10 comments

[ 2.8 ms ] story [ 32.1 ms ] thread
This doesn't work in the US because we don't have smart cards.

Edit: My point stands that this particular attack does not exist in the US and people don't need to worry about it. Existing precautions against magstripe card skimming are adequate.

What? It's even easier in the US. Credit card data is just text. Hook up a magstripe reader to a PIC and go to town (literally hah). People have been doing it for years especially at gas stations and seedy bars where it's too dark to notice/patrons are too drunk to care.

http://www.identitytheft.com/article/identity_theft_gas_stat...

Since US cards are "dumb", the ATM doesn't need to send PIN information to it. The ATM card # can be stolen, however, that's not enough to complete the transaction.
Talking about old mag stripe card, the system used to authenticate the transaction is this:

1. The account number is crypted in DES (ora a variant) with a PIN key, the cryptogram is then decimalized and the first 4-5 digit extracted to obtain the so-called natural PIN.

2. The user then can change is PIN by using an offset: user PIN + offset = natural PIN.

3. Account number and offset are stored in the card.

4. The ATM knows the PIN key (wich is a shared key common to all the ATMs system of a certain bank) and when a card is inserted the ATM calculates the natural PIN from the account number. Then it verifies the PIN number: if user PIN = natural PIN + offset then SUCCESS

Copying credit cards in the US is trivial since you don't have chips in the cards.
I believe that the current attack in the US combines the aforementioned technology with a small camera mounted on the top of the ATM to capture a user's pin number.
It's even simplier, the crook usually stands in line behind the victin watching when the PIN is inserted. It's called should-surfing.

More sophisticated techniques are a hidden spy camera mounted on the top of the ATM (as you say) or even a fake PIN pad wich logs every button pressed. However the majority of attacks are usually performed trough social engineering.

Anyway to stole credit card information for forgery you need to retrieve the data stored in the card and the PIN. Skimming/Shimming is about the first part only, and the data obtained is useless without a valid PIN.

For this reason next generation ATM will avoid PIN insertion by using biometric technologies. Actually Japan an Poland are the first country in the world with biometric ATMs, for what I know.

Interesting, but how could collected data be retrieved? Could a wireless transmitter be built to fit on this 0.1mm card?
Perhaps the thieves return later to remove the shim and its data.
From my understanding of smart cards, I don't see how this is possible.

Communication between the card and the reader is typically done using encryption with a Diffie-Hellman key exchange with a man-in-the-middle resistant protocol. You would need to attack whatever encryption algorithm is being used, which is non-trivial even with physical access. You would need to either perform differential power analysis attack or a timing attack or attack a weakness in the algorithm.

Seeing as how one of the primary purposes of smart cards was to eliminate skimming and similar attacks, I can't fathom why any reader would ever be created that didn't support session encryption. Why use a chip if it's basically the same as a magnetic stripe? I'll plead ignorance on the workings of the European debit system as I'm Canadian and we're just getting smart cards now.

Does anyone have a better source than the linked article?

EDIT: Nevermind, apparently the security was broken a while ago:

http://www.cl.cam.ac.uk/research/security/banking/nopin/oakl...