
Fear the reaper: characterization and fast detection of card skimmers - godelmachine
https://blog.acolyer.org/2018/09/03/fear-the-reaper-characterization-and-fast-detection-of-card-skimmers/
======
ahes
Poland solved this problem pretty neatly. I don't even remember using my credit
card with an ATM.

You open your mobile bank app, click the BLIK icon and a 6-digit code is
generated. You enter the code in the ATM and choose the amount to withdraw. You
accept the amount on your mobile phone and the money comes out.

This is how it looks:
https://www.mbank.pl/indywidualny/uslugi/uslugi/blik/

~~~
gboudrias
That's very clever but honestly, just removing the magnetic strip seems like a
really obvious first step. I know for a fact they flag magnetic strip usage on
ATMs for credit cards anyway. (Then again, could be some sort of honeypot.)

------
patcheudor
"The measurement card has a carefully etched set of traces in the magnetic
stripe, (aligning with each of the three data tracks). When a read head
contacts the card it bridges a pair of electrical traces and completes a
circuit back to the microcontroller."

This seems to me to be a detective control which relies a bit too heavily on
obscurity, obscurity which is now blown. Having knowledge of how this works,
ATM skimming gangs whose devices might be found by local authorities with this
device can now take the active counter-measure of placing a piece of Kapton
tape over the read-head.

~~~
kw71
Or maybe they can monitor the wires on the legitimate read head instead. This
was possible on a formerly common fuel dispenser in the USA.

------
ChuckMcM
This is _very_ cool. Basically a 'fake' card that can detect when it passes by
more than one 'read' head in the machine.

It should be possible to build this into a credit card sized device that you
could just swipe with and have it illuminate a red or green LED when it
detects a skimmer.

~~~
godelmachine
Well, you have a point there. But don't you think the "credit card sized
device" will again be used for fraudulent purposes? Maybe to trace EM
emissions or something else?

~~~
ChuckMcM
Perhaps, but the gist of the article is that you basically won't be able to
detect a skimmer most of the time. But their technique does detect skimmers
(all the time when they tested it). What I was wondering was if you could
carry something in your wallet to easily check for skimmers. A CC-sized thin
PCB with a thin package on it would be ideal, and then a paper overlay to
create uniform thickness.

~~~
godelmachine
>> A paper overlay to create uniform thickness

Might I ask what purpose would it serve?

~~~
ChuckMcM
Some places have automated rollers that move the card in and out of the
machine. I would not want to lose my skimmer detector by having it get
hung up inside the machine.

~~~
godelmachine
Thanks for explaining your thoughts :)

------
fabricexpert
We should really add 2FA to cards. E.g. if I withdraw a large sum or make an
unusual transaction prompt for a 2FA code.

For small transactions it makes no sense, but for anything above a user
defined limit we should have this option. e.g. I only withdraw more than £50
in unusual circumstances.

~~~
gambiting
In EU all banks have to implement 3D Card Secure - when making an online
payment over a certain amount, or of an unusual type, the vendor's website
redirects you to your bank's website where you have to authenticate the
payment (usually provide an SMS code or answer some security questions).

~~~
anewhnaccount2
In Finland you get a tiny card filled with single use pin codes. It's pretty
secure. Unfortunately, if your card is skimmed, the scammers will just -- for
example -- associate it with an Uber account and sell the account. Because
non-EU companies don't use 3D-secure there's nothing stopping them. I have
tried asking for non 3D-secure transactions to be blocked, (I believe when a
vendor doesn't offer it I can always find an alternative) but no such luck.
(Obviously you can get the money back, but I'd like to avoid the inconvenience
and the fact the scammers get money for nothing.)

~~~
Mediterraneo10
> In Finland you get a tiny card filled with single use pin codes. It's pretty
> secure.

Nordea Bank Finland ceased providing code cards earlier this year. Logging on
to online banking even warns that the code card you already have may stop
working soon. Everything has moved to the mobile app or, available as a
special order for the elderly and luddites, an electronic keypad.

------
ChrisSD
Do cards still use magnetic strips? I thought it was all done on the chip
nowadays?

~~~
Covzire
In the US they generally have both if issued in the last few years, but many
places still accept magnetic strips. I don't use an ATM often anymore, maybe
once or twice a year at most, but I've yet to see an ATM that only demands the
chip instead of forcing you to insert the whole card, so chip-only debit and
credit cards can't come soon enough.

Curious if there's an easy way to make my stripe unreadable with my most used
credit card, especially for dining where your card can disappear for several
minutes at a time.

~~~
julianwachholz
Revolut lets you disable the magnetic strip and other functions (e.g.
contactless) of your physical card via the App.

~~~
Milner08
As do Monzo; in fact the magnetic strip is disabled by default and you can only
enable it for 24 hours at a time.

------
gambiting
I just don't understand why my card even has a magnetic stripe anymore. It's
been years since I've seen any terminals that could actually accept it, it's
all chip and pin over here. If I could get a card without the strip I'd gladly
do so.

~~~
acdha
The United States is still predominantly magstripe. We’ve had chip-and-no-pin
for a few years but many large retailers haven’t enabled it, possibly because
transactions are so much slower (usually 30-60 seconds) and less reliable.

~~~
tomxor
> possibly because transactions are so much slower (usually 30-60 seconds)

I don't know the details of the technological differences in transaction
communication between the two, but in the UK chip and pin is noticeably and
consistently faster to perform transactions in my experience, often to the
point that it's perceptibly instant... although it has been quite some years
since I've used magnetic ones so that's from memory.

I suppose one way to protect yourself if you are never going to use your card
in the US, is by destroying the magnetic strip (magnetically).

~~~
acdha
The slow reads are entirely a technical failure by some of the large vendors.
Some systems are as fast as you describe and most of the ones which I see
being that slow are much faster for NFC, so I’m pretty sure it’s just that
they were rushed into production to meet the deadline imposed by the card
vendors.

~~~
tomxor
Maybe it's just a difference in how relatively new the technology is to US
retailers then, UK shops have had plenty of time to work out the kinks and
learn what hardware to avoid.

~~~
Someone1234
The first generation of Chip&Pin in the UK were garbage too. Slow and often
failed to read the chip, resulting in awkwardly cleaning the chip contacts.

Most of the machines were replaced inside of the first year and things have
improved substantially since then.

~~~
tomxor
Ahh yes I do remember a few instances of that now... I wonder what the
introduction of the magnetic strip was like, looks like that technology
arrived in 1969, anyone here experience that transition?

------
archi42
As an anti tamper measure, the ATM will not just pull in the card and read it;
instead, its movement is somewhat randomised, so as to increase the difficulty
of obtaining an illicit read. (At least the ATMs in my country are said to
usually do that.)

As a result, the ATM's read head might pass over the detection spot multiple
times.

Maybe you can force the measurement device to move only in one direction, but
if I were to design the ATM, it would detect inconsistent, physical card
movement.

~~~
LeonM
> Maybe you can force the measurement device to move only in one direction,
> but if I were to design the ATM, it would detect inconsistent, physical card
> movement.

That would be very prone to false positives. Weather variations (temperature,
humidity), card types, dirt (grease, dust) and foreign objects (stickers on
the card) etc etc would all make the card movement inconsistent.

~~~
archi42
I don't think so. If you don't know how it moves, you can not read meaningful
data (if it moves forward/backward). That's the whole point of that
countermeasure.

If they [the ATMs] do this and can read the card, then they can also check
that the measured movement matches what the controller sent to the motor
driver. Heck, depending on the driver they could just let it measure back EMF
(e.g. some Trinamic stepper drivers can do that).

------
doctorless
This should be provided by ATM manufacturers along with the ATM, and part of a
mandatory daily check before the machine can be used.

------
Paul-ish
It would be nice if I could clip on a thin piece of plastic/foil to my card to
block out the magnetic strip if I know the device I'm inserting it into only
needs the chip.

------
azinman2
I’d love to have a mini version of this that is just the size of a credit card
and could fit in my wallet.

------
cascom
I live in the US where you essentially have no liability for fraudulent
transactions (if you identify them in a reasonable amount of time) - so while
it’s annoying to have to get a card reissued once every couple of years, it
doesn’t seem like such a big deal

~~~
kurthr
I can't recommend SMS alerts for all transactions highly enough... that way
even traveling you know what went through, when, and for what amount.

However, once a year seems optimistic for card replacement, if you use them at
a lot of POS (gas stations). I've seen replacements at once a week (every time
they filled up) and the gas station attendant doesn't care either.

~~~
lucb1e
I have this as well, but using email. They automatically sort into a folder
and I can go through them later, super convenient.

------
gruez
>There’s one thing that’s fundamental to overlay and deep-insert skimmers –
they have to actually read your card data! This requires a read head pressed
against the magnetic track on the card with a spring mechanism. Furthermore,
the head must be a conductor and in practice seems to always be metallic.

next up: skimmers with "undetectable" read heads (lined with plastic)

I've seen cashiers sandwich cards between pieces of paper to get problematic
cards to read, which makes me think that while the read head must be metal, it
doesn't have to be in contact with the card to work.

------
gruez
>... those that fit in the EMV slot (chip reader) and those that wiretap the
physical communication line.

What's the point of wiretapping the emv chip? Isn't EMV supposed to be immune
to skimming?

~~~
Crosseye_Jack
The full sentence is

> External devices can be attached as card reader overlays, deep-inserts
> inside the magnetic stripe slot, those that fit in the EMV slot (chip
> reader) and those that wiretap the physical communication line.

I believe the "those that fit into the EMV slot" and "those that wiretap the
physical communication line" are two different types.

A skimmer in the EMV slot can still skim the mag-stripe. Wiretapping the
communication line is used when the ATM/Payment terminal uses poor security
between it and whatever it's connected to.

~~~
bradknowles
Except an insert into the chip reader slot isn't a full insert of the entire
card, and so they're not going to get the full mag stripe.

Now, if they don't need the full mag stripe, then you've got a problem. But I
don't think that mechanism would work for most skimmers.

~~~
Crosseye_Jack
Some of the card dip style readers do have a full card insert. Examples would
be the in shop ATMs that prevent the card from being removed (so they can
query the chip).

------
javadocmd
Better than hoping your customers are carrying their own detection device,
build such a detection mechanism into the rear of the card slot and have it
periodically "sweep" itself.

------
Daniel_sk
There is a clever solution to this from a bank in Slovakia (Tatrabanka), you
can use their mobile banking application to generate a one-time numerical code
for the withdrawal. So you can just generate the code and enter it on any ATM
that is owned by this bank. You don't need to have the card with you (and you
can forward this code to your wife for example). Also 100% of cards in Europe
are also protected by PIN, so simple skimmers won't work.

~~~
tjoff
PIN does not protect you from skimmers... Everything you need is on the
magnetic stripe, PIN is only needed if you use the chip - which an attacker
obviously wouldn't.

The whole concept of chip+pin is pretty pathetic considering that the magnetic
stripe is still there for backwards compatibility.

And now with wireless cards it is even less secure than a magnetic stripe.

~~~
rocqua
I've seen you claim wireless cards are really insecure a few times in this
thread. I was wondering about a source, and about the mechanism.

Certainly, using rather basic NFC smart card technology, all but on-line
attacks _could_ be eliminated. My question is then, what kind of
low-protection protocol do they use in practice to make this so insecure.

Specifically, I am asking about an offline attack that allows an actual spend
the bank would accept. I am also only interested in debit cards (because that
is what I have) so just reading a CC number from NFC doesn't bother me.

~~~
Crosseye_Jack
My "Party trick" when NFC payments were newish in the UK was using a pair of
Nexus S phones in a relay attack.

I would say to a friend "I bet I can buy the next round using your card, if I
can you buy the round if not I'll buy the round" Get them to place their
wallet with their card in it on the table with one of my phones near the
wallet and I would present my other phone to the reader at the bar.

At the time the bar I did it at had public wifi without Wireless Isolation so
I could use the bar's wifi as a low latency connection between the two phones
but back then the tolerances on the timings would allow you to do it with a
decent mobile connection. (At one point you could just get a Nexus S custom ROM
already set up for this replay attack).

It was more of a party trick as you had to have close proximity to the payment
card as it was just a relay attack and the banks limited NFC transactions to a
max of £20 which the banks would cover (it's been bumped up to £30 these days or
more if you auth with biometrics like with Apple Pay if the store permits the
transaction).

I believe NFC payment terminals these days have tightened up the timings of
card reads to make such relay attacks more difficult.

~~~
rocqua
Yeah, active attacks are where PIN-less NFC gets really scary. That said, just
losing such a card is also scary.

It amazes me how timing makes it possible to detect this kind of stuff.

~~~
Crosseye_Jack
I've never been asked for a pin when using NFC payments (if you don't count
the times I've used my phone) but I mix my card transactions up all the time
between cash withdrawals, Chip and Pin payments and NFC so I guess the "ask
for a pin counter / algo" gets reset when I use a pin in Chip and Pin / ATM.

I believe that after so many NFC payments (without resetting the count) or try
and make a purchase over £30 they ask for a pin and my bank will cover any NFC
payments on a lost card as long as you make them aware of the loss within a
reasonable time period. So personally I'm not too worried about losing my NFC
card. They know it's not a perfect system (is anything perfect?) so limit their
loss by restricting the amounts used on such cards.

EDIT: Esp as a lost card could be used for online transactions as they have
the CVV (as they have the card) and losing your card prob means losing your
wallet and prob your driving license with your address on it (almost
everything a bad actor needs to make an online purchase, just got to hope that
Verified by Visa / Mastercard SecureCode kicks in).

~~~
rocqua
I actually need the PIN for any payment over €25, which can still be done with
NFC. Besides that, I'd say I still need to enter my PIN for small payments
roughly once every 2 weeks.

~~~
Crosseye_Jack
I believe the "purchase over £30" in the UK is dependent on the store. Instead
of asking I've just used Chip and Pin for such transactions. But yeah never had
the "enter your pin" for small NFC payments. Guess the bank thinks I'm a low
risk :-p

(Now I've said it I bet the next time I use NFC it will pester me for a pin
:-p)

~~~
rocqua
In the Netherlands, it's something along the lines of "Every x payments, you
need a PIN". I'd guess that any payment with PIN resets the counter.

I was discussing with colleagues how smart the interval is. Perhaps the bank
is doing some anomaly detection to inform whether a PIN is needed.

------
therealmarv
I can block the whole magnetic stripe from my smartphone app (Revolut, EU).
This whole system (magnetic stripe) is flawed and totally outdated.

~~~
nullify88
While you can tell Revolut to block transactions that use the magnetic stripe,
it doesn't physically disable the stripe, so they can still pull your data
from it which may be enough for them to carry out an attack.

------
swsieber
... is there any way to destroy the mag strip on a card with a chip?

------
adam-a
I'm curious how the detector isn't triggered by normal card readers. Surely
legitimate untampered readers are reading the magnetic strip too?

~~~
doctorless
They mention that if there is a tampered reader, the read is triggered twice.
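
The mechanism quoted earlier in the thread (a metal read head bridging etched traces), archi42's worry that randomised card movement passes the head over the detection spot more than once, and this "triggered twice" answer can be tried out in a small simulation. This is an added example, not the paper's or the thread's code: it assumes the card's traces are segmented so the controller learns which segment is bridged at each sample, and the motion profiles and head positions are constructed.

```python
"""Toy model of the thread's 'measurement card' detector.

Constructed example, not the paper's or the thread's code. Assumed model:
the etched traces are split into 1 mm segments (index 0 at the leading
edge) and a metal read head bridges the segment directly under it.
"""
import math
from typing import Sequence, Set

CARD_LEN = 20  # constructed card length in 1 mm trace segments

def bridged_segments(depth: float, heads_mm: Sequence[float]) -> Set[int]:
    """Segments touched with the card `depth` mm into the slot, heads at `heads_mm`."""
    hit = set()
    for h in heads_mm:
        seg = math.floor(depth - h)  # segment currently under this head
        if 0 <= seg < CARD_LEN:
            hit.add(seg)
    return hit

def sample_run(motion: Sequence[float], heads_mm: Sequence[float]):
    return [bridged_segments(d, heads_mm) for d in motion]  # one insertion

def naive_contact_count(samples) -> int:
    """Count 'circuit closed' events at one detection segment (0). A single
    head re-triggers it when the ATM jogs the card back and forth."""
    n, prev = 0, False
    for s in samples:
        now = 0 in s
        if now and not prev:
            n += 1
        prev = now
    return n

def max_simultaneous_heads(samples, head_width: int = 1) -> int:
    """Heads touching at the same instant; segments no more than
    `head_width` apart count as one head. Jogging cannot inflate this."""
    best = 0
    for s in samples:
        heads, last = 0, None
        for idx in sorted(s):
            if last is None or idx - last > head_width:
                heads += 1
            last = idx
        best = max(best, heads)
    return best

def skimmer_detected(samples, legit_heads: int = 1) -> bool:
    return max_simultaneous_heads(samples) > legit_heads

# Constructed inputs: card depth per sample (mm) and head positions (mm).
SMOOTH = list(range(30))                                          # steady pull-in
JOGGED = [0, 1, 2, 3, 4, 5, 6, 5, 4, 5, 6, 7, 8, 7, 6, 7, 8, 9] + list(range(10, 30))
LEGIT = [5.0]         # the ATM's own head, 5 mm inside the slot
SKIMMED = [2.0, 5.0]  # plus an overlay head 3 mm in front of it
```

With a jogged legitimate insertion the naive count reaches 3 and would flag a skimmer, while the simultaneous-contact count stays at 1; the two-head run gives 2 under both methods.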

------
Tor3
Please someone... Why on earth are there still ATMs with magnetic stripe
readers in some countries?

Where I travel I don't run into those anymore. Because if I did it wouldn't
work - I've found that with enough magnetic stripe cards in the wallet they
effectively de-magnetize each other. I currently have exactly one (very new)
VISA debit card with a functioning magnetic stripe, which I use for parking
only, as there are still a few very old magnetic stripe machines around. The
other cards can't be read. (Someone could put a pinhole camera on the parking
lot reader... doesn't matter, as no pin is entered. Cost is up to ~a dollar or
so, so they don't bother with the pin.)

