While my family and I were out running errands today we stopped at the Wells Fargo at Hillcroft and Unity/Highmeadow (Houston) to pick up some cash. I use the two ATMs at this location fairly often, at least as often as I'm willing to use my ATM. I'm quite cautious about ATM cards since they're a direct line to one's checking or savings account. While banks are very prompt in refunding fraudulent charges it's still a nuisance to deal with. Today my caution paid off…but not immediately.
Normally I scan the machine quickly to make sure it's a) in service, and b) not been tampered with. Another ATM I use at a Chase bank on Washington was discovered with a skimmer a few months back. It pays to be cautious.
We were in a hurry to get to Costco before they close at 6:00. I pulled in and slid my card through the card-reader slot with nary a concern. While waiting for the transaction to process I looked at the card reader expecting it to spit my card out before dispensing the cash. It didn't look right. It had cracks. That might seem reasonable but if you touch the exterior of most bank ATM machines they're usually made from some form of metal (the cheap ones at gas stations are another matter). The substrate looked like plastic.
"No way!", I thought. It better not be. I grabbed the side of the reader and tugged. It came off in my hand. On the back I could see a USB port, some electronics, a battery and the skimmer. My worst fear confirmed. Adding insult to injury, I had already run my card through it.
I pulled through to the parking lot and stopped. My neighborhood is fairly close by. I called the off-duty HPD officer who patrols and asked him who to call. He gave me the number to HPD's non-emergency line. I told the nice lady who answered what happened. She had no idea what I was talking about. Not too surprising. ATM skimmers aren't well known yet. I explained it was a kind of fraud. She took some details and said an officer would come to take a report.
Waiting for the officer I called my bank and canceled my debit card and requested a new one. Then I took looked more closely at the device and took photos. I really wanted to pull it apart but I didn't think HPD would like that. I checked the other ATM machine to see whether it had also been fixed-up with a skimmer. None.
I waited for HPD for an hour and no one showed. The children were getting restless so we took them home. I imagine I'll get a call from someone in the fraud unit on Monday.
Below you'll find some detailed comments about the photos, or you jump straight to them on my flickr account.
The device was attached to the ATM machine over the built-in reader. I didn't see any cameras on or around the ATM machine to capture PIN codes. Perhaps these guys are just getting in to the business.
1.2 What the normal reader looks like. Notice how it has a ring of LEDs around it and how recessed it is. The first sign of a skimmer is that the face of the machine is mostly flat but there's a large protuberance on it. Give that a little tug if you suspect something.
See also the residue where the Braille "Insert Card" sticker was that was relocated to the skimmer.
Note: Not all skimmers are as large as this one. See these Google results for lots of images of skimmers. Thieves are getting better at making them smaller.
2.1 This card skimmer is designed to adhere to the front of the ATM machine and skim the user's ATM debit card as it passes through to the real ATM card reader.
In the picture you can see a bit of the material they used to stick the reader to the ATM. It feels like a light-duty caulk. It doesn't have much sticking power. The device came off with just the slightest tug.
2.2 Notice the faux aging and the Braille "Insert Card" sticker they pulled off the ATM machine to add some authenticity. The crack with plastic substrate is what tipped me off. That and it's size.
2.3 The reader is pretty simple itself. The batter is still plugged in but you'll notice the no ring of LEDs.
3.1 The back of the skimmer.
3.2 The card reader with Micro SD card. I don't know what the little black buttons on the left do. Maybe reset switches. The black and white device on the right looks like a simple switch for cutting power to the device.
And no, I did not put the card in my computer or plug in the USB port. If this were my device, I'd laden it with an evil virus or trojan to deter tampering. If I could keep it I'd find a way to attach it to a computer. There's no way I wouldn't want to find out more. ;-)
3.3 The 720mah battery. That's about 1/2 the power potential of my cell phone. That's a lot a power for a simple device. Must be necessary for the reader and Micro SD slot.
3.4 The electronics. This is the part I'd like to get a close look of to see whether there are any identifiable ICs. Most likely, just bog standard Micro SD controller parts.
You'll notice there are two photos. There's an LED on the device that alternates between blue and red. It was not on initially when I pulled it off. It flashed like crazy for a while and then settled in to a steady state.
I don't see any obvious antenna so I don't think it's bluetooth enabled.
3.5 The USB port. Interesting that it has the USB port given that it uses Micro SD. Perhaps there's more going on that meets the eye.
3.6 The reader. Just a very simple reader. Your old Sony Walkman cassette player was ten time more sensitive and capable.
 The exterior of ATM machines looks like pot metal to me.
 Keep in mind, banks like Wells Fargo and Chase are not the problem. Thieves place skimmers on the lawful property of the bank to grab card numbers from unsuspecting patrons so they can then rob the cardowners of their lawful property, i.e, their money. Skimmers are crimes of opportunity. Today it's Bank 'A', tomorrow Bank 'B'.