Crooks Hack Music Players For ATM Skimmers

← Back to Stories (view on slashdot.org)

Crooks Hack Music Players For ATM Skimmers

Posted by kdawson on Tuesday November 23, 2010 @06:37AM from the sweet-sounds-of-cash-dropping-into-our-hands dept.

tsu doh nimh sends in a report that criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers. These are devices designed to be attached to cash machines to siphon card +PIN data. "The European ATM Security Team (EAST) found that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them 'major ATM deployers' (defined as having more than 40,000 ATMs)... The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37)."

20 of 82 comments (clear)

Min score:

Reason:

Sort:

Been said before by Anrego · 2010-11-23 06:42 · Score: 2, Insightful

But we really need to do something about this whole security thing.
Personally I’m all for a one time password key token type device. You have a little key fob dealie generating numbers via a stream cipher at an interval (and with a key) synced with your bank. Once a pin is used, it is invalidated, so an attacker would have to skim the code, than use it before you punched it in. You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy “3 factor authentication”.
Heck you could even automate the first bit with some kind of challenge/response system.
This isn’t a radical or new idea.. people have been talking about this forever, and a few systems like this have actually been implemented.. but I don’t get why this isn’t wide spread yet? Are there vulnerabilities, user issues, or is it just a case of “cheaper to fix the problems reactively than prevent them”?
As has been said, security is a trade off of convenience. But I think money is one area people might be willing to put up with a slightly more cumbersome process.
1. Re:Been said before by SirGeek · 2010-11-23 06:46 · Score: 3, Insightful
  
  You could even combine it with some kind of traditional pin or even biometrics if you want to be all new age, giving you the very trendy "3 factor authentication".
  Sorry, One reason this will fail - People are inherently lazy.
  If they can't get their swipe and walk away then they'll not be happy...
  Granted, I also don't want yet another thing to hang off my keychain, but I'd rather have THAT safety than nothing.
  
  --
  UPS Sucks
2. Re:Been said before by betterunixthanunix · 2010-11-23 06:57 · Score: 4, Interesting
  
  But we really need to do something about this whole security thing.
  Why would banks care about that? Secure digital cash systems have been around for a very long time, but banks do not like the concept very much, probably because it would mean losing certain revenue streams. Credit card processors and banks sell spending data to marketing firms; secure digital cash generally makes that difficult or impossible, since digital cash allows for anonymous payments. Additionally, digital cash would make it hard for banks to do things like profit from debit card overdraft fees (although with the new regulations, perhaps this is less of a valid argument).
  
  It is not that the technology is not there, it is that it solves the wrong problem.
  
  --
  Palm trees and 8
3. Re:Been said before by jelizondo · 2010-11-23 06:57 · Score: 4, Interesting
  
  I don't know about other countries, but at least in Mexico and the Cayman Islands, devices like the one you describe (RSA SecureID) are commonly used for online bank transactions.
  It would seem trivial to extend the use to ATM and POS terminals, it would end this type of scam for good.
  
  --
  Be very, very careful what you put into that head, because you will never, ever get it out. - Cardinal Wolsey
4. Re:Been said before by PseudonymousBraveguy · 2010-11-23 07:22 · Score: 2, Insightful
  
  IC card based authentication is well-kown and established, and is secure against skimming attacks without the need of external devices. Just slip in the card and enter your PIN. Even if your PIN is observed it's useless without the chip, and the chip is not easily readable (and thus, not really copy-able). The technology has been around for years (at least since the 1990), and is widely used. Only missing step is for the credit card companies to 1. adopt them (they are actually in the process of doing this, see EMV), and 2. to disable the old insecure systems. The most important step is step 2, and due to "backwards compatibility", that step will be delayed for years or decades.
  The tech has been there for 20 years, but it will probably take abother 20 years until it will make you more secure (if it is not broken in the meantime, that is)
5. Re:Been said before by Overzeetop · 2010-11-23 07:38 · Score: 2, Insightful
  
  Are your banks ran by complete scumbags
  Yes, yes they are.
  
  --
  Is it just my observation, or are there way too many stupid people in the world?
6. Re:Been said before by tlhIngan · 2010-11-23 09:09 · Score: 2, Interesting
  
  I think you are underestimating your fellow man here my friend. In the UK we ditched the swipe only method a long while back in favour of chip and pin for everything. A small minority bitched, but just got on with it as the benefits are obvious enough for the minor inconvenience of having to remember four digits. If you added another small layer of security to the existing chip + pin method I suspect the public reaction would be largely the same - a minority will complain, but then everyone will just get on with business as usual. Just like how when they made wearing seatbelts mandatory there was an outcry, but now its just so natural people don't even think about it.
  Have they fixed the idiotic security issue with chip+PIN yet? You know, the one where the chip verifies the PIN? I remember a story where it turns out during PIN verification, the chip sends the reader an "OK" value (0x90, I believe?) if the PIN is OK and the transaction goes through. No, the bank's not checking your PIN at all - it's all done on the card you have. Which means anyone who can clone it doesn't need a PIN.
  Which is a huge problem because you're liable for any charges made via chip+PIN, fraudulent or not.
  That's why banks took it up with great abandon - it costs them less , and screws the customer even more. All the other security devices? Costs banks and doesn't give them any benefit at all over the status quo. If only running a bank was easier - someone could clean house by making a more security-conscious bank, which looks out for their customer's interests...
Ballpeen hammer by spun · 2010-11-23 06:55 · Score: 3, Insightful

Just carry a ballpeen hammer around with you. Before inserting your card, take a couple of good hard swipes with the hammer. Skimmers aren't mounted solidly, and the rest of the machine is pretty much unbreakable.

--
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
1. Re:Ballpeen hammer by corbettw · 2010-11-23 07:06 · Score: 3, Insightful
  
  Sounds great. I'm sure a random police officer who happens to be passing by when you strike the ATM with a hammer will completely agree with your plan.
  
  --
  God invented whiskey so the Irish would not rule the world.
2. Re:Ballpeen hammer by Lumpy · 2010-11-23 07:27 · Score: 3, Interesting
  
  Dont even need to do that. Pull on the card slot housing, lift on the keypad,etc... , if it comes off, take it.
  Dont turn it in, your fingerprints are all over it now. Plus these things go for big $$$ on ebay. $1500 for cheap ones.
  
  --
  Do not look at laser with remaining good eye.
3. Re:Ballpeen hammer by pla · 2010-11-23 07:37 · Score: 2, Funny
  
  Half the point of a credit card is portability and ease of use. Carrying around a hammer is rather counterproductive towards that end.
  
  You need the new Chase(tm) Big Iron(sm)(r) card! For when you need convenience and heft, complete with a sensible no-hassle rewards program.
4. Re:Ballpeen hammer by spun · 2010-11-23 07:49 · Score: 5, Funny
  
  Just throw your ballpeen hammer at them.
  
  --
  - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
5. Re:Ballpeen hammer by spun · 2010-11-23 07:52 · Score: 2, Funny
  
  I thought that came with a no-reward hassle program?
  
  --
  - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Zero-knowledge protocols by Anonymous Coward · 2010-11-23 07:02 · Score: 2, Interesting

http://en.wikipedia.org/wiki/Zero-knowledge_protocol
It's possible to make an authentication scheme which is completely immune to skimming attacks.
Re:re by JohnVanVliet · 2010-11-23 07:08 · Score: 2, Interesting

i replied to a starwars post as the 3d poster -- then the starwars post disappeared

--
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
The RIAA was *almost* right. by sehlat · 2010-11-23 07:10 · Score: 5, Funny

Home taping is killing ATMs.
wow by bhcompy · 2010-11-23 07:14 · Score: 2

Phrack, nice. Only been a decade since I've seen a Phrack reference. Probably got some Phrack printouts with some 2600 mags in a storage bin somewhere. I wonder what the modern underground magazine of record is nowadays
Re:Crooks? by Abstrackt · 2010-11-23 07:24 · Score: 2, Insightful

Not crooks: Geniuses! :-)
They're not mutually exclusive.

--
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
Do not take me seriously by spun · 2010-11-23 07:51 · Score: 3, Funny

Insightful? Uh, it was supposed to be a joke. Please don't actually do this. As someone else mentioned, just tug on the thing.

--
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Audio-based cards = low security by petsounds · 2010-11-23 08:25 · Score: 2, Interesting

I read the linked Phrack file (brought me back to my BBS days), interesting read. Here's the relevant passage. Note the bolded text:

Not all magstripe cards operate on a digital encoding method. SOME cards
encode AUDIO TONES, as opposed to digital data. These cards are usually
used with old, outdated, industrial-strength equipment where security is not an
issue and not a great deal of data need be encoded on the card. Some subway
passes are like this. They require only expiration data on the magstripe, and
a short series of varying frequencies and durations are enough. Frequencies
will vary with the speed of swiping, but RELATIVE frequencies will remain the
same (for instance, tone 1 is twice the freq. of tone 2, and .5 the freq of
tone 3, regardless of the original frequencies!). Grab an oscilloscope to
visualize the tones, and listen to them on your stereo. I haven't experimented
with these types of cards at all.
Only being used with outdated equipment where security isn't an issue? This was written in 1992! Assuming the format hasn't changed much on these new systems, why the hell are ATMs now(still?) using this format?