hackaday.com
URL: https://hackaday.com/2022/09/16/gaze-upon-just-how-thin-atm-skimmers-are-getting/
Submission: On February 01 via manual from GB — Scanned from GB
February 1, 2023

Gaze Upon Just How Thin ATM Skimmers Are Getting
63 Comments
by: Donald Papp, September 16, 2022

ATM skimmers are electronic devices designed to read financial card information, and they are usually paired with a camera to capture a user’s PIN. These devices always have to hide their presence, and their design has become a bit of an arms race. Skimmers designed to be inserted into a card slot like a parasite have been around for several years, but [Brian Krebs] shows pictures of recently captured skimmer hardware that is only a fraction of a millimeter thick. And that’s including the battery. As hardware gets smaller, the cameras that capture PIN entry are more easily hidden in things like fake panels.

The goal of these skimmers is to read and log a card’s magnetic strip data. All by itself, that data is not enough to do anything dastardly. That’s why the hardware is complemented by a separate device that captures the user’s PIN as they type it in, which is usually accomplished with a camera. These cameras are also getting smaller and thinner, which makes them easier to conceal. With a copy of the card’s magnetic strip data and the owner’s PIN, criminals have all they need to create a cloned card that can be used to make withdrawals. (They don’t do this themselves, of course. They coerce or dupe third parties into doing it for them.)

Retrieving data from such skimmers has also led to some cleverness on the part of the criminals. Insertable readers designed to establish a connection to the skimmer and download its data are how that gets done. Retrieving data from an installed skimmer is also something criminals don’t do themselves, so the stored data is encrypted. After all, it just wouldn’t do to have an intermediary getting ideas about using that data for their own purposes.
Countermeasures include ATM manufacturers taking advantage of small cameras themselves, using image recognition to watch the internals of the card area for anything that seems out of place. Another is to alter the internal design and structure of the card slot, preventing insert skimmers from locating and locking into place (at least until they get redesigned to compensate). Amusingly, efforts to change the design of an ATM’s key components in unexpected ways to prevent criminals from attaching their own hardware led our own Tom Nardi to discover a skimmer, only to find out it wasn’t a skimmer.

So with skimming hardware getting smaller and harder to detect, what’s one to do? [Brian] points out that no matter how cleverly the hardware is hidden, covering the keypad with your hand as you enter your PIN will defeat a critical component of a skimming operation: capturing your PIN. Sadly, after reviewing many hours of video from captured skimmer hardware, [Brian] says that’s apparently a precaution virtually no one takes.

Posted in Security Hacks. Tagged atm, crime, deep insert skimmer, pinhole camera, skimmer.

63 thoughts on “Gaze Upon Just How Thin ATM Skimmers Are Getting”

1. Technocoma says: September 16, 2022 at 1:23 pm
   I thought that the magnetic strip was no longer used in ATMs; at least that’s the case in France. Well, that’s what the bank said in 1997 when a French hacker, Serge Humpich, was trapped when he demonstrated the “Yes card” principle: they said that the chip inside credit cards was safe, and that the magnetic strips were no longer used. Of course they lied, because magnetic strips are still in use, particularly for paying for the highway.
   From my point of view, the banks are responsible that such an attack is possible: I can’t understand that ATMs still use magnetic strips, and that they don’t use the cryptographic systems embedded in the card’s chip. They will say that it’s expensive to replace the ATMs, but they make huge profits at the same time. Bankers are really stupid … or professional liars … (I’ll bet on the second hypothesis).

   1. Anonymous Coward says: September 16, 2022 at 1:30 pm
      I reckon that even if the ATM itself doesn’t use the chip, the skimmers themselves will still work because the card is still passing through the ATM.

      1. Steven says: September 16, 2022 at 4:06 pm
         But then the skimmer can’t read the whole strip, just however much gets inserted.

         1. lampamrk says: September 16, 2022 at 11:15 pm
            That’s going to be repeated many times down the length of the card.

   2. punkdigerati says: September 16, 2022 at 1:57 pm
      Most CC companies in most countries implemented a change of liability for strip reading quite some time ago. Businesses that use strip readers are liable for the cost of fraudulent charges, or rather won’t be reimbursed, if it’s caught.

   3. come2 says: September 16, 2022 at 2:38 pm
      In 1997 maybe. Now, I can say I have never ever seen the magnetic strip being used, and that on some cheap cards it’s even absent. For the highway we now use contactless payment.

      1. Boris says: September 16, 2022 at 6:23 pm
         By default, card readers use the smart chip but can default to the magnetic strip as well. There are no chip-only card readers on ATMs.

         1. anonymous says: December 11, 2022 at 1:57 am
            The ATM near me (in Canada) doesn’t fall back to mag-strip. I disabled the RFID by drilling out the antenna traces and it stopped working in my local ATM (still works in chip&pin devices).
            Then again, chip&pin has been the standard for about a decade up here.

      2. elwing says: September 16, 2022 at 9:36 pm
         I definitely have some cards that have a printed black line where a magnetic strip would be but that clearly aren’t magnetic tracks, yes. It’s definitely not used any more in my country; I haven’t seen any payment device with the slot to swipe the card.

      3. xosperois says: September 17, 2022 at 12:21 am
         So a year or 3 ago, my ATM card started peeling, and I took off the whole plastic layer, which apparently included the magnetic strip. After that, the local ATM wouldn’t open up anymore, so I couldn’t use it to withdraw cash. I was flabbergasted that it required (at least the first part of) the magnetic strip before it actually accepted the whole card.

         1. Tailgunner says: September 17, 2022 at 5:02 am
            I was an ATM engineer for about 16 years. The ATM card reader is equipped with a width switch, a mag stripe ‘pre read’ head and a metal gate (some also have a thickness switch). The mag stripe and width switch together open the gate. This prevents people from inserting all sorts of garbage and causing a jam in the reader; ultimately it keeps the ATM functional for you.

         2. Brian says: September 17, 2022 at 6:06 am
            ATM manufacturers still use the magnetic stripe as a security feature. You wouldn’t believe the number of people who just shove popsicle sticks, quarters, receipts and other random objects in the slot. The ATM’s no longer functional at that point.

      4. Mathew b says: September 18, 2022 at 3:22 am
         In Canada, stripe cards only function at a terminal that the card belongs to (RBC at RBC, TD at TD, etc.); they will never work at stores (and that’s debit/ATM cards). Credit cards can be swiped sometimes, but normally just to activate. The logic with the ATM debit cards is that all branch arms are in house and very much monitored.
         Third party ATMs and stores, not so much.

2. Ostracus says: September 16, 2022 at 2:08 pm
   “So with skimming hardware getting smaller and harder to detect, what’s one to do? [Brian] points out that no matter how cleverly the hardware is hidden, covering the keypad with your hand as you enter your PIN will defeat a critical component of a skimming operation: capturing your PIN.”
   Seems a tinted shield over the keypad would help.

   1. James says: September 16, 2022 at 8:29 pm
      Not sure if they use IR cameras too. They can see the heat signature your fingers left on the keys. The coolest key is first and the warmest key is the last one pressed. After I make any transactions on keypads I place my hand over other keys.

   2. Mike says: September 18, 2022 at 9:23 am
      I think a shield just gives them a better place to hide a camera.

3. Alexander Wikström says: September 16, 2022 at 2:33 pm
   To be fair, the whole payment card system is fairly flawed at its very core. A system shouldn’t be built on the end users having to trust a random terminal. A good system should embrace the fact that this isn’t secure, and instead move the security to the control of the ones who need it.
   Considering how these payment cards effectively need an internet connection to be useful, it isn’t unreasonable to take the step to separate out the authentication from the card itself.
   A proper system in my own opinion would be implemented as follows:
   Only use the card to store 1 number, and 1 bank. (Like: 1234 5678 9012 3456 @ card.example.bank (yes, that is effectively an “email address”.)) There is no need for any security measures here.
   This card number is then used to make a payment request to said bank. Often through one’s own bank, unless it is the same bank. Said payment request is generated by the payment terminal, ATM, or server, encrypted with a pre-shared key (that is shared with the store’s own bank).
   This encrypted request is then processed by the bank. (Likewise encrypted and sent to the card holder’s bank if it isn’t the same bank as the store. Since if it is the same, the bank doesn’t have to contact itself about it.)
   The bank the card is referencing knows who the card owner is, and knows what authentication method/device the owner prefers/uses. The request is forwarded to the card holder’s authentication device over an encrypted connection using pre-shared keys. This will allow the end user to deny or accept the request on their own trusted device.
   There is simply little useful information on the card itself. It isn’t a key to the card owner’s bank account that is valid for years at a time. All it contains is a single number, that also would be printed on the card, on the magnetic strip as well, and likely a QR code too.
   Now, some banks (like my own) do have 2FA for “internet purchases”, with moderate success. And to a large degree, the proposed system is just “2FA”. (The card number is the first factor, and the response from the app/device is the second one, nothing special here.)
   However, with the above mentioned system there is the risk of the number getting “leaked” and attackers starting to spam the card with requests. This is though easy to notice, and if the end user denies many requests it is good reason to send out a new card to the end user to replace the old.
   Another major attack vector is good old social engineering, and sending out requests that seem legit already is a working strategy. To a degree one can solve this, at least for major brands where the well established nature of the business makes it easy for banks to know who the request is from, but also work on spotting copycats impersonating the larger brand. (When I say “large” this can still be quite small companies.)
   I am not saying it is a perfect system. It does require an internet connection for the card holder’s authentication device of choice.
   (For some countries, a low bandwidth data plan likely should be provided to all citizens due to how central the internet has gotten in daily life in these countries.)
   Likewise there is the issue of trust. Most would inherently trust their app-riddled smart phones for this task. Perhaps even have the card number itself stored on the same phone. But a more standalone security device would be an ideal option for more security minded individuals. (And no, a chip and pin card in a random payment terminal isn’t a particularly trustworthy system; bring your own authentication device.)
   And yes, card skimmers would still be a good way to collect card numbers for an attacker to later send socially engineered requests to.

   1. 1337 n00b pwnr says: September 16, 2022 at 7:32 pm
      Instead of a pin, have a pseudorandom 2fa code like a lot of us already use to log into email/games. It’s weird that my RuneScape/wow/sw:tor bank accounts are more secure than the one I store real money in. Solves the problem of me needing cell service at the PoS.

      1. Foldi-One says: September 16, 2022 at 9:59 pm
         That rather depends on the quality of the implementation and security practices/code quality. No login/verification method means beans if the service provider is leaking their secrets everywhere some other way…
         While you would think entering your pin at an ATM is riskier, in many ways it’s not – as the banks have a huge vested interest in keeping all their/your money, so they are actively working to catch the fraudster, make it harder etc. Your online game really doesn’t have any reason to give a monkeys if your account is stolen – you already paid them, and their goods cost them nothing to just print more – eventually they can give you your account recovered to whatever state on the preceding backup.
         But anything the thief did with it, which may well include paying them yet more money, didn’t cost them anything or meaningfully break the in game economy, so they only care enough to avoid really bad publicity.
         Also 2fa can be good, or can be nearly pointless – for instance even if you can’t unlock the smartphone that is inevitably part of 2fa you can usually see enough of the message on the lock screen – and that is assuming that message chain from provider to your device has no man in the middle. Where if your 2fa is a one time pad type arrangement, likely with a date-time element as some banks have done with their card reader, you need to have that OTP, understanding of how it works, and quite likely a full clone of the chip on the card itself as part of how it works – many fewer folks you need to trust in the message relay chain than the sms message – obviously it’s still got risks, as nothing is truly secure. But it’s far better than trusting every part of the telecom giants your sms is passed through is secure and you haven’t had your phone stolen/cloned.

         1. Alexander Wikström says: September 17, 2022 at 6:50 am
            2FA over SMS is indeed far from ideal. An app is a bit better, but still not ideal. A dedicated device for authentication is far more ideal, since we can ensure end to end encryption between the device and its bank and that nothing else runs on said device.
            PIN codes for cards, however, require that every single payment terminal is secure, else it can gather the needed information to make actual card transfers without the card owner’s approval. And ensuring that every payment terminal is secure is a hard task.
            Meanwhile, having the card only be an ID for stores to make requests to, and then handling the authentication and approval of said requests separately, means it doesn’t matter what level of security the payment terminal has, since the card itself doesn’t provide the security.
            (It literally becomes a “here is my address.” As an example, you can’t hack an email account by simply knowing the address of it, even if it helps narrowing down where to search.)
            However, payment terminal security is still important for the store, else a man in the middle can redirect funds elsewhere, and that is obviously not good for business.
            In this sort of system the authentication and approval of requests would instead take place on a device of the user’s choosing. (Either app or dedicated device.) Yes, this can still be attacked, but realistically it would be harder and the attacker would only gain access to that one account, not every card used in a given terminal.
            Effectively speaking, suddenly skimming card details is about as useful as skimming email addresses. Good for spamming, good for socially engineered requests, but not a direct key to the money.
            Skimming phones for the authentication app would be a new field to attack. And this is already the case, at least here in Sweden where the apps “Swish” and “bankID” are common as mud, one used to transfer money and the other used to authenticate oneself in practically everything. So far, security has been decent, but personally phone apps just don’t sit right with me. (Even a Bluetooth connected authentication device with just an app to relay the data would sit a lot better with me personally.)

            1. dave says: September 20, 2022 at 3:16 am
               Banks and everywhere else are pretty much adopting 2FA over SMS (or paypal’s even better instant phone you system) for authentication. ATMs just need to catch up. But here they are solving that problem by removing ATMs from circulation. Since Irish “travellers” (AKA pikey scum here) tend to like taking them out of the wall they are mounted into with stolen backhoes, the losses are costly when they can have a few 10K worth of currency in them.

   2. Chris F says: September 17, 2022 at 12:33 pm
      That’s how Online EFTPOS works: you enter your bank and mobile number and that sends a payment request to your mobile banking app on your phone to authorise. It works fine most of the time. Sometimes it takes a few minutes. The website needs to offer it and your bank to support it too. It’s not very common. It’s not fast enough for use in a busy shop.

   3. Klh says: September 17, 2022 at 3:43 pm
      Cards with chips have secure elements inside them. Even if someone manages to modify the payment terminal (which is hard and would quickly get caught), the data they get is only valid for a single transaction, and a skimmed pin would still need the physical card – the system is already two factor (three if your bank decides that buying 3 TVs at 2am in a city you never made a transaction in is suspicious and decides to call you to check). Doing what you described is not needed and downgrades security by allowing brute-force attacks – just stop using magstripes (I erase mine on every card I get).

      1. David says: September 25, 2022 at 1:56 pm
         Occasionally you get surprised when a merchant’s machine’s chip interface doesn’t work but the stripe reader does AFTER you’ve eaten.

   4. J says: September 17, 2022 at 6:03 pm
      How about we just implement a basic income thing like Sweden has done instead of forcing everyone to work?

      1. barf says: September 18, 2022 at 12:34 am
         Sweden does not have any basic income thing implemented. I live here so I should know.

      2. Klh says: September 18, 2022 at 1:41 am
         Don’t know where you got the idea from, but Sweden doesn’t have “basic income” and pretty much no political party is for implementing it. Most people need fulfilling work in their life.

      3. dave says: September 20, 2022 at 3:17 am
         When you grow up and earn your money instead of getting it from mum and dad you’ll appreciate why most people that put in effort don’t really wish to give the money they earned away to people that can’t be arsed.

      4. David says: September 25, 2022 at 1:44 pm
         I think that was a Finnish experiment that went pretty well. But there are large cultural differences between Scandinavia and North America and many years of wildly different policies conditioning people to react differently.

      5. AE7HD says: September 25, 2022 at 2:57 pm
         So you just want to force some people to work, while the lazy ones don’t?

4. David Schultz says: September 16, 2022 at 3:19 pm
   I am a bit amazed that an old technology hasn’t shown up for keypads: a randomized pad. Each key has a display (preferably with a limited field of view) that displays a randomized number. An observer can tell which keys are being pressed but can’t tell what numbers have been selected because the numbers change every time.

   1. slincolne says: September 16, 2022 at 3:22 pm
      Probably would be an issue for access for people with disabilities.

      1. Vincent Gadoury says: September 16, 2022 at 6:00 pm
         And also for a lot of people who remember their pin at least partially by its pattern and some muscle memory. I’m noticing this more and more since contactless payment is now available almost everywhere and I enter my pin at most once per month, probably less.

         1. David says: September 25, 2022 at 1:49 pm
            Yes! I have trouble remembering some pins to say the numbers but my fingers know. Still, I like the idea. But what about sight-impaired at the drive-thru ATM? Randomized Braille dots on the keys? Idiotic question but a cool engineering challenge (no doubt already solved to my ignorance).
stevenbell says: September 16, 2022 at 7:50 pm This *is* done in some places. I can’t find the link at the moment, but I recall an individual somewhere in Europe complaining about how it was impossible to type their PIN after a couple of drinks because the numbers change on the keypad. Report comment Reply 1. fanoush says: September 17, 2022 at 1:04 am well, after couple of drinks the numbers can indeed change and it may be hard to type anything :-) Report comment Reply 3. Dave says: September 21, 2022 at 12:55 am In addition to the other comments about this, one well known payment terminal manufacturer actually has the touchscreen pin entry pad move to a random spot on the screen when used to avoid fingerprints being used to easily discern a PIN, though obviously this isn’t completely fool proof. This is disabled if you use their physical cover with rubber buttons for accessibility reasons. Report comment Reply 5. Eric Mockler says: September 16, 2022 at 5:21 pm Maybe 2 factor ATM’s, instead of “enter pin” it could say “enter pin, or press enter to get a code to your phone”. If you select “phone” then it prompts for the code. It would only go to the phone # you have attached to the bank. Report comment Reply 1. The Commenter Formerly Known As Ren says: September 16, 2022 at 7:59 pm So, the mugger took your wallet and your phone. Report comment Reply 1. Andrew says: September 16, 2022 at 8:22 pm SMS messages can be spoofed, plus it’s literally no fun if you’re travelling and your home provider does not have a reaming, er, roaming agreement in the country you are visiting. Report comment Reply 1. Nick says: November 28, 2022 at 12:56 pm I got caught by this when travelling. It sucks, and as far as I can tell there’s no way to opt-out of the security theatre of SMS authorisation. It sucks after being in transit for 50+ hours to be unable to check in to one’s accommodation because the bank sent an SMS to a phone with no roaming! 
(The hotel’s “fix” for this was interesting though. They just leave their reception office unlocked overnight, and all the late check-ins are in envelopes on the desk!) Report comment Reply 2. MrSVCD says: September 16, 2022 at 11:26 pm ATM are two factor already, something you have and something you know. The problem with the magic strip is that it can easily be turned into something you know and therefore it becomes one factor. If I understand the chip/contact less part of the card, it is a call and response. You give the card the “transaction id” and it responds with a hashed/encrypted message that later on gets compared with what the bank expects and if it matches the transaction goes through. So even if you intercept the communication it should only be valid for that specific transaction. Report comment Reply 1. Dan says: September 17, 2022 at 3:18 am Yup, that’s right. And the mag stripe readers don’t *need* an internet connection (though many use it); they can take the card on trust and batch process transactions later – especially with credit cards. Report comment Reply 6. Gregg Eshelman says: September 17, 2022 at 1:38 am Wasn’t there a HaD article a while back on devices found inside gas pumps, plugged into the unencrypted RS232C connection between the reader and keypad and the rest of the electronics? They used Bluetooth so the crooks didn’t have to physically access anything to retrieve the stolen account codes and PINs. There was a Smartphone app to scan Bluetooth for the common device IDs used in the recovered examples of the skimmers. The crooks were mostly too lazy (or incompetent) to change the IDs. With a decent fake of an inspection sticker, a criminal could open the panel on a pump, unplug the connection, plug in the skimmer, close it up, slap on the fake sticker and off he goes. If the pump is a type where the access panel to the reader and keypad hardware isn’t ‘secured’ by an inspection sticker, the crook would only need to pick the lock. 
Skimmers in such pumps would be more likely to be discovered since gas station employees would be able to open the panel without requiring some official to come and replace the seal sticker. Report comment Reply 7. Bill con says: September 17, 2022 at 2:59 am Simple : qr code login. Your banking mobile app scans the code and you withdraw money or send some Report comment Reply 1. dave says: September 20, 2022 at 3:20 am We have that here with some banks. it started as emergency use in case you forgot your card or lost it, but now has turned into a thing so that you no longer need your card, just your phone and the app. Some banking apps have even forced you into using face recognition for approving some transactions – mainly so they can say “look, YOU approved this”. Report comment Reply 8. Dan says: September 17, 2022 at 3:15 am Amazed scammers can still make money on this. Does anyone use ATMs any more? Hardly anyone uses cash, it’s all contactless, especially since covid. Even our local chip shop now takes contactless. And cat parking is now contactless or more usually apps, which saves the council on maintenance and collecting cash. And banks don’t want to invest in massive changes to ATMs; even without fraud, they lose money on running ATMs, due to the costs in installing, maintaining, and stocking them. Report comment Reply 1. The Commenter Formerly Known As Ren says: September 17, 2022 at 5:44 am Tell me more about this “cat parking”! B^) Report comment Reply 1. Michael Joseph Ballezza says: September 17, 2022 at 6:11 am It’s what you do after you herd them, most people don’t get that far in the process Report comment Reply 1. The Commenter Formerly Known As Ren says: September 17, 2022 at 7:49 am That’s why I haven’t heard of it! Very rare indeed! B^) Report comment Reply 2. David says: September 25, 2022 at 1:40 pm Tips! We’re very aware of businesses keeping some of waters’ tips. Cash, to some degree, interferes with this practice. 
They can’t take what they can’t count. Report comment Reply 3. Nick says: November 28, 2022 at 12:58 pm Where I live, it’s common to be charged up to 2% for using EFTPOS. Cash all the way for me. Although i do still see a lot of other people using eftpos (often via their phones) I guess they are jusg richer than I am. Report comment Reply 9. YGDES says: September 17, 2022 at 5:03 am Same. Report comment Reply 10. delresearch says: September 17, 2022 at 5:14 am I have a savings card with no chip on it. It would work in that situaion. Report comment Reply 11. delr4esearch says: September 17, 2022 at 5:20 am Hey the encrypted data on he card was not even checked back n the day. The crooks figured they could cash out with just he track 2 data as long as the checksum was correct. Its was there to protect anyone just using information off the card. They didnt even check, as long as it was there. Report comment Reply 12. Antares says: September 17, 2022 at 12:02 pm Unfortunately hiding your pin entry by covering it with your other hand doesn’t help. There had been a study two years ago showing that pin entry can be recovered by capturing the ankle of your hand. This can even be simplified using ai Report comment Reply 1. HackyTime says: September 17, 2022 at 5:02 pm Fake press some buttons before, during, and after entering your PIN, even some mistake presses and undo/delete button Report comment Reply 2. AE7HD says: September 19, 2022 at 1:46 pm Wrist? I think I’m going to start saying “the ankle of your hand”… Report comment Reply 1. The Commenter Formerly Known As Ren says: September 25, 2022 at 3:57 pm Note the “name” of the poster. They are probably from Antares, their physiology may be different from ours. B^) Report comment Reply 13. bitrake says: September 17, 2022 at 3:19 pm Bottom line is the capital investment in present infrastructure isn’t going to be abandoned unless an external force makes it mandatory. 
That external force could be the users of the system or a governing body. Until such time the cheapest band-aid that keeps the ball rolling will sticks. Report comment Reply 14. Sabas says: September 19, 2022 at 7:29 am HunterCat is an excellent anti skimmer Report comment Reply 15. David says: September 25, 2022 at 1:36 pm Covering your pin entry, “that’s apparently a precaution virtually no one takes” is very likely because most just read the warning that makes them think some shady character across the street with a long lens is spying on them so they might glance around and not see one. It’s understandable why machine makers dont want people to think there might be spy cams but it needs to be spelled out. Report comment Reply 1. AE7HD says: September 25, 2022 at 2:54 pm There was actually a case years ago where someone who lived in an apartment across the street from an ATM was watching people with a telescope to get their PIN numbers, then taking their receipts from the trash at the ATM to get their account numbers. And more than once, I’ve caught the person behind me in line trying to shoulder-surf my PIN number. Report comment Reply LEAVE A REPLY CANCEL REPLY Please be kind and respectful to help make the comments section excellent. (Comment Policy) This site uses Akismet to reduce spam. Learn how your comment data is processed. 
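Three threads above describe the same distinction from different angles: MrSVCD's description of the chip as a call and response, Klh's point that whatever a tampered terminal sees is only good for a single transaction, and delr4esearch's recollection that issuers once checked little more than the Track 2 checksum. The toy model below puts those side by side. It is an added example, not code from the Hackaday post or from any commenter: HMAC-SHA256 stands in for the MAC construction a real EMV card uses, the transaction counter and the 4-byte terminal challenge mirror the EMV ATC and unpredictable number only loosely, the PAN is a standard test number, and the Track-2-style string and the `Issuer`/`ChipCard` classes are constructed for illustration.

```python
"""Toy model of static magstripe data versus a per-transaction chip cryptogram.

Everything here is constructed for illustration: the PAN is a well-known
test number, the card key is random, and HMAC-SHA256 stands in for the
MAC construction a real EMV card uses. Issuer and card logic are simplified.
"""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Return True if the card number passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ChipCard:
    """Holds a secret key that never leaves the (simulated) secure element."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0                # application transaction counter

    def cryptogram(self, amount_cents: int, unpredictable: bytes) -> tuple[int, bytes]:
        """Answer a terminal challenge with a MAC bound to this one transaction."""
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}|".encode() + unpredictable
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Bank side: knows each card's key and the last counter value it accepted."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def issue(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        return ChipCard(pan, key)

    def authorize_chip(self, pan: str, amount_cents: int, unpredictable: bytes,
                       atc: int, mac: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc.get(pan, 0):
            return False            # unknown card, or a counter value already consumed
        msg = f"{pan}|{amount_cents}|{atc}|".encode() + unpredictable
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False            # amount or challenge differs from what the card signed
        self._last_atc[pan] = atc
        return True

    def authorize_magstripe(self, track2: str) -> bool:
        """Static track data: nothing in it changes between transactions."""
        pan = track2.split("=", 1)[0]
        return pan in self._keys and luhn_ok(pan)


def demo() -> dict[str, bool]:
    """Run the scenarios and report which ones the issuer accepts."""
    issuer = Issuer()
    pan = "4111111111111111"        # well-known test PAN (constructed data, not a real account)
    card = issuer.issue(pan)
    track2 = f"{pan}=2512101"       # constructed Track-2-style record: PAN=expiry+service code

    results = {}
    # Genuine purchase: terminal picks a fresh challenge, card answers, issuer accepts.
    un = secrets.token_bytes(4)
    atc, mac = card.cryptogram(1999, un)
    results["chip_genuine"] = issuer.authorize_chip(pan, 1999, un, atc, mac)
    # A recording of that exchange presented again: the counter has already been consumed.
    results["chip_replay"] = issuer.authorize_chip(pan, 1999, un, atc, mac)
    # A tampered terminal inflating the amount after the card signed it: MAC mismatch.
    atc2, mac2 = card.cryptogram(1999, un)
    results["chip_amount_tampered"] = issuer.authorize_chip(pan, 199900, un, atc2, mac2)
    # Magstripe: the recorded track data is indistinguishable from the card, every time.
    results["magstripe_first_use"] = issuer.authorize_magstripe(track2)
    results["magstripe_replay"] = issuer.authorize_magstripe(track2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Running it prints one line per scenario; the two magstripe lines are accepted and the chip replay and tampered-amount lines are rejected. The monotonic counter is what kills a verbatim replay, and the terminal challenge plus the amount inside the MAC is what stops a captured cryptogram being reused for a different transaction. Real issuers add more (counter windows, issuer-side response cryptograms, risk scoring), but the shape of the check is the one MrSVCD described.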