To Secure ATM Transactions: Ditch the Card

chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, its worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.

Who is still using mag stripes on ATM cards?

You can't skim a chip. Well, not with something that you can disguise on an ATM.

Re:Who is still using mag stripes on ATM cards?

[fraxinus-tree]

You are from Europe, right? US still use mostly the strip. And while the chip is good, it only offers protection from skimming. Other vectors (theft, burglary and likes) still exist.

Re:Who is still using mag stripes on ATM cards?

[slashping]

US still use mostly the strip

But the article is talking about upgrading the ATM to do a barium analysis on the cards. That seems idiotic if you can also upgrade it with a chip reader which is standard, and much more reliable.

Re:Who is still using mag stripes on ATM cards?

[CanadianMacFan]

Canada has had chips on the bank cards for quite a while too. Not as long as Europe but probably around a decade.

Re:Who is still using mag stripes on ATM cards?

[Alwin+Henseler]

Not sure how theft, burglary, etc are a problem if you do not write down your pin?

Common method is to look over victims' shoulder when the PIN is used in a legitimate transaction. Often at supermarkets: just think about how 'hard' it is to see what PIN a customer in front of you enters on the keypad.
Then card is stolen / pickpocketed to be used immediately with the just-obtained PIN. Happens regularly, especially with elderly people as victims. But normally unless customer is clearly to blame, card issuer will compensate the damage (well okay... somehow spread out over all customers, that is).

But overall incidence is not that high. So in terms of cost to the average user, chip + PIN is a pretty good system. As a bonus, often the perps are caught on cam when they (try to) use the card at an ATM, retail store etc.

In some European countries (like mine) processing this type of payment has become so efficient, that (per transaction) it's as cheap if not cheaper than exchanging a few coins & bills. And of course store owners love it as it makes for less cash in house & thus less incentive for robbers.

Recently they've introduced the option of PIN-less payments for low-amount transactions (so there's less need to use your PIN 'everywhere'). And/or combined with some kind of electronic wallet that holds a limited amount (up to ~150 Eur or thereabouts). We'll see how that goes.

Re:Who is still using mag stripes on ATM cards?

[TheRaven64]

You might want to take a look at some of the known attacks against EMV.

Re:Who is still using mag stripes on ATM cards?

So are Botswana, Mozambique, Zambia, and Uganda. You don't see many people suggesting they act like European countries because of it, though.

Having spent a lot of time in the UK, the only resemblances to it that Canada has that I can think of are we still have a Queen (though she can no longer make laws here), kept some British spellings, and that's pretty much it. Canadian grocery stores (that aren't bottom tier) bag stuff for you, we mostly have intersections with lights (not roundabouts), police carry guns and are not considered friendly neighbours, most British language and British slang is either not understood or is just plain odd (nobody calls it a lift, being pissed means angry, chips are thin round crunchy discs, and you don't have flats not let them). If you want classic British cuisine you'll have to seek out the rare British pub and they will do a very bad impression of it. Pickup trucks are still the best selling vehicles and Canadian cars are closer to US size. Homes are some of the largest in the world here. Taxes are closer to US level than UK level. Canada is 12th on the gun ownership list, the UK is at 82.

Canada is neither the US nor Europe nor Britain. However, between all those, Canada is closest to the US, physically and by attitudes/preferences as well. Now, if you focus on Quebec, things change a bit, but for the odd rather than closer to Europe (France is not fond of Quebec). Quebec is far away from being similar to the US and yet also very far away from being similar to anything European.

Actually, suggesting Canada is like other countries in the Americas might possibly be the most interesting comparison I've heard. The problem is the rest of the Americas outside of Canada and the US are doing poorly economically. I wonder if those other countries would end up similar to Canada given a solid economy and lower corruption levels?

Re:Who is still using mag stripes on ATM cards?

[Outta_the_way_peck!]

Chips have been rolling out pretty aggressively in the USA over the past few months from all institutions, major banks to local credit unions. Stores may still be using the mag stripe to authorize, but it means they are accepting the liability for fraudulent transactions.

Re:Who is still using mag stripes on ATM cards?

[Darinbob]

But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked? And yes, this situation has happened.

Consider the example of the Target stores. The machines were hacked to intercept customer information. The machines did use mag stripes and have since become slightly more secure (Target today does not use the chip reader even though the reason my card was exchanged to have a chip was because of Target!). However the core cause of the breach was not the machines themselves or the magnetic strips but the transfer of the data from end point to back office and on to the credit card company. Customers are given false assurances that they've "fixed" things because they see new machines and have been issued new cards.

Good security is damned expensive. So businesses only want to deal with "good enough for now" security. The losses due to poor security are smaller than the cost of implementing proper security. The two problems with this thinking is that encourages criminals and when a flaw is discovered it be exploited on a large scale, and the ability to steal from the system become much easier over time as technology changes (mag stripe readers used to be extremely expensive but now are quite affordable).

chip ?

[slashping]

Why not use a chip card instead ?

Re:chip ?

[Alumoi]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head.
Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited.
No more muggins as it's quite hard to carry 2-3 severed head with you.

Re:chip ?

[Nyder]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head.
Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited.
No more muggins as it's quite hard to carry 2-3 severed head with you.

Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.

Re:chip ?

[operagost]

Well, they'd be correct, wouldn't they? "And he causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name."

Re:chip ?

[BarbaraHudson]

I'd say go one step forward: tatoo a barcode on everyone's forhead AND a chip inside the head. Forget the ATMs, think of the posibilities: easy tracking, no more anonimity in public, oh, the options are unlimited. No more muggins as it's quite hard to carry 2-3 severed head with you.

Joe Pesci would like a word with you. "Only 3? What a piker. Try 8."

Re:actually it is really easy

[Z00L00K]

Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.

Re:actually it is really easy

[dissy]

Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.

If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.

Yesterday tech coming real soon...

[Macfox]

All this is pretty much available today outside the USA. Mobile or web App generates code. Anyone with the code and the value can visit the participating ATM and withdraw the cash within a few hours. The app even gives you the option to SMS the code. Same apps even support NFC, so the phone acts as the card.

The majority of the big banks in Australia have been offering these facilities or similar for 2+ years

Given the popularity of the Magstripe in the US, even after all these years, any advancement seems revolutionary I guess. One would think a possible reduction in fraud would drive even modest initiatives, like Chip+PIN adoption.

Riiiight

[s.petry]

The only reason people could possibly disagree with Electronic voting machines is because "Luddite", and not because there has been a long history of corruption made-easy by these devices.

Since this is the 2nd article in as many days on the same subject, basic math shows that there is no benefit in safety using a Phone vs. an ATM card. Both are a single point of failure, protected by a simple PIN (and last I checked Phones don't require PIN numbers). TFA hints at it: The majority of theft from ATM is by physical attack. It is not easy to install skimmers in reputable places, but it's pretty easy to stick a gun in someone's back and tell them to make a cash withdrawal. You won't hear much about the robbery stuff, small does not generate ratings or help the narrative along.

You increase security by distributing the attack surface and minimizing exposure. Using a phone to generate/receive a timed PIN for your ATM card would be more secure.

I would rather not tie bio metric data to the verification, and, it can not be checked effectively (consider how your body changes every time you eat something different, or use a different soap, etc..etc..). Too many things can go wrong with that, and again you are only changing the surface not extending the surface. "I have, I know" simply becomes "I have, I am".

Re:actually it is really easy

[Cro+Magnon]

If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.

I don't believe that's true. I'm pretty sure that even if you ARE working for the authorities, you're under suspicion by our beloved government.