Vacationing Security Researcher Exposes Austrian ATM Skimmer (carbonblack.com)
While vacationing with his family in Vienna, Ben Tedesco (from security company Carbon Black) discovered an ATM skimmer "in the wild", perfectly crafted to look like the original card reader. New submitter rmurph04 shares Ben's story: I went to grab some cash from an ATM. Being security paranoid, I repeated my typical habit of checking the card reader with my hand as I have hundreds of times. Today's the day when my security awareness paid off!
Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.
... the blatant camera/panel overlay above the PIN pad, which is almost certainly where the main logic and storage of the skimmer is.
These days, pretty much any ATM I use, I attempt to pull the receptacle off, just on the off chance that there's a skimmer attached.
I've never been skimmed myself, but my parents have.
Chas - The one, the only.
THANK GOD!!!
Note that his ATM has a grey ridge just above the screen, almost blocking the buttons at the top of the screen, while the ATM left from his does not have this extra ridge. This part should contain the camera to record the password number, needed to use the card (in Europe).
that forgets looking for the pin-pad overlay or cam XD
ATMs should have a camera (preferably 2, for stereo) looking at themselves. When there is no customer, take a picture and compare it to the base line one (when it was freshly installed/last inspected etc). If it has been tampered with, the bank can see the difference. A computer program can recognise the change. If they keep recordings, they can even see who did it.
Bert
Sometimes there's a distraction attack afterwards and they steal the card. With the number they can then go & withdraw loads of cash.
Saw one on TV where a bloke spotted the hidden camera and alerted the bank. Turns out there were a bunch of undercover cops outside waiting for the perp to come back & collect it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Stronger glue should be used.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
A nonce based protocol where the ATM can just ask the card what its PIN is, yes. The chip-and-pin protocols are completely broken and were designed by morons, unfortunately. See "Chip and PIN is broken" (https://www.youtube.com/watch?v=szgwaYajKHA) from 27C3 or google for more recent attacks.
It is hardly surprising that he found this in a tourist location. Austria has long switched to chip cards for cash withdrawal so skimming the magnet stripe of an Austrian card wouldn't be much use. You could technically get the magnet stripe information from an Austrian card (which is there for legacy reasons and the occasional visit to the States) but if you tried to use it this would immediately be caught by fraud detection.
Yeah, I too prefer to be robbed after a punch in the face and a stick on the head from a purely brutal british below poverty bred bloody bad ass, instead of being softly skimmed by a romanian.
Our cards have chip + strip. My credit card and my wife's debit card have both been skimmed in the past few years.
It's the same in Australia.
We have chip, strip, tap (near field) and they've recently phased out signature.
Three paths of attack are greater than one!
Backwards compatibility. They still mostly work in foreign ATMs that only use the magstripe.
Therein lies the problem. Here in Europe (and practically all of the rest of the world) we have switched to CHIP and PIN which allegedly makes skimming much more difficult. Unfortunately, this technology appears to be too complex for Americans to understand so we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers.
Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?
Use a magnet to wipe the magstripe... It is a Hi-Co card so the magnet needs to be relatively strong to write data to it. A harddrive magnet would do.
That's all well and good for the people who understand the problem, but you've got to mandate it.
Boris, have you been overdoing the Chardonnay?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I'd be more concerned about the people by the cathedral... Somebody owns that skimmer and they're probably connected to organized crime.
So instead of phoning the police, he destroys possible evidence, such as fingerprints. Bravo.
He said he wants to reverse-engineer it (first).
Slashdot, fix the reply notifications... You won't get away with it...
Indeed.
Slashdot, fix the reply notifications... You won't get away with it...
Finders keepers!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well, with the cards EMV chips become more prevalent, and they use challenge-and-response based authentication, capturing the card, or even the entire exchange between the ATM and the main bank computer would not be enough to commit fraud. For authorizing card-not-present transactions, two factor authentication based on cell phone to confirm the charges will come through. So eventually this threat will go away.
But as long as the loss to the banks due to skimming is less than the cost of upgrading the infrastructure, they will drag their feet about the cards with chips. Also the credit card companies have shifted the liability for the fraud from themselves to the merchants, in USA. So we should see more EMV chips coming on line in USA.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
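Added example, not part of any comment in this thread: a simplified Python model of the challenge-and-response idea described in the comment above, showing why a recorded chip exchange cannot be replayed while copied stripe data can. It is not the real EMV cryptogram algorithm; the HMAC construction, class names, field sizes and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, atc: int, nonce: bytes, amount_cents: int) -> bytes:
    """MAC over the transaction counter, the verifier's nonce and the amount."""
    msg = atc.to_bytes(2, "big") + nonce + amount_cents.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: holds a secret key that never leaves the card."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0  # transaction counter, incremented on every use

    def respond(self, nonce: bytes, amount_cents: int):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, nonce, amount_cents)


class Issuer:
    """Verifier side: shares the card key and remembers the last counter."""

    def __init__(self, key: bytes, track: bytes):
        self._key = key
        self._track = track
        self.last_atc = 0

    def new_challenge(self) -> bytes:
        # Must be unpredictable, otherwise responses could be collected ahead of time.
        return secrets.token_bytes(4)

    def authorize_chip(self, nonce, amount_cents, atc, mac) -> bool:
        if atc <= self.last_atc:  # stale counter: replay of an old exchange
            return False
        expected = cryptogram(self._key, atc, nonce, amount_cents)
        if not hmac.compare_digest(expected, mac):
            return False
        self.last_atc = atc
        return True

    def authorize_stripe(self, track: bytes) -> bool:
        # Static data: a byte-for-byte copy is indistinguishable from the card.
        return hmac.compare_digest(track, self._track)


def replay_demo() -> dict:
    key = secrets.token_bytes(16)
    track = b"CONSTRUCTED-TRACK-DATA"  # constructed sample, not a real track
    card, issuer = Card(key), Issuer(key, track)

    n1 = issuer.new_challenge()
    atc, mac = card.respond(n1, 5000)
    genuine = issuer.authorize_chip(n1, 5000, atc, mac)

    # Someone who recorded (n1, atc, mac) presents it again, unchanged.
    replay_same = issuer.authorize_chip(n1, 5000, atc, mac)
    # Same recording with a bumped counter against a fresh challenge.
    n2 = issuer.new_challenge()
    replay_bumped = issuer.authorize_chip(n2, 5000, atc + 1, mac)

    copied = bytes(track)  # what a stripe reader captures
    stripe_replay = issuer.authorize_stripe(copied) and issuer.authorize_stripe(copied)
    return {"genuine": genuine, "replay_same": replay_same,
            "replay_bumped": replay_bumped, "stripe_replay": stripe_replay}


if __name__ == "__main__":
    print(replay_demo())
```

The stripe check succeeds on every presentation of the copy, which is why issuers fall back on fraud detection for stripe transactions, as other comments here note.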
The magnetic strip can easily be erased by a strong magnet (e.g. a neodymium one from a broken HDD). I erased the one on my credit card myself two years ago. However, I have since discovered that there are still payment terminals in Europe, which use solely the magnetic strip. For example, the highway toll gates in Italy and France.
-Yenya
--
While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
The newer ones are designed to be "installed" in the cardslot so you can't even see them. Pulling on the green thing will no longer be sufficient.
Therein lies the problem. Here in Europe (and practically all of the rest of the world) we have switched to CHIP and PIN which allegedly makes skimming much more difficult. Unfortunately, this technology appears to be too complex for Americans to understand so we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers.
Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?
The US now has CHIP and signature, but didn't implement PIN for our cards. Canada has had CHIP and PIN for forever in comparison. We now have NFC and Apple pay at most restaurants and stores. My thought is that banks will start offering ways of using ATMs without having to use a card.
But the EU cards also have mag stripes for compatibility in the Americas (and Pacific, and other places). So the card is skimmed in the EU and used either online or overseas.
It is installed in a tourist trap. The idea is to skim cards belonging to rich and stupid American right wing tourist...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
But how else will they demonstrate that they're not mad, really, they're actually laughing?
(yeah, they're mad)
You are welcome on my lawn.
My thoughts exactly. He should have gone into the bank with it and said, "Hey, I found this on your machine outside." Moron...
"The US now has CHIP and signature, but didn't implement PIN for our cards."
Really? My bank card uses chip and PIN. Maybe they're just ahead of your bank?
That's all well and good for the people who understand the problem, but you've got to mandate it.
Actually, you are better off if you can fix the problem only for yourself. That way everybody else will be a distraction for the criminals, so they won't get you.....
Erasing the magstrip might not be the least-obtrusive measure..... How about covering it with foil tape?
how can you trust him?
There are different kinds of cards that work in different ways. There are credit-only cards, debit-only cards, and hybrid debit cards issued by a CC processor.
Credit only cards, when they get a chip, are chip+sign. This is because nobody in the US wants to be bothered with PIN entry, and won't put up with that crap. It's bad enough that the terminals make you leave the card in them for the duration of the transaction. Chip+PIN is a complete non-starter for credit-only in the US. And it can safely be that way because the laws are written in a way that most of the militant Eurotards that scream about Chip+PIN can't even comprehend. The cardholder is never in the wrong without the involvement of the courts. Period. The issuer or the merchant are most likely stuck with the costs of fraud. (And the processor never is.)
Debit-only cards always have a PIN. They were swipe+PIN forever. Now they're chip+PIN. The only new annoyance is keeping the card in the terminal for the entire transaction instead of the much simpler swipe-and-put-away that we've all been used to. Minor annoyance at most.
Hybrid cards are where the real confusion happens. It also just so happens that 99% of "debit cards" are actually hybrid cards, not true debit cards. Pre-EMV, swipe+sign was a credit transaction and swipe+PIN was a debit transaction. Now, the type of terminal determines how these cards are used. A terminal with the chip-reader deactivated (mostly due to certification delays as this whole transition spins up) will allow only swipe+sign transactions. A terminal with a working chip-reader will only allow chip+PIN transactions. But x+sign is still always credit and x+PIN is still always debit. So pending-certification terminals always use these as credit cards, and certified terminals always use these as debit cards. You have no choice now. This is making these types of cards very unpopular, as you never know from one store to the next whether your card will work the way you want it to.
And having a choice about whether you use your card as credit or debit matters. Credit cards have tons of cardholder protections by law. Debit cards have fewer protections and have $50 of cardholder liability, regardless of fault (many banks will waive this, but it's allowed by law). Merchants also get in on the act by steering people to use certain cards in certain situations. For small purchases, merchants steer you to a credit card if possible, since their fees are percentage-based. For larger purchases, they'd rather you use a debit card, since the fees are a legally-capped flat fee. Last I checked, it was capped at about $0.45 per transaction, which means that banks all charge exactly that amount. If you're only buying a candy bar at a convenience store for $0.95, they pay almost half of the revenue (not profit!) as a card processor fee, and they probably lose money on that transaction. With a credit card, that same purchase has a $0.04 (and fractions) fee.
So the EMV chip has only made a big fat mess. Will it be fixed? I'm sure it will. There's a lot of money riding on it being fixed, and soon. But Europe's regulations were different from the US, and the EMV chip transition didn't cause as many problems for Europe as it has for the US.
You have been misled by the banks. They want you to believe that chip transactions are safe. The problem is the mag strips still exist and the chip usually contains a full, unencrypted copy of the mag stripe data. You can test this yourself by buying a programmable or USB chip reader.
The chip does have the capacity to have a card without stripe and even fully encrypt its data and even do simple crypto on chip but to date, many merchant banks (even big ones like Walmart) do not work with an encrypted chip.
IF the chip even does anything useful, the only data that is safe is what is on the wires between the chip reader and the bank. Chips could have easily been replaced by requiring strong TLS encryption and a custom key in the mag stripe.
Additionally, by the time the chip was declared ready to be used (a decade ago) the (homegrown) crypto was already outdated and researchers published papers on how an attack could be executed because those little chips don't have the compute power for anything better, it reuses keys generated with a very poor PRNG. By now, it is feasible to clone encrypted chips and force it to do weak, crackable crypto (with a bit of time on a decent computer). Once banks get around to going chip-only (another decade or even 2), I think it will be feasible to put the entire hack into one of those skimmers.
Custom electronics and digital signage for your business: www.evcircuits.com
Why not make the front of the ATM and especially the card reader section out of clear plastic?
It would stop a lot of this stuff dead in the water because you'd be able to see that something wasn't right (assuming you took 2 seconds to look, anyway).
Just cruising through this digital world at 33 1/3 rpm...
"Blatant" is rather an overstatement. Nobody is going to be alarmed by minor cosmetic changes such as the 1/8" gap between the blue sticker and the keyboard being eliminated. Do you think people go around with a precise image of these machines in their head?
Nukes have GPS bruh.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
That's why you always point out your hidden cameras when you come back to collect them. If they already know, you just saved your ass from getting busted. Worst case, they want to keep the camera or maybe turn it over to police; but, then, you should be using a wireless camera transmitting to a nearby (but not on the same property) storage device and ditching it after each op, anyway; if you can't afford that, get a job, running scams ain't for you.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Anyone sophisticated enough to do the live remote attack can fake a magnetic stripe in real time too, so it buys you _nothing_
Considering that the stripe would be read as the card got pulled into the machine, before the chip met the internal contacts, they'd have to do better than real time.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
So, the big problem with Chip+PIN is that you have to keep the card in for the duration of the transaction? Seriously? Good grief people in the USA must be short of things to be inconvenienced by!
I have to say that I didn't quite understand all of your explanation, but fortunately as I never go to the USA I don't need to (Phew!). Do I however deduce that before long mag stripes will be disappearing from your cards and the rest of us can then give them up as well?
BTW, why doesn't the candy store put up a sign saying "No card transactions below $5". Plenty of shops in the UK do, but perhaps you have a law (or more likely hundreds of different laws) against it.
I can confirm that the switch to Chip and PIN caused very few problems here in the UK. At least not that I as a consumer noticed, it might have been a pain for the shop owners.
... we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers. Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?
In the time that it took you to type that post, you could have erased all the mag stripes on all your credit cards. It doesn't take much -- a strong magnet will do it, or you could just use a bit of fine sandpaper to physically remove the stripe.
I do not deploy Linux. Ever.
But how else will they demonstrate that they're not mad, really, they're actually laughing?
(yeah, they're mad)
That's another problem - it's now become punctuation, used when no humour was created, nor even intended.
I saw a YouTube comment yesterday (yeah, I know) that had 3 sentences, all of which started with "lol", none of which contained even a single molecule of humour.
(Maybe it was homeopathic in its humour?)
"LOL is the internet mating call of those too stupid to find their own arse with both hands and a mirror." -- Abraham Lincoln.
Look at the video - the skimmer is in a green part that looks exactly identical to the original item as it's an overlay. No visual system would have caught it...
Now they WOULD have caught the pinhole camera mentioned by someone responding to the thread, but only if it was pretty high resolution and had such a degree of intolerance to difference that even dirt could set it off.
Not really a great way to go about protecting against skimmers, especially if like in Mexico you have the actual ATM repair guys install skimmers internally.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The US is currently transitioning to CHIP and PIN. By October of this year the liability will fall on whomever is using the weakest technology in the chain. Bank -> Processor -> Merchant. Nearly every store I visit already has new terminals and some have already transitioned to requiring chip & pin. Most banks have already replaced their customers' cards with chipped cards.
You can bet that once the deadline comes nobody is going to want to be on the receiving end of liability. There will be no bank or processor that will want to touch the mag strip with a 10 foot pole.
My Austrian bank gave me a magless card. And I have to apply for a US only card when I wanted one. Not the UK however. These the UK is on its own. :D
If information wants to be free, why does my internet connection cost so much?
Canada is almost entirely chip and pin now.
Be relentless!
Google Maps? Type in the address: done.
Or, to put it another way, if you ACs can be facetious, so can we registered users; most of whom are likely map-reading Americans.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
And the fact that the Highway toll gates accept them is the reason you do not need to enter a PIN.
Advantage: it is fast
Disadvantage : It is not secure
And now we are getting the great idea of wireless cards. Idiots.
Don't fight for your country, if your country does not fight for you.
Actually, no. Credit cards have transaction fee that's a per-transaction PLUS a percentage. Usually it's anywhere from 10-30 cents per transaction plus 1-5% of the amount.
Debit cards do vary a lot - the merchant may pay 45 cents max, but they usually have another per-transaction fee paid by the user (usually 25 cents or so). Some merchants actually refund you 25 cents as they eat that cost too.
That's actually one of the big reasons why Apple did the whole 30% thing - they knew that at the very worst, selling a music file for 99 cents meant their transaction fees would be nearly a third of the total, and basically set their rates to cover the cost. They also did things like batching, so if you bought two songs, they'd charge you once, so they'd make a little money. (This was, remember, over a decade ago).
As for the US - it's mostly inertia. Retailers and banks are completely scared of introducing too many changes at once - "friction" in sales is something they want to avoid. Chip+Sign basically imitates as closely as possible the existing swipe+sign mechanism and people are used to signing their credit card receipts, so they keep it to avoid friction in having to teach a shopper how the newfangled credit cards work.
The criminals in charge of the skimming operation will simply move on to hiring Brexit Chavs from the local hash farm in the Council sink estate.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
They won't do it for the pay offered.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
On the other hand, the operations to INSTALL the skimmer head and PIN-watcher would have been considerably different to a normal transaction.
Have you seen video of people installing those things? The skimmer just takes a second, and looks identical to someone checking to see if there's a skimmer...
It would take some impressive software to distinguish skimmer installation from a normal transaction, and most of the work would be easily blocked by the installer's body.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If the pay offered is their mother getting a knife in the face ... yeah, you're right - they'd continue growing their own. You'd have to burn down the hash farm first.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"