The move means that the fraudsters now have access to users' card details remotely and in real time, which, when allied to the keyhole cameras installed on the ATM, mean they can clone a card and use it within a matter of minutes of a cardholder using the cash machine.
Reporting on this latest evolution in cash machine fraud, security researcher Brian Krebs says that this step is a move on from wireless-enabled skimming devices.
Krebs, who has reported on this type of fraud for some time, says that he made contact with a skimmer on an exclusive hacker forum, and the skimmer offered a first-hand account – in poor English, Infosecurity notes – of why these cell-phone equipped fraud devices are safer – and more efficient – than less sophisticated models.
"That is, for the buyer at least", he notes in his security blog.
Let say we have a situation in which the equipment is established, works - for example from 9:00 a.m., and after 6 hours of work, usually it has about 25–35 tracks already on hand (on the average machine). And at cash out if the hacked ATM is in Europe, that's approximately 20–25k Euros", said the skimmer.
"So we potentially have already about 20k dollars. Also imagine that if it was not GSM, but sending SMS and to receive tracks it would be necessary to take the equipment from the ATM, and during this moment, at 15:00, along comes the police and takes off the equipment", he added.
With GSM-based kit, Krebs says that the skimmer has the magnetic stripe track data already in their hands, even if the police or bank staff arrive and remove the skimming hardware.
"That means they are already yours, and also mean this potential 20k can be cashed out ASAP. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dump transfers, you lose equipment, and tracks, and money", said the skimmer.
And here's where it gets interesting, as the skimmer says he has seen situations where the police have not removed the skimming hardware, but have stayed in their cars to observe the ATM, in the hope of catching the fraudsters removing their skimming device.
"However, having worked all the day and all the evening, and only by night the police have removed the equipment. As a result they thought to catch malicious guys, but it has turned out, that we have lost the equipment, but results have received in full. That day we got about 120 tracks with PINs", the skimmer explained.