Schneier on Security
A blog covering security and security technology.
September 28, 2011
Making Fake ATMs Using 3D Printers
One group stole $400K.
Posted on September 28, 2011 at 6:03 AM
• 28 Comments
Making fake ATMs, or making ATM skimmers?
> Making fake ATMs, or making ATM skimmers?
Making skimmers that look like a normal part of the ATM, being 3-D printed to fit a specific target ATM.
How long till they do 3D print a full ATM and just place it at a location without a real one (and without a security camera)? Give error messages (specifying that the problem is known and help is already coming to fix it) after people enter their PIN.
3D printing is overkill.
In any case you can buy a small 3D printer for less than the price of a large photocopier. This stuff is not only out there, it has been for about a decade.
The surprise is that anyone was dumb enough to order a part from a supplier instead of making it in their garage.
Ah, yes, now the scammers have to bring a solvent to tracelessly remove the label.
Or, for added fun, they could just stick their own on top of it, giving a fake emergency telephone number and/or reassuring statements like "security certification valid thru 10/30/11".
More seriously, the point is that customers would have no idea that such a label is supposed to be there. Nor do they know what an authentic label would look like.
That's certainly possible, but would require too much work. Enough of an OS to accept the card and take the pin would be required, while looking legit.
The usual route is much easier, as most skimmers are buying the gear online for less than they can steal from one account. These aren't brilliant, innovative criminals; they don't need to be.
My local bank has not just got the security sticker, but makes you agree that the card reader and sticker looks correct before transacting. Couple issues:
1) Human factors. It's the same message each time. Already used to it, so I just press the "yeah, sure" button. I am sure everyone else does.
2) Fidelity. It's not that good a display, or photo. I /guess/ the machine looks like the photo.
3) Reproducibility. If a criminal can make a skimmer to overlay the card reader without arousing suspicion at size, color, texture, etc., they can certainly make a fake taped-on seal to put there after they install it. And if the old adhesive is there because they didn't line up right? Well, that's just how security seals look, of course.
@Paeniteo, you're right of course, it would be more useful if this pattern were _expected_ by everyone, and the institution had an example of what it should look like somewhere near-by. If the scammer had to have an exact sticker it would be much more difficult to add a skimmer. This isn't a solution of course, but it's at least a low-cost deterrent and would make people feel better. ;)
I would certainly take advantage of this setup and make sure the card reader sticker matches. I always give card readers a good shake back and forth to see if it comes off. That probably wouldn't detect a fake, but it makes me feel a little less scared. Having a sticker at least gives me something to key off of to potentially detect a false card reader.
Ah, the bank system Steven describes isn't perfect, but I'm happy at least some people are trying to make it better. Most card readers have nothing at all to help you find out if it is a fake.
Makes sense. I think the normal progression is (1) technology is created, (2) people start to use it, (3) someone adopts the technology to the porn industry, and then (4) someone uses it for stealing money. I'll let someone else Google for #3.
I have long wondered whether it would be possible to make a smartphone app that checks an ATM for manipulations...
Could work along the following lines:
- Take a reference picture of the ATM (or, more detailed, its card slot) at your bank on your first visit. For simplicity, assume that this state is "known good".
- Whenever you visit the ATM again, take another picture and let the app compare it to the reference picture.
Given the computing power and camera resolution of nowadays' smartphones, that does not sound infeasible, does it?
The app could store reference images for multiple ATMs and use GPS to find the correct image to compare to.
Currently, banks are already fielding rather... how should I call them... *extravagant* card slots that are supposed to make it more difficult to attach a card skimmer to the slot.
Now suppose that the attached skimmer would have to replicate the look of the card slot closely enough to fool the smartphone...
@Steven Hoober "... makes you agree that the card reader and sticker looks correct before transacting"
Hmmmm. Issue 4: transferring liability?
"YOU said OUR security looked okay to YOU. That's good enough for US. It's not our loss it's YOURs."
One way to mitigate the effects of 'stick-on' skimmers might be to integrate a small three or four digit, seven segment LED display into the bevelled bezel of the card slot itself (these bezels are, usually, wide and deep enough to incorporate a reasonably sized high-brightness calculator-style display within a millimeter or two of the actual card slot).
The user is required to type in the code displayed on the bezel before the ATM will unlock the card slot and accept the user's card.
A bypass option for blind or partially-sighted users would also be required - possibly by a secondary code that would cause the ATM to speak the unlock code to the user.
Many ATM manufacturers, stores and financial institutions have implemented features that have been highly successful in deterring card skimming. The natural progression is to see these more widely used, and eventually standard.
I think I've said before that I am very partial to NCR's ATMs. The card readers have a very distinct shape that would make designing a plausible skimmer very challenging. Both the dip and motorized reader have a transparent body illuminated by a pulsing backlight. The motorized reader also has a lenticular hologram (a "smiley lock") and implements jitter. The ATM owner can choose to have a video demonstrating usage of the card reader displayed on the idle screen.
There are also some sensors (electrostatic proximity?) that ATM owners can purchase as an option which purport to detect foreign object attachment.
Since security seals were mentioned:
Sam's Club also has a blue sticker on their fuel pumps similar in size to the red sticker from Shell that someone linked to here. They put it over a keyhole. The sticker has a releasing layer that reveals "void" if it is peeled up normally; these are used on many aircraft to seal the lavatory smoke detectors.
The problem with using seals to reassure the general public is that people don't notice if they're completely missing, and won't miss them even if they have seen them before. If told to look for a seal, users also do not remember what the seals look like and how to authenticate them, if authentication is possible at all. The fuel pump and aircraft lavatory stickers are fairly tamper resistant, but can be forged with some paper having the right texture with the result that no tampering is obvious until someone tries to remove the sticker and notices that the void message doesn't activate.
I don't trust these stickers to protect my credit card all by themselves. Fortunately in the country I live in, the United States, skimming is rare and zero-liability fraud protection for consumer credit products is standard.
What is likely to be a more effective indicator is a tamper button held down by the service door, since a tamper alarm can respond very quickly and disable the pump to prevent skimming and fuel theft - much more common than skimming.
Inside the stores, Costco Wholesale has both a locking swivel dock for their MX readers and a tamper detect sticker (a generic 1" rayburst hologram with the Costco logo and a serial number printed in black) on the reader itself. It faces the cash register side so clearly, the cashiers know it's there.
Look under the colo(u)r Verifone terminals used by many stores here, and you'll see a white frangible sticker with silver accent placed over the screw hole by Verifone. It may serve to reveal malicious tampering, or merely a warranty seal since most card readers are in sonically sealed plastic shells. Later PCI-compliant readers zeroize the master key when it's opened, and I would presume the POS will not recognize it anymore when this has happened.
It may be worth noting that Michaels craft stores, which suffered from a customer payment card/PIN breach resulting from a doppelganger terminal attack, did not have any security seals or locking mechanisms in place. They also use very old Everest readers that just might not be as tamper-resistant as newer models.
What about setting up a security camera facing the machine? However normal it looks, it's still going to look different, which it shouldn't after any normal uses it.
For point 1, I think it would be better if it only did this for a few customers, say randomly about 1 in 5 or 1 in 10. That way it wouldn't become routine (and it wouldn't contribute to long lines or customer irritation) but would still catch tampering relatively quickly.
The interesting technology issues aside, I draw much more fundamental lessons from cases such as this one.
(1) Loose lips sink ships. Why the hell were you gossiping about the details of your operations to an FBI informant? How did you vet the people in your gang, anyway?
(2) Never underestimate the value of good old fashioned human intelligence to break the case.
To me the real lesson in this case is that you had a gang that was creative enough to devise an intelligent solution to a difficult problem but then dumb enough to blather the details to people they couldn't trust. No wonder they got caught.
Some of the skimmers are remarkably advanced. The author of this article has another page where he shows a number of skimmers. Even if I were diligent in looking for skimmers, I'm not confident I could detect these.
@ olli on skimmer prevention
That seal was beyond ineffective. Paeniteo's solution was actually overkill because the seal doesn't even cover the card reader or pin pad. It just partly gets in that area. The person making the skimmer just has to cover the card reader & pin pad. People rarely are worried if the card reader & its picture on the left look slightly different.
@ Bill Smith
"(3) someone adopts the technology to the porn industry"
That was actually often No. 2 in the late 90's & early 21st century. The porn industry has promoted many new technologies from efficient HD content streaming to truly interactive DVD's. The positive effect the porn industry has had on the development of the modern internet is little known due to the taboo nature of the subject. And my knowledge of these technologies is second-hand, of course. ;)
I like your idea of taking a high res reference picture. This is essentially the same method for tamper detection I've pushed for devices in the past. However, I add a clear see-through case so the internal components can be checked visually. This is helpful since most skimmers are made from cheap iPod parts, etc. (They might adapt, though.)
Good info and analysis. I do like those features of the NCR ATM's. I'll have to look into them more thoroughly. Of course, we can always fall back on more direct attacks on the shoddy OS.
The best prevention mechanism is still a secure, out-of-band authentication technique. It must combine a dedicated device with onboard crypto locked to a specific account with something the user knows (entered into the device per transaction). This prevents issues with POS's, ATM's, online purchases & potentially non-banking related applications.
Most ATM's have a colour screen these days.
Why not (*) display a picture of the ATM on the screen with a sign "If the ATM doesn't look _exactly_ like this then DO NOT USE IT, phone".
It'll work, at least until the screen is covered up as well (by the time the thieves have a fake PIN pad, card-skimming hood and fake screen they might as well just build their own ATM :-)
(*) Obviously a rhetorical question.
The screen 'real estate' is far too valuable for marketing purposes to allow it to be used like that. Also, the last thing the bank wants is to discourage you from using the ATM by making you think about risks.
Maybe as a compromise banks could have a picture gallery of ATMs on the web somewhere (part of their "find an ATM" page?). If in doubt, look up a known trusted picture of the ATM on your smart-phone before you use it.
@Captain Obvious: I wouldn't be surprised to see home brewed counterfeit ATMs that look just like bank ATMs, even with modified software, show up. Just look at the two men convicted for selling counterfeit video slot machines. I would reckon ATM's are no more complex, I know some (maybe most?) even run Windows CE, so that makes the hacking simpler. The question becomes one of cost vs. profits. Counterfeit ATMs have already been set up in locations such as hotels, just look at the one that was found at the hotel hosting DEFCON two years ago. Obviously, these low end ATMs have already become commodity, you'll probably see Bank of America, Chase, and Wells Fargo ATM's counterfeited, even if it's just a motherboard swap to allow hacked firmware to run.
Counterfeit slot machines reference: http://arstechnica.com/tech-policy/news/2010/12/...
Defcon Counterfeit ATM: http://www.wired.com/threatlevel/2009/08/...
How many phone calls will it take for them to change this idea when a kid with a razor blade keeps cutting the seal? That's what I would do, to freak them out daily... just cut the seal and make the thing untrustable. :-)
Making it a habit to only use ATM's located inside a bank's premises will probably seriously diminish your chances of being victimised. As there are surveillance cameras in all of those areas, any attempt to tamper with the ATM's would be picked up rapidly.
Won't chip-based cards eliminate this vulnerability through end-to-end encryption between the financial institution and the card itself? Or am I just wrong about how those work?
@anonymous: if you can do a search on the forum, I believe you will find posts by Clive Robinson linking to articles raising concerns of massive security vulnerabilities in chip and pin systems, as implemented in Europe. It seems those are only better on passing the buck to the customer, giving the bank an out on covering the loss by saying it was the customer's fault.
What's fascinating to me is that banks are actually bringing this to customers' attention in the first place.
Cynically, it may well be in banks' interest to _promote_ a certain amount of ATM fraud, especially now that many customers have accepted service charges for teller withdrawals: the profit potential of "fee-free" ATM withdrawals is strictly limited by the (obvious) fact that they generate zero revenue. Check cards, by introducing the bank as a middleman in what would otherwise amount to a cash purchase, do not suffer from this fatal flaw.