Crooks Hack Music Players For ATM Skimmers

tsu doh nimh sends in a report that criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers. These are devices designed to be attached to cash machines to siphon card +PIN data. "The European ATM Security Team (EAST) found that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them 'major ATM deployers' (defined as having more than 40,000 ATMs)... The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37)."

Been said before

[Anrego]

But we really need to do something about this whole security thing.

Personally I’m all for a one time password key token type device. You have a little key fob dealie generating numbers via a stream cipher at an interval (and with a key) synced with your bank. Once a pin is used, it is invalidated, so an attacker would have to skim the code, than use it before you punched it in. You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy “3 factor authentication”.

Heck you could even automate the first bit with some kind of challenge/response system.

This isn’t a radical or new idea.. people have been talking about this forever, and a few systems like this have actually been implemented.. but I don’t get why this isn’t wide spread yet? Are there vulnerabilities, user issues, or is it just a case of “cheaper to fix the problems reactively than prevent them”?

As has been said, security is a trade off of convenience. But I think money is one area people might be willing to put up with a slightly more cumbersome process.

Re:Been said before

[SirGeek]

You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy "3 factor authentication".

Sorry, One reason this will fail - People are inherently lazy.

If they can't get their swipe and walk away then they'll not be happy...

Granted, I also don't want yet another thing to hang off my keychain, but I'd rather have THAT safety than nothing.

Re:Been said before

[PseudonymousBraveguy]

IC card based authentication is well-kown and established, and is secure against skimming attacks without the need of external devices. Just slip in the card and enter your PIN. Even if your PIN is observed it's useless without the chip, and the chip is not easily readable (and thus, not really copy-able). The technology has been around for years (at least since the 1990), and is widely used. Only missing step is for the credit card companies to 1. adopt them (they are actually in the process of doing this, see EMV), and 2. to disable the old insecure systems. The most important step is step 2, and due to "backwards compatibility", that step will be delayed for years or decades.

The tech has been there for 20 years, but it will probably take abother 20 years until it will make you more secure (if it is not broken in the meantime, that is)

Re:Been said before

[Overzeetop]

Are your banks ran by complete scumbags

Yes, yes they are.

Ballpeen hammer

[spun]

Just carry a ballpeen hammer around with you. Before inserting your card, take a couple of good hard swipes with the hammer. Skimmers aren't mounted solidly, and the rest of the machine is pretty much unbreakable.

Re:Ballpeen hammer

[corbettw]

Sounds great. I'm sure a random police officer who happens to be passing by when you strike the ATM with a hammer will completely agree with your plan.

Re:Crooks?

[Abstrackt]

Not crooks: Geniuses! :-)

They're not mutually exclusive.