Convenience stores and gas stations have long been on high alert for cyber-thieves who steal credit and debit card numbers from gas pump skimmers, but these retailers also need to be on the lookout for the next generation of ATM skimmers that could be targeting their locations.
Security expert Brian Krebs, who publishes the KrebsOnSecurity blog, warned in September of a new breed of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot.
After banks and credit unions, convenience stores and gas stations are the second most popular location for ATMs, according to ATM distributor Lieberman Companies.
KrebsOnSecurity says that the new flexible ATM skimmers are just 0.68 millimeters tall – for comparison, a U.S. dime is 1.35 millimeters thick.
“This leaves more than enough space to accommodate most payment cards without interrupting the machine’s ability to grab and return the customer’s card,” says KrebsOnSecurity. “The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine.”
The target of these new ATM skimmers is not the chip-card data or transaction information, but the cardholder data that is stored in plain text on the magnetic stripe on the back of most payment cards.
These new ATM skimmers are a workaround for the new EMV chip card technology, which reduced fraud by some 76 percent between 2015 and 2018 among merchants who adopted it, according to Visa.
“Banks have issued EMV technology on our credit cards and debit cards, but the cards still have a magnetic stripe on them with the same cardholder data as the chips – and therein lies the problem,” explained ATM Marketplace. “There are just too many legacy magnetic cards and readers still in circulation, and no vendor is willing to lose a sale due to technology incompatibilities, even if a new technology bolsters security.”
The new skimmers are solely focused on that little black stripe on the back of your ATM card.
“Therefore, when you slide or dip your card into an ATM and there is a skimmer present, it pulls data tracks 1 and 2 from your card. The skimmer ignores the EMV chip entirely,” said ATM Marketplace. “Until the payment industry completely migrates away from magstripes on debit and credit cards, cybercriminals will continue to skim every penny they can.”
KrebsOnSecurity says that cybercriminals are after two things with this new generation of ATM skimmers:
“With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs,” wrote KrebsOnSecurity.
In some cases, to steal PINs, cyber-thieves will embed pinhole cameras in false panels that fit snugly over the ATM’s enclosure on one side of the PIN pad, according to the KrebsOnSecurity report.
Acquiring the customer’s PIN is crucial to the hack and the pinhole spy cameras have been found at ATMs in various locations:
ATM skimmers are common enough that a Google news search for the topic, sadly, returns almost 18,000 results, with many of the stories from the past few days, weeks, and months.
Gas stations and c-stores continue to be prime targets of ATM skimmers judging from recent headlines:
The Houston Chronicle reported in April that since 2018, Houston police have found nearly 630 skimmers at gas stations, convenience stores, banks, and other places across the city.
ATM makers such as NCR are fighting back with new security solutions including “insert kits” which can stop current skimmer attacks.
“NCR also is conducting field trials on a ‘smart detect kit’ that adds a standard USB camera to view the internal card reader area and uses image recognition software to identify any fraudulent device inside the reader,” said KrebsOnSecurity.
Much like ATM Marketplace’s analysis, KrebsOnSecurity says that ATM skimming will continue until the legacy technology is finally retired.
“Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe,” concluded KrebsOnSecurity. “It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backward compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.”
Customers can also help protect themselves by not inserting or swiping their cards when possible – using contactless options if available – and by taking the simple but important step of covering the PIN pad when entering their number.
Even if you have the bad luck to insert or swipe your card where a stripe-reading skimmer is present, the cyber-thieves will be thwarted if their spy camera cannot steal your PIN.