Academia

Study abroad survival series – ATM usage


I’ve recently been teaching in a study abroad program.  During one of our class meetings, I had a discussion with students about potential risks from using ATMs, and how to make good decisions to lessen the risk of getting skimmed or shimmed.  The difference between skimming and shimming is discussed below, but the important thing to know is that the end result is the same for the victim – your bank account(s) are most likely empty.

As you can imagine, or have experienced firsthand, getting skimmed or shimmed at all is a real pain.  Now, imagine this happening to you as a college student, on a study abroad – no money, no access to money, and you’re in a foreign country.

Anyway, I tweeted about my talk, and got a request from Trey Forgety (@cincvolflt on Twitter) about putting together a list of items I touched on, so that he could retweet them in the future.  Let me say that absolutely none of the things I talked about were items I came up with on my own.  Brian Krebs (@briankrebs on Twitter) has done an outstanding job of documenting issues and risks with ATMs in the past.  If you’re not reading his blog at https://krebsonsecurity.com/ you are missing out!

So, without further ado, here are my thoughts on what students in a study abroad should think about when using ATMs in foreign countries:

Pre-trip preparation

I am a big believer of doing as much “left of bang” as possible.  What does “left of bang” mean?  “Bang” is the incident – in this case, being the victim of an ATM skimming/shimming attack.  So, there are a few things you can do before the trip to help lessen your risk during the trip.

  • Install your bank’s mobile app for your phone

Most banks have a mobile app for Android or Apple devices.  Install and configure it, but take care to ensure you are installing the correct app for your bank.  Attackers have been able to get bogus apps through the Android and Apple vetting process, so be careful here.

  • Enable per-transaction notification

Some banks allow customers to be notified on a per-transaction basis.  This may be helpful if your ATM card is skimmed or shimmed, and then used to make online purchases.  This functionality may be available in your mobile banking app.

  • Enable lower daily withdrawal limits

All banks have a daily dollar limit placed on ATM withdrawals.  Contact your bank to see what that limit is, and consider asking them to temporarily lower it, if you feel that you can safely work with a lower daily limit.

  • Enable large transaction notification

Most banks will have the ability to notify customers when a large transaction takes place on their account.  Before leaving for your trip, think about what threshold you would like to be notified as a “large” transaction, and set that in your mobile banking app, if available.

ATM Location

When possible, choose an ATM that is physically connected to a bank building, hopefully built-in – think bank lobby or the like.  These devices are serviced, maintained and monitored by bank personnel on a regular basis, making it more difficult for attackers to get skimming or shimming hardware installed on the devices.

Freestanding ATMs, such as those found in convenience stores and the like, make a much more tempting target for attackers.  These devices are typically placed there by a third-party vendor who has an agreement with the store owner.  Oversight of these systems is typically much less than bank-located ATMs.  The store owner is getting paid based on an agreement to give the device floorspace in the store, and nothing else.  Store personnel typically are not tasked with monitoring these devices, and these devices are serviced much less frequently than their bank-located counterparts.

Potential ATM attack vectors and detection

Brian Krebs has written numerous articles on ATM skimming and shimming, so I am simply going to point you to his work at https://krebsonsecurity.com/?s=atm

I summarized the material for the students with the following tips:

  • Closely examine the ATM for signs of a skimmer overlay on the card reader slot.

Give the hardware around the card reader slot a good firm tug, to see if it comes off or otherwise moves around.  These devices are designed to be exposed to the environment, so giving it a good solid tug and/or wiggle will not harm it.  Also, pay close attention to subtle things, like the overall coloring scheme for the device.  Most devices have a clear coloring scheme, especially bank-located ATMs.  If the hardware around the card reader slot does not seem to match the existing color scheme, that may be an indicator of the presence of a card skimmer.  Finally, pay attention to the overall age and condition of the ATM.  If the majority of the device looks weathered or otherwise shows sign of age, yet the hardware around the card reader seems “fresh” or “new”, this may also be an indicator of a card skimmer being present.

  • Closely examine the ATM for signs of an overlay pad on the keypad

Almost all ATM keypads are inlaid on the device.  This means that the keypad is flush, or even slightly recessed on the ATM.  So, take a close look at the keypad – is it raised above the rest of the panel?  Can you see corners or edges on the keypad?  Can you move it with a simple tug or wiggle?  If any of these things are present, that ATM may have a keypad overlay in place, reading your PIN as you type it in.

You should always test the keypad, even if you are absolutely sure there is no skimmer installed on the device.  Why, you ask?  ATM shimmers, which are physically placed INSIDE the actual card reader slot, are almost impossible for average users to detect.  So, the ATM may have a shimmer installed, as opposed to the skimmer I discussed above.

So, ALWAYS check the keypad for evidence of tampering!

  • Look for the presence of a video camera

Some attackers will forego use of a keypad overlay, instead choosing to use a small video camera.  These cameras will be placed on the outside of the ATM, positioned so that your PIN can be recorded as you type it in.  ATMs will have built-in cameras, which are pointed to record the face of anyone using the device.  Attacker-placed cameras will typically be external to the device, and will be attached using some type of adhesive.  These cameras may be small, so users must take care to pay close attention here.

What to do if you have been skimmed or shimmed

Despite your best efforts, you may still end up being “right of bang”, the victim of an ATM skimming/shimming attack.  What do you do now?

  • Do not panic!

Yes, being “trapped” in a foreign country without electronic access to cash can be a scary thing.  But, working yourself up into a panic will only make things worse.  Take a breath, slow down, and know that you will be ok.

  • Contact your bank

As soon as you become aware of the money leaving your account, contact your bank immediately so they can be made aware of the attack, as well as start their process to get your money replaced.  Most major banks have international toll-free numbers for customers to use, printed on the back of the ATM/debit card.

  • Contact your onsite study abroad coordinator

If you have an onsite study abroad coordinator, inform them immediately.  In some instances, they may have contingency funds available to give you, if needed.  Also, they will be a source of support for you while working through the process of notification and recovery.

  • Contact your parents

Yes, I know this probably is the last thing you want to do.  Hopefully they will understand that you were the victim of a crime and won’t be too mad.  And, if they don’t think about it – feel free to remind them that you were, in fact, the victim of a crime.

Conclusion

Study abroad programs can be educational, fun, and life-enriching.  Go study, learn, eat, and experience all the things!  Taking a few seconds to protect yourself at ATMs will go a long way towards ensuring that your trip stays positive and enjoyable!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s