Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Here are some variations on deep insert skimmers NCR found in recent investigations:

Image: NCR.

Image: NCR

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly, but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

Source: https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/

Smart homes are hackable homes if not equipped with updated, supported tech

Smart homes are increasingly becoming hackable homes, according to consumer research.

The report by consumer rights organization Which? paints a grim picture for people who have equipped their residences with gadgets, many from trusted tech names.

As with pretty much everything in IT, if you connect a device to the internet, ensuring it’s patched and has a decent password is the very least owners can do. Even then, there are no guarantees that this is secure.

Unsurprisingly, the Which? team found that out-of-support devices were relatively straightforward for hackers to compromise. The example of an early Amazon Echo smart speaker was given where researchers were able to take control without the user being aware.

Other devices, such as smartphones and routers, were also exploited. The Which? team were able to infect a Samsung Galaxy S8 smartphone with malware disguised as a delivery text. Siphoning of user data was then possible.

However, in these cases the devices were out of support and “the attack would have been better blocked or detected by a device that was still receiving security updates,” Which? noted.

Continue Reading: https://www.theregister.com/2022/06/01/which_smart_tech_advice/

Microsoft Defender can ironically be used to download malware

A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

In a recent Microsoft Defender update, the command-line MpCmdRun.exe tool has been updated to include the ability to download files from a remote location, which could be abused by attackers.

With this new feature, Microsoft Defender is now part of the long list of Windows programs that can be abused by local attackers.

Full story at https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/

Physical Security: Padlocks

Taking a bit of a side trip from our usual information about online security, here is a video from YouTube’s LockPickingLawyer which shows his choice of the top 10 “biggest and baddest” padlocks.

View some of his other videos to see just how easily someone can break into most of the standard, run-of-the-mill padlocks.

I haven’t looked, but I’m willing to bet all of these are relatively expensive.  But if you really want to lock something down, you might want to consider getting a quality padlock.

Definition: 2-Factor Authentication

You have probably heard the words “2 Factor Authentication” (2FA), but do you understand the concept and the increased level of security it provides (even despite the mild annoyance factor)? And do you know the preferred way to set it up for your WordPress website?

The basic idea is that logging in requires more than just your user/password combination.  User names can be fairly easy for a hacker to discover, and there are many tools available for them to obtain likely passwords – from brute force attacks to “dark web” sites which sell lists of user/password or email/password combos stolen during the unfortunately high number of breaches over the years.

So we add a second factor – something you HAVE, which the hackers probably don’t have: typically your phone or other device. You enter the code from your device as the last step of logging in.

Note: there are methods which involve sending a code to a designated email account or sending an SMS text to your phone. The downside is that the hacker may already have gained access to your email too. And text messages can be intercepted, as happened in 2019 to the CEO of Twitter. Yes, any 2FA is safer than no 2FA, but email and text messages are not the safest way. (See also: Microsoft Warns Against SMS, Voice Calls for Multi-factor Authentication.)

Right now (March 2020) the safest way to implement 2FA on your website is to use an Authenticator application – either on your phone or as a stand-alone device.

Some well known authenticators include:

Password managers 1Password and LastPass offer the service as well.

Rather than send you an SMS or email, each of these apps shows you a randomly generated six-digit code that refreshes roughly every 30 seconds, and stays constantly synced with whichever service you’re trying to log into. The benefits of tying those codes to a physical device rather than your phone number extend beyond security; apps like Google Authenticator generally continue to work even without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here’s some relief.

We suggest using one of the above Authenticators along with the 2FA available through Wordfence, which we install on all our clients’ sites. Download the Authenticator of your choice to your phone/tablet, log in to your website as an administrator, go to the Wordfence menu in the left-hand navigation, and go to Login Security.

You should now see a QR code (with a text key below it).  Follow the instructions at https://www.wordfence.com/help/tools/two-factor-authentication/ to get it set up.

It would be wise to require all Administrator and Editor level users on your site to implement 2FA. You get used to the extra step pretty quickly.

Important note: Nearly all 2FA setups allow you to copy and store Backup Recovery Codes. Once you have set up 2FA through Wordfence you’ll have the opportunity to generate, copy, and save new Backup Recovery Codes. I highly recommend that you store them in your password manager or another high security location – they come in very handy if you drop your phone like I did last week and it goes in the shop!

If you want to get really hard core, Yubico’s YubiKey is a hardware-based 2FA solution. It’s a small card-like device with one end that slots into a standard Type-A USB port. It can verify authentication with a button press instead of manually entering a short code. YubiKeys are also very durable and waterproof, making it difficult to ruin these devices. These are probably the most secure solution overall, but to my knowledge Wordfence does not yet support YubiKey.