A new type of ATM card skimmer that uses a technique called “periscope skimming” has officially been found installed in ATMs in the United States, and from the outside there’s no way to tell that a machine has been compromised.
Most card skimmers are designed to be quickly installed over an ATM’s existing card slot to capture account information as the machines are used over the course of a few days. They’re easy and less risky to install and retrieve, but many ATMs are designed to prevent their installation. A trained eye can usually spot them in use.
But that’s not the case with a periscope skimmer. As KrebsonSecurity explains, they’re designed to be installed inside an ATM, out of sight, connecting to both the motorised card reader and the circuit board where cardholder data is transferred to the rest of the machine’s electronics to process transactions. They do require access to inside an ATM via a key, but once installed they can operate for close to 14 days and collect up to 32,000 card numbers before their battery runs out.
A recent non-public alert issued by a financial crimes task force to banks revealed that a periscope skimming device was discovered inside an ATM in Conneticut in August, while a second was found inside an ATM in Pennsylvania in early September.
The good news about this reveal, at least for the time being, is that neither skimmer included a way to capture an ATM user’s PIN number required to process transactions. It is suspected that both of these devices were being used for testing purposes only, but you can assume that whoever was responsible for developing the hardware must surely have plans to grab that information from unsuspecting ATM users as well. [KrebsonSecurity]