Schneier on Security
A blog covering security and security technology.
February 3, 2011
ATM Skimmer on Bank Door Lock
This is a clever development in ATM skimming technology. It's a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it's an ATM skimmer that requires no modification to the ATM.
Posted on February 3, 2011 at 5:54 AM
Those ATM door locks actually work on ANY magnetic swipe, as actually verifying the card is a valid one would be too complicated and take too long. For years I have opened those doors with my grocery club card as a matter of principle instead of using a card with actual value. It appears I had some remarkable foresight.
It's bl**dy obvious when you read the page title. It actually made me laugh, then made me think "why didn't I think of it"...
Which is what makes it so clever...
The next question of course is could you also put a keypad beside the skimmer and get people to type their PIN in....
I think I'll take a close look at my local bank door and see if the wiring is easy to get at etc.
But my ATM doesn't have a door! It's out in a cow field (well, orchard actually). What shall the poor skimmers do!
What I found interesting, if true, is that it was a customer report of a camera that tipped off the investigation. How does a customer recognize the difference between legit bank security and bogus to-be-reported hinkiness?
It's why those pamphlet holder cameras are so effective. Those things are everywhere and just sort of blend into the background of visual noise.
Did the blogger JUST add this?
"Hello there Bruce Schneier fan!"
or does it pop up from the referring page?
This is a very old attack type, and it may be a violation of agreements to encourage the use of payment cards for access control purposes. Another well known attack in a similar environment is to hack an access control system where you are using your own magnetic card - there will be payment cards in the database, with valid PINs... Luckily, the attack you describe normally does not give PINs, but giving the attacker an obvious opportunity to collect cardholder data is bad enough.
I don't understand why ATMs are still using magnetic strips. My VISA and ATM cards have both magnetic strip and microchip and the ATM tries to read the magnetic strip first.
I know this because I have recently disabled the magnetic strip on both cards with insulating tape (that I can easily remove if needed) and now the ATM makes repeated strange noises trying to read the strip before reverting to the microchip.
Also the door lock seems to work fine, so it seems that removing or disabling the magnetic strip is an effective countermeasure against skimmers.
Issuing chip-only cards without magnetic strips would pretty much eliminate the whole issue.
Issue separate magnetic cards for customers that explicitly request them.
I doubt that attacking a smartcard chip will become practically feasible in the foreseeable future.
(NB: "feasible" includes "cost-effective", "fully automatic" and "built into a rather small device" for the ATM scenario)
There's no infrastructure for chip-based cards in the US. Even if a bank issued chip-based cards and replaced all their ATMs with chip-reading units, every retailer and third-party ATM would still require the magnetic strip.
> There's no infrastructure for chip-based cards in the US
Wrong. Look harder. Lots of places bought them (or had them issued, I am unclear about the financial relationship for hardware) a few years back. For example, every McDonalds seems to.
I have a small number of work acquaintances who have NFC cards. They are able to use them at a surprising percentage of retailers, and do so. Enough that the card doesn't need to be taken out of the wallet for appx half of transactions.
Card companies just need to go ahead and start issuing these to everyone. There's a high turnover, so very shortly, a lot of people will understand how it works, and then you can start talking about the improved security.
Shortly after this, retailers with only magstripe readers get charged extra when they renew service. Then we start issuing chip-only cards (remember, typing into the keypad is always an option for the retailer).
In the Netherlands, most retailer units use the magnetic strip. Only recently (the last couple of months), units using the chip for PIN transactions are being installed.
The strange part is that many retailer units actually do have a chip interface, but it's only being used for the small transaction debit cards (called "chipknip"), where the debit is actually stored on the card itself (thus, if you lose the card, you lose the debit stored on it). This project has pretty much failed miserably (like most similar projects on other countries, I believe), and most retailers don't accept such payments.
I believe the chip interface is used in Belgium for PIN transactions, at least in the part I visited recently.
I still can't believe the utterly and completely broken PIN system is still in use. It has been proven to be insecure numerous times, but those with the power to change things (mostly the banks) don't have an economic incentive to do so, because they aren't liable for damages.
@ Steven Hoober,
"Shortly after this, retailers with only magstripe readers get charged extra when they renew service"
Shall we start a sweepstake on how long it will be before somebody from Magnatec shows up and posts about their mag stripe fingerprinting system and how this will "save the world from skimmers"?
You used to do an occasional "security" piece for the UK Guardian Newspaper from time to time.
Do you still read it online?
If so did you read Tuesday 1st of Feb's edition?
There is a lovely little piece titled,
"Guardian Security: Tapped from the wire"
(Given half way down this page http://m.guardian.co.uk/media/2011/jan/31/... )
It's about the Guardians "Wikileaks team" trying to do secure comms with "pay as you go" mobile phones, it might amuse.
In Germany, I have seen labels at bank doors warning about those door lock skimmers for at least 5 years. Something like "You never need to enter your PIN at the door. If the door says otherwise, it's a scam."
I always figured that those door lock skimmers have been more popular here than skimmers at the ATM.
Then again, for obvious reasons, it just might be simpler to warn people about the door devices than to warn them about ATMs.
I think if I found a DVR on a cash machine I'd just keep the thing.
@ Steven Hoover: what the posters above are talking about are the contact chips used in e.g. Europe, not the NFC ones becoming popular in the U.S., which would be just as vulnerable to the same kind of attack.
@ SparkyGSX: the readers common in NL can actually read Maestro via the chip, *but* you have to tell the cashier (who might not even know what you're talking about) to tell the computer that, so it's always easier just to swipe. BE, in the other hand, does everything via chip—my understanding is that it's the result of certain contracts with payment vendors, since it's the exact same equipment.
Sorry, Steven, I didn't mean to misspell your last name. (The keys are totally right next to each other.)
Don't these ATMs always have video surveillance? Can't they see the crooks installing the devices?
It's another data point towards video cameras not being effective.
Still, 9 times.. It might be worth reviewing tapes....
The majority of transactions in Belgium, including those of ATMs, go through Atos Worldline, which acquired both Banksys and Bank Card Company, the former major players on the market. This company takes care of the entire payment process: issuing cards, developing payment terminals, managing the payment network, processing payment transactions, providing e-services and CRM tools. The chip is used for most transactions (stores, restaurants). The only notable exceptions I know of today are older terminals at fuel stations, with the magnetic strip also still being used for access to bank ATMs outside of business hours. As a rule of thumb, it won't get you into any bank other than the affiliates of the one your card comes from.
The system with debit value stored on the chip too (Proton) is in the process of dying a slow death as it proved way too expensive for most retailers, who bailed out of it.
This said, it is indeed an older attack, but banks over here in general don't spend too much time on informing their customers of what to be careful about other than not allowing other people to look over your shoulder. Although most take safety and security reasonably seriously, they don't consider educating their patrons as a part of their core mission.
Actually I am thinking this is where an attack has been repurposed after going dormant. I remember that there was some sort of 'attack' going on in the 1990's about this (like someone putting a "door" outside of an ATM just for this). Many ATM boxes went away due to the convenience of other ones, but I guess they are coming back in vogue.
Oh, for surveillance. Most of the surveillance is aimed at the inside of the room and is not live watched. That would be highly expensive man-power wise, so it's easier to just review tapes.
I have the impression there are many fewer bank lobbies like this in the UK now. Some years ago they were fairly common. Now, although a lot of banks have stripped their front room/banking hall out and put in a lot more ATMs, with meeting rooms on the first floor, you usually can't get in after hours (annoyingly).
I presume this is to defeat this attack.
"I think if I found a DVR on a cash machine I'd just keep the thing."
Unless you are wearing body armor and are prepared to face down a couple of large thugs wielding crow/pry bars I would just quietly leave and go tell the cops (not that they will do anything).
A few years ago I was in central London with a friend and needed to get some money out. There is a Sainsbury's close to Victoria Railway station with a "hole in the wall ATM".
The bloke in the queue in front of me noticed something was wrong and started running his hands around the fascia of the ATM and found the pinhole camera etc. He told me it was "bugged" and went into the store to complain. Meanwhile I, being a curious soul, was looking at the device when two very large blokes came up from behind with crow bars; one of them smashed his against the wall near my head whilst his mate crow-barred the camera unit and card reader off of the ATM card slot, dropped it into a plastic bag, and the pair ran off around the corner, all in about 15 seconds.
My friend got a good full face photo of one of them on his camera phone.
Now I'm 6ft 6in and at the time reasonably "handy" but there was no way on God's little green apple I was going to tackle either of them. They looked like a pair of Albanian death wrestlers who did part time mutilation just for amusement.
I also noticed that they were not using a DVR but a 2.4GHz micro video camera (made by Swann in AUZ) so they had cronies very near by (in an Iranian run shop across the road).
Anyway we called the police as the shop manager was busy saying it was nothing to do with the Sainsbury's store (even though it was a Sainsbury's Bank ATM) and he wanted nothing to do with it.
After repeated calls to the Police they finally turned up and said they had been given the wrong address (something I knew to be incorrect as I had got the controller to read it back off the computer twice). They were not very interested and lost complete interest when the shop manager said that the CCTV security camera that looked down on the ATM had stopped working in the morning... My friend showed them the full face picture of one of the two men but they were even less interested and basically made their excuses and left...
Anyway my friend was not happy with this and the following day went back and sure enough the stuff was back on the ATM and he saw the bloke he had photographed with his mate sitting in the shop across the road with the shop keeper with the CCTV camera receiver...
This information was also passed onto the police and guess what, a week later the same setup was still running.
I don't know how many people's cards they had skimmed in that week but it's a main student / tourist arrival point for international coaches and trains up from the ferry ports, and the ATM usually had a small queue of people using it...
If they have that camera trained on the row of ATMs, why can't they show images of the fake mirror being installed? Why can't they have software constantly compare the static images to detect such alterations in the first place?
@clive: "I being a curious soul was looking at the device when two very large blokes came up from behind with crow bars smashed one of them smashed theirs against the wall near my head..."
If they tried that in the states they might get shot.
@Clive: considering the ease with which the police could have arrested and prosecuted the thieves, one has to wonder if they were getting a cut. Oh well, at least a grenade could take care of the skimmers in the shop. J/k
@Clive "just quietly leave and go tell the cops (not that they will do anything)."
Oh that's not fair! Sure they will...after 9 times.
The modification to the vestibule reader has been done before; it's less popular due to the abundance of in-wall ATM units here.
When talk of ATM skimming comes up, there is always a suggestion of Chip & PIN. Often it is mentioned how other countries are handling chips, PINs, and ATM fraud. There are several shortfalls of this approach. Aside from the PIN bypass attack (Anderson et al), another problem is the additional exposure of the debit PIN at the POS terminal. I don't want to give up any of my zero-liability protection due to the false perception that PIN usage equals non-repudiation. There is a reduction in convenience, at a time when acquirers are trying to increase their share of small-value transactions.
What should be realized is that the U.S. is already gearing up for a more convenient, comparably secure payment device that delivers a superior user experience. Why implement the old-and-busted ISO contact chip when you can leapfrog to the latest technology, contactless EMV? There is a risk of RFID skimming, but this isn't as damaging as one might think. Chip cards - not to be confused with earlier systems using magstripe data - generate a new PVV for each transaction, based on an event counter. If a valid/unused PVV is obtained through RFID skimming, it is invalidated for online authorization on the next usage of the card at an online contactless card terminal. The bank will then expect the next PVV in the sequence. Given that nearly every McDonald's has them, this next usage can occur within hours.
There's no PIN exposed, and no need to insert a card.
When challenge-response is properly added in, replay won't work at all. The only compromise I could imagine is relaying the communication between the reader and a remote skimmer in real time, using a cellular connection.
I've figured a way where contactless EMV can also protect against cloned cards at the ATM. ATMs with motorized readers can easily be outfitted with an antenna under the card's travel path that reads the card's EMV PVV and relays it to the bank, in conjunction with magnetic stripe and PIN. Machines with dip readers can have an auxiliary reader pad installed, or have the antenna hidden in the dip reader. Users would just need to be instructed to keep the card inserted for a second or to "tap your card to the screen".
Implementation can be done at low cost today with COTS hardware and no card reissue. Many bank debit cards have it already, and once magstripe is completely replaced with challenge-response contactless smartcards, we can take the stripe off completely or limit the swipe transaction amounts to under $50 a day.
For bank customers at most bank-owned ATMs, only a software change is needed, as the machines use an in-house network with no need to cooperate with payment network standards at all.
As for using ATMs in dodgy places across the pond. Use a strikelist. The customer gets a list of sequential one-time codes, printed in small text on a separate scratch off card. Plus a secret number they append or prepend. If they lose or forget the list, they can just use the regular PIN.
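The event-counter scheme the comment above describes (a fresh one-time value for every read of the card, with any value behind the bank's expected position invalidated as soon as the card is used again) can be modelled in a few lines of Python. This is an added example, not the commenter's code and not the EMV specification: the six-digit code is a constructed HMAC derivation standing in for the card's keyed cryptogram, and `Card`, `Issuer`, `MAX_COUNTER_GAP` and the sample key are all made up for the illustration. The same next-expected-index bookkeeping is what an issuer would keep for the sequential strikelist codes proposed at the end of the comment.

```python
"""Toy model of counter-based one-time card codes and issuer-side replay rejection.

Constructed example. Real EMV uses an application transaction counter and
issuer-keyed cryptograms; derive_code() below is a stand-in, not that algorithm.
"""
from __future__ import annotations

import hashlib
import hmac

APPROVE = "APPROVE"
REJECT_STALE = "REJECT: counter already used (replay)"
REJECT_GAP = "REJECT: counter too far ahead"
REJECT_CODE = "REJECT: code does not verify"

# Constructed bound on how many reads the issuer may never have seen
# (skims, offline taps) before it refuses to advance the counter silently.
MAX_COUNTER_GAP = 10


def derive_code(card_key: bytes, counter: int) -> str:
    """Six-digit one-time code for a counter value (constructed HMAC-SHA256 truncation)."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Card:
    """Contactless card: every read, by a terminal or by a hidden antenna,
    consumes one counter value and emits the code for it."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.counter = 0

    def tap(self) -> tuple[int, str]:
        counter = self.counter
        self.counter += 1
        return counter, derive_code(self._key, counter)


class Issuer:
    """Issuer host: remembers the next counter value it will accept for this card."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.next_expected = 0

    def authorize(self, counter: int, code: str) -> str:
        if counter < self.next_expected:
            return REJECT_STALE            # behind the last approved counter: a replay
        if counter - self.next_expected > MAX_COUNTER_GAP:
            return REJECT_GAP              # too many unseen reads; refuse and flag for review
        if not hmac.compare_digest(code, derive_code(self._key, counter)):
            return REJECT_CODE             # plausible counter, wrong code: no card key
        self.next_expected = counter + 1   # every counter up to this one is now burned
        return APPROVE


KEY = b"constructed demo card key - not a real issuer key"


def skim_then_cardholder_pays() -> list[str]:
    """A hidden antenna reads the card once; the cardholder then uses it normally."""
    card, issuer = Card(KEY), Issuer(KEY)
    skimmed = card.tap()                              # attacker now holds counter 0 and its code
    return [
        issuer.authorize(*card.tap()),                # cardholder's tap, counter 1: approved
        issuer.authorize(*skimmed),                   # replay of counter 0: stale, rejected
        issuer.authorize(skimmed[0] + 3, skimmed[1]), # bumped counter, reused code: fails the
                                                      # code check (barring a 1-in-10^6 collision)
        issuer.authorize(*card.tap()),                # cardholder's counter 2: approved
    ]


def skim_then_replay_immediately() -> list[str]:
    """The window the comment admits: an unused code spent before the cardholder's next tap."""
    card, issuer = Card(KEY), Issuer(KEY)
    skimmed = card.tap()
    return [
        issuer.authorize(*skimmed),        # approved: the issuer has never seen counter 0
        issuer.authorize(*skimmed),        # second spend of the same code: stale, rejected
        issuer.authorize(*card.tap()),     # cardholder's counter 1 is still accepted
    ]


if __name__ == "__main__":
    for name, scenario in (("skim, then cardholder pays", skim_then_cardholder_pays),
                           ("skim, then immediate replay", skim_then_replay_immediately)):
        print(name)
        for decision in scenario():
            print("  ", decision)
```

Running it shows both halves of the argument: the skimmed value is dead the moment the cardholder's own tap moves the counter past it, but it is accepted if the attacker spends it first, which is the window the comment acknowledges and the reason the issuer side also bounds how far a counter may jump ahead rather than trusting the sequence alone.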
@Clive - Wonder what would've happened if you had called the Home Office or SOCA and told them "foreign-looking hackers" were committing a "high-tech financial crime" at the ATM.
@ John Hardin,
"If they tried that in the states they might get shot."
I suspect that they might have got that aspect covered as well. Let's put it this way: those two were definitely not acting alone, and it was definitely well organised.
"Considering the ease with which the police could have arrested and prosecuted the thieves one has to wonder if they were getting a cut"
No, I suspect the police didn't really care. Technically the only crime they would have committed would be petty vandalism at that point, which is not of necessity an arrestable crime. Which would then leave the old trusty "going equipped".
It turns out that a lot of these gangs target the tourists not the nationals, and as such they actually commit the financial crime in another country. Thus in general the police have little they can do against them.
However my friend kept the photo he had taken and is fairly certain the individual was one of a group arrested on counterfeit documents a year or so later who had their "mug shots" printed in the newspaper (apparently they had something like six thousand blank drivers licences, passports, and other documentation such that Eastern Europeans not from the EU could claim to be from the EU and work etc.).
As for "being on the take" or "getting a slice of the action", if there was a person getting a cut my money would be on a member of staff in the Sainsbury's. The reason being the oh so convenient failure of the security CCTV camera overlooking the ATM on the day the crooks started their operation just strikes me as being more than coincidental...
Ah well, I would have imagined pounding the wall next to you unprovoked with a potentially lethal weapon would at least merit an aggravated assault. Of course, you would have had to see it through court. I'm not familiar with British laws and obligations to its citizens, but I am none too thrilled that in the US, "equal protection under the law" is mostly lip service. At the very least, unlawful eavesdropping is occurring on a piece of private property.
Also, regarding the legality of possessing such skimming equipment and putting it in place, I'll have to see what case precedent is here, but it strikes me as odd that it would be considered a crime in a foreign country (to yours). After all, if a British national is murdered in Italy, the Italians have jurisdiction. Same thing happens to US citizens such as murdered Peace Corps volunteers. In the same manner, the defrauding takes place within British jurisdiction, esp. the physical portion of the crime. It seems like governments still haven't sorted out how to handle any crimes (or civil violations) that take place in one jurisdiction that affect a resident of another. Just look at the civil case against Geohot for the PS3 cracking. Sony is pursuing him in a California court, even getting an injunction for seizing his property (another issue I have: when property has to be turned over for evidence, it should be to a regulated neutral third party, particularly computers, which are highly prone to tampering). And I haven't even gotten into a certain Australian national who hasn't set foot on US soil...
It's the Greet Box plugin for WordPress blogs
Totally agree! I recommend to everyone now that they keep an expired/canceled payment card for exactly this kind of situation...
Just the other day when I was on the road I saw someone with a new iPad get extremely frustrated when they tried to enable it -- a payment card was required. I let them curse Apple for a while (ok, maybe a long time) before I hinted..."I bet you have an expired number"
@ Chip card infrastructure:
Furthermore, the TWIC (Transportation Worker Identification Credential) is a chip card, and you need one to do any marine work.
I worked in a bank and we were warned about this type of attack a couple of years ago. Since then I always open such doors with an expired card, which I keep for this purpose. I guess you can also use any card with a magnetic stripe.
"Wonder what would've happened if you had called the Home Office or SOCA and told them"foreign-looking hackers" were committing a "high tech financial crime" at the ATM."
Well as you may or may not know the UK's "FBI" or "Serious Organised Crime Agency" (SOCA) has a (semi) secret South London communications center at the back of an industrial estate in Morden Surrey.
And the reason it's now only semi-secret brings a smile to my face every time I think about it...
It just so happens that a popular UK Police TV drama called "The Bill" for many years used the same industrial estate on a regular basis for filming, supposedly unbeknown to both SOCA's planners and the TV producers...
Thus SOCA were "outed" by a "fake police outfit" that, as many have observed, are more believable than SOCA are.
The second reason SOCA got outed was "parking restrictions". The industrial estate they are on has had parking enforcement outsourced to an organisation that has a very very very poor reputation (and gets called ShyteHawk by the locals). Part of the clampers' reputation is due to the fact that they are reputed to be a bunch of criminals.
Well, apparently ShyteHawk impounded some of SOCA's vehicles and rather than just deal with it quietly a member of SOCA staff "flashed the badge" and did a "You know who we are sonny" number on the clampers. Who then in turn mouthed off their frustration (they didn't get a clamping fee) down at their local and other places; as some of these are "low dives" frequented by certain criminals, the word got around faster than a gold fob watch at a pickpockets' convention.
Another problem with SOCA is they are "doing an NSA" in more ways than one and the results (or lack thereof) are almost as predicted. They have effectively ended up as a dumping ground for a large number of specialist units, the most recent being the debacle with the agency tasked with protecting children from exploitation online etc...
Rather than say NO, SOCA have been empire building but at a knock down due to Gov spending reviews. Thus SOCA have lots and lots of extra duties but not the financial resources needed to run them either efficiently or at all...
So I suspect that, hypothetically, if the same thing happened today and I were to ring SOCA and report a "high tech organised crime" I would get less response than I did from the Met Police...
"... but it strikes me as odd that it would be considered a crime in a foreign country (to yours)."
Sorry I was not clear. The skimmers were "scanning" the cards of tourists in the UK; they were then sending the cloning details to people in another country where the actual making of the card and using it for fraudulent activities was done. This country is often a "holiday resort" place but importantly it is not the UK or the country the tourist comes from.
Thus in the UK the crimes the skimmers were committing were petty vandalism (adding/removing card reader etc. to ATM) and potentially "going equipped to commit a crime" for carrying the crow/pry bar, but not a lot else, because the data on the mag stripe is not technically Personally Identifying Information (so no Data Protection) and is also "public", that is, every merchant you use the card with gets the same information.
Oh and the very very thorny question of writing down the secret pin number.
The entire "security" foundation of the likes of EMV and the banks using their system is that you the "card holder" must at all times keep the PIN secret... Even though the card holder has to type the PIN in, in a "public place".
Thus if the skimmers can "see" what you type in technicaly it is you the card holder who has been "negligent" and "revealed your "secret" in a public place" and have thus "made it public"... The same argument does not hold if the skimmers use a "keypad shim", not that you can prove this after you have been defrauded and are trying to show that "the bank" not you as the "card holder" were negligent...
Oh and although it was not the case back then, in the UK the Government has encouraged the "investigation of card fraud" to be carried out not by the Police but by those who are "specialists", that is EMV and the banks. So the people who have externalised the risk onto the "card holder" are responsible for investigating whether they themselves have been negligent or the "card holder".... So that's alright then, no conflict of interest there...
@Davi Ottenheimer "...everyone now that they keep an expired/canceled payment card for exactly this kind of situation"
I thought about this (HAVING now a cx card due to a leak of one of my online services leading to fraud attempts-thank you very much) but it would be better if you had a card that was tied to NO financial service; lest they come back against you for attempted fraud. Use instead your ex-wife's or the guy's who never returns the tools he borrows.
@ Dirk Praet
"As [the Proton system with cash value stored on the chip itself] proved way too expensive for most retailers"
I was told that the bank fees for getting payments below €20 via proton were lower than for any of the other electronic payment systems. The main "expense" of proton payments for many retailers was that it interferes with tax evasion because, unlike cash, Proton leaves an audit trail. I'm not saying that actually paying taxes (on the totality of your revenue) is not a big competitive disadvantage in some retail sectors, but I have little sympathy for their predicament.
I have also been told that the Proton system never got a foothold outside of Belgium because whenever it was being considered somewhere, Visa/MasterCard would boast that they would come out with a Visa/Mastercard branded system any day now, and that the strength of their brand would make it easier to get customers to accept the system. This is blatant abuse of their monopoly in one market to create a monopoly in a new market, and apparently they don't even deny that: instead, year after year, they have been paying the fines and trying to keep it as quiet as they can.
My main disappointments with the Proton system are:
1) that as a consumer I never could get a set of proton cards from my bank that was separate from my bank card, and
2) that the bank doesn't make it easy to top up the proton value on my bank card to a lower value than the limit of €125. If I could just set a preference that every time I insert the card into an ATM or into one of those bank statement printers it would top up the proton value to €30, I would happily do that. Losing €125 if I lose the card is more than I personally feel comfortable with.
Interesting blog post.
Anything as important as a bank needs to be secure.
But WHO needs to skim, when you've got THIS backdoor built right in ?? --
The backdoor/'hole' I'm referring to is the very idea/concept of security questions -it's an oxymoron.
Think about it. A person is supposed to 'make it more secure' by answering with information 'only they know'. ONLY they know? The answers are what people share with others just through casual conversation, so HOW can it be touted as answers that 'only you'll know'? Hence, oxymoron.
Take this bank's question as an example (actual bank question, since it's my bank) : "What's the name of your maternal grandpa?"
Very funny Bank ******, but as I'm simply conversing with neighbors and some people on the internet, sometimes conversations come up that are like this short one :
Fred "I'm quite busy today, wished I weren't."
Joe "Yeah, some days are like that."
Joe "Busy with what?"
Fred "Oh, nothing too dramatic. Just emailing some relatives to update them on what's up with me lately. I've sort of put it off because other things kept coming up. So it's catch-up time."
Joe "Oh, it's one of those days."
Fred "Yeah. It'll take me a while just to type them up. I tend to make typing errors enough that everything I type is pretty much a rough draft till I can edit it until I get the final version done. A lot of work IMO."
Joe "In my case, I don't look forward to emailing my maternal grandfather, Michael. You know the type, he's one of those who gripes if he reads my email and finds I've used any slang. Pick, pick, pick, I love him but.... it's a pet peeve of his. So, unlike you who has to deal with typing errors, I have to edit it for slang words! Haha!"
One more conversation like the above, but regarding the topic of surnames will supply a last name as well.
See what's just happened here? Simply shooting the breeze has just given anyone with the urge a nice backdoor right into your property.
Personally, I think the concept of 'security questions' should be trashed and replaced with some concept that actually works. But... if it's going to stay here, everyone should be told to never, ever, answer them with the TRUTH. You will not have the 'supposed' convenience if you do, but true security is well worth it. Reminding oneself of **what you have to lose if you do otherwise** rather than going on and on with the misperception, "But those type of replies to security questions are hard to recall.", will serve a person more - in more ways than one.
What I advocate, if security questions are going to be used, is to make it secure by making it all garble - uppercase, with spaces, numbers, and lowercase - in other words, nonsense. Therefore extremely hard to hack. It would look like this :
6Gd9Ie2 T1 K0d75Xa
If anyone involved in IT security is truly security conscious, it would be about time to act the part and *stop* advocating people type in the truth in their security question replies. Doing otherwise is asking for trouble.
@BF Skinner and everyone -
Ah, pamphlet holder scam.
Combine that scam with the mirror-in-the-upper-corner scam etc., and imo the best thing to do at this point is to stop using ATMs.
Rule #1 to good personal/business/government security is :
Don't do what most people are doing.
Most everyone uses ATMs and because of it, hackers flock to attack this arena - then use telebanking and in person instead. The other route to hacking people's accounts is the online break-in - well then, stop using online banking.
Overall theme of rules I'm covering is - always use the route(s) less used by most everyone else.
This will reduce ones risk of getting hit by a great deal.
One more rule, for me anyway :
Once I create a new way to be secure, never ever divulge it to anyone, period. Even here in this blog. Hackers and others lurk everywhere, why make their job easier?
For example, I have a method to make Windows OS completely spyware proof - I've used it, tested it, it works. Am I sharing this with anyone - anyone? No way, Jose; hackers will see it and may find a hole (IF there's a hole to be found, that is), then the work ends up for naught.
So, rule #2 is :
Never ever reveal methods to keep things secure. No one can crack/attack what they don't know even exists. (Sorry, but it's a fact of life - hackers/phreakers/others lurk, that's just the way it is.)
One final thought -
This blog may be a good idea in some ways, but it has that catch-22....like others do, not picking on Bruce's of course.
Have a nice day, and *try* to keep secure.
Some time ago my employer opened an account with a US-based brokerage firm for me, to put some company stock in it as a bonus. I accepted the stock grant mostly out of curiosity about what a US online brokerage account looks like; the amount of stock granted was symbolic.
The process of setting up the account included answering something like *ten* pre-defined "security questions" (the name of your pet, the name of the city you lived in previously, etc.) in addition to a username and password (both of very limited maximum length, so I could not use my usual password length and could not make a username out of my first initial and last name) and ... a 4-digit PIN for over-the-phone transactions! That's plainly ridiculous. I pulled all the answers out of my /dev/random, base64-encoded. Strangely, answers to the "security questions" were not limited in length (or not so much), so I was able to use my preferred password length there.
Random strings as security question answers are a smart way to beat the silliness of them, if they are going to be used online. Just copy and paste from your favourite password management app. On the other hand, spelling them out to a call center drone could be funny. An alternative, but somewhat less secure, approach would be to still lie in answer to these questions but keep the answers more pronounceable.
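As an added example (this is not code from the comment above or from any brokerage), here is how the two styles of answer just described can be generated in Python from the operating system's CSPRNG: base64-alphabet strings for online use, consonant-vowel strings for the case where the answer has to be read to a call centre, and the guessing entropy each one carries. The question list and the 32-character default are assumptions standing in for the ten questions the commenter was asked.

```python
import math
import secrets
import string

# Alphabets for the two styles of answer. The pronounceable variant uses a
# reduced consonant set so nothing is ambiguous when read out over the phone.
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"
CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"

# Hypothetical questions, constructed here as a stand-in for the real list.
SAMPLE_QUESTIONS = (
    "What was the name of your first pet?",
    "In what city did you live previously?",
    "What is your mother's maiden name?",
)


def random_answer(length: int = 32) -> str:
    """Base64-alphabet answer drawn from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(BASE64_ALPHABET) for _ in range(length))


def pronounceable_answer(syllables: int = 8) -> str:
    """Fake but sayable answer: consonant-vowel pairs, one per syllable."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(syllables)
    )


def entropy_bits(kind: str, n: int) -> float:
    """Guessing entropy of n uniformly drawn symbols of the given kind."""
    if kind == "base64":
        return n * math.log2(len(BASE64_ALPHABET))            # 6 bits per character
    if kind == "pronounceable":
        return n * math.log2(len(CONSONANTS) * len(VOWELS))   # ~6.1 bits per syllable
    raise ValueError(f"unknown answer kind: {kind}")


def fill_questions(questions, kind: str = "base64", n: int = 32) -> dict:
    """Return {question: answer}; this mapping is what goes into the password manager."""
    make = random_answer if kind == "base64" else pronounceable_answer
    return {q: make(n) for q in questions}


def spell_out(answer: str) -> str:
    """Render an answer for reading to an agent one character at a time,
    disambiguating case, digits and the two base64 punctuation characters."""
    words = []
    for c in answer:
        if c.isupper():
            words.append(f"capital {c.lower()}")
        elif c.islower():
            words.append(c)
        elif c.isdigit():
            words.append(f"digit {c}")
        else:
            words.append({"+": "plus", "/": "slash"}[c])
    return ", ".join(words)


if __name__ == "__main__":
    for q, a in fill_questions(SAMPLE_QUESTIONS).items():
        print(q, "->", a)
    print("32 base64 chars:", entropy_bits("base64", 32), "bits")
    print("8 syllables:", round(entropy_bits("pronounceable", 8), 1), "bits")
```

The entropy figures make the trade-off in the comment concrete: 32 base64 characters give 192 bits, while eight pronounceable syllables give roughly 49 bits, still far more than any truthful pet name, but lower, which is why the commenter calls the pronounceable version "somewhat less secure".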
I've had occasions when I had to contact a call center and give them my garble, a.k.a. my security answers. It's not a biggie for me, nor for them, and has been easy to do. At most, all I encounter from their end is a sound of minor amusement and surprise in their voice as they remark, "Wow, I rarely hear such an unusual security question reply," and I just explain why I do it as an FYI - although I usually explain that upfront so they'll see why I'll be stating it one character at a time.
I've not once been inconvenienced by doing this.
I forgot one more thing regarding security questions and the replies to them in my comment/post above:
Periodically change the questions and answers, just as is advised for passwords.
Your reply brings up another point I never covered - that of the username people pick. Mine is nothing coherent. I make them like the security question replies I mentioned. Also, on the occasions some place lets me 'write my own question', I make up a question that's nonsensical, and its answer is likewise.
I feel doing this with the username, plus periodically changing the security questions and their replies, is simply sound thinking and very preventative.
Keep 'em off the trail, is my motto!
I think of it this way, with regard to telling a call center my security reply:
At times, I've had to spell out my name to them, so what's the difference between relaying THAT character by character and doing so with this?
Call center: my remark was purely theoretical, as I never had to answer any "security questions" on the phone (yet). Forced to do so, I would probably use your approach of explaining and spelling.
Username: I don't see a random-string username as a big improvement in security when a good password is in place. Well, maybe as a protection against DOSing a service by enumerating usernames and exhausting users' password retry limits. In some contexts a random username is sensible, in some not so much, for example if it is also used as a nickname/handle/signature.
Changing answers to security questions: as Bruce and others have pointed out, security questions and their answers are effectively secondary passwords, so they should follow password rules. But there are different schools of thought regarding the frequency of password changes - I'd rather have random long passwords and change them rarely if at all, or immediately after a possible compromise.
@ Clive Robinson
I just read the Guardian article. I couldn't drink and read at the same time. That crap was so funny! They picked up a few prepaid phones and then they had their "own leak-proof network." LOL! At least one of the morons probably used their credit cards to buy them. I hope these guys don't ever get any information that actually has some value. Lives could be lost.... National borders redrawn... (cough) more movie plot scenarios (cough)
"Enough that the card doesn't need to be taken out of the wallet for appx half of transactions. "
This is worrisome. I guess we'd better not lean too far towards the card reader while waiting our turn, lest our card gets charged for the purchase being made by the person in front of us.
Time to invest in one of those lead-lined wallets!
Clive, try to be a little more aware of your surroundings. If these guys had been targeting your head, you'd be dead right now.
That's a major part of my martial arts training, in fact the very first part: sure, I could probably catch the crowbar, twist it around and either throw the guy to the ground by it or, hell, I've just taken his weapon; but in the first place, I know when people are looking at me, approaching me, etc., and if I see two huge guys coming my way looking suspicious I can get further out in the open for a better defensive standpoint. That doesn't mean I can fight them better out there; maybe I can, but I also have the option to run like hell. Sounds like you'd be better off with that option in this case.
On a more direct note, couldn't you have reported it to the bank's higher-ups? In the US, the ATMs all represent a bank-- Bank of America, Chase, etc. We get scammed on fees, $2, $3, etc to withdraw money; but if your card is issued by the bank that owns the ATM, no fee. Call their head office, tell them their machine's rigged and you got attacked by crowbar thugs when you were poking at it, and they've re-rigged the machine again.
Or if you're butthurt about being ambushed by two guys with crowbars (oh yeah, real brave guys, I bet you feel real tough), you could wander into that coffee shop with your own crowbar and take them by surprise; but that has legal consequences and I'm not sure I could recommend that.
In regard to:
"Username: I don't see a random-string username as a big improvement in security when a good password is in place. Well, maybe as a protection against DOSing a service by enumerating usernames and exhausting users' password retry limits. In some contexts a random username is sensible, in some not so much, for example if it is also used as a nickname/handle/signature."
I disagree that in some contexts a username composed of a random string would not be sensible when it doubles as a nick/handle/signature.
Take this example of how it can be:
If a government agency's employees needed to use it as a nick every time they interacted with others, they could simply use, say, the first 7 or so characters when referring to someone they're speaking with via voice. In other situations, such as email, one can use programs/utilities which can verify the entire string as being authentic.
In the above example though, when it comes to voice communications, there would no doubt be other things in place to prevent/detect compromises anyway, so using only the first 7 or so wouldn't devalue the attempt at security too much.
@Peter, everyone -
I didn't mention this idea, which I implemented long ago, in my original post above:
'Never have your contact address book on anything computer related.'
Worms are known to harvest their contents. There are other ways to do this besides worms, as you probably know.
I mention this one because a recent email from my bank had me thinking (once again) about some of the insecure things banks do. I'll paste in the sentence from that email to which I'm referring:
"Please add YOUR BANK to your email address book."
The 1st thing I thought was, "What? Why give someone the 1st step to attacking my bank account by telling them WHERE I bank?"
If it's not obvious already, I'd never do that. In fact, I don't have a contact book on anything computer related, since computer and computer-related attacks are the main avenue of compromise. As someone said above, "Go the route least traveled" (posted by Joseph C.). I agree, so I stick to the old-fashioned hard paper version (plus doing what's below, and then some).
Continuing with this line of thinking...:
If someone *is* going to have a computer-related, or even smartphone, version of an address/contact book, keep information such as who you bank with concealed. An illustration is as follows:
Important contact info such as ...
bank name, address, etc.
relatives phones, address, etc.
work phone, address, etc.
>> File all these under the group name "Recreation". Where the 'name' would be typed for your bank, for example, use another code word which fits 'recreation' as a group listing, such as "Brian's gym", where "B" for you means "B-ank info".
This is just a quick illustration.
Doing this, and then some, would make it very hard for a worm, or even someone in person for that matter, to find the bank's name (much less anything else).
IMO, more people should implement this, and more.
Since my bank card was compromised a few months ago, I have been "padding" my PIN, as I enter it anywhere, with bogus keystrokes. That is, I pass my finger over numbers not in my PIN before the PIN digits, between them, and after. E.g., if... my PIN were 44444, I might gesture 17445444826, with only the '4's being real keystrokes.
I think this might be a simple way to obfuscate the PIN and artificially increase the keyspace that an attacker would have to interpret from a video recording.
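An added example, not from the comment above, that puts a number on the padding idea in Python. The gesture string 17445444826 and the PIN 44444 are the commenter's; `candidate_pins` enumerates every PIN an attacker who recorded that sequence would still have to consider, and `pad_pin` is a hypothetical generator of such padding (decoy digits chosen from those not in the PIN, positions from the CSPRNG). The model assumes the camera cannot tell a real press from a finger passing over a key.

```python
import math
import secrets
from itertools import combinations


def candidate_pins(observed: str, pin_len: int) -> set:
    """Every distinct PIN of length pin_len that could be hidden in the observed
    gesture sequence, i.e. its distinct length-pin_len subsequences."""
    return {"".join(picked) for picked in combinations(observed, pin_len)}


def is_subsequence(pin: str, observed: str) -> bool:
    """True if the digits of pin appear in observed, in order, not necessarily adjacent."""
    it = iter(observed)
    return all(digit in it for digit in pin)   # each 'in' consumes the iterator up to a match


def pad_pin(pin: str, decoys: int) -> str:
    """Scatter `decoys` bogus keystrokes around the real PIN. Decoys are drawn
    from digits not in the PIN (as in the comment) so the cardholder can still
    read the real digits back; positions are random so the padding has no shape."""
    pool = [d for d in "0123456789" if d not in pin]
    if not pool:
        raise ValueError("PIN uses every digit; no decoy digits available")
    seq = list(pin)
    for _ in range(decoys):
        pos = secrets.randbelow(len(seq) + 1)   # any slot, including both ends
        seq.insert(pos, secrets.choice(pool))
    return "".join(seq)


def keyspace_bits(observed: str, pin_len: int) -> float:
    """log2 of the number of PINs consistent with the recording."""
    return math.log2(len(candidate_pins(observed, pin_len)))


if __name__ == "__main__":
    observed = "17445444826"   # the gesture sequence from the comment
    pins = candidate_pins(observed, 5)
    print(len(pins), "candidates;", "44444" in pins, round(keyspace_bits(observed, 5), 2), "bits")
    padded = pad_pin("2580", 6)   # constructed PIN, six decoys
    print(padded, is_subsequence("2580", padded))
```

For the comment's own sequence the attacker is left with 104 five-digit candidates (about 6.7 bits) instead of one. That is a real improvement but far below the 10^5 of an unknown five-digit PIN, so the padding is only worth much where the card is locked after a few wrong attempts; it does nothing against a skimmer that reads the PIN from the keypad rather than from a camera, and the keypad's fixed PIN length tells the attacker which subsequence length to try.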
Here in Australia there are some retailers where you insert the card and it uses the chip, some where you swipe the card, and others that have a slot which looks like you could use a chip but it doesn't work or isn't enabled, so you have to swipe. (My card has both a chip and a stripe.)
There are also retailers that support something called PayPass (MasterCard) or PayWave (Visa) for low-value transactions (less than $100 IIRC), where you just hold the card up to the reader and you don't need to enter a PIN at all.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.