Say Hello To Crazy Thin ‘Deep Insert’ ATM Skimmers

Some financial institutions in and around New York use ultra-thin "deep slot" skimming devices designed to fit into an ATM card slot. Card skimmers are combined with a small dark room disguised as an ATM. Here are some of the more sophisticated deep-seated skimmer technologies that fraud investigators have recently discovered.

Freshly removed from an NCR ATM in New York City, this ultra-thin and flexible "deep penetration" slider is about the size of a US dime. The big yellow rectangle is the battery. Image: KrebsOnSecurity.com.

The caps shown above are approximately 0.68mm tall. This leaves enough room to accommodate most payment cards (around 0.54mm) without compromising the device's ability to capture and return the customer's card. In comparison, this flexible skimmer is half the size of a US dime (1.35mm).

These skimmers aren't trying to steal data or transactions from a chip card, they're looking for cardholder information stored in plain text on the back of the magnetic strip on the back of most US-issued payment cards.

Here's what the other side of this insert skimmer looks like.

The other side of the deep skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were looking for the customer's data on the magnetic stripe and the 4-digit personal identification number (PIN). With these two pieces of information, fraudsters can clone payment cards and use them to withdraw money from the victim's accounts at other ATMs.

To steal PINs, fraudsters have built pinhole cameras into a fake panel that fits snugly against the teller's body on one side of the PIN entry panel.

The cameras in the aisle were hidden in these fake side panels attached to one side of the ATM and pointed at the PIN panel. Image: KrebsOnSecurity.com.

The skimming devices pictured above were found in an NCR-branded ATM called the NCR SelfServ 84 Walk-Up . In January 2022, NCR published a report on deep-insert motorized pads that looked more closely at other pads for the same ATM.

Here are some deep-load skimmer options identified by NCR in a recent study:

Image: NKR.

Image: NKR

The NCR report includes additional photos showing the fake side panels of the hidden camera ATMs, carefully crafted to match the side panels of real ATMs.

Image: NKR.

Sometimes thieves embed their dark spy camera into fake turntable panels, as in these recent attacks on a similar NCR model;

Image: NKR

In the image below, the thieves hid their dark room in a "consumer awareness mirror" located above an ATM.

Image: NKR

The financial institution that shared the images above said it was able to stop most plug-in skimmer attacks using a solution sold by NCR called a plug-in kit that breaks current skimmers. NCR is also testing a "smart detection kit" that adds a standard USB camera to monitor the inside of the card reader and uses image recognition software to detect fraudulent devices inside the card reader.

Skimming devices will continue to improve in terms of miniaturization and privacy until payment cards store cardholder information on an exposed magnetic stripe. It seems absurd that we have spent years rolling out anti-counterfeit and anti-cloning payment cards to undermine this progress in the name of backwards compatibility. However, there are still many small businesses in the United States that rely on the use of a customer card.

Many new ATM models, including the NCR SelfServ featured in this post, now have contactless features, meaning customers don't need to insert their ATM card anywhere. instead, they simply click on the smart card connection indicator. on the left side of the wireless card. reception (and under the cashier's sign "Use a mobile device here").

Due to its ease of use, this contactless feature is becoming more common in travel ATMs. If the payment card supports contactless technology, you will see a wireless signal icon printed on the card, probably on the back. Contactless ATMs also have the same wireless icon.

Once you're familiar with ATM skimmers, you'll find it hard to use the cash register without pulling out parts of it to make sure you haven't skimmed anything. But the truth is that you are more likely to be physically attacked after receiving money than if you encounter a skimmer in real life.

So be careful when you're near an ATM, and avoid suspicious-looking ATMs and out-of-network, dimly lit areas if possible. If possible, use the ATMs located in the bank. And be very careful when withdrawing money on weekends. Often, thieves install skimming devices on Saturdays, knowing that the bank will not be open for more than 24 hours.

Finally , by covering the PIN code with your hand, you eliminate one of the main components of most fraud : spy cameras, which thieves often hide in or near ATMs to catch customers entering their PINs.

Surprisingly, few people dare to take this simple and effective step. At least that's what KrebsOnSecurity discovered in this 2012 skimmer story , when we obtained hours of video from two ATMs and watched as customers walked up, inserted cards and dialed numbers; everything is clear.

If you enjoyed this story, check out these related posts:

Fraudsters go deeper with built-in deep skimmers

Network skimmer data recovery

How Cyber ​​​​​​​​​​​Sleuths hacked the Shimmer Gang from ATMs