Slashdot Mirror


Criminals Use 3D-Printed Skimming Devices On Sydney ATMs

AlbanX writes "A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture 'sophisticated' ATM skimming devices to fleece Sydney residents. One Romanian national has been charged by NSW Police. The state police found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000."

20 of 110 comments

  1. Totally the fault of the USA by norpy · · Score: 4, Informative

    It's about time that US banks caught up with the rest of the world and put chips on all their cards, then we can finally get rid of the magstripes.

    While chip&pin has its security flaws, it's way better than the 20 year old magnetic stripe system. In Australia and most of Europe the only reason they still put the stripes on cards is because the cards have to work when people travel to the US.
    It's been at least a year since I've seen a reader without chip support in Australia and the only time the magstripe is used is when the chip or contactless read fails.

  2. Re:ah my countrymen... by nurb432 · · Score: 4, Funny

    Many criminals are hard working too.

    --
    ---- Booth was a patriot ----
  3. Why not a Lathe, Drill Press, or Grinder? by Teancum · · Score: 5, Insightful

    I read stories like this that try to diss the use of "3D Printers" as if somehow banning the use of those devices is somehow going to stop criminals from engaging in acts like this. What utter nonsense.

    How many other stories about ATM skimmers emphasized any of the tools used to make the devices used to make their devices? Why such a strong emphasis on the 3D printing technology? It sounds like a cool buzz word, but means absolutely nothing other than an attempt to make something new sound frightening because the reporters and police officers involved don't have a clue about how the technology works.... therefore it must be some kind of dark magic that must be brought before the Inquisition and those involved banished to Hell (or some equivalent).

    While I don't mind seeing stories like this on Slashdot as it does talk about emerging technologies and their impact upon society as a whole, it still turns my stomach to see such awful reporting overemphasizing the manufacturing technology (it was the lead paragraph) instead of describing what people were doing first. Had the technology being used been mentioned much further into the article, I think it would have been much more appropriate.

    1. Re:Why not a Lathe, Drill Press, or Grinder? by VortexCortex · · Score: 4, Insightful

      Yep, same old scare tactics...

      "If you electrify homes you will make women and children vulnerable. Predators will be able to tell if they are home because the light will be on, and you will be able to see them. So electricity is going to make women vulnerable. Oh and children will be visible too and it will be predators, who seem to be lurking everywhere, who will attack."

      “Women’s bodies were not designed to go at 50 miles an hour. Our uteruses would fly out of our bodies as they were accelerated to that speed [on trains].”

      Automobiles, Telegraphs, Telephones, Recorded Music, Radio, TV, MTV, Video Games, Internet, Cellphones, 3D printers, RFID, NFC, etc... Near any new technology you'll find unfounded fear drummed up around it. There is a primal fear of the unknown that the unscrupulous exploit for popularity. Not even old technology is safe from the fear mongering media mavens: "After this break from our sponsors: Find out what's probably lurking under your sink that could kill you."

      When faced with what they do not understand the primitive minded are easily frightened, the futurists eagerly excited, and the practical remain predictably skeptical.

      It's sad really. Your "greatest" thinkers in science and philosophy alike shun their feelings. Those primal communications your ancestors scream wordlessly within your mind are ridiculously ignored, at great risk. This valuable primitive mode of thought was proved by evolution to be rational in general, yet is deemed "irrational". In so doing they discourage people from thinking with their whole minds, and thus they become more susceptible targets to the biases of the ancient ones.

      So, while one ignorant group is too strongly swayed by their emotions, the other group ignores their instincts completely in the name of rationality and is thus just as ignorant, literally. Don't you see that reasoning with only half a head is dangerous?! I cultivate my "irrational" feelings, I use them as a faster but less accurate logic unit. I let my subconscious quickly analyze situations and then converse with my wise but unlearned ancient ancestors about the dangers and desires we have. When reasoning with others I reach back through the millennia and consider the subtexts as they would appear to language-less apes. I'm thus able to more effectively communicate my meanings at multiple levels.

      Do not so quickly discount the power of a message that wields both logical and primitive persuasions. This is a skill infamously used to sway weak minds by politicians and the media for centuries. This is a technique best learned sooner than later at the point of a pitchfork. While "insightful" folks like you scoff at the story and think them fools for pandering to the populace's fear in the name of greed, I credit them for doing so. If you want to scoff, then scoff at those so-called "great" rational minds who can not do the very same in the name of good... disgusting.

      To shrug off the subtext and not heed and hone the subconscious murmurs of your mind is to foolishly disrespect every single elder your lineage has ever had.
      And you call yourselves evolved?! You're barely even aware. Humans, ugh, how primitive!

    2. Re:Why not a Lathe, Drill Press, or Grinder? by swb · · Score: 2

      Well, there's a postcard version of the Amish in their button-free clothes, hand-making all their stuff and living bucolic lives.

      And then there's the real world version of the Amish, where young people smoke, drink, and drive cars before they become full members of the church, the internecine religious conflicts involving sects, beard cutting, etc.

      I'm pretty sure that despite the awesome appearance of tech-free Amish life, there's a lot of psychological stress maintaining such an existence in the face of the modern world, along with all the stuff that goes on behind closed doors. I have to believe the Amish have their own problems with violence, sex abuse, etc -- we just don't hear about it because their culture keeps a lid on it.

    3. Re:Why not a Lathe, Drill Press, or Grinder? by Darinbob · · Score: 2

      Once you've got that shape though you still have a lot of work to make it look real. A good 3d printer is too expensive for this stuff so they're going to use cheap printers that make things that look awful until you sand them down and paint them. Whereas once you have a silicone mold you can make a lot of copies much more quickly.

      And 3D printers are not about democratization, they're being used mostly in companies to reduce costs of making prototypes or making one-off components. Whereas most individuals I see using them use them to make toys.

  4. Re:hmmmmm by Anonymous Coward · · Score: 3, Informative

    People should not lose any money when their cards get skimmed... However, when you find out, and contact your bank, they will immediately block your card, meaning that your access to cash is a little more difficult. Also, it may take several days until you get your money back. It's not the end of the world, but it surely is inconvenient. And therefore, people are affected too.

  5. Even more interesting... by geogob · · Score: 3, Interesting

    That they used a 3D printing device is hardly interesting news. That’s just more 3D printing hype. What I find fascinating with this story is that card skimming at ATMs still works, today, in 2013.

    It’s clearly a failure to implement the most basic security and authentication features, which are widely available today. How can it be that, today, one can still do any kind of transaction with only a card number and a PIN – if a PIN is needed at all (e.g. for online transactions)?

    They (the banks and/or credit card companies) try a lot of fancy things like nice holograms on ATM machines or abstruse authentication methods that fail to understand that a simple password is about as safe as the card number itself. This PIN skimming thing is the proof of that.

    It’s slowly getting better, with unique number generators for validation or unique numbers sent through SMS. But I hardly believe these solutions are optimal for the users. Perhaps this explains why their implementation is so amazingly slow – although I believe it is still better to have those than none at all.

    1. Re:Even more interesting... by Anonymous Coward · · Score: 2, Interesting

      Since we have a chip capable of basic crypto operations, why are we not simply using a 1-time pad stored on the chip itself to sign the transaction data? Just sign the transaction and add on the CardID+SeqNum, then you just have to store 10kb of true random on the card to use as the pad (or whatever amount of transaction attempts you expect the card to use during its validity window). Just kill the card when it exhausts its one-time pad.

      This system of challenge-response would even allow you to online shop without passing over card details.
      Just paste a transaction block into your web banking portal, it spits out a signature for you and you paste it back into the purchasing site.

  6. Maybe it's a blessing for the consumer by Camael · · Score: 5, Interesting

    As you have pointed out, European 'Chip-and-PIN' Cash-Card Security has already been cracked by criminals.

    And fair enough, generally cards with chips are still more secure than their magnetic counterparts.

    What I am more disturbed about is, from the point of the consumer, it appears that in Europe at least the supposed security of the chip and pin system has been (ab)used by banks to deny refunds to their defrauded clients.

    However, the chip and PIN system came under question in 2010, when researchers found that transactions could be executed without PINs.

    In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

    Bond asserted that banks are aware of the problem but routinely “stonewall” customers-turned-victims because their transaction records show that the PIN was used.

    From the POV of the consumer, I would not favor the use of this newer, more secure system if it shifts the burden of fraud on me with the excuse that "it's unhackable, you must have given them your PIN".

    1. Re:Maybe it's a blessing for the consumer by norpy · · Score: 2

      I actually just realised that I do have a non-chip card; my American Express. Apparently my particular bank has chosen not to migrate those to chip cards yet, although Amex have done so on their directly issued ones.

      Of course since it's "American" Express I'm going to stand by my "it's America's fault" title.

    2. Re:Maybe it's a blessing for the consumer by Anonymous Coward · · Score: 2, Informative

      Firstly yes, there are working attacks. We know that the following attacks have been done by actual criminals, real bad guys, who obtained money or goods through fraud with the attack, some of whom are now in jail for it:

      - "YES cards". Fake chip clone cards which are programmed to tell the terminal that the PIN matched, then hand back a data block for the bank which says no PIN was used because the terminal authorised a signature instead. The bank gets the data, says "Huh, you authorised on a signature? OK" and the transaction goes through. (They can't send back a fake PIN block to the bank because the bank knows the true PIN and will see it was wrong). These were used very widely, banks are slowly, slowly, deploying a newer system that isn't fooled by this trick.

      - Fake/modified terminals. The criminals either own the store, or they bribe the real owner to turn a blind eye as they modify the "tamper proof" terminals to retain the PIN so that it can be used later.

      In addition there are attacks that we know work (because researchers have done them, typically after telling the police and any affected retailers what they're going to do) but we cannot prove they've been used by criminals. If you like to believe that criminals are all stupid then maybe these attacks don't worry you:

      - UN guessing. The cryptographic nonce used in Chip and PIN is called the UN (Unpredictable Number). But banks trust terminals to make it actually unpredictable. Researchers have demonstrated that it's sometimes just a counter, or other simple predictable output value. The cryptographic security of the design rests on this nonce being unpredictable, by which its designers intended "random", but the acceptance tests just require it not to repeat within a few cycles. Uh-oh. It's hard to make random numbers reliably not repeat, try throwing a die twice in a row, sometimes you get the same number. But it's easy to make a counter, and that always passes the tests.

      Shifting the burden for fraud onto consumers is a problem /even if Chip and PIN was flawless/. The same UK investigators who found the UN guessing attack previously investigated a case where the customer's card and PIN were used and they said they'd never received the card or PIN. The bank wouldn't back down, it refused to believe that insiders had stolen the customer's details and redirected deliveries to take control of the account, and blamed the customer for everything. Right up until it presented its "proof" that the card was properly delivered. The proof was a courier photo (taken during delivery) of... the wrong address. "That's not my front door" said the customer. Suddenly realising that their house of cards was falling down, the bank changed its mind and offered compensation. Why did the customer need to fight this hard? The bank must have suspected from the outset that it had an internal fraud problem, so why try to get the customer to pay?
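
Added example, not part of the original comments: the comment above says a counter passes a "does not repeat within a few cycles" acceptance test, so this Python audit runs that weak test next to two predictability checks over 32-bit UN values. The window size, thresholds, function names and both sample sequences are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

WINDOW = 4  # assumption: "a few cycles" modelled as the previous 4 values


def passes_no_repeat_test(uns, window=WINDOW):
    """Weak acceptance test from the comment: no value repeats within `window` draws."""
    for i, un in enumerate(uns):
        if un in uns[max(0, i - window):i]:
            return False
    return True


def dominant_delta_ratio(uns):
    """Share of consecutive differences (mod 2**32) equal to the most common one.
    A counter or fixed-stride generator scores close to 1.0."""
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(uns, uns[1:])]
    if not deltas:
        return 0.0
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def stuck_high_bits(uns):
    """Number of leading bits (out of 32) that never change across the sample."""
    changed = 0
    for un in uns[1:]:
        changed |= un ^ uns[0]
    return 32 - changed.bit_length()


def audit(uns, max_delta_ratio=0.2, max_stuck_bits=8):
    """Return predictability findings; thresholds are illustrative assumptions."""
    findings = []
    if dominant_delta_ratio(uns) > max_delta_ratio:
        findings.append("constant-step")
    if stuck_high_bits(uns) > max_stuck_bits:
        findings.append("stuck-high-bits")
    return findings


# Constructed sample 1: a terminal whose "UN" is just an incrementing counter.
COUNTER_UNS = [0x0001A000 + i for i in range(64)]

# Constructed sample 2: stand-in for a sound generator (SHA-256 of an index,
# truncated to 4 bytes) so the example is deterministic and runs offline.
HASHED_UNS = [
    int.from_bytes(hashlib.sha256(i.to_bytes(4, "big")).digest()[:4], "big")
    for i in range(64)
]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_UNS), ("hashed", HASHED_UNS)):
        print(name,
              "no-repeat test passed:", passes_no_repeat_test(sample),
              "| audit findings:", audit(sample) or "none")
```

The counter sequence passes the no-repeat test yet is flagged on both checks, which is the gap the comment describes; a terminal operator or acquirer could run the same checks over UNs logged per terminal.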

  7. Re:ah my countrymen... by fustakrakich · · Score: 3, Interesting

    Nonexistent when compared to Wall Street extortion and foreclosure fraud.

    $100,000 PFFT!

    --
    “He’s not deformed, he’s just drunk!”
  8. Re:hmmmmm by temcat · · Score: 2

    In other words, they didn't build those skimming devices?

  9. Re:Geography for dummies by CRCulver · · Score: 5, Informative

    Just FYI: whenever you read "Romanian" in the news regarding crime, and it's not related to the country of Romania, it actually means "gypsy"

    That would be somewhat more likely if this were a story about petty crime like pickpocketing or car theft (but even there, some amount of ethnic Romanian immigrants are perfectly capable of engaging in petty crime). But when it comes to crime involving computer exploits, they are considerably more likely to be ethnic Romanian and not Roma. For example, this Wired article about online theft involves a number of young people who are not Roma.

    Living in Romania myself and seeing it treated like a pariah abroad in spite of the fact that some parts of it are among the best educated and cultured parts of Europe, I am used to the tendency of many to blame the country's ills on the Roma, but good and evil is inside of every ethnicity.

    This "Romanians = gypsies = criminals" connection is also a dangerous one, as it can really mislead people about moving populations in Europe. I spend a lot of time in Finland, and I watched as one community lamented a large Roma tribe that flooded their town each summer, begging, pickpocketing and recycling. They called them "the Romanians" and that formed everyone's opinion about the country. When I tried to start a conversation with one of them in a queue at a supermarket's bottle-return machine, it turned out all of them were from a small town in central Bulgaria. But for some reason, Bulgaria never gets rubbished half as much as Romania.

  10. Re:So here's a crazy question... by ledow · · Score: 2

    There's a lot of much simpler security measures that work a lot more effectively. Every time you hear someone come up with elaborate digital security, you have to go back to thinking of basics. Security is simple, and overthinking it is the best way to make it even worse.

    Put ATMs in secure places. In the UK, they are almost always just out on the street where anyone can shoulder-surf your PIN. Like in Europe/US put them inside a room that is controlled and monitored.

    Make ATMs show you what they should look like. All the time, the ATM should just show you a picture of what it SHOULD look like. This picture should move / flip every now and then so you can see if someone has tampered with the screen. A quick glance and you can tell if that random bit of green plastic on the card slot is SUPPOSED to be there or not (this pisses me off even with genuine ATMs and I don't use them if they have those green slots).

    (Incidentally, why do credit card terminals, which have to talk to the bank, not send the card number - or some identifier from the card - to the bank, which sends back a PHOTOGRAPH of the CARD HOLDER which the genuine merchant can use to verify, at least in part, whether it's their card or misuse. Unfakeable, as the photo is from the bank, not from the card, so genuine merchants would be able to spot even wives using their husband's cards - which is still technically not allowed, but is currently ignored. Fuck Chip-and-PIN, give my photo to every merchant I use my credit card with so they know who is me and who isn't and can query if they are uncertain).

    Put a shutter on the card slot. When the card is needed, open the shutter. When it's not, shut the shutter. Make it so that ANY device on the card slot would stop the shutter shutting, and this in itself would cause the ATM to disable itself and alarm. No worse a chance of losing the card for the customer than those ATMs who haven't been serviced in a while and the motors barely have the strength to push it back out.

    Make fucking cards that can't be "skimmed" and that - without the PIN - are useless. This isn't difficult, and what Chip-and-PIN was always supposed to solve. Then you can skim my card to your heart's content because without my PIN being entered correctly NOTHING happens or provides useful data (we've already sacrificed mag-stripes, so this is no great burden as the cards should ALREADY be useless without the PIN).

    SEND SMS MESSAGES to users on every use of their card. Almost every European bank already does this (except for the UK). My Italian girlfriend gets a text within seconds of touching her card anywhere, even in the UK, with details of the transaction. Her dad, too, when he was over here and bought £10 of stuff in a hardware store, and we were able to tell the SHOP STAFF that they'd duplicated the transaction by mistake because he got a text before he even got his card back.

    Simple things. Put the cardholders back in control of their cards. The only reason NOT to is that you make money somehow out of not doing this. I can't believe billions of pounds worth of fraud isn't incentive enough to do things like send texts to cardholders, or put little motorised shutters (like some ATMs used to have anyway) on the card slot.

  11. Re:Geography for dummies by blackraven14250 · · Score: 2

    It would also be more likely if the person arrested wasn't described as a "Romanian national" by both the summary and the article.

  12. Re:ah my countrymen... by Cinnamon+Whirl · · Score: 2

    Not to mention technically accomplished. They should apply for grants instead.

  13. Re:Geography for dummies by LoRdTAW · · Score: 2

    Romanians are NOT Gypsies. The Roma people are the peoples called Gypsies who originated from India.

  14. Re:Geography for dummies by LoRdTAW · · Score: 2

    Wait, the point I was trying to make is that not all Romanians are Gypsies otherwise known as Roma people, a subgroup of the Romani people. I never claimed anything. I merely pointed out Gypsies are Roma peoples. Maybe I needed to spell that out better.

    In many parts of the world it is often mistaken that Roma = Romanians, meaning all Romanians are mistaken for Gypsies.