Comments on: Would You Have Spotted this ATM Fraud? http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/ In-depth security news and investigation Sat, 11 Feb 2012 19:29:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Antony John http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-22962 Antony John Wed, 08 Jun 2011 04:34:56 +0000 http://www.krebsonsecurity.com/?p=1993#comment-22962 I think smart card technology is the way to go forward. Even with Side Chanel Attack, it is not possible to do skimming a card and crack encryption based chip tech in short time frames that people use an ATM. Besides it is infinitesimally complex to do so compared to magnetic stripes skimming. I don't think it is possible to do such comprehensive analysis -it is a complicated evidence(tell tale signals) based technique in the short time window of an ATM card use. Even if readers are developed that can be placed on an ATM as surrogates in future. And it also makes a possible future skimmer more costly and less accessible to all thieves. One should also remember that smart cards have more physical variety compared to magnetic stripe technology, another factor that complicates an SCA attack. And cryptoanalysis (the soft side) techniques also needs larger time frames than typical ATM card use but it is possible to upgrade the firmware (like how we upgrade computers to keep the protection more relevant). To sum up I feel it is the transition cost factor that is stopping the adoption. The mobile industry embraced the technology early on so we find chip cards in mobiles while banking industry went the magnetic stripe way and now feels a compulsion to move forward I think smart card technology is the way to go forward. Even with Side Chanel Attack, it is not possible to do skimming a card and crack encryption based chip tech in short time frames that people use an ATM. Besides it is infinitesimally complex to do so compared to magnetic stripes skimming.
I don’t think it is possible to do such comprehensive analysis -it is a complicated evidence(tell tale signals) based technique in the short time window of an ATM card use. Even if readers are developed that can be placed on an ATM as surrogates in future. And it also makes a possible future skimmer more costly and less accessible to all thieves. One should also remember that smart cards have more physical variety compared to magnetic stripe technology, another factor that complicates an SCA attack.
And cryptoanalysis (the soft side) techniques also needs larger time frames than typical ATM card use but it is possible to upgrade the firmware (like how we upgrade computers to keep the protection more relevant).
To sum up I feel it is the transition cost factor that is stopping the adoption. The mobile industry embraced the technology early on so we find chip cards in mobiles while banking industry went the magnetic stripe way and now feels a compulsion to move forward

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Rory http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-21845 Rory Wed, 11 May 2011 14:51:15 +0000 http://www.krebsonsecurity.com/?p=1993#comment-21845 The idea that decision-makers are hesitant to replace a seriously broken technology with a more secure one "because it might not be secure in the future", is absurd. No one would look back, 10 years from now, and say "Damnit, they hacked the chip cards. I wish we could go back to Mag stripes." It's just money. The cost of dealing with theft is currently not more than the cost of upgrading the system. It's as simple as that. They're pinching pennies while the public gets ripped off. The only banks doing it are ones that think they can sign more high-end customers simply because their cards were more secure.

The idea that decision-makers are hesitant to replace a seriously broken technology with a more secure one “because it might not be secure in the future”, is absurd. No one would look back, 10 years from now, and say “Damnit, they hacked the chip cards. I wish we could go back to Mag stripes.”

It’s just money. The cost of dealing with theft is currently not more than the cost of upgrading the system. It’s as simple as that. They’re pinching pennies while the public gets ripped off. The only banks doing it are ones that think they can sign more high-end customers simply because their cards were more secure.

Well-loved. Like or Dislike: Thumb up 7 Thumb down 0
]]> By: Matthew Walker http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-18267 Matthew Walker Tue, 15 Feb 2011 23:08:17 +0000 http://www.krebsonsecurity.com/?p=1993#comment-18267 @Jose NAVARRO Actually since this post I saw a recent demonstration of this device http://www.riscure.com/inspector/product-description/inspector-sca.html which is for sale right now at a reasonable price. They had a table at CARTES in Paris and were pulling the secret sopposedly hidden keys off all types of smart cards right there in front of all the smart card manufacturers. Caused quite a stir. It didnt matter about the encryption used as they had configurable cryptanalysis modules for SPA, DPA and higher-order DPA on a large number of algorithms including 3-DES, AES, RSA and ECC etc. You can see by the photos it still the size of a small science kit but I would say its only a few years away before the next generation of this is small enough to be used fraudulently and sold alongside the magnetic stripe read/writers if it isnt being used already in some way.

@Jose NAVARRO
Actually since this post I saw a recent demonstration of this device http://www.riscure.com/inspector/product-description/inspector-sca.html which is for sale right now at a reasonable price.
They had a table at CARTES in Paris and were pulling the secret sopposedly hidden keys off all types of smart cards right there in front of all the smart card manufacturers. Caused quite a stir. It didnt matter about the encryption used as they had configurable cryptanalysis modules for SPA, DPA and higher-order DPA on a large number of algorithms including 3-DES, AES, RSA and ECC etc.
You can see by the photos it still the size of a small science kit but I would say its only a few years away before the next generation of this is small enough to be used fraudulently and sold alongside the magnetic stripe read/writers if it isnt being used already in some way.

Well-loved. Like or Dislike: Thumb up 6 Thumb down 0
]]> By: Jose NAVARRO http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-18251 Jose NAVARRO Tue, 15 Feb 2011 22:17:55 +0000 http://www.krebsonsecurity.com/?p=1993#comment-18251 The technology that you mention that can be read from a distance is not the same that is being used in ATM's. There are contact chips and proximity chips. The exposure with proximity chips is that they can be read at a certain distance even when they are in you wallet. You are right, in 5 or 10 years from now the technology might be avaialble to decrypt the keys on the chips, but for that time the billions of dollars saved in fraud will pay for the technology that will reinforce the chip to the point that it will take 150 years to beak the encryption code in the, by then the owner of the card will be long gone or dead. The technology that you mention that can be read from a distance is not the same that is being used in ATM’s. There are contact chips and proximity chips. The exposure with proximity chips is that they can be read at a certain distance even when they are in you wallet. You are right, in 5 or 10 years from now the technology might be avaialble to decrypt the keys on the chips, but for that time the billions of dollars saved in fraud will pay for the technology that will reinforce the chip to the point that it will take 150 years to beak the encryption code in the, by then the owner of the card will be long gone or dead.

Like or Dislike: Thumb up 3 Thumb down 0
]]> By: Gil Daspit, Jr. http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-18237 Gil Daspit, Jr. Tue, 15 Feb 2011 15:39:42 +0000 http://www.krebsonsecurity.com/?p=1993#comment-18237 Mr. Krebs: I sent you a previous comment this morning -- I’m the TV producer for the City of Tallahassee’s government TV channel who's producing a story about ID theft and ATM skimming. I’m producing a story about ID Theft and one of the topics covered is ATM skimming. I've found a second picture you’ve run in your blog I would like to use in my story. This picture is located at krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/ As I noted above, our channel is a cable-access channel, so we’re not broadcast over the city but are available to Tallahassee cable subscribers. Please let me know by return e-mail if it’s ok to use your image in my story. Thanks, Gil Daspit, Jr. TV Producer, WCOT Ofc: (850) 891-2052/Cell: (850) 566-4862 Mr. Krebs:
I sent you a previous comment this morning — I’m the TV producer for the City of Tallahassee’s government TV channel who’s producing a story about ID theft and ATM skimming.
I’m producing a story about ID Theft and one of the topics covered is ATM skimming. I’ve found a second picture you’ve run in your blog I would like to use in my story. This picture is located at krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/
As I noted above, our channel is a cable-access channel, so we’re not broadcast over the city but are available to Tallahassee cable subscribers.
Please let me know by return e-mail if it’s ok to use your image in my story.

Thanks,
Gil Daspit, Jr.
TV Producer, WCOT
Ofc: (850) 891-2052/Cell: (850) 566-4862

Like or Dislike: Thumb up 2 Thumb down 1
]]> By: Dan Robertson http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-17626 Dan Robertson Mon, 07 Feb 2011 15:04:24 +0000 http://www.krebsonsecurity.com/?p=1993#comment-17626 There is one difference between the skimmer and the original ATM that is easy to see. Look at the ring of lights around the entry slot. The skimmer has a spot that does not have a light. This is where the mechanism for reading the card is. If you look at the original ATM entry slot, the ring of lights is unbroken.

There is one difference between the skimmer and the original ATM that is easy to see. Look at the ring of lights around the entry slot. The skimmer has a spot that does not have a light. This is where the mechanism for reading the card is. If you look at the original ATM entry slot, the ring of lights is unbroken.

Hot debate. What do you think? Thumb up 7 Thumb down 4
]]> By: Elwood Mihm http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-17073 Elwood Mihm Thu, 27 Jan 2011 19:11:17 +0000 http://www.krebsonsecurity.com/?p=1993#comment-17073 thanks for the information!!!!!!! Hidden due to low comment rating. Click here to see.

Poorly-rated. Like or Dislike: Thumb up 0 Thumb down 6
]]> By: Ian http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-16931 Ian Sat, 22 Jan 2011 06:16:42 +0000 http://www.krebsonsecurity.com/?p=1993#comment-16931 Herp a derp. Not all "chips" are the same.

Herp a derp. Not all “chips” are the same.

Well-loved. Like or Dislike: Thumb up 11 Thumb down 0
]]> By: Jose L. Navarro http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-13035 Jose L. Navarro Tue, 30 Nov 2010 19:21:57 +0000 http://www.krebsonsecurity.com/?p=1993#comment-13035 Canadian Banks are deploying chip technology in credit and debit cards. Their weakness, that we have to leave the mag stripe so that when clients travel to the US or Europe they can use their credit or debit cards. I believe a scandinavian country legislated chip cards for all citizens and mag stripe readers are available on ATMs for tourists. Their fraud has been reduced to 0.o1% and I beleive it is mag stripe related. I personnaly demagnitized the mag stripe in my debit card, since my Bank recognized the chip on the card and I do not purchase any items with merchants that do not read the chip. Is time to get with the times, for those of you that think that you do not pay for the fraud on ATMs, yous just have to look at your banking service charges to realize you pay and quite handsomely.

Canadian Banks are deploying chip technology in credit and debit cards. Their weakness, that we have to leave the mag stripe so that when clients travel to the US or Europe they can use their credit or debit cards.

I believe a scandinavian country legislated chip cards for all citizens and mag stripe readers are available on ATMs for tourists. Their fraud has been reduced to 0.o1% and I beleive it is mag stripe related.

I personnaly demagnitized the mag stripe in my debit card, since my Bank recognized the chip on the card and I do not purchase any items with merchants that do not read the chip.

Is time to get with the times, for those of you that think that you do not pay for the fraud on ATMs, yous just have to look at your banking service charges to realize you pay and quite handsomely.

Well-loved. Like or Dislike: Thumb up 6 Thumb down 0
]]> By: Elizabeth Wood http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/comment-page-2/#comment-12937 Elizabeth Wood Sun, 28 Nov 2010 16:16:15 +0000 http://www.krebsonsecurity.com/?p=1993#comment-12937 I disagree with you there. It is better to stay with the magstrip. It will be costly to have a chip cards. Think it will cost to have a PC chip in our computers. The theives will hack the chips like on the PC. It seem to be secure. The crooks ever run out of ideas to beat the system. They alwasy figure out ways to get around of stealing peop;e money.It will cost more to have a chips then the credit cards nd debits cards. I would think, Hidden due to low comment rating. Click here to see.

Poorly-rated. Like or Dislike: Thumb up 5 Thumb down 24
]]>