Vacationing Security Researcher Exposes Austrian ATM Skimmer (carbonblack.com)
While vacationing with his family in Vienna, Ben Tedesco (from security company Carbon Black) discovered an ATM skimmer "in the wild", perfectly crafted to look like the original card reader. New submitter rmurph04 shares Ben's story: I went to grab some cash from an ATM. Being security paranoid, I repeated my typical habit of checking the card reader with my hand as I have hundreds of times. Today's the day when my security awareness paid off!
Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.
... the blatant camera/panel overlay above the PIN pad, which is almost certainly where the main logic and storage of the skimmer is.
Note that his ATM has a grey ridge just above the screen, almost blocking the buttons at the top of the screen, while the ATM left from his does not have this extra ridge. This part should contain the camera to record the password number, needed to use the card (in Europe).
ATMs should have a camera (preferably 2, for stereo) looking at themselves. When there is no customer, take a picture and compare it to the base line one (when it was freshly installed/last inspected etc). If it has been tampered with, the bank can see the difference. A computer program can recognise the change. If they keep recordings, they can even see who did it.
Bert
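The baseline comparison proposed in the comment above, as an added example that is not part of the original thread: a tile-by-tile diff of an idle-time frame against the inspection baseline, with the image medians subtracted so a uniform lighting change alone does not raise an alarm. The function name, tile size, threshold and the 8x8 sample images are all constructed assumptions.

```python
from statistics import median

def changed_tiles(baseline, frame, tile=4, threshold=25):
    """Return (row, col) indices of tiles that differ from the baseline.

    Both images are equal-sized grids of 0-255 grey levels. Subtracting each
    image's median first cancels a uniform lighting change (day vs. night),
    and the median stays usable when an overlay covers a minority of pixels.
    """
    base_med = median(v for row in baseline for v in row)
    frame_med = median(v for row in frame for v in row)
    height, width = len(baseline), len(baseline[0])
    flagged = []
    for ty in range(0, height, tile):
        for tx in range(0, width, tile):
            diffs = [
                abs((frame[y][x] - frame_med) - (baseline[y][x] - base_med))
                for y in range(ty, min(ty + tile, height))
                for x in range(tx, min(tx + tile, width))
            ]
            # Mean absolute difference of the tile after lighting compensation.
            if sum(diffs) / len(diffs) > threshold:
                flagged.append((ty // tile, tx // tile))
    return flagged

# Constructed 8x8 sample images (not real ATM footage).
BASELINE = [[80 + 4 * x + 2 * y for x in range(8)] for y in range(8)]
BRIGHTER = [[v + 30 for v in row] for row in BASELINE]  # same scene, more light
TAMPERED = [row[:] for row in BRIGHTER]
for y in range(4):          # dark overlay covering the top-right tile
    for x in range(4, 8):
        TAMPERED[y][x] = 20

if __name__ == "__main__":
    print("brighter:", changed_tiles(BASELINE, BRIGHTER))
    print("tampered:", changed_tiles(BASELINE, TAMPERED))
```

A flagged tile only says where the fascia no longer matches the last inspection; the recorded frames around the first mismatch are what show when the change happened.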
Sometimes there's a distraction attack afterwards and they steal the card. With the number they can then go & withdraw loads of cash.
Saw one on TV where a bloke spotted the hidden camera and alerted the bank. Turns out there were a bunch of undercover cops outside waiting for the perp to come back & collect it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I just take a close look at the receptacle and especially the keyboard. I keep one hand on the keyboard (touching multiple keys) and cover it with my other hand, then enter the PIN blind. Good against cameras, but not against a fake keyboard. Another measure that a lot of machines here have implemented is to ingest the card in a very jittery manner, making it (almost) impossible for a skimmer to properly read the mag strip. And people still get skimmed: some skimmers took to breaking into shops in order to tamper with or replace the payment terminals.
Most banks here now issue cards with chips that cannot be skimmed. So skimmers came up with a new trick: they install a camera or keyboard to get your PIN, then stick something in the card receptacle in order to trap your card in there. Once you get fed up and leave, they'll retrieve it and now have your chip & PIN.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
A nonce based protocol where the ATM can just ask the card what its PIN is, yes. The chip-and-pin protocols are completely broken and were designed by morons, unfortunately. See "Chip and PIN is broken" (https://www.youtube.com/watch?v=szgwaYajKHA) from 27C3 or google for more recent attacks.
Yeah, I too prefer to be robbed after a punch in the face and a stick on the head from a purely brutal british below poverty bred bloody bad ass, instead of being softly skimmed by a romanian.
Our cards have chip + strip. My credit card and my wife's debit card have both been skimmed in the past few years.
Therein lies the problem. Here in Europe (and practically all of the rest of the world) we have switched to CHIP and PIN which allegedly makes skimming much more difficult. Unfortunately, this technology appears to be too complex for Americans to understand so we all have to have mag stripes on our cards as well just in case we ever go there. I never go to the USA, so the mag stripes on my cards are entirely useless other than for skimmers.
Does anyone know of any UK banks which offer a "I am never going to go to North America so please send me a card with a blank mag stripe" service or even a "I sometimes go to North America so please send me two cards, one with mag and one without" service?
Use a magnet to wipe the magstripe... It is a Hi-Co card so the magnet needs to be relatively strong to write data to it. A harddrive magnet would do.
So instead of phoning the police, he destroys possible evidence, such as fingerprints. Bravo.
Well, with the cards EMV chips become more prevalent, and they use challenge-and-response based authentication, capturing the card, or even the entire exchange between the ATM and the main bank computer would not be enough to commit fraud. For authorizing card-not-present transactions, two factor authentication based on cell phone to confirm the charges will come through. So eventually this threat will go away.
But as long as the loss to the banks due to skimming is less than the cost of upgrading the infrastructure, they will drag their feet about the cards with chips. Also the credit card companies have shifted the liability for the fraud from themselves to the merchants, in USA. So we should see more EMV chips coming on line in USA.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
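The challenge-and-response argument in the comment above, as an added example that is not part of the original thread: a simplified model in which the issuer checks a MAC over a fresh challenge and a transaction counter, so a recorded exchange is rejected when presented again. HMAC-SHA256 stands in for the card's real cryptogram computation, and the class names, key and message layout are assumptions, not the EMV specification.

```python
import hashlib
import hmac
import secrets

class Card:
    """Chip model: the key never leaves the card, only MACs do."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0  # transaction counter, incremented on every use

    def respond(self, challenge: bytes):
        self.counter += 1
        msg = self.counter.to_bytes(4, "big") + challenge
        return self.counter, hmac.new(self._key, msg, hashlib.sha256).digest()

class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(8)  # unpredictable, single use
        return self._pending

    def verify(self, counter: int, mac: bytes) -> bool:
        challenge, self._pending = self._pending, None
        if challenge is None or counter <= self.last_counter:
            return False  # no open challenge, or a counter already seen
        msg = counter.to_bytes(4, "big") + challenge
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        self.last_counter = counter
        return True

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key shared by card and issuer
    card, issuer = Card(key), Issuer(key)
    captured = card.respond(issuer.new_challenge())  # recorded on the wire
    genuine = issuer.verify(*captured)
    issuer.new_challenge()                  # next transaction, new challenge
    replay = issuer.verify(*captured)       # recording presented again
    issuer.new_challenge()
    bumped = issuer.verify(captured[0] + 1, captured[1])  # counter edited
    nxt = issuer.verify(*card.respond(issuer.new_challenge()))
    return {"genuine": genuine, "replay": replay, "bumped": bumped, "next": nxt}

if __name__ == "__main__":
    print(demo())
```

Static magnetic-stripe data has no such per-transaction input, which is why the same recording of it keeps verifying.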
The magnetic strip can easily be erased by a strong magnet (e.g. a neodymium one from a broken HDD). I erased the one on my credit card myself two years ago. However, I have since discovered that there are still payment terminals in Europe, which use solely the magnetic strip. For example, the highway toll gates in Italy and France.
-Yenya
--
While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
The newer ones are designed to be "installed" in the cardslot so you can't even see them. Pulling on the green thing will no longer be sufficient.
You have been misled by the banks. They want you to believe that chip transactions are safe. The problem is the mag strip still exists and the chip usually contains a full, unencrypted copy of the mag stripe data. You can test this yourself by buying a programmable or USB chip reader.
The chip does have the capacity to have a card without stripe and even fully encrypt its data and even do simple crypto on chip but to date, many merchant banks (even big ones like Walmart) do not work with an encrypted chip.
IF the chip even does anything useful, the only data that is safe is what is on the wires between the chip reader and the bank. Chips could have easily been replaced by requiring strong TLS encryption and a custom key in the mag stripe.
Additionally, by the time the chip was declared ready to be used (a decade ago) the (homegrown) crypto was already outdated and researchers published papers on how an attack could be executed because those little chips don't have the compute power for anything better, it reuses keys generated with a very poor PRNG. By now, it is feasible to clone encrypted chips and force it to do weak, crackable crypto (with a bit of time on a decent computer). Once banks get around to go chip-only (another decade or even 2), I think it will be feasible to put the entire hack into one of those skimmers.
Custom electronics and digital signage for your business: www.evcircuits.com
"Blatant" is rather an overstatement. Nobody is going to be alarmed by minor cosmetic changes such as the 1/8" gap between the blue sticker and the keyboard being eliminated. Do you think people go around with a precise image of these machines in their head?
That's why you always point out your hidden cameras when you come back to collect them. If they already know, you just saved your ass from getting busted. Worst case, they want to keep the camera or maybe turn it over to police; but, then, you should be using a wireless camera transmitting to a nearby (but not on the same property) storage device and ditching it after each op, anyway; if you can't afford that, get a job, running scams ain't for you.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
So, the big problem with Chip+PIN is that you have to keep the card in for the duration of the transaction? Seriously? Good grief people in the USA must be short of things to be inconvenienced by!
I have to say that I didn't quite understand all of your explanation, but fortunately as I never go to the USA I don't need to (Phew!). Do I however deduce that before long mag stripes will be disappearing from your cards and the rest of us can then give them up as well?
BTW, why doesn't the candy store put up a sign saying "No card transactions below $5". Plenty of shops in the UK do, but perhaps you have a law (or more likely hundreds of different laws) against it.
I can confirm that the switch to Chip and PIN caused very few problems here in the UK. At least not that I as a consumer noticed, it might have been a pain for the shop owners.