I discovered a card skimmer on a cash machine on Sunday morning.
It looked mostly convincing on the outside, and I might well not have realised that anything was amiss if not for the fact that:
- I frequently use that ATM and recognised that it was different,
- there is a pair of identical machines, and its neighbour hadn’t been altered, and
- a whirring noise seemed to be coming from the slot.
I probably wouldn’t have been able to hear the whirring at a busy time of day, but it’s quiet at half past nine on a Sunday morning. On closer inspection, there were a couple of other peculiarities: peering into the slot, I could see a small ribbon cable hanging down; around the edge of the retrofitted bezel, the fascia had been gouged.
Put together, there were enough clues for a naturally suspicious person in broad daylight, but I doubt that many of the Saturday night punters would have been so observant.
I phoned the operator of the ATM, RBS. That turned out to be a wholly unsatisfactory experience: the phone number listed on the screen took me through to a generic customer service line, on which I had to cut in on their script to explain that I wasn’t a customer. There’s no kind of identifying number on the cash machine, so they asked me for the postcode, which, of course, I didn’t know either. I was eventually able to communicate the location, but an unambiguous code would really have helped.
RBS said that they would send someone to look, but I didn’t perceive much urgency on their side, so I opened a second front.
As the cash machine is attached to a supermarket, and some of the staff were turning up for their shifts, I went to the staff entrance to tell them about it, and suggested that maybe they could put a sign on it until RBS turned up to check. I showed the machine to a member of the security staff, who agreed that it looked different from its twin, but said that he’d used the machine the other day, and that it had looked like that then!
I left for my appointment feeling rather disappointed at the lack of response. In retrospect, I think I’d have been better off calling the police non-emergency number.
Walking past the same ATM today, however, I saw that it was out of order. A hopeful sign! The skimmer still looks to be in place, though whether that’s waiting for the operators to return and incriminate themselves or whether no one really cares, I can’t say.
I find it very disturbing. Although there were signs that something was amiss in this instance, a more competent criminal would have been able to avoid gouging the ATM fascia, and might have chosen a solitary machine—or fitted a duplicate dummy bezel to its neighbour—in order to make the alteration less distinctive. The kind of microelectronics that you’d need to read and store card numbers can be made very small, and there seems to be no technical reason why a retrofitted bezel couldn’t be completely convincing.
Card skimmers are difficult to spot, and it seems to be hard to get people to take them seriously. I have some suggestions for mitigation, though:
- ATM operators should provide dedicated phone lines, with unique identifying numbers on the screen, so that it’s easy to report a specific device.
- ATM operators should remotely disable machines that are reported to have been tampered with.
- ATM manufacturers should eliminate device fascia fussiness. There are so many protuberances and bits of plastic that additional ones don’t stand out, and no one knows what the real thing is meant to look like. It would be a lot harder to glue a bezel or camera on if, for example, the entire fascia were a single piece of steel with a card-sized slot cut into it.
This problem doesn’t seem likely to go away. I’m going to stick to using machines inside bank branches as far as possible.
Read the update!
2014-09-16 00:09 UTC.