The Almighty Buck Crime EU Security

Vacationing Security Researcher Exposes Austrian ATM Skimmer (carbonblack.com) 181

While vacationing with his family in Vienna, Ben Tedesco (from security company Carbon Black) discovered an ATM skimmer "in the wild", perfectly crafted to look like the original card reader. New submitter rmurph04 shares Ben's story: "I went to grab some cash from an ATM. Being security paranoid, I repeated my typical habit of checking the card reader with my hand as I have hundreds of times. Today's the day when my security awareness paid off!"
Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.

  • And yet he missed... (Score:5, Interesting)

    by marcansoft ( 727665 ) <hector@marcansoft.UMLAUTcom minus punct> on Sunday June 26, 2016 @02:42AM (#52391663) Homepage

    ... the blatant camera/panel overlay [imgur.com] above the PIN pad, which is almost certainly where the main logic and storage of the skimmer is.

    • it is strange he didn't even look for the C&C portion of the skimmer

      • by Khyber ( 864651 )

        Those skimmers have everything built-in. You need practically zero space to store name/number/PIN/Expiration date/ZIP code, a tiny silver-air battery can power the skimmer for a month.

    • Blatant? (Score:4, Insightful)

      by nuckfuts ( 690967 ) on Sunday June 26, 2016 @11:05AM (#52393293)
      "Blatant" is rather an overstatement. Nobody is going to be alarmed by minor cosmetic changes such as the 1/8" gap between the blue sticker and the keyboard being eliminated. Do you think people go around with a precise image of these machines in their head?
      • Re:Blatant? (Score:5, Interesting)

        by marcansoft ( 727665 ) <hector@marcansoft.UMLAUTcom minus punct> on Sunday June 26, 2016 @11:38AM (#52393473) Homepage

        A security researcher who goes around looking for ATM skimmers should know that the magstripe reader always goes along with a camera for the PIN pad, and that the electronics inside the card reader part aren't the whole story.

        It's completely obvious once you look for it, once you know a skimmer was installed on the card slot, especially having another pristine ATM right next to it to compare. Nobody's going to blame someone for not noticing a skimmer in the first place, but once you know one was installed, yes, the PIN pad part is blatant.

    • by kriston ( 7886 )

      Yeah, you can't do anything without the PIN. Very interesting observation about his report that omitted any acknowledgement of the PIN camera.

  • These days, pretty much any ATM I use, I attempt to pull the receptacle off, just on the off chance that there's a skimmer attached.

    I've never been skimmed myself, but my parents have.

  • by Anonymous Coward

    Note that his ATM has a grey ridge just above the screen, almost blocking the buttons at the top of the screen, while the ATM to the left of his does not have this extra ridge. This part should contain the camera to record the password number, needed to use the card (in Europe).

  • by Anonymous Coward

    that forgets looking for the pin-pad overlay or cam XD

    • by dohzer ( 867770 )

      Because there's only one type of security, so he should have picked up on this! Good logic.

  • Solution (Score:5, Interesting)

    by kanweg ( 771128 ) on Sunday June 26, 2016 @03:36AM (#52391777)

    ATMs should have a camera (preferably 2, for stereo) looking at themselves. When there is no customer, take a picture and compare it to the base line one (when it was freshly installed/last inspected etc). If it has been tampered with, the bank can see the difference. A computer program can recognise the change. If they keep recordings, they can even see who did it.

    Bert

    • by Teun ( 17872 )
      Interesting.
    • Comment removed based on user account deletion
    • by mysidia ( 191772 )

      Even better if they include infrared imagery in the scans.

      And start using anti-counterfeit graphics containing unique serialized digital data on the surfaces of the readers and keypad which will be scanned and verified before every transaction.

    • Re:Solution (Score:5, Informative)

      by thegarbz ( 1787294 ) on Sunday June 26, 2016 @08:48AM (#52392659)

      That's a great idea but an image recognition nightmare if you can't control the environment. Outdoors, between the sun moving, clouds, rain, street lights, etc., doing such side-by-side recognition to catch such a minute detail would be incredibly difficult.

    • Look at the video - the skimmer is in a green part that looks exactly identical to the original item as it's an overlay. No visual system would have caught it...

      Now they WOULD have caught the pinhole camera mentioned by someone responding to the thread, but only if it was pretty high resolution and had such a degree of intolerance to difference that even dirt could set it off.

      Not really a great way to go about protecting against skimmers, especially if like in Mexico you have the actual ATM repair guys ins

      • Look at the video - the skimmer is in a green part that looks exactly identical to the original item as it's an overlay. No visual system would have caught it...

        On the other hand, the operations to INSTALL the skimmer head and PIN-watcher would have been considerably different to a normal transaction. Which would also give you video of the people installing and retrieving the skimmer hardware. Good for evidence - though these would be cannon-fodder personnel anyway.

        • On the other hand, the operations to INSTALL the skimmer head and PIN-watcher would have been considerably different to a normal transaction.

          Have you seen video of people installing those things? The skimmer just takes a second, and looks identical to someone checking to see if there's a skimmer...

          It would take some impressive software to distinguish skimmer installation from a normal transaction, and most of the work would be easily blocked by the installer's body.

    • The ATMs in the video already protect against these types of skimmers by emitting a jamming signal in the EM range that interferes with magstrip read heads, making skimming impossible here. There are also sensors around the card reading housing that alert the bank to the presence of tampering.

      As discussed on reddit when this story broke, this video is likely an advertisement (filmed in vertical much like the guy sleeping in his Tesla on the freeway to make it look amateurish). Seeing now that it's linked di

  • Stronger glue should be used.

    • The skimmer and head are temporary installations. Typically they'll be installed, then removed after a few hours so the skimmer can be put onto another ATM (of the right cosmetic type) while the data is read and cards cloned to drain the susceptible card's accounts. Using a glue that comes off easily and leaves no suspicious residues to alert cleaning staff would move happen pretty fast.

      Though these aren't very expensive bits of equipment (in cash value), since they'll often contain fingerprints, DNA, and

  • It is hardly surprising that he found this in a tourist location. Austria has long switched to chip cards for cash withdrawal so skimming the magnet stripe of an Austrian card wouldn't be much use. You could technically get the magnet stripe information from an Austrian card (which is there for legacy reasons and the occasional visit to the States) but if you tried to use it this would immediately be caught by fraud detection.
    • Unfortunately this isn't entirely true. Austrian (like all European) cards do have a chip, but they also still have the magstrip. And third world ATMs use mag strips near exclusively, which is usually enough to withdraw money there.

      In other words, what happens is that the data is being transmitted to some backwater country where the mag strip part is duplicated and used on one of those ATMs there. Yes, it's easy to spot this since your card will be used in, say Albuquerque while you're not even near the con

      • by kylant ( 527449 )

        Unfortunately this isn't entirely true. Austrian (like all European) cards do have a chip, but they also still have the magstrip. And third world ATMs use mag strips near exclusively, which is usually enough to withdraw money there.

        In other words, what happens is that the data is being transmitted to some backwater country where the mag strip part is duplicated and used on one of those ATMs there. Yes, it's easy to spot this since your card will be used in, say Albuquerque while you're not even near the continent, but when you notice it the attacker still has the money.

        As I wrote previously, this isn't how it works: An Austrian Maestro Card (the card you use to withdraw cash from your bank account) will not work in any country that operates with magnetic stripe only unless you call your bank first. I'm not sure about Albuquerque but most countries outside Europe and the US are blocked by default.

  • by Freedom Bug ( 86180 ) on Sunday June 26, 2016 @05:54AM (#52392105) Homepage

    So instead of phoning the police, he destroys possible evidence, such as fingerprints. Bravo.

    • by moronoxyd ( 1000371 ) on Sunday June 26, 2016 @06:43AM (#52392227)

      Come on... he's American, so he clearly knows better than the police in a backwater country like Austria!

    • by nnull ( 1148259 ) on Sunday June 26, 2016 @07:37AM (#52392401)
      Yeah, because the Police are going to do SO MUCH. Every time I've reported skimmers to police, both in Europe and the US, they really don't give a damn. A lot of gas station employees also don't care. So yeah, much more fun to reverse engineer it, reinstall it so the guy that comes back to collect the data, gets a cryptoware virus on his laptop, then demand $10,000 from him. Would be far more effective than what the police do.
      • by delt0r ( 999393 )
        In Austria they most definitely would. There is very little crime there, so they would be happy to have something to do. They even turn up if you be a dick about getting caught not paying 2EU for a train ride. I lived in Vienna for 7 years, and well skimming was a recognized problem. My bank would send out pamphlets on what to look out for. Despite the fact that my card was not really vulnerable.
      • Every time I've reported skimmers to police, both in Europe and the US, they really don't give a damn

        How many skimmers are you finding?
        I'll admit I'm no expert but I do keep an eye out for any suspect ATMs. In my entire life I've come across precisely zero.

    • So instead of phoning the police, he destroys possible evidence, such as fingerprints. Bravo.

      Bravo indeed. Instead of presenting a small chance that a police officer could catch the people in question he instead offered to educate someone in person, and 1.76million people online (at the time of this post) about what to look out for with these kinds of skimmers.

  • The real solution is to make it not worthwhile to steal the credit card number. At least in Europe, they bring the card reader to the table in restaurants and you need a PIN even for credit card. Not like USA. They let me use an American credit card without PIN, and it was scammed. 5000$ fraudulent charges!

    Well, with the cards EMV chips become more prevalent, and they use challenge-and-response based authentication, capturing the card, or even the entire exchange between the ATM and the main bank computer would not be enough to commit fraud. For authorizing card-not-present transactions, two factor authentication based on cell phone to confirm the charges will come through. So eventually this threat will go away.

    But as long as the loss to the banks due to skimming is less than the cost of upgrading the infrastructure, they will drag their feet about the cards with chips. Also the credit card companies have shifted the liability for the fraud from themselves to the merchants, in USA. So we should see more EMV chips coming on line in USA.
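
Added example, not part of the comment above or of the original thread: a simplified Python model of why a recorded challenge-response exchange cannot be replayed while recorded static magstripe data can. It is not the EMV protocol; the HMAC scheme, the `Issuer` class and every value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none of this is real card data.
CARD_KEY = secrets.token_bytes(16)   # secret held inside the chip, never sent
TRACK_DATA = b"SAMPLE-TRACK-0000"    # static magstripe contents


def chip_respond(card_key, challenge):
    """Chip side: answer the terminal's challenge with a keyed MAC."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


class Issuer:
    """Bank side: knows the card key and the static track data."""

    def __init__(self, card_key, track_data):
        self._key = card_key
        self._track = track_data
        self._used = set()           # challenges that were already answered

    def new_challenge(self):
        return secrets.token_bytes(8)

    def verify_magstripe(self, presented_track):
        # Static data: whatever was valid once stays valid for every later use.
        return hmac.compare_digest(presented_track, self._track)

    def verify_chip(self, challenge, response):
        if challenge in self._used:  # a challenge is accepted only once
            return False
        self._used.add(challenge)
        return hmac.compare_digest(response, chip_respond(self._key, challenge))


def demo():
    issuer = Issuer(CARD_KEY, TRACK_DATA)
    c1 = issuer.new_challenge()
    r1 = chip_respond(CARD_KEY, c1)
    genuine = issuer.verify_chip(c1, r1)
    # Everything an observer of that one transaction could have recorded.
    captured = {"track": TRACK_DATA, "challenge": c1, "response": r1}
    c2 = issuer.new_challenge()      # the next transaction gets a fresh challenge
    return {
        "genuine_chip": genuine,
        "replayed_track": issuer.verify_magstripe(captured["track"]),
        "old_response_new_challenge": issuer.verify_chip(c2, captured["response"]),
        "old_response_old_challenge": issuer.verify_chip(c1, captured["response"]),
    }
```
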

    • So Europe and the US are the only places that exist in the world?

      Hint: there are a great number of 3rd world countries with payment card systems; they typically run whatever other countries happen to throw away; they won't be using chips anytime soon.
      • by 140Mandak262Jamuna ( 970587 ) on Sunday June 26, 2016 @12:30PM (#52393717) Journal
        In third world countries, law enforcement is very weak. In Africa mobile phone based banking is taking hold. There are typically no ATMs. But shops that sell prepaid phones also act as local tellers dispensing cash after being authenticated using cell phones. Fraud is much less common there. In most third world countries banks are very powerful and the laws favor the banks. All the fraud liability rests with the poor people who are very guarded. The only people using credit cards seriously in Africa are the naive tourists.
        • So, now it's Europe, the US, and Africa? What about everywhere else? I specifically mentioned payment card systems.
          • Fine, have it your way. Hold forth, sir, your views that apply to all continents...
            • Did I say all continents? I surely did not. You're limiting the discussion to places where the magstripe has fallen out of favor and I'm merely pointing out that more places than those exist.
  • by toonces33 ( 841696 ) on Sunday June 26, 2016 @06:45AM (#52392231)

    The newer ones are designed to be "installed" in the cardslot so you can't even see them. Pulling on the green thing will no longer be sufficient.

  • Why not make the front of the ATM and especially the card reader section out of clear plastic?

    It would stop a lot of this stuff dead in the water because you'd be able to see that something wasn't right (assuming you took 2 seconds to look, anyway).

    • Why not make the front of the ATM and especially the card reader section out of clear plastic?

      The number of people who put either the ATM or their card "out of order" by pushing the card into the cash-dispensing slot, or the receipt printing slot would vastly increase.

      You note that part of this machine is made of translucent plastic - and is taken advantage of by the skimmer's designer.

      • The number of people who put either the ATM or their card "out of order" by pushing the card into the cash-dispensing slot, or the receipt printing slot would vastly increase.

        Most of the ATMs I see have a flashing light around the card entry area to cue you where to put your card in and another flashing light around the cash exit slot. They each flash as a cue as to where to put the card or when to take the cash. Alternatively they could block the cash exit slot until the card goes in (I think the BOA machines do that already if I'm not mistaken).

        -

        You note that part of this machine is made of translucent plastic - and is taken advantage of by the skimmer's designer.

        Translucent, but not clear. A clear casing, like they use in prison TV sets and similar items, would make it harder to attach somethin

        • A clear casing, like they use in prison TV sets

          You've obviously spent more time in prison than I have.

          would make it harder to attach something without it being at least a little more obvious, I would think.

          Oh, I see what you mean. Well, it's an idea. Whether it'd get past Marketing is another question - the loss of revenue from the lost advertising space would be catastrophic. Or detectable.
