The DBS ATM skimming fraud that took place earlier this year has probably made more Singaporeans aware of this sort of crime than ever before. Banks have had, both before and after that incident, installed various types of anti-skimming features to protect themselves and their customers. However, I sometimes wonder if these anti-skimming features actually add more confusion over their legitimacy. How do customers tell if they are legitimate?
A little background in case you’re not familiar with what card skimming is about: Card thieves install a card reader over the real card reader slot of the ATM machine. At the same time, they install a hidden camera with a clear view of the keypad. When you use the ATM, their card reader reads your ATM card as you insert it into the card slot, and the hidden camera captures your PIN as you enter it into the keypad. With your ATM card information, they can create a new identical copy of your ATM card, then go to an ATM machine, and using the PIN they’ve also captured, withdraw money from your bank account.
Clever, but it is a decades old trick.
Earlier this year, a bunch of unsuspecting DBS/POSB customers fell victim to this scam. The skimmers withdrew money from the victims’ accounts from ATM machines in Malaysia.
Banks have been installing anti-skimming devices to thwart card skimmers. They have added gadgets over the card slot to make it difficult to attach skimmer’s card reading gadgets. Do you wonder if these gadgets could themselves be a skimmer’s card readers?
There are other anti-skimming features that could, arguably, be more effective, and some of these are no doubt being used. But I’m just concerned about those anti-skimming gadgets that take on a physical form. It’s because these are things people can see, and these are things that a potential skimmer can also take advantage of to disguise his skimming gadget as a legitimate attachment to the ATM machine.
You see, many of these anti-skimming gadgets are add-ons. They aren’t inherently part of the machine. Why do the banks think that adding on another gadget makes the ATM more secure against skimming fraud?
Take a look at the photo above. This ATM now has a sort of cover over the keypad so that, presumably, it can better prevent any outside camera from having a clear view of the keypad. Nice.
What if this keypad is fake? What if the real hidden camera is actually inside this cover? Perhaps the whole keypad assembly is fake?
Oh, does the bank think that putting up a notice “Shield for Privacy” will legitimize this gadget, and convince customers that this is the real thing?
Well, guess what, card skimmers can also paste their own stickers eh. The “Shield for Privacy” was in fact just pasted on! For the record, the other “Added Security Feature” notice is also just pasted onto the ATM.
This is so laughable. I wonder if a card skimmer could just try installing a totally separate card reader next to the ATM machine, and put up a notice saying “Insert card here first to protect your card”. You know, it could be a space-age gadget that will apply an invisible anti-fraud shield over your card so that it is safe to use in the ATM.
Can our banks please design their ATMs to be inherently more secure?
Interestingly enough, banks have since started randomizing between different anti-skimming device designs and syncing them with the image shown on the screen.
So if they have been replaced, they need to look identical to the one in the ATM software and not just “any old” skimmer.