NCR has been made aware of intelligence from the Middle East and Africa (MEA) region which indicates that criminals have developed a method to install a Deep Insert Skimmer inside a motorized card reader such that it cannot be detected by the NCR APTRA platform software. NCR recommends using the Tamper Resistant Card Reader as the prevention mechanism for both Deep Insert Skimming and Eavesdropping Skimming techniques.
A function was added to the NCR software platform that is capable of detecting certain deep insert skimmers using the device sensors in the motorized card reader. This function was released in APTRA XFS 06.05. It works by raising an alert when media inserted into the card reader is detected as being dimensionally different from a standard bank card. The alert is configurable and can be used as a simple alarm, or to shut down the ATM upon detection of non-standard media. Video evidence received by NCR indicates that criminals have developed a technique which masks the dimensions of the deep insert skimmer such that it can no longer be distinguished from a standard bank card.
Guidance and Recommendation:
NCR recommends using the NCR Secure™ Tamper Resistant Motorized Card Reader as a measure to prevent Deep Insert Skimming attacks. The Tamper Resistant Card Reader has modified internal dimensions which reduce the space available to install a Deep Insert Skimmer. This reader was launched in 2017 and is now the standard reader in NCR SelfServ™ ATMs. Upgrade kits are available for 30 series and 80 series NCR ATMs. The Tamper Resistant Motorized Card Reader also has features which can help protect against Eavesdropping Skimming, a skimming technique that places an electronic bug onto the card reader circuitry to ‘eavesdrop’ on card data during normal operation of the ATM.
The APTRA XFS Internal Skimmer Detect (ISD) function can continue to be used to monitor for attempts to place deep insert skimmers, but this must not be relied upon as the only line of defense.
General Skimming Guidance:
Criminals can skim card data from any point, either inside or outside of the ATM, or by tapping into electronic and software systems to harvest data. Any ATM anti-skimming strategy must take into account all points within the ATM subsystem that carry card data, and protection must be applied at every point.
Fascia Skimming – deploy NCR Skimming Protection Solution
Deep Insert Skimming – deploy NCR Tamper Resistant Card Reader
Eavesdropping Skimming – deploy NCR Tamper Resistant Card Reader
Software Skimming – deploy NCR Hard Disk Encryption and NCR Solidcore Suite for APTRA
External Communications Skimming – deploy TLS 1.2 encryption
Internal USB Communications Skimming – deploy USB encryption with APTRA XFS 06.06
Skimming exploits the magnetic stripe data used on bank cards. Alternative technologies, e.g. EMV chip cards, exist and should be used instead. Where magnetic stripe data remains on a card, additional authorization controls should be used to prevent skimming.
Deploy GeoBlocking – block all magnetic stripe transactions received from non-EMV capable regions.
Disallow fallback – block all magnetic stripe transactions received from EMV capable ATMs.
Deploy Contactless EMV – ‘tap and PIN’ EMV contactless transactions at an ATM are immune to skimming.
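The GeoBlocking and fallback controls listed above, sketched as an issuer-side authorization rule for the ATM channel. This is an added example, not NCR code; the field names, the region list and the entry-mode codes (taken from common ISO 8583 DE 22 usage) are assumptions, and failing closed on unknown entry modes is a design choice of the example.

```python
from dataclasses import dataclass

# PAN entry modes (first two digits of ISO 8583 DE 22) as commonly used;
# assumption: confirm the values against your card network's specification.
MAGSTRIPE_MODES = {"02", "90"}  # card data read from the magnetic stripe
FALLBACK_MODE = "80"            # chip card read by stripe after a chip failure
EMV_MODES = {"05", "07"}        # contact chip / contactless chip

# Constructed placeholder names for regions treated as non-EMV capable.
NON_EMV_REGIONS = {"REGION_X", "REGION_Y"}


@dataclass(frozen=True)
class AuthRequest:
    """Hypothetical view of an ATM authorization request."""
    entry_mode: str
    terminal_region: str
    terminal_emv_capable: bool


def decide(req: AuthRequest) -> tuple[bool, str]:
    """Return (approve, reason) for the skimming-related checks only."""
    if req.entry_mode in EMV_MODES:
        return True, "emv"
    if req.entry_mode not in MAGSTRIPE_MODES | {FALLBACK_MODE}:
        # Unknown or unexpected entry mode at an ATM: fail closed.
        return False, "unknown-entry-mode"
    # GeoBlocking: no magnetic stripe transactions from non-EMV regions.
    if req.terminal_region in NON_EMV_REGIONS:
        return False, "geoblock"
    # Disallow fallback: no magnetic stripe transactions from EMV ATMs.
    if req.terminal_emv_capable:
        return False, "fallback-disallowed"
    # Remaining case: stripe-only ATM in an EMV-capable region.
    return True, "magstripe-allowed"


def evaluate(requests: list[AuthRequest]) -> list[str]:
    """Return the decision reason for each request, in order."""
    return [decide(r)[1] for r in requests]


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        AuthRequest("05", "REGION_A", True),
        AuthRequest("90", "REGION_X", False),
        AuthRequest("80", "REGION_A", True),
    ]
    print(evaluate(samples))
```

A request that passes these checks still goes through the issuer's normal authorization logic.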