To Secure ATM Transactions: Ditch the Card (securityledger.com)
chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, it's worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.
Who is still using mag stripes on ATM cards? (Score:3, Insightful)
You can't skim a chip. Well, not with something that you can disguise on an ATM.
Re:Who is still using mag stripes on ATM cards? (Score:5, Informative)
Re:Who is still using mag stripes on ATM cards? (Score:5, Insightful)
US still use mostly the strip
But the article is talking about upgrading the ATM to do a barium analysis on the cards. That seems idiotic if you can also upgrade it with a chip reader which is standard, and much more reliable.
Re: (Score:2)
In the US, the new chip thing that rolled out has been met with..issues. I've been declined at least three times now, they had to manually put my card in. One place it hung the entire system, and they had to call their payment vendor who rebooted it, and told them to swipe until told otherwise. That is about after 12 times of having to slide it in. The chip also looks like it's halfway worn off the card already. It simply takes too long to use as well, you can't just stick the card in and out and be on your
Re: (Score:3)
Canada has had chips on the bank cards for quite a while too. Not as long as Europe but probably around a decade.
Re: (Score:3, Insightful)
So are Botswana, Mozambique, Zambia, and Uganda. You don't see many people suggesting they act like European countries because of it, though.
Having spent a lot of time in the UK, the only resemblances to it that Canada has that I can think of are we still have a Queen (though she can no longer make laws here), kept some British spellings, and that's pretty much it. Canadian grocery stores (that aren't bottom tier) bag stuff for you, we mostly have intersections with lights (not roundabouts), police carry
Re: (Score:2)
For the purpose of this discussion Canada could be considered more European because they don't seem to be as opposed to change as the US. (Although I have never been to Canada). They use the metric system, (although not really European but every other country in the world except (Burma, Liberia, USA)). They have dropped their 1 cent coin, they their 1 and 2 dollar note a coin. When I visited the US, it amazed me how many places seemed not to accept EFTPOS, for what considered the most technologically advanced
Re: (Score:2)
Part of the US bag groceries for you, and much of Europe will not bag groceries and think you're some sort of elitist by wanting such service. There are some European countries with high gun ownership. The stop light and stop sign are extremely common in mainland Europe.
I think there's a disconnect in assuming that the UK is a typical European country.
Re: (Score:2)
American cards have chips but it's chip + signature and they don't use it. Last summer my friend came to visit me in Canada and I had to explain to him how to use the chip portion of his card,
Re: (Score:2)
Who does this? The reason I pay a $250 dinner tab with a credit card is so I don't have to carry much cash with me, a $50 tip is nearly as bad from a carrying cash perspective.
The whole social construct of tipping aside, I always wonder about tip fraud. It's just too easy to cheat on tips when they get manually entered into the credit processing system. You'd have to be supremely detail oriented to track the meal cost + tip as it shows up on your credit card. I think amex might detail it, but it's not h
Re: (Score:2)
This is why I prefer the chip and pin terminals that ask you to input the tip. Some of the newer ones allow you to enter an amount or a percentage.
Re: (Score:2)
I have a hard time seeing this being adopted in the US, so long as we don't use the pin.
I seem to remember eating at a restaurant where the servers used iPads for order taking and they had Square-style card readers to do the charges, but it was a pretty casual, small place so for all I know it WAS Square they were using.
Re: (Score:2)
Who does this [tip in cash]? ............ a $50 tip is nearly as bad from a carrying cash perspective.
You give $50 tips? Must be a very wealthy man.
The reason for tipping in cash is so that the particular waiter gets it. If you tip with a credit card, you don't know that the restaurant owner might get it. Is it really that hard to carry some coins for a tip? (Oh, forgot, the USA does not have any coin worth more than a peanut).
Re: (Score:2)
$50 is 20% on a $250 tab.
Since there's no rule book on tipping, I kind of follow my own.
In any low-end table service place, I figure the person working there isn't making much money to begin with, so if the service was good, I tip 20%.
At a higher end place, I will adjust the percentage down closer to 15% by default unless the server provided extraordinary service, especially if there are only two people being served because there's just not enough service taking place to warrant that much add on. In larger
Re: (Score:2)
Tips are usually based on the food price, so they go way up in really expensive restaurants. There's a lot of social and legal structure in the US built around the tip as a percentage of the bill. Also, if I can afford an occasional $250 restaurant bill, I can afford a slightly more occasional $300 one, despite not being "very wealthy" (I'm well-off, but not wealthy).
There are differences between tipping in cash and putting it on the card, and I don't see one as necessarily superior to the other. If I
Re: (Score:2)
Our credit cards have the EMV chip now, but most of the stores whose POS terminals have an EMV slot are not using it. It's an even more confusing maze than before.
Re: (Score:2)
The signature is supposed to be important. It makes the transaction somewhat legal and a way to detect fraud or mistakes (find a mistake on your monthly bill you can complain to the restaurant and ask them to find your signature, though these days it's easier to just dispute charges with the credit card issuer).
Personally I have little problem with cash. People hate it because they want everything to be electronic, thus it's more cool.
Re: (Score:2)
Canada has had chips on the bank cards for quite a while too.
America has also had them for quite a while, we just don't actually use them. When we do use them, we do chip+signature instead of chip+PIN, so we get all the hassle of using a chip, with none of the benefits!!!
Re: (Score:2)
I don't even know what my PIN is with my card. It was assigned to me a couple decades ago and I've never needed it on a credit card. I got a reissued card a couple years with a chip but it did not come with any separate mail telling me what my PIN was...
Re: (Score:2)
The reason for chip/signature is that it is believed customers will not remember their PIN and won't be able to use a chip/pin card.
That is silly. People use PINs all the time with debit cards. An interim solution would be to allow individuals to enable/disable PINs on their account. I would certainly enable it, for the extra security. My PIN is my wife's birthday, so I have plenty of incentive to not forget it.
Re: (Score:2)
That is silly. People use PINs all the time with debit cards.... My PIN is my wife's birthday, so I have plenty of incentive to not forget it.
It certainly is silly; so silly that I wonder if you are not allowed in the US to change the PIN to something easier to remember. The date idea, being four digits, is a good one. I might use dates of battles; a pickpocket, or even someone who knows me, is hardly likely to derive it because (1) He won't know that I use dates of battles and (2) Even if he did he won't know which battle.
So my HSBC card might be the Battle of Blenheim, and my Lloyds card the Battle of Borodino. Actually, they are not.
Re: (Score:2)
EMV isn't a European thing, even though that's where deployment first started. EMV is an "everywhere but the USA" thing.
The bizarre insistence of American financial providers on trying everything except just rolling out EMV is really amazing. At some point I start to wonder if it's a subtle form of protectionism.
Re: (Score:2)
God damn USA! Get with the times. Still using Imperial, still using mag stripes... Your neighbours to the north are disappointed in you. You guys are better than this!
Apparently not. Kind of embarrassing when the only other countries that don't use metric are Liberia and Myanmar.
It's a form of protectionism, since things like 4 liters of milk are not the same as a gallon, so exporting to the US requires different, non-standard sizes.
Re: (Score:2)
Technically we're still supposed to be migrating to metric, as I think that law is still on the books. The snag is that Reagan stopped funding some of the programs. Everyone learns metric in school though, all science here is done in metric, even the UK (technically a part of Europe if you squint) still uses miles, etc. We are not ignorant troglodytes even though it's the current elitist fashion in Europe to laugh at everything in America.
(seriously, they're going to put up a wall Europe to keep out immi
Re: (Score:2)
I've only done it once, and it was at my optometrist and only a few months ago. Nowhere else did it, not even Target which was the damn store with the break in (unrelated to magnetic stripes) that encouraged banks to start re-issuing cards with chips.
Re: (Score:2)
The chip and pin system can and has been hacked. Use cash when you can.
Re: Who is still using mag stripes on ATM cards? (Score:2)
Re:Who is still using mag stripes on ATM cards? (Score:5, Informative)
Not sure how theft, burglary, etc are a problem if you do not write down your pin?
Common method is to look over victims' shoulder when the PIN is used in a legitimate transaction. Often at supermarkets: just think about how 'hard' it is to see what PIN a customer in front of you enters on the keypad.
Then card is stolen / pickpocketed to be used immediately with the just-obtained PIN. Happens regularly, especially with elderly people as victims. But normally unless customer is clearly to blame, card issuer will compensate the damage (well okay... somehow spread out over all customers, that is).
But overall incidence is not that high. So in terms of cost to the average user, chip + PIN is a pretty good system. As a bonus, often the perps are caught on cam when they (try to) use the card at an ATM, retail store etc.
In some European countries (like mine) processing this type of payment has become so efficient, that (per transaction) it's as cheap if not cheaper than exchanging a few coins & bills. And of course store owners love it as it makes for less cash in house & thus less incentive for robbers.
Recently they've introduced the option of PIN-less payments for low-amount transactions (so there's less need to use your PIN 'everywhere'). And/or combined with some kind of electronic wallet that holds a limited amount (up to ~150 Eur or thereabouts). We'll see how that goes.
Re: (Score:2)
In Spain, I had to show ID with every card based purchase in a store even if it was chip and pin. I can only imagine it reduced a lot of thefts like this.
Re: (Score:3)
But what if the shop keeper is skimming off your card? How does the customer know that the chip reader has not been hacked? And yes, this situation has happened.
Consider the example of the Target stores. The machines were hacked to intercept customer information. The machines did use mag stripes and have since become slightly more secure (Target today does not use the chip reader even though the reason my card was exchanged to have a chip was because of Target!). However the core cause of the breach wa
Re: (Score:2)
Considering I met a consultant who had to deal with Target.. They didn't even bother with any security let alone "good enough for now" security but that's beside the point..
In most of the rest of the world, if they skim the card info from the payment system they can't just throw it onto a new card since chip and pin cards are much more difficult to duplicate. In the one successful replay attack I've managed to find out about the stolen info could only be used on hacked chip and pin terminals making the t
Re: (Score:2)
Chip and pin suffers from a flawed assumption common in many systems. The assumption that breaking it is too costly for the average person and that any remaining losses will be handled as a cost of business.
For the mag strip credit cards the banks actually do assume a percentage of loss rather than fix the flaws. For chip and pin they assume that hacking it is too difficult for the average corner shop or quickie mart, except that once someone figures out how that information is easily spread and replicate
Re: (Score:2)
You can skim them, but it's a lot harder than the magnetic strip.
Re: (Score:2)
Reports I've seen combined blaming the Christmas shopping season (i.e. don't slow down the cash flow), engineering issues, and MasterCard and Visa reportedly being late in publishing at least SOME of the documentation.
http://www.nbcnews.com/busines... [nbcnews.com]
chip ? (Score:5, Interesting)
Re:chip ? (Score:5, Funny)
I'd say go one step forward: tattoo a barcode on everyone's forehead AND a chip inside the head.
Forget the ATMs, think of the possibilities: easy tracking, no more anonymity in public, oh, the options are unlimited.
No more muggings as it's quite hard to carry 2-3 severed heads with you.
Re: (Score:2)
Note the AND between tattoo and chip. You must have them both in order to work. It's not called 2 factor authentication for nothing.
Re: (Score:2)
That would never fly in 'Merica, because the bible belt folks would then bray about the mark of the beast and the Book of Revelation.
Re: chip ? (Score:2)
Yet, they all willingly carry a cell phone.
The "Mark of the Beast" is easily the MAC address or IPv6 address of your phone. :|
Re: (Score:2)
FTFY.
Re:chip ? (Score:4, Interesting)
I'd say go one step forward: tattoo a barcode on everyone's forehead AND a chip inside the head.
Forget the ATMs, think of the possibilities: easy tracking, no more anonymity in public, oh, the options are unlimited.
No more muggings as it's quite hard to carry 2-3 severed heads with you.
Pretty sure the xians will say this is the Mark of the Beast. But if it will bother them, then I am down.
Re: (Score:2)
The mark of the beast, but with a CRC at the end!
Re: (Score:2)
"X" has been a shortcut symbol for "Christ" for a thousand years. So saying "Xmas" is not an attack on Christmas like some want to claim.
Re: (Score:3)
I'd say go one step forward: tattoo a barcode on everyone's forehead AND a chip inside the head. Forget the ATMs, think of the possibilities: easy tracking, no more anonymity in public, oh, the options are unlimited. No more muggings as it's quite hard to carry 2-3 severed heads with you.
Joe Pesci would like a word with you. [wikipedia.org] "Only 3? What a piker. Try 8."
Re: (Score:2)
Because you can't use fancy sounding science to scam investors who don't realise Chip+Pin is the solution to replay attacks.
Re: (Score:2)
Chips aren't all that great for security... Better than mag strips, but far from perfect as anyone living in a country with the chip+PIN system will tell you. In fact in some ways it's worse, because when first introduced in the UK the banks tried to blame all fraud on the customer because the system was supposed to be immune to fraud.
Phone is a pretty good option. You need the phone and you need a way to unlock it (fingerprint, PIN or 97 character password if you prefer). That's already at least as good as
Re: (Score:2)
anyone living in a country with the chip+PIN system will tell you
I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect, but at least they can be made to prevent skimming, which is what the article is about. And it's a much better solution than chemical analysis of the mag strip.
Phone is a pretty good option. You need the phone and you need a way to unlock it
Except that not everybody has a (smart) phone. Also, it's easy to see what PIN people use when you sit next to them, or guess it from the fingerprints they've left on the touch screen. Or you can just wait for them to unlock the phone and then grab it out of t
Re: (Score:2)
far from perfect as anyone living in a country with the chip+PIN system will tell you
I live in a country with chip+pin, and I'm not telling you. Maybe chip cards aren't perfect
Uh...
Re: chip ? (Score:2)
Re: (Score:2)
Phone is a pretty good option. You need the phone and you need a way to unlock it
And you need a power bank in case it gets run down and you need a backup phone in case it fails. What is needed is an end to the race to the bottom, so that employers are hiring people smart and scrupulous enough to check for credit card fraud instead of engaging in it.
Re: (Score:2)
Millions of people use their phones for payment already, not bothering to carry backup phones/cards/batteries etc. It's been working well for over a decade. Maybe your problem is you buy crap phones where the battery doesn't last three days on a charge.
Re: (Score:2)
Because it's not a perfect solution either. Chips are feel good solutions though, let the customer think that they have security.
Riiiight (Score:3)
The only reason people could possibly disagree with Electronic voting machines is because "Luddite", and not because there has been a long history of corruption [wikipedia.org] made-easy by these devices.
Since this is the 2nd article in as many days on the same subject, basic math shows that there is no benefit in safety using a Phone vs. an ATM card. Both are a single point of failure, protected by a simple PIN (and last I checked Phones don't require PIN numbers). TFA hints at it: The majority of theft from ATM is by
Sigh. (Score:2)
Just use standard PKI. It's secure, it's easy and it's standard.
Create a key pair for each customer. The private key is protected by a pass phrase (also known as a PIN code). Distribute the key pairs along with the bank's public key on a chip which does the encryption/signing.
Now go to the ATM or POS. Enter the card with the chip. Unlock the private key with the PIN. Let the card encrypt a message to the bank using the bank's public key and signed
Re: (Score:2)
We're in the midst of transitioning right now.
Stuff biometrics (Score:2)
There is no way in hell I'm having biometric identification for anything. I'm not about to have my fingers cut off or eyeball pulled out so some crook can make off with my stuff.
http://www.theregister.co.uk/2... [theregister.co.uk]
Damn fool idea and probably being pushed more for the use of such data to build a huge database by ye olde 3 letter agencies than for any "security" reasons..
Re: (Score:2)
Not to mention that you can't revoke more than two retinas in the key repository, or that you can't get your money when you desperately need to pay for retinal detachment surgery.
Yesterday tech coming real soon... (Score:3)
The majority of the big banks in Australia have been offering these facilities or similar for 2+ years
Given the popularity of the Magstripe in the US, even after all these years, any advancement seems revolutionary I guess. One would think a possible reduction in fraud would drive even modest initiatives, like Chip+PIN adoption.
Re: (Score:2)
I would not trust a phone to handle anything to do with money, ever. When I see a vendor with an iPad with a credit card reader, I pull out cash instead and use that.
Re: (Score:2)
It's been a common problem in Atlanta where crooks follow someone with a nice car home, then jump them and kidnap them in their driveway, take them to an ATM and empty their account.
Things like that have been happening here for years. I remember about 8 years or so ago they arrested a bunch of kids right before school in the parking lot of the high school I used to go to. They would watch people at ATMs withdraw money then follow them and hold them up (believe they were using a BB gun though) and rob them. This wasn't even in Atlanta, it was in East Cobb (admittedly I went to school on the border of East Cobb so we had plenty of rougher, poorer areas in our district too).
Re: (Score:2)
Chip+pin doesn't reduce fraud claims because it doesn't reduce fraud.
Nice try... (Score:2)
Secure payments is a very solvable problem. The only reason it hasn't been solved yet is the reliance on old technology and infrastructure. The two primary problems are a lack of instance validation, and static card information.
Here's one answer:
Bank issues card with a chip. The chip has the bank's public key and a unique priva
Re: (Score:2)
As you say the network is often down or not present. The nonces don't help because the stores themselves are not to be trusted. Stores have hacked the chip+pin systems and skimmed from customers. So nothing has really changed here: in the past the banks have accepted a certain percentage of loss from fraud credit cards, and today the banks accept a certain percentage of loss from chip+pin. You're also assuming, possibly naively, that the crypto systems are written to the highest level of security possi
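The replay question raised in the "Sigh." and "Nice try..." posts above (static card information versus a chip that answers a per-transaction challenge), as an added example that is not from any poster or from a real payment scheme. HMAC with a per-card secret stands in for the chip's private-key signature because the Python standard library has no asymmetric signing; `Chip`, `Bank`, the track string and the key are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not a real card or key.
STATIC_TRACK = b"4000000000000002=2512"   # a mag stripe returns the same bytes on every swipe
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # secret kept inside the chip


def message_bytes(nonce, amount_cents, counter):
    """The fields that the card's response is bound to."""
    return nonce + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")


class Chip:
    """Hypothetical chip: answers challenges, never exports its key."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def respond(self, nonce, amount_cents):
        self._counter += 1
        msg = message_bytes(nonce, amount_cents, self._counter)
        return self._counter, hmac.new(self._key, msg, hashlib.sha256).digest()


class Bank:
    """Hypothetical issuer that accepts either static data or a fresh response."""

    def __init__(self, key, track):
        self._key = key
        self._track = track
        self._open_nonces = set()
        self._last_counter = 0

    def authorize_static(self, track):
        # Nothing ties this check to one transaction, so a copy works forever.
        return hmac.compare_digest(track, self._track)

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def authorize_dynamic(self, nonce, amount_cents, counter, tag):
        if nonce not in self._open_nonces:
            return False                      # unknown or already used challenge
        self._open_nonces.discard(nonce)      # single use, even if the tag is bad
        if counter <= self._last_counter:
            return False                      # response from an earlier transaction
        msg = message_bytes(nonce, amount_cents, counter)
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # wrong key, or amount/nonce altered
        self._last_counter = counter
        return True


def demo():
    bank, chip = Bank(CARD_KEY, STATIC_TRACK), Chip(CARD_KEY)
    out = {}
    out["static_first"] = bank.authorize_static(STATIC_TRACK)
    out["static_replay"] = bank.authorize_static(bytes(STATIC_TRACK))  # recorded copy
    nonce = bank.new_challenge()
    counter, tag = chip.respond(nonce, 2000)
    out["dynamic_first"] = bank.authorize_dynamic(nonce, 2000, counter, tag)
    out["dynamic_replay_same_nonce"] = bank.authorize_dynamic(nonce, 2000, counter, tag)
    fresh = bank.new_challenge()
    out["dynamic_replay_fresh_nonce"] = bank.authorize_dynamic(fresh, 2000, counter, tag)
    n3 = bank.new_challenge()
    c3, t3 = chip.respond(n3, 2000)
    out["amount_tampered"] = bank.authorize_dynamic(n3, 50000, c3, t3)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The example covers replay of recorded data only; a terminal that has itself been tampered with, the concern in the reply above, is outside what a nonce can fix.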
In Soviet Russia ... (Score:2)
Chip (Score:2)
While chips have been standard in Europe for some time, I'm starting to see more and more US businesses starting to use the chip in cards over the past 6 months, especially drug stores.
It is interesting though that many people do not have a PIN associated with these chip cards in the US, so it is still "authenticated" with a signature.
Stupidest idea I've heard all week! (Score:2)
Get rid of the card
What if I don't have and don't want a smartphone?
Also, hasn't it occurred to anyone that this will actually make a 'cyber'-based attack easier?
Here's a better idea: How about you train banking personnel to be proficient at inspecting automatic teller machines for card skimmers and other physical exploits, and have them do it every time they service or reload the machine? In other words: How about better security? Also, how about multi-factor authentication at ATM machines?
Come on, people; every other day
Trust (Score:2)
I trust my debit card far more than I trust a mobile software application to interface with my financial accounts.
Under no circumstances will I use a mobile platform ( regardless of vendor, MS / Google, Apple ) to access my bank accounts.
Financial transaction alerts are pushed to the phone based on triggers I have set up, but I would never use a smartphone platform to log into nor perform a financial transaction.
Ditch the Diebold (Score:2)
Great idea, but not with that company.
Re: (Score:2)
I agree there - as soon as I saw Diebold and NFC I realized that this is going to be really bad.
Not that magnetic strips are good either, they should have been killed a decade ago. All cards I have are chip cards, and any point of sale here in Sweden has a chip reader.
For Iris scan, just watch this scene [youtu.be] from the movie Demolition Man.
Re: (Score:2)
People are still using cards with a mag strip?
What 3rd world country is this?
Re: (Score:2)
I used a mag strip ATM card in Europe quite easily.
Cheap is not so much a factor (Score:2)
A card sized microprocessor that does two factor authentication is a relatively reasonable cost. Interfacing them to existing machines could be done through the mag reader as an interface, or through a new interface. The problem with a new interface is replacing all the terminals to support the new interface, this is the problem that the chip based credit cards are facing.
Today the cards themselves are replaced so infrequently that I can't imagine cost being the driving force.
What we already know is that th
Re: (Score:3, Funny)
Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.
Re:actually it is really easy (Score:5, Insightful)
Use Bitcoins and get tagged by the FBI and all other three letter agencies you can think of.
If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.
Re:actually it is really easy (Score:5, Funny)
If you're an American and not working for the authorities, you're already "tagged" by the government for observation as a suspected criminal.
No action is required on your part for this, so there is little point in letting it stop you from using bitcoin.
I don't believe that's true. I'm pretty sure that even if you ARE working for the authorities, you're under suspicion by our beloved government.
Re: (Score:2)
Well, you get tagged on a scale, so you may get a higher priority on your tags if you stand out using bitcoins.
Re: (Score:2)
Use a bitcoin and contribute to criminal agencies and support its pyramid scheme. Bitcoin was not designed to be an independent secure alternative to cash or it would have been designed differently.
Re: (Score:2)
What I would like to see is a banking app that would run on a phone or on a durable card sized device.
I'm really not comfortable tying everything to my phone, which is easily hacked or frequently runs out of power on extended trips.
NOTE: some contactless payment technologies today can be skimmed without contact, using a radio antenna designed for the purpose. (ex: EMV)
Re: (Score:2)
But, but... using smart phones is cool! You can pay your bill and update your Instagram at the same time! I can hardly believe how uncool old people are.