
All About ATM Skimmers - qiqing
http://krebsonsecurity.com/all-about-skimmers/
======
pwang
What I don't understand about this is... why don't ATMs just put a damn
motorized door in front of the card reader slot, or alternatively stick out a
tray that you put the card in. The door approach makes it so that the thief
has very small time window in which to install the skimmer. The tray approach
can make it so that a simple internal image of the empty tray can determine if
anything is ever left on it which is out of whack.

Yes it costs a little bit more, but CD-ROM drives have been doing both of
these approaches for ages, and it would make the installation of a skimmer
reader much, much harder.

~~~
jzzskijj
Better yet, if only the USA banks would finally get to this millennium and
start using chip-and-pin cards. Then there would be no need for this nonsense.
My European credit card still has a magnetic stripe just because I might go to
USA. In this side of Atlantic Ocean many stores, bars, gas stations etc. have
a card reader in which the card goes only a few centimeters in to read the
chip.

~~~
deathanatos
> Better yet, if only the USA banks would finally get to this millennium and
> start using chip-and-pin cards. Then there would be no need for this
> nonsense.

What about a chip-and-pin card prevents a skimmer from either monitoring or
emulating the radio conversation between the card and the terminal (and thus
capturing the card number) and another keypad skimmer from capturing the PIN?

It seems to me that the problem is that everything required to conduct a
transaction is handed to every merchant and/or untrusted machine of the
merchant. (Compare to public key cryptography, where I remain in possession of
a private key.) What about chip-and-pin changes that situation?

~~~
sargun
Chip and pin cards use public key cryptography. From my understanding, you
would have to provide the PIN code to the device to first unlock it, and then
you could verify the authenticity of the card by reading a public key, which
identifies the card (and is used in transactions), and providing some nonce
for it to sign for offline verification.

They also require the pin code to start the process, so you would have to skim
that as well.

In addition to this, in the online scenario it can interact with the payment
provider's servers to provide security.

The combination of these methods make rapid stealing of EMV cards difficult.

More info here:
[http://www.emvco.com/download_agreement.aspx?id=653](http://www.emvco.com/download_agreement.aspx?id=653)

~~~
oceanofsolaris
Can you actually read the public key from the card? A secure system should
sign the transaction on the chip, so even a manipulated machine could not
steal the card data.

~~~
dfox
Card's and issuer's public keys can be read from the chip, but these are not
directly relevant to actual transaction signing.

Even if these keys was relevant, the important part is that they are public
keys, not private keys. You cannot get card's private key from the chip by
normal means (ie. without doing something that is classified as attack, be it
side-channel, physical inspection or exploiting some firmware bug/backdoor).

------
blindfly
Couldn't they just avoid all this fuss if you insert your card horizontally?

~~~
eloisant
What do you mean?

~~~
pliny
Imagine giving the ATM a high-five.

------
ZanyProgrammer
One of the more interesting ways of protecting ATMs that I've seen in the Bay
Area is that (this applies more to bank branches) instead of ATMs being built
into a wall and facing the outside, like they normally do, you need to swipe
your ATM card to be allowed access to the room that the ATMs are located in.

~~~
michael_h
That's what one of the examples pointed out [0]. They just put the skimmer on
the door instead.

[0] [http://krebsonsecurity.com/2011/01/atm-skimmers-that-
never-t...](http://krebsonsecurity.com/2011/01/atm-skimmers-that-never-touch-
the-atm/)

------
leni536
Just put a smart card chip and the pin code entering mechanism on the card (or
authentication token. It doesn't necessarily need to be a "card"). This way
you don't have to trust the ATMs. (Or any other device you don't control. How
many times do you buy stuff using your credit card?)

~~~
artr
Commonwealth Bank in Australia does something like that. They have a feature
in their iOS/Android app that lets you withdraw cash without a card. It
generates a code on the phone and also sends you a 4 digit code via sms. Then
you enter both codes to their nearest atm. Good for when you've forgotten your
card or the atm looks dodhy.

------
chippy
So what's the best way to inspect the ATM before use?

