Schneier on Security
A blog covering security and security technology.
November 24, 2010
New ATM Skimming Attack
In Europe, although the article doesn't say where:
Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects data on ATM fraud throughout Europe.
Posted on November 24, 2010 at 1:33 PM
I guess pretty soon they will stop issuing cards with magnetic strips. I can't remember the last time I had to use mine.
Seems like the mag strip will be around for a long, long time. Every self-pay gas pump and swipe-your-own-card pad in stores in my area (MN) reads the stripe. Only very recently have I seen a few of the proximity-reader capable devices, more than a year after Chase issued me (unrequested) a "Blink" card with an RFID chip in it.
Also see Brian Krebs' write up on the same EAST findings, with pictures http://krebsonsecurity.com/2010/11/...
Reminds me of that video about a "security measure" they attached to some payment terminals for the train in Holland.
People were not allowed to film or see how those devices were attached, and 5 min. later (when the woman is talking to the press how well it can prevent you from skimming) you see the device falling off as quickly as it was put on...
Nowadays I am jerking hard on the thing where I have to put my card in. If it falls off, then the machine is rigged.
Mag strips aren't the problem anymore - at least not at the point of skimming.
Mini cams are being used to not only read the long number and expiry date as it's put in the machine, but the PIN from the keypad too.
With those two you can duplicate a card, and use it anywhere (as shop readers still support mag strip - doh!), and use the pin.
If cards with chips had a long number prefix that made that only usable for CNP and PIN transactions, this would close the hole....but that would make the big assumption that C&P is about improving security.
All banks in Canada have switched to issuing Visas and Mastercards with Chip-and-PIN on them.
This is extremely annoying to me because it means that to use my card at stores with a Chip-and-PIN capable reader (thankfully not many--yet) I now have to remember another PIN thing, and enter it on their untrustworthy point of sale keypad.
Since it can't be used to secure internet transactions, and it still requires you to trust some device installed in a store or gas station with the PIN you enter, I can't see how this is any more secure than the old plain magstripe cards. In fact it seems less secure, because at least some customers are going to use the same PIN that they use for their *debit* cards, and that might make it marginally easier for thieves to compromise their account. Maybe they are trying to reduce petty fraud with it (i.e. the stolen-wallet kind of fraud), which I guess might be worthwhile, I don't know.
I do suspect part of the reason the card issuers have embraced Chip-and-PIN crap is to make it easier for them to shift liability for credit card fraud onto their customers. They will probably try to blame any compromise of the PINs on their customers, or something.
What we need is a hand-held device (could be credit card sized) that behaves in the following way:
1. User/customer attaches (via quick cable or wireless) their device to the merchant payment system.
2. Merchant payment system sends transaction data to customer device. This includes the amount of the transaction and information about the merchant/merchant terminal.
3. Customer reviews transaction information on their device.
4. Customer Device prompts customer to enter their authenticator (what you know).
5. Assuming authentication is successful, customer device hands the signed transaction data back to merchant terminal.
6. Merchant terminal sends signed data on to payment processor.
Of course, this system is costly. As we all know, it's just far cheaper for the Payment card industry to use heuristics to find suspect transactions and just eat the fraud that slips through the cracks.
"it now appears in some areas that those devices are being successfully removed and then modified for skimming"
[snark]Now THERE'S a shocking surprise![/snark]
I've always found those anti-skimming devices problematic. It's clear they aren't part of the machine, but we've been told that they're for our own safety and we should trust them. But there's no indication of what an anti-skimming thing is supposed to look like. It's a bit like undercover cops - or others showing a badge. Great you have a badge, so what? Did you get it issued officially, or buy it from the $2 shop?
Same deal with the ATMs - I can tell it's been modified, but not really whether the mod is legit or not.
Just Google the facts. See the fraud report from APAC UK. Black hole still in the USA due to cross-border transactions.
Everything here is chip and pin. I don't even have a mag stripe on my card.
That's sort of what an EMV card does in DDA and CDA modes. A bunch of dynamic data is signed by the card using its own key(s). Of course, in this case the user enters the PIN to the merchant terminal, not the card.
It sounds like this is a good step, but the merchant terminal cannot be a trusted device. As we see here, they can be easily compromised (by the merchant or other miscreant).
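The six-step customer-device protocol proposed a few comments up, and the EMV DDA/CDA comparison made here, as an added Python example; this is not code from the original post or from any of its commenters. It uses an HMAC keyed with a secret shared between the customer device and the payment processor as a stand-in for the card's signature key (a real design would give each card an asymmetric key pair so that neither merchant nor processor holds anything that can forge a signature), and every identifier, key and PIN in it is constructed for the demo. The merchant terminal's nonce plays the role of EMV's unpredictable number: the device signs exactly the data it displayed, so a compromised terminal that edits the amount afterwards, or replays an earlier authorisation, is rejected at the processor.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secrets. HMAC with a key shared between the customer device
# and the processor stands in for a per-card asymmetric signing key.
DEVICE_KEY = b"customer-device-key-demo-only"
CUSTOMER_PIN_HASH = hashlib.sha256(b"1234").hexdigest()  # constructed "what you know"


def canonical(tx):
    """Serialise the transaction deterministically so both sides MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class MerchantTerminal:
    """Steps 2 and 6: builds the transaction record and relays the signed result."""

    def __init__(self, merchant_id, terminal_id):
        self.merchant_id = merchant_id
        self.terminal_id = terminal_id

    def build_transaction(self, amount_cents, currency="USD"):
        return {
            "amount_cents": amount_cents,
            "currency": currency,
            "merchant_id": self.merchant_id,
            "terminal_id": self.terminal_id,
            "nonce": secrets.token_hex(8),  # fresh per transaction, like EMV's unpredictable number
        }


class CustomerDevice:
    """Steps 3 to 5: displays the transaction, authenticates the customer, signs."""

    def __init__(self, key, pin_hash):
        self.key = key
        self.pin_hash = pin_hash

    def review_and_sign(self, tx, entered_pin, customer_approves=True):
        # Step 3: the trusted display shows exactly what will be signed.
        shown = (f"Pay {tx['amount_cents'] / 100:.2f} {tx['currency']} "
                 f"to {tx['merchant_id']} at terminal {tx['terminal_id']}")
        if not customer_approves:
            return None
        # Step 4: the authenticator is checked on the customer's own hardware,
        # never on the merchant's keypad.
        if hashlib.sha256(entered_pin.encode()).hexdigest() != self.pin_hash:
            return None
        # Step 5: sign the displayed data and nothing else.
        tag = hmac.new(self.key, canonical(tx), hashlib.sha256).hexdigest()
        return {"tx": tx, "sig": tag, "shown": shown}


class PaymentProcessor:
    """Verifies the signature and refuses anything altered in transit or replayed."""

    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.seen_nonces = set()

    def authorise(self, card_id, signed):
        key = self.device_keys[card_id]
        expected = hmac.new(key, canonical(signed["tx"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            return "rejected: bad signature"
        nonce = signed["tx"]["nonce"]
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "approved"


def run_transaction(amount_cents, entered_pin, tamper_amount=False, replay=False):
    """Runs the whole exchange once; the flags simulate a hostile merchant terminal."""
    terminal = MerchantTerminal("ACME-COFFEE", "T-07")       # constructed ids
    device = CustomerDevice(DEVICE_KEY, CUSTOMER_PIN_HASH)
    processor = PaymentProcessor({"card-42": DEVICE_KEY})
    tx = terminal.build_transaction(amount_cents)              # step 2
    signed = device.review_and_sign(tx, entered_pin)           # steps 3 to 5
    if signed is None:
        return "device refused"
    if tamper_amount:
        signed["tx"]["amount_cents"] = amount_cents * 10       # terminal edits the amount after signing
    first = processor.authorise("card-42", signed)             # step 6
    if replay:
        return processor.authorise("card-42", signed)          # terminal resubmits the same authorisation
    return first


if __name__ == "__main__":
    print(run_transaction(1999, "1234"))
    print(run_transaction(1999, "1234", tamper_amount=True))
```

The point the example makes concrete: the merchant terminal is only a courier. Because the PIN check and the signature both happen on hardware the customer controls, a terminal that has been tampered with (the situation the EAST report describes) can refuse to serve, but it cannot learn the PIN, change what was authorised, or reuse the authorisation.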
Back in the 1970s I worked for Citicorp. We had a patented technology that used micro-holes embedded in the plastic cards. The card was read via a light beam, not via a mag stripe. We had mag stripes on the card so that other banks could read them. The cards were seriously difficult to counterfeit as one needed special equipment to manufacture them.
I believe the technology was offered by John Reed, only an EVP at Citi back then, to the credit card giants, MasterCard and Visa, but Bank of America, who controlled Visa, wanted nothing to do with technology they didn't invent and control. Hence, bank cards used mag stripes, which are simple to read, manufacture and alter.
To avoid having a camera view me entering my PIN, I cover my hand and enter the PIN by feel. So what did my bank do? They replaced the keypad with a smooth touch-sensitive screen. I can't enter the PIN by feel anymore.
@Phillip: The hard part about that is actually aggregation of data. A tremendous number of details must be correct for a transaction (dollar amount and recipient being the two most meaningful, but others are important too). That information must be displayed on a trusted display (read: owned by the user), and the confirmation code must also come from a trusted keypad. All of this hardware now has to be hauled around with you.
Worse, it can't be integrated into one of our multi-purpose tools like smart phones, because the last thing we want is to lose our precious trusted display to a virus.
In the long run, I think your idea is what we'll end up with... but in the short run it's a major pain(tm).
Security by obscurity much?
As soon as it became worthwhile to counterfeit those cards, it would be done - I'm guessing the same "special manufacturing technology" is exactly the same as is used nowadays to manufacture fine-pitch PCBs...
The EAST bulletin has a list of all the countries and differences between them in terms of attacks.
I thought the most interesting part was the use of MP3 players for analog attacks.
Off-topic, just bumping Bruce's latest quote in the NY Times.
U.S. to Drop Color-Coded Terror Alerts
" The color-coded threat levels were doomed to fail because “they don’t tell people what they can do — they just make people afraid,” said Bruce Schneier, an author on security issues. He said the system was “a relic of our panic after 9/11” that “never served any security purpose.” "
I chuckled at the closing paragraphs; I had no idea that there is a color lobby.
"Amy Wax, president of the International Association of Color Consultants North America, said — perhaps not surprisingly — colors could be an effective part of a warning system if tied to specific action. “How are we going to take those instructions and apply it to our lives?” she said. “Are we going to go to the airport, or not go to the airport?”
She said the agency’s use of “childish” primary colors like red, yellow and blue might have diluted the impact. “Purple, orange and magenta might create a sense of something that would get attention,” she said. "
If the banks bear the risks, I do not worry.
They will be able to make the relevant cost/benefit analysis. Security that is more expensive than the losses prevented is bad business sense.
From what I experienced (I was skimmed myself) and heard from a neighbor, the banks simply pay back the damages. There is some inconvenience but no actual financial loss.
"Banks in five countries also reported seeing a new type of skimming device, which uses a modified MP3 player to record card details."
It's time to outlaw MP3 players. Security theater to the rescue !
@moo: "I can't see how this [using chip-and-pin] is any more secure than the old plain magstripe cards."
The trick is, the chip cannot be copied.
My newest card (renewal) from Chase does not have the numbers embossed on the front. They're printed (slightly raised print, like fancy letterhead) on the back.
Given that "knuckle-buster" credit card embossers are mostly history, it's a long overdue change that actually improves security against mini-cams and other shoulder surfing techniques.
(Chase bank, by the way).
@ Steve Kalman
Unfortunately, there are situations in which those are still in use, and I do not know if there is a good substitute. For example, the small merchants who do smaller fairs and conventions. As an example, the vendors who sell you a leather shirt or carved walking stick at a Renaissance Faire often use them.
The natural progression is that the crims will soon be replacing whole ATMs with compromised ones
"The trick is, the chip cannot be copied"
Big deal (and I think you mean 'cannot be copied AS YET')... What about magstripe ATMs abroad and this -
Well, taking an ATM away from an installed site and installing a compromised one is a bit of a bother... big upfront investment, forklifts, people, the acquirer bank noticing, etc., unless you can carry out a credible 'under maintenance' attack...
Why not instead
a. Compromise the one already installed there, or
b. Setup a brand new ATM location filled with fake notes?
Clearly the only solution is to do away with ATMs and go back to withdrawing cash from bank branches, where you would need to stand on one leg, recite your last 5 transactions backwards and provide a biometric verification before being allowed to withdraw cash......
@Dom De Vitto: Any bank that's worth their Visa/MC license will have additional random data on the strip, often referred to as CVV or PVV. This number is not present in, and ideally not derived from, the human-readable information on the card. There are a few systems that do not verify the CVV, only sending the account number (PAN), Cardholder Name and the expiration through a web gateway. I presume they do not receive card-present rates.
@moo: That's exactly what they're aiming for: shifting more liability to consumers. It is what happened in the UK. This move resulted in a decrease in accepted claims by customers (more profit for banks!)
@Jon: You should see the NCR ATMs. The card reader sinks into the ATM and glows green through translucent plastic (blue on some Chase machines). The dip reader is the most common one. There is also a motorized reader, one place you'll see them is on some newer Wells Fargo EnvelopeFree ATMs. It has a lenticular hologram of a smiling padlock embedded into the plastic. When moving from side to side, the padlock shrinks and grows. NCR refers to this design as their FDI, Fraudulent Device Inhibitor.
The "anti-skimming" devices I've seen on many European ATMs look like garbage, one welded out of bare steel, some of them look like skimmers themselves. The Russian hackers will be in for a big surprise - and a big headache - when they see the latest ATM designs here.
@Richard, why would they? Patents = royalties. I absolutely abhor attempts by inventors real-or-imaginary to manipulate government, standards bodies, etc. as to coerce others into using their invention. A good analog is the SafetyPIN invention by Joe Zingher: enter your PIN backwards as a duress signal. To his credit, many times he offered to give the idea away, with no luck. It sounds like a good idea, it works on paper, and his intentions are honest. The problem is, it doesn't do much help anyways (police response times are a joke in most major cities), it costs money even if the IP is free (implementation and testing is not cheap), and it takes additional user effort in a stressful situation.
We often look to the latest cutting-edge high-tech inventions to solve our security problems. Ironically, the magnetic strip itself was a "secure" medium until it became popularized, then the equipment was everywhere. Likewise, laminators were controlled through pricing and paperwork, then everyone had one, PVC card printers were hard to get for a while too. I imagine that the micro-hole system would be compromised as well. A similar system today is laser-personalized cards, currently considered the most secure system today. It allows for monochrome printing, raised text, even the clear micro-pores that I imagine is quite similar to the Citicorp invention. The thing is, lasers haven't been "special" for a long time - and it's only a matter of time before some hacker gets a used Epilog and modifies it to overlay data onto the lasercard.
New inventions in security are useful; simply because a new system is not perfect or uncompromisable doesn't mean we shouldn't adopt it, you can't get away from the cat and mouse game. But new inventions typically don't solve underlying problems.
@Geek Propher re: Kalman: Exactly my concern. There's a good reason why cards have been embossed for a long, long, time. I hope that Chase does not discontinue the embossed numbers on my debit card. Only temporary and stored-value cards (and some student-ID-plus-payment combo cards) have the silly printed numbers, part of the reason is that the card is ELECTRONIC USE ONLY and they don't want it to be usable for offline transactions. Having no embossed numbers makes me feel like some low-class Green Dot carrying member of the unbanked masses, not a customer of a classy traditional commercial bank.
By the way, those printed numbers probably aren't secure. The raised version is a resin, a bit more resistant to certain organic solvents than the flat pigment-based one. I've had a piece of it flake off though, which makes me wonder if certain conditions cause the adhesion to fail. There's a reason why it's not being used.
@RH, Phillip: The smart phone can be made into and/or (preferably) contain a trusted display. I agree, having a trusted display is one of the things I advocate as part of an overall security overhaul for computing systems, including secure interfaces, trusted boot/initialization, onboard key storage, etc. I have also come to realize that separate hardware presents an adoption hurdle that is not readily accepted, even if paid for by someone else, unless the alternative is much worse. I draw upon the case of the American Express smart cards and the free card readers (both made by Gemplus), which turned out to be a huge flop. Other places have had more success with two-factor tokens: E*Trade has a SecurID deal with RSA, PayPal has Vasco and InCard (ICT) tokens through Verisign VIP, and Blizzard Entertainment has their own Vasco system for World of Warcraft (their WoW token is UGLY though). Penetration is still low. Even given the risk associated with account compromise and the time investment that many have put into their characters, I know high-level players who just don't want the token because they'll lose it, or won't have it when they want to play.
I propose a Secure Mode feature for computing devices that uses an obvious indicator lamp to distinguish between a trusted application and a general-purpose application. There is prior art that reflects this usage for PIN keypads, also, research on the EV SSL green address bar reflects that consumers pick up quickly on security-assurance signals and notice if they are missing. A green glow around a handheld device (or for laptops, a green backlit keyboard) would appear whenever a trusted application is requesting input. This would be a hardware-controlled feature indicating execution path integrity leading to a curtained environment like Secure Desktop on recent releases of Windows. Only vendor-signed, code-vetted processes (such as login helpers) could receive input in this state. There isn't so much a need for a trusted display as there is for a trusted execution path. If you can put a bank app on a phone, and can be reasonably sure that other userland applications can't read its storage, then give the app a secret and you've got your secure device.
The biggest problem is when users lose their phone. This happened in the movie "Big Fat Liar", and the results for the phone-loser weren't pretty.
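An issuer-side check of the point made earlier in this comment about the CVV/PVV on the stripe, as an added Python example (not code from the post or from any commenter). It parses the ISO 7813 track 2 layout (start sentinel, PAN, field separator, expiry, service code, discretionary data, end sentinel), applies the Luhn check digit test, and compares the CVV carried in the discretionary field with the value the issuer derives. The derivation is an HMAC stand-in with a constructed key (real CVV1 generation uses a DES-based scheme), the CVV's position inside the discretionary field is assumed, the LRC is omitted, and the PAN is the standard 4111... test number. A record assembled from nothing but the details printed on the card carries no valid CVV, so the strict verifier rejects it, while a gateway that skips the check, as the comment describes, waves it through.

```python
import hashlib
import hmac
import re

# Constructed issuer secret, standing in for the issuer's card verification key.
ISSUER_KEY = b"issuer-cvk-demo-only"

# ISO 7813 track 2: ;PAN=YYMM SSS discretionary?   (LRC omitted in this demo)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan):
    """Luhn check digit test, the first thing any reader applies to a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track):
    """Split a track 2 string into its fields, or return None if malformed."""
    m = TRACK2_RE.match(track)
    if not m or not luhn_ok(m["pan"]):
        return None
    return {
        "pan": m["pan"],
        "expiry": m["exp"],            # YYMM
        "service_code": m["svc"],
        "discretionary": m["disc"],    # issuer-defined; carries the CVV here
    }


def issuer_cvv(pan, expiry, service_code):
    """Constructed derivation of the 3-digit stripe CVV (HMAC stand-in for the real scheme)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def make_track2(pan, expiry, service_code):
    """What the issuer encodes: the CVV sits in the discretionary field, not on the card face."""
    return f";{pan}={expiry}{service_code}{issuer_cvv(pan, expiry, service_code)}?"


def verify_track2(track, check_cvv=True):
    """Authorisation-side check; check_cvv=False models the gateways the comment describes."""
    fields = parse_track2(track)
    if fields is None:
        return "rejected: malformed or bad check digit"
    if not check_cvv:
        return "approved (CVV not checked)"
    expected = issuer_cvv(fields["pan"], fields["expiry"], fields["service_code"])
    presented = fields["discretionary"][:3]    # assumed position of the CVV
    if not hmac.compare_digest(expected, presented):
        return "rejected: CVV mismatch"
    return "approved"


if __name__ == "__main__":
    genuine = make_track2("4111111111111111", "2512", "201")     # issuer-encoded stripe
    from_face = ";4111111111111111=2512201?"                    # built from printed details only
    print(verify_track2(genuine))
    print(verify_track2(from_face))
    print(verify_track2(from_face, check_cvv=False))
```

The two verifier modes are the whole lesson: the stripe is only a stronger credential than the embossed numbers if the authorising system actually checks the part of it that is not visible on the card.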
> Big deal (and I think you mean 'cannot be copied AS YET')...
Ah, yes. All statements about the security of something cannot take into account hypothetical brilliant inventions from tomorrow.
Anyway, I mean "cannot be copied under attack-practical circumstances for the foreseeable future". We are not talking laboratories here.
> What about magstripe ATMs abroad
I would suggest having one chip-only card for general use and issuing a dedicated "use only abroad" magstripe card on demand.
> and this - http://www.zdnet.co.uk/news/it-at-work/2010/02/...
A single online man-in-the-middle attack is a wholly different thing from having the chance to go shopping/withdrawing at will with a cloned magstripe card.
I think this tech http://www.passwindow.com/ can help (no I have no connection to the company, I just like their idea)
It can be used anywhere there is a display screen. Capturing the numbers as you enter them into the system won't work because it changes every time. Capturing the pattern of lines on the little window is hard because it's so small (they claim the plastic bit is hard to photocopy, so presumably it would be hard to capture with a video camera as well).
"The smart phone can be made into and/or (preferably) contain a trusted display. I agree, having a trusted display is one of the things I advocate as part of an overall security overhaul for computing systems, including secure interfaces, trusted boot/initialization, onboard key storage, etc."
Sorry, it's not going to happen.
Security is a state of mind not actuality, for a whole heap of reasons.
Just about every secure system that has ever been designed has failings of one form or another, so much so that it should be taken as a given that "nothing is secure", just "conditionally secure under known assumptions".
For instance, I have been warning for several years that "signed code" is not a mark of security; the only thing it says is that a code base is the same as at the point it was signed, and absolutely nothing more.
Since then we have seen the (too short) key for TI calculators cracked, and more recently malicious code in the Stuxnet worm appearing to have been legitimate because it was apparently signed by the correct key.
Then there was the issue of "software updates" for mobile phones, where phone manufacturers devolve the signing key down to just about every network service provider.
Then there is the trick of updating a "user phone" to a "developer test phone" whereby the phone then allows code signed under an easily available "developer key" to be loaded into the phone.
Then there is the issue of device drivers, who signs the driver code, who checks it does not have security flaws etc etc.
It does not matter how secure your security application, security kernel, secure storage, etc. are if I can subvert the display you look at and the keypad you type at.
Then there is the question of "mutability": these days few systems are truly diode-fuse or mask programmed, thus there are ways to change the contents of their memory if you can get access.
And this is the security bottom line of all these systems: they cease to be secure if at any point they pass out of your conscious control (and we all have to sleep sometime). Thus you somehow have to re-certify the device before every use.
And we know from certain fundamental mathematical and computing theory that a general-purpose computing system (i.e. Turing) is incapable of certifying itself...
How about fabricating ATM card readers of transparent plastic?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.