50 comments

[ 3.8 ms ] story [ 102 ms ] thread
What I don't understand about this is... why don't ATMs just put a damn motorized door in front of the card reader slot, or alternatively stick out a tray that you put the card in. The door approach makes it so that the thief has very small time window in which to install the skimmer. The tray approach can make it so that a simple internal image of the empty tray can determine if anything is ever left on it which is out of whack.

Yes it costs a little bit more, but CD-ROM drives have been doing both of these approaches for ages, and it would make the installation of a skimmer reader much, much harder.

It costs more but it's also likely to break often and would be a liability. The tray could snap off or a finger could get stuck in it. How annoying would it be if the machine is constantly out of order?

A machine that deals with the general public on a scale of tens of millions has to be rock solid. People can behave really strangely (think drunk people) and all kinds of ridiculous outcomes can happen.

In NYC, there seem to be crews that scout out unmanned subway turnstiles, and in the event of a fairly lonely one (I'm looking at you, 116th St. stop on the Bronx-bound B/C), the vending machines (which are built like tanks) somehow inevitably fail to accept bills, coins, credit cards, or any kind of money at all, actually. And guess what; In these situations, if you're caught without a Metrocard, there's usually a helpful street urchin on site, ready to swipe you through the turnstile for a reasonable fee.

I'm not saying this is what will happen to a CD-ROM-style tray approach, I'm just trying to add some context to the idea. Machines exposed to enclosed, semi-public areas have to withstand a lot of deliberate, brutal sabotage, that'll make you scratch your head, and ask why on earth?

With that in mind, protruding parts and orifices generally don't fare well with machines subjected to the abuses of the general public. I think it'd probably cost more that a little bit extra...

I recently had a similar situation at the Gare du Nord station in Paris. We were trying to purchase tickets for the train when this guy comes along and forcefully takes over the machine saying it doesn't take credit cards (which we knew it did because we've used them before). He changed the language back to French and proceeded to buy the cheapest metro ticket available then asked us to give him cash based on the more expensive distance we actually wanted to go. Luckily, we didn't have any cash, he even offered to accept pounds or dollars! Eventually after skulking off we went back to the machine and worked it out. If we had taken his tickets we likely would have been picked up by one of the frequent ticket inspections and given a hefty fine.
Designing a skimmer-proof ATM is much like designing a squirrel-proof birdfeeder. It looks good on paper but you never know what these guys are going to do.

Even if there were a skim-proof ATM, they could probably get a retired machine on the cheap, program it to accept cards and pins and then print 'Sorry, this machine is out of operation. Please call 1-800-FAK-ENUM to notify a technician' and place it somewhere reasonable.

> Even if there were a skim-proof ATM, they could probably get a retired machine on the cheap, program it to accept cards and pins and then print 'Sorry, this machine is out of operation. Please call 1-800-FAK-ENUM to notify a technician' and place it somewhere reasonable.

It's been done. As has creating an entire fake facade and putting in front of the real ATM.

Adding any deterrent (more, better, larger, etc.) seems to me like a "chicken or the egg" game. ATMs get stronger security, scammers develop better methods to skim. Skimmers improve, ATMs get better security. It becomes a viscous circle of who can outwit the other for a longer time and prove more successful.

Personally, I am more interested in improving security via credit card chips or contactless payment (cards or phones). Chips alone would heavily improve security due to the inherent cost (hopefully) of cracking the chip's data.

Don't want to come over as a nitpicker, but the correct term here would probably be a 'cat-and-mouse game'.
Although "chicken and egg" is an excellent description for the process of getting chips deployed.
Yup, I agree. Had a brain-fart trying to think of the right term last night.
Too many moving parts that can break, pinch and mutilate. Plus, given previous attempts, it would only block crooks for a fairly small amount of time before they figured out how to counteract it. The best course of action here is to get rid of the sixty year old tech and finish moving to chip and pin, where there is no magstrip to skim.
At least in Orlando, the new Bank of America ATMs have a slot loading mechanism that takes your card in automatically (as in, you gently place the card in the slot and a motorized mechanism pulls it in).

I wasn't sure of the reasoning for this initially, but my assumption is that it makes it more difficult to skim. The actual 'swipe' in which the mag strip is read seems to occur inside the machine, so a skimmer would need to be mounted with the machine opened up.

Couldn't the skimmer be mounted externally and read the stripe as the motor pulls it in?
(comment deleted)
My understanding is that the motor pulls the card in using random speeds which vary as the card is getting sucked in (start sucking, slow, fast, slow, fast, etc, fully sucked in). The machine knows how to account for the variance, but the skimmer doesn't (in general skimmer's assume a constant swipe speed). You can kind of see it cause the machine does the same thing when spitting out your card. It would be more convenient to spit your card out fast like a transport ticket, but then your card could be skimmed on the way out.
If variable speed would prevent the reader from working, how do the manual swipe readers work?
Cards are usually swiped in a somewhat smooth motion. Even then, it's easy to fail the motion, and you often need to swipe again.

The anti-skimmer moves the card very fast in short bursts, so while it may seem just a bit jittery (averaged out), the skimmer will end skipping whole pieces of band or losing sync.

Maybe they could use small rubber rollers to detect velocity and sync appropriately, like in a mouse.

That does not deter skimmers in any measurable sense. Most of the ATMs in Europe pull your card in by motorized mechanism and still skimmers are occasionally found on them.
Better yet, if only the USA banks would finally get to this millennium and start using chip-and-pin cards. Then there would be no need for this nonsense. My European credit card still has a magnetic stripe just because I might go to USA. In this side of Atlantic Ocean many stores, bars, gas stations etc. have a card reader in which the card goes only a few centimeters in to read the chip.
They are going to chips now. (But not pin, so it's chip-and-signature. Not quite as secure, but still much better than a magnetic stripe.) I have two credit cards with chips already, and expect all of them to switch within a year as changes to fraud liability rules coming into effect late 2015 essentially force everything to change over.
> Better yet, if only the USA banks would finally get to this millennium and start using chip-and-pin cards. Then there would be no need for this nonsense.

What about a chip-and-pin card prevents a skimmer from either monitoring or emulating the radio conversation between the card and the terminal (and thus capturing the card number) and another keypad skimmer from capturing the PIN?

It seems to me that the problem is that everything required to conduct a transaction is handed to every merchant and/or untrusted machine of the merchant. (Compare to public key cryptography, where I remain in possession of a private key.) What about chip-and-pin changes that situation?

Chip and pin cards use public key cryptography. From my understanding, you would have to provide the PIN code to the device to first unlock it, and then you could verify the authenticity of the card by reading a public key, which identifies the card (and is used in transactions), and providing some nonce for it to sign for offline verification.

They also require the pin code to start the process, so you would have to skim that as well.

In addition to this, in the online scenario it can interact with the payment provider's servers to provide security.

The combination of these methods make rapid stealing of EMV cards difficult.

More info here: http://www.emvco.com/download_agreement.aspx?id=653

Can you actually read the public key from the card? A secure system should sign the transaction on the chip, so even a manipulated machine could not steal the card data.
Card's and issuer's public keys can be read from the chip, but these are not directly relevant to actual transaction signing.

Even if these keys was relevant, the important part is that they are public keys, not private keys. You cannot get card's private key from the chip by normal means (ie. without doing something that is classified as attack, be it side-channel, physical inspection or exploiting some firmware bug/backdoor).

It is slightly more complex than that. EMV is designed as to allow configurable methods of card holder verification and to be backward compatible with back-end systems. This means that PIN is not required to unlock card and even not mandatory for successful transaction. This is configurable and whether PIN is actually required depends on both card's and terminal's configuration and current state, this allows for things like small payments without PIN (which is how NFC cards usually work).

Because of backward compatibility, the transaction signature generated by the card has to fit into 8 BCD digits, which essentially precludes use of any kind of public key cryptography. Actual algorithm for how signatures are generated and verified is issuer defined and only card issuer can actually verify signatures (terminal just blindly trusts whatever was returned by card).

Public key cryptography (ie. RSA) is used in EMV to verify that card was really issued by claimed issuer (card contains data structure that is signed by issuer's key) and to optionally encrypt PIN sent to card for offline verification (PIN is somehow regarded as super-sensitive by banking industry)

One can certainly imagine better design than EMV (eg. without various implicit trust relationships), but in all, it is pretty reasonable mechanism nonetheless.

I don't know too much about the protocol used by these cards, but it would be easy to e.g. have a secret key on the chip, which signs the transaction (date and time, amount, location) if the right PIN is provided to it. Even listening in to all the communication between the card and the machine would not allow an attacker to make a bogus transaction.

Apart from that, making a skimmer that sits between the chip of the card and the contacts of the machine would be much harder to make than the current skimmers. So even if the chip would not sign the transaction but just provide static data if given the right PIN, the situation would be significantly improved.

This article has details about how cards using the EMV protocl work, and discusses a vulnerability that seems to have been exploited in the wild regarding predictability of a nonce (called the "unpredictable number", funny enough).

http://www.cl.cam.ac.uk/~sjm217/papers/oakland14chipandskim....

Chip and Skim: cloning EMV cards with the pre-play attack Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, Ross Anderson Computer Laboratory, University of Cambridge, UK

There is no radio conversation in the most typical setup. The payment terminal has electrical connection to the contact surfaces of the smart card. While eavesdropping this link might be possible as well, it must require a lot more sophisticated equipment than stripe skimming.

Wireless payment by NFC is also a possibility, but at least with my card, no payments bigger than 25€ can be done through NFC.

In the UK we have chip and pin but the ATM's do not use them, we get skimmed just the same. http://www.bbc.co.uk/news/uk-england-london-28879973
Afaik UK ATMs do use chip-and-pin -- the thiefs you referenced installed a pinhole camera in order to retrieve PINs.

I do agree that skimming exists over here as well, a friend of mine got his card cloned once. He'd used it with an ATM located in a very central and visible place, famous for night-time entertainment -- thiefs must have thought drunk people don't pay too much attention to this sort of thing, especially when they've been queuing for a while (which they typically have to, at this location).

Same in Italy and France, last I heard; places where banks are extremely fraud/security-conscious and continuously maintain their infrastructure to guard from these threats.

Yes, was walking passed UK bank as it opened the other day and the anti-pinhole camera protocol was being carried out. One of the staff went round all the ATMs sweeping his hand across all surfaces to check that there wasn't anything untoward.
Alternatively they could take the approach of some ATMs in Australia and let you authorise the payment from your phone (using the banks app), not requiring the card at all.
Because an ATM has to be proof against many things, not just skimmers!

For instance, there are jerks who would simply wreck them. In fact, the skimmers could simply wreck them until the non-asshole proof version was brought back and then happily continue to ply their trade.

It's like designing a vault, only it has to open up to total strangers who happen to have digital keys, and to complicate manners stuff has to go in as well as out and there is a whole bunch of user interface components strapped onto it.

Designing an ATM that satisfies all criteria is very much non-trivial and any 'why don't they 'x'' should be followed by a short period of thinking about what other boundary conditions need to be satisfied.

In Germany the part where you put in your card is made of green transparent plastic which is illuminated from the inside. Inbaddition if is shaped in a way which makes it really hard to add some skimming mechanism in there.
Couldn't they just avoid all this fuss if you insert your card horizontally?
Can't be done. They would have to change the arrows on all the cards... ;)
What do you mean?
Imagine giving the ATM a high-five.
I've been saying this for 10 years. Pull the card in horizontally instead of vertically and read it inside the machine. Skimming problem solved.

This presents a non-trivial UI problem. Users are conditioned to only insert cards a certain way. Changing that can be very confusing. I guarantee a large percentage of users will try putting their cards in the "normal" way and get confused when it doesn't work.

One of the more interesting ways of protecting ATMs that I've seen in the Bay Area is that (this applies more to bank branches) instead of ATMs being built into a wall and facing the outside, like they normally do, you need to swipe your ATM card to be allowed access to the room that the ATMs are located in.
That is usually just done to keep homeless people from using the ATM vestibule as a makeshift shelter. Almost any basic magstripe card will unlock the door to the ATM, it's not a level of fraud prevention.
That's not new or interesting. Many banks do this. The reader at the door doesn't check the card at all, you can use any mag stripe card to get in. Many don't even check the mag stripe. They just have a physical switch that's activated when the card presses against it.
So what's the best way to inspect the ATM before use?
Just put a smart card chip and the pin code entering mechanism on the card (or authentication token. It doesn't necessarily need to be a "card"). This way you don't have to trust the ATMs. (Or any other device you don't control. How many times do you buy stuff using your credit card?)
Commonwealth Bank in Australia does something like that. They have a feature in their iOS/Android app that lets you withdraw cash without a card. It generates a code on the phone and also sends you a 4 digit code via sms. Then you enter both codes to their nearest atm. Good for when you've forgotten your card or the atm looks dodhy.
You mean like rest of civilized world for the last >10 years? Whats next? NFC? free direct money transfers? you sound crazy