Slashdot Mirror
Gang Used 3D Printers To Make ATM Skimmers
An anonymous reader sends this excerpt from a post by security researcher Brian Krebs:
"An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. ... Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. Last year, i-materialize blogged about receiving a client's order for building a card skimmer. In June, a federal court indicted four men from South Texas whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer."
Yeah, and there's absolutely no reason a "card-reader which harvests the data" should be possible to construct - and indeed with a well-engineered chip-card, it isn't.
A magnetic stripe can obviously be read and duplicated. But a chip-card can use challenge-response. That is, to verify the card the protocol between ATM and card runs something like this:
ATM: What's your public key ?
Card: dead0011beef
ATM: Prove it ?
Card: Here's Trents signature that attest it.
ATM: "Please sign 17ae4082b1f"
Card: return sign(my_private_key 17ae4082b1f)
ATM: verify(card_public_key, signature received in last step)
The thing is, there doesn't need to be any easy way of reading out the private key of the card. What's needed is to use one of the many protocols that lets the card prove that it *knows* the private_key, without actually revealing that key.
And this ain't science fiction - it's the way ATMs and retail-terminals *alreay* operates where I live. (though they're generally still *also* able to read magnetic stripes, for backwards compatibility, but they refuse to do so if your card is a chip-card. (the cards also tends to have chip -and- magnetic - the latter is only for use abroad on terminals unequipped for chips - and yes, that adds to risk!)
Used for illegal purposes? BAN 3D PRINTERS. And cassette tapes. And knives!
Z