
ATM Skimmers - tomse
http://krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/
======
msluyter
A while ago I split my primary bank account into several different accounts
with different purposes. One, that gets the bulk of my paycheck for
bills/mortgage, gets autodrafted. I never do ATM withdrawals from this
account. A certain amount is autodeposited into savings for which I have no
ATM card whatsoever. A secondary checking account gets a much smaller slice of
my paycheck and is used exclusively for ATM withdrawals for pocket cash. (I
use Simple, btw, which is quite nice.)

An unintentional side effect of this system is that it also minimizes the risk
posed by ATM skimmers, since I don't keep much in the ATM account.

~~~
yeureka
Yes, I started doing this as soon as I got a debit card after two of my
friends were beat up to surrender their pin numbers. One of my friends was
held for 7 hours in a tunnel by a thug while his pal was busy taking as much
cash as possible and when the limit was reached he started buying expensive,
easy to sell goods. He lost all of his money. I learned my lesson from his
very traumatic experience.

~~~
frenchman_in_ny
"my friends were beat up to surrender their pin numbers. One of my friends was
held for 7 hours [...] He lost all of his money."

That's horrible. Not to try to minimize, but something doesn't sound right,
though (in the US). Risk of loss on debit cards should be up to $50, if you
notify your bank within the first 48 hours, under the Federal Electronic Fund
Transfer Act.[1]

[1] <https://en.wikipedia.org/wiki/Debit_card#United_States>

~~~
InclinedPlane
It's not a debit card transaction, it's an ATM withdrawal.

------
lucb1e
And that's why we use chips instead of magnetic strips nowadays.

For a longer list, see: <https://krebsonsecurity.com/all-about-skimmers/>

The one with the keylogger-featuring keypad is what has me most worried,
someone could rob me of my card a bit later. Then again, they might as well
rob my card and demand the code, having someone else try it while keeping me
at gunpoint. Yeah guns are outlawed here, but that doesn't mean they don't
have 'em.

Crypto is cool, until you mention physical security. Obligatory:
<http://xkcd.com/538/>

~~~
wschroed
How do chips solve the problem? From my understanding, a man-in-the-middle
scanner can gather enough information about query-responses to simulate the
chip. This was one of the big problems identified with RFID chips embedded in
passports because all a criminal would need to do is brush by other travelers
with his skimmer.

~~~
kalleboo
I've seen two different kinds of reports:

* Some banks' cards were vulnerable due to faulty crypto. The banks phased those cards out.

* Attacks based on a malicious PIN pad logging the PIN code, then feigning a chip error and telling the user to fall back to the magstripe, thus turning to traditional skimming.

I haven't read anything that attacks the chip itself on current cards. Do you
have any links?

edit: Just found <http://en.wikipedia.org/wiki/EMV#Vulnerabilities>

edit2: Wikipedia TL;DR: There are two currently-relevant attacks:

* One lets attackers trick a terminal into initiating a PINless transaction in order to use a stolen card. This information is sent to the issuer as part of the authentication, so a bank could deny all PINless chip charges if they wished (I'm not sure what cases this is legitimately used in?), plus there's a clear trail that the cardholder isn't liable.

* The latest attack tricks the card into downgrading to an older, plaintext method of transferring the PIN from the terminal to the card, allowing the PIN to be skimmed. I'm not sure how this is useful in recreating the card to steal money.

~~~
makomk
There's some evidence that the first attack was used in the wild, but the
banks deleted the logs showing whether a PINless transaction took place so the
customers were found liable for the charges.

------
ck2
There also is the technique of completely replacing an ATM in say a mall. Read
about that one a couple times. Some ATMs in convenience stores and even retail
chains like Walgreens and CVS already look sketchy enough.

~~~
tlrobinson
A couple years ago someone brought a fake ATM into Defcon.

~~~
match
I'd also like to point out that it was placed there by local criminals, not
the conference attendees. It was however discovered by the attendees and the
hotel was notified and the offending ATM was turned over to police.

~~~
blhack
Were these the most idiotic criminals of all time?

"Hey, Bob! Let's place our ATM skimmer right in the middle of a bunch of FBI
goons and security experts!"

------
rwhitman
This is an epidemic at gas stations in Southern California. I've been nailed
by skimmers in LA, and a lot of my friends have too. My girlfriend refuses to
use the debit card option at Arco gas stations for fear of her card info being
stolen again, and it's a legit concern.

They're impossible to spot unless you plan on trying to pry off the front of
every payment kiosk, which as far as I know most banks and gas stations frown
upon...

~~~
Shivetya
There certainly has to be a method that could be devised to prevent this type
of fraud. Visually a lot could be done that should foil someone looking to
attach a skimmer.

From continuous images, seamless faces to make it obvious something is added
on, to screen based keyboards. I am sure a lot of thought is put into it. I
would hazard that the losses are not sufficient to fix it.

~~~
georgemcbay
Yeah my first thought on reading the article is that if enough actors cared
about this they would redesign the standard for card readers so that the card
goes flush into the reader without any protrusions (some are already like
this) and then market this fact so that machines that aren't flat are viewed
with suspicion, but I'm sure the costs to replace all the machines out there
and do the marketing would be enormous at this point, and you would need
buy-in from a ridiculous amount of companies so it is unlikely to happen.

~~~
p0ckets
It could happen if pushed by the companies that make the ATMs, rather than the
banks.

------
joelhaasnoot
Just today I was in the test lab for the ticketing machines at the transport
company I work for. Our machines being unattended and often in public spaces,
skimming is a real concern (and it has happened to me personally).

The solution? Adding a plate with random bumps to each machine, and also
adding a contraption in front of the card slot into which you place your card
and then slide it in (see
<http://blog.webwereld.nl/wp-content/uploads/2009/08/nspas.jpg>). This last
solution seems to be patented BTW.

------
chiph
I seem to recall that some banks (in Estonia??) will mail you a piece of paper
with a list of single-use PIN numbers. Use one, mark through it. When you get
close to running out, they mail you a new list.

~~~
srik
Some banks do RSA ids, and you have to punch the right number in at the time
of withdrawal.

~~~
thesis
A search on Google didn't pull much up for me on which banks offer this. Do
you know which banks offhand?

~~~
kniht
Charles Schwab will issue a two factor device for online banking, but it is
not required for withdrawals AFAIK.

------
kalleboo
I always tug at the card reader on the ATM to make sure it doesn't come loose.

What I don't understand is why don't ATMs in Europe use chip and pin yet? All
the stores do. That would solve this problem.

~~~
objclxt
> _Why don't ATMs in Europe use chip and pin yet?_

Many of them do - one security feature is to have the ATM pull the card very,
very slowly into the slot whilst oscillating it to prevent skimmers reading
the mag stripe, as it's no longer required (unlike the US, nearly all ATMs here
in the UK feed the card in automatically, rather than manually dipping it). If
you're not used to this you might think the machine was on the way out.

Even with ATMs that support EMV (chip and PIN) you still run into the problem
that a) ATM design inherently involves pushing the card into something, which
could allow the mag stripe to be read, and b) as long as there are ATMs and
places that _don't_ use EMV then there's always going to be a way to get money
out / buy product with cloned cards.

~~~
nutate
I had an ATM card eaten in London on vacation because I couldn't recall the
PIN.

That was a weird moment.

------
dreen
This is pretty scary stuff, I mean fuck, every time I see a story like that I
can't help but be amazed at how incredibly insecure the services of credit
card companies are, and how hypocritically they behave at every single step
about security.

~~~
brokenparser
It's an arms race, never throw in the big guns if you want to stay ahead. I'm
no expert, but this ain't rocket science. Suppose the insurance company
covers $256K worth of damages, it's useless to add more security when the
damages total $192K. The insurance company would periodically (or rather
sporadically) evaluate their claim requirements (ATM must have grade X lock,
must weigh at least Y tonnes, etc.) and adjust for common risks (according to
past cases). Between upgrading the contract to cover more risk and
implementing security measures, the latter will probably have a better
cost-benefit. The costs saved not doing anything beyond the minimum help their
bottom line and potentially you as well (albeit indirectly), by offering you a
better deal (i.e. slightly lower interest rates) than their competitors.

This may not be exactly how the system is set up, but I think I'm not too far
off.

------
dredmorbius
Article dates from 2010. Title should be revised to note this.

------
squozzer
I want to thank HN for possibly saving my arse. During my lunch break, I put
some gas in my car. During the fill-up, I noticed the anti-tamper stickers on
the pump were all broken. I paid it no mind, finished the fueling, bought some
lotto tix with cash, then left.

Came back to my desk, fired up HN, and read the article upon which we are
commenting. Simmered in paranoia for a little while, then called up my bank
and told them my card might have been compromised. New card with new number on
the way.

Now just have to remind myself to check my transactions until the new card
arrives.

------
driverdan
I'm surprised this is new to HN. The article is from 2010 and ATM skimmers
have been around for 15+ years. They've become significantly more
sophisticated over time. Back when I was involved with this stuff 9 years ago
most people were making skimmers you had to hook up with a USB cable to get
the data. Now people are using cell phone hardware to transmit the data
automatically.

------
GFischer
See previous discussion on "How is an ATM Secure"

Original article:

<http://security.stackexchange.com/questions/32917/how-is-an-atm-secure>

Comments:

<https://news.ycombinator.com/item?id=5421864>

------
kaoD
You should ALWAYS put the hand over the other one while you type the PIN
number. At least your PIN typing is not going to be recorded. It's something.

~~~
PeterisP
The standard skimmer "online kit" options include also replacement keypads - a
thin (1mm) overlay over the real keys that record your physical keypresses.

------
fluxon
2011 story. Can somebody downvote this? Gah.