Criminals Use 3D-Printed Skimming Devices On Sydney ATMs

AlbanX writes "A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture 'sophisticated' ATM skimming devices to fleece Sydney residents. One Romanian national has been charged by NSW Police. The state police found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000."
  • by norpy ( 1277318 ) on Friday August 16, 2013 @03:17AM (#44581071)

    It's about time that US banks caught up with the rest of the world and put chips on all their cards, then we can finally get rid of the magstripes.

    While chip&pin has its security flaws it's way better than the 20-year-old magnetic stripe system, in Australia and most of Europe the only reason they still put the stripes on cards is because the cards have to work when people travel to the US.
    It's been at least a year since I've seen a reader without chip support in Australia and the only time the magstripe is used is when the chip or contactless read fails.

  • Re:hmmmmm (Score:3, Informative)

    by Anonymous Coward on Friday August 16, 2013 @03:27AM (#44581115)

    People should not lose any money when their cards get skimmed... However, when you find out, and contact your bank, they will immediately block your card, meaning that your access to cash is a little more difficult. Also, it may take several days until you get your money back. It's not the end of the world, but it surely is inconvenient. And therefore, people are affected too.

  • by Anonymous Coward on Friday August 16, 2013 @10:03AM (#44583139)

    Firstly yes, there are working attacks. We know that the following attacks have been done by actual criminals, real bad guys, who obtained money or goods through fraud with the attack, some of whom are now in jail for it:

    - "YES cards". Fake chip clone cards which are programmed to tell the terminal that the PIN matched, then hand back a data block for the bank which says no PIN was used because the terminal authorised a signature instead. The bank gets the data, says "Huh, you authorised on a signature? OK" and the transaction goes through. (They can't send back a fake PIN block to the bank because the bank knows the true PIN and will see it was wrong). These were used very widely, banks are slowly, slowly, deploying a newer system that isn't fooled by this trick.

    - Fake/ modified terminals. The criminals either own the store, or they bribe the real owner to turn a blind eye as they modify the "tamper proof" terminals to retain the PIN so that it can be used later.

    In addition there are attacks that we know work (because researchers have done them, typically after telling the police and any affected retailers what they're going to do) but we cannot prove they've been used by criminals. If you like to believe that criminals are all stupid then maybe these attacks don't worry you:

    - UN guessing. The cryptographic nonce used in Chip and PIN is called the UN (Unpredictable Number). But banks trust terminals to make it actually unpredictable. Researchers have demonstrated that it's sometimes just a counter, or other simple predictable output value. The cryptographic security of the design rests on this nonce being unpredictable, by which its designers intended "random", but the acceptance tests just require it not to repeat within a few cycles. Uh-oh. It's hard to make random numbers reliably not repeat, try throwing a die twice in a row, sometimes you get the same number. But it's easy to make a counter, and that always passes the tests.

    Shifting the burden for fraud onto consumers is a problem /even if Chip and PIN was flawless/. The same UK investigators who found the UN guessing attack previously investigated a case where the customer's card and PIN were used and they said they'd never received the card or PIN. The bank wouldn't back down, it refused to believe that insiders had stolen the customer's details and redirected deliveries to take control of the account, and blamed the customer for everything. Right up until it presented its "proof" that the card was properly delivered. The proof was a courier photo (taken during delivery) of... the wrong address. "That's not my front door" said the customer. Suddenly realising that their house of cards was falling down, the bank changed its mind and offered compensation. Why did the customer need to fight this hard? The bank must have suspected from the outset that it had an internal fraud problem, so why try to get the customer to pay?
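
The "UN guessing" point in the comment above comes down to a weak acceptance test, shown here as an added example that is not part of the thread or of any real certification suite: a no-repeat-within-a-window check passes a plain counter, while a check on successive differences flags it. The function names, the window of 4, the 0.5 threshold and the sample sequences are all assumptions made for illustration; UN values are modelled as 32-bit integers.

```python
import secrets
from collections import Counter

MOD = 2 ** 32  # UN values modelled as 32-bit integers


def passes_no_repeat_test(uns, window=4):
    """Model of the weak test: no value may repeat within `window` outputs."""
    for i, value in enumerate(uns):
        if value in uns[max(0, i - window):i]:
            return False
    return True


def looks_predictable(uns, threshold=0.5):
    """Flag a sequence whose successive differences are dominated by one value.

    A counter (any fixed stride) yields the same difference every time;
    a sound random source almost never repeats a 32-bit difference.
    """
    diffs = [(b - a) % MOD for a, b in zip(uns, uns[1:])]
    if not diffs:
        return False
    _, count = Counter(diffs).most_common(1)[0]
    return count / len(diffs) >= threshold


def audit(uns):
    """Run both checks over a captured sequence of UN values."""
    return {
        "passes_no_repeat": passes_no_repeat_test(uns),
        "predictable": looks_predictable(uns),
    }


def counter_source(start, n, stride=1):
    """Constructed sample: a terminal that uses a counter as its UN."""
    return [(start + i * stride) % MOD for i in range(n)]


def random_source(n):
    """Constructed sample: a terminal drawing its UN from a CSPRNG."""
    return [secrets.randbits(32) for _ in range(n)]


if __name__ == "__main__":
    print("counter:", audit(counter_source(0x1000, 200)))
    print("strided:", audit(counter_source(7, 200, stride=0x01010101)))
    print("csprng: ", audit(random_source(200)))
```

Run against UN values logged from a terminal under test, a result of `passes_no_repeat: True` together with `predictable: True` is the failure mode the comment describes.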
