Slashdot Mirror


Gang Used 3D Printers To Make ATM Skimmers

An anonymous reader sends this excerpt from a post by security researcher Brian Krebs: "An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. ... Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. Last year, i-materialize blogged about receiving a client's order for building a card skimmer. In June, a federal court indicted four men from South Texas whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer."


  1. Very broken system by syousef · · Score: 3, Insightful

    When a 3D printer can make a decent skimming device (or disguise one) you can't help but think the system is truly broken. Computer security has progressed in leaps and bounds - it isn't perfect and it certainly isn't idiot proof. But banks are still using handwritten signatures and easily faked devices while all but ignoring the risk. Heck they're introducing pinless low value transactions at shopping centers in Australia. I'm ANNOYED that my card can be used without either a signature or a pin number verification being used. It means there's significant risk that if my wife or I lose a credit card and don't immediately discover it, we'll be up for a very large sum of money. And even if we're not, we won't have access to the money while the issue is resolved.

    It's not sustainable. The banks need to be held more accountable.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Very broken system by neyla · · Score: 5, Interesting

      Yeah, and there's absolutely no reason a "card-reader which harvests the data" should be possible to construct - and indeed with a well-engineered chip-card, it isn't.

      A magnetic stripe can obviously be read and duplicated. But a chip-card can use challenge-response. That is, to verify the card the protocol between ATM and card runs something like this:

      ATM: What's your public key?
      Card: dead0011beef
      ATM: Prove it?
      Card: Here's Trent's signature that attests it.
      ATM: "Please sign 17ae4082b1f"
      Card: return sign(my_private_key, 17ae4082b1f)
      ATM: verify(card_public_key, signature received in last step)

      The thing is, there doesn't need to be any easy way of reading out the private key of the card. What's needed is to use one of the many protocols that lets the card prove that it *knows* the private_key, without actually revealing that key.

      And this ain't science fiction - it's the way ATMs and retail-terminals *already* operate where I live (though they're generally still *also* able to read magnetic stripes, for backwards compatibility, but they refuse to do so if your card is a chip-card). (The cards also tend to have chip -and- magnetic - the latter is only for use abroad on terminals unequipped for chips - and yes, that adds to risk!)
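
The exchange sketched in the comment above, as an added example that is not part of the original thread and not an implementation of any payment standard: an issuer ("Trent") certifies the card's public key, the terminal sends a fresh random challenge, and a recorded session is useless against the next challenge. Ed25519 from Node's built-in `crypto` module and every function name here (`issueCard`, `authenticate`, `recordSession`, `cloneFrom`, `selfCertifiedCard`, `demo`) are assumptions chosen for illustration.

```javascript
// Added example: challenge-response card authentication (names are hypothetical).
const crypto = require('crypto');

// "Trent" is the issuer; terminals are assumed to ship with Trent's public key.
const trent = crypto.generateKeyPairSync('ed25519');
const spki = (key) => key.export({ type: 'spki', format: 'der' });

// Card personalisation: the private key stays inside the closure (the "chip").
function issueCard() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey,
    cert: crypto.sign(null, spki(publicKey), trent.privateKey), // Trent attests the key
    sign: (challenge) => crypto.sign(null, challenge, privateKey), // only operation exposed
  };
}

// Terminal: check Trent's signature on the key, then demand a signature on a fresh nonce.
function authenticate(card, trentPublicKey) {
  if (!crypto.verify(null, spki(card.publicKey), trentPublicKey, card.cert)) return false;
  const nonce = crypto.randomBytes(16);
  return crypto.verify(null, nonce, card.publicKey, card.sign(nonce));
}

// What a device sitting in the card slot can capture: public data plus one signature.
function recordSession(card) {
  return { publicKey: card.publicKey, cert: card.cert, sig: card.sign(crypto.randomBytes(16)) };
}

// A copy made from that recording can only replay the old signature.
function cloneFrom(rec) {
  return { publicKey: rec.publicKey, cert: rec.cert, sign: () => rec.sig };
}

// A card that vouches for its own key instead of presenting Trent's signature.
function selfCertifiedCard() {
  const kp = crypto.generateKeyPairSync('ed25519');
  const cert = crypto.sign(null, spki(kp.publicKey), kp.privateKey);
  return { publicKey: kp.publicKey, cert, sign: (c) => crypto.sign(null, c, kp.privateKey) };
}

function demo() {
  const card = issueCard();
  return {
    genuine: authenticate(card, trent.publicKey),
    replayedClone: authenticate(cloneFrom(recordSession(card)), trent.publicKey),
    selfCertified: authenticate(selfCertifiedCard(), trent.publicKey),
  };
}
console.log(demo());
```

The clone fails because the terminal's nonce differs on every run, and the self-certified card fails at the certificate check before any challenge is sent.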

    2. Re:Very broken system by Anonymous Coward · · Score: 3, Informative

      My bank did this too. Took about 3 weeks before we saw the first new skimmers.

      They're translucent green, almost look like a screen cover for a phone.
      They fit under the new green card slot, where the green plastic protrudes over the actual card entrance to the machine.
      You have to look CLOSE to notice it; almost invisible.
      Amazing little devices, they're actually using the insertion of the card itself to generate the power required to record the magstripe.
      The camera that shoots the PIN is actually in a different location, using a telephoto.

      Now they're talking about building anti-LOS boxes around all the ATMs to prevent the telephoto shot.
      (note that there are already anti-photo coatings on the screen, they're taking video of your hand movement and inferring your PIN from that since the numbers are always in the same place on the screen)

      Next thing we need to do is start using all touchpad PIN entry and cypher it by having each of the keys (0-9) in a random place on the screen each time, that way, once you've entered your PIN, there's no way to know what number a certain gesture corresponded to.

  2. Goin' Digital! by Anachragnome · · Score: 4, Insightful

    I was having a discussion with my daughter (an artist) the other day about protecting her work, and much of what we discussed applies to this technology--when you get right down to it, the moment you convert any product into a digital format, and expose it to the internet in any way, you lose a great deal of control of that creation, if not all.

    This technology is about to do that to physical objects, by proxy--the dimensions are what are actually being digitized. The end result will be the same though--freely available physical products. The only catch is that the user must provide the physical medium...kind of like someone providing a blank CD in order to utilize an MP3 file. I predict that, one day, the king of "most downloaded" torrents will be a 3D printer file for a bong.

    This is the same genie that the recording/electronics industries let out of its bottle about 28 years ago. He appears to be having much adventure and does not wish to return to his bottle. Ever.

  3. Now I WOULD... by slider2800 · · Score: 3, Funny

    ...download a car. And print it!

    --
    return $sig;
  4. Ban 3D printers by zennyboy · · Score: 3, Interesting

    Used for illegal purposes? BAN 3D PRINTERS. And cassette tapes. And knives!

    Z