>As far as anyone knows, there has never been a gas attack on an American ATM. The leading theory points to the country’s primitive ATM cards. Along with Mongolia, Papua New Guinea, and not many other countries, the U.S. doesn’t require its plastic to contain an encryption chip, so stealing cards remains an effective, nonviolent way to get at the cash in an ATM.
Would this really be the reason why there hasn't been a gas attack in the US? Even if a criminal stole an ATM card they would still need a PIN. How does a criminal get the PIN? Especially in a non-violent manner?
Based on what I've read in e.g. Krebs On Security, one scheme is to add hardware to an ATM that reads the magstripe data and photographs the person tapping out their PIN. I'm glad to say that even before I read of this my general paranoia had me covering that process up ^_^.
Since our cards only have magstripes---heck, it wouldn't even matter if their data was encrypted since this is a playback attack that needs something like a challenge-response protocol a chip in a pin could implement---you just write that data to other cards and have people go to ATMs and make withdrawals with the fake cards and captured PINs.
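The replay argument above, as an added example that is not part of the original comment: a simplified model (not EMV itself) in which copied static stripe data plus a PIN authorizes again, while a chip that answers a fresh issuer challenge with an HMAC yields a response that is useless a second time. The track data, PIN, key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; this is a toy model, not the EMV protocol.
TRACK = b"4000000000000002=2912"      # static magstripe data (made up)
PIN = b"4821"
CARD_KEY = secrets.token_bytes(32)    # secret shared by the chip and the issuer


def magstripe_authorize(track: bytes, pin: bytes) -> bool:
    """Stripe check: both inputs are static, so any copy of them passes."""
    return hmac.compare_digest(track, TRACK) and hmac.compare_digest(pin, PIN)


def mac(key: bytes, nonce: bytes, amount: int) -> bytes:
    """Response bound to this challenge and this amount."""
    return hmac.new(key, nonce + amount.to_bytes(8, "big"), hashlib.sha256).digest()


class Issuer:
    """Hands out a fresh challenge per transaction and accepts it only once."""

    def __init__(self, key: bytes):
        self._key = key
        self._open = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def verify(self, nonce: bytes, amount: int, response: bytes) -> bool:
        if nonce not in self._open:
            return False                      # unknown or already used challenge
        self._open.discard(nonce)
        return hmac.compare_digest(mac(self._key, nonce, amount), response)


def demo():
    # Stripe: what a reader and camera record is everything the check needs.
    stripe_replay = magstripe_authorize(TRACK, PIN)
    # Chip: the genuine card answers challenge n1; an observer records (n1, r1).
    issuer = Issuer(CARD_KEY)
    n1 = issuer.challenge()
    r1 = mac(CARD_KEY, n1, 100)
    genuine = issuer.verify(n1, 100, r1)
    replay_new = issuer.verify(issuer.challenge(), 100, r1)  # fresh challenge
    replay_old = issuer.verify(n1, 100, r1)                  # spent challenge
    return stripe_replay, genuine, replay_new, replay_old
```

`demo()` returns `(True, True, False, False)`: the copied stripe data passes, the genuine chip response passes once, and the recorded response fails against both a new and the spent challenge.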
Ah, yeah, for withdrawals from my major bank, I only use an ATM that's in a retail establishment that's open 24x7. Compromise of it is unlikely when there are so many others that are much much safer.
Well, this is one right outside a branch of its bank, all is part of the retail establishment.
Although I'd agree with something related to your point, an ATM that's part of a bank like mine or the ones you try to use are observed by bank personnel, who you can hope will be a bit more suspicious of any physical changes to it.
What I've noticed is American thieves seem to use a brute force approach when they want to empty an ATM. Truck, forklift, crowbar and sledge; that sort of thing. But just like the rest of industry, crime has innovations and adopts new technologies and ideas. This might well be such an adoption.
>What I've noticed is American thieves seem to use a brute force approach
I think it is important that in the US people with mid-education/IQ/life skills/from working class family/etc. have much more opportunities and thus the path of traditional crime (like robberies, etc.) is much less appealing.
I look forward to the day the whole concept of getting pieces of paper from a machine in a wall is looked upon as a vaguely amusing aspect of the past.
Ah, so you're the one fumbling with a credit card and holding everyone up at the bar when I want to get a round in.
Personally I like having access to cash; it reduces the attack surface for me when compared to handing over my card for every transaction, and DON'T! get me started on NFC credit cards that can be debited with NO interaction.
> Ah, so you're the one fumbling with a credit card and holding everyone up at the bar when I want to get a round in.
Here in Canada I just tap my card on the machine and walk away - much, much faster than trying to count out the right amount of cash, then waiting for change, etc.
> and DON'T! get me started on NFC credit cards that can be debited with NO interaction
Let me guess, you also didn't like when it was possible to make CC payments over the phone with no signature (!)
And you also didn't like when it was possible to make CC payments over the web with no signature AND no actual human (!!!!!!)
It's a risk, but you can fix it on the backend, away from the end-user. If they were bitcoins then sure you need interaction for NFC. But credit cards are a closed system on the merchant side, any new identity pulling only NFC traffic would be very suspicious. NFC would always be an expected proportion of overall captures. So it's simple to defend against this attack without killing the feature.
3SI, a company which produces other bank security devices (e.g., exploding dye packs) claims to have methods to neutralize the explosive gasses in these attacks:
I'd be very curious to know if/how this works. So far I haven't been able to turn up patents or any technical details.
The Bloomberg article mentioned that no US ATM has been attacked in this way. Must be tough to be a US-based company trying to sell a product to defend against attacks that aren't common here.
If it was me, I'd buy off-the-shelf explosive gas detectors (which already commonly exist) and when they went off instead of sounding an alarm I'd release nitrogen or argon gas. Both are inert or inert for all intents and purposes (as with nitrogen).
Inert gases are already used in fire suppression systems. Even if the flammable gas was still flammable when mixed with our almost inert gases, it would still likely slow down the burn and reduce pressure within the ATM/cash point.
However there is likely a realistic limit on how much gas you'd store in the ATM, so they could trick the system into pre-firing, wait a few minutes, and then try again. So you'd likely want to set off the building's alarms to stop such an attack vector (even assuming a 10 minute police response, they likely cannot try the attack twice).
I was thinking along those lines too. A 46" high nitrogen tank holds around 125 cubic feet. As a wild guess, if an ATM contains 5 cubic feet of air then you could completely change the air 25 times with one tank. Does that sound reasonable?
You don't really need to stop the explosion so much as make it not worth the thieves' while. Just spray the money with indelible dye as soon as you detect the gas. You may lose a few ATMs this way, but the thieves will pretty rapidly give up on those from any bank that widely deploys such a device.
Wouldn't a simple solution simply be a vent? Constantly vent out all the air in the machine. Seems a lot more effective than trying to build bomb proof hardware...
How about just using a fan? Make the whole machine positive pressure and I don't think you could get enough mix into the chamber for long enough to get a blast.
Something that would hit all of these fuel-air explosive mixtures would be an oxygen scavenger, which would also likely make the electrical and mechanical stuff inside the machine happier.
Not sure how practical that would be. Another scheme would be one or more sensors detecting an attack triggering the release of a lot of CO2 to keep the fuel-oxygen mixture in the machine at a minimum.
One defence could be to detect the gasses and to stain the cash with exploding dye packs, so if the thieves destroy the ATM and grab the money it is permanently marked and traceable back to them.
Yeah, there's even this: "In Wirral, one team paused moments before attacking the ATM when an oblivious citizen walked up. They hid as he made a transaction and departed." Terrorists would have hurt the guy to, well, incite terror. More hardened criminals might have killed him just to avoid "loose ends." These guys sound downright friendly, by comparison.
These criminals weren't too smart. To begin with, the risk/reward ratio on an attack like that is pretty high. Repeated attacks in the same physical area, even worse. Using people already known to police? Not so smart. And the icing on the cake: involving lots of people!
Very interesting read, what's even more interesting to me is that the place this article focused on is only around 10/15 minutes from where I live and I had absolutely no idea this had ever happened!
Also I'm really liking the use of different media that decorates/enhances the article, whether it be the animated GIFs of footage, or interactive timelines etc.
Was nice to see the credits at the end there too, with the developers and designers getting a shout out for their contribution in putting the piece together.