Using the local ATM is by far one of the easiest way to get money in a foreign country, but just like everything else, it does come with its risk.
According to an October 2015 report from the European ATM Security Team, global ATM fraud losses increased 18 percent to €156 million (RM717 million) in the first half of the year, compared to the same period in 2014. The majority of this losses were in the USA and the Asia-Pacific region, particularly Indonesia. The group reported that the most common fraud that led to the increase is ATM skimming.
Skimming is the stealing of debit card number and ATM PIN number using card reading devices that are illegally attached to an ATM. Criminals use skimming devices together with hidden cameras to record you as you enter your PIN number onto the keypad. With both debit card and PIN number, they can then make counterfeit cards to steal money from your bank account.
Matt South of TrustFoundry was in Bali with his partner when they almost fell victim to ATM skimmers. The couple were withdrawing cash from a regular ATM located outside a popular tourist grocery store. The ATM looked safe enough, it was housed in a small air-conditioned cubicle away from prying eyes. This was not their first time using this ATM machine.
Out of habit, Matt jiggled pieces of the ATM machine – a safety precaution he learnt from reading articles about ATM skimmers. ATM skimmers look exactly like a part of the machine but are actually attached using glue. They can be easily snapped on and off by the thieves.
Matt jiggled the card reader, it was solid. When he pulled on the keypad canopy that covers your hands when you enter your pin number, it came right off.
The dubious canopy had a tiny switch, a port for cables, and a faint blue light. Matt immediately suspected that it was a skimmer. “A piece of plastic to prevent people from seeing your pin number should not need a switch or cable,” Matt said. True enough, when he tore open the plastic cover, he found a battery, a controller board, some ribbon cable, and a pinhole camera.
He managed to hack the skimmer. He plugged it into his laptop and lo and behold, 11GB of video files began downloading. The skimmer had been recording 30-second videos of people’s ATM pin number. Each video was named with a date and time stamp.
In the videos, you can clearly see the keypads and hear the beeps. Matt realised that the sound recording was helpful for the thieves as the keyboard beeps correspond to the actual key presses. This way, you can’t fool the skimmer by pretending to press multiple keys. The sound of money dispensing also signals that the PIN is valid.
Amongst the library of videos was a footage of the skimmer being installed.
Matt, who happens to be a security consultant, thought the hand-made skimmer was very cleverly designed. The pinhole camera was small enough, there was built-in motion detection, storage, and USB connection, and the power consumption was small.
The next day, Matt returned to the very same ATM. He was surprised to find that the thieves had re-installed the skimmer. He wasn’t able to find the device that would read his debit card number and suspects that it was probably being skimmed over the network.
A couple of weeks after his find, The Jakarta Post reported that the Balinese police had arrested a 39-year-old Bulgarian man for allegedly attaching a skimming device to an ATM in a supermarket in Nusa Dua. The suspect allegedly used two devices – a router to steal the bank data of customers using Wi-Fi and a keypad canopy that had a camera and a USB to steal data.
It was the exact same modus operandi Matt stumbled upon. He suspects that the ATM skimmer he removed was by the same man.
How many poor victims had lost hundreds and thousands of money by ATM skimmers? Matt and Elizabeth were fortunate that their safety measures had paid off.
The next time you use an ATM, do these two crucial steps that saved them from becoming victims of ATM fraud: Jiggle pieces of the ATM and cover your PIN with your hand. You never know when you might save yourself from an ATM skimmer.
Read Matt’s full story on Trust Foundry.