Detecting skimmers and other ATM traps
From an end-user perspective, I usually give the reader and surrounding plates a good whack with my fist, and I try to peel back any of the faceplates with my keys or a knife. The fact of the matter is, the best quality skimmers aren't detectable. POS machines can be hacked, which results in an almost undetectable scenario. Your best bet, if you want to avoid being skimmed, is to cash out at a teller at the bank :)
From a company perspective, I've come across two new defenses against skimmers recently from perusing ATM manuals (I'm doing some work with them at the moment and have all the manuals/specifications):
1) Sensors to detect any obstruction in front of the card reader; if it is obstructed for extended periods of time, it'll trigger an alert. These sensors are light sensors, proximity sensors and beam sensors, depending on the ATM in question. These are both mounted inside the card reader and around the device in general.
2) Sensors to detect constant RF signals. If you transmit for more than xx seconds (I won't mention the exact time frame) it'll trigger an alert. From the manual:
Radio frequency (RF) detection is used for detection of analogue transmitting spy cameras fitted to the ATM for purposes of fraudulently capturing card holder PIN entry. RF detection does not trigger an alert but provides additional supporting information to an alert if a fraud device is detected by a sensor at the same time as an RF detect alert.
Additionally:
HSFD consists of the following elements:
- Control board
- RF detect sensor (optional)
- From one to six sensors
- Cellular modem (to transmit alerts), with separate antenna (optional).
The following diagram shows an overview of the High Security Fraud Detection (HSFD) feature. Dashed lines indicate optional components:
Alerts usually go to a back-to-base central monitoring solution somewhere, controlled by the bank that owns the ATM.
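The alert logic quoted above (a sustained obstruction raises an alert, while sustained RF only annotates an alert that is active at the same time) can be modelled as follows. This is an added example, not code from the original answer or from any ATM vendor; the hold times, sensor names and sample timeline are assumptions made for illustration, since the answer withholds the real values.

```python
from dataclasses import dataclass

# Assumed hold times in seconds. The answer withholds the real figures,
# so these are placeholders, not values from any ATM manual.
OBSTRUCTION_HOLD_S = 30.0
RF_HOLD_S = 20.0


@dataclass
class Reading:
    source: str   # "rf" or an obstruction sensor name (names are hypothetical)
    start: float  # seconds at which the sensor began reporting
    end: float    # seconds at which it stopped


def active_window(r, hold):
    """Span during which a reading counts as a detection, or None if too brief."""
    return (r.start + hold, r.end) if r.end - r.start >= hold else None


def correlate(readings):
    """One alert per sustained obstruction; sustained RF only annotates it."""
    rf = [w for r in readings if r.source == "rf"
          and (w := active_window(r, RF_HOLD_S))]
    alerts = []
    for r in readings:
        if r.source == "rf":
            continue  # RF never raises an alert by itself
        w = active_window(r, OBSTRUCTION_HOLD_S)
        if w is None:
            continue  # brief obstruction, e.g. a normal card insertion
        overlap = any(s <= w[1] and w[0] <= e for s, e in rf)
        alerts.append({"sensor": r.source, "fired_at": w[0], "rf_supporting": overlap})
    return alerts


# Constructed sample timeline (not real ATM telemetry).
SAMPLE = [
    Reading("sensor1", 100, 104),    # customer inserting a card
    Reading("rf", 200, 260),         # sustained RF, nothing obstructed
    Reading("sensor2", 300, 900),    # object left in front of the reader
    Reading("rf", 320, 800),         # transmitter active at the same time
    Reading("sensor3", 1000, 1100),  # obstruction with no RF nearby
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```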
There's a new proof-of-concept anti-skimming technology called SRS ("Secure Revolving System") that got announced recently; there's a video of it in action here. Original story here.
The actual SRS device looks like this:
Basically it accepts the card 'side on' (as opposed to the usual card entry method) and then rotates it 90 degrees before accepting it. This basically prevents any face plate being attached over the device and makes it very difficult to position a skimmer.
The newest skimmers cannot be seen. These skimmers are wafer thin and insert into the card reader:
To make matters worse, the modification can be purely software. ATMs can be hacked; their software can be modified to log the mag strips and PINs of every user.
This is a losing battle and you take a chance every time you use an ATM. Security is relative; that being said, I would avoid using ATMs in general, especially in a bad neighborhood. Online banking isn't foolproof either. Related: Is accessing bank account on the internet really secure?
The best you can really do is use ATMs you know, or ATMs that have good physical security if one you know isn't available (go to an ATM inside a bank). Even then, I always spot check the machine for any signs of tampering.
A simple trick that can work well is to make sure the keypad isn't compromised (by looking and pulling on it) and then, if it appears valid, put one hand over your other hand as you type in the code, so even if there is a camera, it can't see your input.
Ultimately, it's still a losing battle and nothing is perfect, but those are the tips I usually follow. Hopefully in the future, we can move to a system that actually uses OTP (one-time password) generation for added ATM security.