
Criminals Use 3D-Printed Skimming Devices On Sydney ATMs

AlbanX writes "A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture 'sophisticated' ATM skimming devices to fleece Sydney residents. One Romanian national has been charged by NSW Police. The state police found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000."
  • by geogob ( 569250 ) on Friday August 16, 2013 @03:27AM (#44581117)

    That they used a 3D printing device is hardly interesting news. That’s just more 3D printing hype. What I find fascinating with this story is that card skimming at ATMs still works, today, in 2013.

    It’s clearly a failure to implement the most basic security and authentication features, which are widely available today. How can it be that, today, one can still do any kind of transaction with only a card number and a PIN – if a PIN is needed at all (e.g. for online transactions)?

    They (the banks and/or credit card companies) try a lot of fancy things like nice holograms on ATM machines or abstruse authentication methods that fail to understand that a simple password is about as safe as the card number itself. This PIN skimming thing is the proof of that.

    It’s slowly getting better, with unique number generators for validation or unique numbers sent through SMS. But I hardly believe these solutions are optimal for the users. Perhaps this explains why their implementation is so amazingly slow – although I believe it is still better to have those than none at all.

  • by Camael ( 1048726 ) on Friday August 16, 2013 @03:30AM (#44581129)

    As you have pointed out, European 'Chip-and-PIN' Cash-Card Security has already been cracked by criminals [technewsdaily.com].

    And fair enough, generally cards with chips are still more secure than their magnetic counterparts.

    What I am more disturbed about is that, from the point of view of the consumer, it appears that in Europe at least the supposed security of the chip and PIN system has been (ab)used by banks to deny refunds to their defrauded clients.

    However, the chip and PIN system came under question in 2010, when researchers found that transactions could be executed without PINs.

    In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

    Bond asserted that banks are aware of the problem but routinely “stonewall” customers-turned-victims because their transaction records show that the PIN was used.

    From the POV of the consumer, I would not favor the use of this newer, more secure system if it shifts the burden of fraud on me with the excuse that "it's unhackable, you must have given them your PIN".

  • by Anonymous Coward on Friday August 16, 2013 @03:57AM (#44581229)

    Since we have a chip capable of basic crypto operations, why are we not simply using a 1-time pad stored on the chip itself to sign the transaction data? Just sign the transaction and add on the CardID+SeqNum; then you just have to store 10kb of true random on the card to use as the pad (or whatever amount of transaction attempts you expect the card to use during its validity window). Just kill the card when it exhausts its one-time pad.

    This system of challenge-response would even allow you to online shop without passing over card details.
    Just paste a transaction block into your web banking portal, it spits out a signature for you and you paste it back into the purchasing site.
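
An added example, not part of the comment above and not any card scheme's real protocol: one reading of the proposal, in which each transaction consumes a fresh pad slice as a one-time key and the issuer rejects any reused sequence number. The HMAC-SHA256 construction, the 32-byte slice size and the names `Card`, `Issuer` and `KEY_LEN` are assumptions; the comment specifies none of them.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes of pad consumed per transaction (assumed; not stated in the comment)


class Card:
    """Card side: holds the pad and a sequence counter (hypothetical model)."""

    def __init__(self, card_id: str, pad: bytes):
        self.card_id, self.pad, self.seq = card_id, pad, 0

    def sign(self, tx: bytes):
        start = self.seq * KEY_LEN
        if start + KEY_LEN > len(self.pad):
            raise RuntimeError("pad exhausted: card must be retired")
        key = self.pad[start:start + KEY_LEN]
        seq, self.seq = self.seq, self.seq + 1  # a slice is never used twice
        msg = self.card_id.encode() + seq.to_bytes(4, "big") + tx
        return self.card_id, seq, hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    """Bank side: keeps a copy of each card's pad and the slices already spent."""

    def __init__(self):
        self.pads, self.used = {}, {}

    def enroll(self, card_id: str, pad_len: int = 10 * 1024) -> Card:
        pad = os.urandom(pad_len)  # stand-in for the "true random" the comment asks for
        self.pads[card_id], self.used[card_id] = pad, set()
        return Card(card_id, pad)

    def verify(self, tx: bytes, card_id: str, seq: int, tag: bytes) -> bool:
        pad = self.pads.get(card_id)
        if pad is None or seq < 0 or (seq + 1) * KEY_LEN > len(pad):
            return False
        if seq in self.used[card_id]:
            return False  # replay of a previously accepted signature
        key = pad[seq * KEY_LEN:(seq + 1) * KEY_LEN]
        msg = card_id.encode() + seq.to_bytes(4, "big") + tx
        if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
            return False
        self.used[card_id].add(seq)  # burn the slice only after a valid signature
        return True
```

With these assumed sizes a 10 KB pad covers 320 transactions before the card has to be retired. The model also shows the scheme's dependency: the issuer holds a copy of every pad, and anyone who can read the pad off the chip can sign as the card.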

  • by fustakrakich ( 1673220 ) on Friday August 16, 2013 @03:59AM (#44581237) Journal

    Nonexistent when compared to Wall Street extortion and foreclosure fraud.

    $100,000 PFFT!
