(U//FOUO) The purpose of this LIR is to inform DSAC and other relevant private sector partners about new methods ATM skimming crews use to target standalone or kiosk-style ATM terminals such as those found at casinos, hotels, airports, shopping malls, gas stations, restaurants, and supermarkets. The skimming crews intercept customers’ account data through the ATMs’ external cables. The activity observed to date in the United States was discovered at convenience store locations in California, Delaware, and Pennsylvania. This LIR provides details on the methods used in these skimming attempts as well as previously reported use of internal wiretap skimming devices.
(U//FOUO) Internal and external wiretapping (or eavesdropping) skimmers allow criminals to capture card data while circumventing the most common anti-skimming measures, which generally focus on securing the ATM’s card reader “mouth.” Additionally, while many consumers have learned to look for devices attached to ATM card readers, they may not think to look at Ethernet or other cables in plain view and, even if they do, may not recognize that the cables are out of place. The internal wiretapping method, if properly concealed or achieved through the non-destructive “top box” method, allows for further obfuscation of tampering (i.e., no plain-view wiring), while the external method likely permits easier device installation and retrieval.
(U//FOUO) As of early 2016, card skimming crews targeted standalone ATM terminals in at least three US states and the Dominican Republic, with devices that intercept data in transit through the ATMs’ external cables. This differs from previously observed wiretap devices which Romanian and other criminal groups placed inside ATM terminals in the United States, the United Arab Emirates (UAE), and the United Kingdom to capture data directly from the ATMs’ card readers.
(U//FOUO) According to private sector reporting in February 2016, external eavesdropping skimming devices were recovered from NCR and Diebold ATMs in California, Delaware, and Pennsylvania. The devices captured card data from the main ATM network communication cable during customer transactions but required additional devices to capture customers’ personal identification numbers (PINs), which were encrypted upon entry on keypads. According to open source reporting, ATM manufacturer NCR issued a warning about these devices and reported a keyboard overlay was used to obtain PINs at an NCR ATM, while the Diebold ATM attacks used a concealed micro camera. External power sources resembling cell phone chargers were recovered.
(U//FOUO) This represents one of numerous technological developments observed in the realm of ATM skimming. Although there is no information available about the criminals responsible for the external devices reported in the private sector, technical advancements in skimming have in the past been pioneered in large part by groups based out of Eastern Europe, especially Romania and Bulgaria.
(U//FOUO) It is neither suggested nor addressed in the noted reporting, but while drilling a hole in an ATM faceplate would obviously draw suspicion, skimming subjects could disguise themselves as service technicians to install and remove devices through non-destructive top box access or on external cables.
(U) DSAC would like to highlight the tactics ATM skimming crews may use to obtain customers’ transaction information from standalone ATMs. DSAC encourages financial institutions, casinos, and other companies with standalone ATMs on premises to take the information provided by this LIR into account and to review their internal procedures related to the maintenance and inspection of standalone ATMs as well as the verification of any ATM service technicians’ authorization. Businesses with standalone ATMs should ensure personnel are familiar with the appearance of their ATM terminals, both external and internal if they have that access. Businesses are encouraged to contact the ATM owner or service provider if they have questions or notice anomalies regarding the appearance, operation, or maintenance of standalone ATMs.