Advanced ATM Skimming Tools Circulate Dark Web, Severe Security Issues

Advanced ATM skimming tools are circulating the dark web and banks are struggling to implement necessary security measures to prevent loss of funds and theft of debit card information.

Over the past decade, ATM skimming has remained a popular method of data theft internationally. In most cases, hackers replace ATM card scanners with their customized hardware that has identical physical characteristics with ATM card scanners. Because the outer framework is so similar to the real hardware, bank users and debit card users usually cannot differentiate one from the other.

However, as banks began to implement security precautions by advising debit card holders and users to switch from mag stripe to EMV cards, and by offering tips on differentiating malware to legitimate ATM scanners, traditional ATM skimming methods have become outdated and unusable.

Recently, new-generation technologies and hacking tools have surfaced on the dark web. According to security experts including Chris Hadnagy, the CEO of Social-Engineer, a cybersecurity training company, hackers and dark web criminals have created sophisticated technologies that are difficult to prevent even with the implementation of necessary security systems.

One newly emerged technology is a card that is thinner than the usual debit or credit card which can be placed under or within card scanners. The card operates as an independent card scanner and automatically transmits data of the debit card through bluetooth, before the built-in ATM card scanner can detect the card. Through the technology and the advanced card scanning system, any bank ATM user can become vulnerable to identity and financial data theft, which inevitably can lead to additional criminal activities such as direct blackmail, theft of funds and illegal usage of personal debit cards.

More importantly, because newly emerged ATM skimming methods such as card scanning can be done through wireless networks or bluetooth, hackers can simply walk towards the ATM, transfer financial data to their phones or other devices and leave the location. Even with security camera footage, it seems as if the hackers were using the ATM or withdrawing money from the machine like others, making it difficult for banks to obtain hard evidence against the hackers.

“If you can get it in there [the ATM] and not be seen or found, you can walk up to the device later on, turn your phone on, connect to the Bluetooth wireless, download all the cards, act like you’re pumping some gas and leave, and they would never know that it was you. It calls to a server and downloads all the numbers to a file for them to obtain,” explained Hadnagy.

In an interview with CNBC, he also demonstrated the easy process of installing bluetooth-enabled card readers onto bank ATMs and stealing information from debit card users. Hadnagy expressed his concerns over the increasing popularity of ATM skimming technologies in the dark web as hackers are selling the technologies with step-by-step installation instructions. According to Hadnagy, the installation process can be done by anyone with basic knowledge in computers, mobile phones and ATMs.

Banks are cooperating with ATM manufacturers to come up with new solutions to prevent ATM skimming. Diebold Nixdorf, an ATM manufacturer and designer, introduced an ATM design which allows debit card users to insert their cards widthwise, instead of lengthwise. Because the change of the direction completely alters the way the ATM reads the information the card, Nixdorf explained that the simple change in the card reading process renders most ATM skimming methods ineffective.

Still, through the dark web, hackers will be able to distribute new methods of ATM skimming that adapt to various changes, including the data transmission alteration proposal introduced by Nixdorf.