Give Me Back My Money, ATM: A Hands-On Guide to Skimmers
A first-person account of discovering an ATM skimmer in the wild, with detailed explanations of how skimming devices work, how criminals install and operate them, and practical tips for protecting yourself at ATMs.
It happens that a familiar, seemingly ordinary thing comes with such a twist that you start looking at it in a completely different way. That's what happened to me... for a couple of years I'd been withdrawing money from my card in a hundred different places without any trouble... then I arrived in a small town and at the very first ATM I encountered that very twist. The place and circumstances were such that in just a few moments I'd accumulated enough food for thought and impressions to last two weeks.
For some reason, I thought this could only happen in the land of ever-green presidents, and that we simply didn't have the personnel to do this sort of thing. Turns out I was deeply mistaken. You just don't encounter every day something you've only read about in magazines or on the internet, or seen in movies [by the way, I can't recall a single movie that featured a skimmer :) ].
What is a skimmer? If you search on Yandex, the first results will tell you it's some kind of pump for cleaning swimming pools. But think about it — a pump and an ATM... something doesn't add up. Although, pumping money out of an ATM with a pump — quite fitting :)
Without delving into the history of the name, a skimmer is a small device that can help criminals use your plastic card.
Those of you who are in the know are probably reading this and chuckling at my description, but this was the first explanation that came to my mind.
A skimmer usually consists of two elements — an overlay keypad (pin-pad) and a magnetic stripe card scanner.
The pin-pad is placed precisely over the ATM's original keypad and allows criminals to learn your PIN code (a miniature camera can also be used for this purpose), while the scanner is attached over the card insertion slot. The camouflage does its dirty work.
You insert your card into the ATM (not suspecting that you're inserting it into the criminals' card scanner, after which the card goes into the ATM's actual slot) — voila, the data from your card (the dump) is already either on the storage device inside the scanner, or has already been transmitted via wireless interface to someone. Then you enter your PIN code, which is also either saved or immediately sent. That's it — to use your money, all that's left is to make a duplicate card, which apparently is done quite easily — using the dump, a blank piece of plastic is programmed and it's ready.
By the way, it's much worse if there's no overlay keypad on the card reader and someone is simply watching you enter your PIN code. Even worse if you just stepped out of your polished-to-mirror-shine Audi Q7 (or a 99, third-gen BMW, Lancer — pick your favorite), in a fancy sheepskin coat, with a headset but no helmet. In that case, there's every chance you'll simply get whacked over the head with something heavy and hand over your card money just as easily. But that case isn't as interesting — mugging has existed everywhere and always.
Despite always looking at the ATM before inserting my card, that time I inserted it anyway. We weren't alone, and there was no time to examine the ATM. I was about to enter the PIN code when I noticed the keypad wasn't flat but convex — which it shouldn't be. Quickly comparing the texture of the keypad and the ATM body with my finger, I mentally tried to convince myself everything was fine. A second later I told my friends:
— Damn, looks like a skimmer.
We froze. I pried the keypad with my fingernail... first the nail went in, then the finger... pure excitement :). When I realized the keypad was coming off, I thought I'd broken the ATM and there would be nothing under the buttons, and I'd just glue it back and withdraw my money.
Lifting the keypad, we were stunned — underneath was an exact copy of our keypad, only perfectly flush with the ATM's surface.
— Holy cow, it's a skimmer! A skimmer, damn it! Oh my God, I've never seen one in person before, turn it around, let me take a photo!
— Yeah, first time seeing one too. Except my dump is already in there, and it should've been one of yours :)
I shifted my gaze to the card reader — no longer thinking clearly, I tried to pull out my card. No luck. I remembered the Cancel button, pressed it — the card came out. Whew.
When I pried at the protruding card reader with my nails, it also came off — which only added to the horror. We examined the device for a few seconds — some lights were blinking, there was a battery, neat soldering... yes, clearly this is taken seriously. A moment later, we all simultaneously realized we shouldn't be standing there anymore :)
The rest was like in a movie :) The cops promised to arrive within an hour, which in our case obviously didn't help us at all. The skimmer peacefully returned to its rightful owners :) And we, realizing we walk under God, teleported away.
So, those were roughly the emotions from the first encounter. What food for thought did we get that day?
First, it was the first hands-on experience — we learned what it looks like, what it consists of, who guards it and how. Everything below is speculation.
From unreliable sources, the price for a set of equipment of this type (the hardware itself, software, etc.) is around 3-5 thousand dollars (despite the fact that there's nothing supernatural about it), which is already reason enough not to leave the device unattended. The price depends on the construction and the configuration. Some can work autonomously for a long time, some store dumps on their own memory card, some transmit information to the owners immediately (exotic).
A quote from some website: "News about skimmers has appeared more than once, but the devices improve every day. This time the skimmer no longer needs to approach the ATM to download information — it's sent via SMS. The device can send up to 1,856 SMS messages on a single charge. It costs $8,500. The paint for the external parts is purchased from the same factories as ATM manufacturers, taking into account temperature, angle, and painting time. At first glance, it's virtually impossible to tell the difference.
The only BUT... If the bank employees react quickly and trace the criminal's SIM card, catching them might actually be easier..."
Therefore, somewhere within direct line of sight there's definitely someone, even if you can't see them. But they can see you, for example, from a tinted car across the road ;) Since the observer's job is essentially guarding the equipment, I'm almost certain their build is that of a proper security guard ;)
If you think you outsmarted everyone by ripping off the skimmer and running — don't celebrate too soon. They might find you through the dump, or you might have dropped your ID — anything can happen ;) And afterward there might be no happy ending. So think about whether it's even worth getting involved — maybe it's simpler to withdraw money somewhere else?
Next, let's think about where skimmers tend to be found. Obviously, the ideal location is where there are more people — and not students with stipends, but proper people. I think you could encounter a skimmer near train stations, airports, casinos, cafes, cinemas, electronics stores and other busy spots — in short, places where people need to withdraw large amounts of cash.
After wandering for a couple of hours around flea markets and electronics bazaars, passing through a couple of train stations — I didn't find anything interesting. From this, it follows once again that the devices aren't always in place.
I presume that first the guys figure out the service schedule for the target location — what days and times the armored car arrives to load money, when they pass by, and so on. Since the armored car crews are probably different each time, the criminal shouldn't count on their kindness toward the skimmer. Therefore, skimmers are probably attached and removed several times a day.
But this raises another point. Even the loneliest ATM usually has cameras, and someone from security should be watching them. And I won't even mention ATMs inside bank branches. Therefore, I refuse to believe that every time someone attaches a device to the ATM, nobody notices and nothing is done. Yes, the criminal can block the camera for a few seconds while doing their thing... but this is supposed to happen several times a day!?! I think you don't even need to attach the device constantly — a couple of hours on one holiday evening would be enough.
What conclusion follows from this? That everyone knows about it perfectly well. And if the girl at the reception desk is just supposed to turn a blind eye, then the bank owners surely don't live on depositors' interest alone =) otherwise there's no point in having such a feeding trough right under their noses. Thus, once again we see how the banking sector treats the ordinary user — an honest person, mind you. Sadly :)
Walking into a bank one day, I encountered a security guard at the entrance who was stepping out for a smoke. Without thinking long, I decided to talk to him — here's the dialogue we had:
— Hello, I wanted to ask a couple of questions about ATM security.
— Give it a try.
(point blank) — Are you aware of what a skimmer is?
— Mm, I've heard of them, why?
— I recently encountered such a device for the first time — I only noticed it after I'd already inserted my card but hadn't entered the code. Can they make purchases on my behalf without knowing the PIN, for example online or in regular stores?
— Honestly, I don't know that. But better safe than sorry — go in and change your code, it'll only take 10 minutes. And where did you find this thing?
— At such-and-such place. But honestly, I was surprised — I thought this only happened in the States, and you'd only read about them in magazines.
— Heh... the States =) you're living in Russia. While the Americans are inventing something, we've already made the "anti" version. They have viruses, we already have antiviruses and vice versa. So in a country where everyone wants to rake in money without doing anything, these devices can't not exist.
— Really! And are there many... in Moscow?
— Plenty. Where do you live?
— Such-and-such place
— Well... not far from me. Look around — you'll find them ;)
— Interesting. And why does nobody fight them?
— It's not that nobody fights them... they do. It's just that since they exist, it means someone needs them to.
— True, where there's smoke there's fire. And how does bank management feel about this, are they aware?
(Perking up) — Of course! :)
— Wow. So it turns out they don't remove them at least partly because management also benefits?
(Smiling) — Well... anything's possible. And what do you even need all this for?
— I just ran into one accidentally, wanted to find out more.
— Be careful. Do you have anything like jurisprudence at your university?
— No, but we had something similar.
— And they didn't teach you which questions you can ask whom?
— They didn't, but I come with purely peaceful intentions ;)
— Obviously. It's just that sometimes, asking a seemingly harmless question can trigger an inadequate response. Same with behavior. Did you know you can't bang on an ATM?
— Nope, does it hit back? ;)
— No. But that could already count as property damage. Just the other day a drunk guy came in, whacked it — a van arrived, they tackled him and took him away. There are all sorts of sensors inside... and try proving you weren't trying to break in.
— Serious stuff here. Alright, let's get back on topic. Tell me something about how they're built, how they're attached, how they're maintained?
— Well, what's there to tell. I don't know exactly how they work, but they're not that hard to spot. For 80-year-old grandmas who've been scammed by the government their whole lives, these tricks are incomprehensible, but if you see something sticking out — don't put your card in, just go to another ATM.
— And if someone rips it off and runs?
— Well, go ahead and rip it off =) You understand, these things aren't left unguarded... if not immediately, they'll find you later. They'll tap you on the shoulder, you won't even notice.
— Interesting... and nobody really cares about any of this?
— Well... sometimes there are demonstrations — specialists drive around, wag their fingers at whoever needs it for the record... and then everything goes back to normal.
— Has anything interesting happened here?
— Nah, that's more for ATMs outside of banks, though anything can happen.
— Well, you've got a bank right here, so...
— The most we've had is someone snatching cash... but again, whose fault is that? Look, there... walked out with a wad of cash... why not put it away immediately? You can count it later... or they enter PIN codes without covering them... and there are a thousand ways to peek. And then they complain...
— Where's your weapon? ;)
(smiling) — I've got the tank today. They won't get far if anything happens ;) Alright, get going, it's not May weather, I'm heading in. Take notes.
— Best of luck, and thank you!
So that's the dialogue we had, but there were almost no specifics. Later, by chance, I managed to find someone online who was in the know — someone I'll never be able to find again :) I didn't take much of his time, but still, I got some information that once again confirmed my guesses:
Me: What types exist (storage method, transmission method, power)? What sizes do they come in? Roughly what are the prices and what do they depend on? Where do they come from — are they mass-produced?
Him: Each device is essentially custom-made — tailored for a specific ATM, since the main required property is invisibility. Nobody mass-produces them since this is after all a criminal offense, but that doesn't mean they're all handmade. The price for a turnkey skimmer is from $5,000 and up. Mostly these are autonomous devices with built-in memory — "install, wait, remove." I haven't had any with data transmission, but obviously that's much safer for the owners.
// Here the contact didn't elaborate on device sizes, but I found a couple of interesting images online. Yes, even a "lighter" like this (more accurately, a "Cube") in someone's hand next to you is capable of draining your entire fortune.
Me: How are they attached? Sometimes they're just placed over the keypad and slot. But I've heard that cameras are more commonly used. Have they come up with anything else?
Him: That's right — in simple models, it's attached only to the card reader + a camera for capturing the PIN. There are quite a few ways to mount the camera.
// Scanning the photo of an ATM, I considered where a camera could be hidden. If it's not an "extra" bank camera that looks like a real one, the options aren't that many. If the person is tall, the camera can be stuck to the upper part of the ATM protruding over the keypad — you won't see it easily, but by leaning down slightly you will. Or you could hang your own "lamp" for illumination, hiding a grain-sized camera in its transparent plastic (have you seen how tiny cameras are in some video intercoms? "." — slightly bigger than that period).
Or like in this internet photo — in a brochure holder that was originally given only an informational function.
Or your code could simply be peeked at by people standing nearby ;) That's why mirrors are placed on ATMs for a reason. Banks that care about their customers also install special "fences" on the keypad that help prevent your code from being seen.
Me: Where are they most common — at indoor or outdoor ATMs? Are some ATMs or banks particularly careless about this, while others value their customers? Favorite habitats? Where are there more — in Moscow or St. Petersburg?
Him: Outdoor ATMs are preferred. The more foot traffic — the better. As for banks — no idea. No phreaker will tell you that, or they'll deliberately swap the bank names around ;) Everyone monitors, of course, but nobody will admit their ATM got skimmed. Where there are more — IMHO, in St. Petersburg. But Moscow has plenty too.
Me again: A bit more on prices — can you only buy them online, or do they sell them at electronics markets too? ;) What changes in that case? What should a person do if they remove a skimmer? :)
Him: A ready-made kit bought at a flea market or elsewhere — 99% chance it'll be non-functional or already used, and even then it's hard to find what you need. Online, people are much more willing to make contact, but you can just as easily buy the wrong thing or at an inflated price. The price, again, made to order — from $5,000. If you managed to remove a skimmer — the rest is simple — dump the data from it and sell it to carders. Or to drops. Cashing out the money yourself is equivalent to walking into the police station with a confession.
// Hmm, that $5K figure again ;) On forums, though, the offers vary widely — from $1K to $15K.
Me: Who actually does this — these aren't just boy scout radio enthusiasts, right? How do they install them — do they stick them on every day under the ATM camera in the morning and remove them before the armored car arrives? Or is even the armored car not an obstacle? :)
Him: Who does it? Smart and cautious phreakers (not to be confused with freaks — my note). The most common installation method is after the armored car team arrives and leaves — 5-10 minutes later the "team" returns, and then leaves again. This approach works for organized crime groups that can afford to imitate service technician uniforms. A simpler option is installation for the evening-night, i.e., few people, the armored car is guaranteed not to come until morning (arrival time is determined by simple observation), but security is also higher. Skimmers are also typically installed and removed by a "noisy group of students" — a crowd surrounds the ATM ("blocks the suckers"), the skimmer is installed... and variations limited only by imagination...
Me: I want some numbers :) Is their risk at least justified — how profitable is this fishing? Or if not in dollars, at least in number of dumps. How often do skimmers get stolen? :)
Him: The price of freedom is different for everyone — some take the risk, some don't. But you don't always have to do everything yourself ;) don't be stingy with the percentage cut and everything will be fine. Number of dumps = number of cards inserted into the ATM. The haul — nobody ever gives specific figures. But it covers not only the cost of the device, but enough for a new one too. Maybe you've heard the song: "Restaurant lunches, no neighbors in the house, and a BMW 7-series is much better than a bicycle" :)
Me: I have ;) And what do they actually do with the dumps, what's their further journey? Does a person need to change their PIN if they only inserted the card but didn't enter the code? How quickly does a dump get into "dark hands" and how much time does a person have to save their money? Do they then make a copy of the card, or what can you do with a dump plus a captured PIN? How long does decryption take, or is it a 5-second job?
Him: See above — they're sold to carders or drops. Whoever has the contacts. If the PIN wasn't entered — no need to change it. The dump usually reaches the drops within a day or two after the skimmer is removed. But if the "operation" went successfully, the person only learns that money left their account through SMS banking or the next time they check their card. Decrypt what? The dump? The dump isn't decrypted. It's simply cloned. Yes, drops have card cloning equipment (also an expensive pleasure).
It's already not as ambiguous as in the first dialogue, but the picture is becoming ever clearer. Give me Da Vinci's manuscripts and I'd decode them in no time ;)
Browsing various forums online, I was amazed at how much information is freely available. Schematics, pinouts, firmware, manuals, step-by-step instructions, and beyond that, the most important thing — people who possess the most valuable thing of all — knowledge, information.
Schematic of the scanner reading head:
GSM skimmer schematic:
Naturally, nobody will share anything just like that :) People wouldn't even tell me anything in a roundabout way — it's their bread and butter. On the other hand — you can't cash out all the money in the world, and some people in this country still earn honestly. So it works out — on one end of the wire are people afraid of the cops, and on the other end are people afraid of losing their money. And still, one shouldn't forget that some people out there still work honestly.
What conclusions to draw from this, everyone decides for themselves ;) For those too lazy to think it through, here are a few tips that will help you avoid senselessly losing the last coupons on your card:
1. Before approaching an ATM, look around. If you're drunk or notice something strange or suspicious — postpone the withdrawal for better times. Not for paranoia's sake, but for safety's sake — look around just like you would when crossing the road.
2. You should know exactly what your bank's ATM looks like (if you're not withdrawing money with a commission from any random ATM). Most of them have: a keypad that does NOT protrude from the flat surface, a flat or recessed card insertion slot. If you see the keypad protruding even by a couple of millimeters, or the card reader sticking out — withdraw money somewhere else. If you decide to be brave and call, whether it's the police or the bank — do it away from the ATM!
3. After inserting your card, don't rush to enter the PIN code — look around one more time =) There should be NO-THING non-standard on the ATM. If someone is standing nearby, enter your code so they can't see it.
4. After withdrawing money, don't wave it around left and right. Removed the card > put it away > took out the cash > quickly counted it and immediately put it away securely > took the receipt > vanished.
5. One day someone might call you supposedly from the bank and say: "Hello, dear Mr. Loshdize Baobab Babosovich, this is your bank's security department. For the safety of our clients, we are switching them from a 4-digit PIN to a 6-digit PIN. Please provide your current PIN code and your desired new one, or do the same by visiting our branch." Naturally, many would be too lazy to trek over and deal with paperwork, so I venture to guess that a good half would simply say their code. Therefore... NEVER tell ANYONE your PIN code! Not to ladies at the store checkout, and certainly not to any gentlemen. Not even bank employees — from the receptionists to the board of directors — under any pretext. They already have plenty of ways to leave you without your pants :)
6. If you're already being beaten — scream loudly — there are more of them ;=)))
For dessert — a couple of photos of what your thief might look like:
Just kidding :)
1. The keypad can look like this:
Usually the buttons are flat, but sometimes the buttons do protrude... No-no-no, there's definitely nothing inside them, that's already pure paranoia... or is it... :)))
2. Card reader:
The device in the last picture raises some doubts for me — on one hand, its right side is clear (the side where the magnetic stripe would be), meaning a scanner shouldn't fit there, and this device is essentially a so-called anti-skimmer. But it's made so poorly (including the build quality) that you can't tell it apart from a skimmer. Or you could rip it off and stick a skimmer in its place... basically, they made something stupid :)
Regarding anti-skimmers — banks could easily secure the card reader — use an absolutely flat slot, special grooves that prevent attaching any object on top — but again... if they wanted to, they would :) Here are examples of attempts to make life harder:
(Also a silly idea, really, since masking a skimmer as one of these is easy, and even the anti-skimmer itself raises suspicions)
Sometimes you can see stickers or stands showing "how the ATM should look," and supposedly if it looks different, don't use it. Obviously, you can stick or hang anything on top of that :) ANYTHING, just to avoid working! :)
Good luck!