Shimming: the newest con for stealing credit card info from ATM machines - Julie188
http://www.networkworld.com/community/node/63544

======
wmf
This doesn't work in the US because we don't have smart cards.

Edit: My point stands that _this particular attack_ does not exist in the US
and people don't need to worry about it. Existing precautions against
magstripe card skimming are adequate.

~~~
iheartmemcache
What? It's even easier in the US. Credit card data is just text. Hook up a
magstripe reader to a PIC and go to town (literally hah). People have been
doing it for years especially at gas stations and seedy bars where it's too
dark to notice/patrons are too drunk to care.

[http://www.identitytheft.com/article/identity_theft_gas_stat...](http://www.identitytheft.com/article/identity_theft_gas_stations)

~~~
kqr2
Since US cards are "dumb", the ATM doesn't need to send PIN information to it.
The ATM card # can be stolen; however, that's not enough to complete the
transaction.

~~~
gbrindisi
Talking about old mag stripe cards, the system used to authenticate the
transaction is this:

1. The account number is encrypted in DES (or a variant) with a _PIN key_;
the cryptogram is then decimalized and the first 4-5 digits extracted to obtain
the so-called _natural PIN_.

2. The user can then change his PIN by using an offset: user PIN + offset =
natural PIN.

3. Account number and offset are stored in the card.

4. The ATM knows the PIN key (which is a shared key common to all the ATMs
in the system of a certain bank) and when a card is inserted the ATM calculates the
natural PIN from the account number. Then it verifies the PIN number: if user
PIN = natural PIN + offset then SUCCESS.
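
The scheme sketched in the comment above is the IBM 3624 PIN-offset method; the following is an added worked example (not from the thread or any bank), following step 4's convention that customer PIN = natural PIN + offset, digit-wise modulo 10. Because Python's standard library has no DES, the block cipher is replaced by a labelled stand-in (HMAC-SHA256 truncated to 8 bytes); the PAN, PIN key and decimalization table are constructed sample values.

```python
import hashlib
import hmac

# Default IBM 3624 decimalization table: hex digits 0-9 map to themselves,
# A-F map to 0-5. The table is a configuration parameter of the scheme and
# HSMs treat it as sensitive, because odd tables leak information about PINs.
DECIMALIZATION = str.maketrans("0123456789ABCDEF", "0123456789012345")


def block_encrypt(pin_key: bytes, block: bytes) -> bytes:
    """Stand-in for DES-ECB under the PIN key (assumption: no DES in the
    standard library, so HMAC-SHA256 truncated to 8 bytes plays the role
    of the 64-bit cryptogram)."""
    return hmac.new(pin_key, block, hashlib.sha256).digest()[:8]


def validation_data(pan: str) -> bytes:
    """Pack 16 PAN digits into 8 bytes (rightmost 16 digits, zero padded on
    the left). Real deployments define their own validation-data rule."""
    digits = pan[-16:].rjust(16, "0")
    return bytes.fromhex(digits)


def natural_pin(pan: str, pin_key: bytes, length: int = 4) -> str:
    """Step 1: encrypt the account number, decimalize the cryptogram and
    keep the leading digits."""
    cryptogram = block_encrypt(pin_key, validation_data(pan)).hex().upper()
    return cryptogram.translate(DECIMALIZATION)[:length]


def add_offset(natural: str, offset: str) -> str:
    """Digit-wise addition modulo 10, no carry: customer PIN = natural + offset."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def offset_for(natural: str, chosen: str) -> str:
    """Step 2: the offset written to the card so that the customer's chosen
    PIN verifies (digit-wise subtraction modulo 10)."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def verify_pin(pan: str, pin_key: bytes, offset: str, entered: str) -> bool:
    """Step 4: the ATM recomputes the natural PIN from the account number,
    applies the offset read from the card and compares with the entered PIN."""
    expected = add_offset(natural_pin(pan, pin_key), offset)
    return hmac.compare_digest(expected, entered)


if __name__ == "__main__":
    # Constructed sample values: a well-known test PAN and a made-up PIN key.
    pan, pin_key = "4111111111111111", b"constructed-pin-key"
    natural = natural_pin(pan, pin_key)
    offset = offset_for(natural, "4321")  # stored on the card beside the PAN
    print(natural, offset, verify_pin(pan, pin_key, offset, "4321"))
```

Note that the offset on the card reveals nothing about the PIN without the bank's PIN key, which is why skimming the stripe alone is not enough to pass the check.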

------
JoelB
From my understanding of smart cards, I don't see how this is possible.

Communication between the card and the reader is typically done using
encryption with a Diffie-Hellman key exchange with a man-in-the-middle
resistant protocol. You would need to attack whatever encryption algorithm is
being used, which is non-trivial even with physical access. You would need to
either perform differential power analysis attack or a timing attack or attack
a weakness in the algorithm.

Seeing as how one of the primary purposes of smart cards was to eliminate
skimming and similar attacks, I can't fathom why any reader would ever be
created that didn't support session encryption. Why use a chip if it's
basically the same as a magnetic stripe? I'll plead ignorance on the workings
of the European debit system as I'm Canadian and we're just getting smart
cards now.

Does anyone have a better source than the linked article?

EDIT: Never mind, apparently the security was broken a while ago:

[http://www.cl.cam.ac.uk/research/security/banking/nopin/oakl...](http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf)

------
adorton
Interesting, but how could collected data be retrieved? Could a wireless
transmitter be built to fit on this 0.1mm card?

~~~
wmf
Perhaps the thieves return later to remove the shim and its data.