We’ve heard the warnings for years now to avoid sketchy ATMs, yet folks continue to withdraw from hacked ATMs and later watch helplessly as money drains from their accounts.
Thanks in part to slow adoption of EMV chip smart cards in the U.S., thefts of card data from U.S. ATMs are at the highest rate in two decades. From January to April alone, ATM security breaches rose 174% from the same time last year.
New ATMs are on the rise that claim to defeat the current ATM hacking methods, but in the meantime, there are tips to steer clear of ATMs that are most likely to be hacked.
When you insert your bank card into an ATM, it reads the information on the black magnetic stripe as it pulls the card into the machine. One way hackers steal your card info is by mounting a very thin reader ahead of the ATM machine’s card reader to get your card’s information as you slide your card in. Another is by prying into the machine itself and hooking up to the ATM’s digital guts to hack it the old fashioned way.
Regardless of a hacker’s method to steal your information, they only target ATMs that are easy to access and modify without getting the hacker caught. Logically, avoid ATMs that are away from busy areas or outside public vision. An ATM outside a lonely gas station around the corner from the attendant’s field of view is a perfect target for hacking. And the tech to grab your card data via external devices, called scamming, is pretty cheap.
“There are products you can buy on the dark web, four or five models, all from off-the-shelf components. The scammer can replace the front panel so it looks like an ATM credit-card swiper, but you are sticking your card into their device first,” says security consultant Shaun Murphy of consulting firm Private Giant.
These scamming kits vary in price and ability, from $20 to $30 basic kits you build yourself, to sophisticated and preassembled kits that cost hundreds of dollars. But these kits are so sophisticated and miniaturized that it’s almost impossible to detect them on an ATM. The best thing you can do is look for anything out of the ordinary: a loose corner you can jiggle, something attached to the card slot, or a camera above the keypad that could take a picture of your pin.
Scammers avoid ATMs from big banks and ATMs inside businesses. Even if a business could conceivably work with a scammer to split any hacks, the large risk for legitimate businesses to get shut down or prosecuted would not be worth taking for such a small payoff. Instead, scammers make money by not attracting scrutiny, pulling small amounts from ATMs in bulk from up to 30 ATM locations within a few square miles. Maybe 90% of the cards they scan end up having too much protection from a bank’s background hacker detection system, but even 10% of all the cards scanned can buy a lot of product or bitcoin, says Murphy.
In the battle between hackers/scammers and banks/credit card companies, the latter do not sit idle. Visa’s fraud prevention system, an artificially intelligent neural network that knows who you are and what you buy, is a good example, says Murphy. It is designed to detect anomalies, so the system will alert you if it falls outside your purchase patterns. That’s because hackers take baby steps first, buying $1 or $2 items to test the card’s security before buying $1,000 laptops or tablets, says Murphy.
Unfortunately, card security in the U.S. is still mostly bound to the aging magnetic stripe technology. Mastercard and Visa are on board for the October 2015 liability deadline that will push legal liability on whoever hasn’t upgraded to EMV chips or readers yet, which will hopefully lower credit card fraud in the U.S. Delaying so long in adopting EMV chips is likely the reason the U.S. is home to half the world’s credit card fraud: once other countries adopted EMV chips, hackers and scammers took the path of least resistance and rushed to vulnerable U.S. credit card users, Mastercard’s Carolyn Balfany told The Wall Street Journal.
Magnetic stripes are simple technology, just sending your account information wherever you swipe it. EMV chips sends your account information too, but it’s a transactionally based equivalent version of that information that is timestamped and fingerprinted. Even if someone were to steal the information sent to the card reader from an EMV chip-equipped card, says Murphy, they have maybe a minute to use that same time-stamped account information before it expires. Apple Pay does a roughly similar thing, basically producing a one-time-use credit card every time it’s used, both in person and online.
Of course, the arms race hasn’t slowed with the EMV chips. Fraud experts in Mexico have found that thieves are placing “shimmers” in card readers to steal the EMV chip’s information, reports digital security expert Brian Krebs. Then the thieves match that EMV information on a card with a cloned magnetic stripe that imitates the original card. Banks can run simple tests to determine whether the magnetic stripe data is counterfeit–but there may be some instances in which banks are doing this check or correctly or not at all, writes Krebs, and thieves may have caught on to which banks are failing to catch these cloned cards.
To beat scammers from stealing the magnetic data on your card’s stripe as you insert your card, ATM manufacturer Diebold launched new ATMs last year that have users insert cards in a completely different orientation. Instead of inserting thin side first, the Diebold 5500 line of ATMs forces users to insert wide side first. Remember the “magnetic” part of magnetic stripes? Diebold’s new ATMs push the whole magnetic reading process inside the ATM, fully ingesting a card before a motorized reader scans the stripe horizontally.
If a scammer wants to steal information, they have far less time (about half a second) as the ATM machine ingests your card wide-side-first. They would effectively need their own motorized reader mounted outside the card slot, which would be very conspicuous, says Diebold chief innovation officer Frank A Natoli.
“They would need something on the card reader gate to stop it from taking in the card, and then they’d need their own motorized read head and battery, which is big and bulky. They’d essentially need to duplicate our internal edge reader outside the machine,” says Natoli. “It would be a giant wart on the side of the ATM.”
Diebold’s new ATM might defeat this external scamming of magnetic stripe information, but there are plenty of other methods to get into an ATM. Natoli must design the ATM to survive more physical attacks that target the ATM itself, which are more common in Latin America, Eastern Europe, and Africa than the U.S. These range from prying the top of the ATM cabinet off to insert malicious code into the ATM’s computer system via USB port to literally dynamiting the ATM open.
Physical attacks in the U.S. tend to be less explosive and ATM countermeasures detect changes in motion or heat: seismic alarms go off and lock down the ATM if they detect anything like drilling or cutting, while heat alarms sense of someone is trying to cut into the ATM with a blowtorch, says Natoli.
In Latin America, dynamite is popular, along with explosive gas that thieves insert through the top cabinet before igniting. In Eastern Europe, thieves use acetylene and welding gases. Diebold’s higher-end ATM lines have static and powered venting mechanisms to keep the gas in the top parts of the ATM, where detonations have less chance to give thieves access to the cash held in the lower parts. If all else fails, the ATMs have inkstaining failsafe mechanisms. Wherever ATMs are installed, there will be thieves attempting to circumvent security. So the arms race goes.
“We build a 10-foot wall, so they build an 11-foot ladder,” says Natoli.
It does not matter which country you are in, says Natoli: To protect yourself, just look at the ATM. Look to see if it’s properly manufactured with a cohesive design. The second you see things, like pieces of plastic that are not quite finished or holes drilled in odd spots, be extra careful.
“Use common sense, use caution, and if it looks tampered with, maybe a little too thick, alert the operator of the ATM and go from there,” says Natoli.