There's no dearth of sophisticated gear for the aspirational ATM thief. But skimmers don't exactly have an aisle at Wal-Mart. In this Gizmodo investigation, we take a look at the scary internet black market where fraudsters get their tools.
When it comes to new and creative ways of pilfering personal financial data, ATM crime is enjoying something of a renaissance here in the US. In the past year alone, devices like skimmers have been found on POS machines, inside gas pumps, on ticket vending machines, and affixed to ATMs throughout Northern California and the rest of the country. In some cases, thieves have successfully made off with tens of thousands in cash and/or personal card data before anyone was the wiser.
It gets scarier. According to a recent FTC report, in certain parts of the country you're now more likely to be the victim of this category of fraud while making withdrawals than of direct, physical crime.
So what exactly is ATM skimming? At its most basic level, it's when a thief affixes a phony card-reading device over the face of an ATM, and uses either Bluetooth or cellular technology (text messages) to transmit the data received from the magnetic strip to his own nefarious hands. Bam: all your debit card info are belong to criminals. That info is then either cloned onto a dummy card or sold to 3rd parties for cash money.
And good skimmers are virtually impossible to detect. Indeed, manufacturers of these devices have become so adept at customizing their components—matching everything from the color scheme of the particular banking branch to the brand of the machine—that they can blend in perfectly. Enterprising criminals have even started fabricating made-to-order versions, built around photos of specific targets. In addition to the actual skimming component, identity thieves will often hide a small pinhole camera in a brochure holder, light bar, mirror, or one of those speakers on the face of the ATM to capture victims' PIN numbers. They also employ fake pad overlays that record which buttons are pushed.
If you get hit by one of these, a careful crook could slowly drain your account without ever even alerting you. Remember that month when you spent too much by accident and ended up in overdraft? Are you sure that you spent too much? Better take another look at that statement, chief.
But don't take a vow of plastic celibacy just yet. Turns out, getting your greedy little hands on the necessary equipment requires an inordinate amount of patience and hard work. Even then, the would-be thieves (not you) are far more likely to be the targets of fraud. Ah, Karma.
"As with everything in the criminal underworld, the biggest issue is not getting ripped off," says Brian Krebs. The former Washington Post staff writer who now runs Krebs on Security says this is especially true for those looking to break into this increasingly popular field of fraud. During the past two years, Krebs discovered one overarching trend while reporting on the myriad forms of skimmers for his site: Obtaining real, working components—without getting swindled yourself—is friggin' hard.
That's largely because 95 percent of the stuff out there is designed to either relieve the would-be criminal of his own money or force him into unfavorable rent-to-own deals. It's criminals preying on an unlimited supply of other would-be criminals who are, in turn, hoping to take advantage of you. Reminds you of the food chain you learned about in 7th-grade bio, doesn't it?
And this every-crook-for-himself world has never been more ruthless. Skimming schemes are not only complex, but they require sophisticated (custom-made) components. It's particularly difficult to find reputable online dealers, and it's next to impossible to verify the legitimacy of what you're buying before it's too late.
Here's how things generally work when shopping for a phony cash dispenser: First you decide what form of skimming fraud you want to pursue. Do you want to target a specific machine? Maybe you've scoped out a particular ATM at a local branch. You should also have an idea of how much money you're willing to spend, as well as the level of risk you'll want to take on. (Less advanced skimmers require that you not only install them, but also go back to retrieve the pilfered info. DANGEROUS! Also: AFFORDABLE!)
Depending on how you answer those questions, you can either buy your skimming components piecemeal or go for one of the all-in-one solutions. During our hunt, we discovered prices can range anywhere from just shy of a grand to well over $8,000, depending on the target and the specific implementation you choose. The next step is actually tracking down a legit forum where these components are sold. This is key, and usually the trickiest part of the process. While sites like ATMbrakers, Tradekey.com and thousands of others offer forums that claim to sell and rent ATM skimmers, most end up being bogus.
A handy tip: the more reputable the forum, the fewer pictures will be plastered all over its pages. These things are, you know, illegal and stuff. This being the criminal underground, you'll need to find an initiated member willing to give you the thumbs-up. That means you only get access to ATMSkimmer88 and his crew of Russian assemblers if 007Goldenshower vouches for you. In many cases, you'll have to be vouched for by two separate people on a forum. But even that doesn't do the trick sometimes, says Krebs.
Oh, and you'll want to brush up on your Russian, too. While there are many eager sellers on the forums claiming to make skimmers, most of the reputable ones tend to hail from Eastern Europe. If all goes well, you will usually be invited to chat up some shadowy figure on ICQ (Вы говорите по России?), at which point you'll get sample pictures and the menu of skimming options sent directly to your cellphone.
A less dangerous option entails purchasing a generic ATM from eBay or Craigslist. These usually go for around $800, and pop up whenever bars, restaurants, and gas stations go out of business. In this scheme, you basically set up a dummy or ghost machine by hacking the software so that it simply records unsuspecting customers' data without actually allowing a transaction.
Identity theft expert Robert Siciliano did exactly this last year with an ATM he bought off of Craigslist. He eventually walked away with thousands of card numbers after setting up the dummy machine in a high foot traffic area. (This was done with police cooperation.) You'll need to know (or be) someone who can tinker with ATM software for this method to work, but it does cut down on many of the risk factors associated with traditional skimming techniques.
Despite the alarming rise and sophistication in ATM fraud, though, you're still far more likely to have your credit card info stolen by some shitbag waiter running your card at the end of a meal. Combine that with the fact that your personal data actually isn't worth that much in the first place, and you can see why the 'everybody panic' headlines associated with this topic are a bit overblown.
Bottom line? Yeah, the magic of the Internet makes it possible for anyone to buy the equipment necessary to steal your debit card info. But you can take comfort in the knowledge that the creeps looking to purloin your personal data are way more at risk than you.
Original art by Chris McVeigh (AKA powerpig). You can catch all his work at flickr.com/powerpig, and follow him on Twitter. (@Actionfigured)