A number of financial institutions in and around New York are facing a series of ultra-thin “deep insertion” skimming devices designed to fit inside the credit card acceptance slot. ‘an ATM. Card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the ATM. Here’s a look at some of the more sophisticated deep insertion skimming technologies that fraud investigators have recently discovered in the wild.
The insert skimmer pictured above is approximately 0.68 millimeters high. This leaves more than enough space to accommodate most payment cards (~0.54mm) without interrupting the machine’s ability to pick up and return the customer’s card. For comparison, this flexible skimmer is about half the height of a US penny (1.35mm).
These skimmers do not attempt to siphon data or transactions from smart cards, but rather are after cardholder data still stored in clear text on the magnetic stripe on the back of most payment cards issued to Americans.
This is what the other side of this insert skimmer looks like:
The thieves who designed this skimmer were looking for the customer’s magnetic stripe data and 4-digit personal identification number (PIN). With these two pieces of data, the crooks can then clone payment cards and use them to siphon money from victims’ accounts to other ATMs.
To steal the PIN codes, the fraudsters in this case embedded pinhole cameras in a fake panel designed to fit snugly into the cash dispenser housing on one side of the PIN pad.
The skimming devices pictured above were taken from a brand of ATMs manufactured by NCR called NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on Motorized Deep Insertion Skimmers, which offers a closer look at other insertion skimmers found targeting this same line of ATMs.
Here are some variations on NCR deep insert skimmers found in recent surveys:
The image below left shows another deep insert skimmer and its components. The image on the right shows a battery-powered pinhole camera hidden in a fake panel directly to the right of the ATM’s PIN pad.
The NCR report included additional photos that show how the fake ATM side panels with the hidden cameras are carefully designed to slide over the real ATM side panels.
Sometimes skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, like in these recent attacks targeting a similar NCR model:
In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM equipped with an insert skimmer:
The financial institution that shared the images above said it has successfully stopped most of these insertion skimmer attacks by incorporating a solution sold by NCR called an “insertion kit”, which prevents current skimmer designs to locate and lock in the card reader. NCR is also conducting field trials on a “smart detection kit” that adds a standard USB camera to view the internal card reader area and uses image recognition software to identify any fraudulent devices inside the reader.
Skimming devices will continue to mature into miniaturization and stealth as long as payment cards continue to store cardholder data in clear text on a magnetic stripe. It might seem silly that we’ve spent years rolling out more tamper-proof, tamper-proof chip payment cards, to undermine this breakthrough in the name of backwards compatibility. However, there are a large number of small businesses in the United States that still rely on the ability to swipe the customer’s card.
Many newer ATM models, including the NCR SelfServ referenced throughout this article, now include contactless capability, which means customers no longer need to insert their ATM card anywhere: they can simply press their smart card against the wireless indicator to the left of the card acceptance slot (and just below the “Device here” on the ATM).
For simple reasons of ease of use, this contactless functionality is now increasingly common in drive-thru ATMs. If your payment card supports contactless technology, you’ll notice a wireless signal icon printed somewhere on the card, probably on the back. ATMs with contactless capabilities also feature this same wireless icon.
Once you get familiar with ATM skimmers, it’s hard to use an ATM without also tugging on some parts to make sure nothing comes loose. But the truth is, you’re probably more likely to get physically attacked after withdrawing money than you are to encounter a skimmer in real life.
So keep your mind sharp when at the ATM and avoid dodgy, stand-alone ATMs in low-light areas if possible. Whenever possible, stick to ATMs that are physically located in a bank. And be especially careful when withdrawing money on weekends; thieves tend to set up skimming devices on Saturdays after business hours — when they know the bank won’t be open for more than 24 hours.
finally but The most important, covering the PIN pad with your hand defeats a key component of most skimmer scams: the spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
Surprisingly, few people bother to take this simple and effective step. Or at least that’s what KrebsOnSecurity found in this skimmer’s tale from 2012, in which we obtained hours of video grabbed from two ATM skimming operations and saw customer after customer go up, insert their cards and type in their numbers – all in the clear.
If you liked this story, check out these related articles:
Crooks goes deep with Deep Insert Skimmers
Unloading data from deep insertion skimmers
How cyber sleuths hacked into a Shimmer Gang ATM