Skimming at new-generation ATMs (with biometrics and NFC)

Good Carder


Bypassing facial recognition with deepfakes, intercepting NFC transactions with modified readers, using the "tag plugin" technique, and selling dumps through darknet billboards.

From carders to carders. Skimming isn't dead. It's mutated. While you're fiddling with APIs and anti-detection, the real pros have already switched to next-generation ATMs. Where the average carder sees challenges, the professional sees opportunities. Biometric sensors, NFC modules, online banking — all these are new attack vectors that open access to hundreds of thousands of dollars. In 2026, banks spent billions implementing sophisticated security systems. But these systems are based on vulnerable algorithms that have already been cracked.

This article is a map of the terrain. From spoofing video streams to bypass facial recognition to NFC relaying via infected smartphones. I'll explain how attacks on next-generation ATMs work and how to sell stolen tracks on darknet billboards. Forget the plastic overlay from 2018. This is a war of algorithms, and the winner is not the one with the thickest overlay, but the one who can outplay artificial intelligence.


Part 1. From Overlay to Algorithm: Why the Old School is Dying

Until recently, skimming was the domain of skilled craftsmen with a soldering iron. A card reader overlay, a camera disguised as a PIN pad overlay — and you're the owner of dozens of cards. ATMs combated this by installing anti-skimming shields and overlay detectors. In 2026, a standard skimmer on an ATM is an anachronism. However, as recent operations by the US Secret Service demonstrate, five skimming devices have been seized since the beginning of 2026, preventing potential losses of over $5.2 million. The method is alive, but dying.

Why?

Because modern ATMs are equipped with biometric authentication modules: fingerprint scanners, iris sensors, and, most importantly, facial recognition cameras and NFC readers. It's impossible to hack them using old methods. Moreover, millions of dollars are being invested in systems that require transaction confirmation via a biometric-enabled mobile app. Attacks have shifted from the physical to the digital realm.

Cybercriminals are now more often using malware and compromised authentication systems to attack ATMs, rather than physical overlays. Both good old shimming and jackpotting are trending. Modern attacks include exploiting vulnerabilities at the network communication level, relay attacks, and the introduction of malware that can linger for years in a bank's system. And by 2026–2027, new zero-day vulnerabilities in ATMs, especially in their NFC modules and authorization protocols, are estimated to be worth $300,000–$1 million on the black market.

Part 2. Deepfake Masks and Custom Camera Firmware

The most "futuristic" attack vector is bypassing biometric authentication. Modern ATMs increasingly use cameras and facial recognition algorithms. This can be both an additional security factor and the primary method of logging into the Card-Face-PIN system (without a physical card). And it can be hacked.

2.1. Virtual Cameras: How to Fool Facial Recognition

The classic method is to connect an external device that emulates a video device and replace the video stream with a prepared deepfake. In 2026, Telegram channels openly advertise tools that use virtual camera technology to replace the video stream from a phone's camera with a fake one, allowing carders to pass liveness detection checks in banking apps and services. Tools for bypassing biometric KYC that use deepfakes and video stream replacement are actively advertised on the darknet. Some of these are sold with fake documents, allowing the creation of a completely synthetic identity for opening accounts and withdrawing funds.

In the context of an ATM, this means an attacker can physically connect a device to the camera that will broadcast a pre-recorded video of a real customer. In some cases, this requires hacking the camera's firmware, but in practice, intercepting the USB stream is sufficient.

2.2. Hardware-Level Deepfake Attack

A more complex, but more reliable method. The attacker hijacks the camera's power supply and replaces the image processing chip (ISP). The camera's firmware is patched to replace a real face with a pre-generated image of the intended person. This requires extensive knowledge of electronics, but such custom devices are already being sold on darknet forums. The price ranges from 5,000 to 20,000 rubles, depending on the ATM model.

During a demonstration at the RSAC 2026 conference, a researcher used neural network models to generate a fake face that successfully passed verification by a recognition system. Using the generated image, he was able to open a real bank account and access financial services. This confirms that even modern systems are not always able to distinguish a living person from their AI copy.

Banks are recognizing this threat. They are moving to combined authentication, requiring not only a face but also a fingerprint (which can also be faked), as well as confirmation via an app on a trusted device.

Part 3. The "Tag Plugin" Technique and NFC Signal Interception

The magnetic stripe is dying, and with it, traditional skimmers. They are being replaced by NFC traffic interception. An attacker no longer needs to read card data through an overlay; it is enough to hold a modified NFC reader to the victim's card for a few seconds.

3.1. Passive Skimming

Modern contactless payment cards constantly emit a signal. An attacker can use a special RFID amplifier and reader to intercept card data from up to 50 cm away, through a bag or pocket. This is sufficient for small transactions (PayPass/PayWave) up to a certain limit, which varies by country.

A higher risk arises when using contactless ATMs. These ATMs have an NFC reader installed on the front panel. An attacker can install their own reader on top of this reader, which will capture the victim's card data when it is presented to the ATM.

3.2. Active Relay Attacks via an Infected Android

This method is far more dangerous and relies on creating a "digital bridge" between the victim's phone and the ATM. It's already a reality.

In 2026, ESET Labs discovered a new variant of Android malware dubbed NGate. Carders took the legitimate HandyPay app, which is used for NFC relay, and injected it with malicious code, presumably generated by artificial intelligence.

Here's how it works:
  1. Infection. Attackers send links to fake lottery websites or fake Google Play pages. The victim downloads the trojanized HandyPay app.
  2. Data collection. Malware on the victim's phone intercepts NFC data from the bank card when the victim holds it to the phone (thinking they're paying for something or checking their balance). The malware simultaneously steals the PIN entered by the user via an overlay or keylogger.
  3. Emulation. The carder takes the obtained data and holds their phone, which emulates a digital copy of the victim's card, to an ATM or POS terminal that supports contactless payment.
  4. Cashout. The attacker enters the stolen PIN at the ATM and withdraws cash.

3.3. DevilNFC: Kiosk Mode Trap

Another new family of Android malware is DevilNFC. It not only steals NFC data but also uses the "kiosk mode" feature to lock the victim's phone, displaying a fake banking app. The victim thinks they're verifying their PIN, while the malware silently relays the card details to an accomplice standing at the ATM. The money is gone in minutes.

Some implementations of these attacks can establish a connection over distances of up to 400 miles, turning the phone into a remote NFC repeater. Imagine the scale: a victim in New York accidentally holds their phone to a reader, while in Las Vegas, cash is withdrawn from their card through a compromised ATM.

Part 4. EMV Chip Cloning: A New Hope

Attacks that intercept data (tracks) and write them to a magnetic stripe for cloning have long been ineffective in most countries. But new vulnerabilities are emerging: researchers at Black Hat 2026 presented a technique for exploiting the EMV protocol that allows the creation of card clones that emulate the chip. This isn't simply writing to a blank card; it's software emulation of the chip through a modified device that responds to terminal requests as if it were a real chip.

Selling such emulators on the darknet is a growing business. They don't work with all banks, but the success rate is growing.

Part 5. PIN Scraping and Tag Plugins

The magnetic stripe is dying, but PIN codes are alive and in demand.
  • Deep Insert Skimmer. The device is inserted deep into the card slot, where it's undetectable without disassembling the ATM. It reads the chip/magnetic stripe data and sends it via Bluetooth to the attacker.
  • PIN Overlay. The technology remains the same. The keypad overlay records the PIN, and a built-in camera records it as it's entered or transmits it via a hidden Bluetooth module. Modern overlays are made on 3D printers and are almost indistinguishable from the original.
  • Camera Skimmer. A micro-camera is installed above the keyboard or next to the card reader and records the PIN.

Part 6. Darknet Monitoring and Dump Selling

ATM dumps are actively sold on closed darknet forums. Leak channels and darknet monitoring systems track the sale of corporate data and credentials, and this is just the tip of the iceberg. Furthermore, banks pay bug bounties for ATM vulnerabilities, creating an additional data market for white-hat and grey-hat carders.

Part 7. ATM Security (and Your Counterargument)

Banks do not stand still:
  • Noise generation and GPS trackers inside safes.
  • Anti-Skimming Technology. Internal sensors block operation when foreign devices are detected.
  • Activity correlation. The system blocks the card if transactions are made with it at different ATMs within a short period of time (a sign of relaying).
  • Card reader shutters. Physically block access.
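The activity-correlation rule in the list above, as an added illustration that is not from the original post: a velocity check over constructed withdrawal records that flags two same-card withdrawals at different terminals either inside a short window or at an implied travel speed no cardholder could manage, which is what the New York / Las Vegas relay scenario looks like from the bank's side. The 30-minute window, the 900 km/h ceiling, the field names and the sample terminals are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Withdrawal:
    card: str        # tokenised card reference, never the PAN
    ts: datetime     # authorization time, UTC
    atm: str         # terminal id (assumed naming)
    lat: float
    lon: float

def km_between(a: Withdrawal, b: Withdrawal) -> float:
    """Great-circle distance in km between two terminals (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_relay_suspects(events, window=timedelta(minutes=30), max_kmh=900.0):
    """Return (earlier, later) pairs on one card that a single cardholder cannot explain.
    Rule 1: different terminals within `window` (assumed 30 minutes).
    Rule 2: implied travel speed above `max_kmh` (assumed airliner ceiling);
            this catches the long-distance relay case even outside the window."""
    by_card = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_card.setdefault(e.card, []).append(e)
    suspects = []
    for seq in by_card.values():
        for prev, cur in zip(seq, seq[1:]):
            if prev.atm == cur.atm:
                continue                      # repeat use of one terminal is normal
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            too_fast = hours == 0 or km_between(prev, cur) / hours > max_kmh
            if cur.ts - prev.ts <= window or too_fast:
                suspects.append((prev, cur))
    return suspects

# Constructed sample: card A is used in New York and 20 minutes later in Las Vegas
# (the relay scenario in the text); card B is two ordinary withdrawals a day apart.
SAMPLE = [
    Withdrawal("tok_A", datetime(2026, 3, 1, 14, 0), "ATM-NYC-01", 40.7128, -74.0060),
    Withdrawal("tok_A", datetime(2026, 3, 1, 14, 20), "ATM-LAS-07", 36.1699, -115.1398),
    Withdrawal("tok_B", datetime(2026, 3, 1, 9, 0), "ATM-CHI-03", 41.8781, -87.6298),
    Withdrawal("tok_B", datetime(2026, 3, 2, 9, 5), "ATM-CHI-09", 41.8800, -87.6300),
]
```

Only card A is flagged: the pair trips both rules (20 minutes apart and roughly 3,600 km apart), while card B's two same-city withdrawals a day apart pass.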

Summary from a carder

Skimming at next-generation ATMs is a digital, not a physical, frontier. Deepfake masks bypass facial recognition; NFC relay via DevilNFC, NGate, and other Trojans turns victims' phones into card relays; and tag plugins and PIN overlays remain in the arsenal for targeted attacks. 5G integration only accelerates the process: skimming is becoming instant and remote.

Traditional skimming is dying out, giving way to hybrid attacks that combine social engineering, malware, and physical hardware. Selling dumps on the darknet is a huge market where you can make money without getting caught.

A quick one-line reminder:
"Plastic is no longer needed. Deepfake bypasses facial recognition, DevilNFC steals a card from a phone in seconds. NGate relays the signal to any ATM in the world." PIN overlays and tag plugins collect passwords. ATMs in 2027 aren't fortresses, but digital gates that can be opened with the right algorithm. The old ways are dead. Welcome to 2027, where the best coder wins, not the one with the thickest overlay.