When at an ATM, we all zone in on the task at hand. Getting cash. Completely forgetting what those behind us can see and how they might be planning to also access our account. Unlike popular pantomimes, it now seems that worrying about what is behind you is only the tip of the iceberg.

Witnessed in Oklahoma, a wafer-thin infrared device was discovered collecting information from both the ATM itself and video footage of the ATM keypad. Providing the criminal everything required to clone a card and go on a shopping spree at the expense of someone else.

While infrared is not new technology, in fact we use it to control our TV’s and it can even be traced back to the Cold War. It does however indicate that the criminals had to be within line of sight of the ATM to receive the transmission of data.

When we think of infrared technology, our minds go in many different directions at once as we march through the variety of uses for infrared. For those who follow the myriad television crime dramas, their minds no doubt go to the use of infrared photography at crime scenes. For those who are birdwatchers, infrared video can capture the hummingbird’s expenditure of energy. For most us, we think of the remote control which connects us from our couch-potato position to our television.

Well, there’s one more to add to this list – use of infrared video to transmit data captured at your bank’s ATM by criminals wishing to clone and use your bank cards.

The newfangled ATM skimmer was found in Norman, Oklahoma and according to the Norman police department, the device which they discovered in June 2017 was wafer-thin and undetectable by the victim. This skimmer had an antenna attached which served to broadcast the collected information to a tiny camera, which had visibility of the ATM’s keypad.

Security investigative reporter Brian Krebs dug a bit deeper into this skimmer and learned that these criminals had mastered, using infrared technology, to not only transmit the data captured by the skimmer, but also to transmit the accompanying keypad video.

Infrared for data transfer is not new

Using infrared as a means to transmit data has been around for many years and is a highly efficient means to transmit at speeds many magnitudes faster than both Bluetooth and WiFi.

Furthermore, the use of an infrared transmitter greatly reduces the odds of having their transmissions inadvertently detected, when compared to WiFi or Bluetooth, which is present on every smartphone.

The criminals had only placed themselves at risk during time they put the device and video camera in place (Krebs has posted a photo of the two Oklahoma suspects), and when receiving the infrared signal (being in proximity to the ATM).

You’d have thought the criminals were Cold War history buffs, as their use of the concept of collect, store and forward data was previously perfected by the Russians. The KGB doctored several electric typewriters within the US embassy in Moscow in the 1980s which stored the key strokes and then used signal bursts to send the data to listening posts nearby. The implants were, like the ATM skimmers, deeply embedded in the hardware of the typewriter.

Available information doesn’t tell us if these ATM skimmer devices used directed or diffused infrared, a point of interest from a defensive standpoint. If the criminals used directed infrared, then their data collection point was within line of sight of the infrared transmitter – in other words, they would have to see the ATM, and thus could be seen from the ATM.

If their infrared signal used diffused infrared, then their collection point need only be in signal proximity, as the signal is more forgiving to line-of-sight disruption and therefore, a bit harder to observe.

The ever-reducing costs of readily available component parts make these devices essentially throw-away devices. Run the device for as long as the internal battery provides energy, and then move on.

What can the financial institutions do?

  • Review the video at their ATMs with regularity – in this instance, it appears that the criminals were visible on video at the ATM but do not conduct a transaction.
  • Install touchless technology, like NFC (near field communications), which will enable users to use their EMV/NFC debit/credit cards, key fob or smartphone to access their accounts.
  • Or as has recently been implemented in Macau, by the Macau Monetary Authority, “Know Your Customer” technology requires that each ATM use facial recognition technology.

What should we do?

The low-tech solution is to cover your keyboard hand with a newspaper or your other hand when entering your pin codes – which will certainly stop anyone sneakily filming you as you tap in your PIN.

For tips on how you and financial institutions can remain protected while at an ATM, take a moment to review the following Naked Security article.

Written by Jim O Brien/CEO

CEO in the transport industry, mobile tech fan 20 years, mobile consultant, Nokia/Microsoft VIP, HTC Specialist, Multiple forum supporter with worldwide top rankings, I also work in the background in the mobile technology sector, weekly radio show, Featured on the RTE consumer show and Cavan TV. Technology reviewer and blogger.Part time actor and security professional and brutally honest when it comes to opinions.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s