

Would you have spotted the fraud? - ax0n
http://www.krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/

======
ShabbyDoo
Given how entrenched the ATM card standards are, it will be hard to make
fundamental changes to improve security. If one could replace all ATMs in
existence, one obvious solution is to issue RNG cards. Perhaps, to make them
easy to use, the challenge/response could be electronic à la the "Java Ring"
technologies (from TI) advocated by Sun a decade ago.

What could be done given that the fundamental use of an ATM machine (put in
card, type in PIN) can't be changed overnight?

On machines capable of displaying pictures, users could be shown what the
insertion slot ought to look like so they could compare.

A shroud could be placed over the keypad to reduce the viewing angles
available to a pinhole camera.

Could smart phones be used to provide a "have something" security model? Let's
say you paid $0.25 less per ATM transaction if you used your bank's iPhone app
to generate a unique pin for every visit.

What else could be done simply?
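The "have something" model described above (a phone app producing a one-time PIN for every visit, the issuer checking it) is essentially a counter-based one-time password. The following Python example is added here to illustrate that exchange; it is not code from the original post or from any bank. It implements RFC 4226 HOTP (HMAC-SHA1 over an 8-byte counter, dynamically truncated to 6 digits) and a hypothetical issuer-side verifier that accepts each PIN once and tolerates a small look-ahead window in case the user generated a PIN and never used it. The shared secret is the RFC 4226 test-vector secret, used only so the values are reproducible; a real deployment would provision a per-card secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (constructed demo value, not a real card secret).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    # Take 4 bytes at the offset, clear the top bit, reduce modulo 10^digits.
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class PhonePinGenerator:
    """The 'something you have': keeps its own moving counter (hypothetical app)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_pin(self) -> str:
        pin = hotp(self.secret, self.counter)
        self.counter += 1
        return pin


class IssuerPinVerifier:
    """Hypothetical issuer-side check run when the ATM forwards the typed PIN.

    Each counter value is accepted at most once, which is what defeats a
    skimmer replaying a captured PIN. A small look-ahead window absorbs PINs
    the user generated but never typed (a skimmed PIN is useless once the
    issuer has moved past its counter)."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0  # lowest counter the issuer will still accept
        self.window = window

    def verify(self, candidate: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                # Consume this counter and any skipped ones below it.
                self.next_counter = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through one visit, a replay of the same PIN, and a skipped PIN."""
    phone = PhonePinGenerator(DEMO_SECRET)
    issuer = IssuerPinVerifier(DEMO_SECRET)

    first = phone.next_pin()
    accepted_first = issuer.verify(first)      # genuine visit: accepted
    replayed = issuer.verify(first)            # skimmed copy replayed: rejected
    phone.next_pin()                           # user generated a PIN, never used it
    accepted_skip = issuer.verify(phone.next_pin())  # still within the window
    return {
        "first_pin": first,
        "accepted_first": accepted_first,
        "replay_accepted": replayed,
        "skip_accepted": accepted_skip,
        "issuer_next_counter": issuer.next_counter,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The look-ahead window is the trade-off to tune: a wider window is friendlier to users who generate and discard PINs, but it also widens the set of values an attacker holding an old capture could try, so issuers typically keep it small and rate-limit failed attempts.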

~~~
praptak
> What else could be done simply?

A simple thing that is actually being done: ATMs pulling in the card with a
randomly changing speed. This makes it very hard for the skimmer to get a
reliable reading. The actual reading by the ATM is done during the second
phase, inside the ATM.

~~~
tptacek
That's something companies like JPMC and Citi are doing. But there are tens of
thousands of crappy Tranax deli-style ATMs out there that aren't going to
change.

~~~
TeHCrAzY
Interesting, I called my bank about this annoying "feature" and was told it is
for security reasons, but never understood why (and they were unwilling or
unable to inform me). Enlightening. This functionality is very common in
Australia, at least in Sydney.

------
ajross
Simple answer: almost certainly not. That article inspired me to audit the
last few months of my checking account. Scary.

------
ShabbyDoo
Another thought... When someone steals account information using such methods,
it is unlikely that the ATM owner/operator is the one held responsible for
losses. After all, it would be really hard to prove conclusively that it was
the fault of a particular ATM's lack of security that led to future thefts.
Perhaps a strong correlation could be shown, but the legal costs associated
with reimbursement likely outweigh the efforts, at least in the short term.

Do ATM owners have any incentive to prevent thefts? I suppose those who
process mostly the transactions of their own customers (BoA in SF, etc.) have
the greatest incentive as the problem is their own.

~~~
bruceba
I was just a victim of ATM fraud (presumably by skimmer) and according to the
detective who handled the police report, there is almost no cooperation from
banks and card providers. It is not in their interest that you know how much
fraud there is out there. I have heard figures of over 8-10% in the US. That's
a lot of overhead to be passing onto the consumer.

~~~
tedunangst
8-10% of what?

~~~
bruceba
Total transaction value of all ATM/credit card usage. Lots of money.

------
tiffani
I'm always terribly suspicious of ATMs--especially those off-brand ones that
pop up in random establishments that don't take debit cards nowadays. I
understand some businesses just don't want to pay the fees behind accepting
debit cards, but I'm increasingly becoming of the ilk where if you don't
accept debit/credit I'm not shopping with you. Sure, you have folks that will
handle your card and still do nefarious things with it, but at least you're
not walking up to a machine prone to this kind of thing.

And for the first skimmer, I'd be suspicious of why they had to put a diagram
to show you how to use what should be a universally understood sort of thing
now. Slot? Card. The others, no, I wouldn't have caught those. :\

~~~
aarongough
The 'diagram' was a plastic plaque designed to contain/hide the electronics
responsible for storing the skimmed data.

~~~
tiffani
I know. But, anyone should be suspicious of why that's even needed.

~~~
ciniglio
I think a slot for a credit/debit card isn't terribly intuitive, especially if
the reader only accepts one orientation of the magnetic stripe, in which case
a diagram is almost necessary.

There are readers that have asymmetric widths on the entry mechanism
(strangely worded, but looks like [1]). This is an extremely subtle hint
regarding the orientation (magnetic stripe goes with the wider part), that I
would imagine the majority of people don't pick up on.

You might also look at this article [2] to see that legitimate ATMs do offer
diagrams indicating the proper orientation of a magnetic stripe card.

[1] http://consumerist.com/images/31/2009/04/041909-008-shell-legit-card-slot-2.png

[2] http://consumerist.com/2009/04/heres-what-a-card-skimmer-looks-like-on-an-atm.html

------
rdj
I'm curious about the video monitoring on the machines that have been tampered
with. What do these security cameras normally see? Do the perps block the
camera so it can't see them installing their hardware? If so, couldn't some
program be written to determine that the image of a person is abnormal
(measure the amount of "whitespace" around a subject) and trigger some sort
of real-time alarm?

~~~
pavel_lishin
I don't think most of the video cameras on ATM machines are actually pointed
at the machine; they're designed to capture the user's face.

I would imagine that gluing a piece of plastic onto an ATM can look just like
a regular transaction - person walks up, looks at the screen while their hands
are doing something below.

~~~
TeHCrAzY
It likely would be difficult to do a transaction and modify the ATM at the
same time however.

------
sown
It depends how well glued solid it is.

Ever since I read about these a few years ago I got into the habit of pushing
and trying to move around parts of the ATM, like windows, the card reader,
brochure boxes, etc to see if they can come off.

Also, inspect by touch for places where a camera or stray wire could hide,
that are out of view, under perhaps a display sign, brochure box, on the upper
part of the keypad that might be hidden from view.

Also, use your other hand to cover up your fingers when entering your PIN.

~~~
thwarted
I wonder if there's a risk that some random bank security reviewer would
consider this to be tampering.

------
Confusion
I've started to pull and wiggle the card slot a bit before sticking the card
in. From these photos, I have the impression these skimming devices should be
a little 'looser' than the regular thing. However, it may be completely
useless.

My second countermeasure is screening the number pad with my hand while
entering my PIN. They can probably make out the PIN from hand movements, but
I'm hoping it'll be too much trouble for them and they will just move on to
the next, easier, target.

~~~
JacobAldridge
I've mastered the ability to type my PIN with three fingers all hitting
different buttons each time (but only one, and it differs for each number,
actually hitting it hard enough to register). With the right recording and
enough time I doubt it would stop a truly committed thief, but it makes me
feel safer.

If they crack that, the $20 I keep in my ATM account to prevent overdrawn
fees are all theirs.

------
enneff
My bank (ANZ) has new ATMs with prominent, translucent green housings around
the card slot that flash when the card is inserted or removed. It's a very
distinctive design, and one that I feel must have been crafted specifically to
mitigate these kinds of attacks.

~~~
villiros
I've noticed some newer ATMs around these parts started doing that as well.
However, it is of absolutely no use without associated customer education. The
machines don't even say "here is what the slot should look like, please check
it before entering your PIN." There were even reports of people calling the
police thinking this security feature was a skimming device, since it looks so
out of place and different from what's usually on the machines.

------
sjs
Here's a video that shows how easy it is for people to set these up.

<http://www.wimp.com/cashscam/>

------
visitor4rmindia
There is actually a very simple solution that a bank could use to mitigate
this issue - just send an SMS every time there is an ATM withdrawal.

I believe the bank I've just moved to (<http://www.kotak.com/>) does do this.
It sends me an SMS for every transaction done so far (I haven't used the ATM
yet).

------
andrewvc
That scared the shit out of me, because I'm a Citibank customer, and I live in
Woodland Hills. In fact, I just noticed that they just put a giant opaque
enclosure around their ATMs for privacy recently, wonder if this is why.

OC, luckily, I never actually use the Citi ATMs, thank god.

------
sid-
Well, Windows laptops have fingerprint scanners to log you in these days. So a
fingerprint scan and PIN ought to be enough?

~~~
litewulf
Revocation would suck though. And I understand you leave your fingerprints
everywhere you go, so it would probably be "easy" to steal.

------
rmorrison
Damn... time to change my PIN.

------
gcb
In Brazil almost all ATMs have negative inserts instead of positive ones.

<http://tadificil.files.wordpress.com/2007/05/caixa.jpg>

Instead of raising the sides, it usually has an insert in the middle for your
fingers.

Even though the raised ones are starting to pop up.

