Based on what I've read in e.g. Krebs On Security, one scheme is to add hardware to an ATM that reads the magstripe data and photographs the person tapping out their pin. I'm glad to say that even before I read of this my general paranoia had me covering that process up ^_^.
Since our cards only have magstripes---heck, it wouldn't even matter if their data was encrypted since this is a playback attack that needs something like a challenge-response protocol a chip in a pin could implement---you just write that data to other cards and have people go to ATMs and make withdrawals with the fake cards and captured PINs.
Ah, yeah, for withdrawals from my major bank, I only use an ATM that's in a retail establishment that's open 24x7. Compromise of it is unlikely when there are so many others that are much much safer.
Well, this is one right outside a branch of its bank, all is part of the retail establishment.
Although I'd agree with something related to your point, an ATM that's part of a bank like mine or the ones you try to use are observed by bank personnel, who you can hope will be a bit more suspicious of any physical changes to it.
Since our cards only have magstripes---heck, it wouldn't even matter if their data was encrypted since this is a playback attack that needs something like a challenge-response protocol a chip in a pin could implement---you just write that data to other cards and have people go to ATMs and make withdrawals with the fake cards and captured PINs.
Ah, yeah, for withdrawals from my major bank, I only use an ATM that's in a retail establishment that's open 24x7. Compromise of it is unlikely when there are so many others that are much much safer.