Schneier on Security
A blog covering security and security technology.
November 29, 2012
Advances in Attacking ATMs
Cash traps and card traps are the new thing:
[Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.
"Spring traps are still being widely used," EAST wrote in its most recent European Fraud Update. "Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country, despite warning messages that appear on the ATM screen or are displayed on the ATM fascia, customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale transactions."
More descriptions, and photos of the devices, in the article.
Posted on November 29, 2012 at 4:36 PM
1. Take a picture of the ATM
2. Photoshop it to generate 2 or 3 versions which add some subtle details
3. Make the user select the right one before even accepting the ATM card
Won't work, of course, as the cost of fraud to the bank (due to modified ATMs) is less than the cost of lost business (due to user-unfriendly ATMs).
Some of the ATMs of my bank have changed the authentication sequence. Now you insert your card in the machine, the machine reads it and ejects it, then you enter your PIN and proceed.
Won't stop the card from getting grabbed, but if it does get grabbed I would not have even attempted to enter my PIN yet.
Then there are machines where you just slide the card in and out of the reader yourself. Those are immune to this.
I wonder why they don't just have the machine put a stop on the card. If the machine knows enough to display a warning message, then that'd seem the obvious thing to do.
More generally I think the days of effectively single point one-time authentication are on their way out. So many instances of fraud could be limited by the simple expedient of sending a text to your phone, from a number to which any reply will put a stop on the card, whenever a draw on the account is made. Heck, if they put a pause between the time a transaction code was generated and the time it became valid, so that the owner could conceivably cancel the card before the money was claimed, then you could arguably outright stop a great deal of it.
How many machines are there in the wild that still take and hold the card? All of the ones I've used in recent years require you to insert and remove the card, the same as gas pumps and parking meters.
How ironic. That's how they used to do it in the old days, but people used to dress up as bank officials, wait till the user is authenticated and then tell them the machine is out of order. Hence the switch to holding the card for the entire transaction. Now we're back where we started.
Pretty much every ATM in Australia.
> despite warning messages that appear on the ATM screen
Yeah. Crappy warning messages, that never change so we become used to them. Oh, and the ones that say "check the security seal"
1) Images on screen so low res I can't tell if the seal is valid anyway.
2) They use TWO kinds of seals at my bank, making it more confusing to tell which I am looking for.
3) How hard would it be, with this BS, to fake the seal with a label printer?
The ATM makers and banks are bringing a lot of this with poor design, poor execution, poor process and an atrocious lack of talking to customers like humans.
Just the line above blaming the end users speaks volumes to their mindset.
As @Chris above has noted in many ways,
That's how they used to do it in the old days... ...we're back where we started.
If you think about it that's perhaps the biggest indicator there is that there is something wrong with the base technology, and it's time for a complete re-think.
And for those who might be thinking "What to do next..." professionally, I urge you not to use Near Field Communications (NFC) because with a minor variation it will still be the same failing system underneath, except you will have in all probability made some relay attacks easier.
And that's the problem: the "security" changes that have been made over the past twenty or so years to ATMs are just cosmetic and are in effect "like putting a sticking plaster on a broken bone". They are a quick fix on the surface but leave the real problem in a broken condition, and that's usually crippling at best and quite often fatal...
And unless a radical change is made we are just going to see "the same old same over and over" that we have seen in the past but with minor variations.
Do I know the solution? "No". Have I thought of a way to go? "Not really". But one suggestion is to think about a couple of base level important things,
1, Make it "communications channel" independent.
2, Always include the user in the comms channel to reliably authenticate the transaction in both ways.
The reason for the first is it will allow future changes in technology to be quickly and easily incorporated into the overall system, thus giving customers more choice more quickly.
And the second is the whole point of banking: to ensure the "customer" and what the customer thinks is the "bank" really are, not just for opening the comms channel but for each and every transaction.
Thus if done correctly "Internet banking" and "ATM Banking" will be the same. But further if the "Merchant" is likewise correctly authenticated then the solution will include both Banking and Purchasing across any communications channel. And that ultimately should be the goal for all parties.
In Finland, there's a neat solution to that problem with chip based cards. You never push the whole card inside, only half of it. That way the customer can always remove the card.
Then there are machines where you just slide the card in and out of the reader yourself. Those are immune to this
Whilst they might be immune to this specific attack it leaves the system wide open to "card not present" attacks.
Basically the "not present" attack works on voting machines as well as ATMs and many other systems and should really be called "session not closed" attacks.
What happens is the user starts a session in which they perform a transaction, but don't close the session when they finish and thus "walk away with the session still open". If the system either allows or can be coerced into allowing another transaction to take place then an attacker jumps in on the open session and makes another transaction for themselves at the user's cost. With ATMs the cost might just be a few hundred dollars, with voting machines it means their vote gets stolen.
One of the reasons why cards are kept in the machine is specifically to stop "card not present" attacks, and as often as not the reason it is done is the view the legislators and judiciary take.
It is also intrinsic to some systems (or should be) like Chip-n-Pin.
User not present style attacks can be a bit more subtle than this and can occur with what are in effect Man In The Middle (MITM) attacks or Relay attacks, and these days are not just possible but probable with all card systems. These attacks occur because the PIN is a laughably weak form of one way authentication that is only performed on opening a session, not on individual transactions.
Essentially the user opens the channel(s) with their PIN and from that point onwards performs no further authentication... And thus as long as the channel(s) stay open the attackers are free to proceed from that point onwards. It's why I say above that authentication must be on every transaction, not the channel(s).
In the case of MITM there is only one channel; what the attacker does is "be transparent" during the authentication phase and then either fake what the user sees or perform another transaction in the background which is not visible to the user.
With some relay attacks two or more channels could be opened with multiple simultaneous transactions possible, unless the Bank has appropriate preventative measures in place at the Bank's end, which we know from some other attacks is not always the case. Further, all offline transactions are completely vulnerable to multiple channel attacks. It's why I say above that all the authentication has to be two way; that way the user knows that the channel they are seeing is actually talking directly to the bank.
To remove the multiple channel issue or replay attacks the user has to actually be in the communications channel and the authentication has to be strong, not weak as unfortunately PINs are.
What do I mean by strong authentication? Well, firstly it has to be sufficiently strong to make guessing and similar attacks not feasible, so it needs a high level of entropy. Secondly it should not actually use the secret (PIN) in a way that it could be recorded and then be used for a replay attack; that is, it either needs to have some time based changing element or some kind of verification of a shared secret where the secret itself is never transferred across the communications channel, preferably both.
And the reason the user needs to be in the channel? Well, so they can reliably see what is being authenticated and when.
It is these last two points that are difficult to find a solution to, because of the required level of entropy in the secret and the size and number of values used for proper transaction authentication. Whilst having an independent token is now becoming more normal, humans are still not particularly good at typing in long strings of what appears to them to be random data.
It is a problem I've been thinking on how to solve for over a decade now and the solutions I've thought of (such as using something humans are good at and computers bad) have been beaten by the attackers one way or another.
As a couple of examples,
Back in the last century (mid to late 1990's) I proposed using an out of band authentication channel using either a token or, as they were becoming quite common then, the mobile phone SMS text message. Back then the problem it failed on with using SMS was the mobile phone operators regarded it as a secondary service at best, and delivery of texts was neither timely nor even guaranteed.
Later, with the development of the smart phone and the lack of channel separation this caused, as far as I was concerned this had "put the nail in the coffin" of this idea. However, not as far as the Banks were concerned, because it was at this point that Banks finally said yes we will use SMS and started rolling systems out. However as we now know the attackers exploited an entirely different weakness to the one I'd seen: they exploited a "human" weakness in either the Bank's or the phone service supplier's Customer Service Depts to change the phone number used in some way so the SMS went to the attacker not the customer...
As a second example of a big rock on the journey, I liked the idea of captchas; they are relatively easy for humans to read but currently quite difficult for computers.
So I thought, well why not compress the transaction data via some method or use a checksum and encode it in a captcha for the user to type into the token, to cut down on user typing.
Well it turned out that labour is so cheap and employers so unethical in some parts of the world that attackers could rent people to translate the captchas in real time for the attackers' computers...
In short it's a hard problem to solve and there are many rocks and pot holes as yet unseen on the journey, and currently all the advantages appear to be with the attackers due to the very human (not technical) weaknesses of the customers, banks and associated third parties such as mobile phone suppliers...
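As an added illustration of the two points argued above (authenticate every transaction in both directions, and never send the secret itself but bind a time element to it), here is example code written for this page, not Clive's or any bank's scheme; the field names, the 60-second window, the 8-character truncated HMAC and the sample account values are assumptions:

```python
import hashlib
import hmac
import secrets

# Added illustration (assumed scheme, not any bank's protocol): a per-transaction,
# two-way authenticator. The shared secret lives only in the bank and the
# customer's token and never crosses the channel; every transaction, not just
# the session, carries a code bound to its details, a time window and a nonce.
WINDOW_SECONDS = 60

def mac(key: bytes, *fields) -> str:
    """Truncated HMAC-SHA256 over the transaction fields (8 hex chars, assumed)."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.used = set()  # nonces already consumed, so a replay fails

    def challenge(self, account: str, amount: int, now: float) -> dict:
        """Bank -> user: challenge bound to account, amount, time window, nonce."""
        window, nonce = int(now // WINDOW_SECONDS), secrets.token_hex(4)
        c = {"account": account, "amount": amount, "window": window, "nonce": nonce}
        c["bank_code"] = mac(self.key, "bank", account, amount, window, nonce)
        return c

    def verify(self, c: dict, user_code: str, now: float) -> bool:
        """User -> bank: accept only a fresh, unused code for this exact transaction."""
        if abs(int(now // WINDOW_SECONDS) - c["window"]) > 1 or c["nonce"] in self.used:
            return False
        expect = mac(self.key, "user", c["account"], c["amount"], c["window"], c["nonce"])
        if not hmac.compare_digest(expect, user_code):
            return False
        self.used.add(c["nonce"])
        return True

def token_respond(key: bytes, c: dict):
    """Customer token: recompute the bank's code over the details it shows the user.
    A fake bank or a MITM-altered amount fails here and the token refuses (None);
    otherwise it returns the user's code for exactly what the user approved."""
    expect = mac(key, "bank", c["account"], c["amount"], c["window"], c["nonce"])
    if not hmac.compare_digest(expect, c["bank_code"]):
        return None
    return mac(key, "user", c["account"], c["amount"], c["window"], c["nonce"])

def demo() -> dict:
    """Constructed run: genuine transaction, MITM-altered amount, and a replay."""
    key, now = secrets.token_bytes(32), 1_700_000_000.0   # constructed values
    bank = Bank(key)
    c = bank.challenge("ACC-0001", 40, now)
    genuine = bank.verify(c, token_respond(key, c), now + 5)
    refused = token_respond(key, dict(c, amount=400)) is None   # amount changed in transit
    replay = bank.verify(c, token_respond(key, c), now + 10)     # same nonce again
    return {"genuine": genuine, "mitm_refused": refused, "replay_accepted": replay}
```

Because the bank only acts on a code the token computed for one specific transaction, an attacker who jumps onto a session the user left open still cannot make a second transaction without the token.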
@ Mikko Särelä,
You never push the whole card inside, only half of it. That way the customer can always remove the card.
This has been tried before. What attackers have done is queue behind you, shoulder surf the PIN number, then distract you, and whilst you are momentarily distracted they grab your card and run with it to another cash machine where they put your card in, type in the PIN, withdraw the maximum allowed on your daily limit, and if lateish in the evening wait until early the following morning and try their luck for a second withdrawal, and then toss the card in the trash...
So not nice to lose the money, but it has been worse, as the distraction has been to just shoulder slam you against the ATM to at a minimum knock the air out of you, then when you are off balance push/kick/throw you to the ground. The chances are you won't even see them as they run away.
How do I know this? Well somebody I've known for a very long time from Germany was attacked back in 98 this way at an ATM, and suffered a broken nose and lost a couple of front teeth. All the attackers grabbed was the 40GBP she had just taken out; the emergency dental costs were over five times that and her nose had a permanent bend. This happened in Central London and quite near Victoria Railway Station (a backpacker trap area due to Victoria Coach Station as well) and the Police response basically made it clear they had zero chance of catching the attacker(s) as she had not seen them (basically they indicated it was probably Eastern European criminals who had been known to be attacking others in a similar way in the area).
I spoke to her quite recently and she still does not think she will ever come to London again, and to be honest I can't say I blame her...
This trick is a couple of years old. Some banks have tried to adapt by installing unique card readers that make it more difficult for a threat agent to install one of these devices and easier for customers to tell if the device was tampered with. But some ATMs don't have these updated card readers.
Looks like in Europe governments provide the right incentives/regulations for banks towards protecting the customer's interest in the financial sector and ATM usage in particular, versus the primarily so called 'self-regulation' of the financial sector in the US. Just to balance power, government should be primarily on the side of the customer (average Joe/Jane) in the financial sector. That is why I guess what was recently done in the US with additional regulation/oversight of the financial sector and consumer protection were appropriate first steps in the right direction.
ATMs around the globe usually have either hidden or in open view cameras installed by the banks for the purpose of protecting against bank losses due to ATM fraud/vandalism. They are NOT capturing the PIN entered, but the person/activity around the ATM. With due incentive those cameras could be utilized for capturing images in cases similar to the victim described by Clive, tampering with the ATM, etc.
Cameras and image storage are cheap now, with transmission to the cloud (hate that cloud, but that is the option). Stored images could be erased at the end of the day as soon as no problem is detected/reported. Otherwise backed up and available for LE, the customer's legal representative and consumer protection agencies, not only to banks at their discretion.
In Norway, where card skimming and ATM traps are rampant, banks are planning on deploying ATMs without magnetic stripe readers and instead use the chip embedded in the ATM/credit card, as all cards issued in Norway are chipped. This will pose a problem for travelers from the USA as almost no banks issue chipped cards (the bank for UN employees in NYC and Andrews Federal Credit Union are the only two I know about that issue them in the USA).
ATMs at tourist hubs (airports, trains stations, etc.) will still have magnetic stripe readers.
I want to echo the sentiment above that one of the more effective methods I've seen is the instant notification. Way back when (2005) I could, with my bank, receive instant text messages (within a few seconds) with the transaction details every time my card was used. If a transaction came up that wasn't mine, I could reply with "FRAUD" or something like that and it would flag the transaction. Very handy and good peace of mind.
Then they mysteriously dropped it. When I called about it they told me "Well, people have bank apps, and mobile internet, and can check anytime they want that a transaction was accepted by the bank systems." Utter facepalm moment. I spent a few flustered minutes trying to explain that I didn't care if they were accepting my transactions, I want to know if they're accepting transactions by people pretending to be me.
Now they have e-mail notifications set up, but the e-mails take anywhere from a few minutes to a few hours to arrive, and only get sent for certain kinds of transactions (the pattern which I haven't figured out yet).
In Italy a new attack is "cash trapping". A spring is used to block the money in the ATM, then the robber gets it using another tool.
What gets me is the ATMs here in the UK which warn you not to use them if any unauthorised devices have been attached.
How on earth am I supposed to know what an authorised ATM looks like in the first place?
This throws the responsibility in the user's face with no information to make one capable of actually taking that responsibility.
I can't comment on other banks, but for HSBC Australia, their ATM is based on the push and pull out of your card, which initiates the session, and then prompts you for your PIN, and then you are good to go. Also at the end of any transaction (even checking your balance), you will be asked for your PIN again, not for the physical card again. At least this does close the hole of the 'open session' attack. I realize this won't help if the attacker got your PIN, but at least, if you did walk away with your card and left an open session hanging, the attacker who does not know your PIN can't do anything.
With regards to Clive Robinson's story, the safest method to do this is of course to push the card, pull it, and put it into your pocket or wallet straight away (before entering the PIN) to avoid anyone bumping / distracting you to steal your card. They will not have the PIN yet (as you haven't entered it), and your card is in a safe-r (relative of course) condition from being bumped and stolen.
Also another method to secure yourself, is ALWAYS to have your bank's 24/7 phone number handy on your phone. For any issues with the ATM acting funny (As what @Paolo mentioned, or card not ejecting), call that hotline straight away, mention about what happened right in front of the ATM. Make the report onsite, and after the report is in, it is the Bank's responsibility to investigate, and any fraudulent charges after that will no longer be on the user.
I know it's not fair for the bank, but if the bank ATM is acting up due to some attacker, the bank needs to take action.