Schneier on Security
A blog covering security and security technology.
March 17, 2011
Hacking ATM Users by Gluing Down Keys
The thieves glue down the "enter," "cancel" and "clear" buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account.
The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use the ATM touchscreen to finish their transaction, or become nervous when the keypad isn't working and react by leaving the ATM unattended....
Posted on March 17, 2011 at 6:50 AM
• 57 Comments
"The unwitting customers either do not know that they can use the ATM touchscreen to finish their transaction", or the ATM does not have a touch screen.
Honestly, I would bet that most automatic teller machines in Germany do not have a touchscreen and this "hack" would work without the customer being able to do anything about it. If it is late at night, would you really call the police and wait there until they arrive?
While not a perfect solution, I'd definitely add some extra numbers on the end if the machine was refusing to let me proceed or cancel.
Waiting should work. AFAIK an ATM cancels the transaction after some timeout. It might keep the card though.
Going by just the linked article, it sounds like the thieves are relying on the ATM having a touchscreen, so an ATM without a touchscreen would likely be protected against this particular scam.
Okay, unless you're assuming that they can somehow unsticky the keys again in a reliable, repeatable and fast way - but even then they'd have to do that, grab the cash and re-glue the keys for the next victim before the current one comes back...
Presumably a thief would want to choose an ATM with a touchscreen so he could get the money once the customer's left. How would he benefit from pulling this trick on an ATM without a screen?
@Andrew (&others): "How would [the thief] benefit from pulling this trick on an ATM without a screen?"
I would believe that there is 'research' underway to disable the keys only temporarily (magnets, solvents, etc).
6 months is not "very late adoption". The Nigerians' discovery of the Spanish prisoner scam took about a century. THAT is "very late adoption".
And so the wait is on for the first genius to actually glue himself to the keypad and make a surprise entry in the world's dumbest criminals list.
I've long believed that an ATM (or any other unsupervised card terminal, like a gas pump) should hold your card through the entire transaction. People usually don't deliberately walk away from a terminal that has their card. The fact that a swipe-and-return terminal has an open transaction is more subtle, and easy for those who aren't security-savvy to fail to notice.
I agree; I was rather surprised when I first saw a machine that didn't keep the card. Granted, my experience is that every machine that doesn't keep the card is a third-party machine as opposed to a bank-owned machine. This leads to different security attitudes, as the third-party companies don't have the same worry about brand reputation as the banks themselves do.
I believe I've mentioned here before that during the initial pilot tests of ATMs, some banks noticed that people would grab their money and leave without necessarily even collecting their card, allowing someone else to grab it. Hence they modified the operation of the machine to not dispense money until after the card was removed...
I'm going to have to check this but I've a feeling that most ATMs in the UK don't need you to press enter after you've entered four digits.
All machines I had trouble with (something stuck, myself trying to remember the pin, etc.) timed out after about one minute. So the thief needs to be pretty fast and has a considerable risk of being noticed by the tricked customer.
By the way, I guess one minute is the amount of time I'd spend jogging the glued keys before even thinking about leaving the ATM -- even if I was totally clueless about how stupid leaving would be.
Of course, if people would stop and think things through (even if they don't know that the transaction can be completed by touch screen) they should be able to remember/figure out that the transaction will time-out, hang around by the machine until it does, and _then_ go into the branch to get help.
Of course, our brains aren't normally wired to pause and consider the best course of action when we're having an "oh shit" moment, and it's not an adjustment that our schools do a terribly good job of developing.
@Dirk Praet: Most "super" glues are easily dissolved using acetone nail polish remover. On the other hand, I hope dumb criminals don't figure this out, because I really, really want to see one glue himself to an ATM keypad.
"Most super glues are easily dissolved using acetone nail polish remover"
You've just given yourself away. Only girls know that 8-)
This stems from another related problem with ATMs, where you are allowed to make as many transactions as you want after you are authenticated once. If a customer inadvertently leaves their ATM session active, usually at the "Do you want another transaction? YES NO" screen, further withdrawals can be made. Citibank even has a warning on the instruction sticker they put on the ATM facade, which tells users "Do not leave the Financial Center until 'Thank You' is displayed on the ATM screen." This is a pet peeve of many ATM users, myself included.
@Ross, Bryan. As for major banks: BotW and BofA both use motorized readers, but they dispense the cash before ejecting the card. They both beep until you take the card. San Francisco Stagecoach Bank dispenses card first, then cash/stamps/receipt, after all transactions are finished.
Another bank, JPMC, has the best design I've seen. They use dip readers exclusively, so you can put away your card immediately. There is a short timeout, about 30 seconds, before it asks "Do you need more time?", followed by "For your protection and security, please re-enter your PIN". In most cases, it will also prompt for PIN when doing certain consecutive transactions, and when choosing a sensitive activity after no input has been received for 10 seconds.
@Ross Patterson "People usually don't deliberately walk away from a terminal that has their card."
Stateside, every ATM I've used keeps the card for the whole transaction, and I've frequently found cards left behind in the machines, despite the loud, incessant beeping designed to remind customers to take the card. It seems like it's gotten a little better since the machines started spitting out the card first and then the paper (originally they tended to do it the other way around), but it still happens. People get distracted, or are in a hurry because someone's behind them and they're juggling several items, and they simply forget the card.
Every ATM I've used, even the captive-card ones, has required me to re-enter my PIN after the "Do you want another transaction?" screen. There are some that don't require this?
Most of them that I've seen here don't. After checking the balance, you can press continue, and withdraw money without being asked for the PIN.
The local Bank of the West and US Bank have Diebold Optevas that do this, and a collection of vintage Diebolds with green or orange CRT screens that do this as well.
This is admittedly a clever trick. It wouldn't work on my bank's ATM's. For one, my bank's ATM requires a PIN to be entered before every transaction and times out after a short period of inactivity. Additionally, my bank puts their ATM's in each store of a very large retail chain, usually right next to the cashier. This increases risk for criminals who would want to repeatedly piggy back on victims of this type of scam. They'd probably just go elsewhere, especially at an outdoor ATM.
As for ATM's holding cards, I actually prefer that they do NOT hold my card. This provides no extra security for me. If anything, it increases my risk: I've seen ATMs and POS systems screw up countless times, whereas ATM fraud attempts are more rare. Virtually every kind of ATM fraud would work whether my card was in there or not, so why impose the risk on me?
It's also harder to make a getaway if I see trouble coming, as is sometimes the case when living in a rougher area. In those situations, every second counts. Waiting ten for the cancel to go through and my card to be ejected would have been a nightmare.
Shouldn't alleged "journalists", at least, know the difference between robbery and theft or fraud? The customer was defrauded, not robbed.
(Trivial? There's a drastic difference in punishment between the two, not to mention the threat to the victim's safety, and it always amazes me how programmers, who know that a single misplaced comma or other syntax error can hose an entire program, don't show the same respect for the "language" of English.)
"I've a feeling that most ATMs in the UK don't need you to press enter after you've entered four digits"
It depends if the ATM software knows the length of PIN in advance. Some expect a 4 digit PIN for certain cards and automatically accept input on the 4th digit.
Wow--scary, thanks for sharing. Just what will thieves think of next?
Nice photos, Erin. I really liked the one with the waterfall and water lilies.
My bank asks if I want another transaction and when I reply negatively, gives me the card first, then the money then the confirmation slip.
@Dirk Praet: "You've just given yourself away. Only girls know that 8-)"
Or people who have a tendency to glue their fingers together every time they work with superglue. However, girls are more likely to have nail polish remover handy.
foolproof ATM security measure: I don't use them.
@ yt & Dirk Praet,
"Most super glues are easily dissolved using acetone nail polish remover"
If you had read my posts with regards "home brew explosives" you would know that the places to go amongst others are cakemaking/home baking shops (for vit C) and Beauty Parlours / Nail Bars or Plumbers Merchants for Acetone.
Interestingly plumbers carry both "Super Glue" and "acetone" as glues. In the latter case it dissolves clean plastic pipes sufficiently for them to "self weld" together as the acetone vaporises off.
Other good places for Acetone are car body shops where it is often called something like "plasti weld".
The most acetone I've ever bought in one go was a drum of 25 litres and nobody turned a hair or asked silly questions even though I was paying cash (I did ask for a receipt to be made out to a local company name).
And for the terminally curious ;) this was when designing an Intrinsically safe (EX e) power supply.
The dam thing started to self oscillate after it was encapsulated it was no fun getting it out to find out why (somebody had put the wrong speed Op-amp in the wrong place).
I discovered even doing it outdoors with protective clothing acetone still managed to "degrease" parts of my anatomy I thought were well covered (I itched and had flaky skin for weeks afterwards).
@a different Ross "People get distracted, or are in a hurry because someone's behind them and they're juggling several items, and they simply forget the card."
I *did* say "deliberately" :-) I've accidentally left my card in an ATM twice, most recently just a few weeks ago.
@Bryan Feir: SunTrust Bank ATMs here in VA are a mix of dip-readers and hold-readers. I'd *love* to know if their loss rates skew on that axis!
Bank of America ATMs here in MA are also a mix of dip-readers and hold-readers.
@Serian: The BofA ATMs I've used as of late force you to take your card before dispensing cash.
@ Clive, yt, & Dirk Praet
My impression isn't that polymerized superglue can be _dissolved_ in acetone. Rather, it is only softened by it. The reason, as far as I know, why acetone is effective in disconnecting the glued parts is that the acetone is able to diffuse through the polymer and effectively "wet" both substances at the adhesive interface.
BTW, Clive, I've never heard of cyanoacrylate being used for the encapsulation of electronics; epoxy resins are much more common, no? I would think that the tendency of cyanoacrylate to depolymerize at high temperatures would be a show stopper for its use as a potting compound.
Disclaimer: I'm only a chemistry pedant, but not really an expert in adhesion...
When the ATM is in transaction mode the built in video cameras are in full frame rate capture mode, so are these thieves wearing masks?
@ Ron K,
"I've never heard of cyanoacrylate being used for the encapsulation of electronics epoxy resins are much more common"
Neither have I; conformal coating would be better as CA does not stick at all well to certain PCB materials or even component coatings.
Further it is reputed that ethyl cyanoacrylate used without phthalic anhydride is weak to both moisture and heat (which is why some modellers who use "super glue" via syringe needles know it can be cleared out simply by heating the tip of the needle with a lighter for a few seconds).
What many people don't know is CA does not like certain organic fabrics such as cotton or wool and can generate enough exothermic energy to set the fabric on fire.
I'm not sure why you assumed the encapsulant was cyanoacrylate; I didn't say it was, nor intended anyone to think it was.
Luckily the epoxy that we used at the time (which was loaded with quartz dust) would actually dissolve (albeit slowly) in acetone which the electronics wouldn't.
As RobertT has indicated you need a bit sterner stuff in the way of solvents to dissolve the encapsulant used on IC's etc and believe me you would not want to play with some of them. Not only do they have "toxicological disadvantages" (ie it kills you in very small quantities) it also has a bad habit of reacting very very unpleasantly with normal air in a way that would remove your hair if you were lucky and turn you into "long pork scratchings" if you are unlucky.
@ Clive Robinson
"As RobertT has indicated you need a bit sterner stuff in the way of solvents to dissolve the encapsulant used on IC's etc and believe me you would not want to play with some of them."
Chip hacking. Toxicological effects. Why am I thinking this is a good way to get rid of a crew member in a deniable way? ;)
"The Nigerians' discovery of the Spanish prisoner scam took about a century. THAT is "very late adoption"."
You are clearly trying to slight the Nigerians but on what evidence?
You have not established that fraud techniques were adopted late there. It is more likely that you only recently became aware of them.
There is plenty of evidence that the use of this scam technique and others have been present in Nigeria for a long time.
The changes that most likely led to your delayed discovery were the 1980s Petroleum crisis and the lower burden of entry for scams to operate over longer distances.
More importantly, the Spanish prisoner scam is very often used by others who only pretend to be African, because pretending to be from Nigeria helps bypass victims' defensive abilities. Why? Most victims, as evidenced in your baseless claim about Nigerian fraud history, do not know much about Africa.
Dirk: "'Most super glues are easily dissolved using acetone nail polish remover' You've just given yourself away. Only girls know that 8-)"
Or transvestites. :-)
Off topic, but speaking of females, the master female hacker Joanna Rutkowska has an interesting piece on separating one's personal security domains.
Partitioning my digital life into security domains
@Richard Steven Hack
That's nothing. You should see her list of requirements to speak
"In general I’m not interested in traveling to those countries which are not part of the civilized world..."
Good luck with that diagram.
Here all banks issue chip cards. ATMs have a separate slot for them. Card is inserted only half-way, giving user visual indication that magnetic stripe is not being read. Card can be pulled out at any time, which cancels the transaction.
Of course there is still risk. Recently I withdrew 60€ and got only 40€. Had to make a phone call to get my 20€ back.
wow, what a clever trick... here it would work...
Moreover, I smell plausible deniability going on in there. Think about it: the victim leaves the atm machine and enters the bank to complain about the machine failure. The bad guy approaches the atm machine PRETENDING to be another atm customer who wants to use his card. If the bad guy is fast enough he would leave the atm, if he gets caught he would complain about the failure of the atm machine like any other customer. Very very very nice trick...
I'm surprised by some of the comments here - I haven't come across an ATM with a touchscreen yet, although I still remember a machine too old to have a screen at all (there was a single line LED matrix readout instead!). Almost every machine I've used retains the card during the transaction, then returns it (and requires it to be removed from the slot) before the cash is issued - it is indeed all too easy to take the cash you are waiting for, then walk away forgetting about the card, unless the ATM enforces card removal first.
Thinking about it, though, a touch screen would defeat this approach and some other forms of skimming, as well as allowing more flexible authentication (passwords as opposed to PINs, partial authenticators as used for online banking, one-time codes...) - well worth thinking about for an intelligent bank.
Swiss ATMs tend to re-authenticate before each state-changing action (not sure about, say, balance queries or similar read-only transactions). Takes care of whole classes of similar distraction-based attacks on ATMs.
I am sorry, but you really have to be dumb to leave a screen of an ATM with your PIN on it to go anywhere. You should either call the bank or delete the PIN. If you have your money stolen this way, you will at least learn not to make mistakes like that in the future.
Stick to "credit" cards, because you have better recourse through the banks/credit unions. If you need local currency go to the foreign affiliate of your bank or credit union and work directly with the teller to exchange travelers checks. Why on earth use a debit card or an ATM card in a foreign country or even out of state?
@Steve: only because it's sometimes cheaper and more convenient, and the option of going to a foreign affiliate may not be available. As it has been reported to me, BofA and citiclowns are the only two that have a major presence in Asia. This may have changed in the past years with the major banks. I highly doubt I'll ever see a CU Service Centers branch anywhere outside the U.S.
Credit cards typically have cash advance fees and foreign exchange upcharges, but many debit cards, such as Chuck Schwab Bank and USAAFSB, don't. It's about risk versus return; besides, I'm not liable for unauthorized use. ATMs have been carefully engineered to provide a secure experience for their users, and they fulfill this role well, so don't be afraid to use them.
Worried about your PIN? Many banks and credit unions allow you to change your PIN online or over the phone.
ATMs in Germany and UK are a little bit more clever than that.
They retain the card until the end of the transaction.
If you don't take the card and walk away, the card is pulled back and you will get it back per mail or so.
If you pull the card, you get your money.
If you leave your money in the machine and walk away (Don't laugh, it happened to me) the machine will take the money back after a little time and log that event.
I called the bank, and after laughing about the incident they booked the money back on my account.
Superglue is not a viable hack against well designed ATM.
@Tilman Baumann: Same here.
The part you mention about "pull the card, get your money" applies only to the ones that eject the card before dispensing money, this is becoming more common here as well.
Nearly all bank machines with motorized readers and cash presentation using shutter slots (as opposed to dip readers and drop trays on small machines) have the same behavior. These features, often referred to as card capture and cash retraction, are designed to protect against "Lebanese loop" card trapping and cash trapping scams, as well as deal with forgetful customers and cassette dispense problems. The ATM is now programmed to retract the card and/or money into a special "escrow bin" after a failed dispense.
Over here, however, cards found in the ATM that belong to other banks (foreign cards) are supposed to be destroyed unless it is released by the issuing FI. Your bank mails you a new card with the same number, and it's sent in the mail unactivated.
Unless I'm missing something, there are two fairly obvious problems with this attack: it's likely to be discovered more or less immediately, and the attackers have to be near the machine in order to benefit. That seems like kind of a bad combination of failure properties, from the attacker's perspective.
> If it is late at night,
Who goes to the ATM late at night? What would be the point? It can wait until morning. People normally go to the ATM in the daytime when they're getting ready to run errands. On the way to the store, for example, would be a typical time to stop at the ATM.
Also, if the criminals are hanging around near the ATM late at night, they're going to get noticed rather quickly.
> would you really call the police and
> wait there until they arrive?
Most people would never bother with that, quite irrespective of the time of day.
> So the thief needs to be pretty fast and
> has a considerable risk of being noticed
> by the tricked customer.
Or by a third-party observer, or by the bank dude who comes out to investigate the complaint. In general the risk profile of this attack seems very unfavorable to the attacker. I'd bet money that the risk of getting caught is higher than 1% *each* time the attack is executed. Run the scam as a career, and by the time you take court time and jail time and so on into account your hourly wage is going to be lower than minimum wage.
> I guess one minute is the amount of time
> I'd spend jogging the glued keys
Most users are considerably less patient than that. (Frustration distorts the perception of time. If most people fiddle with a non-working machine for fifteen seconds, they will swear that it was at least five minutes.)
> Shouldn't alleged "journalists", at least,
> know the difference between robbery
> and theft or fraud? The customer was
> defrauded, not robbed.
Fraud would be if the victim was somehow convinced to provide the money (on false pretenses; if there are no false pretenses, it's just begging).
That's not what happened here. The money was stolen from the victim's account without consent. Clearly that's theft, or robbery, not fraud. (The only difference between the verbs "steal" and "thieve" and "rob" as far as I'm aware is whether the direct object is the property taken or the victim.)
> foolproof ATM security measure:
> I don't use them.
Yeah, me too. It's still interesting to discuss their security properties, however.
> Stick to "credit" cards,
Actually, I strongly recommend not owning one of those things, at least if you live in the US. They're *WAY* more trouble than they're worth. (I'm not talking here about crime, but about preventing the bank from effectively gaining ownership of your personal bits, through various unethical but completely legal mechanisms.)
None of the ATMs that I have seen/used have touchscreens, so this trick wouldn't work.
I also haven't seen any ATM in years that says "do you want to make another transaction".
As for design of ATMs, I like the ones where you insert the card then remove it and it doesn't retain your card. Less chance of forgetting your card and less risk of cards being stuck (either due to faulty machines or due to deliberate tampering).
One design I have seen had a large trans-green piece of plastic surrounding the card slot with LEDs in it such that fitting a card skimmer over it would be very hard.
Has anybody verified this?
All of the ATMs I've ever seen have been PCs running Windows, and a stuck down key or combination of keys would probably screw up the entire keypad.
Ever had a stuck key on your desktop keyboard? You probably wouldn't even get past the BIOS keyboard check.
If there's a stuck key, I doubt if the machine will allow the user to punch in their PIN, considering that the three keys being glued are quite the most functional keys. Nice try though.
I put my card in the machine and PIN number, then put in £350 to withdraw and pressed enter. The machine asked me if I wanted an advice slip; I pressed no and waited. Nothing happened, the machine went back to its home page, and the guy behind me went and got a member of staff from the post office. The machine started to read all sorts of tech stuff, then up popped a Windows 98 sign, then it said sorry, this service is out of order. The post office worker said that was it now, I would not get my card or money, best go contact my bank. I went into the shop opposite, came out, and the machine was working; people were getting cash out of it. I went back into the post office; they said the machine had been playing up all day. We spoke to a man that I'd seen at the machine; he said he had no trouble and got his card and cash. My bank statement is showing that I did withdraw £350 cash from that ATM machine. I am now having to wait until the machine is empty and see if it retained my card and cash; if not, I've lost out.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.