I'm Jon Olick. I make shiny things. I simplify.

I presented Sparse Voxel Octrees at Siggraph 2008.

Sunday, April 3, 2011

Designing to make ATM Skimmers impractical

I was curious about how thieves make these things. It turns out you can buy ATM skimmers on online auction sites for $3000. They are made to fit a specific manufacturer's ATMs. So this got me thinking about what ATMs could do to make a skimmer impractical.

My first thought is to have 1000 different ATM front plates from each manufacturer. That would make most skimmers very expensive, but not quite impractical yet, as they can just make a universal fit. We can do better. If the shape of the card receptacle were easily identifiable by a human and easy to match with a picture, then you could take advantage of the fact that a skimmer, no matter how complex, never hides the display. You can use the display to show a picture and have people manually verify the shape of the receptacle. If it is different, then there is a skimmer on top. While it would not eliminate skimming, it would make it incredibly expensive and impractical for most thieves. Because a skimmer would have to be built for one particular ATM, the maker of the device would often be directly involved.

While this sounds all well and good, manufacturers would not like making 1000 different versions of their ATMs just to stop skimming. Implementation of that approach is unlikely and it doesn't solve the problem for millions of existing ATMs. Is there any other way to solve those problems?

Holographic stickers. Print 10,000 different holographic stickers, put a different one right over the face plate, and then have people do the manual verification against a picture (for example a bunny, a squirrel, etc.; easily recognizable to humans, and you can have many hundreds if not thousands of variations). That would also serve the purpose of making skimming impractical, for the most part. It's not as good as the former solution, but it's a whole lot cheaper and can work on existing ATMs with just a software upgrade.

At a minimum, you might even be able to skip the manual verification part and instead just have the holographic sticker with some special certification message. If it doesn't say "ATM verified" something or other, then it's a fake. Having a sticker in the first place is a deterrent. The only risk without the verification is that somebody could rip the sticker off the ATM and then use it on their skimmer, so that wouldn't be foolproof.

Perhaps you could have a sequence of numbers on the sticker that you would have to enter before using the ATM. I would hate that, personally. It would work as well, though, and the sticker would only work for that single ATM.