Comments on: ATM Skimmers: Separating Cruft from Craft

By: nike pas cher

nike pas cher — Thu, 31 Mar 2011 06:40:38 +0000

Why not put all ATM’s in a Faraday enclosure to prevent any wireless communication at all. It would block 3G, WiFi and blue tooth transmissions.
http://www.tnairmax90.com/5-nike-air-max-90-pas-cher

Like or Dislike: 0 0

By: nike pas cher

nike pas cher — Thu, 31 Mar 2011 06:38:05 +0000

The bad guys would have to hardwire of come back later and manually download the data

Like or Dislike: 0 0

By: Matthew Slyman

Matthew Slyman — Tue, 22 Mar 2011 21:37:57 +0000

“…the idea of entering your pin number backwards”—There are adverse security implications that might actually be part of the reason Michael Boyd’s reverse PIN entry police alert system was not adopted.

Allowing a transaction to proceed based on an incorrect PIN would increase the probability of criminals succeeding in getting cash (almost doubling an attacker’s chances of success, if I’m not mistaken).

Accidental mis-entry by legitimate customers would slightly increase the number of false alerts for police.

Consider also, the possibility of criminals using such a system to deliberately distract the town’s police whilst conducting a real heist in another part of town. There would be no voice recording of a 911 caller to identify the source of the alert…

Despite the possibility of accidental reverse entry by the senile, or malicious reverse entry; the police might regard the alert as an urgent case—potentially compromising the lives of other people who genuinely need the police at that time.

Consider alternatively, the malicious use of skimmed card details/PINs to wear down the police with bogus call-outs until they ignore reverse PIN entries as a waste of their time.

Consider also, how difficult it would be for the average person to mentally reverse their PIN number while a gun is being pointed at their head/ back. Many people in that situation would reverse their PIN incorrectly and end up like these two French PhD students in London:
http://www.guardian.co.uk/uk/2009/jun/04/french-student-murder-violence-history
One of the two got marched under duress to an ATM, which rejected his PIN. The two students were murdered by two crack-addicted madmen.

On the whole, it appears to me that following Michael Boyd’s proposals would actually have increased the range of possible attacks on the ATM system/ police dispatching infrastructure.

You potentially underestimate the motives and expertise of the committee that rejected that proposal.

Like or Dislike: 0 0

By: Matthew Slyman

Matthew Slyman — Tue, 22 Mar 2011 21:09:36 +0000

Interesting idea—although perhaps not practical in cases where the ATM is not physically located inside a bank building that is itself a Faraday cage. Look at the pictures of these skimming devices. They’re typically located on the exposed front face of the ATM. This precludes the possibility of securing the ATM inside a Faraday enclosure (unless of course you demand for bank customers to step inside a metal cage before using the ATM.)

Like or Dislike: 0 0

By: Matthew Slyman

Matthew Slyman — Tue, 22 Mar 2011 20:58:28 +0000

Unless your code was ridiculously (and impractically) long, the probability of an attacker guessing correctly (based on a video recording of your randomly extended PIN entry) would actually be very high. Think about it. There are only 7 (seven) ways to choose four consecutive digits within a 10 (ten) digit number…

OK—try improving your scheme. Insert digits randomly before, after and BETWEEN the digits of the PIN… Then what? You’re compromising your system in a different way, because you increase the chances that if an attacker gets the PIN wrong, their entry will still be accepted (since your PIN verification routines must now accept random digits in between the digits of the PIN. So any PIN that happens to contain the PIN in the right order, regardless of the other digits, would be accepted.)

Basically, your method is expensive (in terms of implementation practicality), and gives very little benefit in return. Nice idea, but sorry, there are better alternatives.

Like or Dislike: 0 0

By: Matthew Slyman

Matthew Slyman — Tue, 22 Mar 2011 20:51:45 +0000

ABUSE: This comment is a duplicate of Matt’s comment from June 4, 2010 at 11:05 pm

Like or Dislike: 0 0

By: Matthew Slyman

Matthew Slyman — Tue, 22 Mar 2011 20:00:44 +0000

“I believe it is possible to dispense with credit cards altogether using correct software routines to correctly validate users.”—Would you mind explaining how you propose to do this?
http://www.cl.cam.ac.uk/~rja14/book.html
Check out Chapter 2 of Professor Anderson’s book, which includes some interesting material on user authentication.

Criminals in Europe have already found ways to circumvent chip and pin security. They pose as terminal engineers, and con shop staff into letting them replace pin entry terminals with modified alternatives.

Like or Dislike: 1 0

By: Matthew Slyman

Matthew Slyman — Tue, 22 Mar 2011 19:52:57 +0000

You can get thin transparent layers of touch-sensitive material. It’s not outside the realm of possibility that a criminal could overlay one touch-screen on top of another. An extra shiny bezel around the screen might go unnoticed, if carefully fitted.

Like or Dislike: 1 0

By: rick

rick — Thu, 17 Jun 2010 20:11:53 +0000

Why not put all ATM’s in a Faraday enclosure to prevent any wireless communication at all. It would block 3G, WiFi and blue tooth transmissions.

The bad guys would have to hardwire of come back later and manually download the data.

ATM locations that are not in such enclosures would be required to be labled as such and “buyer beware”.

Like or Dislike: 1 0

By: Matt

Matt — Tue, 15 Jun 2010 22:06:01 +0000

You will get red thumbed into oblivion as the readers here are very sensitive about any specific product or company promotion however if you would like to contribute to the conversation you can give your take on the reverse pin number ATM alarm method I mentioned above.

Like or Dislike: 2 1