Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Australia Technology

Criminals Use 3D-Printed Skimming Devices On Sydney ATMs 110

AlbanX writes "A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture 'sophisticated' ATM skimming devices to fleece Sydney residents. One Romanian national has been charged by NSW Police. The state police found one gang that had allegedly targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and nabbing around $100,000."
This discussion has been archived. No new comments can be posted.

Criminals Use 3D-Printed Skimming Devices On Sydney ATMs

Comments Filter:
  • not sure how this affected tens of thousands of people... seems like a stretch to me... it affected 5 bank employees and 1 insurance company...
    • Re: (Score:3, Informative)

      by Anonymous Coward

      People should not lose any money when their cards get skimmed... However, when you find out, and contact your bank, they will immediately block your card, meaning that your access to cash is a little more difficult. Also, it may take several days until you get your money back. It's not the end of the world, but it surely is inconvenient. And therefore, people are affected too.

  • by norpy ( 1277318 ) on Friday August 16, 2013 @02:17AM (#44581071)

    It's about time that US banks caught up with the rest of the world and put chips on all their cards, then we can finally get rid of the magstripes.

    While chip&pin has it's security flaws it's way better than the 20 year old magnetic stripe system, in Australia and most of Europe the only reason they still put the stripes on cards is because the cards have to work when people travel to the US.
    It's been at least a year since I've seen a reader without chip support in Australia and the only time the magstrip is used is when the chip or contactless read fails.

    • by Camael ( 1048726 ) on Friday August 16, 2013 @02:30AM (#44581129)

      As you have pointed out, European 'Chip-and-PIN' Cash-Card Security have already been cracked by criminals [technewsdaily.com].

      And fair enough, generally cards with chips are still more secure than their magnetic counterparts.

      What I am more disturbed about is, from the point of the consumer, it appears that in Europe at least the supposed security of the chip and pin system have been (ab)used by banks to deny refunds to their defrauded clients.

      However, the chip and PIN system came under question in 2010, when researchers found that transactions could be executed without PINs.

      In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

      Bond asserted that banks are aware of the problem but routinely “stonewall” customers-turned-victims because their transaction records show that the PIN was used.

      From the POV of the consumer, I would not favor the use of this newer, more secure system if it shifts the burden of fraud on me with the excuse that "it's unhackable, you must have given them your PIN".

      • by norpy ( 1277318 )

        I actually just realised that I do have a non-chip card; my American Express. Apparently my particular bank has chosen not to migrate those to chip cards yet, although Amex have done so on their directly issued ones.

        Of course since it's "American" Express i'm going to stand by my "it's America's fault" title.

      • by gl4ss ( 559668 )

        the copier is a bit harder to do for chips than for the magstripes. that is the point.

        for the record, I haven't heard of any actual working attacks on the chip/pin method, while the magnetic strip needs actually just the magnetic strip copied(having the pin just makes it easier to find a place to get the cash).

        and on to the story: 3d printed skimmers are not a new thing! they've been used before. it largely doesn't matter at all how the skimmer is made.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Firstly yes, there are working attacks. We know that the following attacks have been done by actual criminals, real bad guys, who obtained money or goods through fraud with the attack, some of whom are now in jail for it:

          - "YES cards". Fake chip clone cards which are programmed to tell the terminal that the PIN matched, then hand back a data block for the bank which says no PIN was used because the terminal authorised a signature instead. The bank gets the data data, says "Huh, you authorised on a signature

      • by jonwil ( 467024 )

        Here is an idea of how to make a chip-and-pin type technology that is secure:
        1.When the user inserts their chip enabled card into the card reader, the chip tells the reader to ask for the users PIN (under this system there would be no such thing as a chip-and-sign card, all cards would require the user to enter their PIN if the reader supports the technology)
        2.The card reader provides the merchant account number, payment amount and entered PIN to the chip on the card.
        3.The chip combines the merchant account

      • by Lennie ( 16154 )

        Don't worry, in the US the banks don't get the blame either, they shifted the blame to the shop owners.

    • The thing is fraud is just not making a dent in their finances to bother. Even with mag stripe the PIN is checked in real time with your bank for any non-trivial transaction, you could have any type of one-time-pass device for ATM transactions (or for purchases over let's say $100 or similar): paper, SMS, token, smartphone offline app, etc. You could have two cards, one without mag stripe. But no, that's just not possible. Even getting one card but without the mag stripe is not possible. I've been thinking

      • by khchung ( 462899 )

        The thing is fraud is just not making a dent in their finances to bother.

        Of course, those frauds (only called "Identity Theft" in the US) make dents only in their customers' finances, not the banks' own finances, why should the banks in the US bother?

      • Create to cards your self, cut the chip from the issued card and place on an other card. This leaves you with a magstrip card for bnckward atms.
        • This would be a nice idea, if I manage to do it cleanly. (I still want to pay with the card at the stores, in fact I'll be using the card that way mostly).
          I wouldn't be able to do it cleanly probably but I'm sure it is possible.

      • by cusco ( 717999 )
        Yes, killing the mag stripe is quite easy. Open the back of your speaker cabinet and rub the card on the back of the magnet on the woofer (even better if it's playing something with a lot of base). One of the reasons why a lot of facilities moved away from mag stripe cards, which cost about $0.25 each, to prox cards, at $1.50+ each, is because their facilities and maintenance people kept needing to have their cards re-encoded frequently when they were too close to large electric motors starting up. With
    • by HJED ( 1304957 )
      In Australia EFPOS cards don't have chip & pin, only cards such as Visa and mastercard. Most banks will issue you with an efpos card as well (or only an efpos card)
    • I don't think that is entirely true. The magnetic strip in my PIN card failed and it stopped working on other bank's ATMs. It continues to work fine with my bank's ATMs and in chip readers at retailers... But thanks for reminding me that I have to replace it before I go to the US : )

    • by khchung ( 462899 )

      It's about time that US banks caught up with the rest of the world and put chips on all their cards, then we can finally get rid of the magstripes.

      While chip&pin has it's security flaws it's way better than the 20 year old magnetic stripe system, in Australia and most of Europe the only reason they still put the stripes on cards is because the cards have to work when people travel to the US.
      It's been at least a year since I've seen a reader without chip support in Australia and the only time the magstrip is used is when the chip or contactless read fails.

      Part of the fault lies with your country's stores, or bank, or both. My credit card has chip and magstrip, at one time when a newb cashier tried to swipe the card through the magstrip reader (instead of correcting inserting the chip end to another slot to use the chip), the machine told her to use the chip instead, i.e. it refused to accept data from the magstrip for a card with chip.

      The only people at risk with a fake card with copied magstrip are people with cards that have no chip, i.e. America tourists

      • by cusco ( 717999 )
        No, cost. It's not consumers who get to decide what technology to use, it's the executives. When CityCorp can print mag stripe-only cards for $0.25 and chip cards cost >$2.50 the immediate executive decision is for mag stripe. Fraud and other issues aren't going to impact the end-of-year earnings payment that their bonus relies on while higher card costs will, and they'll have moved on to victimize another company by the time those costs become noticeable. Probably European and Australian bank execut
    • by Anonymous Coward

      In the Netherlands, most banks have disabled ATM transfers from outside the European union by default. Customers have to enable access before going outside EU by using their online bank account. This has reduced skimming with 80% (http://www.rtlnieuws.nl/nieuws/binnenland/skimmen-met-80-procent-gedaald (sorry, Dutch only)).

  • ATM security (Score:2, Offtopic)

    by Thanshin ( 1188877 )

    Sometimes it's funny how ATMs I see outside of my country (Spain) don't seem to have the security systems that they were forced to use here for problems like the one described in the article.

    I also find foreign paper currency to be unsafe, ID documents too easy to forge and store security to be amazingly weak.

    Sometimes I wish I lived in one of those countries where all that security isn't needed.

    • by AK Marc ( 707885 )

      Sometimes I wish I lived in one of those countries where all that security isn't needed.

      It's needed everywhere, it's just some are in greater denial about it.

  • I read stories like this that try to diss the use of "3D Printers" as if somehow banning the use of those devices is somehow going to stop criminals from engaging in acts like this. What utter nonsense.

    How many other stories about ATM skimmers emphasized any of the tools used to make the devices used to make their devices? Why such a strong emphasis on the 3D printing technology? It sounds like a cool buzz word, but means absolutely nothing other than an attempt to make something new sound frightening because the reporters and police officers involved don't have a clue about how the technology works.... therefore it must be some kind of dark magic that must be brought before the Inquisition and those involved banished to Hell (or some equivalent).

    While I don't mind seeing stories like this on Slashdot as it does talk about emerging technologies and their impact upon society as a whole, it still turns my stomach to see such awful reporting overemphasizing the manufacturing technology (it was the lead paragraph) instead of describing what people were doing first. Had the technology being used been mentioned much further into the article, I think it would have been much more appropriate.

    • Yep, same old scare tactics...

      "If you electrify homes you will make women and children and vulnerable. Predators will be able to tell if they are home because the light will be on, and you will be able to see them. So electricity is going to make women vulnerable. Oh and children will be visible too and it will be predators, who seem to be lurking everywhere, who will attack."

      “Women’s bodies were not designed to go at 50 miles an hour. Our uteruses would fly out of our bodies as they were accelerated to that speed [on trains].”

      Automobiles, Telegraphs, Telephones, Recorded Music, Radio, TV, MTV, Video Games, Internet, Cellphones, 3D printers, RFID, NFC, etc... Near any new technology you'll find unfounded fear drummed up around it. There is a primal fear of unknown that the unscrupulous exploit for popularity. Not even old technology is safe from the fear mongering media mavens: "After this break from our sponsors: Find out what's probably lurking under your sink that could kill you."

      When faced with what they do not understand the primitive minded are easily frightened, the futurists eagerly excited, and the practical remain predictably skeptical.

      It's sad really. Your "greatest" thinkers in science and philosophy alike shun their feelings. Those primal communications your ancestors scream wordlessly within your mind are ridiculously ignored, at great risk. This valuable primitive mode of thought was proved by evolution to be rational in general, yet is deemed "irrational". In so doing they discourage people from thinking with their whole minds, and thus they become more susceptible targets to the biases of the ancient ones.

      So, while one ignorant group is too strongly swayed by their emotions, the other group ignores their instincts completely in the name of rationality and is thus just as ignorant, literally. Don't you see that reasoning with only half a head is dangerous?! I cultivate my "irrational" feelings, I use them as a faster but less accurate logic unit. I let my subconscious quickly analyze situations and then converse with my wise but unlearned ancient ancestors about the dangers and desires we have. When reasoning with others I reach back through the millennnia and consider the subtexts as they would appear to language-less apes. I'm thus able to more effectively communicate my meanings at multiple levels.

      Do not so quickly discount the power of a message that wields both logical and primitive persuasions. This is a skill infamously used to sway weak minds by politicians and the media for centuries. This is a technique best learned sooner than later at the point of a pitchfork. While "insightful" folks like you scoff at the story and think them fools for pandering to the populous' fear in the name of greed, I credit them for doing so. If you want to scoff, then scoff at those so-called "great" rational minds who can not do the very same in the name of good... disgusting.

      To shrug off the subtext and not heed and hone the subconscious murmurs of your mind is to foolishly disrespect every single elder your lineage has ever had.
      And you call yourselves evolved?! You're barely even aware. Humans, ugh, how primitive!

      • However, there is still the question: is technology really improving our lives?

        You might want to read this:

        There is, though, one group of Americans that is imperturbably sunny: the Amish. Their depression rates are negligibly low relative to the rest of societys. Their happiness levels are consistently high. The Pennsylvania Amish, when asked how much they agree with the statement: You are satisfied with your life (using a scale of 1 to 10), turn out to be as happy as the members of the Forbes 400. The Amish, though, do without most of what we think of as modern technology. They don’t rely on the automobile, don’t need the Internet, and seem to prefer stability and permanence to the heady growth that propels innovation and the U.S. economy. The comparison is a little facile (the Amish have a lot of other characteristics that make people cheerful, including strong community ties, stable families, and religious faith). But it suggests an interesting question: is it possible that technology, instead of liberating us, is holding us back? Is technological progress merely a treadmill, and if so, would we be happier if we stepped off of it?

        Taken from: http://www.technologyreview.com/review/403558/technology-and-happiness/ [technologyreview.com]

        • by swb ( 14022 )

          Well, there's a postcard version of the Amish in their button-free clothes, hand-making all their stuff and living bucolic lives.

          And then there's the real world version of the Amish, where young people smoke, drink, and drive cars before they become full members of the church, the internecine religious conflicts involving sects, beard cutting, etc.

          I'm pretty sure that despite the awesome appearance of tech-free Amish life, there's a lot of psychological stress maintaining such an existence in the face of th

      • by asylumx ( 881307 )
        Please cite where your quotes are from.
    • by Anonymous Coward

      3d printing and the copyrights of physical items are going to be the next 'war on piracy' type thing.

      "You wouldn't pirate your neighbors BMW would you?" That sort of thing. Because soon you will be able to pirate your neighbors plastic trinkets at least to start with...

      So we have to start NOW to drum up grass roots hatred for 3d printers and those evil design pirate criminal scum.

      Expect these negative type storys that throw 3d printing under the bus to continue for decades. We must stop those evil cr

  • by geogob ( 569250 ) on Friday August 16, 2013 @02:27AM (#44581117)

    That they used 3D printing device, is hardly interesting news. That’s just more 3D printing hype. What I find fascinating with this story, is that card skimming at ATM still works, today, in 2013.

    It’s clearly a failure to implement the most basic security and authentication features, which are widely available today. How can it be that, today, one can still do any kind of transaction with only a card number and a pin – if a pin is needed at all (eg. For online transactions).

    They (the banks and/or credit card companies) try a lot of fancy things like nice holograms on ATM machines or abstruse authentication methods that fail to understand that a simple password is about as safe as the card number itself. This PIN skimming thing is the proof of that.

    It’s slowly getting better, with unique number generators for validation or unique numbers sent through SMS. But I hardly believe these solutions are optimal for the users. Perhaps this explains why their implementation is so amazing slow – although I believe it still better to have those as none at all.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Since we have a chip capable of basic crypto operations why are we not simply using a 1-time pad stored on the chip itself to sign the transaction data, just sign the transaction and add on the CardID+SeqNum then you just have to store 10kb of true random on the card to use as the pad (or whatever amount of transaction attempts you expect the card to use during it's validity window). Just kill the card when it exhausts it's one-time pad.

      This system of challenge-response would even allow you to online shop w

    • Yes, exactly. RSA-based public key cryptography has been around for 36 FUCKING YEARS! Why don't the banks use it already?! All it takes is to store your private key on the card so that it cannot be read from the outside unless you rip the chip out of the card and have the card itself sign transactions when you enter your PIN.
    • by cusco ( 717999 )
      Banks are run by bankers, possibly the only people on the planet who are cheaper than doctors or lawyers. Just look at all the cracks of bank web sites over the last couple of years, and the utter simplicity of most of them (replace your account number in the browser address bar, for example). This is symptomatic of a culture where the low bid is the turning point for deciding the acceptance of a product or service, not competency, security or track record, just price.
    • These aren't used to skim the PINs usually, they're used to get the card number, while a camera or someone with binoculars will pick up the PIN. This scheme would work with some types of chip and pin as well, as it's easy to be a man-in-the-middle attack if you can monitor the signals.

      Another scam is to make note of someone's PIN from a distance at a gasoline station, then walk to the attendant a few minutes later and claim that you forgot to get a receipt and ask for it. A lot of places will still includ

  • in an elephant's world.

  • Newsflash
    Criminals use 2D printers to create 'sophisticated' forged documents. Ban evil 2D printers!!!

  • by Anonymous Coward

    WTFC's? Criminals have used lathes, presses, drills, hammers, laptops, PC's, all sorts of tools in the past! So, they use another tool, in this case the dastardly 3D Printer! OOOHH! Who really cares???

    Some authors at /. absolutely cream themselves at the mere mention of a 3D Printer. Get over it already. They've been around awhile. Why the recent interest? Yeah, what I thought, a corporate sales scheme has infiltrated /. once again.

    3D Printer! 3D Printer! 3D Printer! 3D Printer! 3D Printer! The

  • ATMs ought to display a picture of what they are 'supposed' to look like. Might help fight the assholes with the skimmers.

  • Many companies send their occasional oversized get through for a print copy shop. But if you frequently blue, over two meters wide print banners or other documents, to invest in a wide format printer or trace elements can be good choice, these machines can print in color or black and white, on a variety of materials, in wide 24”60” or more. There are two large markets for large-format plotter. First is the architecture, engineering and construction, already long projects and other technical doc

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...