One of the oldest ATM card-theft tricks is the creation and installation of fake ATM interfaces, complete with keypad and card scanner. They're called ATM skimmers. These are mounted by criminals on top of the real ATM interface. When someone tries to use the ATM, the crooks copy the data from the card and record the PIN entered on the fake keypad.
Here's a security video of a skimmer being installed at an ATM in New Jersey.
This particular crime has been around for years, and it's growing fast.
The FICO Card Alert Service says the number of ATMs with compromised security increased sixfold in 2015 over the previous year.
The biggest recent innovation in the world of ATM insecurity comes in the form of pinhole "spy" cameras. While a skimmer copies the data on the card, the camera records video of the bank customer entering his or her PIN. Later, the crooks can make a fake duplicate card, and use the PIN they saw entered on the video.
This is a better solution than fabricating a mock keypad, because the equipment is smaller and less difficult to build. Victims use the actual ATM keypad, instead of a fake one. Only the card skimmer is fake.
This method has mostly replaced the old approach of fabricating a phony keypad. Already some 90% of skimmers found now use pinhole cameras, according to Verizon.
The London police do a great job raising public awareness about various types of theft and what people can do about it. The department's official Twitter account tweets photos of new ATM scams they discovered, such as this and this. The department is trying to get people into the habit of covering their fingers while entering their ATM PIN, just in case there's a hidden camera watching. They use the hashtag #CoverYourPin.
These pictures reveal that ATM-installed pinhole cameras are almost impossible to spot.
Security experts say you should look for signs of tampering, such as broken, scratched or loose fixtures, before using an ATM.
The New York Police Department says crooks often install card-skimming electronics on one machine, then damage nearby machines to force customers to use the compromised one. They warn that customers should avoid using an ATM if it's one of several and the others are out of service.
In fact, the evolution of ATM skimmers tracks the same trends in consumer technology -- thinner, smaller and more mobile.
That's why the advice to look for ATM tampering works only for the "traditional" skimmers that duplicate ATM interface elements.
The newest threat is something ATM maker NCR calls "deep insert skimmers." Instead of an elaborate fake ATM interface placed on top of the ATM, "deep insert skimmers" go inside the scanning mechanism where they can't be seen, and where they don't interfere with the functioning of the ATM's card scanner.
Sign up for Computerworld eNewsletters.