Hacker News new | comments | show | ask | jobs | submit login
ATM Skimmers (krebsonsecurity.com)
88 points by tomse 1607 days ago | hide | past | web | 75 comments | favorite

A while ago I split my primary bank account into several different accounts with different purposes. One, that gets the bulk of my paycheck for bills/mortgage, gets autodrafted. I never do ATM withdrawals from this account. A certain amount is autodeposited into savings for which I have no ATM card whatsoever. A secondary checking account gets a much smaller slice of my paycheck and is used exclusively for ATM withdrawals for pocket cash. (I use Simple, btw, which is quite nice.)

An unintentional side effect of this system is that it also minimizes the risk posed by ATM skimmers, since I don't keep much in the ATM account.

Yes, I started doing this as soon as I got a debit card after two of my friends were beat up to surrender their pin numbers. One of my friends was held for 7 hours in a tunnel by a thug while his pal was busy taking as much cash as possible and when the limit was reached he started buying expensive, easy to sell goods. He lost all of his money. I learned my lesson from his very traumatic experience.

"my friends were beat up to surrender their pin numbers. One of my friends was held for 7 hours [...] He lost all of his money."

That's horrible. Not to try to minimize, but something doesn't sound right, though (in the US). Risk of loss on debit cards should be up to $50, if you notify your bank within the first 48 hours, under the Federal Electronic Fund Transfer Act.[1]

[1] https://en.wikipedia.org/wiki/Debit_card#United_States

It's not a debit card transaction, it's an ATM withdrawal.

I met some partygoers in Budapest once who told of a similar tale.

They went into the wrong bar apparently, and upon leaving were told that they forgot to pay the cover charge. Which was $100 a head apparently.

So they grabbed one of the men and literally started beating him in front of the partygoers until they all emptied their debit cards into the ATM at the door of the club.

It took 7 hours for the thugs to reach the daily ATM maximum limit? How do you buy expensive goods with an ATM card? That sounds completely bogus to me.

Mobile phones where not so common at the time ( circa 1995, Portugal), so the guy holding him couldn't tell how much money was in the bank account and how long his "partner" would take to empty it.

Large transactions are more difficult to pull than smaller ones and I guess the guy was sampling the limits of the card with reasonable sized chunks.

But to rationalize the actions of a heroin junkie is hard and I won't try.

Shit, that's scary.

I've never had any traumatic experiences like these, but I always picture myself seeking revenge.

How did your friend cope with the anger?

This was back in the middle 90's. Here's the full story:

My friend was working out of town in a suburb of Lisbon and had to take a train everyday in the reverse flow ( commuters were coming in to the center, he was going out ) so the train was pretty empty one day and he was alone in the carriage.

Two guys walk in, sit next to him and one of them produces a dirty syringe, says he has HIV and that the my friend better cooperate or else.

They escort him out on the next station and go into the tunnel where the syringe guy held him for all that time.

For the next few days he was completely paranoid and he had a friend in the police who tried to find the robbers but unfortunately they couldn't.

"All is money" at the time ( he was 19 ) was around $3000 in today's money, and the bank didn't help ( it wasn't a credit card ). He had no form of insurance either.

He was always a very shy and inward person and that episode made him much more so.

But the years have passed and now he is quite normal and has become a really good 3D artist.

I haven't met him since I left Portugal but I guess he doesn't like to talk about this episode.

Another friend of mine was beaten up when he refused to give his pin and two other friends just gave it without resistance.

This is why I always have just enough money for daily expenses on the card bank account. It means I have to constantly top up that account which could be another security problem but at least if I am confronted with a violent situation I'll just give my stuff away and minimize my risk of physical damage.

[EDIT] Actually I was just on his website looking at his recent work and maybe he was more affected than what I imagined.

I do this as well, mostly because I do a lot of third world traveling and it's easy to get your card cloned. I only keep $500 in the checking account linked to my debit card, and the rest in a savings account that I can transfer money from instantly. I did have my card cloned once and this technique saved many thousands of dollars from being spent. I would have recovered it all eventually but it takes weeks and it would be a disaster while on the road.

I do the same thing. It helped when I did get skimmed. Looking back the card slot was slightly wobbly. Now I always check. My credit union contacted me the same day, hours after the skimmage and everything was taken care of practically instantly.

Having this setup really helped when my card was skimmed. I received a call from my bank asking if I had anything to do with attempting to purchase some very expensive train tickets in Sweden. They tried to make a large purchase, and when the card was rejected they tried to make a smaller one - but still over the small amount I had in the account.

And that's why we use chips instead of magnetic strips nowadays.

For a longer list, see: https://krebsonsecurity.com/all-about-skimmers/

The one with the keylogger-featuring keypad is what has me most worried, someone could rob me of my card a bit later. Then again, they might as well rob my card and demand the code, having someone else try it while keeping me at gunpoint. Yeah guns are outlawed here, but that doesn't mean they don't have 'em.

Crypto is cool, until you mention physical security. Obligatory: http://xkcd.com/538/

I live in a European country where chips are common. Yet, about one year ago I encountered a skimming device (I ripped it off and brought it to the cops). Unless magnetic strips are completely disabled (domestically and abroad) the security issue is still there.

Incidentally, one of my banks by default blocks all use of Maestro (the European debit card system) outside of the Eurozone. You have to activate use of Maestro abroad on a trip by trip basis. One of my other banks automatically blocks credit cards used in the United States unless preceded by cash withdrawal at an ATM.

How do chips solve the problem? From my understanding, a man-in-the-middle scanner can gather enough information about query-responses to simulate the chip. This was one of the big problems identified with RFID chips embedded in passports because all a criminal would need to do is brush by other travelers with his skimmer.

I've seen two different kinds of reports:

* Some banks cards were vulnerable due to faulty crypto. The banks phased those cards out.

* Attacks based on a malicious PIN pad logging the PIN code, then feigning a chip error and telling the user to fall back to the magstrip, thus turning to traditional skimming.

I haven't read anything that attacks the chip itself on current cards. Do you have any links?

edit; Just found http://en.wikipedia.org/wiki/EMV#Vulnerabilities

edit2: Wikipedia TL;DR: There are two currently-relevant attacks:

* One lets attackers trick a terminal into initiating a PINless transaction in order to use a stolen card. This information is sent to the issues as part of the authentication, so a bank could deny all PINless chip charges if they wished (I'm not sure what cases this legitimately used in?), plus there's a clear trail that the cardholder isn't liable.

* The latest attack tricks the card into downgrading to an older, plaintext method of transferring the PIN from the terminal to the card, allowing the PIN to be skimmed. I'm not sure how this is useful in recreating the card to steal money.

There's some evidence that the first attack was used in the wild, but the banks deleted the logs showing whether a PINless transaction took place so the customers were found liable for the charges.

To make matters worse, after C&P rolled out some banks would just flat out refuse to reimburse cardholders for fraudulent charges. They claimed the system was bulletproof and if fraud did happen, then it was the cardholder's fault: http://en.wikipedia.org/wiki/Chip_and_PIN#Banks.27_liability

Unfortunately it's regular practice to say that things are bulletproof and airtight :/

The chips are sophisticated and powerful enough to setup an SSL/TLS session to the bank if needed. Just like with SSL/TLS, if it's designed correctly, intercepting the traffic between the card and POS/ATM is useless.

I haven't been able to find very much on this in a few evenings that I searched for info on it, but from what I've been able to find I'm quite sure that it's possible to do. The chips give a boolean response as to whether the PIN number is correct and lock themselves after 3 attempts. Combined with the knowledge that 6 pins (=6 parallel bits) are used for 4 digit PIN numbers (log(10^4)/log(2)=14bits), you can deduce that it must have at least persistent storage and computational capabilities. A complete Von Neumann machine. This makes it feasible to implement algorithms like RSA and AES (asymmetric and symmetric encryption) on the chips. The POS/ATM then provides power and a connection to the desired bank, and all should be fine.

I don't really think they are that good to connect to the bank directly, but the idea that the chip is capable of this kind of crypto makes me feel better than with magnetic strips.

They are "sort of" connecting to the bank - the idea is that the card issues an authorisation token w. the amount and other info, signs it with the private key, and then the merchant sends it to the bank which may approve or deny the transaction.

The chip is authenticated with a public/private key challenge/response. The private key is never sent to the ATM; the chip actually runs a very small program/system that can generate the correct response to the challenge using its private key. The chip is powered by the contact with the ATM.

Physically how would you perform a man-in-the-middle? I think you're confusing the chip-and-pin chip (EMV) with an RFID chip.

EMV is a contact system that requires physical metal pins to touch multiple contacts on the top of the chip itself.

No, it can't. The chip works with a challenge/response system (and this only works after the pin is input to the chip)

What happens is that they clone the magnetic strip, so sometimes that and pin is enough to produce a card that does withdraws.

Ah yes, the rubber-hose cryptanalysis: http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

I've yet to see a card where all the required information to clone the card isn't available on the strip too, have you?

I just wish banks had the option to get a card without a magstripe. I could use the chip-only card for day to day stuff and only use the magstripe when I travel to the U.S.

You can easily demagnetise it, with even a kitchen magnet [0].

[0] http://lifehacker.com/5780617/how-to-prevent-yourself-from-o...


And then your card is useless when in a place that only reads the stripe (like, that uses Square)

The European competitor to Square uses the chip. And I already suggested to keep a separate magstrip card for traveling to less developed countries.

kalleboo was asking about getting a card with no magstripe, so I assume he's OK with that

You can clone a "magnetic card" from a chip card - it's magnetic stripe will be identical, but you won't have the private key of the chip.

And afterwards, if the bank knows that it is supposed to be a chip-capable card; and the location (country) is supposed to be chip-capable, then all mag-stripe transactions are rejected even if the "all required information" is correct.

The banks could do this, but in general they don't seem to - it's too annoying for their customers when the chip is covered in dirt, a bit damaged, whatever.

Good point, I hadn't thought of that. I suppose I should call my bank and ask them. But how do I know what they're saying is true? Usually when you call support (never tried calling a bank) you get some blonde that tells you nothing except that "everything is secure!"...

On the other hand, the card doesn't slide all the way in anymore. Just far enough so that it sticks and it can read the contacts, so at least they can't grab all the information on it.

There also is the technique of completely replacing an ATM in say a mall. Read about that one a couple times. Some ATMs in convenience stores and even retail chains like Walgreens and CVS already look sketchy enough.

A couple years ago someone brought a fake ATM into Defcon.

I'd also like to point out that it was placed there by local criminals, not the conference attendees. It was however discovered by the attendees and the hotel was notified and the offending ATM was turned over to police.

Were these the most idiotic criminals of all time?

"Hey, Bob! Let's place our ATM skimmer right in the middle of a bunch of FBI goons and security experts!"

This is an epidemic at gas stations in Southern California. I've been nailed by skimmers in LA, and a lot of my friends have too. My girlfriend refuses to use the debit cart option at Arco gas stations for fear of her card info being stolen again, and its a legit concern.

They're impossible to spot unless you plan on trying to pry off the front of every payment kiosk, which as far as I know most banks and gas stations frown upon...

I always jiggle the reader with a bit of gusto before I use an ATM. All of the ATMs that I have found have been sturdy enough that I don't worry about damaging them.

I do too, but having never seen a skimmer, I'm not sure how effective this is. The slots are often loose enough to jiggle, though not loose enough to seem fraudulent.

there certainly has to be a method that could be devised to prevent this type of fraud. Visually a lot could be done that should foil someone looking to attach a skimmer.

From continuous images, seamless faces to make it obvious something is added on, to screen based keyboards. I am sure a lot of thought is put into it. I would hazard that the losses are not sufficient to fix it.

I agree completely. For a bank ATM I'm sure that they have a lot to lose from skimmers, as it affects their customers' accounts. But for a gas station, a generic ATM do they really stand to lose much from the skimmer? They still get your money. And in many cases I'm suspicious that its shifty gas station employees, store clerks that are installing these things in the first place. Who else has the time to go and study the layout of the card reader, maintain it and retrieve the data etc without getting caught? The only way there is going to be a real change is with legislation in my opinion

Yeah my first thought on reading the article is that if enough actors cared about this they would redesign the standard for card readers so that the card goes flush into the reader without any protrusions (some are already like this) and then market this fact so that machines that aren't flat are viewed with suspicion, but I'm sure the costs to replace all the machines out there and do the marketing would be enormous at this point, and you would need buy-in from a ridiculous amount of companies so it is unlikely to happen.

It could happen if pushed by the companies that make the ATMs, rather than the banks.

I can confirm this, I live in Southern California and I have had multiple cards stolen. I try not to use my card anymore but always remembering to get cash from the bank is really inconvenient.

The only time you should ever use your PIN number is when it's absolutely required to complete a transaction. That means at ATMs, getting cash back at a retail store, or purchasing certain items like money orders or prepaid credit cards. NEVER use your PIN outside of these transactions. It increases your risk significantly.

At Arco they only accept debit. I would never use a debit card if I could avoid it. There are much more protections and insurance on credit card transactions, but if money comes out of debit, its gone.

I had no idea. Any particular cities/areas in particular? (I live in LA.)

Burbank, Orange County, El Segundo.. hard to tell tho because you don't find out till later

Just today I was in the test lab for the ticketing machines at the transport company I work for. Our machines being unattended and often in public spaces, skimming is a real concern (and it has happened to me personally).

The solution? Adding a plate with random bumps to each machine, and also adding a contraption infront of the card slot into which you place your card and then slide it in (see http://blog.webwereld.nl/wp-content/uploads/2009/08/nspas.jp... ). This last solution seems to be patented BTW.

I seem to recall that some banks (in Estonia??) will mail you a piece of paper with a list of single-use PIN numbers. Use one, mark through it. When you get close to running out, they mail you a new list.

This used to be standard practice for internet banking here in Germany, but not for cash withdrawals or debit card use.

I seriously doubt this method is ever used for that, as it would massively increase the risk when your card gets stolen (along with the PIN list you'd have to keep on hand). Additionally, I don't think it would work with international payment/withdrawal networks like Maestro.

Some banks do RSA ids, and you have to punch the right number in at the time of withdrawal.

A search on Google didn't pull much up for me on which banks offer this. Do you know which banks off hand?

Charles Schwab will issue a two factor device for online banking, but it is not required for withdrawals AFAIK.

I always tug at the card reader on the ATM to make sure it doesn't come loose.

What I don't understand is why don't ATMs in Europe use chip and pin yet? All the stores do. That would solve this problem.

> Why don't ATMs in Europe use chip and pin yet?

Many of them do - one security feature is to have the ATM pull the card very, very slowly into the slot whilst oscillating them to prevent skimmers reading the mag strip, as it's no longer required (unlike the US, nearly all ATMs here in the UK feed the card in automatically, rather than manually dipping it). If you're not used to this you might think the machine was on the way out.

Even with ATMs that support EMV (chip and PIN) you still run into the problem that a) ATM design inherently involves pushing the card into something, which could allow the mag stripe to be raed, and b) as long as there are ATMs and places that don't use EMV then there's always going to be a way to get money out / buy product with cloned cards.

I had an ATM card eaten in London on vacation because I couldn't recall the PIN.

That was a weird moment.

It's interesting that they use a chip reader internally, but

> you still run into the problem that a) ATM design inherently involves pushing the card into something

Makes that moot. Interesting about the card readers that wiggle the card in, I think I've seen one or two of those. I wonder how hard that is to defeat with a more intelligent skimmer (wheel to measure how fast the card is moving to compensate?).

Heh, I didnt know about the automatic feeding, I always get annoyed that these ATM's are slow and old.

If you suspect a skimmer, be aware that the person operating the skimmer might be close-by and not too pleased to see you take it apart.

Very unlikely.

Sometimes the real card readers will pop off easily when tugged. You can also check for pinholes for cameras, and cover the holes up with gum.

> why don't ATMs in Europe use chip and pin yet?

Most if not all of them do. But the cards still have the mag stripe to be compatible with ATMs all over the world that don't - and those are where the cloned cards are then used.

This is pretty scary stuff, I mean fuck, every time I see a story like that I can't help but be amazed at how incredibly insecure the services of credit card companies are, and how hypocritically they behave at every single step about security.

It's an arms race, never throw in the big guns if you want to stay ahead. I'm no expert, but this is ain't rocket science. Suppose the insurance company covers $256K worth of damages, it's useless to add more security when the damages total $192K. The insurance company would periodically (or rather sporadically) evaluate their claim requirements (ATM must have grade X lock, must weigh at least Y tonnes, etc.) and adjust for common risks (according to past cases). Between upgrading the contract to cover more risk and implementing security measures, the latter will probably have a better cost-benefit. The costs saved not doing anything beyond the minimum helps their bottom line and potentially you as well (albeit indirectly), by offering you a better deal (i.e. slightly lower interest rates) than their competitors.

This may not be exactly how the system is set up, but I think I'm not too far off.

Article dates from 2010. Title should be revised to note this.

I want to thank HN for possibly saving my arse. During my lunch break, I put some gas in my car. During the fill-up, I noticed the anti-tamper stickers on the pump were all broken. I paid it no mind, finished the fueling, bought some lotto tix with cash, then left.

Came back to my desk, fired up HN, and read the article upon which we are commenting. Simmered in paranoia for a little while, then called up my bank and told them my card might have been compromised. New card with new number on the way.

Now just have to remind myself to check my transactions until the new card arrives.

I'm surprised this is new to HN. The article is from 2010 and ATM skimmers have been around for 15+ years. They've become significantly more sophisticated over time. Back when I was involved with this stuff 9 years ago most people were making skimmers you had to hook up with a USB cable to get the data. Now people are using cell phone hardware to transmit the data automatically.

See previous discussion on "How is an ATM Secure"

Original article:




You should ALWAYS put the hand over the other one while you type the PIN number. At least your PIN typing is not going to be recorded. It's something.

The standard skimmer "online kit" options include also replacement keypads - a thin (1mm) overlay over the real keys that record your physical keypresses.

2011 story. Can somebody downvote this? Gah.

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact