
To Secure ATM Transactions: Ditch the Card (securityledger.com) 184

chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple of different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity-based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, it's worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.
  • by Anonymous Coward on Wednesday February 24, 2016 @05:44AM (#51573763)

    You can't skim a chip. Well, not with something that you can disguise on an ATM.

    • by fraxinus-tree ( 717851 ) on Wednesday February 24, 2016 @05:58AM (#51573795)
      You are from Europe, right? US still use mostly the strip. And while the chip is good, it only offers protection from skimming. Other vectors (theft, burglary and the like) still exist.
      • by slashping ( 2674483 ) on Wednesday February 24, 2016 @06:14AM (#51573831)

        US still use mostly the strip

        But the article is talking about upgrading the ATM to do a barium analysis on the cards. That seems idiotic if you can also upgrade it with a chip reader which is standard, and much more reliable.

        • In the US, the new chip thing that rolled out has been met with... issues. I've been declined at least three times now, they had to manually put my card in. One place it hung the entire system, and they had to call their payment vendor who rebooted it, and told them to swipe until told otherwise. That is about after 12 times of having to slide it in. The chip also looks like it's halfway worn off the card already. It simply takes too long to use as well, you can't just stick the card in and out and be on your

          • LOL. I have a chip card for a few years now, and never had problems. In fact, the only time there's an issue is when a vending machine doesn't accept the chip and tries to read the magstrip (which is severely damaged on my card) instead. In your case, I don't think you'd have better luck if the ATM was trying to do a finely tuned analysis of the barium signature in the magstrip.
      • Canada has had chips on the bank cards for quite a while too. Not as long as Europe but probably around a decade.

        • Canada is European in a lot of senses, anyway.
        • by gmack ( 197796 )

          American cards have chips but it's chip + signature and they don't use it. Last summer my friend came to visit me in Canada and I had to explain to him how to use the chip portion of his card,

          • Comment removed based on user account deletion
            • It's more polite to leave the tip in cash, unless you're tipping at least 25%.
              • by swb ( 14022 )

                Who does this? The reason I pay a $250 dinner tab with a credit card is so I don't have to carry much cash with me, a $50 tip is nearly as bad from a carrying cash perspective.

                The whole social construct of tipping aside, I always wonder about tip fraud. It's just too easy to cheat on tips when they get manually entered into the credit processing system. You'd have to be supremely detail oriented to track the meal cost + tip as it shows up on your credit card. I think amex might detail it, but it's not h

                • by gmack ( 197796 )

                  This is why I prefer the chip and pin terminals that ask you to input the tip. Some of the newer ones allow you to enter an amount or a percentage.

                  • by swb ( 14022 )

                    I have a hard time seeing this being adopted in the US, so long as we don't use the pin.

                    I seem to remember eating at a restaurant where the servers used iPads for order taking and they had Square-style card readers to do the charges, but it was a pretty casual, small place so for all I know it WAS Square they were using.

                • Who does this [tip in cash]? ............ a $50 tip is nearly as bad from a carrying cash perspective.

                  You give $50 tips? Must be a very wealthy man.

                  The reason for tipping in cash is so that the particular waiter gets it. If you tip with a credit card, you don't know that the restaurant owner might get it. Is it really that hard to carry some coins for a tip? (Oh, forgot, the USA does not have any coin worth more than a peanut).

                  • by swb ( 14022 )

                    $50 is 20% on a $250 tab.

                    Since there's no rule book on tipping, I kind of follow my own.

                    In any low-end table service place, I figure the person working there isn't making much money to begin with, so if the service was good, I tip 20%.

                    At a higher end place, I will adjust the percentage down closer to 15% by default unless the server provided extraordinary service, especially if there are only two people being served because there's just not enough service taking place to warrant that much add on. In larger

                  • Tips are usually based on the food price, so they go way up in really expensive restaurants. There's a lot of social and legal structure in the US built around the tip as a percentage of the bill. Also, if I can afford an occasional $250 restaurant bill, I can afford a slightly more occasional $300 one, despite not being "very wealthy" (I'm well-off, but not wealthy).

                    There are differences between tipping in cash and putting it on the card, and I don't see one as necessarily superior to the other. If I

            • Our credit cards have the EMV chip now, but most of the stores whose POS terminals have an EMV slot are not using it. It's an even more confusing maze than before.

            • The signature is supposed to be important. It makes the transaction somewhat legal and a way to detect fraud or mistakes (find a mistake on your monthly bill you can complain to the restaurant and ask them to find your signature, though these days it's easier to just dispute charges with the credit card issuer).

              Personally I have little problem with cash. People hate it because they want everything to be electronic, thus it's more cool.

        • Canada has had chips on the bank cards for quite a while too.

          America has also had them for quite a while, we just don't actually use them. When we do use them, we do chip+signature instead of chip+PIN, so we get all the hassle of using a chip, with none of the benefits!!!

          • I don't even know what my PIN is with my card. It was assigned to me a couple decades ago and I've never needed it on a credit card. I got a reissued card a couple years with a chip but it did not come with any separate mail telling me what my PIN was...

      • EMV isn't a European thing, even though that's where deployment first started. EMV is an "everywhere but the USA" thing.

        The bizarre insistence of American financial providers on trying everything except just rolling out EMV is really amazing. At some point I start to wonder if it's a subtle form of protectionism.

      • God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!
        • God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!

          Apparently not. Kind of embarrassing when the only other countries that don't use metric are Liberia and Myanmar.

          It's a form of protectionism, since things like 4 liters of milk are not the same as a gallon, so exporting to the US requires different, non-standard sizes.

          • We should just ship things to the US in same size as everywhere else, but with ugly sizes printed on the container.
          • Technically we're still supposed to be migrating to metric, as I think that law is still on the books. The snag is that Reagan stopped funding some of the programs. Everyone learns metric in school though, all science here is done in metric, even the UK (technically a part of Europe if you squint) still uses miles, etc. We are not ignorant troglodytes even though it's the current elitist fashion in Europe to laugh at everything in America.

            (seriously, they're going to put up a wall Europe to keep out immi

      • Chips have been rolling out pretty aggressively in the USA over the past few months from all institutions, major banks to local credit unions. Stores may still be using the mag stripe to authorize, but it means they are accepting the liability for fraudulent transactions.
      • Canada moved to chip and pin long ago. Last I looked, we're not in Europe. And without the pin, it can't be used. 3 wrong tries and it's killed.
      • The chip and pin system can and has been hacked. Use cash when you can.

    • A suitably strong encryption would be enough to prevent skimming attacks, even assuming that the perps could insert a man in the middle.
    • by Z00L00K ( 682162 )

      You can skim them, but it's a lot harder than the magnetic strip.

    • by Salgak1 ( 20136 )
      I've only recently started getting Chipped cards, and in any case not all merchants have enabled their readers to use chip-based cards.

      Reports I've seen combined blaming the Christmas shopping season (i.e. don't slow down the cash flow), engineering issues, and MasterCard and Visa reportedly being late in publishing at least SOME of the documentation.

      http://www.nbcnews.com/busines... [nbcnews.com]

  • chip ? (Score:5, Interesting)

    by slashping ( 2674483 ) on Wednesday February 24, 2016 @05:45AM (#51573771)
    Why not use a chip card instead ?
    • Re:chip ? (Score:5, Funny)

      by Alumoi ( 1321661 ) on Wednesday February 24, 2016 @05:57AM (#51573793)

      I'd say go one step forward: tattoo a barcode on everyone's forehead AND a chip inside the head.
      Forget the ATMs, think of the possibilities: easy tracking, no more anonymity in public, oh, the options are unlimited.
      No more muggings as it's quite hard to carry 2-3 severed heads with you.

      • You don't think the tattoo is easily duplicated ?
        • by Alumoi ( 1321661 )

          Note the AND between tattoo and chip. You must have them both in order to work. It's not called 2 factor authentication for nothing.

          • That would never fly in 'Merica, because the bible belt folks would then bray about the mark of the beast and the Book of Revelation.

            • Well, they'd be correct, wouldn't they? "And he causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name."
            • Yet, they all willingly carry a cell phone.

              The " Mark of the Beast " is easily the Mac address or ipv6 address of your phone. :|

      • Re:chip ? (Score:4, Interesting)

        by Nyder ( 754090 ) on Wednesday February 24, 2016 @09:14AM (#51574499) Journal

        I'd say go one step forward: tattoo a barcode on everyone's forehead AND a chip inside the head.
        Forget the ATMs, think of the possibilities: easy tracking, no more anonymity in public, oh, the options are unlimited.
        No more muggings as it's quite hard to carry 2-3 severed heads with you.

        Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.

      • I'd say go one step forward: tattoo a barcode on everyone's forehead AND a chip inside the head. Forget the ATMs, think of the possibilities: easy tracking, no more anonymity in public, oh, the options are unlimited. No more muggings as it's quite hard to carry 2-3 severed heads with you.

        Joe Pesci would like a word with you. [wikipedia.org] "Only 3? What a piker. Try 8."

    • Because you can't use fancy sounding science to scam investors who don't realise Chip+Pin is the solution to replay attacks.

    • by AmiMoJo ( 196126 )

      Chips aren't all that great for security... Better than mag strips, but far from perfect as anyone living in a country with the chip+PIN system will tell you. In fact in some ways it's worse, because when first introduced in the UK the banks tried to blame all fraud on the customer because the system was supposed to be immune to fraud.

      Phone is a pretty good option. You need the phone and you need a way to unlock it (fingerprint, PIN or 97 character password if you prefer). That's already at least as good as

      • anyone living in a country with the chip+PIN system will tell you

        I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect, but at least they can be made to prevent skimming, which is what the article is about. And it's a much better solution than chemical analysis of the mag strip.

        Phone is a pretty good option. You need the phone and you need a way to unlock it

        Except that not everybody has a (smart) phone. Also, it's easy to see what PIN people use when you sit next to them, or guess it from the fingerprints they've left on the touch screen. Or you can just wait for them to unlock the phone and then grab it out of t

        • by AmiMoJo ( 196126 )

          far from perfect as anyone living in a country with the chip+PIN system will tell you

          I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect

          Uh...

          • Why even respond if you can only grunt ? The chip+pin cards are a lot better than the magstripe cards, and the remaining problems can be solved without having to introduce radical new technology. They just need an upgrade to the protocol to remove the flaws.

      • Phone is a pretty good option. You need the phone and you need a way to unlock it

        And you need a power bank in case it gets run down and you need a backup phone in case it fails. What is needed is an end to the race to the bottom, so that employers are hiring people smart and scrupulous enough to check for credit card fraud instead of engaging in it.

        • by AmiMoJo ( 196126 )

          Millions of people use their phones for payment already, not bothering to carry backup phones/cards/batteries etc. It's been working well for over a decade. Maybe your problem is you buy crap phones where the battery doesn't last three days on a charge.

    • Because it's not a perfect solution either. Chips are feel good solutions though, let the customer think that they have security.

  • You guys at that side of the pond still use magnetic strips?

    Just use standard PKI. It's secure, it's easy and it's standard.

    Create a key pair for each customer. The private key is protected by a pass phrase (also known as a PIN code). Distribute the key pairs along with the bank's public key on a chip which does the encryption/signing.

    Now go to the ATM or POS. Enter the card with the chip. Unlock the private key with the PIN. Let the card encrypt a message to the bank using the bank's public key and signed
    • Canadian here - we've been using Chip since at least 2008/2009. USA is still stuck in their old ways. I assume they'll start using chip when they start using the metric system.
  • There is no way in hell I'm having biometric identification for anything. I'm not about to have my fingers cut off or eyeball pulled out so some crook can make off with my stuff.

    http://www.theregister.co.uk/2... [theregister.co.uk]

    Damn fool idea and probably being pushed more for the use of such data to build a huge database by ye olde 3 letter agencies than for any "security" reasons..

    • Not to mention that you can't revoke more than two retinas in the key repository, or that you can't get your money when you desperately need to pay for retinal detachment surgery.

  • by Macfox ( 50100 ) on Wednesday February 24, 2016 @08:28AM (#51574271)
    All this is pretty much available today outside the USA. Mobile or web App generates code. Anyone with the code and the value can visit the participating ATM and withdraw the cash within a few hours. The app even gives you the option to SMS the code. Same apps even support NFC, so the phone acts as the card.

    The majority of the big banks in Australia have been offering these facilities or similar for 2+ years

    Given the popularity of the Magstripe in the US, even after all these years, any advancement seems revolutionary I guess. One would think a possible reduction in fraud would drive even modest initiatives, like Chip+PIN adoption.

    • I would not trust a phone to handle anything to do with money, ever. When I see a vendor with an iPad with a credit card reader, I pull out cash instead and use that.

  • It'll be a cold day in hell before I willingly give my biometrics to my bank, my government, or a private agency. For one thing, I can't change them if they get stolen.

    Secure payments is a very solvable problem. The only reason it hasn't been solved yet is the reliance on old technology and infrastructure. The two primary problems are a lack of instance validation, and static card information.

    Here's one answer:

    Bank issues card with a chip. The chip has the bank's public key and a unique priva
    • As you say the network is often down or not present. The nonces don't help because the stores themselves are not to be trusted. Stores have hacked the chip+pin systems and skimmed from customers. So nothing has really changed here: in the past the banks have accepted a certain percentage of loss from fraud credit cards, and today the banks accept a certain percentage of loss from chip+pin. You're also assuming, possibly naively, that the crypto systems are written to the highest level of security possi
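
The scheme sketched in the two comments above (a per-card key pair unlocked by a PIN, and a bank nonce per transaction), as an added example that is not part of any poster's comment: it contrasts static stripe data, which any recorded copy satisfies, with a signature over a single-use nonce. The class names, card id, PIN, track string and the choice of Ed25519 are assumptions made for the illustration.

```javascript
// Added example: static card data vs. a signed single-use challenge. All values are constructed.
const nodeCrypto = require('node:crypto');

// Bytes that get signed: card id, amount and the bank's one-time nonce.
function txMessage(cardId, nonce, amountCents) {
  return Buffer.from(JSON.stringify({ cardId, amountCents, nonce: nonce.toString('hex') }));
}

// Chip model: the private key is generated on the card and never exported.
class ChipCard {
  #privateKey; #pin; #triesLeft = 3;
  constructor(cardId, pin) {
    const pair = nodeCrypto.generateKeyPairSync('ed25519');
    this.cardId = cardId;
    this.publicKey = pair.publicKey;
    this.#privateKey = pair.privateKey;
    this.#pin = pin;
  }
  // Returns a signature, or null when the PIN is wrong or three wrong PINs blocked the card.
  sign(pin, nonce, amountCents) {
    if (this.#triesLeft === 0) return null;
    if (pin !== this.#pin) { this.#triesLeft -= 1; return null; }
    this.#triesLeft = 3;
    return nodeCrypto.sign(null, txMessage(this.cardId, nonce, amountCents), this.#privateKey);
  }
}

class Bank {
  constructor() { this.publicKeys = new Map(); this.openNonces = new Map(); }
  enroll(card) { this.publicKeys.set(card.cardId, card.publicKey); }
  challenge(cardId) {
    const nonce = nodeCrypto.randomBytes(16);
    this.openNonces.set(nonce.toString('hex'), cardId);
    return nonce;
  }
  authorize(cardId, nonce, amountCents, signature) {
    const key = nonce.toString('hex');
    if (this.openNonces.get(key) !== cardId) return false; // unknown or already spent
    this.openNonces.delete(key);                           // a nonce is single-use
    const publicKey = this.publicKeys.get(cardId);
    if (!publicKey || !signature) return false;
    return nodeCrypto.verify(null, txMessage(cardId, nonce, amountCents), publicKey, signature);
  }
  // Magstripe-style check for contrast: presented bytes only have to match the record.
  authorizeStatic(recordedTrack, presentedTrack) { return recordedTrack === presentedTrack; }
}

function demo() {
  const bank = new Bank();
  const card = new ChipCard('card-0001', '4821');
  bank.enroll(card);
  const track = 'CONSTRUCTED-TRACK-DATA-0001'; // static stripe contents
  const skimmedCopy = String(track);           // a recorded copy is byte-identical
  const n1 = bank.challenge(card.cardId);
  const sig1 = card.sign('4821', n1, 2000);
  const n2 = bank.challenge(card.cardId);
  return {
    staticReplay: bank.authorizeStatic(track, skimmedCopy),            // copy is accepted
    freshSignature: bank.authorize(card.cardId, n1, 2000, sig1),       // genuine transaction
    sameNonceAgain: bank.authorize(card.cardId, n1, 2000, sig1),       // replay, nonce spent
    oldSignatureNewNonce: bank.authorize(card.cardId, n2, 2000, sig1), // replay, wrong nonce
    wrongPin: card.sign('0000', bank.challenge(card.cardId), 2000),    // card refuses to sign
  };
}
```

The model covers replay of recorded data only; a terminal that alters the transaction before the card signs it, the concern raised in the reply, is outside what it shows.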

  • You give money to ATM.
  • While chips have been standard in Europe for some time, I'm starting to see more and more US businesses starting to use the chip in cards over the past 6 months, especially drug stores.

    It is interesting though that many people do not have a PIN associated with these chip cards in the US, so it is still "authenticated" with a signature.

  • Get rid of the card

    What if I don't have and don't want a smartphone?

    Also, hasn't it occurred to anyone that this will actually make a 'cyber'-based attack easier?

    Here's a better idea: How about you train banking personnel to be proficient at inspecting automatic teller machines for card skimmers and other physical exploits, and have them do it every time they service or reload the machine? In other words: How about better security? Also, how about multi-factor authentication at ATM machines?

    Come on, people; every other day

  • I trust my debit card far more than I trust a mobile software application to interface with my financial accounts.

    Under no circumstances will I use a mobile platform ( regardless of vendor, MS / Google, Apple ) to access my bank accounts.

    Financial transaction alerts are pushed to the phone based on triggers I have set up, but I would never use a smartphone platform to log into nor perform a financial transaction.

  • Great idea, but not with that company.
