Slashdot Mirror


Gang Used 3D Printers To Make ATM Skimmers

An anonymous reader sends this excerpt from a post by security researcher Brian Krebs: "An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. ... Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. Last year, i-materialize blogged about receiving a client's order for building a card skimmer. In June, a federal court indicted four men from South Texas whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer."


  1. Very broken system by syousef · · Score: 3, Insightful

    When a 3d printer can make a decent skimming device (or disguise one) you can't help but think the system is truly broken. Computer security has progressed in leaps and bounds - it isn't perfect and it certainly isn't idiot proof. But banks are still using hand written signatures and easily faked devices while all but ignoring the risk. Heck they're introducing pinless low value transactions at shopping centers in Australia. I'm ANNOYED that my card can be used without either a signature or a pin number verification being used. It means there's significant risk that if me or my wife lose a credit card and don't immediately discover it, we'll be up for a very large sum of money. And even if we're not, we won't have access to the money while the issue is resolved.

    It's not sustainable. The banks need to be held more accountable.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Very broken system by neyla · · Score: 5, Interesting

      Yeah, and there's absolutely no reason a "card-reader which harvests the data" should be possible to construct - and indeed with a well-engineered chip-card, it isn't.

      A magnetic stripe can obviously be read and duplicated. But a chip-card can use challenge-response. That is, to verify the card the protocol between ATM and card runs something like this:

      ATM: What's your public key?
      Card: dead0011beef
      ATM: Prove it?
      Card: Here's Trent's signature that attests it.
      ATM: "Please sign 17ae4082b1f"
      Card: return sign(my_private_key, 17ae4082b1f)
      ATM: verify(card_public_key, signature received in last step)

      The thing is, there doesn't need to be any easy way of reading out the private key of the card. What's needed is to use one of the many protocols that lets the card prove that it *knows* the private_key, without actually revealing that key.

      And this ain't science fiction - it's the way ATMs and retail-terminals *already* operate where I live (though they're generally still *also* able to read magnetic stripes, for backwards compatibility, but they refuse to do so if your card is a chip-card). (The cards also tend to have chip -and- magnetic - the latter is only for use abroad on terminals unequipped for chips - and yes, that adds to risk!)

    2. Re:Very broken system by clarkcox3 · · Score: 2

      Simple:

      • Each card and ATM is given a public/private key pair.
      • The public keys are signed by the bank's private key
      • Every card also contains the bank's public key

      When the card is inserted, the ATM asks for the card's public key

      1. The ATM then verifies that the card's public key was signed by the bank, using the bank's public key.
      2. The ATM then encrypts a block of random data with the card's public key, and asks the card to decrypt it.
      3. If the card successfully replies with the same random data, it has just proven that it has the private key that it claims to have

      Then it's the card's turn to repeat the same process:

      1. It asks the ATM for its public key, verifies that it was signed by the bank, using the bank's public key.
      2. The card encrypts a block of data with the ATM's public key, asks the ATM to decrypt it

      At this point, both the card and the ATM know that they are talking to the appropriate device. Each device can then generate a symmetrical key for that session, and encrypt it with the other device's public key, and use those keys for any further communication.

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
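The challenge-response check described in the two posts above, as an added example that is not code from either poster or from any real card scheme. It uses the signed-challenge form from the first post in both directions rather than the encrypt-and-decrypt form of the second; Ed25519 and the names `Device`, `Issue`, `Respond` and `Authenticate` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device is a card, an ATM or the bank (hypothetical type; Ed25519 is an assumption).
type Device struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the device
	Cert []byte             // issuer's signature over Pub
}

// Issue makes a key pair and has issuer certify the public key.
func Issue(issuer *Device) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := priv // a nil issuer means self-signed: the bank's own root key
	if issuer != nil {
		signer = issuer.priv
	}
	return &Device{pub, priv, ed25519.Sign(signer, pub)}
}

// Respond signs a challenge; nothing else ever touches the private key.
func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Authenticate is the verifier: check the certificate, send a fresh nonce, check the reply.
func Authenticate(bankPub, peerPub ed25519.PublicKey, cert []byte, respond func([]byte) []byte) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return len(peerPub) == ed25519.PublicKeySize && ed25519.Verify(bankPub, peerPub, cert) &&
		ed25519.Verify(peerPub, nonce, respond(nonce))
}

func main() {
	bank := Issue(nil)
	card, atm := Issue(bank), Issue(bank)
	var seen []byte // what a skimmer on the wire records: one signed response
	ok := Authenticate(bank.Pub, card.Pub, card.Cert, func(c []byte) []byte { seen = card.Respond(c); return seen })
	replayed := Authenticate(bank.Pub, card.Pub, card.Cert, func([]byte) []byte { return seen })
	atmOK := Authenticate(bank.Pub, atm.Pub, atm.Cert, atm.Respond) // the card's check of the ATM
	fmt.Println("card:", ok, "replayed recording:", replayed, "ATM:", atmOK)
}
```

The recorded response fails in the second session because it is a signature over the first session's nonce, which is why a device that only listens has nothing reusable to copy.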
    3. Re:Very broken system by Anonymous Coward · · Score: 3, Informative

      My bank did this too. Took about 3 weeks before we saw the first new skimmers.

      They're translucent green, almost look like a screen cover for a phone.
      They fit under the new green card slot, where the green plastic protrudes over the actual card entrance to the machine.
      You have to look CLOSE to notice it; almost invisible.
      Amazing little devices, they're actually using the insertion of the card itself to generate the power required to record the magstripe.
      The camera that shoots the PIN is actually in a different location, using a telephoto.

      Now they're talking about building anti-LOS boxes around all the ATMs to prevent the telephoto shot.
      (note that there are already anti-photo coatings on the screen, they're taking video of your hand movement and inferring your PIN from that since the numbers are always in the same place on the screen)

      Next thing we need to do is start using all touchpad PIN entry and cypher it by having each of the keys (0-9) in a random place on the screen each time, that way, once you've entered your PIN, there's no way to know what number a certain gesture corresponded to.
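The scrambled on-screen keypad proposed in the post above, as an added example that is not from the poster or from any ATM vendor. `Layout`, `NewLayout`, `Touches` and `Decode` are hypothetical names, the PIN `4071` is a constructed value, and PINs are assumed to contain only digits.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math/big"
)

// Layout[i] is the digit drawn at on-screen position i for one PIN entry.
type Layout [10]byte

// NewLayout shuffles 0-9 (Fisher-Yates); rand.Int is uniform, so no ordering is favoured.
func NewLayout() Layout {
	l := Layout{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9'}
	for i := len(l) - 1; i > 0; i-- {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			panic(err)
		}
		l[i], l[j.Int64()] = l[j.Int64()], l[i]
	}
	return l
}

// Touches returns the positions pressed to enter pin: all that a camera on the hand sees.
func (l Layout) Touches(pin string) []int {
	pos := make([]int, len(pin))
	for i := range pos {
		pos[i] = bytes.IndexByte(l[:], pin[i])
	}
	return pos
}

// Decode is the terminal's side: map touched positions back to digits with its own layout.
func (l Layout) Decode(pos []int) string {
	out := make([]byte, len(pos))
	for i, p := range pos {
		out[i] = l[p]
	}
	return string(out)
}

func main() {
	session1, session2 := NewLayout(), NewLayout() // a new layout for every PIN entry
	seen := session1.Touches("4071")               // constructed PIN
	fmt.Println("terminal reads:", session1.Decode(seen), "same positions next session:", session2.Decode(seen))
}
```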

    4. Re:Very broken system by xaxa · · Score: 2

      if you report the card stolen then you'll get the money back.

      That's not really the point is it, when I go out with cash, I carry what I need to use and that's it, which normally means £20-30.

      But the credit card based paywave stuff as far as I know pretty much lets you have up to your card limit so long as the payments were small without ever challenging for authentication.

      No, it prompts for a PIN "sometimes" for security. I expect if there are too many Paywave transactions in succession.

      The maximum transaction is £15 (for Visa Paywave in the UK), and the retailers who use it accept the fraud risk (they pay back the bank, I think), so it's likely to stay as takeaway food and drinks, newsagents, etc. I think the criminal is likely to get more profit more easily by simply taking your cash.

    5. Re:Very broken system by firex726 · · Score: 2

      But isn't the skimmer just making a cloned copy of the information contained in the magnetic strip?

      How would the CC or ATM know that there was a skimmer involved?

    6. Re:Very broken system by camperdave · · Score: 2

      This isn't the 1980s anymore. ATMs can be about as small as a payphone. They have freestanding units. They even have mobile ATMs for places like county fairs.

      --
      When our name is on the back of your car, we're behind you all the way!
  2. And did you know... by Jane+Q.+Public · · Score: 2

    ... that CAMERAS can actually be used to take pictures of naked people?!

    It's foolish to blame the tool for the crime. That takes people.

  3. How long till they can print money? by Sasayaki · · Score: 2, Insightful

    I've always wondered what the economics of the world of cheap, prolific, effective 3D printers is like. If anyone can create basically any material good, what's the economics of that place like?

    Star Trek had replicators, which could basically make anything, even food or water (except for a few things which were a de-facto currency). They were basically communists, which doesn't work with people being people but might work if anyone could create whatever they wanted.

    But what about things that can't be replicated/printed? Like electricity, or land for housing, or water/food? Trek says that water and food are replicable, but with our current 3D printers obviously we can't make that just yet unless you can eat plastic.

    What's the economy of the western world going to look like if the only thing we need is material for 3D printers, power, land, food and water? Will provision of the un-replicable become the job of the state?

    --
    Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
    1. Re:How long till they can print money? by lxs · · Score: 2

      The Espresso book machine does just that. You put in a pdf and a paperback pops out.

      Right now, there are only a couple of them installed around the world, but I'm sure that in time others will make similar systems and before you know it every copy place and bookstore will have three.

    2. Re:How long till they can print money? by Animats · · Score: 2

      I've always wondered what the economics of the world of cheap, prolific, effective 3D printers is like. If anyone can create basically any material good, what's the economics of that place like?

      The economics of 3D printing are worth noting. Complexity doesn't cost much, but material volume does. Watch size objects, yes. Auto bumpers, no.

      This is somewhat different from CNC machining, where complexity and high detail costs machining time. You have to use smaller tools and can't remove metal fast in high-detail areas. Big smooth surfaces can be machined quickly with big tools.

  4. Goin' Digital! by Anachragnome · · Score: 4, Insightful

    I was having a discussion with my daughter (an artist) the other day about protecting her work, and much of what we discussed applies to this technology--when you get right down to it, the moment you convert any product into a digital format, and expose it to the internet in any way, you lose a great deal of control of that creation, if not all.

    This technology is about to do that to physical objects, by proxy--the dimensions are what are actually being digitized. The end result will be the same though--freely available physical products. The only catch is that the user must provide the physical medium...kind of like someone providing a blank CD in order to utilize an MP3 file. I predict that, one day, the king of "most downloaded" torrents will be a 3D printer file for a bong.

    This is the same genie that the recording/electronics industries let out of its bottle about 28 years ago. He appears to be having much adventure and does not wish to return to his bottle. Ever.

  5. Re:Why not use the printer... by lxs · · Score: 2

    Yeah! Let's print oysters.

  6. Now I WOULD... by slider2800 · · Score: 3, Funny

    ...download a car. And print it!

    --
    return $sig;
  7. Ban 3D printers by zennyboy · · Score: 3, Interesting

    Used for illegal purposes? BAN 3D PRINTERS. And cassette tapes. And knives!

    Z