A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.
This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.
The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).
These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.
Here’s what the other side of that insert skimmer looks like:
The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.
The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.
To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.
Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.
The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.
Here are some variations on deep insert skimmers NCR found in recent investigations:
Image: NCR.
Image: NCR
The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.
Image: NCR.
Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:
Image: NCR
In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:
Image: NCR
The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.
Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.
Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).
For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.
Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.
So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.
Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.
If you enjoyed this story, check out these related posts:
Crooks Go Deep With Deep Insert Skimmers
Maybe you’ve seen videos where Robert Downey Jr. and other cast members of The Avengers follow the yellow brick road after they swap faces with the cast of 1939’s The Wizard of Oz. Or how about any of the umpteen videos where the face of actor Nicolas Cage is swapped with, well, everybody, from the cast of Friends to Forrest Gump. They’re funny, uncanny, and sometimes a little too real. Welcome to deepfakes, a technology that can be entertaining, yet one that has election year implications—now and for years to come.
Deepfakes are phoney video or audio recordings that look and sound real, so much so that the best of them can dupe people into thinking they’re the real thing. They’re not unlike those face-swapping apps your children or nieces and nephews may have on their phones, albeit more sophisticated. Less powerful versions of deepfaking software are used by the YouTube channels that create the videos I mentioned above. However, more sophisticated deepfake technologies have chilling repercussions when it comes to public figures, such as politicians.
Imagine creating a video of a public figure where you literally put words into their mouth. That’s what deepfakes effectively do. This can lead to threat tactics, intimidation, and personal image sabotage—and in an election year, the spread of disinformation.
Deepfakes can make you question if what you’re seeing, and hearing, is actually real. In terms of an election year, they can introduce yet another layer of doubt into our discourse—leading people to believe that a political figure has said something that they’ve never said. And, conversely, giving political figures an “out” where they might decry a genuine audio or video clip as a deepfake, when in fact it is not.
The technology and security industries have responded by rolling out their own efforts to detect and uncover deepfakes. Here at McAfee, we’ve launched McAfee Deepfakes Lab, which provides traditional news and social media organizations advanced Artificial Intelligence (AI) analysis of suspected deepfake videos intended to spread reputation-damaging lies about individuals and organizations during the 2020 U.S. election season and beyond.
However, what can you do when you encounter, or think you encounter, a deepfake on the internet? Just like in my recent blog on election misinformation, a few tips on media savvy point the way.
While the technology continually improves, there are still typical telltale signs that a video you’re watching is a deepfake. Creators of deepfakes count on you to overlook some fine details, as the technology today largely has difficulty capturing the subtle touches of their subjects. Take a look at:
This is important. Like I pointed out in my recent article on how to spot fake news and misinformation in your social media feed, deepfake content is meant to stir your emotions—whether that’s a sense of ridicule, derision, outrage, or flat-out anger. While an emotional response to some video you see isn’t a hard and fast indicator of a deepfake itself, it should give you a moment of pause. Listen to what’s being said. Consider its credibility. Question the motives of the producer or poster of the video. Look to additional credible sources to verify that the video is indeed real.
How the person speaks is important to consider as well. Another component of deepfake technology is audio deepfaking. As recently as 2019, fraudsters used audio deepfake technology to swindle nearly $250,000 dollars from a UK-based energy firm by mimicking the voice of its CEO over the phone. Like its video counterpart, audio deepfakes can sound uncannily real, or at least real enough to sow a seed of doubt. Characteristically, the technology has its shortcomings. Audio deepfakes can sound “off,” meaning that it can sound cold, like the normal and human emotional cues have been stripped away—or that the cadence is off, making it sound flat the way a robocall does.
As with all things this election season and beyond, watch carefully, listen critically. And always look for independent confirmation. For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Election 2020 – How to Spot Phony Deepfake Videos this Election appeared first on McAfee Blogs.