Crooks Hack Music Players For ATM Skimmers

tsu doh nimh sends in a report that criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers. These are devices designed to be attached to cash machines to siphon card +PIN data. "The European ATM Security Team (EAST) found that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them 'major ATM deployers' (defined as having more than 40,000 ATMs)... The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37)."

Re:Been said before

[betterunixthanunix]

But we really need to do something about this whole security thing.

Why would banks care about that? Secure digital cash systems have been around for a very long time, but banks do not like the concept very much, probably because it would mean losing certain revenue streams. Credit card processors and banks sell spending data to marketing firms; secure digital cash generally makes that difficult or impossible, since digital cash allows for anonymous payments. Additionally, digital cash would make it hard for banks to do things like profit from debit card overdraft fees (although with the new regulations, perhaps this is less of a valid argument).

It is not that the technology is not there, it is that it solves the wrong problem.

Re:Been said before

[jelizondo]

I don't know about other countries, but at least in Mexico and the Cayman Islands, devices like the one you describe (RSA SecureID) are commonly used for online bank transactions.

It would seem trivial to extend the use to ATM and POS terminals, it would end this type of scam for good.

Zero-knowledge protocols

[Anonymous Coward]

http://en.wikipedia.org/wiki/Zero-knowledge_protocol

It's possible to make an authentication scheme which is completely immune to skimming attacks.

Re:re

[JohnVanVliet]

i replied to a starwars post as the 3d poster -- then the starwars post disappeared

Re:Ballpeen hammer

[Lumpy]

Dont even need to do that. Pull on the card slot housing, lift on the keypad,etc... , if it comes off, take it.

Dont turn it in, your fingerprints are all over it now. Plus these things go for big $$$ on ebay. $1500 for cheap ones.

Audio-based cards = low security

[petsounds]

I read the linked Phrack file (brought me back to my BBS days), interesting read. Here's the relevant passage. Note the bolded text:

Not all magstripe cards operate on a digital encoding method. SOME cards
encode AUDIO TONES, as opposed to digital data. These cards are usually
used with old, outdated, industrial-strength equipment where security is not an
issue and not a great deal of data need be encoded on the card. Some subway
passes are like this. They require only expiration data on the magstripe, and
a short series of varying frequencies and durations are enough. Frequencies
will vary with the speed of swiping, but RELATIVE frequencies will remain the
same (for instance, tone 1 is twice the freq. of tone 2, and .5 the freq of
tone 3, regardless of the original frequencies!). Grab an oscilloscope to
visualize the tones, and listen to them on your stereo. I haven't experimented
with these types of cards at all.

Only being used with outdated equipment where security isn't an issue? This was written in 1992! Assuming the format hasn't changed much on these new systems, why the hell are ATMs now(still?) using this format?

Re:Been said before

[tlhIngan]

I think you are underestimating your fellow man here my friend. In the UK we ditched the swipe only method a long while back in favour of chip and pin for everything. A small minority bitched, but just got on with it as the benefits are obvious enough for the minor inconvenience of having to remember four digits. If you added another small layer of security to the existing chip + pin method I suspect the public reaction would be largely the same - a minority will complain, but then everyone will just get on with business as usual. Just like how when they made wearing seatbelts mandatory there was an outcry, but now its just so natural people don't even think about it.

Have they fixed the idiotic security issue with chip+PIN yet? You know, the one where the chip verifies the PIN? I remember a story where it turns out during PIN verification, the chip sends the reader an "OK" value (0x90, I believe?) if the PIN is OK and the transaction goes through. No, the bank's not checking your PIN at all - it's all done on the card you have. Which means anyone who can clone it doesn't need a PIN.

Which is a huge problem because you're liable for any charges made via chip+PIN, fraudulent or not.

That's why banks took it up with great abandon - it costs them less , and screws the customer even more. All the other security devices? Costs banks and doesn't give them any benefit at all over the status quo. If only running a bank was easier - someone could clean house by making a more security-conscious bank, which looks out for their customer's interests...