soldering iron, so I had to make due with what I had. I cut one of my cell-phone chargers in half and stripped the 4 wires inside.
Next, I had to guess at the order of the wires. I thought the port resembled the USB pins on a motherboard so I used an image of the wiring order as my guide.
Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and….
It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.
After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down].
The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual key-presses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.
Some other interesting footage include the skimmer being installed. Unfortunately, you don’t see the person’s face or any tattoos that could identify them.
The most entertaining is probably the discovery of the device by Elizabeth and I.
How is the device made
Next I took to disassembling the device. This was a pain because it was an injection-molded plastic shell with Sculpy and hot glue inside. The sketch below should give you an idea of how the components are arranged and concealed.
The outer shell looked like an actual hand-guard that would have been ordered from somewhere. The yellow stuff was added and sculpted by the criminal. It was difficult to chisel away the yellow material without damaging the electronics inside. It took some time, but I was finally able to dig down to the components inside.
On the left you see the power source [Samsung battery], the controller board is on the right with some ribbon cable that goes up to the pinhole camera.
Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.
The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.
Also, choosing to use a pre-made spy camera has lot of advantages:
- Motion detection built-in
- Storage built-in
- USB connection built-in
- Low power consumption
The device is handmade not mass-produced. Since the attacker has to manually remove and download the contents of the device, they must have more than one so they can be swapped. I predict that the criminals produced only a handful of the skimmers. To check this theory I went back to the ATM a few days later…
I never found a physical card skimmer (the part of the system that grabs the card number). The wires visible behind the machine make me think the card numbers are probably being skimmed over the network. Fear of being shot prevented me from spending too much time investigating at the ATM site after the initial find.
Although the bank had my phone number, the bank never called me back and I didn’t press the matter because I’m not sure how well the Indonesian judicial system works. I was happy to get to research a cool device without getting entangled in legal proceedings.
I hope this encourages you to keep your eyes peeled for skimmers. Remember to wiggle those card readers and cover up those PINs. Happy hunting!
Update: 4 May 2016
According to this news report, the police in Bali recently nabbed a criminal skimming in much the same way. The Bulgarian man was caught placing a skimming device on an ATM 30 minutes away from the one I found.
“The staff saw a foreigner doing something suspicious on March 27. He had apparently changed the ATM’s keypad canopy with one that had an ATM skimming device.
Ivanov allegedly used two devices — a router to steal the bank data of customers using Wi-Fi and a key pad canopy that had a camera and a USB to steal data, Reinhard said.”
This sounds very similar to the device I found and confirms my suspicion that they were getting card numbers over the network. I doubt this individual was working alone, but I consider this a major win for the Bali Police and tourists visiting Bali.
We can help keep bad guys like these from exploiting weaknesses in your company.
Great write-up. Thank you.
Hey, as an Indonesian I am truly sorry you had to deal with this in Bali. Had heard of rumors of card skimming mostly in the US, but am surprised people found ways to card skim in here. Stay safe.
It’s pretty much everywhere………………………………..
I guess the movies have the recorded date and time. If you would supply the date and time when they installed it, to the bank, they should be able to check it with their security cam for that time and get an image of the skimmer. Just an idea.
Creepy yet instructive! Thank you a lot! Maybe to cover the sound of buttons we should whistle something loudly 😀
Stay safe, dude.
Still curious how they grab the card data.
Maybe they didn’t. Perhaps there was a pickpocket outside that just grabbed wallets and then later they found the PIN on the camera.
trough the usb port – the four holes explained at the beginning – if you can see the videos you can copy on a hard drive and then delete them and thus make room for more recordings
Great job! loved the article.
interesting post. my only question is if they could get the card # over the network, then what is preventing them from also getting the pin that way?
pin code is used to unlock the smartcard, it is not sent over the wire. Pretty much the same than a phone SIM card 🙂
As far as I know, the pads themselves encrypt the pin, they pass only the encrypted version to the rest of the ATM and only this encrypted version is communicated over the network.
Skimmers have always fascinated me, and ATMs have always puzzled me for similar reasons. Security. I’ve always questioned why an ATM beeps when you press a key. Yes, accessibility, but why not do a visual cue only (* appearing on the screen) unless the user has headphones plugged in for the audio cues? That’s just one thing I’ve always thought of. Keypads at convenience stores rarely beep with each keypress; Gas Pumps rarely beep like that. I tend to fake a few button presses on most keypads, just to try and ensure that if there’s a camera partnered with a skimmer, it’s a hell of a lot harder to get my PIN, but if the ATM’s dutifully reporting each keypress, it’s not going to do me much good. I also cover the pinpad with my hand to try and protect a little more, but once again, it doesn’t protect against keypad overlays. I’ve yet to encounter a skimmer in the wild (that I’ve noticed, but I’m fairly sure I’ve been had by one at least once before) but I’d probably do the exact same thing. Albeit it’s a bit of a risk to do so in the US, as you might end up holding the bag for being the one who installed the skimmer.
Redarding beeping keypads on ATMs but not gas pumps: there’s a higher likelihood of the blind getting cash or making an ATM deposit than using a gas pump, ergo sound cues more likely to be used on the ATM.
The keys beep for the same reason there is braille on them – for people who can’t see. So they know each press was entered.
most pin pads i’ve used in the uk beep!
Love this. Makes me more paranoid. Shared 🙂
bobo: The PIN never gets sent over the network, since it’s the card itself that verifies the PIN and not the bank. (Chip and PIN cards have a microchip that can do this.)
Matt: When you reported the device to the bank, why did they let you keep the skimmer? I’m confused about that.
The PIN being sent over the network is implementation dependant.
I have 3 ‘chip’ cards with contactless. They will not work in France or the UK as “PIN” cards, as unlike the banks in those counties, our banks do not encode the PIN into the chip. Verification is online. Means in France and the UK I have to sign for purchases, something that is no longer allowed at home.
Most of the ‘swipe to enter cubicle’ systems i’ve seen don’t care what card you swipe, only that they can read something. I’ve opened them with my office access card and other ‘random’ cards with mag stripes.
This is true with PURCHASES (POS) only, using the off-line PIN stored on the chip. The on-line PIN is used for ATM transactions, this happens after entering your PIN, selecting your transaction, it the connects to the bank network, verifying your PIN and completing the transaction. Strangely it is possible to have a different PIN for each- if your PIN has been reissued by your bank, this will change the on-line PIN, so the bank will refuse ATM transactions with the old PIN, but the card still has the old PIN saved on it for PURCHASES. This is then rectified by using the PIN UNLOCK transaction at the ATM, using the new pin which is verified by your bank to change the off-line PIN on the chip.
Did the little air conditioned room require you to swipe a card to gain access?
That’s started to get more common in the US. A lot of banks will keep the ATMs indoors with a stripe reader to gain access during off hours. Separating the skimmer from the pin capture can be easier. That offers a couple attack routes. You can MITM that reader. But as people become complacent with having to scan their cards to gain access, all the skimmer needs to do is find a room that isn’t protected and put their own skimmer next to it. Not everyone swipes, but enough will.
I have a Visa gift card I never activated for exactly this use-case. If I do need to swipe something to get in, that’ll do it, and if it turns out to be fake, the scammers get a pin number without the right card.
I have 2-3 magnetic strip cards who are not a bank cards, but they all open ATM room near my office 🙂
Likely the locking device just check if card have particular formatted data on them…
Shaftway, years ago I noticed that I could swipe any card with a magstripe to get inside the stm area! WTH?
I got about 3/4 of the way through the article before I realized, “Wait, Elizabeth and Matt?” I know them peoples!
Anyway, good looking out.
Cool article. Just half year ago I was skimmed in Bali for 5000$, due to some circumstances my bank couldnt prevent or refund it. I filed a local police record, and eventually the european ring of skimmers was busted, one guy from Serbia.
One silly ATM caught me off guard and now I’m afraid of them for till end of my life
Why didn’t the bank refund you?
Look on the hand of the guys who install the skimmer. Does not look Indonesian to me but rather caucasian. Most likely some Bulgarian or other Eastern Europeans for skimming as they’ve already caught a bunch already in Bali.
Source: http://www.thejakartapost.com/news/2015/10/20/119-foreigners-arrested-atm-skimming.html and http://www.thejakartapost.com/news/2016/04/06/bulgarian-nabbed-in-bali-for-an-alleged-atm-skimming.html
Thanks for this! Adding an update to the post.
Taking sometime of mylife to think about more good things for the future. I could only come up with one thing, finding my Lord God
Did you take the second skimmer?
no. we were too scared that it might be under surveillance.
This is absolutely epic. Great post, thanks for sharing. I’ll now be jiggling ATMs everywhere.
It is possible the card number is not being read over the wire. Criminals will sometimes wait to see/discover the PIN and then physically obtain (steal) the cash card.
Nice job and very nice article, thank you!
Did you give some more battery details (capacity, I guess it’s 3,7V) and estimate how long can camera work on single battery? Is the camera running on 3,7V or is there some voltage regulator added? And how many hours of recording can this pretty big SD card hold? I wonder how often they visit this ATM to perform “maintaince” – once a week, once a month?
“When it comes to Indonesian criminal gangs, you can never be too careful.” – this made me smile. Because after all, you put this article on the net, under real name. I know you are in another country right now, but still… Anyway, I guess they are not type of criminals with guns.
BTW you can also play with files recovery on this card. Maybe there are some interesting deleted files.
Hey. The battery looks like a standard Samsung Galaxy battery [3.8V 3100mAh]. The time stamps are wrong on the files, so it’s hard to estimate for sure how long it was there or how much longer the battery would have lasted. The file names range from “2009-1-13 6-52-16.AVI” to “2009-1-13 19-28-32.AVI” and take up around 11GB. So I imagine the SD card would fill up before the battery gave out. So I estimate the criminal would have to come back every couuple days to swap the device and retrieve the files. Thanks for reading!
The battery is a 3100mah capacity battery as mentioned below with a nominal voltage of 3.7v since it is a single cell lithium (voltage range will be 4.2v to ~3v). The type of camera that was modified and used for this device is designed to run in this voltage range and will actually come with a smaller capacity single cell lithium battery itself, so no conversion is necessary. The biggest flaw in the device Matt found was that it records 30 minutes of video per motion even which is a waste of battery. Most devices like this allow you to program this variable so I’m not sure why it is set for so long. I’d estimate the battery would last 2-5 days depending on the number of motion events, but as Matt said, the SD card is likely to fill up before the battery dies. If I were to design this, I would build in a passive motion sensor that would not rely on the CMOS sensor to be powered to detect motion. I would also reduce the recording time to maybe two minutes to conserve power and space. This is probably not worth the effort as it is probably easier to just rotate the device every couple days, but I enjoy designing electronics as a hobby. This is also why I typed this response, as I figured you might also find these details interesting based on your question.
Thanks for posting this.
Check recovery SD card in TestDisk/Recuva
Or, it could be the ATM maintainance guys themselves who put on the skimmers.
When on actual procedure, banks are supposed to install the so called “keypad protector”, the so called ” trusted contractors” themselves install the skimmers.
I believe they might have the access to the security cam as well.
Best thing on the internet today! Thanks
WOW this is GOOD!
They replaced the skimmer! If so then I would put a piece of tape on the lens of the old one. Delete all it’s files and replace them with the nastiest images I can find on the internet. Then reassemble the whole thing and swap it for the new one. Fun!!!
Wow! What a trip! I always cover the keyboard on ATM machines. They freak me out. I guess the only way to seriously avoid skimming is to go directly into the bank and get money. Same with gas stations.
pretty sure this might an inside job.
i know some ATM known for false money, whenever i took some cash on it, the another cash machine won’t accept them. And since the ATM maintenance always seems heavily guarded, i bet an outsider cant do this easily.
especially when i read the last part about the skimmer machine reinstalled again, it just like duude wtf, its an inside job.
Some scammers in the UK went to the trouble of buying a secondhand ATM, creating altered software and installing it inside a UK shopping centre. Nobody questioned the guys in overalls, installing some machine. The scammers’ software took details of cards and PINs but then told customers that there was some problem (e.g. run out of cash) and gave them their card back. Many victims didn’t notice money drawn from their account until they received their monthly statements. The scammers were presumably returning periodically, to download the stored data.
An increasingly popular scam in the UK is to swap POS card readers in shops. The scammers’ POS card readers have been altered to store card numbers and PINs but otherwise work as normal. The scammers have to return, either to swap the card readers or to use wireless technology to read off the the stored data.
Well done. Thanks for sharing!
I’m Indonesian, and unfortunately I was a victim of this ATM skimming too in Bali. My story happened when I traveled to the island back in July 2008 for honeymoon. I used my BCA ATM card on many different locations. It was not until circa December 2009 (yes, one and a half year later!) when I noticed funds where drawn from my bank account. At that time I was at Jakarta, while the “transactions” recorded at Bali, to be particular on different Permata Bank ATMs–later I found out that their ATMs don’t have security cameras.
Fortunately this happened on a large scale, many other where victims of this, it made it to the news (you can search this around Dec 2009 / Jan 2010), so BCA was responsive to my report and I got refunded.
Thank you, very useful. I live in Bali and my office near the grocery store in this article.
Nice article, just to point out with newer generation of 3D printers it gets easier to make skimmers and pin pads overlay 😀
just saw this on twitter. If the date stamp from your google maps screenshot indicates roughly when you were in Bali, then you may well have saved me lots of $$ and hassle. When did you actually visit and pull off the skimmer?
I was there in October 2015, and went to this exact grocery shop quite a few times, using the cash machines outside. (They only allow you withdraw quite small amounts of money, so had to use it almost every day). I recognise the ice cream parlour from the picture (delicious ice cream by the way).
Even if you didn’t save me, you definitely saved quite a few people from the pain of having their card skimmed. So, good on you!
Thanks matt, this article so helpful to me to do more carefull at ATM.
Great job for making us aware of such scams. These are the worst types of crooks, clever, talented and misguided. Some talent involved there, I am sure these types of thieves could find their way out of a bag being dropped off the side of boat before they drown?
a really informative article! You’ve won yourself another reader 🙂
And as a Bulgarian, this makes me sad, because of the bad reputation we get.
Keep up the good work tho!
So, how is the card number intercepted over the network, isn’t it encrypted? Also, why are ATMs so “bulky”, filled with bizarrely shaped parts and crazy indentations? Couldn’t they be flatter to make a skimming device more prominent?
Anyway, great write-up!
“2. They want your PIN number”
They want my personal identification number number?
dude – well done !
So, does the PIN keypad use different tones for different numbers (like a phone)? If so then using your other hand to cover your PIN-entry wouldn’t help.
Also, something I’m not clear on, and may be obvious to an expert, how do the crooks associate the skimmed PIN with the appropriate card number? Is there a clock somewhere so the card number stolen off the wire and the PIN can be aligned? Just wondering – otherwise I guess it’s trial and error to match them up. Thanks for posting; hope I don’t get hassled for giving ATM parts a good tug.
What about these “new” chip-activated cards? Seems to me if they get the card # and PIN the chips don’t provide any added protection.
The Bulgarian skimmer gang operates in South East Asia, several have been caught in the Philippines and Malaysia
I can’t seem to find a video link in English but one Bulgarian was caught specifically in Market Market in Makati, basically they were using a loyalty card from 7-11 (similar to that of an atm card with a magnetic strip) to withdraw money, I don’t know they engineered those 7-11 cards.
As someone originally from Bulgaria, I always do similar checks and try to conceal my PIN the best way I can. Some Bulgarian banks went to great lengths to prevent skimming. For example, many years ago one big bank updated heir card receivers to pull the cards in really slowly and at small steps. The rationale is that the magnetic stripe can only be read reliably when the head is moving quickly and at a more or less constant speed. I’ve never seen such a solution here in Germany – the ATMs just swallow the card at a typical swipe speed.
Anyway, thanks for the interesting write-up. It always saddens me that so many intelligent people from my home region choose the path of least resistance to become cyber-criminals building and deploying such devices in search for quick and risky buck.
I would have took the second one too, Free Micro SD cards!
This is still going on, I just got scammed over 3 grand, in Bali. Wish I knew about this a while ago.