Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

ATM skimmers that fit in the card-slot

Cory Doctorow at 8:39 am Tue, Jul 24, 2012

— FEATURED —

Science

Making sense of the confusing Supreme Court DNA patent ruling

Book Review

The 'Geisters: spooky, scary novel

Science

Ants and Stars: Bruce Sterling and Jasmina Tesanovic visit the Sardinia Radio Telescope in Italy

Feature

The Snowden Principle

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle


Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:

That’s according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region. In both reports, EAST said one country (it isn’t naming which) alerted them about a new form of skimming device that is thin enough to be inserted directly into the card reader slot. These devices record the data stored on the magnetic stripe on the back of the card as it is slid into a compromised ATM.

Another EAST report released this week indicates that these insert skimmers are continuing to evolve. Below are two more such devices. Insert skimmers require some secondary component to record customers entering their PINs, such as a PIN pad overlay or hidden camera.

ATM Skimmers Get Wafer Thin

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE:  atm • crime • security

More at Boing Boing

Ants and Stars: Bruce Sterling and Jasmina Tesanovic visit the Sardinia Radio Telescope in Italy

The Snowden Principle

  • Charlene Margaret

    Another reason why chip cards are a good idea.

    • http://www.figuiere.net/hub/ Hubert Figuière

       You can be sure they’ll defeat chip card. There are already know vulnerabilities on them.

  • inkfumes

    Another reason why cash is a good idea.

    • Andy Simmons

       Considering that these were found on ATMs, I’d say that it’s our reluctance to give up on physical currency that makes these devices a problem in the first place.

      • inkfumes

        I would counter that our reluctance to give up electronic forms of currency (which are inherently flawed, vulnerable to electronic hacking) makes these devices attractive to criminals.

        One good development I have seen is that my credit union’s new atm’s have a clear green plastic card scanner that lights up when being used… this lets you see that nothing has been added, modified or inserted to skim numbers.

        I got stung by a card scanner while driving through Oregon a few years ago… they don’t let you pump your own gas… and I didn’t get out of the car to watch the attendant. By the time I had returned to Northern California someone had passed on my numbers and made purchases somewhere in Southern California. Now I just take out enough cash to pay for gas and meals before I leave.

        • robdobbs

          You mean like this one?: http://krebsonsecurity.com/2011/03/green-skimmers-skimming-green/

          Or this one?: http://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/

          Cash is a good idea.

        • Andy Simmons

          But you have to admit that we can’t just abandon electronic currency.  Physical currency can be lost, destroyed, or stolen, costs money to produce, and is horrible for long-distance transactions.  I think the answer lies in less fallible security.  Chipped cards, two-factor authentication via a mobile device, etc. 

          Note that when you got hit by the card scanner, it was not due solely to a flaw in the electronic currency, but also due to a flaw in the purchasing process: you literally handed the attendant everything he or she needed to make purchases against your card (not that that’s your fault, many vendors put us in this position on a regular basis).  If making purchases against your card required authorization via a temporary PIN — generated based on a security token on your phone, for example — the scan of your card would have been worthless.

        • brainflakes

          You think physical money is safer?? Keep $10,000 under your mattress and something happens to it (fire, theft) you are SOL. Keep $10,000 in the bank and it gets stolen electronically in most countries you are not liable and you can easily get the money back.

          • http://thebeatdown.disqus.com Franklin

             Yeah, try to get that $10,000 out of the bank during a blackout or true economic crisis and you’ll see the value of cash. Anyone who doesn’t have at least a month of living expenses in cash, in their home, will find themselves in a serious situation should the worst happen. Anybody who trusts banks 100% is a fool. The whole system is way more unstable than most people think. All it takes is one news item about a bank run and you will have mass panic. It’s happened already in Spain on a large scale

          • vrplumber

            That’s why you should keep the $10,000 under your mattress in the form of gold bars.

            That way if it melts due to fire, its still gold. :)

          • Tyler Collins

            @vrplumber: $10,000 in gold wouldn’t come in bars, just small coins.

      • jandrese

        I suppose inkfumes could always go in and talk to the teller directly, but then he has to give up his information to a person who could just memorize it and sell it on the black market.  Nothing we do today would be considered safe if you are paranoid enough. 

        • inkfumes

          I tried just writing my own promissory notes but it didn’t work out too well.

    • Shashwath T.R.

      Cash has its inherent problems too. If you lose your card, you can get it invalidated. If you lose cash, no such luck. If you want to make a large value purchase, you’d have to carry large amounts of cash, which is more risky.

      And that’s to say nothing for the amount of money it costs to print it. All those security features, the technology, the highly intricate engraving,… Doesn’t come cheap!

      I think electronic currency should be made more effective, instead of abandoning it.

      • http://thebeatdown.disqus.com Franklin

         cash is king. I think society’s growing attitude towards replacing hard currency is a dangerous one. say the cellular system goes down or there’s a blackout like the DC storm a few weeks ago – poof, all of a sudden you have nothing, no access to all the assets you’ve worked so hard for. You can’t even afford a sandwich after a few days

        • fuzzyfuzzyfungus

          While electronic systems are obnoxiously fragile(I’m not bitter and in IT or anything), a pile of fiat currency may not be your best hedge against a serious systemic collapse(even a temporary and fairly localized one).

          Ye Olde contemporary supply chain is frequently efficient(but taut) enough that it isn’t as though there will be any sandwiches on the shelves surprisingly soon after a disruption occurs(nor, in businesses with electronic POS systems, will there necessarily be any employees willing and authorized to sell them to you).

          I prefer paying cash, when dealing in person, if only to reduce the Visa tithe extracted from the economy; but if I were hedging against any sort of disruption that takes down the electronics, I’d be much more confident with a supply of actually-intrinsically-useful nonperishable goods, rather than a stack of US Treasury Gift Certificates…

        • graywh

          The phrase “cash is king” refers to liquid assets (your checking account), not physical currency (under your mattress).

    • Antinous / Moderator

      ○  I’ve been mugged and had cash stolen.
      ○  The corner mailbox was raided and checks that I had mailed were stolen, erased and re-used.
      ○  I’ve experienced credit card fraud.

      Nothing is 100% safe, but cards are a lot easier and more flexible to use.

      • Martijn

        In a modern setting, the second point should be replaced by somebody intercepting your internet banking. (Hasn’t happened to me yet, despite my bank being notoriously bad.)

    • Cowicide

      They just need to update the ATM machines to detect these things and make detection standard on most machines.  They already implement this technology, it just needs to become more widespread.

      • fuzzyfuzzyfungus

        For in-slot systems like this, I suspect that a mechanical engineer could come up with a modest modification to the card-eject mechanism that more aggressively shoves everything out of the card slot pretty quickly and easily…

        Getting something that will reliably perform a zillion cycles without jamming is why engineers are trained professionals; but having a little ejector ram that fills the entire card slot, expelling foreign objects, during the ejection phase isn’t conceptually tricky…(Nor, if you really have to have it solid state, would adding a cheapy webcam-style camera system, with IR illuminator, that continually inspects the card slot for foreign objects and automatically summons repair minions over the network if an anomaly is detected…

  • joeposts

    The best prevention is keeping as little money in your bank account as possible, and as little room on your credit card as possible. I’m golden. 

    • Restless

      I know you’re being humorous, but I sort of did something like this because I was tired of having my credit cards I use for my recurring bills jacked.  I have one credit card that I use for purchases that are “fishy,” with a one grand limit.  It’s the one I don’t mind handing to a waiter or using at a weird gas station.  I just pay it frequently.

      • http://www.nathanhornby.com/ Nathan Hornby

        Are credit cards not insured in the US?

        • Restless

           They are, but it’s a pain to go to all the sites I have automatic recurring payments on and change the card or shuffle the payments around when they cancel the card and send me another.

          Now I have one only for recurring payments, one for things where I feel I might get ripped off and others with higher limits for buying where I feel like I might not get ripped off (although I know that’s entirely possible on any of them).

          • http://www.nathanhornby.com/ Nathan Hornby

            Ah I see, the inconvenience, rather than the loss.

            True that.

        • Antinous / Moderator

          It used to be fairly easy to make a claim for a fraudulent charge, but they’ve made it more complicated in the last half-decade or so. The last time that I had a problem, I had to receive, then fill out actual paperwork which I then had to mail back to the card company. Probably a lot of people won’t bother doing that for a small fraudulent charge.

  • http://www.figuiere.net/hub/ Hubert Figuière

    The problem lies more with these vendors that sell “secure” solution that haven’t been audited, analyzed or publicized before being marketed, when after that they become an easy target with big pay day and large scale.

  • nate

    As someone who has been victimized recently and often by credit card number thieves, it’s just a matter of time I’m sure before someone gets my ATM number.

    The assault from the crooks above and the crooks below is really intensifying, and I’m finding it very hard not to surrender to the perennial philosophy that everyone is a crook, except maybe my wife, my daughter, and two or three very nice people I know.

  • http://germanwotd.com Amelia_G

    Are those things made to be pushed in the slot but then removed the same way, with a convenient tab e.g.? Or are they made to be left in place until found by ATM maintenance staff?

  • http://daniel.friesen.name/ Daniel Friesen

     *sigh* This isn’t an issue with skimmer creators or inherent issues with electronic currency. This is an issue with our financial system.
    From a security standpoint this is unacceptable.
    Banks are still using the same dated technology and won’t update their machines and processes to use any more security.
    We should have already had enough time to transition away from the magnetic stripe and be using chip-only cards with ATMs that use the chip. And yet banks are still relying on the same insecure magnetic stripe.
    We should also have already had the time to migrate to full mini-qwerty keyboards on these devices instead of this ridiculousness of using a 4-digit numeric pin.

    Security is a constant battle of building things more and more secure step by step. Each step eventually gets broken but you do what you can to keep a step ahead of the attackers and minimize the possible damage they can do.

    But the bank systems are not doing this at all. The first step is broken. The second step has been created. And they’re not even dropping the first step and moving to the second step. They should already be working on developing the third step before the second one gets broken.

  • jwkrk

    “But it’s only wafer thin…”

  • SoItBegins

    …this is why we can’t have nice things.