Would you have spotted the fraud? (krebsonsecurity.com)
118 points by ax0n on Jan 18, 2010 | 55 comments



Given how entrenched the ATM card standards are, it will be hard to make fundamental changes to improve security. If one could replace all ATMs in existence, one obvious solution is to issue RNG cards. Perhaps, to make them easy to use, the challenge/response could be electronic à la the "Java Ring" technologies (from TI) advocated by Sun a decade ago.

What could be done given that the fundamental use of an ATM machine (put in card, type in PIN) can't be changed overnight?

On machines capable of displaying pictures, users could be shown what the insertion slot ought to look like so they could compare.

A shroud could be placed over the keypad to reduce the viewing angles available to a pinhole camera.

Could smart phones be used to provide a "have something" security model? Let's say you paid $0.25 less per ATM transaction if you used your bank's iPhone app to generate a unique pin for every visit.

What else could be done simply?


> What else could be done simply?

A simple thing that is actually being done: ATMs pulling in the card with a randomly changing speed. This makes it very hard for the skimmer to get a reliable reading. The actual reading by the ATM is done during the second phase, inside the ATM.


That's something companies like JPMC and Citi are doing. But there are tens of thousands of crappy Tranax deli-style ATMs out there that aren't going to change.


Interesting, I called my bank about this annoying "feature" and was told it is for security reasons, but never understood why (and they were unwilling or unable to inform me). Enlightening. This functionality is very common in Australia, at least in Sydney.


Perhaps the in-store machines are safer because it would be harder to install and later retrieve the skimmer? Or, maybe an insider allows the skimmer to be installed? Aren't many small, retail ATMs owner-serviced, so no one with an incentive to audit would ever check it out?


Oh is that what it is? I have been wondering why my local Wells Fargo ATM was taking the card in in such a jerky fashion.


That's a good idea. But I guess it's only a matter of time (and feasibility) before they add an optical sensor to pick up the card speed. Or more low-tech: a rubber wheel.


Why does that make it harder? It's a row of bits sliding by, right? Why does the speed matter? (I'm not saying you're wrong, I'm just wondering why it would help?)


The bits don't have "start of bit" nor "end of bit" marks. The only way the reader can know which impulse constitutes a bit is by timing.


There are a lot of credit card machines where the purchaser swipes the card themselves. Since the speed that people swipe is going to be variable, it can't be too hard to read a card without knowing the speed. (Like, say, putting 10101010 at the beginning, which you could use for calibration.) So I'm not sure how a random speed helps things. Maybe ATM bits aren't encoded like credit cards?


"Since the speed that people swipe is going to be variable, it can't be too hard to read a card without knowing the speed."

The speed just has to be fairly constant within a single swipe; then you can adjust for it. It usually is when humans do that: the human hand has quite a lot of inertia.

The security feature on ATMs makes it vary wildly within a single swipe.
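The exchange above turns on how F2F (Aiken biphase) magstripe timing works: a bit cell is delimited only by flux transitions, so a reader has to recover bits from the intervals between them. The following is an added example, not code from the thread or any commenter. It simulates a swipe as a list of transition timestamps and decodes it with the constant-speed, preamble-calibrated approach one commenter proposed, first at a steady speed and then with the cell durations changing wildly after calibration, which is the behaviour the jerky ATM feed produces. The preamble length, payload and cell durations are all constructed.

```python
# Added example (not from the thread): models F2F magstripe timing so the
# "random card speed" countermeasure discussed above can be reasoned about.
# Constructed data throughout; real track layouts and readers differ.

PREAMBLE = [0] * 8   # constructed clocking run of zeros used for calibration


def f2f_transitions(bits, cell_durations):
    """Flux-transition timestamps for an F2F (Aiken biphase) bit stream.

    Every bit cell starts with a transition; a 1 bit adds a second transition
    half-way through its cell, a 0 bit does not. Nothing marks where a bit
    begins or ends, so a reader can only recover the bits from the timing.
    """
    times = [0.0]
    t = 0.0
    for bit, cell in zip(bits, cell_durations):
        if bit:
            times.append(t + cell / 2)
        t += cell
        times.append(t)
    return times


def decode_fixed_clock(times, preamble_len=len(PREAMBLE)):
    """Decode assuming one speed for the whole swipe.

    The cell duration is calibrated from the known preamble (the approach
    suggested in the thread) and then held constant: an interval shorter than
    three quarters of a cell is taken as the first half of a 1 bit.
    """
    intervals = [b - a for a, b in zip(times, times[1:])]
    cell = sum(intervals[:preamble_len]) / preamble_len
    bits, i = [], preamble_len
    while i < len(intervals):
        if intervals[i] < 0.75 * cell:
            bits.append(1)
            i += 2            # a 1 bit occupies two half-cell intervals
        else:
            bits.append(0)
            i += 1
    return bits


PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed 8-bit payload


def steady_swipe():
    """Hand swipe: every cell takes one time unit, so calibration holds."""
    cells = [1.0] * (len(PREAMBLE) + len(PAYLOAD))
    return decode_fixed_clock(f2f_transitions(PREAMBLE + PAYLOAD, cells))


def jittered_swipe():
    """ATM-style feed: the card speed changes wildly after calibration."""
    cells = [1.0] * len(PREAMBLE) + [2.0, 1.0, 0.5, 2.0, 0.5, 1.0, 2.0, 0.5]
    return decode_fixed_clock(f2f_transitions(PREAMBLE + PAYLOAD, cells))


if __name__ == "__main__":
    print("steady  :", steady_swipe())    # recovers PAYLOAD
    print("jittered:", jittered_swipe())  # wrong bits and wrong length
```

At a steady speed the calibrated decoder recovers the payload exactly; once the cell durations vary by a factor of four around the calibrated value, half-cells of a 1 get read as whole 0 cells and short 0 cells get read as 1s, so the output is a different bit string of a different length. The ATM itself is unaffected because, as the thread notes, it performs its own read in a second pass at a speed it controls.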


There is a very simple solution: pass a law that automatically absolves customers of any fraud, and places burden of proof on the banks. Transactions reported fraudulent should be automatically reversed, unless the bank can provide proof (satisfying the standards expected in civil courts) that the customer was at fault.

As an example, this was largely the case with transactions not involving PINs (signed-for purchases). Recent introduction of EMV (chip-and-pin cards) was really done to shift responsibility for such transactions back onto the customers and reduce banks' losses.

This is also the case with stolen cards (in the UK and Ireland, at least): losses related to such cases are covered by the bank, even for losses occurring before the card was reported stolen. This is the reason banks implement various pattern-matching techniques to try and detect such transactions as soon as possible.


In Europe, they could do away with the magnetic strip on cash cards. All terminals from recent years support the smartcard interface to the chip on the card. Presumably they keep the strip around for when you visit a country that doesn't use the smart card interface, so they can charge you an arm and a leg for exchanging currencies. And that recent case in Germany where the chips didn't support the year 2010, so you could only withdraw cash when you masked the interface with tape.

The smartcard mechanism hopefully uses some challenge-response setup that makes it impossible to read out by scammers. (aside from the difficulty of interfacing with the chip during the split second it's in the right position)


Doesn't the ATM offer a unique challenge each time? Would it matter if the skimmer knew what challenge had been made and what the answer was?


I don't know exactly how it's implemented (tptacek and cperciva would probably have a field day with it) but I think the idea is to prevent exactly such replay attacks by generating the challenge on the bank's central servers.
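The question two comments up, whether it matters if a skimmer sees both the challenge and the answer, is what a challenge-response protocol is designed to make irrelevant. The block below is an added example, not code from the thread and a deliberate simplification of any real EMV flow: the issuer host generates a fresh random challenge for every transaction, the chip answers with a MAC over that challenge and the amount using a key only it and the issuer share, and the host accepts each challenge at most once. The card id, key and amounts are constructed; `IssuerHost` and `card_respond` are names chosen here, not any standard's API.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread, and a simplification of any real EMV
# flow): the issuer host generates a fresh random challenge per transaction,
# the card answers with a MAC over that challenge and the amount, and the
# host accepts each challenge at most once. Keys and amounts are constructed.


def card_respond(card_key, challenge, amount_cents):
    """What the chip computes: a MAC binding the challenge to the transaction."""
    message = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(card_key, message, hashlib.sha256).digest()


class IssuerHost:
    def __init__(self, card_keys):
        self.card_keys = card_keys     # card id -> key shared with that chip
        self.pending = {}              # card id -> challenge awaiting a response

    def issue_challenge(self, card_id):
        challenge = secrets.token_bytes(8)   # unpredictable, never reused
        self.pending[card_id] = challenge
        return challenge

    def verify(self, card_id, challenge, amount_cents, response):
        expected_challenge = self.pending.pop(card_id, None)
        if expected_challenge is None or not hmac.compare_digest(challenge, expected_challenge):
            return False   # never issued, already consumed, or a replay
        expected = card_respond(self.card_keys[card_id], challenge, amount_cents)
        return hmac.compare_digest(response, expected)


def run_scenario():
    card_id = "card-0001"                       # constructed
    card_key = b"constructed card key 0001"     # constructed, shared chip/issuer key
    host = IssuerHost({card_id: card_key})

    # 1. genuine withdrawal: fresh challenge, honest response from the chip
    chal = host.issue_challenge(card_id)
    resp = card_respond(card_key, chal, 4000)
    genuine = host.verify(card_id, chal, 4000, resp)

    # 2. someone who recorded (chal, resp) at the slot replays them verbatim:
    #    the challenge has already been consumed
    replay = host.verify(card_id, chal, 4000, resp)

    # 3. a new challenge is issued, but only the old response is available:
    #    the MAC was computed over a different challenge
    chal2 = host.issue_challenge(card_id)
    reuse_old = host.verify(card_id, chal2, 4000, resp)

    # 4. a valid response to the current challenge, but for a different amount
    chal3 = host.issue_challenge(card_id)
    resp3 = card_respond(card_key, chal3, 4000)
    tampered = host.verify(card_id, chal3, 9000, resp3)

    return {"genuine": genuine, "replay": replay,
            "reuse_old": reuse_old, "tampered": tampered}


if __name__ == "__main__":
    print(run_scenario())   # only "genuine" is True
```

Seeing a challenge and its answer gives an observer nothing reusable: the answer is only valid for that one challenge, the host retires the challenge as soon as it is answered, and the amount is bound into the MAC so the response cannot be redirected to a different transaction. What is not modelled here is anything the chip does during the "split second" of physical contact mentioned above.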


Hm, should I glue a strip of tinfoil on the magnetic strip? Or what would be a good way to disable it?


A magnetic card writer should definitely do the trick...


True, but then I would lose the option to use it at the few places where they don't understand the chip yet. Might be the better choice, though.

Thinking a bit further, perhaps it would be possible to create some fake information on the magnet stripe that would identify anybody who uses it as a thief?


Yeah, I'm not seriously recommending you reprogram your bank card... Maybe you could strap an alternative magnetic strip to the card, which you'd only take off if you really need the real strip.


Magstripe skimmers are a solved problem here in Europe; we moved on to chip and pin (EMV technology) nearly a decade ago specifically because of this kind of attack (and, in the case of the UK, because of this: http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/ ).

There are concerns over the cryptographic integrity of PIN codes in some chip and pin implementations, but it's a much harder target for ATM skimmers, which is why organized criminals have switched to tampering with retail EPOS terminals instead. And the threshold for that is a lot higher, too. (http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173...) Overall, the level of card crime in the UK seems to have diminished significantly since the switchover, although the general rule applies: if you build a better safe, you'll attract a better class of safe-cracker.


> Could smart phones be used to provide a "have something" security model?

Could an OTP generator like RSA SecurID do the trick? Let's say you enter two memorized numbers and then the last two numbers on the fob to make the four digit PIN (you would not want the whole PIN to be on the fob). Bonus: you need to use it for web logon as well.

Some customers will pay extra for such services. Potentially avoiding hassles like ATM fraud and identity theft in the first place is worth a small fee per month to me because of the massive timesuck that could take place if they happened.
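The scheme proposed in this comment, two memorized digits plus the last two digits of a fob code, can be made concrete. The block below is an added example, not code from the thread or any vendor: a counter-based one-time password (RFC 4226 HOTP) stands in for the fob, the four-digit PIN is formed as the commenter describes, and the bank side recomputes the fob half for the current counter plus a small look-ahead window. The key is the RFC 4226 test key, the memorized digits and window size are constructed, and `PinVerifier` and `expected_pin` are names chosen here. A time-based fob would substitute the time step for the counter.

```python
import hashlib
import hmac

# Added example, not from the thread: RFC 4226 HOTP stands in for the fob and
# the four-digit PIN is two memorized digits followed by the last two digits of
# the current OTP, so the fob alone never holds the whole PIN. The key is the
# RFC 4226 test key; the memorized digits and window are constructed.


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_pin(memorized, secret, counter):
    """Two memorized digits followed by the last two digits of the OTP."""
    return memorized + hotp(secret, counter)[-2:]


class PinVerifier:
    """Bank-side check: the memorized half is fixed, the fob half is recomputed
    for the current counter and a small look-ahead window (to tolerate fob
    presses that never reached the bank). A matched counter is consumed so the
    same OTP cannot be accepted twice."""

    def __init__(self, memorized, secret, counter=0, window=3):
        self.memorized = memorized
        self.secret = secret
        self.counter = counter
        self.window = window

    def verify(self, entered):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(entered, expected_pin(self.memorized, self.secret, c)):
                self.counter = c + 1     # never accept the same OTP twice
                return True
        return False


RFC4226_KEY = b"12345678901234567890"   # the RFC 4226 test vector key

if __name__ == "__main__":
    v = PinVerifier("47", RFC4226_KEY)
    for counter in range(3):
        print(counter, hotp(RFC4226_KEY, counter), expected_pin("47", RFC4226_KEY, counter))
    print(v.verify("4724"), v.verify("4724"))   # True, then False (replayed)
```

Only two digits of the PIN change per use, so an observer of one keypad entry still learns the memorized half; the trade-off the commenter makes is that the fob alone is useless without those two digits, and a recorded PIN is useless after the counter moves on.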


Simple answer: almost certainly not. That article inspired me to audit the last few months of my checking account. Scary.


Another thought... When someone steals account information using such methods, it is unlikely the ATM owner/operator who is responsible for losses. After all, it would be really hard to prove conclusively that it was the fault of a particular ATM's lack of security that led to future thefts. Perhaps strong correlation could be shown, but the legal costs associated with reimbursement likely outweigh the efforts, at least in the short term.

Do ATM owners have any incentive to prevent thefts? I suppose those who process mostly the transactions of their own customers (BoA in SF, etc.) have the greatest incentive as the problem is their own.


I was just a victim of ATM fraud (presumably by skimmer) and according to the detective who handled the police report, there is almost no cooperation from banks and card providers. It is not in their interest that you know how much fraud there is out there. I have heard figures of over 8-10% in the US. That's a lot of overhead to be passing onto the consumer.


8-10% of what?


Total transaction value of all ATM/credit card usage. Lots of money.


How hard was it to convince your bank that you hadn't withdrawn lots of cash?


Very simple, actually. They didn't even require a police report but I filed one anyway. The detective even sent me a picture of the suspect because they had the location and exact time of day. That's probably the end of it, though.


I'm always terribly suspicious of ATMs--especially those off-brand ones that pop up in random establishments that don't take debit cards nowadays. I understand some businesses just don't want to pay the fees behind accepting debit cards, but I'm increasingly becoming of the ilk where if you don't accept debit/credit I'm not shopping with you. Sure, you have folks that will handle your card and still do nefarious things with it, but at least you're not walking up to a machine prone to this kind of thing.

And for the first skimmer, I'd be suspicious of why they had to put a diagram to show you how to use what should be a universally understood sort of thing now. Slot? Card. The others, no, I wouldn't have caught those. :\


> I'd be suspicious of why they had to put a diagram to show you how to use what should be a universally understood sort of thing now.

Clearly you've never seen someone in a self-checkout aisle trying oh so hard to scan their discount card through the magnetic reader when the video on the POS is telling you to swipe it. Or vice versa.

There will always be someone too dumb to use something.


You mean the same diagram used on virtually every gas station pump I've ever used?


The 'diagram' was a plastic plaque designed to contain/hide the electronics responsible for storing the skimmed data.


I know. But, anyone should be suspicious of why that's even needed.


I think a slot for a credit/debit card isn't terribly intuitive, especially if the reader only accepts one orientation of the magnetic stripe, in which case a diagram is almost necessary.

There are readers that have asymmetric widths on the entry mechanism (strangely worded, but looks like [1]). This is an extremely subtle hint regarding the orientation (magnetic stripe goes with the wider part), that I would imagine the majority of people don't pick up on.

You might also look at this article [2] to see that legitimate ATMs do offer diagrams indicating the proper orientation of a magnetic stripe card.

[1] http://consumerist.com/images/31/2009/04/041909-008-shell-le...
[2] http://consumerist.com/2009/04/heres-what-a-card-skimmer-loo...


I'm curious about the video monitoring on the machines that have been tampered with. What do these security cameras normally see? Do the perps block the camera so it can't see them installing their hardware? If so, couldn't some program be written to determine that the image of a person is abnormal (measure the amount of "whitespace" around a subject) and trigger some sort of real-time alarm?


Most recorders only record about 24 hours of video before they recycle. The really robust ones can keep about a week at once, but that's it. They're designed to help the banks out when you call and say that you just got held up--not a month later when police finally realize that a given ATM is ripping someone off. (In fact, early ATMs with cameras took a still photo, and only then while you withdrew cash--totally useless in this scenario.)


I don't think most of the video cameras on ATM machines are actually pointed at the machine; they're designed to capture the user's face.

I would imagine that gluing a piece of plastic onto an ATM can look just like a regular transaction - person walks up, looks at the screen while their hands are doing something below.


It likely would be difficult to do a transaction and modify the ATM at the same time, however.


I wonder if the cameras are proactively monitor-able or if they exist for after-the-fact, reactive evidence in the case of a mugging. Obviously, ATM owners could upgrade to better systems though. Perhaps images with suspicious light levels over time could be shown to a human for assessment.


It depends how well glued solid it is.

Ever since I read about these a few years ago I got into the habit of pushing and trying to move around parts of the ATM, like windows, the card reader, brochure boxes, etc to see if they can come off.

Also, inspect by touch for out-of-view places where a camera or stray wire could hide: under a display sign or brochure box, or on the upper part of the keypad, where it might be hidden from view.

Also, use your other hand to cover your fingers when entering your PIN.


I wonder if there's a risk that some random bank security reviewer would consider this to be tampering.


I do the same thing, people look at me like I'm crazy.


I've started to pull and wiggle the card slot a bit before sticking the card in. From these photos, I have the impression these skimming devices should be a little 'looser' than the regular thing. However, it may be completely useless.

My second countermeasure is screening the number pad with my hand while entering my PIN. They can probably make out the PIN from hand movements, but I'm hoping it'll be too much trouble for them and they will just move on to the next, easier, target.


I've mastered the ability to type my PIN with three fingers all hitting different buttons each time (but only one, and it differs for each number, actually hitting it hard enough to register). With the right recording and enough time I doubt it would stop a truly committed thief, but it makes me feel safer.

If they crack that, the $20 I keep in my ATM account to prevent over-drawn fees are all theirs.


I also wiggle the slot and tend to use my entire body to cover the key pad when I type in my PIN. I do so because I have friends who were skimmed and it has made me paranoid.


I'm a wiggler as well.


My bank (ANZ) has new ATMs with prominent, translucent green housings around the card slot that flash when the card is inserted or removed. It's a very distinctive design, and one that I feel must have been crafted specifically to mitigate these kinds of attacks.


I've noticed some newer ATMs around these parts started doing that as well. However, it is of absolutely no use without associated customer education. The machines don't even say "here is what the slot should look like, please check it before entering your PIN." There were even reports of people calling the police thinking this security feature was a skimming device, since it looks so out of place and different from what's usually on the machines.


Here's a video that shows how easy it is for people to set these up.

http://www.wimp.com/cashscam/


There is actually a very simple solution that a bank could use to mitigate this issue: just send an SMS every time there is an ATM withdrawal.

I believe the bank I've just moved to (http://www.kotak.com/) does do this. It sends me an SMS for every transaction done so far (I haven't used the ATM yet).


That scared the shit out of me, because I'm a Citibank customer, and I live in Woodland Hills. In fact, I just noticed that they just put a giant opaque enclosure around their ATMs for privacy recently, wonder if this is why.

OC, luckily, I never actually use the Citi ATMs, thank god.


Well, Windows laptops have fingerprint scanners to log you in these days. So a fingerprint scan and PIN ought to be enough?


Revocation would suck though. And I understand you leave your fingerprints everywhere you go, so it would probably be "easy" to steal.


Damn... time to change my PIN.


In Brazil almost all ATMs have negative inserts instead of positive ones.

http://tadificil.files.wordpress.com/2007/05/caixa.jpg

Instead of raising the sides, they usually have an insert in the middle for your fingers.

Even though the raised ones are starting to pop up.



