ATM skimmers are clamp-on units that fit to the card insertion slot of a cash machine and electronically lift the card's credentials from the magnetic stripe on the card and store them for future use.
When allied to a pinhole camera or similar technique to capture the user's PIN, the data can then be used to create a cloned card – for use in retail stores and, of course, to draw cash from other machines, Infosecurity notes.
About a year ago, security researcher Brian Krebs noted that ATM skimmers were being constructed of parts from old MP3 players. Since then, he says in his latest security blog, he has noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices.
Using audio to capture credit and debit card data, he asserted, is not a new technique – Square, an increasingly popular credit card reader built for the iPhone, works by plugging into the headphone jack on the iPhone and converting credit card data stored on the card into audio files.
In the latest retasking of an MP3 player, the Krebs on Security newswire researcher has spotted a card skimmer designed to fit over the card acceptance slot on a Diebold Opteva 760, one of the most common ATMs seen in the US and Canada.
“The green circuit board on the left was taken from an MP3 player (no idea which make or model). When a card is slid past the magnetic reader (the small black rectangle at the end of the black and red wires near the center of the picture), the MP3 player “hears” the data stored on the card’s magnetic stripe, and records it as an audio file to a tiny embedded flash memory device”, he wrote.
The card skimmer kit – which sells for $1,500 – comes with a false panel that fits snugly into the top of the ATM; it contains a miniature video camera that records victims entering their PIN when the card skimmer slot is activated. The battery included in the hidden camera lasts for six hours, according to the ad posted by the skimmer’s designer.
Krebs reported that the vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10–15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The MP3 files, he noted, are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.
In fairness, Krebs continued, the seller does note in the fine print that third-party software is required to decrypt the audio files, and that he is 'working closely with another partner for this service.'
“That partner is a different fraudster who will decrypt the audio files in exchange for 20% of the stolen card numbers and PINs”, he said.