Stealthy, Razor Thin ATM Insert Skimmers

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.
The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.

“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”
Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):

The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.

Virtually all European banks issue chip-and-PIN cards (also called Eurocard, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.
For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdrawal cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.

This angle shows the thinness of this insert skimmer a bit better.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries with a total deployment of more than 640,000 cash machines, European financial institutions are increasingly moving to “geo-blocking” on their issued cards. In essence, more European banks are beginning to block the usage of cards outside of designated EMV chip liability shift areas.
“Fraud counter-measures such as Geo-blocking and fraud detection continue to improve,” EAST observed in a report produced earlier this year. “In twelve of the reporting countries (two of them major ATM deployers) one or more card issuers have now introduced some form of Geo-blocking.”

Source: European ATM Security Team (EAST).

As this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.
Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).