Scammers introduce ATM skimmers with built-in SMS notification

Summary: The bust of the notorious ATM scammer going under the handle of Cha0 in early September once again puts ATM skimming in the spotlight. One of the main risks scammers face when planting an ATM skimmer is retrieving the device, which by then contains the credit card details of several hundred people, depending on the volume of transactions that occurred while the device was in place.

The bust of the notorious ATM scammer going under the handle of Cha0 in early September once again puts ATM skimming in the spotlight. One of the main risks scammers face when planting an ATM skimmer is retrieving the device, which by then contains the credit card details of several hundred people, depending on the volume of transactions that occurred while the device was in place. How, then, are scammers going to minimize the risk of getting caught without having to come back to the crime scene? A recently uncovered serial manufacturer of ATM skimmer devices seems to have solved the secure-retrieval problem by introducing ATM skimmers that automatically SMS the complete credit card details to the scammer.

How much does the device cost, how does it work, what ATM skimming tips is the manufacturer offering, and also, how can you protect yourself against ATM skimming? Let's find out.

The device starts at $8,500 and can send 1,856 SMS messages -- processed credit card details -- without recharging. The introduction of built-in SMS notification, and the ability to "call the ATM skimmer" in order to retrieve the information, is a major milestone for an ATM skimming device.

How does the device work according to the "manufacturer"?

"The card reader reads out cards and sends tracks via SMS. The keyboard tracks the pressed buttons sequences and also sends them via SMS. If it is necessary, you can make a call to the skimmer and download information, but it’s more convenient to receive SMS. All SMS are being sent to a basic number defined by a Client, a sim card with a basic number is installed into the phone (we tell you the cellular phone model when you buy the skimmer). The phone is connected to a PC running certain software that controls the device functioning. In other words, you receive tracks and PINs, manage your device just sitting at home in front of your PC. Then we decipher the data received. The data received by your PC is being coded instantly to prevent it being used and accessed by unwanted persons. To decipher the data one should use special software that is supplied with the device. The data deciphered is ready for writing on cards. The equipment is designed for several ATM types that are widespread in Europe, USA, Australia and Arab states. The skimmers’ model line allows you to work in any city worldwide."

It's worth pointing out that the process of "coding the data" and deciphering the skimmed credit card details is built with the idea of ensuring that the organizers of the credit card theft group are not going to get scammed by other people working for them:

"Thus, you receive and use absolutely safe software. Even if someone takes a look at your PC’s display when the software is running, it wouldn’t help a bit, even if this is a person that can tell one track from some other info. So, you use the system one cannot steal tracks from. This means that all your workers wouldn’t be able to steal tracks, you’ll be the only one who can fully access the information captured. Why is GSM used? The service is based on GSM standard because you can receive SMS anywhere, would it be your home or a sunny beach. It is the most solid security in our days. … how many people were arrested only because they had used skimmers without data transfer… In return, no one has ever been arrested when using our skimmer."

How are they capable of producing such legitimate-looking ATM skimmers? They seem to be using the very same manufacturer that the banks are using, indicating possible cooperation with insiders, or highlighting insecure processes within manufacturers that supply ATM components to anyone who pays:

"The skimmers form is being created on the basis of the pattern of the real ATM models. In other words, if the real ATM model has smooth lines, then our skimmers would be designed in accordance. That’s why skimmer looks even like an integral part of an ATM. The body of all skimmers is colored with the same paint that ATM manufacturers use (we are buying paints at the same facility). We take exactly the same color and hue required by the model of the real ATM. The technology of painting is the same, we reproduce all the necessary characteristics like the temperature, the angle of paint drop, the pressure, polymerization time etc. Thus, we achieved the full and precise compliance of the paint’s tone, gleam, hue at the different light angles, the paint’s surface feelings to the touch etc. In the real situations the skimmers really look like an integral part of ATM."

How does the device work, and how many SMS messages is it capable of sending without recharging the battery?

"Our skimmers read out the magnetic strip in two ways, there and back. The skimmer reads off the strip in both ways if there are 2 tracks. The skimmer reads off the strip even if there are only 2 tracks on the strip (that happens with electrons’). The data can be read off even if a holder passes the card changing speed or with a jerk. The skimmer fail-safely reads off data: 9,999 tries of 10,000 are successful. It works even if a holder passes the card fast and then slows it down. The only situation when the skimmer fails is when the card is stopped in the middle while being passed. It’s a typical error for all card reading devices linked to the magnetic stripes read off technology.

All devices are powered with Li-ion batteries. The charger is delivered with devices. The battery can work fully 24 hours (when the temperature is 21 degrees centigrade). We conducted the test on the maximum number of SMS sent using one battery. The result is really great: 1,856 SMS were sent without any charging. The tester was passing a card permanently without any pauses from 03 a.m. to 5 p.m. Usually during a day the number of holders is less than 1,856 and the skimmer is in the waiting mode, consuming less energy. So, in the normal mode one battery can work 24 hours."

The manufacturer seems to be a group of experienced ATM skimmers that have applied a great deal of security measures to ensure that their customers don't get caught while retrieving the data. For instance, in one case they seem to have been observing how the police would react upon detecting the skimmer and, "just like they thought", while the police were patiently waiting for someone to retrieve the device so they could bust him, the skimmed data had already been SMS-ed.

Interestingly, the average credit card thief will not be able to purchase the device unless he has recommendations and is a known "usual suspect":

"But we do not sell to anyone and anytime. To buy the skimmers you should have recommendations, only in that case we can talk about the deal. We do not sell the equipment in stock anytime because we do not have the assembled equipment. Sometimes we assemble a few suites and sell them, but we do not always have assembled suites in stock. That’s why when we offer you the equipment here and now, you’d better buy it immediately because, say, in a week we wouldn’t have them in stock."

How much does the device go for? That depends on the ATMs it's capable of fitting into and the number of skimmers the buyer requests:

"All models have the same price.
1 set = $8.500 + shipment costs
2 sets = $16.000 + free shipment
3 sets = $24.000 + free shipment
4 sets = $32.000 + free shipment
5 sets = $40.000 + free shipment
The price for two-model set is $9,800

We always quickly ship orders. We ship orders worldwide. I don’t like unresolved questions that’s why it pays to deliver the order ASAP as we receive the money. The faster we send the better we sleep. That’s why we talk about selling only assembled and ready-to-go devices. In other words, you wouldn’t wait ages while your equipment is being assembled, tested etc. We sell only tested equipment.

How do we do tests?
1. Every device is tested for bugs during 24 hours marginally.
2. Every shell is tried on the native model to ensure ideal installation.
3. Every shell is thoroughly checked for painting defects etc, the client receives defects free equipment.
Shipment methods, terms and details are defined individually. We conduct shipment of every order using different methods, from different cities and countries for the security matters."

Just like eBay's feedback system, which aims to build trust among sellers and buyers, the underground ecosystem has been unofficially maintaining lists of scammers within the scammers, with sales of a particular service or product driven mainly by positive or negative feedback. In regard to this particular ATM skimmer, the scammers that have already purchased it are all giving positive feedback. Would built-in SMS notification within an ATM skimmer render news items like "Police Release Photo of ATM 'Skimming' Suspect" pointless? If they start standardizing the feature, that could well be the case. For the time being, it once again proves that mandatory prepaid card registration could come in handy in solving these, and many other, crime cases.

Who's to blame at the bottom line: the bank or the shopping center maintaining the ATM for not physically inspecting it on a daily basis, the component manufacturers for having obvious loopholes within their security processes, or the end user for not having decent situational awareness about how to protect himself? It's a shared responsibility, but going through Cha0's tips for committing ATM fraud might come in handy from the perspective of knowing how an ATM skimmer thinks before the device is installed.

Topics: Security

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
