[HN Gopher] Crazy Thin 'Deep Insert' ATM Skimmers
___________________________________________________________________
Crazy Thin 'Deep Insert' ATM Skimmers
Author : todsacerdoti
Score : 102 points
Date : 2022-09-14 21:56 UTC (1 hour ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| divbzero wrote:
| I like how this old-fashioned security measure still applies:
|
| _Lastly but most importantly, covering the PIN pad with your
| hand defeats one key component of most skimmer scams: The spy
| camera that thieves typically hide somewhere on or near the
| compromised ATM to capture customers entering their PINs._
| skunkworker wrote:
| I'm still a little surprised I can't easily get chip-only credit
| cards that have no magnetic strip on the rear, but rather have a
| backup card that has a strip, and use chip/tap for everything
| else.
| Scoundreller wrote:
| Could always cut out the chip and place it on another recipient
| card. Nobody looks at the card for chip+pin transactions, but
| you'll lose "tap" payment ability.
|
| I suppose you could get an "associate card" and destructively
| disable the chip and magstripe to accomplish your goal.
| [deleted]
| mwint wrote:
| Would a good rubbing with a rare earth magnet clear the
| magstripe?
| btown wrote:
| I've always wondered about how modern contactless methods are
| more resistant to skimming. Couldn't someone compromise two
| machines and essentially MITM the NFC communications, intercepting
| the card's response from the first machine, and replaying it
| against another remote machine, along with the PIN recorded from
| a camera? Though I suppose the ATM company could combat this by
| encoding the machine's ID or a nonce with the message that the
| card's smart chip responds to, so it only works when replayed on
| that first machine - is this what happens in practice?
| kaladin-jasnah wrote:
| From my understanding you can't really skim these cards as the
| cards sign some piece of data using a private key stored only
| on the card that never gets exposed in the transaction. I might
| be _totally_ wrong though.
| woodruffw wrote:
| > Though I suppose the ATM company could combat this by
| encoding the machine's ID or a nonce with the message that the
| card's smart chip responds to, so it only works when replayed
| on that first machine - is this what happens in practice?
|
| Yes, more or less. The chip and contactless flows defined by
| EMV both require the card to generate a nonce for the
| transaction. The terminal also generates its own nonce[1].
|
| [1]: https://www.cs.ru.nl/E.Poll/papers/EMVtechreport.pdf
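The nonce-binding woodruffw describes, and the card-held secret kaladin-jasnah mentions, can be modelled in a few dozen lines. The following is an added example, not code from the thread or from the linked EMV report: a toy Python model in which the card MACs the terminal's random challenge together with its own transaction counter, and the issuer checks both. HMAC-SHA256 stands in for EMV's 3DES/AES-based application cryptogram, and the key value, field widths and the `Card`/`Terminal`/`Issuer`/`run_scenarios` names are all constructed for illustration.

```python
"""Toy model of EMV-style challenge-response: why a captured chip response
cannot be reused at another terminal or a second time at the same one.

Simplifications (assumptions, not the EMV spec): HMAC-SHA256 replaces the
3DES/AES CBC-MAC used for the real Application Cryptogram, and a single
shared key replaces issuer master-key derivation. The structure is the
point: the terminal nonce and the card counter are both inside the MAC.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed per-card key, known to the card and the issuer only.
# It never leaves the chip in a transaction; only MACs computed with it do.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def cryptogram(key: bytes, atc: int, terminal_nonce: bytes, amount_cents: int) -> bytes:
    """MAC over (card counter, terminal nonce, amount).

    The terminal nonce ties the response to one challenge from one terminal;
    the counter lets the issuer recognise a response it has already accepted.
    """
    msg = atc.to_bytes(2, "big") + terminal_nonce + amount_cents.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    key: bytes
    atc: int = 0  # Application Transaction Counter, +1 per transaction

    def respond(self, terminal_nonce: bytes, amount_cents: int) -> dict:
        self.atc += 1
        return {
            "atc": self.atc,
            "amount": amount_cents,
            "cryptogram": cryptogram(self.key, self.atc, terminal_nonce, amount_cents),
        }


@dataclass
class Terminal:
    name: str
    nonce: bytes = b""

    def challenge(self) -> bytes:
        # EMV calls this the Unpredictable Number: fresh random bytes per transaction.
        self.nonce = os.urandom(4)
        return self.nonce


@dataclass
class Issuer:
    key: bytes
    last_atc: int = 0  # highest counter value accepted so far for this card

    def verify(self, terminal_nonce: bytes, response: dict) -> tuple[bool, str]:
        expected = cryptogram(self.key, response["atc"], terminal_nonce, response["amount"])
        if not hmac.compare_digest(expected, response["cryptogram"]):
            return False, "cryptogram does not match this terminal's nonce/amount"
        if response["atc"] <= self.last_atc:
            return False, "counter not fresh: response already seen"
        self.last_atc = response["atc"]
        return True, "approved"


def run_scenarios() -> dict:
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    atm_a, atm_b = Terminal("ATM-A"), Terminal("ATM-B")
    amount = 20_000  # constructed amount, in cents

    # 1. Legitimate transaction: ATM-A challenges, the card answers, issuer approves.
    nonce_a = atm_a.challenge()
    resp = card.respond(nonce_a, amount)
    legit, _ = issuer.verify(nonce_a, resp)

    # 2. The captured response presented to ATM-B fails: ATM-B issued its own
    #    nonce, so a MAC computed over ATM-A's nonce cannot match.
    nonce_b = atm_b.challenge()
    relayed, why_relayed = issuer.verify(nonce_b, resp)

    # 3. Re-submitting the identical (nonce, response) pair also fails: the
    #    issuer has already consumed that counter value.
    resubmitted, why_resubmitted = issuer.verify(nonce_a, resp)

    # 4. A fresh transaction with the real card still works: counter advanced.
    nonce_a2 = atm_a.challenge()
    fresh, _ = issuer.verify(nonce_a2, card.respond(nonce_a2, amount))

    return {
        "legitimate": legit,
        "relayed_to_other_terminal": relayed,
        "relay_reason": why_relayed,
        "resubmitted_same_terminal": resubmitted,
        "resubmit_reason": why_resubmitted,
        "fresh_after_replay": fresh,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The two rejections answer btown's question from opposite directions: the terminal nonce defeats moving a response between machines, and the issuer-side counter defeats repeating it at the same machine. A static magstripe has neither property, which is why the skimmers in the article only need to copy it once.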
| seanp2k2 wrote:
| Is anyone else annoyed that:
|
| - We could have had chip & PIN, but for some reason (I'm guessing
| it's to do with how merchants take the hit for card fraud and VISA
| + MC think having to punch in a few numbers each sale will lead to
| fewer sales)
|
| - Those tap targets on CC readers sometimes aren't where the
| antenna is, and you have to rub your card all over the reader to
| get it to work?
|
| - Chip transactions take way longer than tap transactions, like
| 10 seconds? Why?
| gpt5 wrote:
| Contactless transactions using your phone are fast, secure and
| easy. Over time they will replace almost all current usage of
| chip & pin or magnetic stripe.
| schwartzworld wrote:
| Sounds like a nightmare
| akira2501 wrote:
| No thanks. I like things that work without having to be
| charged.
| renewiltord wrote:
| I use contactless to get money out of the ATM. It looks like
| they'd get my PIN in this method but they can't replicate the
| card, then, right?
| gauravphoenix wrote:
| Not a payment security expert, but based on my limited
| knowledge, the transaction is verified with the chip embedded
| in the card/device itself so I don't think that skimming
| devices like these can bypass NFC protections.
| jahnu wrote:
| So glad almost 90% of the machines I use have this these days
| mh- wrote:
| Correct. I'm not familiar with the implementation details, but
| there's a handshake involved in the NFC tap that prevents it
| from being cloned using a "dumb" skimmer like this.
| reaperducer wrote:
| One of my banks lets you use a QR code from the app. I
| haven't tried it yet to see how well it works.
| mh- wrote:
| Yeah, I think BofA has this but I haven't tried it either.
| rolph wrote:
| When they get the PIN, they have a physical accomplice do a bump
| 'n' dump on you for the card.
| renewiltord wrote:
| The final line of defence is my bank's ridiculously low max
| withdrawal amounts (I think it's like a fraction of a percent
| of my cash there).
| ilaksh wrote:
| ATMs, ATM cards, banks and fiat currency are all obsolescent
| technologies.
| austinjp wrote:
| Yeah I'm not super convinced. If I want untraceable
| transactions, cash is hard to beat. (Pleeeeeease nobody mention
| crypto I beg you.)
| naet wrote:
| Curious what you use if you don't use an ATM, ATM card, a bank,
| or fiat currency?
|
| People like to use this type of rhetoric around crypto and
| crypto-maximalism, but you absolutely cannot function day to
| day using purely crypto at this point in time.
| sneak wrote:
| Most technologies with a huge installed base are obsolete
| compared to the state of the art.
|
| The larger the installed base, the higher the likelihood it is
| lagging behind the current patch revision.
|
| Magstripes and internal combustion engine ground vehicles are
| probably the two biggest examples outside of
| sociology/government.
| Eduard wrote:
| What's the state of art for sociology/government?
| sp332 wrote:
| Gift economy and post-scarcity is where it's at.
| ilaksh wrote:
| Not at all what I am suggesting.
|
| The cards are very insecure and primitive and have been
| replaced by smart phones in most areas.
|
| One core way they are insecure is based on the main concept
| of the money which fails to utilize cryptography. Any money
| that uses cryptography to prevent the need for sharing
| secrets to execute transactions is a cryptocurrency. Any
| currency that does not use cryptography is obsolete.
|
| Using physical pieces of paper is also ridiculous at this
| point. The only real utility is to avoid any kind of
| taxation, and the only reason that is needed by people is
| because governmental structures are also horrible and
| obsolescent.
| willhackett wrote:
| I think the magnetic strip needs to go. We hardly use them in
| Australia to the point where one of our major banks actually has
| a touch reader on their machine.
|
| Some sort of one-time verification would be great. An SMS or a
| push notification would go a long way to making this type of
| scraping harder.
|
| Or eliminate the card altogether - Cardless Cash.
| nvr219 wrote:
| [deleted]
| tomcam wrote:
| bryan0 wrote:
| It's crazy how I never carry cash anymore. I can't even think of
| the last time I used an ATM. I often just leave the house with my
| phone and buy stuff with apple pay.
|
| Also how is magnetic strip still a thing? I thought this was
| replaced with chip and tap years ago...
| bastardoperator wrote:
| Same, to be honest I feel like I haven't seen actual money in
| years. I'm always surprised how much it changes every time I
| get close enough or actually handle a bill.
|
| To be fair though, after seeing physical Canadian money (got
| some bills and coins for my son), US money isn't nearly as
| cool.
| pdntspa wrote:
| The chips on my card have a habit of not working, and my bank
| doesn't give NFC "tap" cards. Mag-stripe has saved my bacon a
| couple times after the chip wouldn't read.
|
| And the fancy Amex tap card barely works -- Apple Pay is more
| reliable.
| naet wrote:
| I love using cash.
|
| Sometimes I don't when my local ATM is down (which seems to
| happen so often...), but when I can it feels much better to me.
| No digital records, no potential for this type of skimmer or
| other scam, don't have to give up my ATM pin, no worrying about
| my phone running out of charge, able to give it away freely to
| anyone in need without setting up a digital transfer, the old
| taco truck still only takes cash, etc.
|
| I will be sad when cash starts to be less accepted. Already
| there are a (small) number of modern restaurants that don't
| accept cash in my area.
| kQq9oHeAz6wLLS wrote:
| > Already there are a (small) number of modern restaurants
| that don't accept cash in my area.
|
| Is that even legal?
| kube-system wrote:
| Broadly speaking, doing business on the internet doesn't
| have a separate set of laws. Many online retailers don't
| accept cash.
| vkou wrote:
| Yes, if they are pay up front establishments.
| woodruffw wrote:
| It isn't in NYC[1]. We have some local businesses that
| ignore the law, and are (supposedly) being fined daily for
| continuing to violate it[2]. I'm not sure if the city has
| managed to collect yet.
|
| [1]: https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=3...
|
| [2]: https://nypost.com/2021/12/04/nyc-businesses-told-to-pay-up-...
| naet wrote:
| It must be in my area, and it seems to be legal at the
| federal level in the USA.
|
| "There is no federal statute mandating that a private
| business, a person, or an organization must accept currency
| or coins as payment for goods or services. Private
| businesses are free to develop their own policies on
| whether to accept cash unless there is a state law that
| says otherwise."
|
| https://www.federalreserve.gov/faqs/currency_12772.htm
|
| It may be illegal to refuse cash as payment for an existing
| debt, but businesses are free to choose how (and who) they
| conduct business including which forms of payment they
| accept.
| kQq9oHeAz6wLLS wrote:
| Interesting, thank you
| dijonman2 wrote:
| Cash is king. Always tip and buy in cash, tax is always
| included.
| david_allison wrote:
| Card reader didn't work on the bus yesterday.
|
| It would have been nice to have a backup.
| iamben wrote:
| London buses don't even take cash any more.
| tialaramex wrote:
| As the article says, some smaller outfits still use card stripe
| data.
|
| The impetus to get retailers to _start_ using the chip was
| "Liability shift". The payment networks gradually changed the
| rules (I think in the US pay-at-pump gasoline purchases were
| last to get this, while big retail stores were earlier) so that
| the liability if a transaction is latterly discovered to be
| fraudulent is with the retailer who accepted the dodgy
| transaction, not the payment network _if_ the retailer didn't
| use the chip.
|
| But I imagine if you're a little store in the country, maybe
| you do six card transactions per day, almost all of them with
| customers you know personally who just find the card more
| convenient, liability shift isn't a huge worry for you, while
| the cost of a new payment terminal is a significant issue.
|
| The actual payment infrastructure doesn't care about any of
| this. Those old impression machines? Mag stripe? Put the card
| in manually? Tap your iPhone? In all cases the actual
| transaction which moves money, "Settlement", just needs the
| account number to take money from and amount to transfer. These
| different methods have different "Authorization" behaviour but
| Authorization is about mitigating risk for the retailer, and
| the bank, and only very tangentially intended to have any
| benefit for you, the customer; it doesn't move money, and it
| isn't mandatory.
| kube-system wrote:
| > Those old impression machines?
|
| Good point. Not only do I still have cards with mag stripes,
| I still have some with embossed numbers. And probably half of
| the people with credit cards are younger than the date when
| that was obsoleted.
| reaperducer wrote:
| _I often just leave the house with my phone and buy stuff with
| apple pay._
|
| I admire your uncomplicated, predictable life.
|
| Sometimes I want to buy something from a guy with the ice cream
| cart at the park. Sometimes I need to tip a valet, a doorman, a
| hotel maid, or another service worker. Sometimes I want to buy
| Girl Scout cookies from the girl with the table on the corner.
| Sometimes I want to buy something from one of the 35 million
| Americans without a bank account. Sometimes tow truck drivers
| take cash only. Many of the late-night restaurants and food
| carts in my city are cash only.
|
| Some day I'll go cash-free. But my life is not yet that simple.
| bolasanibk wrote:
| I agree with a lot of the other things. But for this:
|
| >Sometimes I want to buy Girl Scout cookies from the girl
| with the table on the corner
|
| I have seen a lot of them carry Square dongles or accept
| Venmo payments. I guess they got tired of people telling them
| they do not have cash.
| phinnaeus wrote:
| I think it's clear the person you're replying to isn't from
| the US since they seem unaware of how prevalent even magnetic
| swiping is in the US (or was when I left before the pandemic,
| when I visited a few months ago it seems interest in
| contactless has finally started to catch on).
| maherbeg wrote:
| You'd be surprised how often you can ask "do you have a
| venmo?" and just tip service workers via the QR code.
| Bakary wrote:
| Half a decade ago in China it was already common for
| beggars to carry QR codes for this purpose.
| notch656a wrote:
| As a double advantage, it ensures the workers' tips are
| 1099-K'd when their venmo hits $600 aggregate and they
| can't weasel out of the social contract of paying up for
| muh roads.
| woodruffw wrote:
| I can't help but smile when I see these skimmers. It's amazing
| how advanced they are!
|
| I would love it if my bank would let me use my virtual debit card
| with a contactless flow to withdraw cash. I'd imagine that's much
| harder to replay or otherwise manipulate. I've seen some ATMs
| (mostly Chase?) with the contactless symbol on them, but I've
| never been able to get them to work.
| powvans wrote:
| I always use the Chase Debit cards stored in my Apple Wallet to
| access Chase ATMs. Works great. You can use the Apple Wallet
| cards to unlock the ATM vestibule doors after hours too.
| woodruffw wrote:
| Good to know that it works with their own cards! I don't
| actually have a Chase debit card; I was hoping that my
| virtual debit card would work with their machines :-)
|
| (The bank I use does actually use JPMC as their customer
| bank, so I was hoping that Chase ATMs would see my card as a
| "whitelabeled" Chase card. But no such luck.)
| TaylorAlexander wrote:
| This is why I really like the added security of the new Apple
| magnetic wallet I got. The wallet holds your cards and attaches
| to the back of the phone using magnets. While the inside of the
| wallet is magnetically shielded, I've found it's nearly
| impossible when actually handling the magnetic wallet not to
| accidentally pass the card past the outside of the magnetic
| wallet. I have found that my card no longer works in pure
| magstripe readers such as parking meters and other older devices.
| Having ruined my magnetic stripe, Apple has protected me from mag
| stripe attacks. An idea so bold, no one but Apple could have
| thought of the magnetic card wallet.
| wil421 wrote:
| I've had an Apple Wallet since they came out and never had any
| cards lose their magnetic strip. Same with my wife.
| hammock wrote:
| With just about everything either chip or tap now, is there any
| danger in just scratching out the mag stripe of my cards?
| basicplus2 wrote:
| Always put the other hand over the hand typing in the PIN.
| Scoundreller wrote:
| Or just type it in wrong, cancel the transaction and walk away!
| [deleted]
| bparsons wrote:
| At this point, this is simply the negligence of the banks. Most
| OECD countries switched to chip technology over a decade ago.
| AnotherGoodName wrote:
| It may be worth running a magnet over your cards at this point.
| I can't think of a time I've used the mag-stripe.
|
| The skimmers here have a passthrough hole for the chip which
| means the mag-stripe only exists to feed the skimmers. So even
| this use case that gets skimmed isn't even using the mag-stripe
| itself!
|
| Fuck it. Where's my magnet.
___________________________________________________________________
(page generated 2022-09-14 23:00 UTC)