Over 10 billion transactions are performed every year at ATMs, and there are over 425,000 of these cash-dispensing machines throughout the U.S. for a total of 3,000,000 used globally. ATMs hold anywhere from $3,000 to upwards of $100,000 per machine, so they naturally become a prime target for thieves.
Physically breaking open an ATM is not trivial, as they house a small internal safe protected with hardened steel. A patient thief would need about 20 hours with a diamond tipped drill just to penetrate an ATM. ATMs have been in use for 50 years, but the only thing that has evolved are the thieves trying to crack them.
Some thieves go to the extreme and use a brute force attack. One thief stole a backhoe and drove it down the road for 5 miles to the local bank in a failed attempt to try to break into an ATM, while other criminals have tried looping a chain around the ATM and yanking it out with a truck.
Another clever trick, called ‘forking,’ was discovered in Australia a few years back. Thieves make a small withdrawal of cash, and as the cash is being dispensed, they jam a fork-like instrument into the dispenser, causing the ATM software to lock up and reset. The ATM gets confused, and the internal trigger loses track of how much money is dispensed, thereby allowing for additional withdraws.
Thieves exploited this vulnerability for several years until ATM manufacturers got all the wiser.
Over time, various methods to rob ATMs were discovered by manufacturers and law enforcement, so countermeasures were put in place. This caused thieves to get creative.
Card skimmers have been used for years by unscrupulous retail employees. These skimmers have been slimmed down to the point where they can be circuitously slid into the ATM card slot so they can steal and store debit card data. This is often accompanied by a covert PIN hole video camera placed to capture the consumers’ PINs.
Thieves then create their own fake debit cards with stolen card data and compromised PIN to empty bank accounts. The challenge with many of these skimmers is they have to be carefully placed in the ATM card slot quickly and then eventually removed without getting caught.
Innovative cyber criminals have added a wireless Bluetooth module to the skimmers, allowing for remote debit card theft. Thieves can now park 50 feet away from the planted Bluetooth skimmer for real-time collection of each card swiped along with streaming video of PINs entered.
In some cases, the thieves can also have the Bluetooth skimmer store all stolen card info and issue a wireless command through their Bluetooth-equipped laptop to wirelessly dump all the data. This use of Bluetooth is fast and convenient, and it minimizes the risk of getting caught since thieves do not have to uninstall any skimmer hardware.
As a consumer, there are several precautions you can take. I strongly suggest using common sense and thoroughly scanning the area surrounding the ATM for anything suspicious. This includes the ATM itself, as well as the surrounding area.
Does the ATM you see even belong in a dark alley or on the sidewalk? Before inserting your debit card, physically check the machine for anything suspicious, such as loose plastic, misaligned bezels, or any alterations to the keypad. For the really paranoid ATM users (like me), a careful inspection for a pinhole cameras aiming at the keypad would also be in order.
If you suspect a Bluetooth skimmer in use at an ATM, you might actually be able to see it listed under Bluetooth devices on your smartphone. Unfortunately, there are so many Bluetooth devices on the market, thereby making it difficult to determine which one is coming from inside an ATM and which one is simply a nearby FitBit, Apple Watch, wireless speaker, or any of the other 8.2 billion registered Bluetooth devices in the world.
To make matters worse, many Bluetooth devices do not broadcast their ID, and even if they do, locating that suspicious device can still be a guessing game when faced with many nearby ATMs and Bluetooth devices.
Security experts, including famed security researcher Brian Krebs, have revealed hidden ATM skimmers and law enforcement agencies have begun to organize task forces to sweep gas station pumps and public ATM areas for hidden skimmers, as well. So the problem is being addressed, but without dedicated tools, they face many hours of fruitless searching.
Fortunately, tools are being developed to quickly detect suspicious Bluetooth skimmers and even locate them. As a security expert, I have always advocated for cash purchases when convenient, but it’s getting more difficult to recommend cash when so many ATMs are potentially rigged to steal directly from consumers. Stay safe.
About the Author: Scott Schober (@ScottBVS) has lectured and presented extensively regarding cybersecurity and corporate espionage at numerous conferences around the globe. He has recently overseen the development of several cell phone detection tools used to enforce a “no cell phone policy” in correctional, law enforcement and secured government facilities. He is regularly interviewed for leading national publications and major network television stations, including Fox, Bloomberg, Good Morning America, CNN, CCTV, CNBC and MSNBC. He is the author of “Hacked Again” and writes, “In a modern digital world no one is safe from being hacked, not even a renown cybersecurity expert.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.