April 25, 2012

I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.

The skimmer pictured below is the backside of a card acceptance slot overlay. It was recovered by a customer at a bank in the San Fernando Valley who called the cops upon her discovery. Police in the region still have no leads on who might have placed the device. The numeral “5” engraved in the upper right portion of this skimmer suggests that it was one in a series of fraud devices produced by this skimmer maker.

Backside of an all-in-one ATM skimmer found this year at a bank in the San Fernando Valley area of California.

The skimmer appears to be powered by a phone battery, which connects to the card reader device and to the circuit board for a video camera. Here’s a close-up of the video card+skimmer connection.

Flip the device around, and you can see the tiny pinhole where the attached camera peers through the skimmer front to capture timestamped footage of victims entering their PINs.

Notice the pinhole for the built-in camera, upper right.

Of course, looking straight on at the skimmer as it would appear attached to a compromised ATM, it might be difficult to spot the pinhole, as shown in the following picture.

A few tips about ATM skimmers and skimming scams. It’s difficult — once you’re aware of how sophisticated some of these skimmers can be — to avoid being paranoid around ATMs; friends and family often tease me for stopping to tug at ATMs that I pass on the street, even when I have no intention of withdrawing money from the machines.

Still, it’s good and healthy to be somewhat paranoid while at an ATM. Make sure nobody is “shoulder surfing” you to watch you enter your PIN. A simple precaution defeats shoulder surfing and many other types of video-based PIN stealing mechanisms: Cover the PIN pad with your hand or another object when you enter your PIN.

If you are withdrawing cash after hours, visit only well-lit ATMs and those that are in plain view of other public spaces. In the unlikely event that you discover a skimming device attached to the ATM, alert the bank or proprietor immediately. Do not attempt to walk away from a compromised ATM with a skimmer in hand. For one thing, thieves who place skimmers often lurk nearby to prevent such occurrences. Also, consider how you might explain to a police officer that the device you just removed from the ATM is not yours. If you must leave with evidence, take a picture of the compromised ATM using your mobile phone (and if you get a nice picture, please consider sending it to me!).


64 thoughts on “Skimtacular: All-in-One ATM Skimmer”

  1. catch

    It’s silly for you to be paranoid and it’s silly to scare your readers.

    Why do you pay your bank to protect your money, if you know… you’re still the one protecting your money.

    Attempting to patch users is a major security dumb and coddling the banks by allowing them to transfer risk to us, their paying customers, is a general dumb.

    1. Jason

      We all need to have some responsibility for our privacy and our security. It’s the banks’ major responsibility, yes, but why should we let scammers get away making their money if there is something we can do additionally to help. It’s not hard to tug at card scanners or cover our fingers while entering numbers so why call such a thing useless?

      It’s the job of the police to protect us, but that doesn’t mean we shouldn’t watch who is around us or avoid dark alleys. We can’t put it *all* on the police when there are things we can do to help protect ourselves.

      1. catch

        Jason, you’ve completely missed the point.

        We all like to be proactive heroes, but accepting another’s risk does nothing beyond allowing them to not address it.

        Why aren’t you even asking “What can my bank do about this and why are they not doing it?”

        You’re promoting stagnancy and ultimately pushing more risk on to your less informed peers.

        1. mat

          Way to not embetter the universe Catch!

          To throw your world view into stark contrast :
          THEY employ people to clean the beach, I see broken glass on the beach but know that children with gashed feet will send a clear message to said beach cleaners to do better at cleaning said beach…

          This attitude is so disengaged from the community you live within that I despair for those who live around you.

          Great article btw, I feel enlightened but not frightened.

          1. catch

            First of all Mat, a private company, that exists to provide financial assurances is not analogous to a public beach. We all own the beach… the bank however makes money off of the community.

            It’s bad enough that we need to offset their risk through bailouts… now we need to take care of their ATM security too? Why not see if they need volunteers? Maybe they could use some free office work?

            Seriously though, by accepting this transfer of risk, you are reducing pressure on the bank to resolve the problem and in the end creating more of an issue for less informed or just plain busy peers members of your community.

            Look at the big picture.

        2. Jason

          You’re not promoting stagnancy and taking some steps to protect yourself. I guess if I see a guy pull a gun on someone, I should just ignore it as if I tell the police about it, I’ll be helping them to do their jobs and therefore lead to a worse police force. Honestly, dude, you’re blaming the wrong person here. And I didn’t see you attacking the bank, you attacked Brian for helping people to understand the risk and how they might lower it. There will always be scammers trying to take advantage of people. If we do nothing to protect ourselves, we’re not making better banks, we’re making stupider people.

          1. catch

            I feel like you’re being intentionally obtuse Jason.

            Can you honestly not tell the difference between a civic organization, public safety, etc and a private corporation charged with protecting your money which boosts its own profits by pushing its risks onto its customers?

            I won’t bother replying again, this thread is a perfect example of why information security is such a failure… people don’t even realize where the fundamental responsibilities lie and just muddy the waters with strawmen.

            1. AlphaCentauri

              When it comes to things like banking, the distinction between private business and public utility is not so absolute.

              If I don’t like the vegetables at the supermarket, I can grow my own or join a coop. If I don’t like the way my mechanic fixes my car, I can learn to repair it myself. But an individual or small group of individuals cannot replace the services a bank provides by pooling the resources of a large number of businesses and individuals in the community. If my bank’s costs go up, my bank’s fees will go up, and I and my neighbors will pay. The bank isn’t minting money in their basement after hours to make up for extra expenses.

              1. JCitizen

                We have a solution to that in our community also AlphaC. It is called a Credit Union. Owned and operated by the people who use it. And I will by God report any such device on our equipment in a heart beat!! This is PERSONAL in more ways than one!!!

                1. AlphaCentauri

                  I thought of that, too, but credit unions generally don’t have many ATM locations the way banks do, and people don’t have free choice of which credit union to join. We are members of a credit union through a professional organization, but its physical location is inconvenient and it doesn’t provide ATM or debit card services at all. We’ve always been able to get better deals on loans elsewhere, too. So while I agree in principle, it doesn’t always work out in practice.

                  1. JCitizen

                    Sorry about that! We have ATMs at all local communities, at convenient locations, and our (VISA) debit/credit cards are accepted everywhere. Of course you don’t want to be using a debit card everywhere, but we know that.

                    We have a choice, because we CREATED the association. It has been around for many years; probably before my time. We also own the stock which can be paid out to heirs of our estates upon passing. There are big differences between types of Credit Unions, I’m not sure, but ours may be referred to as an association.

                    When I took personal finance in college, our instructor told us it is wise to shop around to find the right one, that preferably fits this model.

            2. nilsby

              catch, a vital part you’re missing is that not every atm you use is owned by your bank. is it now every banks’ responsibility to patrol atms that are privately owned by stores, bars, and clubs? it is not the bank’s responsibility to protect you from using tampered equipment which is not owned by them, not associated with them, and not controlled by them.

              it’s the same as if you were phished for your online banking information – the protections exist for the consumer, but does that really mean you should go putting your credit card number into every site that asks for it willy-nilly, just because you expect your paternal bank to stop all the bad guys? a little bit of personal responsibility goes a long way.

    2. catch

      I am absolutely dumbfounded by the number of people who disagree with my basic statement that the banks should be doing more instead of just pushing risk on to their customers.

      You think you’re being good citizens, but you don’t understand risk management and are being manipulated by those who make billions in this exact field.

      1. Mike

        “I am absolutely dumbfounded by the number of people who disagree with my basic statement that the banks should be doing more instead of just pushing risk on to their customers.”

        We’re not saying that banks don’t have a responsibility or that they shouldn’t be doing more.

        What we’re saying is 1) that we’re all in this together and 2) by looking out for one another, we all benefit.

        I’m sorry to hear that you have no interest in looking out for anyone besides yourself. And maybe, just maybe you should consider what the responses to your statement mean, both in general and as to how they reflect on your personal attitudes towards other people.

    3. BrianKrebs Post author

      Hrm. More trolls than usual here in the comments lately. Odd.

      Anyway, yes, in the US at least, ATM customers have rights, and they are not going to be held liable for skimming losses — although they may temporarily have stolen funds unavailable until the bank recognizes and rectifies the situation.

      But don’t forget about your physical safety. Anytime you’re in public handling large amounts of cash, there’s a better than even chance that someone might just try to take it from you. Hence, awareness of your immediate surroundings is a must.

      1. Nicholas Weaver

        Agreed on both fronts, and I’ve had a similar protocol to Brian’s for years (ALWAYS tug/pull forward the card slot), specifically because of skimmers, and I only use built-in-to-bank ATMs (no Point-of-sale use of my ATM card as those have an even larger problem with skimmers etc, and my ATM card is ATM only, no Visa/MC logo)

        I know that, in case of fraud, I’m not liable, but there is a lot more hassle in ATM fraud than credit card fraud: With credit card fraud, it’s the credit card company’s money until I pay the bill, so they have an even greater incentive to solve the problem than my bank does.

        And I also wonder what is the ratio of dollars lost to skimmers to dollars lost to muggers at ATMs (and mugging is far more painful, too…).

        Which is why I put my situational awareness dial up to 11 when using the ATM.

      2. Mark

        The oddity to me is the number of people who vilify banks for making money. All businesses make money. Why not vilify grocery stores, car dealerships, and hot-dog stands? They make money too. What, do these people want all banks to stop making money and go out of business? “Odd” is an understatement. Particularly when you consider (as has been pointed out) the fact that banks are on the hook to refund consumers for fraud perpetrated against their accounts. People don’t lose money from this kind of fraud. People are inconvenienced, and banks lose money. Like a lot of banks, the one where I work just upgraded all of its ATMs with anti-skimming devices. I agree with the comments that we are all in this thing together.

        1. SkiddMarx

          Banks used to make their money off interest from the loans they made, but with interest rates so low, they have turned to customer fees for their income, which is the reason for the customer ire.

          1. JCitizen

            I’m not a financial genius to be sure, but I don’t understand this system. You would think with the Fed charging near zero interest for banks to borrow money, they could easily afford to loan it out, and make a buck. Instead they dump credit card debt on us, so they can charge usurious rates, and keep us in the gutter. If I had known Bank of America was breaking the Fed laws by refusing me a personal loan to reduce my credit card debt, I would have turned them into the SEC a long time ago. They said they would LOVE to charge it to my credit card!!

            Banks love charging fees and credit card debt, but hate doing business as usual, where they would be truly servicing the customers. This is why I hate the banks; too much greed and not enough give a sh*t for the community!! We should have blocked letting banks issue credit cards a long time ago; like it used to be – it was only the promise they’d not abuse the system, that they were allowed to do it in the first place. They are not obeying this principle, and they are not servicing the communities that put them in charge of our money. I went to the association/credit union model a long time ago! Good riddance to the old banking model! I’ll not cry over your grave!

      3. Robert Spotswood

        While I agree with most of what you said, especially the “awareness of your immediate surroundings is a must.” But in a way, that directly conflicts with your earlier advice “visit only well-lit ATMs [after hours]”.

        Having worked at a haunted house for many years, I know full well that being lit up doesn’t make you safe. People can see into light places from dark places quite well, but people can’t see from well lit places into shadows. Being lit up makes it easy for any mugger to (a) spot you using the ATM, and (b) see if you took out any cash.

    4. catch22

      Spoken with the grammar and pompousness of a phisher – Security is everyone’s responsibility, not just the banks, silly.

  2. Marty

    Hi Kreb,

    I’ve been reading your blog rabidly and quite frankly am scared of how crazy some of this stuff is.

    I was wondering on sites like badB where people are selling cards for as little as $2 which is frankly scary.

    What do they do with the cards? What can they do, they can’t really buy anything, I’m sure the bank tracks them, don’t they?

    I thought I’d post this again just in case you didn’t see it.

    1. Corey

      I had this happen to me. Somebody got my PIN to my bank card. They take your card number and make their own card to use with your numbers. Sure the bank tracks everything, but it may take a while before red flags start to show. I live in Texas and somebody in California charged $1200 in about 6 hours. They charged 200 at one walmart, 200 at another walmart, 300 at target, several stores multiple times, I guess they got hungry because they stopped at a Quiznos and then a Jamba Juice, and then a 100 dollar hotel room. I received a courtesy call from my bank but I was in an area with no reception so I didn’t get the call till the next day. Some of my bills were late, it took my bank a week to process my claim. I only had 300 in checking so the rest came out of savings and an overdraft loan.

      1. Moike

        >I only had 300 in checking so the rest came out of savings and an overdraft loan.

        Wow – even thieves get rich from bank overdrafts!

    2. Nic

      There’s another poster above who wrote that they were “enlightened but not frightened.” This is a good position to take.

      Brian shows us how these scams work. Using that knowledge we can sidestep the scams. For example, instead of swiping a credit card at a gas station pump, I pay inside. Instead of using random ATM machines, I make withdrawals in person or at least use an ATM machine physically inside my own bank.

      Don’t be scared, just put Brian’s investigative work into action. 🙂

  3. Bill in Casco, Michigan

    Great pictures, Brian! Fascinating to see how sophisticated crooks are getting. I think that’s a spring opposite the magnetic head, isn’t it?

    1. BrianKrebs Post author

      Correct. If you look through some of the other images from past skimmer posts, you’ll see the same. It just needs to create a magnetic field between it and the magnet below so that it can tell when a card is inserted.

  4. Lee

    I find myself tugging on the ATM machines all the time. I do the same at gas stations and I tend to stick to the same gas station and pumps as much as possible. I should notice a difference if anything is out of place.

    I also do not use ATM machines to get cash; I use the cash-back feature that most grocery stores offer. I tend to only use a small limit credit card at gas pumps and pay it off every payday.

  5. Dayve

    As a technician that works on ATMs I recognize these photos from some of the many trainings I’ve been to within the company. I can assure you these photos are used in security bulletins and trainings for combating these kinds of attacks and also assure you that my company works very closely with all its banking customers to make them aware and provide service to prevent these devices from working. The banks and the ATM companies are NOT sitting idle on this.

    1. Jason

      Thanks for replying, Dayve. It’s good of you to share your viewpoint. My bank in the past has notified me multiple times when they believe my card has been skimmed. In every case, they notified me before the culprits were able to extract money.

      It makes no sense for people to just blame banks when banks are responsible financially for any funds that are taken. There’s a strong incentive for banks on that basis to take strong action.

  6. Kevin

    Can you describe more about what is used to attach the skimmer, at least for a majority of the types, both past and more recent present? just two-sided tape? (grin)

    What could one reasonably expect by ‘tugging’ on the card-reader housing? would most of these skimmers actually come loose?

    Thanks

    1. AlphaCentauri

      The skimmers are expensive, and they can’t stay in one place long. As Dayve pointed out, the banks do look for them. That’s why Brian keeps telling people to assume the thieves are nearby watching. They attach the skimmers quickly, and they must remove them quickly to retrieve them for another use. While some skimmers transmit the data by Bluetooth (again, thieves must still be nearby) or even text message the thieves, others simply store the data until they are retrieved.

    2. Dayve

      Typically the data is stored on a local flash card type of device and the person that affixed it to the ATM will come by and grab it later when no one is around. That is why if something looks suspicious you may want to tug on it and see if it is loose or comes off. Double sticky tape is widely used so it’s easy to tell.

      We are trained that when we see one to never touch it. We contact the financial institution and tell them to mark the ATM out of service through the network. Keep in mind that just because an ATM may be sitting in a remote area with little foot traffic does not mean it is forgotten. There are several teams of people that visit the ATM often if not every day such as cash handlers (Brinks, Loomis, etc) and balancing teams that are trained to look at the machine prior to leaving and reporting any suspicious items. The reason we do not touch the suspected device is obvious, the detectives and/or local authorities will want to collect as much evidence as possible including but not limited to finger prints.

      Our ATMs are coming installed with standard preventative measures and additional options can be added on to really protect the ATM including Anti-Skimming, Anti-Fishing, Jitter, Tilt, Proximity, so on and so forth. Some ATMs are configured to shut down and notify the host network right away when devices are suspected.

      One of the craziest setups I’ve seen is a remote DLink Camera nicely hidden behind and above the customer that would video record and transmit to a nearby thief the pin that they typed in. Keep in mind, it is not just the card reader that is attacked. They have pinhole cameras that can be hidden in light fixtures, envelope holders, bogus keypad overlays can be on the original keypad. It is a never ending battle but if you use a reputable ATM from a company like Diebold, NCR, Wincor then your chances are growing less and less that you’ll become a victim. Coupled with if you’re with some of the bigger banks like Bank Of America, Wells Fargo then they are the ones that spend even more money for the extra protection.

      1. Tony Smit

        “We are trained that when we see one to never touch it.”

        Which means the rest of us should not be tugging on them?

        1. Nick P

          I was thinking the same thing. I figure if we reported it to the police and cited Brian’s recommendation to tug on them as a precaution, then they would dismiss our fingerprints if they found them. You could always do it with your shirt sleeve or jacket. Or wear gloves that don’t look suspicious.

          1. AlphaCentauri

            As far as the outside of the skimmer, there will be too many fingerprints to be useful. It makes sense to be careful not to start poking around the stuff inside.

            I have a feeling that if one of us called a bank and said we thought there was a skimmer attached to their ATM, they might not be so quick to shut the terminal down via their network as they would if someone like Dayve called.

  7. Julia

    re: well-lit ATMs
    What about drive-up ATMs at a bank that are well-lit but totally deserted in the evening. Is it any safer to be in a car when withdrawing cash? I probably wouldn’t notice anyone approaching while I am busy at the display & keypad.

    1. Dayve

      I think it is a little safer to be in a car but I would never use an ATM if it is not in a well lit area and I was by myself. The most common attack is the good ol’ “stick’em up” robbery. These ATMs have good cameras and record everything, even when there is not a transaction occurring.

  8. Thirsty

    Were the chip ID numbers removed from the image or were they no longer visible on the chip package?

      1. Marty

        @Brian,

        It’s amazing how you spotted these. I probably’d be none the wiser.

        Also I just got told by someone that they had lost $1200 from fraud, but I also heard that some people are ordering stuff online with stolen details, WTF can they actually do that. Ie: send stuff to their house and not get caught?

          1. Marty

            @Brian

            Wow that’s crazy.

            Don’t sites that sell things like the macbooks and Imacs (I actually had a friend who had 20 apple products charged to his debit card) recognize that the card is fraudulent, assuming that they buy from the big guys like amazon?

            Also since reading this blog I have started to tighten up my slack on things, thank you for making me more aware.

            1. AlphaCentauri

              The bank that issued the credit card is the entity that would notice the unusual activity. Some are more vigilant than others. (We can’t go on vacation without notifying Citibank first, because they’ll cancel our card if we charge gas in multiple states and aren’t home when they call our house.)

              But I suspect that even if the bank is fairly vigilant, a company like Amazon may have already shipped the product before they get a chargeback and find out the card was bad. The merchant eats the charges, and the product is already on its way to the reshipping mule.

              When our credit card numbers have been stolen, getting the charges removed has meant having all the cardholders go to a notary to sign a form saying the charges weren’t ours. So I suspect the charges were initially approved.

        1. xspork

          Great article and really something people need to look out for. I’ve been skimmed before. Luckily my bank caught it because the skimmer (or the person who bought the information) was physically trying to swipe the same card that I had just swiped at a gas station in another state. The FBI called me a few days later as part of an ongoing investigation. Apparently this person was using a magnetic writer to write the information from the skimmer onto blank cards. They would take the cards to an electronics store and use them to purchase several thousand dollars of electronics, games and DVDs. I was one of the lucky ones that didn’t lose any money, but I have learned my lesson nevertheless!

  9. marty

    I am wondering where the camera for the PinPad is.

    1. arp

      Looks like it’s on the end of those copper coloured ribbon cables in the 2nd photo

  10. Nowheredude

    How much does it cost to make something like that? And no, I’m going to make one. Thanks.

    1. Nowheredude

      NOT going to make one. Sheesh. I need an editor.

    1. JCitizen

      Excellent example! Thank you bert!! 🙂

  11. Jerry Benjamin

    Yes, tug on the ATMs. If a skimmer comes out, stomp that sucker flat and run like hell!

  12. Bill Mercer

    A skimming victim may not be legally liable for charges, but try to tell that to your landlord when your rent check bounces because you got skimmed, or the collection agency who starts calling you.

    This whole notion that your liability is limited, therefore it’s not a big deal can only be coming from people who have never been the victims of fraud or identity theft.

    Catch may have irritated a lot of people with his rude initial comment and his casual attitude, but he DOES have one legitimate point. It’s imperative that customers hold their banks’ feet to the fire on security.

    Next time you read an article about a skimmer in your area, call your bank and ask them what they are doing to protect you.

    And if you happen to encounter such a device, call the police AND the news media. I’m not a fan of the way today’s news media rely on sensationalism and drama rather than factual reporting, but bad press is one of the few effective tools customers have to protect themselves from corporate laziness.

  13. jw

    I work for a large bank and sit adjacent to the folks who call customers with overdrawn accounts. What I hear day in and day out is that while, technically, the customer is not responsible for fraudulent charges, it can (and does) take awhile for our Security Department to properly investigate a claim. Meanwhile the customer is without the stolen funds. We don’t refund the missing money until we’ve confirmed that the funds were stolen from a customer (not /by/ a customer claiming it wasn’t their fault: you’d be amazed, frankly).

    While, yes, you’ll get your money back eventually, why put yourself through all that when there are a few simple things you can do to keep yourself safe(r)?

    1. The Regulator

      Regulation E requires that the financial institution provide at least provisional credit to the customer within 10 business days of being notified of the error. Of course if the issue is resolved earlier, credit would be provided earlier.

  14. Jason

    The machines have colour displays on them, can’t they show a picture of what the slot is supposed to look like on the screen before you put your card in?

    1. Nick P

      I’ve recommended this. Of course, there is the risk that the attacker will make a skimmer that looks like the real thing. The countermeasure might make that difficult b/c most skimmers’ electronics take up a decent amount of space. A downside is that the graphics on most ATM’s I’ve seen are almost cartoonish. What is pictured looks *something like* the real thing. Hence, the attacker making the card reader look a bit different on ATM’s like that might not set off alarms.

      After we beat skimming, the next attack will be on ATM’s themselves. One researcher at Black Hat has already shown the machines’ OS’s are ridiculously insecure. If I recall correctly, quite a few still run OS/2. It’s definitely reliable, but OS’s like INTEGRITY have excellent security & reliability. Most of these safety-critical OS’s have GUI’s, networking, etc. Even QNX is better and it has tons of middleware.

      The ATM’s need secure OS’s and IOMMU’s to prevent them being hacked. I wonder how many are rooted right now.

      1. JCitizen

        Something I’ve always wondered about myself. Do ATMs have firewalls? Seems like they’d certainly be VPN’ed to a service behind a very secure gateway device. But just when you think common sense would be the norm; BOOM! You find out your worst fears were right! ]:)

        Of course if a POS can be compromised by hardware, so can an ATM – I suppose.

      2. Clive Robinson

        Nick P,

        First off “skimming” will always exist as long as it is possible to do it somewhere…

        The banks know only too well that “Mag stripe” is trivially vulnerable and in Europe have replaced it with Chip-n-Pin, however there is a nasty little catch,

        “Backwards compatibility allied to customer service”.

        Basically because the Banks in the US and other places don’t want to give up Mag-Stripe and don’t recognise “Chip-n-Pin”, for customer service reasons your European card still comes with a “Mag-Stripe” and as US cards don’t come with Chip-n-Pin then European ATM systems were designed to fall back to Mag-Stripe if the chip was “not present”.

        Thus a little bit of nail varnish on the chip contacts turned a European “Chip-n-Pin” card back to an old style very insecure “Mag-Stripe” card…

        And this glaring loop hole is very much down to the banks, merchants and card issuers.

        Now I need to make a disclaimer here, I don’t like “Chip-n-Pin” it was badly designed specifically to externalise risk away to those who could least afford to protect themselves, ie the customers. And in the UK certainly most major banks have been caught out lying to customers over their legal rights in very recent times (ie less than a month or so ago).

        So I can understand part of “Catch’s” argument that more pressure needs to be put on banks.

        As for O/S2 yes it’s still in use and the reason is one of licencing fees to Microsoft. The details go back well into the last millennium and revolve around agreements thrashed out between IBM and Microsoft, due to which Banks and other organisations that took up O/S2 licences got preferential support terms that in the case of large banks is a very big saver in expenditure.

        Worse however is some ATM’s appear to run either on early MS Windows or worse Win CE or worse still “windows mobile”…

        From what I have been told (but cannot verify) Microsoft are so desperate to get Win CE / Win Mobile used they are offering more “licencing deals of the Millennium” just to get some market uptake…

        Now whilst I would agree that the O/S situation is woefully inadequate in ATM systems, I’m still more concerned about the “legacy effects” of “Mag-Stripe” especially with some companies offering what is very close to “snake oil” (magnetic particle/domain noise as a card fingerprint) to extend “Mag-Stripe” and thus “skimming” life…

        1. Nick P

          @ Clive Robinson

          “skimming will always exist as long as it’s possible to do it somewhere”

          Rare slow moment, eh Clive? I’m not worrying about it technically 100% eradicated world-wide. I’m talking about eliminating that risk for my bank account and others that push better practices. I don’t care if some other bank is using inferior practices.

          Re: Chip-n-Pin. Totally agree, especially on shifting losses. It’s a dirty scheme. Ross Anderson has blasted it repeatedly.

          Re: OS/2 & Microsoft. I could be wrong, but IBM owns it. This is evidenced by their unilateral decision not to opensource it. There might be a dual royalty agreement or something. They also licensed the technology to eComStation, which updated it & supports it. Aside from legacy, its community touts its reliability. However, ATM use case, a RTOS with middleware is usually more reliable.

          “Worse however is some ATM’s appear to run either on early MS Windows or worse Win CE or worse still “windows mobile”… From what I have been told (but cannot verify) Microsoft are so desperate to get Win CE / Win Mobile used they are offering more “licencing deals of the Millennium” just to get some market uptake…”

          I really hope not. I saw it coming, but it’s a horrible possibility. Complex WinCE devices I’ve owned would randomly crash or break. Windows Embedded worked more reliably! Both are inferior to OS’s like INTEGRITY, QNX, LynxOS, etc. They should just throw OpenBSD at it if they want it cheap with most of the RAS & security benefits. Melt the USB connectors & use serial/SATA-in-serial-mode for local access w/out big security issues. All aforementioned OS’s have reliable drivers for both & neither are DMA. No direct graphics access for apps: virtual framebuffers. Trusted boot. There’s Freescale POWER boards with crypto acceleration that could meet these requirements. However, all in all, we both know it won’t be done & next they’ll be putting Windows 95 default installs on them. Virtualized with VirtualBox to “ensure total isolation.”

          Re: Magstripe PUF technology. I think you’re a bit hard on them. Our discussions with them on Schneier’s forum (and here too?) got plenty of useful information. So long as the fingerprints are accurate & compatible readers are mandated, it should make cheap duplicated-based fraud really hard. This would reduce risk quite a bit. I mean, really, what level of sophistication and cost does your attack take to fake one card? And where people wouldn’t notice (consistently)?

          1. JCitizen

            We’ve also discussed the technology of “MagnePrint” (to be exact) exhaustively on several forums, and so far nobody can shoot it down. I’m not sure what others are referring to, but the concept is solid as far as I can tell.

            I personally think combining it with PassWindow may be a killer combination. If for no other reason, the technology is cheap to implement, and no one has convincingly defeated either of them, so why not take the cheaper risk. Chip & Pin has its legitimate detractors; and is very expensive.

            1. Nick P

              Yeah, I think the MagnePrint technology is good enough. I’m always for eliminating the low hanging fruit. Legacy & marketing will always be a major obstacle for securing anything, especially credit cards. MagnePrint, if their spokespeople were honest, is in the best position to stop card duping.

              I like your idea of combining it with PassWindow. I really wish that wasn’t patented. Right now they’re competitors. Might be tricky to get them to work together & get banks to roll it out en masse.

  15. MTCHflow

    Why no leave us alone Brian???? We has no money like you whites has in Americas, ok????? We need to steal rich for poor survive, only can be natural thing see?

Comments are closed.