
Inventory of ATM Scams & Crimes

Last updated May 2005 produced by ATMIA for GASA

Table of Contents
Definition of ATM Crime
Scam/Crime 1 - Skimming
Scam/Crime 2 - Card Trapping
Scam/Crime 3 - Card Swapping
Scam/Crime 4 - Distraction Thefts at ATMs
Scam/Crime 5 - Cash Trapping
Scam/Crime 6 - Robbery & muggings at ATMs (attacks against cardholders; Cash in Transit attacks)
Scam/Crime 7 - Illegal Diversions at ATMs
Scam/Crime 8 - ATM Burglaries
Scam/Crime 9 - Ram Raids
Scam/Crime 10 - ATM Vandalism
Scam/Crime 11 - Fake ATMs & Dummy Overlays
Scam/Crime 12 - ATM Crypto Attack
Scam/Crime 13 - ATM Cyber Attack
Scam/Crime 14 - Transaction Reversal Fraud
Scam/Crime 15 - Card & PIN Phishing
Acknowledgments


Definition of ATM Crime

When we talk about ATM crime, we are talking about a crime, whether prosecuted or not, that would not have occurred but for the presence of the ATM system. In other words, to qualify as an ATM crime, the ATM, and the (cash or money) value it contains or dispenses, must be a target of the crime. Crimes can be defined by their end product or output, by asking the question: What was the intended outcome of the crime? Criminal intention, criminal means and criminal output together seem to make up the essence of crime. Since cash-dispensing is the ATM's reason for existence, the intended outcome of most ATM crimes should be seen as the illegal procurement of cash or money value channelled through the ATM network. An ATM is a machine that performs automated teller functions. Any activity which contributes towards the removal (or attempted removal) of cash at any point in the automated teller process, including during any of its ancillary or support processes, should fall under ATM crime.

[From GASA's International ATM Crime Directory, published 2004, p.2]

Scam/Crime 1 - Skimming

Definition
Illegal copying of a bank card's security and identification data via a card reading device, coupled with PIN misappropriation via shoulder surfing, miniature camera, electronic recording or long-range surveillance methods. The cardholder's information is then transferred onto another card, often a piece of virgin white plastic or other readily available plastic, for example mobile phone top-up cards or supermarket loyalty cards. The counterfeit card is then used, in conjunction with the corresponding PIN, to withdraw funds at ATMs, usually where there is no CCTV.

Major Types
Hand-held skimmers; ATM overlays; false card readers; modified POS devices

GASA Security Tips
Hourly checking of ATM interface; install skimming device detectors; cardholder security education on PIN protection; surveillance; defensible space and/or ATM mirror to prevent shoulder surfing; CCTV to capture images of fraudsters, especially out of office hours when these crimes mostly take place.

False slot: fixed to the original card slot (same color and sticker). Contains an additional card reader to copy your card information and duplicate your card.

Shoulder surfing the PIN: noting the PIN number

A New Variation on the Skimming Theme
Fraudsters are posing as bank employees at ATMs and informing clients that the latest bank procedure is for them to swipe their cards through a card reader. The skimming device used by fraudsters is either attached to the ATM or held by hand. The "bank employee", dressed in a bank uniform, then tricks the customer into revealing his/her PIN.

Another Variation on the Skimming Theme
Fraudsters have been known to use standalone skimmers on a presentation board posing as a card cleaner, tricking cardholders into being skimmed.

False pamphlet box affixed to the ATM cubicle side
There is a hidden micro camera at the side of the box. The micro camera can view the keypad and also the monitor, and can send a wireless picture up to 200 metres.

Inside the pamphlet box: camera positioned at the correct angle to view keypad and monitor; camera battery; transmission antenna.

Note that false card readers can be installed in lightning criminal operations for short periods of 15-20 minutes, in order to avoid detection, during which time several cards can be compromised. This kind of threat necessitates very regular checking of the ATM interface by trained staff and also reinforces the need for proper placement of ATMs in well-lit, prominent spots.

Skimming device models [images]

Scam/Crime 1 - Lobby Door Skimming

Definition
Here false skimming devices are attached to the entry points of a bank lobby door to illegally copy information encoded on the bank card's magnetic stripe. The skimmer could either be placed inside the door entry device or placed above or below it so that the customer's card will be swiped. Fraudsters remove the door entry device, strip the insides and replace them with their own skimming equipment. PINs can then be obtained by shoulder surfing or through micro-cameras or as a result of "Good Samaritan" deception tactics.

GASA Security Tips
Hourly checking of lobby access point; install skimming device detectors; cardholder security education; surveillance; replacement of swipe mechanism with push-button activation.

Scam/Crime 2 - Card Trapping

Definition
The theft of a customer's card through tampering with the card reader to ensure the card remains stuck inside the card slot and cannot be returned to the customer after it has been inserted. In this scam, the ATM will not register that a card has been entered, so the screen does not change or request the person to enter his PIN. This crime involves affixing a device to the card reader/slot, typically a loop of material or plastic "V" fitted to a false card slot and then placed over or into the genuine card reader. Once the card is trapped the fraudster poses as a fellow customer and "Good Samaritan" and offers assistance, advising the customer to enter their PIN to release the card. This does not release the card and only serves as a way for the fraudster to observe the PIN. ["Dip" or "swipe" card readers are not susceptible to this type of scam because the card never fully enters the ATM on those particular models.] The customer believes the card has been retained and leaves the ATM. Fraudsters then remove the device and card and subsequently use the card fraudulently, often before the cardholder has reported the incident.

Types
Fuse wire; Lebanese Loop; Water bottle; Algerian V; VHS tape; Romanian Loop; Tape measure; Builder's Loop

GASA Security Tips
Card trapping is comparatively easy to prevent by educating cardholders about never accepting help from a stranger at ATMs. Most major ATM manufacturers have enhanced newer designs that prevent the insertion of foreign objects into the card reader. We recommend daily checking of ATM interface in addition to cardholder security education. The use of a painted defensible space around the ATM will help reduce interference from fraudsters. Note that captured cards can be used by criminals with or without a PIN: signature-based cards, for example, can be removed and used for point-of-sale transactions instead of cash withdrawals.

Lebanese loop device [image]

Lebanese Loop Card Trap (diagram, not to scale). Labels: front view; side view; back view; entry flap, fixed at top; loop fixed to top and bottom of entry flap; double-sided sticky tape; bank card; card insertion: card forces entry flap up; card inserted: card blocked by loop and entry flap; loop made from VHS video cassette tape.

This fraudster is rigging the card reader to capture the card of the next person who uses the machine.

Here the fraudster pretends to render assistance. What he is in fact trying to do is obtain the customer's PIN now that he has captured the card.

He convinces the customer that he would be able to retrieve his card if he entered his PIN while he holds down both the cancel and the enter buttons.

Variation on Card Trapping: the thin plastic sleeve ploy

A thin plastic sleeve is inserted into the card reader to trap the card AND to prevent the ATM from reading the magnetic stripe data. The ATM repeatedly asks the customer to enter his PIN number. The fraudster observes the customer's PIN being tapped in. When the victim leaves, thinking the ATM has swallowed his card, the thief removes both the plastic sleeve and the card.

Scam/Crime 3 - Card Swapping

Definition
This is a card theft trick whereby a fraudster poses at an ATM as a "Good Samaritan" after forcing the ATM to malfunction and then uses a sleight of hand to substitute the customer's card with an old bank card, observing the customer entering his PIN (which of course does not work for the old card). The malfunction may involve freezing the ATM by entering a specific sequence of zeros on the keypad (this method of operation can only be performed on certain machines). The ATM does not switch off or show any obvious sign of being tampered with. The victim tries to insert his card in the reader, but the ATM reader slot will not properly open, so the card will not go all the way in. The thief comes along and offers his assistance by pretending to push the victim's card into the slot. While doing so, he either swaps the card or steals it. A further twist can occur when the fraudster offers to call the bank's card loss division for the customer, either to obtain the PIN number if that has not already been achieved OR to delay the reporting of the problem by the customer to buy time for more fraudulent withdrawals. Once the card has been swapped, the thief offers to call the bank's card loss division to cancel the card on the victim's behalf, using his cell phone. At the other end of the phone is a member of the syndicate.

GASA Security Tip
Customer education, customer education and customer education! In addition, surveillance and checking the interface of the ATM regularly.

Scam/Crime 4 - Distraction Thefts at ATMs

Definition
Methods of stealing at, or in the vicinity of, ATMs, varying from pickpocketing to some types of card swapping, which involve breaking the concentration of the customer in order to carry out the crime undetected by the victim. Typically a victim is observed withdrawing large sums of cash from either the ATM or over the branch counter. The fraudsters wait for them to leave and approach them in the street by squirting a substance over them. Then they pose as well-meaning passers-by offering to wipe the mess from the victim's clothing whilst pickpocketing them at the same time. Fraudsters often operate in groups so that one of them can distract the customer while someone else swaps or swipes the card.

GASA Security Tip
Customer education programmes should warn customers never to accept help from strangers at ATMs. Customers should be vigilant and aware of their surroundings at all times, especially when leaving the premises.

Scam/Crime 5 - Cash Trapping

Definition
The illegal interference with the ATM's cash dispensing function so that the cash will be trapped and later stolen after the victim has departed from the ATM. This tampering is targeted at ATMs using the "spray" cash dispensing method: the obstruction inserted by the fraudster prevents the notes from being dispensed into the cash tray. Cash trapping can take place at any type of machine.

GASA Security Tip
Hourly checking of all cash machines for any signs of tampering.

Scam/Crime 6 - Robbery & muggings at ATMs - attacks against cardholders

Definition
The use of force to steal cash from a customer using an ATM. Most robberies at ATMs are committed by a lone offender, using a weapon, against a lone victim, usually at night (with the highest risk between midnight and 4 am), after a cash withdrawal. Police estimate about 15% of victims are injured during the robbery. Forced ATM withdrawals occur when criminals take cardholders against their will to an ATM and force them to withdraw cash, sometimes at gunpoint. Forced withdrawals typically do not originate at the ATM but tend to form part of a sequence of multiple crimes like home invasions, abductions and assaults.

GASA Security Tip
High rates of street robbery, including ATM robbery, are likely to coincide with crack cocaine or other drug markets; industry should work with police to root out local drug territories; customer education programmes should stress that customers should avoid poorly lit and isolated ATMs, especially during the middle of the night.

Scam/Crime 6 - Robbery & muggings at ATMs - Cash in Transit attacks

Definition
Inside Premises attacks: Take place when the cash carrier is replenishing cash within the premises where the ATM is located. Typically, a gang enters the ATM area prior to arrival of the crew and lays an ambush. Weapons and extreme violence may be used. The cash carrier is forced to hand over the cash.
Cross Pavement attacks: Various modus operandi are employed, the most common of which is to attack the cash carrier after the cash cassettes have been removed from the Armoured Vehicle for delivery to the ATM in order to snatch the cassettes. Weapons and extreme violence may be used.

GASA Security Tip
GASA has produced a security best practice manual for ATM cash replenishment which should be consulted by all cash carriers.

Scam/Crime 7 - Illegal Diversions at ATMs

Definition
The use of false "out of order" notices and other diversionary signs intended to channel customers to ATMs situated in quieter, less secure spots, where a variety of ATM crimes can occur, such as skimming, robbery, cash trapping, etc. See also ATM Vandalism (Scam/Crime 10) as a possible diversionary tactic.

GASA Security Tip
Customer education programmes should stress that customers need to steer clear of ATMs which are isolated or perceived as poorly lit.

Scam/Crime 8 - ATM Burglaries

Definition
The use of force, usually involving technology like angle grinders, blow torches, and explosives to break into the inside of an ATM on site in order to steal the cash stored in the machine.

GASA Security Tip
Physical protective measures like alarms, CCTV, security guards, smoke and dye systems may be employed. For convenience ATMs, merchant fill models whereby merchants remove cash from the ATM as they would from the till after closing, leaving the ATM open and providing a notice to indicate there is no money in the ATM, can provide a low-cost deterrent to burglaries by taking away the criminal reward and target for the crime.

Scam/Crime 9 - Ram Raids

Definition
Ram raids often take place in the early hours of the morning in areas where police response times might be slower than normal.
Externally sited ATMs: Highly organised activity often involving the use of 3 vehicles and industrial equipment. The ATM surround is chiselled out and an industrial wire is placed around the machine. A transit van is reversed towards the ATM, the wire is fed through the back and front of the van (windscreens removed) and attached to a tow bar on a 4x4. The 4x4 pulls away and drags the ATM whole into the rear of the van.
Internally sited ATMs: A free-standing ATM is lassoed; the lasso is then tied to a vehicle which pulls away and pulls the ATM away from its anchoring. The ATM is stolen whole. Cash is later removed from the cassettes away from the premises. Cash is then removed from the scene to avoid detection by tracking device.

GASA Security Tip
Physical protective measures like bollards, anti-lasso devices, alarms, CCTV, security guards, smoke and dye systems may be employed. Merchant fill models whereby merchants remove cash from the ATM as they would from the till after closing, leaving the ATM open and providing a notice to indicate there is no money in the ATM, can provide a low-cost deterrent to ram raids by taking away the criminal reward and target for the crime.

Crimes Making The Headlines [images]

Scam/Crime 10 - ATM Vandalism

Definition
The defacing of an ATM either as a random act of damage to property or as a deliberate ploy to divert ATM users to ATMs which are more isolated and poorly lit and where the criminals may be waiting to commit their crimes.

GASA Security Tip
Customer education programmes should stress that customers need to steer clear of ATMs which are isolated or perceived as poorly lit.

Scam/Crime 11 - Fake ATMs & Dummy Overlays

Definition
Bogus ATMs, some of which can dispense cash, installed in non-bank premises for short periods of time to capture cards and record PINs. Dummy covers can be placed over part or all of the ATM interface which can trap cash or cards or both. False PIN pads can be used to record customer PINs, often in conjunction with skimming devices.

False ATM PIN pad [image]

GASA Security Tip
We recommend hourly checking of the ATM interface in addition to cardholder security education.

Image labels: Casio palm computer; MagTek bi-directional swipe reader

Scam/Crime 12 - ATM Crypto Attack

Definition
PIN data encrypted in messages from the ATM to the Acquiring Host are compromised using cryptographic analysis techniques. The compromised data is processed and relayed and new counterfeit cards are created for use with the genuine but compromised PIN.

GASA Security Tip
Triple DES encryption.

Scam/Crime 13 - ATM Cyber Attack

Definition
When an ATM system is deliberately disrupted, damaged or compromised through unauthorised cyber penetration, including through hacking, viruses, Trojans or worms. The aim could be to destroy or obtain data or to undermine trust in the ATM and in financial networks in general.

GASA Security Tip
GASA has produced a General Cyber Security Manual and an ATM Cyber Security Manual for ATMs with Windows XP operating systems, as well as a white paper on a Continuous Cyber Security Process (CCSP).

Scam/Crime 14 - Transaction Reversal Fraud

Definition
This scam may fall under legitimate cardholder ATM crimes, that is, when a cardholder defrauds his/her bank through misuse of his/her legitimate ATM card and/or the ATM system. Transaction reversal fraud involves tricking the ATM into not debiting some of the cash that has been taken or manipulating the ATM to pay more than the balance available on the account.
Type 1. A manipulation device (clips / fingers) is placed within the cash dispenser slot to interfere with the transit of cash from the cassette to the dispenser. The transaction is undertaken and the funds are issued and removed by the fraudster; however, the interference in the dispenser prevents the ATM from completing the cycle, and the ATM assumes the money is purged and not dispensed to the customer. Activity often involves a stolen card/PIN.
Type 2. The transaction is undertaken and notes are dispensed. Some of the notes are carefully removed. The ATM times out and the notes that remain are retracted into the purge bin. The ATM is unable to count the number of notes retracted and assumes the transaction hasn't completed and the notes haven't been dispensed, and the customer's account is not debited.

GASA Security Tip
Reassess the cash dispensing functionality and system to prevent manipulation.
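
A reconciliation check for the two reversal types described above, as an added example that is not part of the original slides: it flags reversed withdrawals whose retracted notes were uncounted or short, and compares the notes the ATM assumed were purged with a physical purge-bin count. The journal fields, card references, sample values and repeat threshold are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Reversal:
    """One reversed (not debited) withdrawal from a constructed ATM journal."""
    txn_id: str
    card_ref: str                   # tokenised card reference, never a PAN
    notes_presented: int            # notes moved towards the dispenser slot
    notes_retracted: Optional[int]  # notes counted into the purge bin; None = not counted


def review_reversals(reversals, repeat_threshold=2):
    """Return (findings, repeat_cards) for reversals whose notes are unaccounted for."""
    findings = []
    per_card = Counter()
    for r in reversals:
        if r.notes_retracted is None:
            reason = "retract not counted"
        elif r.notes_retracted < r.notes_presented:
            reason = f"{r.notes_presented - r.notes_retracted} notes missing"
        else:
            continue  # every presented note came back: an ordinary time-out
        findings.append((r.txn_id, reason))
        per_card[r.card_ref] += 1
    # Cards that keep producing unaccounted reversals deserve a manual review.
    repeat_cards = sorted(c for c, n in per_card.items() if n >= repeat_threshold)
    return findings, repeat_cards


def purge_bin_shortfall(reversals, physical_count):
    """Notes the ATM assumed were purged minus notes found in the bin at replenishment."""
    assumed_purged = sum(r.notes_presented for r in reversals)
    return assumed_purged - physical_count


# Constructed sample journal (hypothetical values, not real data).
SAMPLE = [
    Reversal("T1001", "card-A", 10, 10),    # genuine time-out, all notes retracted
    Reversal("T1002", "card-B", 20, None),  # ATM could not count the retract
    Reversal("T1003", "card-B", 20, 14),    # six notes never came back
    Reversal("T1004", "card-C", 5, 5),
]

if __name__ == "__main__":
    findings, repeat_cards = review_reversals(SAMPLE)
    for txn_id, reason in findings:
        print(f"{txn_id}: reversed without debit, {reason}")
    print("cards with repeated unaccounted reversals:", repeat_cards)
    # 35 is a constructed hand count of the purge bin at replenishment.
    print("purge bin shortfall (notes):", purge_bin_shortfall(SAMPLE, 35))
```
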


Scam/Crime 15 - Card and PIN Phishing

Definition
The fastest growing ATM card fraud loss type in the US is phishing fraud. It is an international problem: criminals target financial institutions in multiple countries and are moving to smaller sized financial institutions. Criminal organizations are based in the US, Russia, the former Eastern Bloc and Asia. ATM fraud has been identified in Romania, Russia, UK, Vietnam, Spain, US, Turkey, China, Mexico, Colombia, Germany, Canada and Kenya. Email and Trojan attacks are merging and becoming much more sophisticated.

GASA Security Tip
Use Card Based PIN Offsets, or CVV / CVC verification for PIN transaction authorizations if not using Card Based PIN Offsets. Resist sending legitimate emails to customers with log on links. Use alternate information instead of ATM PIN numbers for user validation at online banking sites. Implement 2 Factor user authentication for Internet based online banking systems in addition to cardholder security education.

Acknowledgments
APACS online Cash Machine Crime Directory & Picture Gallery
Martin Lewis, Chairman, ATM Crime Group, APACS
Fair Isaac
GASA
SABRIC
EAST (European ATM Security Team)
Banking Ombudsman, SA
Alan Townsend, Crime Prevention Co-ordinator, Flying Squad
Graham McKay, ATMIA