Slashdot Mirror
Vacationing Security Researcher Exposes Austrian ATM Skimmer (carbonblack.com)
While vacationing with his family in Vienna, Ben Tedesco (from security company Carbon Black) discovered an ATM skimmer "in the wild", perfectly crafted to look like the original card reader. New submitter rmurph04 shares Ben's story: I went to grab some cash from an ATM. Being security paranoid, I repeated my typical habit of checking the card reader with my hand as I have hundreds of times. Today's the day when my security awareness paid off!
Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.
Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.
... the blatant camera/panel overlay above the PIN pad, which is almost certainly where the main logic and storage of the skimmer is.
ATMs should have a camera (preferably 2, for stereo) looking at themselves. When there is no customer, take a picture and compare it to the base line one (when it was freshly installed/last inspected etc). If it has been tampered with, the bank can see the difference. A computer program can recognise the change. If they keep recordings, they can even see who did it.
Bert
Sometimes there's a distraction attack afterwards and they steal the card. With the number they can then go & withdraw loads of cash.
Saw one on TV where a bloke spotted the hidden camera and alerted the bank. Turns out there were a bunch of undercover cops outside waiting for the perp to come back & collect it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I just take a close look at the receptacle and especially the keyboard. I keep one hand on the keyboard (touching multiple keys) and cover it with my other hand, then enter the PIN blind. Good against camera's, but not against a fake keyboard. Another measure that a lot of machines here have implemented is to ingest the card in a very jittery manner, making it (almost) impossible for a skimmer to properly read the mag strip. And people still get skimmed: some skimmers took to breaking into shops in order to tamper with or replace the payment terminals.
Most banks here now issue cards with chips that cannot be skimmed. So skimmers came up with a new trick: they install a camera or keyboard to get your PIN, then stick something in the card receptacle in order to trap your card in there. Once you get fed up and leave, they'll retrieve it and now have your chip & PIN.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Yeah, because the Police are going to do SO MUCH. Every time I've reported skimmers to police, both in Europe and the US, they really don't give a damn. A lot of gas station employees also don't care. So yeah, much more fun to reverse engineer it, reinstall it so the guy that comes back to collect the data, gets a cryptoware virus on his laptop, then demand $10,000 from him. Would be far more effective than what the police do.
A security researcher who goes around looking for ATM skimmers should know that the magstripe reader always goes along with a camera for the PIN pad, and that the electronics inside the card reader part aren't the whole story.
It's completely obvious once you look for it, once you know a skimmer was installed on the card slot, especially having another pristine ATM right next to it to compare. Nobody's going to blame someone for not noticing a skimmer in the first place, but once you know one was installed, yes, the PIN pad part is blatant.