

Hacker serving 5-year sentence invents ATM add-on to prevent theft - abdophoto
http://arstechnica.com/information-technology/2013/05/hacker-serving-5-year-sentence-invents-atm-add-on-to-prevent-theft/

======
scoot
It's a nice idea (inserting the card widthways), but it's completely over-
engineered. It's never going to be used as a retro-fit - it looks too much
like a skimmer. In fact, if they became commonplace, it would make fitting
skimmers that look like this device so much easier than trying to hide a
skimmer in a discrete housing.

Instead, allowing the card to be inserted widthways, and pulling it into the
ATM as normal, then within the ATM read the card either by moving it sideways
into a normal card reader (so that the card moves left, rather than forward),
or more likely, a reader where the head moves across the magstripe as the card
is held in place.

Anyway, as has been pointed out by another poster, chip-and-pin makes
magstripes effectively obsolete, I imagine the magstripe is only included for
backwards compatibility.

~~~
jvdh
In the Netherlands they're already outfitting ATMs and other credit machines
with addons on the outside. Most ATMs also display a picture on the screen of
what it's supposed to look like. So no, it's not that over engineered I think.

On the other hand, because of the moving parts involved it is probably going
to be much more expensive. And with the current chips on the card already, I
don't think the banks are going to invest in those things as it simply will
not provide them with enough ROI.

~~~
tinco
Even better, the Dutch railways (NS) employ an add on that requires you to
insert your card sideways, and then push it in. Solving the problem in the
same fashion, yet not requiring any weird over-engineered rotation system.

See here: [http://blog.webwereld.nl/wp-
content/uploads/2009/08/nspas.jp...](http://blog.webwereld.nl/wp-
content/uploads/2009/08/nspas.jpg)

------
quackerhacker
Nice innovation. Being a convicted hacker myself and serving time in a federal
camp, I give him credit for wanting to make amends, that is definitely an
awesome motivation...not buying the part about being happy about being caught
(forced intervention), since I know from experience and people I've met.

I understand being liberated, starting your consequence (the nickel sentence),
and feeling hope of change when your out....but to simply put it...."happy,"
is a strong word. I know this may come off as semantics, but when you talk
about 5yrs of someone's life, happiness does not come to mind.

~~~
bradleysmith
Thanks for the post, I was wondering how someone else having been through
similar circumstances would have felt about someone being 'happy' to be
caught.

All said, it probably gets him a similar recognition from ATM mfg'rs &
business people as an advanced degree, no? Couldn't a certain type of mind see
an arrest like this as a badge of honor or starting sales platform to build a
career in security?

That's an honest question. Arrest records seem to be a death sentence in so
many professional industries, and the 'reformed hacker' professional seems to
be a real identity for some professionals. How hard was it to find work after
your run-in?

~~~
quackerhacker
The conviction can get notoriety in the security field, but as any criminal,
black hat hacker, or just coder will tell you....it's ALL trial and error.
Where a conviction may benefit someone is if they are doing their own
business...as far as employment.

An employer may be hesitant to hire a criminal simply for the liability they
presume over their employee. I can get a job fairly easy in coding since I
have no restrictions on computer usage and some employers are amazed by my
crime (google my name Michael Largent), but I'm a little different than maybe
this individual (I get anxiety attacks sometimes).

As for me and employment, I've been through interviews some employers in the
field will offer me a position, but coding is more of a hobby to me than a
profession. I run my own business, because my conviction affects my self-
esteem though...so I can't speak for others. I'm an awesome coder, but am
afraid of rejection, so sometimes I won't apply for a job or I'll pass on a
job offer.

~~~
DavidChouinard
I was intrigued by your background. Since you invited us to Google your name,
I hope you don't mind my posting this here:
<http://www.wired.com/threatlevel/2008/05/man-allegedly-b/>

~~~
quackerhacker
Don't mind at all. I just don't want to thread jack the OP.

To get back on topic a little bit. I understand how he could want to make
amends for what he's done, I do coding, algorithms, and websites usually for
free and help others with any questions they may have that I have an answer
for, but the PR being portrayed here is that he is "happy," to be caught.

The quoting words just sounds like he's trying to capitalize on a conviction
(example: who did the video rendering? and I've seen this done ALOT
inside)...not that there's anything wrong with using your circumstances to
your advantage, but just careful with the wording.

------
abcd_f
Clever. Won't survive in the field though, sorry.

ATMs have metallic keypads and as few moving parts as possible for one simple
reason, which is vandalism. People will hit and break ATM display in anger,
because it didn't register their touch selection made with a hotdog. They will
break, bend, twist and pull apart anything that as much as hints that it's
possible. Something that swings 90 degrees and requires reasonably precise
alignment of moving parts to work - that's just asking for it.

~~~
uptown
I think this design might work better if the pivoting part were moved internal
to the ATM. It'd avoid vandalism, and maintain the benefit of the sliding
behavior occurring along a path inaccessible to the skimmer. The obvious
downside to such a design is that you'd need to replace all of your ATMs which
is why, I'm assuming, this design included the pivot mechanism on the outside.

------
orofino
I'm sorry, but don't smart cards completely obviate the skimmer issue? Aren't
they widely used in Canada and Europe?

I'm not terribly knowledgeable in this area, but I thought this was a solved
problem being held up by corporate interest in the US.

~~~
mpyne
The smart card I have requires only a PIN, and that PIN can be intercepted by
suitable hardware can it not?

~~~
dan-bell
I've heard of pinhole cameras being used in card skimming operations where PIN
numbers are required.

~~~
jonknee
That doesn't do anything for a chip and pin card. You need the chip too.

~~~
norse1
Here in the uk they skim your card, create a replica and use a pinhole camera
to get your pin.

~~~
icebraining
As far as I know, you can't skim the chip. In the EMV system, the private key
is only accessible to the internal "CPU", not the reader.

------
deskpro
Why are ATMs not 100% flat with 3 holes - for a keypad, note delivery and a
hole for the bank card to go in. A skimming device can then not be added
without making it very obvious the ATM has been altered.

An ATM could also have a video camera installed that monitors the area where
the card is entered - if something changes the ATM does not work and a warning
message is displayed.

~~~
Cakez0r
That wouldn't stop somebody from adding a flat facade over the whole ATM.

~~~
willvarfar
I've seen ATMs in the Netherlands that have a semi-transparent backlit plastic
facade so its very obvious if anything is stuck on the front.

------
michaelmartin
Like other readers have said, the real step forward in this area would be chip
and pin. That raises a potentially more interesting question though, how do
you transfer a country the size of the US from swiping to the chip and pin?

Even here in the UK, where absolutely everywhere that uses a card is using the
chip, a bank can't ditch the magnetic strip because then suddenly they're the
only bank where you can't use your credit card abroad.

Would ATMs that read the chip without actually taking the card in the whole
way work to obsolete these skimmers? (The chip is always at one end of it, so
why does the rest of the card need to enter the machine?)

~~~
kalleboo
> how do you transfer a country the size of the US from swiping to the chip
> and pin?

Well most of the rest of the world transferred without too many hitches, why
would the US be any different?

I've seen a few chip readers in the US, but none of them have been active.

------
minikites
I don't know much about the mechanical implications of this, but why not move
the sensor instead of the card? Put the card in longways first, halfway in.
Motorized sensor moves across card to scan it. There wouldn't be enough room
left over for a skimmer that would still allow the ATM to read it and even if
there was a skimmer, it makes the skimmer that much more expensive, since it
would have to have a motor too.

I assume it would just be prohibitively expensive.

~~~
joezydeco
Some ATMs are designed to hold and keep the card if it's known to be stolen or
too many PIN attempts fail.

------
famousactress
That's really pretty clever. Watch the video for clarity on the design. It's
silent, in case that was stopping anyone.

------
yason
But chip cards already sidestep the problem of skimming.

You only insert half of the card into the chip reader slot and, for what I
remember or could imagine, let the ATM exercise some challenge-response
protocol with the on-card chip so that there's no way to and there would be no
point in actually trying to copy the chip because all you see from the chip is
an interface to it.

I haven't had the magnetic stripe on any of my cards swiped for at least a
couple of years. Last time I did was probably because of dirt or grease on the
chip's contacts prevented reading it. The magnetic stripes still exist for now
but everywhere I go there are chip readers, from pizza restaurants to little
shoppes.

------
driverdan
I came up with a similar idea years ago but I'm not interested in creating
hardware. This needs to be built into the machine, not a bolt-on. The machine
itself needs to only accept cards in horizontally.

------
r00fus
I agree with a comment in the story - we need a better framework that actually
supports non-replayable (ie, one-time) codes being transferred.

If Blizzard can give keyfobs to gamers for auth, why cant banks include that
in tech for ATMs?

More and more I think corruption and fraud are the likely reasons - those are
features the establishment wants to support, not prevent... they can profit
from all of it.

~~~
icebraining
_If Blizzard can give keyfobs to gamers for auth, why cant banks include that
in tech for ATMs?_

Well, banks here in Portugal do offer one-time authorization codes, either by
SMS (default) or keyfob, but only for online operations, not in ATMs.

That said, a Chip and PIN solution prevents (in theory) this problem, since it
can actually authenticate the transaction by providing a cryptographic
signature, without ever exposing the private key to either the ATM or any
skimmer.

------
atleta
I remember reading about a solution where the ATM would move the card back and
forth while pulling it in (maybe even reading it at the same time, but it's
not even necessary), preventing the skimmer from successfully reading it.
Sounds like a better solution to me. (The problem with chips are, at the
moment, is that the magnetic stripe is still used. So if they can read it then
the card is stolen.)

------
scorcher
If I saw a big metal thing attached to the front of an ATM I would run a mile.
The turning mechanism really needs to be inside the ATM.

------
Already__Taken
I'd be surprised if this got implemented as it only costs the bank money
without moving any more liability onto you.

~~~
mpyne
Banks already are liable for much of the fraud that would result from skimmed
PIN or credit card data, so stuff like this would help the bank directly.

------
umsm
I don't know if the design is effective... what prevents anyone from
installing a skimmer on/within this device?

~~~
anonymoushn
Current skimmers need a horizontal swipe to read. This device requires the
user to insert the card in the wrong orientation for the skimmer. The device
holds onto the magnetic strip end of the card while it rotates, so it's not
possible to skim after the device has performed the rotation. It's not clear
how difficult or easy it is to make a skimmer that reads a card that is swiped
vertically, though.

~~~
umsm
But, think about if a criminal duplicates the design and screws it to the
front of existing / old machines? Most users will think that it's not a
skimmer but the "secure" device.

Also: Place the skimmer to the LEFT most portion of the horizontal hole. The
card is the rotated and pushed past the skimmer as it's inserted into the
machine :)

~~~
anonymoushn
> Also: Place the skimmer to the LEFT most portion of the horizontal hole. The
> card is the rotated and pushed past the skimmer as it's inserted into the
> machine :)

The non-magnetic part of the card is pushed past the skimmer...

------
sogjis
Here we have this simple solution:
<http://y.delfi.lv/norm/11865/2112354_9nb3eA.jpeg>

Fitting skimmer over this seems impossible.

------
badclient
This seems pretty obvious. I can't imagine folks whose job it is to build
these machines to not have hopped onto this idea. This raises the question
what's the downside of these?

~~~
jonknee
The moving parts have to be a big downside. If US banks really thought
skimming was a problem they would just implement chipped cards. Right now it's
apparently cheaper to not rely on a chip and deal with all the fraud that
comes with it.

------
chemcoder
looks like modern day Frank Abagnale Jr. to me. Only thing is it has a lot of
moving parts. I think more maintenance and power issues. Hope they work out
the case when the machine fails in middle of operation. People will break this
add on in that case.

------
borplk
this is quite genius. from the text it's not clear but video makes sense.

------
joering2
Can someone change the title. It should be "Criminal serving 5-year sentence
puts white hat on and invent ATM theft prevention device".

