
Inside a British Bank-Bombing Spree - mparramon
http://www.bloomberg.com/graphics/2015-atm-bombers/
======
djhworld
Fascinating read!

Also I'm really liking the use of different media that decorates/enhances the
article, whether it be the animated GIFs of footage, or interactive timelines
etc.

Was nice to see the credits at the end there too, with the developers and
designers getting a shout out for their contribution in putting the piece
together.

------
Nicholas_C
Great read.

>As far as anyone knows, there has never been a gas attack on an American ATM.
The leading theory points to the country’s primitive ATM cards. Along with
Mongolia, Papua New Guinea, and not many other countries, the U.S. doesn’t
require its plastic to contain an encryption chip, so stealing cards remains
an effective, nonviolent way to get at the cash in an ATM.

Would this really be the reason why there hasn't been a gas attack in the US?
Even if a criminal stole an ATM card they would still need a PIN. How does a
criminal get the PIN? Especially in a non-violent manner?

~~~
hga
Based on what I've read in e.g. Krebs On Security, one scheme is to add
hardware to an ATM that reads the magstripe data and photographs the person
tapping out their pin. I'm glad to say that even before I read of this my
general paranoia had me covering that process up ^_^.

Since our cards only have magstripes---heck, it wouldn't even matter if their
data was encrypted since this is a playback attack that needs something like a
challenge-response protocol a chip in a pin could implement---you just write
that data to other cards and have people go to ATMs and make withdrawals with
the fake cards and captured PINs.

Ah, yeah, for withdrawals from my major bank, I only use an ATM that's in a
retail establishment that's open 24x7. Compromise of it is unlikely when there
are so many others that are much much safer.

~~~
walshemj
Actually its the crappy ATM's not in banks that are more likely to get
targeted that's why I used the ones inside the banks branch whenever possible

~~~
hga
Well, this is one right outside a branch of its bank, all is part of the
retail establishment.

Although I'd agree with something related to your point, an ATM that's part of
a bank like mine or the ones you try to use are observed by bank personnel,
who you can hope will be a bit more suspicious of any physical changes to it.

------
marcosscriven
I look forward to the day the whole concept of getting pieces of paper from a
machine in a wall is looked upon as a vaguely amusing aspect of the past.

~~~
walshemj
ah so your the one fumbling with a credit card and holding every one up at the
bar when I want to get a round in.

Personally I like having access to cash reduces the attack surface for me when
compared to handing over my card for every transaction and DONT! get me
started on NFC credit cards that can be debited with NO interactinon

~~~
grecy
> _ah so your the one fumbling with a credit card and holding every one up at
> the bar when I want to get a round in._

Here in Canada I just tap my card on the machine and walk away - much, much
faster than trying to count out the right amount of cash, then waiting for
change, etc.

> _and DONT! get me started on NFC credit cards that can be debited with NO
> interactinon_

Let me guess, you also didn't like when it was possible to make CC payments
over the phone with no signature (!)

And you also didn't like when it was possible to make CC payments over the web
with no signature AND no actual human (!!!!!!)

Things progress, get with the program.

~~~
walshemj
You do know the Chaos Club in berlin demoed a nfc harvester years ago walk
through a crowd of unsuspecting commuters and take 5 pounds from everyone.

BTW I have developed a Paperless direct debit system so I do know what the
flip I am talking about.

~~~
zaroth
It's a risk, but you can fix it on the backend, away from the end-user. If
they were bitcoins then sure you need interaction for NFC. But credit cards
are a closed system on the merchant side, any new identity pulling only NFC
traffic would be very suspicious. NFC would always be an expected proportion
of overall captures. So it's simple to defend against this attack without
killing the feature.

------
oasisbob
3SI, a company which produces other bank security devices (eg, exploding dye
packs) claims to have methods to neutralize the explosive gasses in these
attacks:

[https://www.3sisecurity.com/products/agn](https://www.3sisecurity.com/products/agn)

I'd be very curious to know if/how this works. So far I haven't been able to
turn up patents or any technical details.

The Bloomberg article mentioned that no US ATM has been attacked in this way.
Must be tough to be a US-based company trying to sell a product to defend
against attacks that aren't common here.

~~~
Someone1234
If it was me, I'd buy off-the-shelf explosive gas detectors (which already
commonly exist) and when they went off instead of sounding an alarm I'd
release nitrogen or argon gas. Both are inert or inert for all intents and
purposes (as with nitrogen).

Inert gases are already used in fire suppression systems. Even if the
flammable gas was still flammable when mixed with our almost inert gases, its
would still likely slow down the burn and reduces pressure within the ATM/cash
point.

However there is likely a realistic limit on how much gas you'd store in the
ATM, so they could trick the system into pre-firing, wait a few minutes, and
then try again. So you'd likely want to set off the building's alarms to stop
such an attack vector (even assuming a 10 minute police response, they likely
cannot try the attack twice).

~~~
ratsbane
I was thinking along those lines too. A 46" high nitrogen tank holds around
125 cubic feet. As a wild guess, if an ATM contains 5 cubic feet of air then
you could completely change the air 25 times with one tank. Does that sound
reasonable?

------
fargolime
Liked the story!

> near–terrorist plofkraak squad

How terrorist in any regard? The word seems to be thrown around these days.

~~~
scintill76
Yeah, there's even this: "In Wirral, one team paused moments before attacking
the ATM when an oblivious citizen walked up. They hid as he made a transaction
and departed." Terrorists would have hurt the guy to, well, incite terror.
More hardened criminals might have killed him just to avoid "loose ends."
These guys sound downright friendly, by comparison.

------
contingencies
These criminals weren't too smart. To begin with, the risk/reward ratio on an
attack like that is pretty high. Repeated attacks in the same physical area,
even worse. Using people already known to police? Not so smart. And the icing
on the cake: involving lots of people!

------
philo23
Very interesting read, what's even more interesting to me is that the place
this article focused on is only around 10/15 minutes from where I live and I
had absolutely no idea this had ever happened!

