Criminals Use 3D-Printed Skimming Devices On Sydney ATMs
AlbanX writes "A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture 'sophisticated' ATM skimming devices to fleece Sydney residents. One Romanian national has been charged by NSW Police. The state police found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000."
It's about time that US banks caught up with the rest of the world and put chips on all their cards, then we can finally get rid of the magstripes.
While chip & PIN has its security flaws, it's way better than the 20-year-old magnetic stripe system. In Australia and most of Europe, the only reason they still put the stripes on cards is because the cards have to work when people travel to the US.
It's been at least a year since I've seen a reader without chip support in Australia, and the only time the magstripe is used is when the chip or contactless read fails.
People should not lose any money when their cards get skimmed... However, when you find out and contact your bank, they will immediately block your card, meaning that your access to cash becomes a little more difficult. Also, it may take several days until you get your money back. It's not the end of the world, but it surely is inconvenient. And therefore, people are affected too.
That would be somewhat more likely if this were a story about petty crime like pickpocketing or car theft (but even there, some ethnic Romanian immigrants are perfectly capable of engaging in petty crime). But when it comes to crime involving computer exploits, they are considerably more likely to be ethnic Romanian and not Roma. For example, this Wired article about online theft involves a number of young people who are not Roma.
Living in Romania myself and seeing it treated like a pariah abroad, in spite of the fact that some parts of it are among the best educated and most cultured parts of Europe, I am used to the tendency of many to blame the country's ills on the Roma, but good and evil exist inside people of every ethnicity.
This "Romanians = gypsies = criminals" connection is also a dangerous one, as it can really mislead people about moving populations in Europe. I spend a lot of time in Finland, and I watched as one community lamented a large Roma tribe that flooded their town each summer, begging, pickpocketing and recycling. They called them "the Romanians", and that formed everyone's opinion about the country. When I tried to start a conversation with one of them in a queue at a supermarket's bottle-return machine, it turned out all of them were from a small town in central Bulgaria. But for some reason, Bulgaria never gets rubbished half as much as Romania.
Firstly, yes, there are working attacks. We know that the following attacks have been done by actual criminals, real bad guys, who obtained money or goods through fraud with the attack, some of whom are now in jail for it:
- "YES cards". Fake chip clone cards which are programmed to tell the terminal that the PIN matched, then hand back a data block for the bank which says no PIN was used because the terminal authorised a signature instead. The bank gets the data, says "Huh, you authorised on a signature? OK", and the transaction goes through. (They can't send back a fake PIN block to the bank because the bank knows the true PIN and will see it was wrong.) These were used very widely; banks are slowly, slowly deploying a newer system that isn't fooled by this trick.
- Fake/modified terminals. The criminals either own the store, or they bribe the real owner to turn a blind eye as they modify the "tamper proof" terminals to retain the PIN so that it can be used later.
In addition, there are attacks that we know work (because researchers have done them, typically after telling the police and any affected retailers what they're going to do) but we cannot prove they've been used by criminals. If you like to believe that criminals are all stupid, then maybe these attacks don't worry you:
- UN guessing. The cryptographic nonce used in Chip and PIN is called the UN (Unpredictable Number). But banks trust terminals to make it actually unpredictable. Researchers have demonstrated that it's sometimes just a counter, or another simple, predictable output value. The cryptographic security of the design rests on this nonce being unpredictable, by which its designers intended "random", but the acceptance tests just require it not to repeat within a few cycles. Uh-oh. It's hard to make random numbers reliably not repeat: try throwing a die twice in a row; sometimes you get the same number. But it's easy to make a counter, and that always passes the tests.
Shifting the burden for fraud onto consumers is a problem /even if Chip and PIN were flawless/. The same UK investigators who found the UN guessing attack previously investigated a case where the customer's card and PIN were used and they said they'd never received the card or PIN. The bank wouldn't back down; it refused to believe that insiders had stolen the customer's details and redirected deliveries to take control of the account, and blamed the customer for everything. Right up until it presented its "proof" that the card was properly delivered. The proof was a courier photo (taken during delivery) of... the wrong address. "That's not my front door," said the customer. Suddenly realising that their house of cards was falling down, the bank changed its mind and offered compensation. Why did the customer need to fight this hard? The bank must have suspected from the outset that it had an internal fraud problem, so why try to get the customer to pay?
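The UN point in the post above ("the acceptance tests just require it not to repeat within a few cycles... it's easy to make a counter, and that always passes") is easy to see in code. The following is an added example, not code from the post, from any EMV specification or from any terminal vendor: it models the weak "no repeat within a window" check the poster describes, then runs two cheap checks an issuer or auditor could apply to a sample of UNs pulled from transaction logs: is the sequence an arithmetic progression (a counter), and are there bits that never change? The 32-bit UN size, the window of 8, and both UN sequences are assumptions constructed for the example; the "random" terminal uses a seeded PRNG purely so the run is reproducible, not as a recommendation for a real terminal.

```python
# Added example (not from the post or from any EMV specification): sanity checks
# on a terminal's Unpredictable Numbers (UNs). All sample data is constructed.
import random

UN_BITS = 32               # assumption: 4-byte UN, as sent by a typical terminal
UN_MOD = 1 << UN_BITS


def naive_acceptance(uns, window=8):
    """The weak test the post describes: pass as long as no UN repeats within
    `window` consecutive transactions. A counter always passes this."""
    for i, un in enumerate(uns):
        if un in uns[max(0, i - window + 1):i]:
            return False
    return True


def counter_stride(uns):
    """Return the stride d if every UN equals the previous one plus d (mod 2^32),
    i.e. the 'UN' is a counter; None if the sequence is not an arithmetic progression."""
    if len(uns) < 3:
        return None
    d = (uns[1] - uns[0]) % UN_MOD
    for prev, cur in zip(uns, uns[1:]):
        if (cur - prev) % UN_MOD != d:
            return None
    return d


def constant_bits(uns):
    """Bitmask of UN bits that never change across the sample.
    For a genuinely random 32-bit UN and n samples, each bit stays constant with
    probability 2^(1-n), so a non-zero mask after a few dozen samples means the
    UN is structured (counter, timestamp, fixed prefix), not random."""
    all_and = UN_MOD - 1
    all_or = 0
    for un in uns:
        all_and &= un
        all_or |= un
    return all_and | ((UN_MOD - 1) & ~all_or)


def predict_next(uns):
    """The attacker's view: if the UN is a counter, the next one is known in advance
    (so a cryptogram can be pre-computed). Returns None if no cheap prediction exists."""
    d = counter_stride(uns)
    if d is None:
        return None
    return (uns[-1] + d) % UN_MOD


def assess(uns, window=8):
    """Run every check on one terminal's UN sample and return a verdict."""
    stride = counter_stride(uns)
    fixed = constant_bits(uns)
    return {
        "passes_naive_test": naive_acceptance(uns, window),
        "counter_stride": stride,
        "constant_bits": fixed,
        "predictable": stride is not None or fixed != 0,
    }


# Constructed samples: a terminal whose "UN" is a plain 32-bit counter, and one
# with a PRNG standing in for a proper random source (seeded only so the example
# is reproducible; a real terminal needs a hardware RNG or a properly seeded CSPRNG).
COUNTER_UNS = [(0x0000ABCD + i) % UN_MOD for i in range(64)]
_rng = random.Random(2024)
RANDOM_UNS = [_rng.getrandbits(UN_BITS) for _ in range(64)]

if __name__ == "__main__":
    for name, uns in (("counter", COUNTER_UNS), ("random", RANDOM_UNS)):
        verdict = assess(uns)
        verdict["constant_bits"] = hex(verdict["constant_bits"])
        print(name, verdict, "next UN guess:", predict_next(uns))
```

The counter terminal passes `naive_acceptance` exactly as the post says, while `counter_stride` recovers the stride and `constant_bits` reports the entire upper half of the word as frozen; the seeded-PRNG terminal passes both stronger checks. Neither check is a substitute for a proper randomness test suite on the terminal's RNG, but both can be run after the fact on logged transaction data, which is the position an issuer is actually in.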