What do you do when you can’t trust a single ATM? That’s a question I’ve been considering after learning of a new, nearly-indetectable ATM skimming scam plaguing my current home of Playa del Carmen.
What Is ATM Skimming?
In its most basic form, skimming is a way to intercept an otherwise legitimate financial transaction. It’s not just here in Mexico, either. While the United States is experiencing the majority of this type of card fraud, ATM skimming is on the rise internationally— costing banks upwards of one billion dollars each year.
Image credit: Krebs On Security
To understand just why this new breed of skimming devices is so scary, here’s a little bit about how they started.
A Brief History of ATM Skimming
Most people associate the phrase “ATM skimming” with the once-clunky devices that rested in an ATM’s card slot, waiting to read information from the cards of unsuspecting users. These first-generation devices had to be accompanied by a camera that criminals would use to record an image of your PIN being entered—this is why so many ATMs now have those awkwardly-placed keypad covers.
Image credit: Gizmodo
In an article detailing the terrifying evolution of ATM skimmers, Gizmodo shares how skimming devices have evolved since 2002, roughly when CBS reported that skimmers had begun appearing in ATMs around America.
“In a little over a decade, ATM skimmers have gone from urban myth to a wildly complex, ever-evolving suite of technologies that has the potential to be the worst nightmare of anyone with a bank account.”
While primitive versions of ATM skimmers worked by intercepting a card’s information, they sometimes rendering the ATM useless and were often quickly discovered. However, advancements in the technology brought about a new breed of devices that worked with the ATMs they were leeching off of.
Image credit: Krebs On Security
As you can see below, crooks even began using keypad overlays to work around having to place a camera nearby.
Image credit: Lockheed Martin
Near 2009, technology evolved to make ATM skimming easier—and devices became more readily available. In their report on the history of skimmers, Gizmodo states:
“Eventually, you could outsource the tech know-how entirely. Sites began selling whole skimming kits that could be color-coded according to the type of machine you were planning to rip off. They could be yours for around $1500.”
Cyber-security journalist Brian Krebs, of Krebs On Security, has been reporting on ATM hacking for close to a decade. Back in 2010, Krebs reported a new type of ATM skimmer that further reduced a thief’s risk of being caught:
“The trouble with these [older] devices is that the fraudster has to return to the compromised ATM to grab the device and the stolen data stored on it.
In contrast, wireless skimmers… allow the thief to receive the stolen card data from anywhere in the world, provided he or she has a working cell phone signal.”
Those wireless ATM skimming kits were expensive, selling for over $7,000 US dollars. However, the wireless tech was coupled with new, streamlined card slips that were nearly undetectable to the average user and instances of ATM skimming began to rise.
Other ATM skimmers went the opposite of discrete, instead hiding in plain sight, like the green-lit card slip below.
Image credit: Krebs On Security
Protection Against ATM Skimmers
The first rule of protection is to always cover the keypad when entering your card pin, as the majority of setups require a camera to capture your code.
But, card users aren’t fighting fraud alone. To help, ATM manufacturers have worked with imprisoned hacker Valentin Boanta to develop a way that could stop thieves from stealing info off a card’s magnetic strip. However, the device, which requires you to insert your card widthwise before rotating it to be inserted into the ATM, has yet to see widespread implementation.
Additionally, the US is finally embracing so-called “chip-and-pin” credit card systems. Though the US is relatively late to the laser chip-game, you may have recently received updated cards from your bank—attempts to thwart skimming is part of the reason why you’re being forced to switch.
Why Mexico’s Bluetooth ATM Skimmers Are So Scary
Mexico’s Yucatan Peninsula and Quintana Roo include tourist hotspots Cancun, Tulum, and Playa del Carmen—destinations that see over 4.8 million visitors each year, many coming from the United States and Canada.
The latter destination is also where I call home—which is why I heard about Krebs and his reports on increased ATM skimming in the area through a local ex-pat’s forum.
Krebs first wrote on Mexico’s plague of card fraud back in September, in “Tracking a Bluetooth Skimmer Gang in Mexico.” He made the four-day trip down South after being contacted by an ATM firm that complained of experiencing “an ongoing ATM fraud campaign of unprecedented sophistication, organization and breadth.”
Just how bad is it?
All of the above listed ATM skimming scams depend on stealth. However, up and down the Yucatan Peninsula, a gang of criminals has taken skimming to a new level. They’re boldly propositioning ATM technicians with bribes of 100-times their salaries, in hopes that the techs will agree to turn their backs during servicing.
Their intention? To install a new type of device directly into the machine.
The device is a Bluetooth circuit board, which is discretely wired directly onto the ATM’s own electronic circuit boards—allowing the Bluetooth device access to the machine’s debit card reader and PIN pad.
That means no camera, no fake keypad, no extended card slip. These Bluetooth ATM skimming devices are visually undetectable.
The Bluetooth circuit boards come equipped with their own storage device, meaning that stolen card data can be retrieved from the Bluetooth components wirelessly. The thief simply needs to be within ten-ish feet of the machine while he or she access data with the secret key used to protect the stolen information.
After examining one of the devices, Krebs reports on their complexity:
“These are not your ordinary skimming devices. Most skimmers are detectable because they are designed to be affixed to the outside of the ATMs. But with direct, internal access to carefully targeted cash machines, the devices could sit for months or even years inside of compromised ATMs before being detected (depending in part on how quickly and smartly the thieves used or sold the stolen card numbers and PINs).”
The Bluetooth ATM Skimmers Can Be Spotted… For Now
When a compromised employee led the ATM company to find a single device, they discovered that it emitted a Bluetooth signal named “Free2Move”—just like any Bluetooth device, such as your wireless headset, will appear on your smartphone or laptop, asking if you want to connect.
If you’re about to visit Mexico, you, too, can employ this technique to test an ATM’s security—for now. Simply scan the area for Bluetooth devices that give off the telltale Free2Move signal to discover any that are part of the scheme. However, the criminal gang employing these Bluetooth skimmers is sure to realize how easily they can be spotted sooner rather than later, and will likely take steps that increase secrecy.
Knowing the name of the device doesn’t mean that anyone attempting to connect can harvest data. Doing so requires entry of a unique encryption key known only to the criminals who placed it there.
In Four Days, Over 20 Compromised ATMS Were Located
Identifying the signal allowed Kreps to search out additional compromised machines—once he knew what to look for, compromised ATMs could be spotted everywhere.
“Not long after figuring out the scheme used by this skimmer, my source instructed his contacts in Cancun and the surrounding area to survey various ATMs in the region to see if any of these machines were emitting a Bluetooth signal called “Free2Move.” Sure enough, the area was blanketed with cash machines spitting out Free2Move signals.”
There were some in the airport. One of the ATMs in the hotel in Cancun where he stayed was compromised. Sometimes there was more than one telltale Bluetooth signal visible from where he was standing.
Image credit: Krebs On Security
While the sheer number of Free2Move signals Krebs found was terrifying, even worse was the lack of assistance when Kreps attempted to notify officials of the problem. When he spotted a compromised ATM in Cancun’s Marriott CasaMagna Hotel, Kreps immediately notified security. The hotel’s employees seemed concerned at first, but the Bluetooth signal kept on signaling until he left town.
Why not just go to the police? Kreps explains:
“Going to the cops would be useless at best, and potentially dangerous; Mexico’s police force is notoriously corrupt, and for all my source knew the skimmer scammers were paying for their own protection from the police.”
At this time, Bluetooth ATM skimming is such a problem in Mexico that it’s estimated to provide criminals with over five million a month—all siphoned from the accounts of unsuspecting card holders.
Krebs paints a riveting picture in a three-part series detailing his investigation, and it would be poor taste to steal his thunder by piecemealing quotes. You can read them in their entirety here:
- Tracking a Bluetooth Skimmer Gang in Mexico
- Tracking Bluetooth Skimmers in Mexico, Part II
- Who’s Behind Bluetooth Skimming in Mexico?
Protecting Your Card From Bluetooth ATM Skimming
First, rest easy that this wave of ATM skimming is likely to stay south of the border. While possible to implement in the United States, Canada, or the United Kingdom, the risks of doing so are much higher.
Whereas in Mexico? With the right connections, it’s unlikely that the thieves would even be prosecuted.
Again, it you are traveling to Mexico in the near future, don’t rely only on detecting a Free2Move signal.
Kreps’ articles have virtually exploded across the internet and it’s very likely that those responsible for installing these Bluetooth ATM skimmers will make moves to eliminate the universally-broadcasted name that makes them so easy to detect.
Instead, should you absolutely need to withdraw cash, do so at a bank-owned and operated ATMs—or machines on the premises of bank properties. All of the compromised ATMs were free-standing cash machines owned and operated by private companies, as Kreps noted in his third installment.
However, even bank-owned ATMs can be compromised. A better choice is to use a prepaid card, such as those provided by American Express, Visa, or even the US Post Office.
Your Best Protection Is Awareness & Prevention
Many travel companies warn tourists of the rampant scams that abound in Cancun and surrounding areas. However, that doesn’t mean you should cancel your ticket or avoid the region!
Instead, just use caution and employ a few preventative steps. Should you need to use an ATM card that’s connected to your bank account while traveling to Mexico, change your PIN code once you’ve returned home. And, don’t forget to keep an eye on your accounts—those who scrape ATM info with skimmers have been known to withdraw small amounts over a prolonged period of time, so as to escape notice.
It’s worth noting that in almost six months of living in Playa del Carmen, I haven’t experienced any unauthorized withdrawals from my account—nor have I been the victim of any crime or scam here. (Except for the tacos—they’ve stolen my heart.)
In the end, Mexico is like many tourist destinations in that most local criminals are not looking to hurt you—but, they do want to take money from unsuspecting visitors. Unlike many places that I’ve visited, police here do strive to protect tourists and violent crime is nearly nonexistent.
So come visit! Just be sure to use an alternate bank card meant for traveling so you don’t miss out on those tacos.