Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crooks Hack Music Players For ATM Skimmers

Posted by kdawson on from the sweet-sounds-of-cash-dropping-into-our-hands dept.

tsu doh nimh sends in a report that criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers. These are devices designed to be attached to cash machines to siphon card +PIN data. "The European ATM Security Team (EAST) found that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them 'major ATM deployers' (defined as having more than 40,000 ATMs)... The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37)."

82 comments

  1. Been said before by Anrego · · Score: 2, Insightful

    But we really need to do something about this whole security thing.

    Personally I’m all for a one time password key token type device. You have a little key fob dealie generating numbers via a stream cipher at an interval (and with a key) synced with your bank. Once a pin is used, it is invalidated, so an attacker would have to skim the code, than use it before you punched it in. You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy “3 factor authentication”.

    Heck you could even automate the first bit with some kind of challenge/response system.

    This isn’t a radical or new idea.. people have been talking about this forever, and a few systems like this have actually been implemented.. but I don’t get why this isn’t wide spread yet? Are there vulnerabilities, user issues, or is it just a case of “cheaper to fix the problems reactively than prevent them”?

    As has been said, security is a trade off of convenience. But I think money is one area people might be willing to put up with a slightly more cumbersome process.

    1. Re:Been said before by SirGeek · · Score: 3, Insightful

      You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy "3 factor authentication".

      Sorry, One reason this will fail - People are inherently lazy.

      If they can't get their swipe and walk away then they'll not be happy...

      Granted, I also don't want yet another thing to hang off my keychain, but I'd rather have THAT safety than nothing.

      --
      UPS Sucks
    2. Re:Been said before by betterunixthanunix · · Score: 4, Interesting

      But we really need to do something about this whole security thing.

      Why would banks care about that? Secure digital cash systems have been around for a very long time, but banks do not like the concept very much, probably because it would mean losing certain revenue streams. Credit card processors and banks sell spending data to marketing firms; secure digital cash generally makes that difficult or impossible, since digital cash allows for anonymous payments. Additionally, digital cash would make it hard for banks to do things like profit from debit card overdraft fees (although with the new regulations, perhaps this is less of a valid argument).

      It is not that the technology is not there, it is that it solves the wrong problem.

      --
      Palm trees and 8
    3. Re:Been said before by jelizondo · · Score: 4, Interesting

      I don't know about other countries, but at least in Mexico and the Cayman Islands, devices like the one you describe (RSA SecureID) are commonly used for online bank transactions.

      It would seem trivial to extend the use to ATM and POS terminals, it would end this type of scam for good.

      --
      Be very, very careful what you put into that head, because you will never, ever get it out. - Cardinal Wolsey
    4. Re:Been said before by Anonymous Coward · · Score: 0

      Personally I’m all for a one time password key token type device. You have a little key fob dealie generating numbers via a stream cipher at an interval (and with a key) synced with your bank.

      You mean something like this???

      Between my wife and I, we have about a half dozen of them to be able to get into client VPNs. They work like a charm.

      Of course, if someone steals it from you and knows your obvious password which you had written down, they don't stop a damned thing.

    5. Re:Been said before by houghi · · Score: 1

      I would then need to carry at least three with me. I know people who would need more than that. So unless there is some way to centralize this and everybody agrees on what to use, this will be a burden, not a blessing.

      I already dislike it with online banking. I am now able to do things online only at home, as I do not want to carry it around with me and risk of loosing it.

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:Been said before by Charliemopps · · Score: 1

      How about they use the BILLIONS of dollars they are freely collecting in fees from these machines to actually provide security? I live in the capital of my state and in the entire city there is exactly 1 ATM that's located inside it's own enclosure (about the size of a small bathroom) you have to swipe your card for the door to open, it will not open for anyone else until you leave, and it takes your picture when you walk in. Anyone attempting to tamper with this ATM would first need a valid ATM card (which I suppose could have been stolen) then they'd need to have the actual pin to access the terminal. If they were inside the ATM for more than a minute or so and never actually used the ATM it could easily flag the incident, store video of everything that went on inside and send it to bank security officer for review.

    7. Re:Been said before by PseudonymousBraveguy · · Score: 2, Insightful

      IC card based authentication is well-kown and established, and is secure against skimming attacks without the need of external devices. Just slip in the card and enter your PIN. Even if your PIN is observed it's useless without the chip, and the chip is not easily readable (and thus, not really copy-able). The technology has been around for years (at least since the 1990), and is widely used. Only missing step is for the credit card companies to 1. adopt them (they are actually in the process of doing this, see EMV), and 2. to disable the old insecure systems. The most important step is step 2, and due to "backwards compatibility", that step will be delayed for years or decades.

      The tech has been there for 20 years, but it will probably take abother 20 years until it will make you more secure (if it is not broken in the meantime, that is)

    8. Re:Been said before by khb · · Score: 1

      A simple two factor solution, requiring no additional hardware for the average consumer has long existed. Leverage the existing cellphone. There's a commercial firm with a packaged solution (www.PhoneFactor.com) out there.

      However, the cost of such services+customer resistance may well keep it out of wide spread usage.

      Just because it's possible to be safer, doesn't necessarily make it cost effective.

      However, most customers would probably be less resistant to using their phone than carrying yet another device (worse, possibly one device per security aware business).

    9. Re:Been said before by Lumpy · · Score: 1

      Why 3? Are your banks ran by complete scumbags that wont use a single common one like the verisign device?

      Hell I got an iphone app that also does it so I dont need my keyfob with me.

      --
      Do not look at laser with remaining good eye.
    10. Re:Been said before by Overzeetop · · Score: 2, Insightful

      Are your banks ran by complete scumbags

      Yes, yes they are.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    11. Re:Been said before by Anonymous Coward · · Score: 0

      What you describe sounds a lot like the VPN key that I use to work from home. Type in a PIN that I've selected, and follow that by typing in the code the VPN generates within so many seconds, and I'm into the system.

    12. Re:Been said before by Anonymous Coward · · Score: 1

      You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy "3 factor authentication".

      Sorry, One reason this will fail - People are inherently lazy.

      If they can't get their swipe and walk away then they'll not be happy...

      Granted, I also don't want yet another thing to hang off my keychain, but I'd rather have THAT safety than nothing.

      I think you are underestimating your fellow man here my friend. In the UK we ditched the swipe only method a long while back in favour of chip and pin for everything. A small minority bitched, but just got on with it as the benefits are obvious enough for the minor inconvenience of having to remember four digits. If you added another small layer of security to the existing chip + pin method I suspect the public reaction would be largely the same - a minority will complain, but then everyone will just get on with business as usual. Just like how when they made wearing seatbelts mandatory there was an outcry, but now its just so natural people don't even think about it.

    13. Re:Been said before by Anonymous Coward · · Score: 0

      It's actually really easy - make the banks responsible. Then you'll have the same level of security as you do for credit cards, which is much better.

    14. Re:Been said before by geekprime · · Score: 1

      First off ANY card will open that outer door,
      Second, Ok, the thief goes in and places his device right after the bank closes on friday and takes it back sunday morning Hm, you security guy reviews the tap on monday sometime but all the accounts have already been cleaned out sunday.

      The skimmer collects the card info, the camera records the pin, and the thief gets all our money.

    15. Re:Been said before by Anonymous Coward · · Score: 0

      My bank has that. It's called RSA Secure ID. The password changes every minute and can be only used once. Sadly it is only used for online banking.

      To confirm a transaction you need 4 number PIN + 6 number ID which changes. So someone has to steal PIN + device.

      Apparently this is the safest online banking in Slovenia. (NKBM)

      It would be very useful to use this with every transaction.

    16. Re:Been said before by Parhelion · · Score: 1

      You can get that kind of security here in the US for online bank transactions. Bank of America has an option where the bank sends a text to your cell phone containing a unique code that you have just a few minutes to enter on their website in order to execute a transaction online. In addition to that they offer an RSA type of device that you can buy, but I think texting to your cell phone works just as well, unless you have reception issues.

    17. Re:Been said before by Anonymous Coward · · Score: 0

      You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy "3 factor authentication".

      Sorry, One reason this will fail - People are inherently lazy.

      If they can't get their swipe and walk away then they'll not be happy...

      Granted, I also don't want yet another thing to hang off my keychain, but I'd rather have THAT safety than nothing.

      Yubikeys.

      They're USB devices that appear as keyboard HIDs. You move the cursor to the password field, press the button, and the OTP is sent directly into the field. You can even program them to send a \M so that's one less step.

      One of the algorithms they includes a counter, so even if an attacker sniffs the input, they can't re-use the OTP like they can in the time-based tokens (e.g., RSA's SecurID). The hardware can also use IETF RFC 4226's HOTP if you're worried about vendor lock-in:

      http://en.wikipedia.org/wiki/HOTP

      Instead of entering a PIN, you put in your card, plug in your USB stick, and press the button when prompted. The truly paranoid could also enter a PIN.

    18. Re:Been said before by Anonymous Coward · · Score: 0

      Same here in Canada, and most merchants have it, although we have backwards compatibility for magnetic stripe cards (which are being phased out very slowly)

      The major problem seems to be older people. Younger people have no problem interacting with a simple calculator-like machine with prompts, but older people who obviously have never done an electronic transaction of any kind are confused and angry at having to use a machine to purchase goods with their credit card. The ones that do understand, simply start typing their pin number into the machine without waiting for a prompt, resulting in even more confusion.

      Another more subtle problem, chip+pin obviously does not function at all in online or over-the-phone transactions, which are potentially a much larger security risk than skimmers. To deal with this problem, they are now surcharging any transactions ~+1.5% which are "punched in" (i.e. a transaction where the card number is typed, rather than swiped or read from a chip) to persuade clerks to avoid taking payment in this manner, which harms companies like mine, which do quite a bit of "credit card number over the phone" business.

      Instead of taking a hit in profits and having to explain this crap to our customers, and figuring out how to put this crap on invoices (technically you sign a contract to not surcharge for visa/mastercard/amex transactions), we just increased all our pricing 1% instead. So, all this crap causes a trickle down effect in general goods pricing, which is really unnecessary, as people will just recite their credit card number over an unencryted copper pair. I shudder to think how much money could be stolen by wiretapping a few large 'phone order' businesses.

    19. Re:Been said before by tlhIngan · · Score: 2, Interesting

      I think you are underestimating your fellow man here my friend. In the UK we ditched the swipe only method a long while back in favour of chip and pin for everything. A small minority bitched, but just got on with it as the benefits are obvious enough for the minor inconvenience of having to remember four digits. If you added another small layer of security to the existing chip + pin method I suspect the public reaction would be largely the same - a minority will complain, but then everyone will just get on with business as usual. Just like how when they made wearing seatbelts mandatory there was an outcry, but now its just so natural people don't even think about it.

      Have they fixed the idiotic security issue with chip+PIN yet? You know, the one where the chip verifies the PIN? I remember a story where it turns out during PIN verification, the chip sends the reader an "OK" value (0x90, I believe?) if the PIN is OK and the transaction goes through. No, the bank's not checking your PIN at all - it's all done on the card you have. Which means anyone who can clone it doesn't need a PIN.

      Which is a huge problem because you're liable for any charges made via chip+PIN, fraudulent or not.

      That's why banks took it up with great abandon - it costs them less , and screws the customer even more. All the other security devices? Costs banks and doesn't give them any benefit at all over the status quo. If only running a bank was easier - someone could clean house by making a more security-conscious bank, which looks out for their customer's interests...

    20. Re:Been said before by PseudonymousBraveguy · · Score: 1

      Have they fixed the idiotic security issue with chip+PIN yet? You know, the one where the chip verifies the PIN? I remember a story where it turns out during PIN verification, the chip sends the reader an "OK" value (0x90, I believe?) if the PIN is OK and the transaction goes through. No, the bank's not checking your PIN at all - it's all done on the card you have. Which means anyone who can clone it doesn't need a PIN.

      It is a feature that the card confirms the PIN. This allows offline-transactions, and is not per se insecure, if the protocol between terminal+card would have been designed correctly (which it unfortunately was not). The problem (link) is, that the current protocol allows a man-in-the-middle degradation attack: Ther terminal uses PIN+chip, but the man-in-the-middle tells the card not to use PIN+chip (i.e. to use chip+sign). The confirmation of the card is used to make the terminal think the PIN was accepted.

      If the protocol is fixed (i.e. by properly authenticating the data exchange), everything would be perfectly fine. Additionally, they should get rid of the insecure payment methods (i.e. anything not involving a pin), to disable *all* degradation attacs (what use is chip and pin if any fraudster can still use all of the old payment methods with a forged card?)

    21. Re:Been said before by dave562 · · Score: 1

      Even better than that, there is an RSA SecureID application for smartphones (Blackberry and iPhone). You do not even need the dongle anymore. Just fire up the app on your cellphone to get the current PIN.

    22. Re:Been said before by flowwolf · · Score: 1

      People are not inherently lazy. Civilization would not have made it this far if we were. It is an environmental effect that has been created by us; Not one of inheritance. People have been trained to be lazy.

    23. Re:Been said before by flowwolf · · Score: 1

      CC's have had PINs the entire time here in Canada. Probably everywhere else too. When those machines first came out, I would have people yelling at me that I was wrong and their card never had a PIN ever. This happened more often than you think. So many of them want me too just 'punch it in manually'. I just say we're not equipped for it.

      Money transactions should never be made convenient. This transition we're experiencing into chip+pin in Canada has made me realize that more now than ever before.

    24. Re:Been said before by metrix007 · · Score: 1

      Chip and PIN is horrible, and most people in the UK only think it is more secure cause their banks tell them it is. It isn't, it in fact shifts liability from the bank to the consumer -- it's horrible. However, due to a great advertising campaign, most brits will be very skeptical of any non CHip+PIN card thinking it horribly outdated and insecure. In Australia, we can't swipe without entering a PIN or signing, the same as in most sane countries.

      The US desperately needs a revamp of their banking system where no authentication is needed when you have a card, but Chip+Pin is not the way to go.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    25. Re:Been said before by Grapplebeam · · Score: 1

      No, the reason people don't want this is because we really don't want the idiot in the minivan in front of us that already can't use the ATM to take even longer.

      --
      There is no -1 Disagree.
    26. Re:Been said before by Anonymous Coward · · Score: 0

      Pretty sure they can just build it into the ATM card, they way they do the chip-and-pin devices. You already need to carry it, it's not extra.

    27. Re:Been said before by gmhowell · · Score: 1

      One for work, one for bank, one for warcraft.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    28. Re:Been said before by Archangel+Michael · · Score: 1

      Same with politicians overseeing the banking industry. Both (D) and (R) are into it.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    29. Re:Been said before by RockDoctor · · Score: 1

      CC's have had PINs the entire time here in Canada. Probably everywhere else too.

      Was over in Canada around a month ago. Several times in my first few days the ATMs wouldn't accept my Chip'n'PIN cards, but the "swipe-only" readers would accept the same card.

      Off the back of an envelope, I'd say that around 1/3 of the ATMs I looked at were swipe-only.

      (I'd got all new cards, due to having my pocket picked shortly before ; this may have been why the rejection rate was so high.)

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    30. Re:Been said before by Anonymous Coward · · Score: 0

      Are your banks ran by complete scumbags

      Yes, yes they are.

      I detect some tautology here. Banks are complete scumbags.

  2. Re:re by Anonymous Coward · · Score: 0

    What was that about?!

  3. Ballpeen hammer by spun · · Score: 3, Insightful

    Just carry a ballpeen hammer around with you. Before inserting your card, take a couple of good hard swipes with the hammer. Skimmers aren't mounted solidly, and the rest of the machine is pretty much unbreakable.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Ballpeen hammer by corbettw · · Score: 3, Insightful

      Sounds great. I'm sure a random police officer who happens to be passing by when you strike the ATM with a hammer will completely agree with your plan.

      --
      God invented whiskey so the Irish would not rule the world.
    2. Re:Ballpeen hammer by Lumpy · · Score: 3, Interesting

      Dont even need to do that. Pull on the card slot housing, lift on the keypad,etc... , if it comes off, take it.

      Dont turn it in, your fingerprints are all over it now. Plus these things go for big $$$ on ebay. $1500 for cheap ones.

      --
      Do not look at laser with remaining good eye.
    3. Re:Ballpeen hammer by girlintraining · · Score: 1

      Before inserting your card, take a couple of good hard swipes with the hammer.

      Half the point of a credit card is portability and ease of use. Carrying around a hammer is rather counterproductive towards that end.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:Ballpeen hammer by Anonymous Coward · · Score: 0

      Dont even need to do that. Pull on the card slot housing, lift on the keypad,etc... , if it comes off, take it.

      And shortly afterward, get shot by the person who put it there, who was hiding nearby.

    5. Re:Ballpeen hammer by pla · · Score: 2, Funny

      Half the point of a credit card is portability and ease of use. Carrying around a hammer is rather counterproductive towards that end.

      You need the new Chase(tm) Big Iron(sm)(r) card! For when you need convenience and heft, complete with a sensible no-hassle rewards program.

    6. Re:Ballpeen hammer by spun · · Score: 5, Funny

      Just throw your ballpeen hammer at them.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    7. Re:Ballpeen hammer by spun · · Score: 2, Funny

      I thought that came with a no-reward hassle program?

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    8. Re:Ballpeen hammer by tsu+doh+nimh · · Score: 1

      Pull skimmer equipment off the ATM and walk away with it and your are likely to get busted by feds or local cops who may be monitoring the machine. If not, you are likely to be confronted by the scammer who put the thing there in the first place. It's not uncommon for these things to disappear the minute someone from the bank notices something's wrong and goes inside to report it. That's because the thieves often are somewhere nearby watching the machine.

      --
      ...because you never know who you're dealing with.
    9. Re:Ballpeen hammer by DigiShaman · · Score: 1

      Not only that, but the camera may have already taken your photo with it in hand. The criminal who put it there however, may have contorted to avoid the camera while installing the skimmer. So yes, the hero gets thrown behind bars as it usually goes.

      --
      Life is not for the lazy.
    10. Re:Ballpeen hammer by Stregano · · Score: 1

      Uh, I would not be too worried about that if the skimmer was just there installing it. I am pretty sure that if a skimmer is caught on tape doing it, they will see you removing it. If they are not going to stop some dude from installing a skimmer on an atm, i highly doubt they will care if you give the machine a few small hits from a ballpeen hammer

      --
      The world is how you make it
    11. Re:Ballpeen hammer by Anonymous Coward · · Score: 0

      ATM cameras are the WORST ones for actually working. They're out of service more often than not.

    12. Re:Ballpeen hammer by drinkypoo · · Score: 1

      And shortly afterward, get shot by the person who put it there, who was hiding nearby.

      Comments this stupid are the reason why anonymous posting should be disabled on Slashdot. It's not like your slashdot account has to be tied to your real identity.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:re by Spectre · · Score: 0, Offtopic

    you do know that a "parsec" is 3.26 light years ?? right
    if they came out 3 light years past the planet and it's moon -- they would be in the middle of NOWHERE with no stars nearby

    I do believe you are about a persec away from being on-topic ...

    --
    "Flame away, I wear asbestos underwear"
  5. Zero-knowledge protocols by Anonymous Coward · · Score: 2, Interesting

    http://en.wikipedia.org/wiki/Zero-knowledge_protocol

    It's possible to make an authentication scheme which is completely immune to skimming attacks.

  6. Re:re by JohnVanVliet · · Score: 2, Interesting

    i replied to a starwars post as the 3d poster -- then the starwars post disappeared

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
  7. The RIAA was *almost* right. by sehlat · · Score: 5, Funny

    Home taping is killing ATMs.

  8. Crooks? by courteaudotbiz · · Score: 1

    Not crooks: Geniuses! :-)

    1. Re:Crooks? by Abstrackt · · Score: 2, Insightful

      Not crooks: Geniuses! :-)

      They're not mutually exclusive.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    2. Re:Crooks? by Anonymous Coward · · Score: 0

      But calling them just crook induces only negative emotions. Its like we are conveniently ignoring the fact that they are geniuses. Its only fair we call them both crooks and geniuses.

    3. Re:Crooks? by Anonymous Coward · · Score: 0

      When dealing with a genius, it's customary to prefix their title with 'evil' rather than use the disrespectful crook label.

    4. Re:Crooks? by Ungrounded+Lightning · · Score: 1

      Not crooks: Geniuses! :-)

      Geniuses? It only took them EIGHTEEN YEARS to deploy something that was published in Phrack.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. wow by bhcompy · · Score: 2

    Phrack, nice. Only been a decade since I've seen a Phrack reference. Probably got some Phrack printouts with some 2600 mags in a storage bin somewhere. I wonder what the modern underground magazine of record is nowadays

    1. Re:wow by vm146j2 · · Score: 1

      My thoughts exactly; right on top of the TAP xeroxes. The scam actually reminds me of a blue box.

      --
      "Lost time is not found again."
    2. Re:wow by delysid-x · · Score: 0

      AFAIK they still publish 2600. I bought one not too long ago.

  10. Ummm. Wargames? Anyone? by fuzzyfuzzyfungus · · Score: 1

    Wasn't this exact method(COTS audio recorder + playback attack) used in Wargames? Circa 1983?

    If anything, the only surprise here is that criminals were ever not taking advantage of cheap MP3 player/recorder hardware. The economies of scale with your basic anonymous fleabay-special "designers MP5 player" are stupendous, and most of the (comparatively) difficult stuff is in software, which is an easier trail to hide...

  11. Is that you Neo? by Anonymous Coward · · Score: 0

    My favorite part of the article:

    If ANYONE reprints this file and tries to sell it FOR A PROFIT, I will hunt you down and make your life miserable. How? Use your imagination. The reality will be worse.

  12. Do not take me seriously by spun · · Score: 3, Funny

    Insightful? Uh, it was supposed to be a joke. Please don't actually do this. As someone else mentioned, just tug on the thing.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  13. Audio recording? by Yvan256 · · Score: 1

    Here in Canada the ATMs they do the same frequency and length of "beep" for all keys, it's a simple audio feedback to let the user know the key has been pressed and registered properly.

    Do ATMs in other countries do different tones for different keys? If they do, that's just insane.

    1. Re:Audio recording? by Anonymous Coward · · Score: 0

      RTFA, the audio tech is used to record the magnetic stripe data. There's still a pinhole camera to watch the pad.

      Shielding your hand with the other as you type in your pin is still one of the easiest effective things you can do at an ATM.

    2. Re:Audio recording? by Yvan256 · · Score: 1

      The summary talks about "music players", I haven't seen any mp3 player with a magstripe reader yet.

      No, I still haven't RTFA.

    3. Re:Audio recording? by Tacvek · · Score: 1

      Take something like a digital audio recorder as the core, and add a walkman cassett head, and peice them together with a few passive components, and you have a simple, cheap and effective device to skim credit cards.

      Later you download the recorded audio (it is a Digital audio recorder) and run it through say a quick matlab script, and you decode the card data.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  14. I don't know why they aren't used by Sycraft-fu · · Score: 1

    I have one with my bank (Bank of America). It is a credit card, or so it appears at first glance. Looking closer you notice it has a smart chip in it and that the 6 digit number in one corner looks a lot like a segmented LCD readout. It is actually eInk, so it doesn't draw power except to change. Squeeze the button, it generates a new code. My online account is set up so that is required to get in, as well as a password. However the ATMs for the same bank take no note of it. That just uses regular debit card and pin.

    Maybe the ATMs just aren't compatible or something, I dunno. Seems silly that the bank would push this new security feature but not use it for ATMs.

    1. Re:I don't know why they aren't used by Anrego · · Score: 1

      Seems silly that the bank would push this new security feature but not use it for ATMs.

      Or they should atleast (I am assuming they don't) provide you the option to not allow the card to be used by devices which don't support this.

      I really hate that.. it's like the whole "verified by visa". Useless because someone can just use your card at a site that doesn't require it. All it serves is to protect site owners (which may have been the point.. but it could have served both site and card owner).

  15. Audio-based cards = low security by petsounds · · Score: 2, Interesting

    I read the linked Phrack file (brought me back to my BBS days), interesting read. Here's the relevant passage. Note the bolded text:

    Not all magstripe cards operate on a digital encoding method. SOME cards
    encode AUDIO TONES, as opposed to digital data. These cards are usually
    used with old, outdated, industrial-strength equipment where security is not an
    issue and not a great deal of data need be encoded on the card.     Some subway
    passes are like this. They require only expiration data on the magstripe, and
    a short series of varying frequencies and durations are enough. Frequencies
    will vary with the speed of swiping, but RELATIVE frequencies will remain the
    same (for instance, tone 1 is twice the freq. of tone 2, and .5 the freq of
    tone 3, regardless of the original frequencies!). Grab an oscilloscope to
    visualize the tones, and listen to them on your stereo. I haven't experimented
    with these types of cards at all.

    Only being used with outdated equipment where security isn't an issue? This was written in 1992! Assuming the format hasn't changed much on these new systems, why the hell are ATMs now(still?) using this format?

    1. Re:Audio-based cards = low security by wiredlogic · · Score: 1

      The last image in the article shows a screenshot of a tool that has decoded a waveform skimmed from a magstripe. It's clearly showing flux reversals from Manchester encoded data and not any sort of "audio" signal.

      --
      I am becoming gerund, destroyer of verbs.
    2. Re:Audio-based cards = low security by lwsimon · · Score: 1

      Isn't this how Square's cardreaders for iPhone work, anyhow?

      --
      Learn about Photography Basics.
    3. Re:Audio-based cards = low security by Anonymous Coward · · Score: 0

      Only being used with outdated equipment where security isn't an issue? This was written in 1992! Assuming the format hasn't changed much on these new systems, why the hell are ATMs now(still?) using this format?

      Err... because you assume that the format hasn't changed much. If it had changed much, then ATMs wouldn't still be using it, and your assumption would be wrong. (Think about it.)

    4. Re:Audio-based cards = low security by Anonymous Coward · · Score: 0

      Because we haven't managed to move on from the stupid black magnetic strip to the card with a chip. Most cards these days have the chip but for some reason most machines still read the magnetic strip . I would imagine it's got to do with the US and them dragging their feet again as with most technology the world cottoned on to years ago. Have they gone digital on their mobile network yet?

    5. Re:Audio-based cards = low security by MadMaverick9 · · Score: 1

      Because most ATMs run Windows XP ... and I am not kidding.
      At the local 7-11 I can look inside the ATM at the back, where it has a small monitor, and it clearly is Windows XP.
      Windows XP is also running your ATM...

  16. RTFA FFS! by shrtcircuit · · Score: 1

    Lots of comments here about "OMG they're recording the sound of the keypad" or audio tone encoding on the cards, which is silly. It uses a magnetic head to read the stripe, and just records the flux as audio instead of digitally. It's not a bad idea really, though not terribly new - just a different method of recording the same data, which is ultimately just a bunch of 1's and 0's relatively timed to how fast you slide the card through.

    Nothing is recording audio of your keypresses (which usually are just monotone anyway) or decoding tones from the card, and they still need video to record your PIN at least for now. I had a thought though, if you could somehow cheaply scan the heat from the keypad after the user has left it could be useful. Covering the pad would eliminate video, but you have to jam on those keys so hard most of the time that there is going to be latent heat from your fingers; just rate the heat of each key and you have the order and position. More expensive, but nearly impossible to defeat.

    1. Re:RTFA FFS! by cybernanga · · Score: 1

      Use the eraser end of a pencil to press the keys.

      --
      www.Buy-Proxy.com - A "buyer-driven" global marketplace.
  17. with $20 you can buy many peanuts... by Thud457 · · Score: 1

    see, if you carry the ballpeen hammer, you don't need the credit card...
    good luck getting on the plane with that, though...

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  18. Make a better design of ATM by jonwil · · Score: 1

    I have seen designs of ATM that make attaching card skimmers harder yet too many ATMs (even brand new ATMs) are of designs where attaching skimmers without it being obvious is simple to do.

    Its not rocket science to design an ATM that makes it harder to attach a card skimmer or more obvious that one has been attached.

    You can also add covers of various to the pin pad so its almost impossible to see the numbers being keyed in if you are shoulder surfing or have attached a hidden camera to the ATM. (and I have seen ATMs that have such covers).

  19. Re:re by Nethead · · Score: 1

    These are not the articles you are looking for.

    --
    -- I have a private email server in my basement.
  20. Transparency by TomRC · · Score: 1

    Might it help to make card readers transparent - so there's nothing but clear plastic and a very small read head with some wires leading off into the ATM?
    Then if you ever see other electronic cruft surrounding the read head, or see a non-transparent reader, you'd know to be suspicious...