Schneier on Security
A blog covering security and security technology.
« Wrasse Punish Cheaters |
| Web Security »
January 21, 2010
Neat pictures. I would never have noticed it, which is precisely the point.
Posted on January 21, 2010 at 7:28 AM
• 39 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Without getting into an arms race about it, how does an ATM vendor eliminate this?
What I don't understand is why Banks make their ATMs with so many different looking parts, materials, colors and seemingly random protuding elements.
And that's just one individual machine, there are dozens of types each with variants of card-feeder, lighting elements, stickers and signs, money dispenser and so on.
Another thing: why still use that 70s magnetic strip when there are chip based systems that are much harder to read out and copy?
Let's face it: Banks just want to save money where they can and play the blame game, so in the end the customer pays for their shortcomings more often than not.
Here in Germany some people found out that there are up to 9 valid PIN for some DebitCards (unknown to the owners) and you can guess the PIN on ElectroonicCash-Card 6 times by switching from the chip to the magnetic strip (2 times 3 tries) before the card is deactivated.
And that just month after about 30 million ElectronicCash-Cards were rendered useless by a Y2010 bug, leaving customers stranded short on cash for weeks.
Why do we still have magnetic stripes on the ATMs is beyond me. All the cards I have, have a smartcard built-in, and in most cases, I'm actually using it through the smartcard.
I guess cards without a magnetic stripe would be way harder, if not practically impossible, to skim.
The Braille above the "Insert Here" text is something that would re-assure me it's really since the little details can often get missed (even though from what I can tell it isn't real Braille)
I would've noticed it. Skimming at ATM machines is so common in Germany now, that my first action at an ATM is to pull and push the card slot in any direction possible. The skimming device is usually not mounted by screws (as the ATM would notice that.) but by tape. So if you apply some force, any fake device would come off. Next to skimming the card, the gangsters also need your PIN (at least in Germany) to make use of the card. There are two options they achieve that. In the past, they attached a tiny camera to the ATM pointing at the keyboard and recording visually the numbers you put in. Nowadays they put a very thin, fake keyboard as an overlay over the real keyboard. The overlay keyboard will store the PINs. That's why my second act at an ATM is to try to dismount the keyboard.
In my opinion, ATM operators should provide a laminated picture of the untouched critical parts of the machines, so that a customer can compare the machine parts to the picture. The picture should be positioned so that it's impossible to set off the alarm of the ATM.
Yup I would not have noticed it except for maybe the thickness of the area containing the electronics.
A few years ago you could find these devices because the camera worked in the 2.5GHz band. A friend and I used to find them arounf tourist traps in London.
The thing is they work against Chip-n-Pin Plastic as well due to two reasons,
1, the default fall back is to mag stripe.
2, the banks refuse to say even in court if a transaction was on chip or stripe.
So watch out they are out to get you with the fastest rising "non investigated" crime around.
I saw many ATMs which have transparent card slot. I guess it is exactly counter skimmers measure.
Most of the ATMs in Switzerland now have card guides that are made of a solid block of plexiglass. Very effective against skimmers.
There's no way I'd have noticed it, and if I did I'd have put it down to adding the Braille making it more accessible.
On the Braille side... it always tickled me that the drive-thru ATMs in the US have Braille.
I probably would not have noticed it. Even if I did I probably would think my bank changed its ATM.
I do routinely cover my hand when typing in my PIN which might help counter the camera. The more powerful counter move is to go into the bank to get cash and to pay in cash at stores. However I recognize this is not a practical solution for everyone.
For some time I am considering scraping the magstripe off my Visa Electron that I use in ATMs only. All ATMs in my vicinity have chip readers.
What stops me still is the uncertainty of what would happen when the ATM's chip reader fails and it falls back to the nonexistent magstripe...
Talking about arms race: I guess this "funny formed" card reader slots (as the "real one" in the picture) have just been introduced to prevent phoney attachments. I always found it hard to tell, whether a given attachment is a skimmer or a countermeasure...
@Patrick G.: I know of at one fellow, who accidentally ripped of the countermeasure...
Last time I went into my bank to get cash I was told to go outside (to the ATM) to get it. When I explained the 4000 Euro I needed was slightly above my daily limit, the solution was simple. A temporary adjustment of the limit. And yes, in three goes (1500 per time I think), the machine spit out an amazing stack of 50 Euro bills.
@Patrick G. "ATMs with so many different looking parts, materials, colors and..."
I've wondered the same thing about POS devices like gas pumps. One pump I go to has two card slots and the software will ask you to confirm with both a push to the screen (yes/no) AND has yes/no buttons. I've speculated that this is to allow their customers to modify the device later (my gas station put in a car wash "do you want a car wash?" yes/no?)
@k "solid block of plexiglass"
I like this...
I've confined my cash withdrawls to my banks machines AT my banks. I am assuming (yes I know 'bout those) that banks are more aware of the physical state of their own machines.
Follow the update to the twitter pics...What I don't like is banks refusing to believe their customers are being defrauded and covering the loss. This is our fallback protection for CC abuse. Probably gonna have to pass a law before they'll take it seriously.
I typically only use bank ATMs, and all of my bank's ATMs card slots are flush with the rest of the ATM. You know, the kind that "eats" your card and you have to trust that it will spit it back out to you at end of transaction.
Anytime I see an ATM with an externally manipulable card input like this, I think about this kind of attack, but I'm not sure I would catch it. Honestly I look for human skimming more than automated. Thanks for the wake up call.
Incidentally, Bruce, this isn't the best way to tell you but Imperva quotes you in a "password practices" analysis report I read today. http://www.imperva.com/docs/...
And of course if it's (literally) an inside job, there's nothing to spot.
"In this case, somebody had placed devices inside gas pumps. Police believe the device intercepts information and sends the PIN number and other debit card information to someone with a laptop."
Here in Canada, at least on CIBC machines, the machines display the physical structure around the card slot ON THE SCREEN as part of the 'please insert your card' request, including an animation of the card going in. This is in addition to the fact that the surrounding structure is translucent plastic with LEDs lighting it up from behind. It would be difficult to change one of these and still make it look like the screen display. (Not completely impossible, of course, but difficult.)
It's probably just simpler to claim compliance with the Americans with Disabilities Act if you put Braille on all ATMs, whether a blind person has any likelihood of using them or not.
Being the slightly paranoid type, I've always grabbed the card reader and given it a little tug, just to make sure I'm not being spoofed. I have no idea whether it does any good or not.
Here in the Netherlands the machines display the physical structure around the card slot ON THE SCREEN as part of the 'please insert your card' request.
@Steve J: it is real Braille, but it's contracted Braille, which has additional symbols for common combinations of letters. The symbols in the picture, from left to right, are:
My bank in Brazil (Itaú) has been using only smart cards for a couple of years now. And you get to type your 6 digit password using a “injector function” like “Press here for 1 or 5” and so one. Even recording the screen once is pretty useless.
And no more ATMs around by themselves like in some hotel corner or even by the street. Now they are either inside a branch office under surveillance and access control (you have to swipe your card to get in) or some place under heavy traffic such inside a shopping mall. Before that some ATMs were actually stolen (the machines themselves, not just the money) so the bad guys could better study them.
In 2008 I was surprised to see in Toronto an ATM in a corner of a bar. Not only that, the wires - including the network wire - were easily accessible. I took a picture: http://rapidshare.com/files/338844530/...
I would never insert my card into one of those mousetraps.
Maybe it helps that in Brazil the banks are usually stuck with the bill for unauthorized uses so they are more carefull. Even credit cards companies (or merchants) are stuck with 100% loss of any contested purchase that they cannot positively prove.
Also ATM can don't give back chip based card :-)
I have a pretty simple process for detecting credit card fraud.
1. I get a daily email listing transactions that hit my account.
2. I compare the transaction each day to my receipts.
3. Any transaction that does not have a receipt, I investigate.
4. Any transaction I can't reconcile gets reported immediately.
Basically, in most circumstances, any unauthorized transaction will be reported the day after it hits an account as opposed to a month later when I get my statements.
Takes me about 30 seconds a day to verify the validity of each transaction on email.
Just curious, why do you do step 2?
The only reason I can justify that on a daily basis, is if you have a significant number of transactions everyday. If you don't, then it would seem like you should be able to account for the transaction from memory.
I'm not trying to start anything, just geniunely curious.
My wife will do that on a monthly basis because she didn't like my method of logging into the website every view days to see if anything looks odd and if not, then I assume the bill is correct. Yes, there's the risk of credit card fraud and web based attacks running concurrently, but I found that to be very low.
@AppSec: I'm not trying to start anything, just geniunely curious.
No, it's fine, it's a fair question.
1. My wife and I use the same credit card account, so I'm not always aware of every valid charge.
2. To verify the amounts equal the receipts.
There have been some cases where the receipt said one thing and a different amount was withdrawn. In one case, a waiter added a 20% tip that was not authorized.
I understand your wife's logic. I probably wouldn't do it every day if I had to log in, but with an email sent to me every day I find it too easy not to do.
I thought that might have something to do with it... Not to totally threadjack, but we went out with a group of people to a restuarant. Everyone but us paid in cash. I handed what was roughly $100 in cash to the waitress and my card. She handed the bill back and charged the complete amount on the card thinking the $100 was her tip... Which would have made sense if the bill wasn't around $130 (not including tip).
To bring it back around -- Charging tips has always scared me. I understand the "feeling" issue with requesting the amount before hand (not sure if that's the real reason or not), but it seems like adding it afterward is always going to lead to a your word against mine, especially since receipts aren't carbon copied anymore. Can you actually get a post tip receipt of the charge?
@AppSec at January 21, 2010 12:29 PM
I agree. Post tip receipts are not common, probably due to inconvenience. They print two copies, and it does become a you vs. them argument. The customer could put the tip on one, not on the other, and then argue it later, or make a mistake.
I don't think this is really threadjacking. Methods of credit/debit card abuse/theft/fraud are interrelated. What detects one may help detect the other.
The post-tip challenges are doable, mostly because the owner is interested in you coming back to their establishment.
I am not in the business, but I would venture that the company would eat the "tip", but keep very solid records on which employees have an uncanny number of "tips"
@RH: "The post-tip challenges are doable, mostly because the owner is interested in you coming back to their establishment. I am not in the business, but I would venture that the company would eat the "tip", but keep very solid records on which employees have an uncanny number of "tips""
I think most people who fraudulently inflate tips count on the cardholder not performing a close review.
Another thing I'm guessing happens is strategically transposing when it works in one's favor (if it's a $12.50 tip, plug it in as $21.50). Those small amounts add up and can be explained away easily, and may go unnoticed on the cards of big spenders who eat at restaurants that would result in that kind of tip.
I remember an audit once where an entity got nailed on spreadsheet "mistakes." The header would say commission is 0.145% but the fomula would read 0.154% for example. Several spreadsheets contained similar transpositions, always in the entity's favor. Coincidence? I've got beach property in northern alaska for sale.
"Here in Canada, at least on CIBC machines, the machines display the physical structure around the card slot ON THE SCREEN as part of the 'please insert your card' request, including an animation of the card going in. This is in addition to the fact that the surrounding structure is translucent plastic with LEDs lighting it up from behind. It would be difficult to change one of these and still make it look like the screen display. (Not completely impossible, of course, but difficult.)"
This is really the same thing as the banks sending out legitimate emails that looks like phishing, which they seem to do plenty of. A couple of years ago my bank sent out and posted on its website a note that the look of ATM card slots would soon change in the interests of security, and to watch out for skimmers. But they didn't include an actual picture, so when I encountered the first one with its flashing green lights I was highly suspicious. Putting a picture on the screen is cute, but I bet most non security-dudes don't make any real connection. Think about your average Windows user, and how much/little awareness they have of how the GUI should behave.
If banks really cared about the problem, they would specify that ATM vendors automatically detect the presence of attachments. Net cost would be
I’d be glad to furnish a design and I am sure many others would be as well (for a fee of course :=) ). The reality remains that so long as the losses can be absorbed as a cost of doing business and passed on as fees and the payment of lower interest rates, there will be no emphasis on fraud prevention of any kind (check fraud, mortgage fraud, etc.) beyond “theater” to mask the reality. In virtually all cases, without challenge, the losses are covered by the ATM provider The pain caused the customer in disruption to their life is largely ignored.
i thought, the new ATM have a jammer that makes reading the magnetic strip (nearly) impossible when the card is inserted. but it takes time and money to upgrade all ATM.
> On the Braille side... it always tickled me that
> the drive-thru ATMs in the US have Braille.
I *used* to think that was funny. Then I met someone who is legally blind and has a driver's license.
She's not totally completely blind in the sense of "everything is just black", but her vision is *severely* impaired, in ways that cannot be corrected with lenses. It's genetic. One eye has two pupils. She doesn't see out of that one at all, so you can guess what her depth perception must be like.
At the time I met her, she had a valid Indiana driver's license. She's since moved to Florida and has a driver's license there.
As for the skimmer, these are old news of course, but it's good to remind people, and I think the photos are especially helpful, since some people remember photos better than verbal information.
And yeah, it looks like a real part of the unit to me. If the person who posted the photo had switched the helpful labels, marking the one on the right (with the braille pad) as the real thing and the one on the left (just the card slot) as the piece that fits over top and does the skimming, I wouldn't have known any better.
Here in Australia there has a new twist emerged: The scammers exchange a credit card reader handset in a shop with a doctored one which sends all info to a nearby laptop. According to the police they have already taken 50 million AUD, mostly from people which pay for small amounts for instance at McDonalds.
Now why somebody would go to them at all and then pay with a credit card and not with cash I just don't understand.
I get all my cash as a so called 'cash out' when I do my weekly grocery shopping. I tell the cashier the amount I need, this is added to the bill and I pay the total in one go.
This is at one of the largest grocery chains in the country, but I still check my account online every 2 or three days as I only have about 700 AUD on it at any time, my bank sends me an automatic email if the amount is less than 500 AUD. Online transfer from my cash management account at the same bank takes 10 seconds.
My (Minnesota, US) bank has the ATM behind locked doors after hours -- you need a mag stripe card to get in.
Note -- I said "a" card, not necessarily the one the bank provides. I've used the mag stripe on various credit cards, my drivers license, and even bus transfers to unlock the door.
> On the Braille side... it always tickled me that
> the drive-thru ATMs in the US have Braille.
A blind person can use the ATM from the driver's-side rear seat.
@Derob: Last time I went into my bank to get cash I was told to go outside (to the ATM) to get it.
Why did the bank do that? If my bank told me that I would have a little chat with the branch manager about why my bank wasn't provided me with normal banking services.
outraged on your behalf
@AppSec: Another point to consider on the restaurant/cash/credit card thing is that you never know how the waiter/waitress cashes out your check if you are giving them cash and card (or multiple cards even).
Also it depends on the sophistication of the software on the POS terminal I think. I used to work for a food delivery service years ago and at least we had software sophisticated enough to allow us to split bills amongst mulitiple cards on the same order.
@Harry: Why did the bank do that? To cut costs!
I guess the bank simply has fired the cashier and sold the safe. Also it won't need to spend that much of security dollars if the cash is all gone... Only paperwork here, if you're for cash, go outside :-)
Ok, that was a bit tongue-in-cheek. The bank probably still wants to take some deposits, so cashiers are there to stay (or only some of them). But more and more banks start using one-way safes to stow deposited cash, timed safes to store cash to be withdrawn etc. and advertise it - to ward off robbers, and cut on security/insurance expenses.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.