A typical ATM skimmer scam

A tiny skimmer removed from an ATM way back in 2006.

A reader wrote of an ATM experience which, soon after, led to $9,000 in fraudulent withdrawals. He was abroad, but this happens at ATMs everywhere; and so frequently that I think it’s worth posting as a reminder.

As I was using an ATM at a money exchange kiosk, I received the cash I wanted but was unable to get my card back. The man in back of me told me I had to enter my PIN number again in order to have the card returned. He even reached in front of me and hit some buttons and told me to enter my PIN. I did so and after a slight wait, the card came back. The experience was unsettling because I had never heard of entering a PIN number a second time to get your card back after a transaction and no one had ever brazenly reached in front of me to assist me at an ATM. Since I received my cash and finally my card, I felt everything was fine. But that was the day the mysterious withdrawals began.

I called my bank as soon as I realized there was a problem. The woman I spoke with immediately closed the credit card account linked to my ATM card. Within a couple weeks, the bank had deposited the total of the disputed withdrawals into my account.

There are two essential goodies the card fraudster needs: the info on your card and your PIN. Info on the card can be gained in many ways. A snapshot can be taken of it with a cellphone camera, an imprint can be made, or a skimmer can be attached to the ATM itself. Nowadays, skimmers can be tiny and imperceptible. The vital PIN can be easily obtained by the crafty thief’s strategy. The example above is a classic: the false samaritan. The fraudster offers help in order to gain what he needs. Sometimes these “samaritans” even make cellphone calls to helplines, handing the phone to the mark; but the person on the other end of the phone call is the fraudster’s colleague, who pretends to be a bank official.


To protect against these scams, first, don’t use an ATM that looks suspicious in any way. Unfortunately, they usually don’t look suspicious, even if they’ve been tampered with. Second, shield your PIN with your hand as you enter it. A wireless video camera may be mounted to capture the entry of your PIN. The illicit video camera, which is only the size of a sugar cube, might be in front of you, so your body won’t block it. Use your hand. Third, if your card gets stuck, get suspicious! Do NOT accept help from a stranger. Walk away from the card if you must, but do not give up your PIN. And lastly, always suspect the stranger who enters your personal sphere. That’s just not natural. He or she is after something—of yours!

It’s sad that we must suspect a friendly stranger, but a look at identity theft statistics is enough to convince anyone that it’s better to be safe than sorry. Ruthless, creative scammers specialize in benevolence, and they’re darn convincing. CONvincing, as in gaining your CONfidence. That’s why they’re called CON artists!

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Shoulder-surfers and pseudo-cops in Sweden

A shoulder-surfer in Stockholm gets seniors' PIN, then steals their ATM card.

I want to wail even in Sweden, because the country has long been perceived as enjoying a relatively low crime rate. And it did. But not any more.

The day I arrived in Stockholm, the paper featured a spread on thieves lurking at ATMs who preyed on the elderly. The scam stars a shoulder-surfer lying in wait for seniors to come use a cash machine. He watches them enter their PINs, then tricks them into allowing their bank card to be physically stolen in one way or another. The thief may ask to change a ten crown note, or may meet the mark at the parking meter and ask for a small coin. Anything to get the mark’s wallet out.

One wallet, many hands.

Then what? “Magic arts,” one victim said. “Finger magic,” said the police. Hard to believe that a bank card can be stolen from a victim’s wallet right under his nose. Yet, Bob and I recognize the trick we call the “flower gift lift,” as practiced by women in Palma de Mallorca (and I’m sure other places, too). It’s forceful, brazen, devious, and it works. I’ve written about that here.

The Stockholm shoulder-surfer was part of an international gang from Romania. He and one other were sentenced to a few years in prison. Police say they’ve operated all over Sweden, targeting the elderly and handicapped. ATM surveillance photos show victims in wheelchairs and using walkers.

At around the same time, a community newspaper warned of “false policemen” also targeting seniors at ATMs. The thieves convinced the seniors that they needed their bank cards and PINs in order to control illegal withdrawals. Police report additional ploys: door-to-door police impostors warn of burglaries in the neighborhood and want to photograph jewelry and valuables. Whatever the ploy, the thief gets in—cash and valuables go out.

Graph from www.bra.se

As I was writing this, the evening news came on. Seems some scammers are knocking on seniors’ doors to give them tips about H1N1. Rather, one scammer knocks and talks. While the senior is occupied, the other slips in and robs the resident.

Meanwhile, last month, police saw for the first time credit cards being skimmed at gas pumps. “So far police have no suspects and haven’t been able to determine how the skimming operation has been carried out.” I have advised them!

Skimmers have been found attached to ATMs at Ikea and a Stockholm Toys R Us store. There was a home invasion in the sleepy suburb where my family lives.
What has Sweden come to?


Exchanging foreign currency


You can save up to 20% when you change money abroad if you shop around. Maybe more.

I found myself in Rome recently, with a wad of Swedish money I wanted to get rid of. Instead of buying American dollars with the Swedish crowns and buying the euros I needed with U.S. cash, I wanted to change the crowns to euros.

For this story, the country of origin of the money doesn’t matter much. It’s just a numbers game.

I decided to take my own advice: “Before you buy foreign currency, compare the posted prices at several booths or banks. Find out whether they charge fees or commissions [or both]. Compare, and ask for better deals.”

Let’s say the Swedish cash I had to change was worth about US $800. I popped into the first change booth I found, “Forexchange” on Via Solferno.

“How many euros will you give me for 6000 Swedish kronas?” I said.
“429,” the woman said, after some poking on her calculator.
“Is that your best offer?”
“For you, 452.”

See, I could have made 23 euros without even a pretty-please. It was a terrible deal, though. Forexchange takes a fee of €4.90 and a whopping commission of 19.7%. Of course. They’re in the business of making money by buying and selling currency.

I went to another foreign exchange booth where I was offered 495 euros. Up 66 euros from the first quote. Still a bad deal.

American Express will waive its fee for Platinum Card holders, but even with this discount, I’d only get 522 euros for my 6000 SEK. Still, that’s €93 more than the first quote.

Finally, I went to a branch of BNL bank where, after locking all my metal objects into a lobby locker, I stepped into a glass capsule that shut behind me, holding me briefly captive before opening inward and allowing me to enter the bank. The offer there was €535. 106 euros more than if I’d just made a quick change at the first available place. That’s a difference of about $150 on my $800 exchange.

Even with the recent rise in credit card companies’ foreign transaction fees, I believe in using plastic whenever possible for foreign purchases. The fees are now 2 or 3%, but that’s all. For me, credit cards are convenient and economical, and I like the other benefits of using them. But I still need to buy small amounts of local currency—enough for coffee, taxis, souvenirs, and tipping. My experience in Rome last month reminded me that it pays to shop around.


Skimmers and credit card fraud (more)

Would you notice if a skimmer were attached to an ATM?

Skimmers, officially called magnetic card readers, capture the data on a card’s magnetic strip. Exactly what information is that?

Credit and debit cards have three “tracks” of data. Track 1 stores your name, account number and expiration date, and discretionary data to verify the PIN and security code. This information goes to the point of sale terminal, and allows your receipt to include your name and the last four digits of your account number.

Track 2 stores similar information coded and formatted specifically for the banking industry. This is the data that, from a merchant, goes to the bank via modem. Actually, it goes to an “acquirer,” a middle-man organization that authenticates the account data and guarantees payment to the merchant.

Track 3 was supposed to store biometrics, like a photo and thumbprint, but the banks decided it was too expensive to implement and do not use track 3 at all. It’s sometimes used on non-bank cards: airline cards, hotel and club memberships, etc. Track 3 is also writable.
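The Track 1 and Track 2 layouts described above, as an added example that is not part of the original post: a Python scanner a merchant could run over point-of-sale logs to find stored stripe data and mask it down to the last four digits. The field layout follows ISO/IEC 7813; the function names, log lines and cardholder name are constructed for this example, and 4111111111111111 is a standard test number, not a real account.

```python
import re

# ISO/IEC 7813 layouts (group names are this example's own):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2 = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
PATTERNS = ((1, TRACK1), (2, TRACK2))


def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits, as a printed receipt does."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_track_data(text):
    """Return one dict per track found, in order of appearance."""
    findings = []
    for track_no, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if not luhn_ok(m["pan"]):
                continue
            exp = m["exp"]      # stored on the stripe as YYMM
            findings.append((m.start(), {
                "track": track_no,
                "pan_masked": mask_pan(m["pan"]),
                "name": m["name"].strip() if track_no == 1 else None,
                "expires": f"{exp[2:]}/{exp[:2]}",
                "service_code": m["svc"],
            }))
    return [f for _, f in sorted(findings, key=lambda item: item[0])]


def redact(text):
    """Replace every Luhn-valid track with a masked marker."""
    for track_no, pattern in PATTERNS:
        def _mask(m, n=track_no):
            if not luhn_ok(m["pan"]):
                return m.group(0)   # not a card number: leave untouched
            return f"[TRACK{n} {mask_pan(m['pan'])} REDACTED]"
        text = pattern.sub(_mask, text)
    return text


# Constructed sample log lines (test PAN, invented name and reference).
SAMPLE_LOG = """\
2009-11-02 10:14:07 pos01 swipe raw=%B4111111111111111^DOE/JANE^15121010000000000?
2009-11-02 10:14:07 pos01 swipe raw=;4111111111111111=15121010000000000?
2009-11-02 10:15:30 pos01 order ref=;1234567890123456=99990000? (not a card)
"""

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```

The third log line has the shape of Track 2 but fails the Luhn check, so it is reported as neither a finding nor a redaction.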

ATM: sucks data, spits cash.

Legitimate mag-strip readers are everywhere. Illegitimate ones, which I’ll refer to as skimmers, are, too. They may be stuck onto the faces of ATMs or gas pumps (possibly detectable). They may be attached to a merchant’s point-of-sale terminal (undetectable by customer, should be detectable by aware merchant). They have recently been found inside gas pumps (undetectable). Tiny, handheld models are used by waiters and others who swipe credit cards legitimately; they make an additional, criminal swipe through the portable skimmer.

Mag-strip readers are easily, legally purchased. The largest distributor is (no surprise) just outside Las Vegas. Bob met with the owner of the business, and bought a skimmer. The owner claims that his largest customers are schools and libraries, which buy in bulk in order to record attendance and keep track of books. I’ve heard from law enforcement that his biggest customer is the FBI, which buys skimmers, encodes them with trackable ID, and lets them fall into the wrong hands.

Our skimmer, pictured below, captures all three data tracks. Bob could have bought one half the size with twice the storage and a bluetooth interface for twice the price. The kind just pulled from the apron of a waiter at a high-end restaurant at Caesar’s Forum in Las Vegas—a restaurant frequented by a celebrity clientele (i.e. high-limit credit cards).

Whether obtained by an employee using a handheld skimmer, or one attached to stationary equipment, card data is gathered and stored, then collected by wired download or wireless transmission. Then what?

Someone called “afterlife” wrote:

Credit card theft is a growing problem but it does not happen the way most people envision it. It’s not the lone hacker who goes it alone to compromise one site and sell the credit card numbers to fraudsters.

These days it’s a network of carders who each have a specific role. Roman Vega of Boa Factory fame was known for having lawyers, botnet owners, hackers, traffickers, and pushers all on staff. These days the professional carder will knock over several merchants and store the information without using it for up to two years. Once they have amassed enough information they join the databases together forming a master datasheet on people’s lives.

Once they join databases with your credit card number and others with your e-mail address they can perform ‘spear phishing’ where they send you a targeted e-mail, with your credit card number, asking for your PIN number.

Portable magnetic card reader, aka skimmer.

Credit card fraud is highly organized, en masse. Besides phishing and spear phishing, data is also written to new cards. These new cards can be blank stock, stolen cards (where sometimes the encoded data does not match what is printed—but who notices that?), gift cards, or shared-value cards. Mag-strip writers can be purchased as easily as mag-strip readers; and some models of readers just need a little extra software in order to write.

Everything one needs for credit card fraud can be learned or purchased on “carder sites.” Skimmer “dumps” are sold in lots, with payment made via Western Union. Here’s a typical “ad,” found among Afterlife’s blog comments (link above). This one’s about six months old:

The Best Dumps for a Good Price. Selling USA.
Hello dear friends. I’m a Memfis.
I have USA dumps, and some Asian.
I have a good price for it:
USA
20 USD CLASSIC, MASTER
25 USD VISA GOLD
30 USD VISA PLATINUM AND BUSINESS
ASIA
80 USD CLASSIC, MASTER
100 USD PLATINUM
I have my own base, good approval percent - about 90%
USA and Asia - 101 only. But I dont have EU bins.
USA - original track2.
Asia - both tracks are original, track1 and track2.
Payment is Western Union.
I’m sending order only after recieving payment, in 3-24 hours.
I have a replace pocily, but i should know what cards declined or holdcall in 24 hours, to replace it, in other time i wont replace.
For real buyers:
I can proove my quality, message me my ICQ.

Latest ATM skimmer, with measurement in centimeters.

Here’s a good thing: some of these gizmos hidden in gas pumps cause the pump to fail, so they’re found. But there’s bad news, too. Data from skimmers slyly hidden in gas pumps and other good places is often not used for three or four months. Why ruin a good thing if the skimmer is steadily transmitting account numbers and PINs? When credit card holders start reporting fraud, the common merchant on the victims’ accounts will be investigated and the device will be pulled. Has your card already been skimmed? Has mine?
© Copyright 2008-2013 Bambi Vincent. All rights reserved.

Read our summary page of pickpockets, thieves, scammers, and skimmers.

High-tech identity theft today

LVMPD Detective Kim Thomas

• Identity theft is now the number one crime in the world.
• Las Vegas is number one in the U.S. for ID theft; even though it’s estimated that only 20% of the crimes are reported.
• The FBI estimates that seven out of every ten stolen dollars end up in Las Vegas. There’s more money in Vegas than most places. Hence Vegas’s place at the top of the ID theft heap.

These wispy facts were spit out by Las Vegas Metro Police Department Forgery Detail’s Detective Kim Thomas at the start of his recent identity theft presentation. Then he got to the scary stuff.

I recently wrote about “profiles,” the findable bits of personal information about an individual. A utility bill constitutes a profile, though not as good a one as a loan application. Envelopes, receipts, and statements are others.

Detective Thomas emphasized the importance of shredding all documents before discarding them. Then he pointed out how something as simple as a discarded box can trigger both a burglary and ID theft. He gave the example of a resident getting a new plasma tv. A trawling thief spots the box at the curb on trash day. He watches the house and notes when it’s unoccupied. Then he steals a truck, kicks in the front door (that’s how they break in nowadays, Det. Thomas explained; no finesse involved), grabs the tv—and the pile of bills in the kitchen at the same time. “Even a box has value to someone,” he said. “Cut it up.”

We can shred.

We can break down our discarded boxes, or take them to dumpsters.

We cannot control how businesses store and discard our data. (My own little example: I went to a health clinic where patients are given forms on clipboards to fill out and return to the desk. When I returned to the unattended desk with my completed forms, I stood staring at other patients’ medical histories and Social Security numbers on the clipboards they’d left on the desk as instructed.)

Credit card data skimmer: the size of a Bic lighter.

But here’s the big thing now: skimmers. Wait! You think you know, but I’m about to describe the very latest in skimmers; not the deck-of-cards-sized box in a waitress’s apron, not the big old multi-part plastic set-ups of yesterday stuck onto ATMs. If you’re not sure exactly what a skimmer is, read the three little paragraphs of my previous post. In the old days (not very long ago), waiters and store clerks were given skimmers to swipe credit cards through and they were paid for the data they collected. But a waiter might talk if caught. A store clerk will be watched if suspected, leading police to the skim-master. And how many cards can they skim in a day, anyway?

Skimmer with keypad taken off ATM.

Old news: nowadays, skimmers are attached to the fronts of ATMs and gas pumps. Yeah, we know. But you probably don’t know how impressive the latest version is. It’s tiny: 3.5 inches long, by a half inch by a quarter inch. It’s almost impossible to detect. It contains batteries charged by an induction plate and stores data on a camera memory card. It attaches to a thin number pad overlay to capture PINs, and as a secondary method, also has a motion-activated video camera (jury-rigged from a high-end mobile phone) which is time-tagged to match up with the right credit card info. It has a bluetooth transmitter that allows remote, anonymous downloads, which means the skim-master doesn’t have to go near the scene of the crime, once the thing is installed.

About 40 of these tiny self-contained data-collectors have been recovered in Las Vegas in the past month. Probably more by now. Certainly more still out there, too.

Where do you get your gas?

Skimmer (somewhere) inside a gas pump.

Yes, they’re still stuck onto the fronts of ATMs. But they’re also put inside gas pumps. How do you open a gas pump? Use the same key that opens an RV storage locker, five bucks online. LVMPD found that one of these skimmers can be installed in eight minutes flat. Which, they figure, means the skim-master can probably do it in seven.

Edited 3/15/10 to add: Detective Kim Thomas explains how skimmers are hidden inside gas pumps in about 11 seconds. Yes, 11 seconds!

Yes, there’s more to tell.

Skimmers for credit card fraud


A little background, as reference for my next post:

A skimmer is a battery-operated device smaller than a deck of cards with a slot for swiping credit cards. It reads and stores data embedded in the magnetic strip on the back of the card. Restaurant waiters are the typical recruit, given the contraption and requested to swipe each credit card as they take customers’ payments. At the end of the shift, the data collector shows up with a computer and downloads the skimmer’s memory, which might hold the information from a hundred or more cards.

This is effective data collection; and the waiters—for the data collector solicits many of them—may not even understand the purpose of the exercise for which they receive a nice little tax-free chunk of change. Restaurant and service station employees are reportedly earning over $100 for each credit card they skim.

Meanwhile, the customer has no way of knowing that his credit card has been skimmed. Some privacy advocates and security experts recommend that you never let your credit card out of your sight. I find this advice impractical to the point of impossible, but it’s a question of compromise: convenience in exchange for risk. Each of us must decide where to live along that scale. While I might hand my credit card over to a waiter for processing, you might decide to follow him to the charge machine and supervise the transaction.

Excerpt from Travel Advisory: How to Avoid Thefts, Cons, and Street Scams
Chapter Nine: You’ve Got a Criminal Clone

• • • Yeah. That was then. Wait ’til you read about now!

Cash or credit card?


Don’t be self-ripped
That means: do your research. Besides knowing the tricks and scams prevalent in your destination, you should be up-to-date on currency. Look up the exchange rate, get familiar with the denominations of the foreign currency and what each note is worth in dollars. Low-value currency can be baffling. Menus and price tags can blind you with zeros in Istanbul, for example, with the Turkish lira at six hundred thousand some to the dollar. Will you pay 21,875,000 lira for your dinner, or 218,750,000? It’s easy to make a mistake. We got so many Zambian kwachas for our $10 once, we kept them and stuck thick wads inside our prop wallets. (That was before we realized that cut paper thickened a wallet just as temptingly.)

So, know the currency; also consider how much cash you need to carry. Bob and I recommend carrying as little as possible. We’re great proponents of credit cards. Sure, you need enough local currency for small purchases. Taxis, delightful sidewalk coffee and exotic streetfood, craft markets, tips, and all those expensive luxury items you want to buy without a papertrail, all require cash. But for the rest of it, credit cards are a better deal.

When you buy foreign currency, the money dealer makes a profit. You may be charged a poor rate of exchange, a fixed fee, a commission, or all three. Believe it or not, many money changers will …

Bolshoi Bandits: more pickpockets in Russia

The Bolshoi Bandits and the Crosswalk Czar

In which Bob Arno and his fancy accessory spy on the Russians.

Accordion on a Russian bridge
A man plays accordion on a Russian bridge

St. Petersburg, Russia— I was ensconced in my stake-out spot on the Canal Griboyedova across from the Gostiny Dvor Metro station; Bob was elsewhere. My position was excellent: close to the action, but the canal between my spot and the crime scene prevented my view from being blocked by passing people. It also had a massive, standing concrete slab, some sort of abandoned roadworks part, which I could duck behind when necessary. Leaded exhaust already lined my nasal passages, and fresh pee fumes rose from the slab. The location wasn’t perfect. I did enjoy the faint strains of accordion from a man squeezing one on the canal bridge half a block away.

Bambi's canal-side hide-out, beside a pee-stained concrete slab.

After filming alone for an hour or so, Bob passed behind me as if he didn’t know me and suggested I cross Nevsky Prospekt because the Mongolian pickpocket gang was at work in the crosswalk, out of my field of view. I did so, but felt exposed and nervous. I half hid behind a billboard and tried to film them, but the angle wasn’t good. A constant stream of pedestrians and traffic blocked my view of the corner. I was also afraid that, since they knew me, one of the gangsters would approach me from behind, or while I was looking through the camera’s view finder. After a while Bob came to get me again.

Bob speaks to the ice cream seller, who has contraband to pass off.

He brought me over to an ice cream cart on the corner in front of the Kazansky Cathedral. The proprietor, Katarina Pavlova, spoke French to Bob. She said she had noticed that he was observing the pickpockets, and that she had something to show him. She looked left and right before explaining that one of the thieves had walked past her stand and tossed something into her trash. Digging through the garbage, she retrieved a thick stack of credit cards, ID, and other wallet contents belonging to a 55-year-old French woman.

The wallet contents had been tossed into the ice cream seller's trash can.

The ice cream seller said she felt it was safe enough to tell us only because this was her last day of work; she was retiring from the ice cream business and planned to stay out of the city. She pressed the plundered heap into Bob’s hand with a forced crooked smile. He should take it. For some reason, she felt it was right.

She retrieved the stolen credit cards from her trash can after seeing the thieves throw them in.

 
So. Pickpockets were dumping ID and credit cards. This seemed to corroborate what other thieves and the police had told us: that the guys working the streets do not exploit credit cards. But what were we to do with the cards? Of course, we immediately thought, we’d try to return them to the victim. After all, they included a telephone number and address. But just as quickly, with a chill, we asked ourselves if this was a set-up. Can you imagine the shakedown? We’re accused of being pickpockets, searched, and found with a French woman’s documents. What would that cost in baksheesh? I imagined handcuffs; then beatings and prison and huge ransoms.

Here you can see the peeish concrete slab. Bambi stands against the canal rail, in her black camouflage.

Bob took the cards.

I objected. So we compromised. We gave the cards back to the ice cream seller, then videotaped her handing them over to Bob and explaining how she had obtained them. Might not stand up in court, but it eased my mind. Eventually, we did try to phone the woman in France, but the number was no longer good. We put them into the mail and never heard of them again.

A little Russian gypsy girl plays in the street

We wandered a couple blocks down, halfway between Nevsky Prospekt and the Church on the Spilled Blood, toward an internet cafe. We’d been inside it many times, and it was always empty except for the sour boy who took our coins. Wandering along, we paused in the oppressive heat to watch a tiny barefooted girl squatting in the street, spinning an old muffler.

A little gypsy girl begs and gets a bottle of water
She begs and gets a bottle of water

With fine-tuned radar, she leapt to her feet as a man and woman strolled into view and ran to them as fast as her heavy velvet dress allowed. Her big brown eyes netted a bottle of water, which she appeared to take with delight. She went back to her muffler, only to rise again for the next couple, who tried to ignore her.

A Russian gypsy girl, begging, latches onto the leg of a passerby
She latches onto the leg of a passerby

The tenacious little beggar latched onto the man’s leg and wouldn’t let go. When she fell to her knees, the man literally dragged her along the pavement.

A young girl, begging, gets a dollar
The girl is given a dollar

One American dollar freed him. The girl admired her take, carefully folded the bill, and stuffed it into a small pouch that hung from her neck. We watched her until she ran to her mother, who sat on the ground with an infant a block away, leaning against the canal rail.

A little beggar girl tucks money into her pouch
The little beggar girl tucks money into her pouch
Little Russian girl with, probably, her mother and baby sibling
She runs back to, probably, her mother and baby sibling

Late that night, we spoke with a group of Belgian tourists who said that they had been robbed the day before while coming out of the Metro station on Nevsky Prospekt. Three women were hit. One had her purse slashed with a blade and all contents were removed. Her arm had been across her purse. The cut was just under her forearm. The thief had planted his elbow in the woman’s stomach. The other woman had her fannypack opened. The pickpocket handed her passport back to her, indicating that it had been on the ground. I didn’t get the story of the third woman.

Andrey Umansky, a front desk manager at the Grand Hotel Europe, used to work at Baltic Tours, a tour bus operator. Every spring, before tourist season began, they’d pay the police, he said. The deal was that they’d use special signs affixed to buses and carried on sticks, which were meant to tell thieves to stay away from this group. And the police, he explained, made deals with the thieves in order to protect the groups that paid for protection.

There’s lots more.
Another day…
See Russian Rip-off, a five-part post with video.