Over 10 billion transactions are performed every year at ATMs and there are over 425,000 of these cash dispensing machines throughout the US for a total of 3,000,000 used globally. ATMs hold anywhere from $3,000 to upwards of $100,000 per machine so they naturally become a prime target for thieves. Physically breaking open an ATM is not trivial, as they house a small internal safe protected with hardened steel. A patient thief would need about 20 hours with a diamond tipped drill just to penetrate an ATM. ATMs have been in use for 50 years but the only thing that has evolved are the thieves trying to crack them.
Some thieves go to the extreme an use a brute force attack. One thief stole a backhoe and drove it down the road for 5 miles to the local bank in a failed attempt to try to break into an ATM in Prince George’s County in Maryland while other criminals try by looping a chain around the ATM and yanking it out with a truck.
Another clever trick called ‘forking’ was discovered in Australia as few years back. Thieves made a small withdrawal of cash and as the cash was being dispensed, they’d jam a forklike instrument into the dispenser causing the ATM software to lock up and reset. The ATM would get confused and the internal trigger would lose track of how much money was dispensed allowing for additional withdraws. Thieves exploited this vulnerability for several years until ATM manufacturers grew wiser.
Over time, various methods to rob ATMs were discovered by the manufacturers and law enforcement so countermeasures were put in place. This caused thieves to get creative. Card skimmers have been used for years by unscrupulous retail employees. These skimmers have been slimmed down to the point where they can be circuitously slid into the ATM card slot so they can steal and store debit card data. This is often accompanied by a covert pin hole videocamera placed to capture the consumers’ PINs. Thieves then create their own fake debit cards with stolen card data and compromised PIN to empty bank accounts. The challenge with many of these skimmers is they have to be carefully placed in the ATM card slot quickly and then eventually removed without getting caught.
Innovative cyber criminals have added a wireless bluetooth module to the skimmers allowing for remote debit card theft. Thieves can now park 50 feet away from the planted bluetooth skimmer for real time collection of each card swiped along with streaming video of PINs entered. In some cases, the thieves can also have the bluetooth skimmer store all stolen card info and issue a wireless command through their bluetooth-equipped laptop to wirelessly dump all the data. This use of bluetooth is fast, convenient and minimizes the risk of getting caught since thieves do not have to uninstall any skimmer hardware.
As a consumer, there are several precautions you can take. I strongly suggest using common sense and thoroughly scanning the area surrounding the ATM for anything suspicious. This includes the ATM itself as well as the surrounding area. Does the ATM you see even belong in a dark alley or on the sidewalk? Before inserting your debit card, physically check the machine for anything suspicious such as loose plastic, misaligned bezels, or any alterations to the keypad. For the really paranoid ATM users (like me), a careful inspection for a pinhole cameras aiming at the keypad would also be in order.
If you suspect a bluetooth skimmer in use at an ATM, you might actually able to see it listed under bluetooth devices on your smartphone. Unfortunately, there are so many bluetooth devices on the market making it difficult to determine which one is coming from inside an ATM and which one is simply a nearby FitBit, Apple Watch, wireless speaker or any of the other 8.2 billion registered bluetooth devices in the world. Too make matters worse, many bluetooth devices do not broadcast their ID and even if they do, locating that suspicious device can still be a guessing game when faced with many nearby ATMs and bluetooth devices.
Security experts including famed security researcher, Brian Krebs, have revealed hidden ATM skimmers and law enforcement agencies have begun to organize task forces to sweep gas station pumps and public ATM areas for hidden skimmers as well. So the problem is being addressed but without dedicated tools, they face many hours of fruitless searching. Fortunately, tools are being developed to quickly detect suspicious bluetooth skimmers and even locate them. As a security expert, I have always advocated for cash purchases when convenient, but it’s getting more difficult to recommend cash when so many ATMs are potentially rigged to steal directly from consumers. Stay safe.
This blog originally appeared on Tripwire’s State of Security.