The physical compromise of ATMs has long been considered a “tried and true” scheme among many fraudsters — and rightfully so. Not only do these schemes remain very common in many parts of the world, they continue to demonstrate that when it comes to crime, sophistication doesn’t always trump creativity.
Indeed, a group of criminals in Brazil developed a new tool for targeting Europay Mastercard Visa (EMV) payment cards that serves as a case in point. Although EMV cards — often referred to as “chip cards” — were initially developed as a more-secure alternative to traditional magnetic stripe cards, these criminals’ new device can undermine an EMV card’s security measures by targeting none other than the chip itself. Once installed in an ATM’s card reader slot, this device physically steals EMV cards’ chips by punching the chips out of cards inserted into the machine.
Seeking to maximize their financial gain from the stolen chips, the criminals reportedly installed cameras near compromised ATMs to record valuable information, such as the affected cardholder’s name and PIN information. Criminals can then insert the stolen chips into blank cards and use the victim’s accompanying PIN to make fraudulent purchases and unauthorized withdrawals.
Image 1: An example of a victimized card shows how the chip was punched out in a clean and precise fashion. Photo Courtesy of Globo G1 Rio De Janiero News.
Image 2: An example of a card reader overlay taken from an ATM in Brazil. The overlay is associated with EMV chip-punching; a mechanism inside the card slot would physically punch out the chip from a card after it was inserted into an ATM. Photo courtesy of YouTube.
Image 3: The underside of an assembly that was placed above select ATMs in Brazil. The front of the assembly matches the design of the ATM and conceals a pinhole camera that would record the victim’s PIN information while it was being typed on the keypad. Photo courtesy of YouTube.
Unfortunately, this particular ATM compromise scheme is part of a growing trend in Latin America, where lower levels of security awareness often enable criminals to successfully carry-out bold stunts without alarming victims. In fact, one victim of the “chip-punching” scheme recently spoke with Brazilian reporters about the fact that, despite having noticed the missing chip, he didn’t take action immediately. It wasn’t until his bank notified him of suspicious activity on his account that he decided to report the incident.
Furthermore, in December 2016, Flashpoint released a report detailing Brazilian criminals’ use of a different device called a “chupa-cabra” to steal money from ATMs. The thieves used a long flat piece of metal crafted to fit the slot of the ATM machine and wedge the slot door open. Once the tool was wedged into the slot, the far end would open to reveal a heavy, sticky piece of metal attached to the long piece of metal by means of a ribbon. The sticky piece of metal would be lowered into the deposit box, where it would stick to the first envelope on the pile, allowing the thief to pull it out of the slot, along with the deposit envelope.
Image 4: Law enforcement demonstrates use of a chupa-cabra to pick up a deposit envelope. Photo courtesy of YouTube.
Cases of ATM targeting in Latin America reinforce the notion that some types of criminal schemes need not be sophisticated to be effective. While ATM compromises in more-developed geographical regions often employ sophisticated malware and tactics requiring advanced technical skills, those in Latin America tend to rely on physical means of theft. Schemes involving tools like the card-punching device or chupa-cabra also serve to illustrate how the widespread use of older technologies in some countries — such as many of the ATM models common throughout Latin America — can be compromised and exploited with ease for financial gain.