Since the advent of the Automated Teller Machine (ATM) a few decades ago, banks and their customers have had to deal with a new form of theft: card-skimming. Card-skimming is the collection of ATM card numbers and PINs for the purpose of stealing money from bank accounts, a scheme accomplished through methods as low-tech as simply watching customers as they use ATMs (a technique known as "shoulder surfing"), or methods as high-tech as installing false card readers (or whole false fronts) on top of existing ATMs. With the purloined information, scammers can manufacture counterfeit ATM cards and use them to withdraw money from accounts. (In some cases the thieves may steal the original ATM cards, then use some form of card-skimming to collect the appropriate PINs.)
The scheme described in the e-mail warning quoted above is one of the decidedly high-tech variety: a phony card slot installed over the real one scans information from an entered card's magnetic stripe, and a small camera hidden within an adjacent pamphlet holder records information from the ATM's display screen and keyboard. The pilfered information is sent via a wireless transmitter to waiting thieves, who can capture it on a laptop from up to 200 meters away.
The very scheme pictured here was indeed used in South America to steal information (and money) from customers of Bradesco, a Brazilian bank:
An e-mail, which has been widely circulated in the past week, shows how a fake card slot containing a scanner can be attached to an ATM machine to record data from a credit or debit card's magnetic stripe. A camera attached to the side of the ATM and disguised as an information box is positioned to record information on the screen and the keypad.
A wireless transmitter inside the box then sends the video to the scammers, who can capture the information on a computer in a nearby car or building. The thieves can be up to 200 metres away.
A spokesperson for NCR, the ATM giant which produced the cash machine shown in the e-mail, said the scam had been reported several times in South America. The machine shown in the document belonged to Brazilian bank Bradesco.
Police in Canada, the United States and Malaysia have reported cases of fraud using similar hi-tech methods.1
Similar card-skimming equipment was also found on ATMs in Hong Kong in January 2004:
Two hi-tech pinhole cameras concealed in two automatic teller machines outside a branch of the Hang Seng Bank branch in Tsuen Wan were discovered when a repairman was fixing a blown fluorescent light, it was revealed yesterday.
Each camera, equipped with a transmitter and batteries, was hidden behind a fake panel affixed to the top of the ATM casing, a source said. The machines were at the bank's Tai Ho Road branch.
The home-made panels were described by the source as highly sophisticated and not easily seen.
They were very thin and only about 7cm high, matching the width of the ATMs and painted the same colour.
The cameras were positioned to view the keypads and monitors of the machines to spy on cardholders as they entered their personal identification numbers.
The devices are understood to have been able to transmit images to a remote receiver in the area and had been there for two or three days.2
In the United States, where independent ATMs (i.e., machines not maintained by banks) are more common, some crooks have resorted to even more thorough methods for stealing money. In December 2003, U.S. Secret Service agents arrested Iljmija Frljuckic, who had bought and installed more than 55 ATMs in California, Florida, and New York. Frljuckic used the machines to collect information on more than 21,000 accounts from 1,400 different banks, which he used to appropriate over $3.5 million from customer accounts.
For now the best defense is for ATM customers to remain cautious and vigilant when using their cards, but distinguishing a rigged machine (especially one of the independent variety) from the real thing can be extremely difficult even for the most careful of users. NCR hopes that the introduction of "smart cards" (i.e., cards with embedded chips) will eliminate the problem of counterfeit fraud.
Good advice would be to get into the habit of using the same ATM for almost all of your transactions so as to better recognize when something is different with the machine. Be wary of any changes you see on its outside. If it's affixed to a bank, walk in and ask why the changes were made.