Vacationing Security Researcher Exposes Austrian ATM Skimmer

While vacationing with his family in Vienna, Ben Tedesco (from security company Carbon Black) discovered an ATM skimmer "in the wild", perfectly crafted to look like the original card reader. New submitter rmurph04 shares Ben's story: I went to grab some cash from an ATM. Being security paranoid, I repeated my typical habit of checking the card reader with my hand as I have hundreds of times. Today's the day when my security awareness paid off!
Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.

Suck me to sleep!

Now!

And yet he missed...

[marcansoft]

... the blatant camera/panel overlay above the PIN pad, which is almost certainly where the main logic and storage of the skimmer is.

Re:And yet he missed...

That looks curious due to the angles, but it is entirely possible as the result of different perspectives combined with poor quality control in manufacturing.

Re:And yet he missed...

[johnjones]

it is strange he didn't even look for the C&C portion of the skimmer

Re:And yet he missed...

Maybe if ATMs weren't changing every year it would be easier for normal people to notice. A simple picture next to the ATM or a screen asking you to confirm the keypad looks like XYZ, would make this much, much more diffilcult. If they really cared...

Re:And yet he missed...

Nah, bro, security measures like stickers and whatnot can be circumvented in no time, because they are a snap to duplicate/alter.

Re:And yet he missed...

Which is why you show the picture on the screen.

Re: And yet he missed...

most countries dont have standard atm look even per bank. or per sw.

anyways, of course it had a battery and a circuit board. how the fuxk it wouls work otherwise.. he shouls just have called the cops, so they could have taken the guys when they came to retrieve it.

Re:And yet he missed...

This skimmer's clear plastic lets the light and the pretend-holographic security lock to show through.

Pretty awesome construction.

Re:And yet he missed...

[Khyber]

Those skimmers have everything built-in. You need practically zero space to store name/number/PIN/Expiration date/ZIP code, a tiny silver-air battery can power the skimmer for a month.

Re: And yet he missed...

Watch the video. You missed it. The parent is correct. Camera is installed too right above keypad

Re:And yet he missed...

[kriston]

Yeah, you can't do anything without the PIN. Very interesting observation about his report that omitted any acknowledgement of the PIN camera.

Re: And yet he missed...

[beastofburdon]

Good point.

SOP for using ATMs nowadays

[Chas]

These days, pretty much any ATM I use, I attempt to pull the receptacle off, just on the off chance that there's a skimmer attached.

I've never been skimmed myself, but my parents have.

Re: SOP for using ATMs nowadays

I do the same and i have recently been skimmes

Re: SOP for using ATMs nowadays

[JaredOfEuropa]

I just take a close look at the receptacle and especially the keyboard. I keep one hand on the keyboard (touching multiple keys) and cover it with my other hand, then enter the PIN blind. Good against camera's, but not against a fake keyboard. Another measure that a lot of machines here have implemented is to ingest the card in a very jittery manner, making it (almost) impossible for a skimmer to properly read the mag strip. And people still get skimmed: some skimmers took to breaking into shops in order to tamper with or replace the payment terminals.

Most banks here now issue cards with chips that cannot be skimmed. So skimmers came up with a new trick: they install a camera or keyboard to get your PIN, then stick something in the card receptacle in order to trap your card in there. Once you get fed up and leave, they'll retrieve it and now have your chip & PIN.

Re: SOP for using ATMs nowadays

[mysidia]

then stick something in the card receptacle in order to trap your card in there.

I would pull out pliers and rip the card out by force, before leaving.

Re: SOP for using ATMs nowadays

You would just pull those plyers out of your ass?

Re: SOP for using ATMs nowadays

Yes, that's how I keep my answers in place until I need them.

Re: SOP for using ATMs nowadays

[konohitowa]

Amateur. I'd pull out a bulldozer and make sure the bank got the message.

Re: SOP for using ATMs nowadays

[Cajun+Hell]

Right next to the pennies.

Re: SOP for using ATMs nowadays

Nuke it from orbit, it might be the only way to be sure.

Re: SOP for using ATMs nowadays

[akozakie]

So what if they retrieve it? We have cellphones now. I definitely wouldn't leave before calling the bank to block the card. Then, even if they get the card, online payment won't work. Offline might, up to the (low) limit, but the bank will swallow those losses.

Re: SOP for using ATMs nowadays

[invictusvoyd]

Most banks here now issue cards with chips that cannot be skimmed. So skimmers came up with a new trick: they install a camera or keyboard to get your PIN, then stick something in the card receptacle in order to trap your card in there. Once you get fed up and leave, they'll retrieve it and now have your chip & PIN.

Wouldn't you call the bank and have that card blocked immediately ? oh wait a sec .. gringotts doesn't have a telephone.

Re: SOP for using ATMs nowadays

I bypass any ATM skimming by just mugging people when I need cash.

Re: SOP for using ATMs nowadays

[Nunya666]

You would just pull those plyers out of your ass?

No, out of my pocket. My Swiss Army Knife has a great set of pliers. I never go anywhere without my trusty pocketknife.

Re: SOP for using ATMs nowadays

[RockDoctor]

You've left a lot of them in airports?

Re: SOP for using ATMs nowadays

[thewolfkin]

as long as you're polite about it.

camera is in extra ridge above screen

Note that his ATM has a grey ridge just above the screen, almost blocking to buttons at the top of the screen, while the ATM left from his does not have this extra ridge. This part should contain the camera to record the password number, needed to use the card (in Europe).

LOL

I'm still LOLing at the Europeans even today, most of whom are mourning the first of many nations to leave the EU. It's a matter of time before the rest of the EU fails, too. I'm so thankful for being a Canadian, because we are smarter and better than the Europeans and Americans. Unlike the United States and most of Europe, Canada is not a failed state. Look for Canada to become the dominant power as China sinks deeper into recession, the United States spirals downward in decay, and the EU breaks apart at the seams.

Re: LOL

Another Leftist failure.

Re: LOL

If you mean the EU when you talk about leftist, you don't have the slightest clue about what's going in dude

Re: LOL

[Feral+Nerd]

Another Leftist failure.

If you mean the EU when you talk about leftist, you don't have the slightest clue about what's going in dude

I agree. It always amuses me when right wingers randomly throw the word 'socialist' at things they do not like. Whenever somebody does that I get this visual of him standing there next to his toaster looking reflectively at a burned slice of toasted bread muttering to himself: 'Yet, another perfect example of the failure of socialism'. Overuse of the word 'socialist' in some form is the perfect litmus test to tell the stupid right wingers ones from the smart ones. The smart ones use 'socialism' sparingly because they know what it is, the stupid ones usually can't let fly more than three sentences in any discussion without wrongly applying the word 'socialism' to something that has little or nothing to do with socialism.

Re: LOL

[Mashiki]

You're right of course. The EU wasn't socialist, it was a dictatorship. Elected MEP's couldn't do shit, and an unelected commission held the defacto power. Of course it's not "stupid right wingers" that say this, there's plenty of "stupid left wingers" that say the same thing and deny that under said dictatorship you get lots more freedoms...by giving up your sovereignty and bowing down to people you didn't elect.

Re: LOL

[gumper23]

You're the only one who used the word "socialism". Projecting much?

Re: LOL

[Suferick]

Actually, in the EU the main decisions are taken by the Council of Ministers, composed of (elected) government representatives from each of the member states. The commission is simply a civil service that implements the decisions.

Re: LOL

You're understandably touchy about socialism, given how it always fails.

Re: LOL

Only thing that bothers me more are people who use "right wing" and "left wing"

Re: LOL

And this is why Van Rompoy says things like: " if the public doesn't want it we'll do it anyway".
And Juncker says he will block any right wing elected leaders from having any influence in the EU.
Sounds so democratic when you put it that way.

Re: LOL

[Maow]

Another Leftist failure.

If you mean the EU when you talk about leftist, you don't have the slightest clue about what's going in dude

I agree. It always amuses me when right wingers randomly throw the word 'socialist' at things they do not like.

They're idiots. "I don't like X and I don't like socialism, so X is socialism!"

Overuse of the word 'socialist' in some form is the perfect litmus test to tell the stupid right wingers ones from the smart ones.

That and "LOL" are both give-aways for stupidity.

Re: LOL

If that happens the US will nuke Canada, it's already been discussed. Quebec, Montreal, Vancouver, Winnipeg, Calgary...all getting nuked. Sorry man.

Re: LOL

[PopeRatzo]

That and "LOL" are both give-aways for stupidity.

But how else will they demonstrate that they're not mad, really, they're actually laughing?

(yeah, they're mad)

Re: LOL

And when ACA was being voted on, the leftists pointed to Europe and espoused how great the "socialist" system worked. I guess now they are no longer socialist. lmao

Re: LOL

[Mashiki]

Funny how reality is wholly different isn't it? That's why the EU(commission) has come out saying to paraphrase "we'll do whatever we want, and if the public doesn't like it too bad." And the MEP's can do nothing about that. Or when they came out and said "if a right-wing party is elected, we won't do anything with them and block them from doing anything." So democratic isn't it...that commission that isn't elected. You know who else uses things like "councils of ministers" to implement decisions regardless of the populaces support? Communist and totalitarian countries.

Re: LOL

Chicken winger here, you're both dumb.

Re: LOL

LOL, Americans going to try to figure out how to works the map and find Canada on it.
LOL

Re:LOL

I'm still LOLing at the Europeans even today, most of whom are mourning the first of many nations to leave the EU. It's a matter of time before the rest of the EU fails, too. I'm so thankful for being a Canadian, because we are smarter and better than the Europeans and Americans. Unlike the United States and most of Europe, Canada is not a failed state. Look for Canada to become the dominant power as China sinks deeper into recession, the United States spirals downward in decay, and the EU breaks apart at the seams.

You keep making this post, but worded slightly differently each time. It's still obviously the same person.
You could save yourself some effort putting your post into the clipboard.

Re: LOL

Funny how reality is wholly different isn't it? That's why the EU(commission) has come out saying to paraphrase "we'll do whatever we want, and if the public doesn't like it too bad." [citation needed]

Nuff said...

Re: LOL

[cheesybagel]

Yeah just like the Politburo. Ever heard of 'Democratic Centralism'?

Re: LOL

Funny how reality is wholly different isn't it? That's why the EU(commission) has come out saying to paraphrase "we'll do whatever we want, and if the public doesn't like it too bad." [citation needed]

Nuff said...

I have no idea who this Nuff guy is or why you didn't quote him, but here's the interview with Van Rompuy.

http://www.standaard.be/cnt/dm...

Oh my. A citation. Whatever will you do now? Spin commencing in 3..2..1..

Re: LOL

[BronsCon]

Nukes have GPS bruh.

Re: LOL

Two birds of the same feather

Re: LOL

[Maow]

That and "LOL" are both give-aways for stupidity.

But how else will they demonstrate that they're not mad, really, they're actually laughing?

(yeah, they're mad)

That's another problem - it's now become punctuation, used when no humour was created, nor even intended.

I saw a YouTube comment yesterday (yeah, I know) that had 3 sentences, all of which started with "lol", none of which contained even a single molecule of humour.

(Maybe it was homeopathic in its humour?)

"LOL is the internet mating call of those too stupid to find their own arse with both hands and a mirror." -- Abraham Lincoln.

Re: LOL

Yea, but you need to figure out what coordinates to use... you know information that comes of that map..

Re:LOL

When someone showed him Ctrl-C he just said "hell no, nobody should be trying to control Canada"

Re: LOL

[BronsCon]

Google Maps? Type in the address: done.

Or, to put it another way, if you ACs can be facetious, so can we registered users; most of whom are likely map-reading Americans.

A "security researcher"

that forgets looking for the pin-pad overlay or cam XD

Re:A "security researcher"

[dohzer]

Because there's only one type of security, so he should have picked up on this! Good logic.

How can this work with European smart cards?

Unlike the US, European cards generally have a chip in them and use a nonce based protocol. So skimming the interaction with the ATM is not going to buy very much. Not the secret in the chip. Maybe the extra number written on the back if it has a camera.

So what was the point?

Re: How can this work with European smart cards?

Stealing the cards of US tourists?

Re:How can this work with European smart cards?

[Hognoxious]

Sometimes there's a distraction attack afterwards and they steal the card. With the number they can then go & withdraw loads of cash.

Saw one on TV where a bloke spotted the hidden camera and alerted the bank. Turns out there were a bunch of undercover cops outside waiting for the perp to come back & collect it.

Re:How can this work with European smart cards?

A nonce based protocol where the ATM can just ask the card wgat its PIN is, yes. The chip-and-pin protocols are completely broken and were designed by morons, unfortunately. See aa href="https://www.youtube.com/watch?v=szgwaYajKHA>"Chip and PIN is broken" from 27C3 or google for more recent attacks.

Re: How can this work with European smart cards?

Our cards have chip + strip. My credit card and my wife's debit card have both been skimmed in the past few years.

Re: How can this work with European smart cards?

[dohzer]

It's the same in Australia.
We have chip, strip, tap (near field) and they've recently phased out signature.
Three paths of attack are greater than one!

Re:How can this work with European smart cards?

[marcansoft]

Backwards compatibility. They still mostly work in foreign ATMs that only use the magstripe.

Re: How can this work with European smart cards?

[HuskyDog]

Therein lies the problem. Here in Europe (and practically all of the rest of the world) we have switched to CHIP and PIN which allegedly makes skimming much more difficult. Unfortunately, this technology appears to be too complex for Americans to understand so we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers.

Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?

Re: How can this work with European smart cards?

Use a magnet to wipe the magstripe... It is a Hi-Co card so the magnet needs to be relatively strong to write data to it. A harddrive magnet would do.

Re: How can this work with European smart cards?

[dohzer]

That's all well and good for the people who understand the problem, but you've got to mandate it.

Re: How can this work with European smart cards?

It's worse than you think. A national grocery chain here has shiny new chip capable readers everywhere. But they do not allow you to use them. You must swipe. It's rediculous.

Re:How can this work with European smart cards?

[hcs_$reboot]

Indeed.

Re:How can this work with European smart cards?

[Opportunist]

They also have the mag strip, though. And that's enough to withdraw money from ATMs that use it. Third world countries still use that, nearly exclusively.

Re: How can this work with European smart cards?

[Yenya]

The magnetic strip can easily be erased by a strong magnet (e.g. a neodymium one from a broken HDD). I erased the one on my credit card myself two years ago. However, I have since discovered that there are still payment terminals in Europe, which use solely the magnetic strip. For example, the highway toll gates in Italy and France.

Re: How can this work with European smart cards?

[David_Hart]

Therein lies the problem. Here in Europe (and practically all of the rest of the world) we have switched to CHIP and PIN which allegedly makes skimming much more difficult. Unfortunately, this technology appears to be too complex for Americans to understand so we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers.

Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?

The US now has CHIP and signature, but didn't implement PIN for our cards. Canada has had CHIP and PIN for forever in comparison. We now have NFC and Apple pay at most restaurants and stores. My thought is that banks will start offering ways of using ATMs without having to use a card.

Re:How can this work with European smart cards?

[maeka]

Unlike the US, European cards generally have a chip in them and use a nonce based protocol. So skimming the interaction with the ATM is not going to buy very much. Not the secret in the chip. Maybe the extra number written on the back if it has a camera.

So what was the point?

But the EU cards also have mag stripes for compatibility in the Americas (and Pacific, and other places). So the card is skimmed in the EU and used either online or overseas.

Re:How can this work with European smart cards?

[flyingfsck]

It is installed in a tourist trap. The idea is to skim cards belonging to rich and stupid American right wing tourist...

Re: How can this work with European smart cards?

[reboot246]

"The US now has CHIP and signature, but didn't implement PIN for our cards."

Really? My bank card uses chip and PIN. Maybe they're just ahead of your bank?

Re: How can this work with European smart cards?

[mysidia]

That's all well and good for the people who understand the problem, but you've got to mandate it.

Actually, you are better off if you can fix the problem only for youself. That way everybody else will be a distraction for the criminals, so they won't get you.....

Erasing the magstrip might not be the least-obtrusive measure..... How about covering it with foil tape?

Re: How can this work with European smart cards?

Stoopid 'Murricanz! Me so stoopid all my cards ar chipped right now. Me guess they send superior yooripeen card to me!

Re: How can this work with European smart cards?

At least one bank here (AU) does this, it was introduced a year or two ago as a "Oh, you've lost your card? Never mind, here's how you can have cash anyway" feature. Seems to use a combination of phone / Internet banking and generates a unique code, but as I'm not a customer I've not tried it.

Re: How can this work with European smart cards?

You're an idiot. Chip and pin is not in the least bit secure.

Re:How can this work with European smart cards?

You're an idiot.

Re: How can this work with European smart cards?

There are different kinds of cards that work in different ways. There are credit-only cards, debit-only cards, and hybrid debit cards with issued by a CC processor.

Credit only cards, when they get a chip, are chip+sign. This is because nobody in the US wants to be bothered with PIN entry, and won't put up with that crap. It's bad enough that the terminals make you leave the card in them for the duration of the transaction. Chip+PIN is a complete non-starter for credit-only in the US. And it can safely be that way because the laws are written in a way that most of the militant Eurotards that scream about Chip+PIN can't even comprehend. The cardholder is never in the wrong without the involvement of the courts. Period. The issuer or the merchant are most likely stuck with the costs of fraud. (And the processor never is.)

Debit-only cards always have a PIN. They were swipe+PIN forever. Now they're chip+PIN. The only new annoyance is keeping the card in the terminal for the entire transaction instead of the much simpler swipe-and-put-away that we've all been used to. Minor annoyance at most.

Hybrid cards are where the real confusion happens. It also just so happens that 99% of "debit cards" are actually hybrid cards, not true debit cards. Pre-EMV, swipe+sign was a credit transaction and swipe+PIN was a debit transaction. Now, the type of terminal determines how these cards are used. A terminal with the chip-reader deactivated (mostly due to certification delays as this whole transition spins up) will allow only swipe+sign transactions. A terminal with a working chip-reader will only allow chip+PIN transactions. But x+sign is still always credit and x+PIN is still always debit. So pending-certification terminals always use these as credit cards, and certified terminals always use these as debit cards. You have no choice now. This is making these types of cards very unpopular, as you never know from one store to the next whether your card will work the way you want it to.

And having a choice about whether you use your card as credit or debit matters. Credit cards have tons of cardholder protections by law. Debit cards have fewer protections and have $50 of cardholder liability, regardless of fault (many banks will waive this, but it's allowed by law). Merchants also get in on the act by steering people to use certain cards in certain situations. For small purchases, merchants steer you to a credit card if possible, since their fees are percentage-based. For larger purchases, they'd rather you use a debit card, since the fees are a legally-capped flat fee. Last I checked, it was capped at about $0.45. per transaction, which means that banks all charge exactly that amount. If you're only buying a candy bar at a convenience store for $0.95, they pay almost half of the revenue (not profit!) as a card processor fee, and they probably lose money on that transaction. With a credit card, that same purchase has a $0.04 (and fractions) fee.

So the EMV chip has only made a big fat mess. Will it be fixed? I'm sure it will. There's a lot of money riding on it being fixed, and soon. But Europe's regulations were different from the US, and the EMV chip transition didn't cause as many problems for Europe as it has for the US.

Re:How can this work with European smart cards?

[guruevi]

You have been mislead by the banks. They want you to believe that chip transactions are safe. The problem is the mag strips still exists and the chip usually contains a full, unencrypted copy of the mag stripe data. You can test this yourself by buying a programmable or USB chip reader.

The chip does have the capacity to have a card without stripe and even fully encrypt its data and even do simple crypto on chip but to date, many merchant banks (even big ones like Walmart) do not work with an encrypted chip.

IF the chip even does anything useful, the only data that is safe is what is on the wires between the chip reader and the bank. Chips could have easily been replaced by requiring strong TLS encryption and a custom key in the mag stripe.

Additionally, by the time the chip was declared ready to be used (a decade ago) the (homegrown) crypto was already outdated and researchers published papers on how an attack could be executed because those little chips don't have the compute power for anything better, it reuses keys generated with a very poor PRNG. By now, it is feasible to clone encrypted chips and force it to do weak, crackable crypto (with a bit of time on a decent computer). Once banks get around to go chip-only (another decade or even 2), I think it will be feasible to put the entire hack into one of those skimmers.

Re: How can this work with European smart cards?

There are also some terminals in high security situations that use both the strip and the chip. The chip could possibly (practical attack PoC demonstrated, but not known if criminals used it) be bypassed using a proxy attack to a real terminal somewhere else.

Re: How can this work with European smart cards?

Anyone sophisticated enough to do the live remote attack can fake a magnetic stripe in real time too, so it buys you _nothing_

The live remote attack is very hard to industrialise, it requires an accomplice at a retailer who is going to need to vanish soon after the crime, or they'll get pinched. Because their terminal will be the "odd one out" the victim used that doesn't show up in the transaction logs and there invariably turns out to be CCTV putting the crime on them. There will also be CCTV of you, at the other end, with the terminal, but high value retailers don't like "customers" who wear a full-face mask all the time, it's ... well it's an obvious sign you're a crook. You also end up with goods, not money so you need to fence them which hurts your profit on the deal very badly. Say you get some schmuck to buy a $2000 diamond necklace by live remote, you need to find somebody who can move that $2000 necklace, and they're going to offer you $500 at most for it, less if you're in a hurry or it's on the news.

Well now a $500 crime may seem like a good day's work, but it's not retirement money is it? So you'll have to do this several times a month, maybe once a week. And each time your accomplice has to disappear (which costs money) or they get pinched and tell the cops everything. For that money why not just start shoplifting?

Re:How can this work with European smart cards?

[BronsCon]

That's why you always point out your hidden cameras when you come back to collect them. If they already know, you just saved your ass from getting busted. Worst case, they want to keep the camera or maybe turn it over to police; but, then, you should be using a wireless camera transmitting to a nearby (but not on the same property) storage device and ditching it after each op, anyway; if you can't afford that, get a job, running scams ain't for you.

Re: How can this work with European smart cards?

[BronsCon]

Anyone sophisticated enough to do the live remote attack can fake a magnetic stripe in real time too, so it buys you _nothing_

Considering that the stripe would be read as the card got pulled into the machine, before the chip met the internal contacts, they'd have to do better than real time.

Re: How can this work with European smart cards?

[HuskyDog]

So, the big problem with Chip+PIN is that you have to keep the card in for the duration of the transaction? Seriously? Good grief people in the USA must be short of things to be inconvenienced by!

I have to say that I didn't quite understand all of your explanation, but fortunately as I never to the the USA I don't need to (Phew!). Do I however deduce that before long mag stripes will be disappearing from your cards and the rest of us can then give them up as well?

BTW, why doesn't the candy store put up a sign saying "No card transactions below $5". Plenty of shops in the UK do, but perhaps you have a law (or more likely hundreds of different laws) against it.

I can confirm that the switch to Chip and PIN caused very few problems here in the UK. At least not that I as a consumer noticed, it might have been a pain for the shop owners.

Re: How can this work with European smart cards?

[Nonesuch]

... we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers. Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?

In the time that it took you to type that post, you could have erased all the mag stripes on all your credit cards. It doesn't take much -- a strong magnet will do it, or you could just use a bit of fine sandpaper to physically remove the stripe.

Re: How can this work with European smart cards?

Spoken like a true asshole.

Re: How can this work with European smart cards?

[mea_culpa]

The US is currently transitioning to CHIP and PIN. By October of this year the liability will fall on whomever is using the weakest technology in the chain. Bank -> Processor -> Merchant. Nearly every store I visit already has new terminals and some have already transitioned to requiring chip & pin. Most banks have already replaced their customer's cards with chipped cards.

You can bet that once the deadline comes nobody is going to want to be on the receiving end of liability. There will be no bank or processor that will want to touch the mag strip with a 10 foot pole.

Re:How can this work with European smart cards?

And that is why you can call your issuer and ask them to block the card from being used abroad. If you are going to travel somewhere then give them a call again to unblock it for that country for a specified amount of time..
Don't care myself, but so far i have never been skimmed.. Did at one point have 3 charges of the same amount on my card from a restaurant that did not use a chip+pin so guess they either tried to rip me off or made a mistake somewhere..

In my home-country i go with chip+pin for all purchases and when traveling i always withdraw cash from a bank ATM.. (one of those built into the wall)...
I do travel quite a bit so must be doing something right at least.

Re: How can this work with European smart cards?

[delt0r]

My Austrian bank gave me a magless card. And i have to apply for a US only card when i wanted one. Not the UK however. These the UK is on its own. :D

Re: How can this work with European smart cards?

[MarkRose]

Canada is almost entirely chip and pin now.

Re:How can this work with European smart cards?

No, the ATM cannot ask the card what its PIN is. You're the moron.

Re: How can this work with European smart cards?

[houghi]

And the fact that the Highway toll gates accept t hem is the reason you do not need to enter a PIN.
Advantage: it is fast
Disadvantage : It is not secure

And now we are getting the great idea of wireless cards. Idiots.

Re: How can this work with European smart cards?

[tlhIngan]

And having a choice about whether you use your card as credit or debit matters. Credit cards have tons of cardholder protections by law. Debit cards have fewer protections and have $50 of cardholder liability, regardless of fault (many banks will waive this, but it's allowed by law). Merchants also get in on the act by steering people to use certain cards in certain situations. For small purchases, merchants steer you to a credit card if possible, since their fees are percentage-based. For larger purchases, they'd rather you use a debit card, since the fees are a legally-capped flat fee. Last I checked, it was capped at about $0.45. per transaction, which means that banks all charge exactly that amount. If you're only buying a candy bar at a convenience store for $0.95, they pay almost half of the revenue (not profit!) as a card processor fee, and they probably lose money on that transaction. With a credit card, that same purchase has a $0.04 (and fractions) fee.

Actually, no. Credit cards have transaction fee that's a per-transaction PLUS a percentage. Usually it's anywhere from 10-30 cents per transaction plus 1-5% of the amount.

Debit cards do vary a lot - the merchant may pay 45 cents max, but they usually have another per-transaction fee paid by the user (usually 25 cents or so). Some merchants actually refund you 25 cents as they eat that cost too.

That's actually one of the big reasons why Apple did the whole 30% thing - they new that at the very worst, selling a music file for 99 cents meant their transaction fees would be nearly a third of the total, and basically set their rates to cover the cost. They also did things like batching, so if you bought two songs, they'd charge you once, so they'd make a little money. (This was, remember, over a decade ago).

As for the US - it's mostly inertia. Retailers and banks are completely scared of introducing too many changes at once - "friction" in sales is something they want to avoid. Chip+Sign basically imitates as closely as possible the existing swipe+sign mechanism and people are used to signing their credit card receipts, so they keep it to avoid friction in having to teach a shopper how the newfangled credit cards work.

Re: How can this work with European smart cards?

we're using chip cards here now. I guess you wouldn't know that since you don't come here though.

Re: How can this work with European smart cards?

There is an important exception: gas pumps are exempted from the liability shift until October 2017.

Fucking foreigners

Upgrade your cards to chip and PIN, so that we can finally get rid of the damn mag stripe.

Re:Fucking foreigners

Chip and pin doesn't fix anything, you moron.

Solution

[kanweg]

ATMs should have a camera (preferably 2, for stereo) looking at themselves. When there is no customer, take a picture and compare it to the base line one (when it was freshly installed/last inspected etc). If it has been tampered with, the bank can see the difference. A computer program can recognise the change. If they keep recordings, they can even see who did it.

Bert

Re:Solution

[Teun]

Interresting.

Re:Solution

[reboot246]

That's a good idea and needs to be seriously investigated.

Re:Solution

[mysidia]

Even better if they include infrared imagery in the scans.

And start using anti-counterfeit graphics containing unique serialized digital data on the surfaces of the readers and keypad which will be scanned and verified before every transaction.

Re:Solution

[thegarbz]

That's a great idea but an image recognition nightmare if you can't control the environment. Outdoors between the sun moving, clouds, rain, street lights, etc doing such side by side recognition to catch such a minute detail would be incredibly difficult.

Re:Solution

[mea_culpa]

The ATMs in the video already protect against these types of skimmers by emitting a jamming signal in the EM range that interferes with magstrip read heads making skimming impossible here. There are also sensors around the card reading housing that alerts the bank to the presence of tampering.

As discussed on reddit when this story broke, this video is likely an advertisement (filmed in vertical much like the guy sleeping in his Tesla on the freeway to make it look amateurish). Seeing now that it's linked directly to the security company's website and his linkedin profile in this slashvertisment^H^H^H^H article, an astroturf viral advertisement would be my assessment.

Despite this, it's nice that people are being made aware of skimming.

Re:Solution

Just put a automatic door in front of the machine for controlling the environment.. Would probably be enough to have a small door just for the card-reader/keypad to prevent skimmers to be installed.

To make things harder to install on ATM's would be to have some unique pattern, per ATM, of extrusions around/on the key-pad and card-slot and above the key-pad where they usually fit the camera.. Ie no one-size fits all..

Re:Solution

There's a solution here. Use an IR time-of-flight camera like the Xbox. These not only capture time of flight, but due to the bi-phase way they work, can capture both the ambient lighting condition and an image more-or-less irrespective of the ambient lighting.

Re:Solution

Image recognition is a problem. However, binary-output "tilt switches" aren't:

Internal photocounters (ATM inside should be dark inside). Acoustic sensors (listening for the "crack" of something being pulled loose). Actual tip/tilt sensors. Internal laser tripwires that pick up any internal disturbances.

There's all kinds of ways to make it really, really, really hard to corrupt something the size of an ATM without it sending out an alarm bell.

Battery?

...and even its own battery

Well ... duhhh!*?!

Not in the UK

[Hognoxious]

The UK will soon be free of this. Thanks to Boris we can chuck out all the Romanians.

Re:Not in the UK

[burni2]

Yeah, I too prefer to be robbed after a punch in the face and a stick on the head from a purely brutal british below poverty bred bloody bad ass, instead of being softly skimmed by a romanian.

Re:Not in the UK

[Hognoxious]

Boris, have you been overdoing the Chardonnay?

Re:Not in the UK

It's a lot better to have white collar thieves that sit in their fancy London city offices and rip off tens of milions of people around Europe/world through financial engineering. Yeah, Romanians are the real thieves in UK. Lucky with the Brexit, UK will get rid of those Romanian thieves and Europe will get rid of those London city thieves. Win-win huh?

Re:Not in the UK

[RockDoctor]

The criminals in charge of the skimming operation will simply move on to hiring Brexit Chavs from the local hash farm in the Council sink estate.

Re:Not in the UK

[Hognoxious]

They won't do it for the pay offered.

Re:Not in the UK

[RockDoctor]

If they pay offered is their mother getting a kife in the face ... yeah, you're right - they'd continue growing their own. You'd have to burn down the hash farm first.

Euronet ATMs

I used a Euronet ATM in Berlin once and while I was able to get money out of it without hidden charges, my credit card got locked immediately, supposedly because the operator withdrew the money incorrectly according to my credit card company. Locals tended to agree that they're suspicious. You may want to avoid them.

Advice for skimmer installers

[mrbester]

Stronger glue should be used.

Re:Advice for skimmer installers

[RockDoctor]

The skimmer and head are temporary installations. Typically they'll be installed, then removed after a few hours so the skimmer can be put onto another ATM (of the right cosmetic type) while the data is read and cards cloned to drain the susceptible card's accounts. Using a glue that comes off easily and leaves no suspicious residues to alert cleaning staff would move happen pretty fast.

Though these aren't very expensive bits of equipment (in cash value), since they'll often contain fingerprints, DNA, and possibly supplier information, then you really don't want them to come into the hands of the police. As an installer/ retriever, you'll get one level of beating for being spotted, but a very different - potentially fatal - beating if your Big Boss loses the man who builds his skimmers. Or even worse - making that translucent green shroud is going to be a custom, and very specific job. So the police would love to find the injection-moulding factory (or other technique, or even just the plastics supplier) that produced them.

Tourist trap

[kylant]

It is hardly surprising that he found this in a tourist location. Austria has long switched to chip cards for cash withdrawal so skimming the magnet stripe of an Austrian card wouldn't be much use. You could technically get the magnet stripe information from an Austrian card (which is there for legacy reasons and the occasional visit to the States) but if you tried to use it this would be immediately be caught by fraud detection.

Re:Tourist trap

[Opportunist]

Unfortunately this isn't entirely true. Austrian (like all European) cards do have a chip, but they also still have the magstrip. And third world ATMs use mag strips near exclusively, which is usually enough to withdraw money there.

In other words, what happens is that the data is being transmitted to some backwater country where the mag strip part is duplicated and used on one of those ATMs there. Yes, it's easy to spot this since your card will be used in, say Albuquerque while you're not even near the continent, but when you notice it the attacker still has the money.

Re:Tourist trap

[kylant]

Unfortunately this isn't entirely true. Austrian (like all European) cards do have a chip, but they also still have the magstrip. And third world ATMs use mag strips near exclusively, which is usually enough to withdraw money there.

In other words, what happens is that the data is being transmitted to some backwater country where the mag strip part is duplicated and used on one of those ATMs there. Yes, it's easy to spot this since your card will be used in, say Albuquerque while you're not even near the continent, but when you notice it the attacker still has the money.

As I wrote previously, this isn't how it works: An Austrian Maestro Card (the card you use to withdraw cash from your bank account) will not work in any country that operates with magnetic stripe only unless you call your bank first. I'm not sure about Albuquerque but most countries outside Europe and the US are blocked by default.

Re:Tourist trap

Nope, my European cards do not have a magnetic stripe.

shit!?

the 8eaper BSD's them5elves to be a

Expensive Skimmer

I'd be more concerned about the people by the cathedral... Somebody owns that skimmer and they're probably connected to organized crime.

Police?

Why didn't this idiot contact the police? Or the back that owns the ATM?

Re:Police?

[hcs_$reboot]

He said he wants to reverse-engineering it (first).

Re:Police?

[Opportunist]

Finders keepers!

Re:Police?

He said he wants to reverse-engineering it (first).

So he's stealing evidence and allowing the criminal to get away. Typical security researcher.

Re:Police?

[theNetImp]

My thoughts exactly. He should have gone into the bank with it and said. hey I found this on your machine outside. Moron...

Re:Police?

Yea. I work with some security researchers. Some of them I'm almost certain are criminals on the side, or only use their job as a cover and source of insider information; Most of the rest are at best ambivalent and more commonly enthusiastic about the crimes and exploits of their adversaries, with good reason: without these cybercriminals they wouldn't have work to do as security researchers, so it is imperative for the survival of the field to empower and educate potential cybercriminals to become actual cybercriminals.

Re:Police?

Ok, so he probably has a train to catch to his next destination of his holiday. Is he going to risk missing his connection just so he can have a chat with local police about what he found, and all the inane questions they will ask him? Best to throw it into a bin inside the bank, then send them a text message later that afternoon.

Phoning the police?

[Freedom+Bug]

So instead of phoning the police, he destroys possible evidence, such as fingerprints. Bravo.

Re:Phoning the police?

Newsflash: The police won't do shit.

Re:Phoning the police?

[moronoxyd]

Come on... he's American, so he clearly knows better than the police in a backwater country like Austria!

Re:Phoning the police?

[nnull]

Yeah, because the Police are going to do SO MUCH. Every time I've reported skimmers to police, both in Europe and the US, they really don't give a damn. A lot of gas station employees also don't care. So yeah, much more fun to reverse engineer it, reinstall it so the guy that comes back to collect the data, gets a cryptoware virus on his laptop, then demand $10,000 from him. Would be far more effective than what the police do.

Re:Phoning the police?

So instead of getting the company he works for to pay him for the work, he's doing the work for free while on vacation.

Re:Phoning the police?

[thegarbz]

So instead of phoning the police, he destroys possible evidence, such as fingerprints. Bravo.

Bravo indeed. Instead of presenting a small chance that a police officer could catch the people in question he instead offered to educate someone in person, and 1.76million people online (at the time of this post) about what to look out for with these kinds of skimmers.

Re:Phoning the police?

I'm pretty sure you mean Australia. There is no such place as "Austria".

Re:Phoning the police?

Fingerprints on an object in public, give me a break.

Re:Phoning the police?

[BitZtream]

Pretty sure you're just ignorant of of the fact that Europe exists

https://en.m.wikipedia.org/wik...

Re:Phoning the police?

[BronsCon]

Ehm...

Re:Phoning the police?

[BronsCon]

On the interior surface...

Re:Phoning the police?

It's bitztream, the autism-hating Slashdot troll!

Re:Phoning the police?

[mekkab]

Yes, they regularly throw shrimp on the barbi in the opernplatz.

Re: Phoning the police?

I hear this year they came second in the eurovision despite winning a couple of years ago.

Re:Phoning the police?

[delt0r]

In Austria they most definitely would. There is very little crime there, so they would be happy to have something to do. They even turn up if you be a dick about getting caught not paying 2EU for a train ride. I lived in Vienna for 7 years, and well skimming was a recognized problem. My bank would send out pamphlets on what to look out for. Despite the fact that my card was not really vulnerable.

Re:Phoning the police?

[Gussington]

Every time I've reported skimmers to police, both in Europe and the US, they really don't give a damn

How many skimmers are you finding?
I'll admit I'm no expert but I do keep an eye out for any suspect ATMs. In my entire life I've come across precisely zero.

3D printing will make it even more easy to do

[140Mandak262Jamuna]

The real solution is to make it not worthwhile to steal the credit card number. At least in Europe, they bring the card reader to the table in restaurants and you need a PIN even for credit card. Not like USA. They let me use an American creditcard without PIN, and it was scammed. 5000$ fraudulent charges!

Well, with the cards EMV chips become more prevalent, and they use challenge-and-response based authentication, capturing the card, or even the entire exchange between the ATM and the main bank computer would not be enough to commit fraud. For authorizing card-not-present transactions, two factor authentication based on cell phone to confirm the charges will come through. So eventually this threat will go away.

But as long as the loss to the banks due to skimming is less than the cost of upgrading the infrastructure, they will drag their feet about the cards with chips. Also the credit card companies have shifted the liability for the fraud from themselves to the merchants, in USA. So we should see more EMV chips coming on line in USA.

Re:3D printing will make it even more easy to do

[BronsCon]

So Europe and the US are the only places that exist in the world?

Hint: there are a great number of 3rd world countries with payment card systems; they typically run whatever other countries happen to throw away; they won't be using chips anytime soon.

Re:3D printing will make it even more easy to do

But as long as the loss to the banks due to skimming is less than the cost of upgrading the infrastructure, they will drag their feet about the cards with chips.

Banks routinely dodge any security measure, even ones they are forced to implement by law (hence the whole "wish it was two-factor authentication" fiasco of the mid 2000's). The ONLY way to have a reasonably secure banking system (fraud will never completely disappear) is to make the banks responsible for all fraudulent charges. Today the banks simply don't care because they have had the laws crafted to push the costs of fraud onto the merchant and consumer. US banks are REFUSING to issue PINs with the cards with chips, which largely renders them ineffective. I find it very hard to believe that somehow issuing a four-digit random number (or even letting the card owner choose his own) will cost the bank millions of dollars (which they claim) even though the infrastructure already exists for use with debit cards.

Re:3D printing will make it even more easy to do

[140Mandak262Jamuna]

In third world countries, law enforcement is very weak. In Africa mobile phone based banking is taking hold. There are typically no ATMs. But shops that sell prepaid phones also act as local tellers dispensing cash after being authenticated using cell phones. Fraud is much less common there. In most third world countries banks are very powerful and the laws favor the banks. All the fraud liability rests with the poor people who are very guarded. The only people using credit cards seriously in Aftrica are the naive tourists.

Re:3D printing will make it even more easy to do

[BronsCon]

So, now it's Europe, the US, and Africa? What about everywhere else? I specifically mentioned payment card systems.

Re:3D printing will make it even more easy to do

[140Mandak262Jamuna]

Fine, have it your way. Hold forth, sir, your views that apply to all continents...

Re:3D printing will make it even more easy to do

[BronsCon]

Did I say all continents? I surely did not. You're limiting the discussion to places where the magstripe has fallen out of favor and I'm merely pointing out that more places than those exist.

This is an older skimmer...

[toonces33]

The newer ones are designed to be "installed" in the cardslot so you can't even see them. Pulling on the green thing will no longer be sufficient.

Re:This is an older skimmer...

[thegarbz]

Do you have a source or example of this? I've seen a few skimmer teardowns but nothing like you describe so far.

Re:This is an older skimmer...

[wonkey_monkey]

Pulling on the green thing will no longer be sufficient.

I may make those my last words just to confuse people.

Re:This is an older skimmer...

Me too, as all of the ATM/Card swipes I use have barely enough room to fit the card in, how could you put something else into the same slot and still allow the card to fit.

Re:This is an older skimmer...

[Khyber]

https://techcrunch.com/2014/08...

Re:This is an older skimmer...

[toonces33]

http://krebsonsecurity.com/201...

Re:This is an older skimmer...

[thegarbz]

Fuck!

That is about all there is to say about that.

Re:This is an older skimmer...

[delt0r]

It is important to note that this *only* clones mag stripes. My CC and bankcards from EU didn't have any. I had to get special ones issued for traveling to the US or other places that don't have chip and pin.

Re:This is an older skimmer...

[thegarbz]

Yeah I'm disappointed that when I got to the EU that my cards had mag stripes on them. I thought they removed them universally but not yet.

don't waste this opportunity !!

i would like to invite you to this amazing website !!
http://www.ahaal.com

ATM Machine - and not using landscape mode

how can you trust him?

VVS

Ugh. I hate vertical videos.

Clear Plastic

[JustAnotherOldGuy]

Why not make the front of the ATM and especially the card reader section out of clear plastic?

It would stop of lot of this stuff dead in the water because you'd be able to see that something wasn't right (assuming you took 2 seconds to look, anyway).

Re:Clear Plastic

And know how each different ATM is supposed to look...

Better to put a few cameras inside the atm and check if something has changed or gotten stuck inside the atm.. (ie let the bank manage it)..

Re:Clear Plastic

[RockDoctor]

Why not make the front of the ATM and especially the card reader section out of clear plastic?

The number of prople who put either the ATM or their card "out of order" by pushing the card into the cash-dispensing slot, or the receipt printing slot would vastly increase.

You note that part of this machine is made of translucent plastic - and is taken advantage of by the skimmer's designer.

Re:Clear Plastic

[JustAnotherOldGuy]

The number of prople who put either the ATM or their card "out of order" by pushing the card into the cash-dispensing slot, or the receipt printing slot would vastly increase.

Most of the ATMs I see have a flashing light around the card entry area to cue you where to put your card in and another flashing light around the cash exit slot. They each flash as a cue as to where to put the card or when to take the cash.Alternatively they could block the cash exit slot until the card goes in (I think the BOA machines do that already if I'm not mistaken).

-

You note that part of this machine is made of translucent plastic - and is taken advantage of by the skimmer's designer.

Translucent, but not clear. A clear casing, like they use in prison TV sets and similar items, would make it harder to attach something without it being at least a little more obvious, I would think.

Re:Clear Plastic

[RockDoctor]

A clear casing, like they use in prison TV sets

You've obviously spent more time in prison than I have.

would make it harder to attach something without it being at least a little more obvious, I would think.

Oh, I see what you mean. Well, it's an idea. Whether it'd get past Marketing is another question - the loss of revenue from the lost advertising space would be catastrophic. Or detectable.

Re:Clear Plastic

[JustAnotherOldGuy]

You've obviously spent more time in prison than I have.

I don't see how that's possible, frankly.

Blantant?

[nuckfuts]

"Blatant" is rather an overstatement. Nobody is going to be alarmed by minor cosmetic changes such as the 1/8" gap between the blue sticker and the keyboard being eliminated. Do you think people go around with a precise image of these machines in their head?

Re:Blantant?

[marcansoft]

A security researcher who goes around looking for ATM skimmers should know that the magstripe reader always goes along with a camera for the PIN pad, and that the electronics inside the card reader part aren't the whole story.

It's completely obvious once you look for it, once you know a skimmer was installed on the card slot, especially having another pristine ATM right next to it to compare. Nobody's going to blame someone for not noticing a skimmer in the first place, but once you know one was installed, yes, the PIN pad part is blatant.

Re: Blantant?

[nuckfuts]

In a rare instance of admitting to being wrong, I accept your clarification. Thanks :)

Wouldn't have worked

[SuperKendall]

Look at the video - the skimmer is in a green part that looks exactly identical to the original item as it's an overlay. No visual system would have caught it...

Now they WOULD have caught the pinhole camera mentioned my someone responding to the thread, but only if it was pretty high resolution and had such a degree of intolerance to difference that even dirt could set it off.

Not really a great way to go about protecting against skimmers, especially if like in Mexico you have the actual ATM repair guys install skimmers internally.

Re:Wouldn't have worked

[RockDoctor]

Look at the video - the skimmer is in a green part that looks exactly identical to the original item as it's an overlay. No visual system would have caught it...

On the other hand, the operations to INSTALL the skimmer head and PIN-watcher would have been considerably different to a normal transaction. Which would also give you video of the people installing and retrieving the skimmer hardware. Good for evidence - though these would be cannon-fodder personnel anyway.

Not different at all

[SuperKendall]

On the other hand, the operations to INSTALL the skimmer head and PIN-watcher would have been considerably different to a normal transaction.

Have you seen video of people installing those things? The skimmer just takes a second, and looks identical to someone checking to see if there's a skimmer...

It would take some impressive software to distinguish skimmer installation from a normal transaction, and most of the work would be easy blocked by the installers body.