Criminals Use 3D-Printed Skimming Devices On Sydney ATMs
AlbanX writes "A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture 'sophisticated' ATM skimming devices to fleece Sydney residents. One Romanian national has been charged by NSW Police. The state police found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000."
Not sure how this affected tens of thousands of people... seems like a stretch to me... it affected 5 bank employees and 1 insurance company...
It's about time that US banks caught up with the rest of the world and put chips on all their cards, then we can finally get rid of the magstripes.
While chip&pin has its security flaws, it's way better than the 20 year old magnetic stripe system. In Australia and most of Europe the only reason they still put the stripes on cards is because the cards have to work when people travel to the US.
It's been at least a year since I've seen a reader without chip support in Australia and the only time the magstripe is used is when the chip or contactless read fails.
Sometimes it's funny how ATMs I see outside of my country (Spain) don't seem to have the security systems that they were forced to use here for problems like the one described in the article.
I also find foreign paper currency to be unsafe, ID documents too easy to forge and store security to be amazingly weak.
Sometimes I wish I lived in one of those countries where all that security isn't needed.
Many criminals are hard working too.
---- Booth was a patriot ----
I read stories like this that try to diss the use of "3D Printers" as if somehow banning the use of those devices is somehow going to stop criminals from engaging in acts like this. What utter nonsense.
How many other stories about ATM skimmers emphasized any of the tools used to make the devices used to make their devices? Why such a strong emphasis on the 3D printing technology? It sounds like a cool buzz word, but means absolutely nothing other than an attempt to make something new sound frightening because the reporters and police officers involved don't have a clue about how the technology works.... therefore it must be some kind of dark magic that must be brought before the Inquisition and those involved banished to Hell (or some equivalent).
While I don't mind seeing stories like this on Slashdot as it does talk about emerging technologies and their impact upon society as a whole, it still turns my stomach to see such awful reporting overemphasizing the manufacturing technology (it was the lead paragraph) instead of describing what people were doing first. Had the technology being used been mentioned much further into the article, I think it would have been much more appropriate.
That they used a 3D printing device is hardly interesting news. That’s just more 3D printing hype. What I find fascinating with this story is that card skimming at ATMs still works, today, in 2013.
It’s clearly a failure to implement the most basic security and authentication features, which are widely available today. How can it be that, today, one can still do any kind of transaction with only a card number and a PIN – if a PIN is needed at all (e.g. for online transactions)?
They (the banks and/or credit card companies) try a lot of fancy things like nice holograms on ATM machines or abstruse authentication methods that fail to understand that a simple password is about as safe as the card number itself. This PIN skimming thing is the proof of that.
It’s slowly getting better, with unique number generators for validation or unique numbers sent through SMS. But I hardly believe these solutions are optimal for the users. Perhaps this explains why their implementation is so amazingly slow – although I believe it is still better to have those than none at all.
As you have pointed out, European 'Chip-and-PIN' Cash-Card Security has already been cracked by criminals.
And fair enough, generally cards with chips are still more secure than their magnetic counterparts.
What I am more disturbed about is, from the point of the consumer, it appears that in Europe at least the supposed security of the chip and pin system has been (ab)used by banks to deny refunds to their defrauded clients.
From the POV of the consumer, I would not favor the use of this newer, more secure system if it shifts the burden of fraud on me with the excuse that "it's unhackable, you must have given them your PIN".
Nonexistent when compared to Wall Street extortion and foreclosure fraud.
$100,000 PFFT!
“He’s not deformed, he’s just drunk!”
in an elephant's world.
“He’s not deformed, he’s just drunk!”
That would be somewhat more likely if this were a story about petty crime like pickpocketing or car theft (but even there, some amount of ethnic Romanian immigrants are perfectly capable of engaging in petty crime). But when it comes to crime involving computer exploits, they are considerably more likely to be ethnic Romanian and not Roma. For example, this Wired article about online theft involves a number of young people who are not Roma.
Living in Romania myself and seeing it treated like a pariah abroad in spite of the fact that some parts of it are among the best educated and cultured parts of Europe, I am used to the tendency of many to blame the country's ills on the Roma, but good and evil is inside of every ethnicity.
This "Romanians = gypsies = criminals" connection is also a dangerous one, as it can really mislead people about moving populations in Europe. I spend a lot of time in Finland, and I watched as one community lamented a large Roma tribe that flooded their town each summer, begging, pickpocketing and recycling. They called them "the Romanians" and that formed everyone's opinion about the country. When I tried to start a conversation with one of them in a queue at a supermarket's bottle-return machine, it turned out all of them were from a small town in central Bulgaria. But for some reason, Bulgaria never gets rubbished half as much as Romania.
"Hard working" is the opposite of capitalism's philosophy by design.
"Law abiding" is just a risk minimisation strategy.
I know Romania's been dragged from the horror of despotism into the quagmire of neoconservatism, but really, patriotism's never the way forward, nor is pandering to the propaganda of the Protestant work ethic. These guys are just dicks who are taking advantage of the guy on the street.
There's a lot of much simpler security measures that work a lot more effectively. Every time you hear someone come up with elaborate digital security, you have to go back to thinking of basics. Security is simple, and overthinking it is the best way to make it even worse.
Put ATMs in secure places. In the UK, they are almost always just out on the street where anyone can shoulder-surf your PIN. Like in Europe/US put them inside a room that is controlled and monitored.
Make ATMs show you what they should look like. All the time, the ATM should just show you a picture of what it SHOULD look like. This picture should move / flip every now and then so you can see if someone has tampered with the screen. A quick glance and you can tell if that random bit of green plastic on the card slot is SUPPOSED to be there or not (this pisses me off even with genuine ATMs and I don't use them if they have those green slots).
(Incidentally, why do credit card terminals, which have to talk to the bank, not send the card number - or some identifier from the card - to the bank, which sends back a PHOTOGRAPH of the CARD HOLDER which the genuine merchant can use to verify, at least in part, whether it's their card or misuse. Unfakeable, as the photo is from the bank, not from the card, so genuine merchants would be able to spot even wives using their husband's cards - which is still technically not allowed, but is currently ignored. Fuck Chip-and-PIN, give my photo to every merchant I use my credit card with so they know who is me and who isn't and can query if they are uncertain).
Put a shutter on the card slot. When the card is needed, open the shutter. When it's not, shut the shutter. Make it so that ANY device on the card slot would stop the shutter shutting, and this in itself would cause the ATM to disable itself and alarm. No worse a chance of losing the card for the customer than those ATMs which haven't been serviced in a while and the motors barely have the strength to push it back out.
Make fucking cards that can't be "skimmed" and that - without the PIN - are useless. This isn't difficult, and what Chip-and-PIN was always supposed to solve. Then you can skim my card to your heart's content because without my PIN being entered correctly NOTHING happens or provides useful data (we've already sacrificed mag-stripes, so this is no great burden as the cards should ALREADY be useless without the PIN).
SEND SMS MESSAGES to users on every use of their card. Almost every European bank already does this (except for the UK). My Italian girlfriend gets a text within seconds of touching her card anywhere, even in the UK, with details of the transaction. Her dad, too, when he was over here and bought £10 of stuff in a hardware store, and we were able to tell the SHOP STAFF that they'd duplicated the transaction by mistake because he got a text before he even got his card back.
Simple things. Put the cardholders back in control of their cards. The only reason NOT to is that you make money somehow out of not doing this. I can't believe billions of pounds worth of fraud isn't incentive enough to do things like send texts to cardholders, or put little motorised shutters (like some ATMs used to have anyway) on the card slot.
Blah blah blah...
Store a private key on the card so that it cannot be read from the outside without physically damaging the card. Use the card to cryptographically sign transactions after you enter the correct PIN. Problem solved.
The only problems that remain are rogue payment terminals and ATMs which use your own card to overcharge your account. But if you keep track of where you've used your card and when, you have everything the police needs to know and they can either catch the culprit or at least disable the rogue device.
It would also be more likely if the person arrested wasn't described as a "Romanian national" by both the summary and the article.
And chip has already been broken, at least with rogue terminals. Tell the card that the user selected "sign" and the chip will "approve" the transaction, while capturing the PIN for later use, if desired.
Learn to love Alaska
Not to mention technically accomplished. They should apply for grants instead.
So, you draw conclusions about an entire nation after analyzing a sample of one? Who's the racist here?
We don't have beggars, we already pay them collectively to stay inside and watch TV or drink themselves to death.
And this is where you fail, because you do not understand that we all live on the same planet. As long as you take care of your citizens and say fuck you to the rest of the world, this will keep happening. If you're so wonderful, why not help your neighbors improve? Otherwise some turtle beneath you will move eventually and you will end up in the mud.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Romanians are NOT Gypsies. The Roma people are the peoples called Gypsies who originated from India.
Sorry, but "Romanian" as a label of national origin (which is how it is used most of the time outside of Romania) encompasses both ethnic Romanians and ethnic Roma/Saxons/Hungarians/Banat Bulgarians/Dobrogean Tatars and whoever else was born in the country. Trying to claim that Roma are not Romanians when the word is used in that sense shows a great misunderstanding of how English works.
Wait, the point I was trying to make is that not all Romanians are Gypsies otherwise known as Roma people, a subgroup of the Romani people. I never claimed anything. I merely pointed out Gypsies are Roma peoples. Maybe I needed to spell that out better.
In many parts of the world it is often mistaken that Roma = Romanians, meaning all Romanians are mistaken for Gypsies.
Newsflash
Criminals use 2D printers to create 'sophisticated' forged documents. Ban evil 2D printers!!!
WTFC's? Criminals have used lathes, presses, drills, hammers, laptops, PC's, all sorts of tools in the past! So, they use another tool, in this case the dastardly 3D Printer! OOOHH! Who really cares???
Some authors at /. absolutely cream themselves at the mere mention of a 3D Printer. Get over it already. They've been around awhile. Why the recent interest? Yeah, what I thought, a corporate sales scheme has infiltrated /. once again.
3D Printer! 3D Printer! 3D Printer! 3D Printer! 3D Printer! There... hope I just made your day.
Education is free in Romania. If the gypsies don't want to change, they will not change. Keeping your younglings in school is a parent's basic duty. But nobody can enforce that on them. I think that, eventually, Europe will get used to them. As far as I'm concerned, I don't think they will ever change their stupid ways. Tradition needs to be rethought when it starts to break the law. At least the law can be enforced. Crime has no ethnicity.
All they did is take notes of debt. The bankers can print more. The only people it really hurts is the bankers. They deserve it fucking slave masters. There is no crime unless another natural person is injured or infringed upon.
How long will it take for someone to suggest giving everyone an account linked to their biometric info, and just eliminate cash outright?
NSA/CIA/FBI shill detected.
Given their recent shenanigans, the cashless society has probably been pushed back at least one generation.
Have gnu, will travel.
ATMs ought to display a picture of what they are 'supposed' to look like. Might help fight the assholes with the skimmers.
Once someone else knows your PIN then what happens when you've lost the card? At least with cash you only lose the amount of cash you're carrying on your purpose. With a chip and pin system you may lose a huge amount of money from your account. This is probably why most banks limit the amount of cash you can withdraw in a day.
SMS is pointless if you don't use SMS or have it explicitly disabled (I refuse to pay for it as it is an additional expense and I have to pay even if I receive SMS from complete strangers or the phone company).
Better to just not use a card and use cash instead. If some stores refuse to take cash then go to a different store. If that's too cumbersome then it's a choice between security or convenience. Most of the world still works this way, in fact quite a lot of the first world works this way too (if you think everyone in Europe or America uses cards then you need to start hanging out in poorer areas where they don't even use banks).
It has been broken with non-rogue terminals. You can take legal terminals and modify them.
When you modify a legal terminal, how is that not then a rogue?
Learn to love Alaska
If the gypsies don't want to change, they will not change.
Prejudice is ugly no matter who tries it on.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"