A bank-machine hacker who reportedly was arrested earlier this month in Turkey gave would-be fraudsters tips on how to install rogue card-reading devices, including advising them to target drive-through ATMs (automated teller machines) and avoid towns with fewer than 15,000 residents.
The hacker, who went by the handle "Chao", reportedly was arrested earlier this month in Turkey. He was one of the most well-known ATM hackers in the world, according to Uri Rivner, head of new technologies for RSA Consumer Solutions.
Chao sold fake faceplates that fraudsters could attach to the card slots in ATMs. These "skimmer" devices can read the magnetic stripe of every customer's ATM or credit card, and are often used in conjunction with a hidden camera that watches people enter their PINs (personal identification numbers), Rivner says. Alternatively, criminals can attach an extra keypad on top of the one in the machine and capture the PIN that way, he adds.
After collecting this data over a period of time in these devices, the fraudster can remove the devices and use the information to make counterfeit ATM and credit cards that can be used in stores and ATMs, Rivner says. There are other such devices that can send the information to a nearby computer via wi-fi, he adds. Fraudsters also commonly produce counterfeit cards using information stolen directly from bank and credit-card databases. Overall, card counterfeiting is one of the major types of fraud against ATM and credit card issuers, representing roughly 30% of their fraud losses in the US, Rivner says.
In an animated online video commercial for his skimmers, Chao provided a glimpse into the world of ATM hacking with a series of tips for potential customers who would buy and install his products.
Picking an ATM to target with this scheme requires watching the surrounding area for days or weeks and taking notes on foot traffic and other characteristics, Chao says in the video. Among his tips are these:
— don't install a skimmer in the morning, because people are more vigilant then;
— determine where a person would have to stand to keep an eye on everything happening on that block;
— avoid blocks where more than 250 people per day walk through, because of the danger of detection;
— don't install skimmers in towns with fewer than 15,000 people, because people in those towns know what their ATMs look like;
— avoid areas with small shops open 24 hours a day, because there may be surveillance cameras and vigilant shopkeepers;
— don't set up in areas where a lot of illegal immigrants live;
— places with a lot of tourist traffic are good;
— look for affluent neighbourhoods and drive-through ATMs;
— ATMs near cash-only bars are a good bet for lots of customer activity.
It's fairly rare for a consumer to be a victim of skimming, but Chao's tips indicate consumers are probably safer if they use ATMs at their own banks or financial institutions, says Enterprise Strategy Group analyst Charlotte Dunlap. The safest course would be to use machines inside the bank, though that's not practical for most people's schedules, she notes.
Consumers also should keep tabs on their account activity, via statements or the web, and report any abnormal activity, Dunlap advises. Consumers typically are protected from this type of theft, as they are with a lost or stolen credit card, she says.