September 20, 2011

An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say.

Before I get to the gang, let me explain briefly how ATM skimmers work, and why 3D printing is a noteworthy development in this type of fraud. Many of the ATM skimmers profiled in my skimmer series are carefully hand-made and crafted to blend in with the targeted cash machine in both form and paint color. Some skimmer makers even ask customers for a photo of the targeted cash machine before beginning their work.

The skimmer components typically include a card skimmer that fits over the card acceptance slot and steals the data stored on the card’s magnetic stripe, and a pinhole camera built into a false panel that thieves can fit above or beside the PIN pad. If these components don’t match just-so, they’re more likely to be discovered and removed by customers or bank personnel, leaving the thieves without their stolen card data.

Enter the 3D printer. This fascinating technology, explained succinctly in the video below from 3D printing company i.materialise, takes two dimensional computer images and builds them into three dimensional models by laying down successive layers of powder that are heated, shaped and hardened.

3D printing in action from i.materialise on Vimeo.

Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. Last year, i-materialise blogged about receiving a client’s order for building a card skimmer. The company said it denied the request when it became clear the ordered product was a fraud device.

3D printer firm i.materialise received and promptly declined orders for this skimmer device - a card acceptance slot overlay

In June, a federal court indicted four men from South Texas (PDF) whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer. According to statements by the U.S. Secret Service, the gang’s leader, Jason Lall of Houston, was sent to prison for ATM fraud in 2009. Lall was instrumental in obtaining skimming devices, and the gang soon found themselves needing to procure their own skimmers. The trouble is, skimmer kits aren’t cheap: They range from $2,000 to more than $10,000 per kit.

Secret Service agents said in court records that on May 4, 2011, their undercover informer engaged in a secretly taped discussion with the ring’s members about a strategy for obtaining new skimmers. John Paz of Houston, one of the defendants, was allegedly the techie who built the skimming devices using a 3-D printer that the suspects purchased together. The Secret Service allege they have Paz on tape explaining the purchase of the expensive printer.

“When [Lall was] put in jail, we asked, ‘What are we going to do?’ and we had to figure it out and that’s when we came up with this unit,” Paz allegedly told the undercover officer.

The government alleges Paz also was the guy who encoded the stolen card data onto counterfeit cards. The feds say Albert Richard of Missouri City, Texas prepared ATMs at numerous banks where the skimming devices were installed, by covering the ATM cameras or spray-painting over them, and by acting as a lookout.

A fourth defendant, John Griffin, is alleged to have used the counterfeit cards to withdraw funds at different ATMs around Texas. Prosecutors allege the group stole more than $400,000 between Aug. 2009 and June 2011. Prior to their arrest this summer, the gang started making decent money but they split the profits amongst them. Federal prosecutors say the men stole $57,808.14 in month of April 2011 alone (yes, that’s an odd amount to have come out of ATMs, but I digress).

The court documents don’t say how much the men spent on the 3D printer, nor do they include pictures of the fraud devices. The Secret Service declined to offer more details, citing an ongoing investigation. But i.materialize’s Franky De Schouwer said a high quality 3D printer can be had for between $10,000 and $20,000.

“Just looking at the idea of 3D printing a potential skimming device, a criminal could invest in buying a desktop 3D printer,” De Schouwer wrote in an email to KrebsOnSecurity. “Not a kit printer in the line of a Makerbot or a RepMan but a desktop printer of a high end manufacturer of 3D printers like Objet, 3D Systems or Stratasys (HP). You could get one of those between $10,000 – $20,000 and they will print a high quality skimming device that, including some post finishing, will look like the real thing.”

De Schouwer said his company thankfully hasn’t had any more requests to print ATM skimming devices. But that doesn’t mean the demand has gone away.

“We do notice that some people end up on our blog with the keywords ‘I want to buy an ATM skimming device,” he said.

A copy of the original complaint in this case is available here (PDF).


87 thoughts on “Gang Used 3D Printers for ATM Skimmers

  1. JCitizen

    I was just reading tonight about using 3D printers to manufacture organs for medical transplants. Will human ingenuity never cease?

    Yep! – stupid question. :p

    1. Natanael L

      They’re commonly used for prototyping, so no, not really, if you’ve already got a garage full of CNCs and such tools.

  2. grumpy

    The odd amount stolen could include fees for using ATMs – since the cost was forced on the card owners without prior consent, it’s technically theft. It’s like bank robbers dropping part of the take by mistake – it doesn’t lessen the amount they took out of the register. However much the thieves actually got away with is only of passing interest to a court of law.

    But it’s an interesting development. 3D printers are hereby officially commodities. 🙂

    1. BrianKrebs Post author

      Ah, you’re probably right, Grumpy. I hadn’t thought of that. The complaint against these guys doesn’t mention any victims outside the U.S., but then again why would it? 🙂

  3. a problem with spam?

    Same goes with devices used to counterfit currency, high value items with only a limited number of buyers and more importantly a select number of sellers it would be very easy for government agencys to track

    they could also be using the yellow dot technique like they do for normal printers to track counterfitting,

    also would the software used to create the images detect that they are pieces for atms like such software as adobe photoshop detects bank notes and stops the image.

  4. wiredog

    The first google hit for “I want to buy an ATM skimming device” is this place. Some Russian site that reprints this story was number 3 or 4.

  5. Paul Chernoff

    Nice article. I noticed the bit about criminals disabling the security cameras in various ways. Should the banks automatically disable ATMs whenever there is a security camera problem, and the ATM can be turned on only after a person checks the ATM? This way someone could check for an ATM skimmer after a temporary camera outage.

    Which gives me another idea. Perhaps ATMs could be marked at specific places, and if these marks were covered up the camera could detect this change and shut down the ATM?

    1. F-3000

      I wonder why anything alike is not in use already, that the ATM turns off if the camera view is tampered.

      Colourful dots in specific positions in the ATM that a program watches thru the camera. And if any of those spots has disappeared once a person leaves at the front of the ATM (a program should be able to recognize when there’s a person at the front of the ATM), an alarm is given – at least.

      Two cameras, and you’ll have stereo-view, which can be used to measure the position of the dots: if skimmer with painted markers is added, which (if) changes the depth of the spots, would still cause alarm.

      If camera quality is good, the dots don’t have to be *clearly* visible for human eye.

      False alarms would propably become a problem, but it would be a lot more secure to use those damn ATMs.

      1. KJ

        I doubt that ATM camera images are viewed in real-time and are probably stored locally on hard-drive or tape. This would make remote disabling unlikely when tampering is done to the camera that does not trigger inertial or breakage type alarms (I’m assuming that ATMs use some type of local or remote alarms if knocked over or bashed with a hammer). Maybe some type of local automated monitoring of camera images could be done, but this adds complexity and cost.

        1. Dave

          Sure, but it should be fairly trivial for an ATM system to recognize that it is not getting a good image, especially if that image is blacked out.

          Simple pattern matching would go a long way.

          1. KJ

            Sophisticated techniques could be used but I doubt that they are. I would guess that most ATMs are simple dumb terminals using dedicated phone lines. It wouldn’t surprise me if the cameras in a large fraction of ATMs don’t work or are just decoys. Who is actually liable when a customer is victimized by an ATM skimmer? Does the bank make it up or does the bank say the customer should have noticed the ATM had been tampered with? The cameras are probably there more to discourage physical theft of money from the ATM than to prevent ID theft.

            1. John David Galt

              Depends on the country. In the US, consumer liability is capped at $50 (credit cards) or $500 (debit cards) unless the consumer waits a long time to report a loss (which effectively means, unless the charge showed up on the consumer’s monthly statement and he didn’t speak up within a month), so the bank winds up “eating” most ATM fraud costs (but if fraud is conducted by buying at a store or web site, the merchant probably has to “eat” the cost instead).

            2. Jason

              The Diebold ATMs I am sort of familiar with run Windows XP or Windows XP-E. They have a “dumb terminal” application that interfaces with the PIN pad and the bank systems. That app is locked down hard. I’m pretty sure Windows is used to manage remote access controls. I know there is anti-virus and a software firewall in place as well as a third-party remote desktop app.
              Also, their connections are either cellular or WAN with very few still using dial-up.
              I haven’t seen the inside of an ATM in a long time, but I’m pretty sure that there is a little keyboard in there for interfacing with Windows.
              Newer ATMs do all sorts of fancy things that they probably oughtn’t. You can watch full TV commercials on the screens before swiping your card.

        2. Anton

          It all comes down to economics.
          Banks could come up with much more secure ATMs, much more secure internet banking, but it would cost. The figure the cost of the controls vs the probability of losses. Think “ALE”.

          So long as the customer doesn’t feel the cost, as other contributors to this article have noted about credit card ID theft, so long as the banks and the vendor absorb the cost and the the customer doesn’t scream for the government to do something, the criminals will get away with whatever level of theft the banks allow so long as it is within their risk-loss calculations.

          As long as it fits in the risk-loss calculations there will never be security upgrades.

          Oh, as engineers we can figure out great protective and detective controls; no doubt the criminals are ingenious too 🙂 But enhancements cost money and the whole ATM thing is a money-saving effort — make the customer do the transaction without the bank having to pay for staff and premises.

          1. KJ

            Credit card, debit card and the old type of bank cards all operate under different levels of regulation. Credit cards are the most regulated and offer the best fraud protection. As long as the card or the usage of its number is reported in a timely manner, the victim is made good (excluding a minimum of or was $50). theft amount is basically distributed among all the users of the credit card company. Debit cards and bank cards (that offer access to one’s own personnel bank account) have little to no regulation and fraud protection. Making good the theft is probably dependent on a bank decision or through criminal/civil courts once the culprit is caught.

          2. JCitizen

            Brian provided me a link below that leads me to believe, that cost-be-damned = VISA is converting the world to chip-and-pin. I never thought I’d see that, I tell ya!

            Looks like they will be shouldering most of the cost!

            1. BrianKrebs Post author

              Hrm. I think the group that will shoulder the cost in the short run are the merchants who have to replace all their terminals to be able to handle EMV and contactless cards.

              1. JCitizen

                Yes, but the article you linked, mentions some kind of compensation system for merchants. Maybe I’m just not reading the King’s English correctly?

                Sounds like another good subject for another article!!

              2. JCitizen

                I quot this from your link source:

                “Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer
                processors to support chip acceptance and the introduction of U.S. liability shift policies.

                Specifically, Visa will waive PCI DSS compliance validation requirements to encourage merchant investment in
                contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure their
                systems support dynamic data acceptance, i.e., chip, and will institute a domestic and cross-border counterfeit
                liability shift.”

                And Brian, forgive me for not thanking you for that link; it was derelict of me! :p

              3. F-3000

                @Brian,
                “Short run”? The process of switching from strip to chip has been ongoing least ten years in Finland. Only lately it has become more common to have the chip-readers (per my experience).

                1. BrianKrebs Post author

                  JCitizen’s question was about US retailers. I’ve written several skimmer articles about how the US is behind the rest of the world in this regard.

                2. JCitizen

                  Now that VISA is apparently taking the lead; I shouldn’t doubt that the US banking system will be shortly adopting Chip & Pin as well. The costs should go down considerably – especially compared to the liablity costs.

                  I would think VISA is one of the biggest banking institutions in the world; they have the deep pockets to finally see this through in the US.

      2. anon

        Much more simpler checks can be done (and in fact are, at least in Europe and Australia AFAIK), [not to mention so-called antiskimming devices] :

        ‘proximity sensor’ which checks presence of any strange object near the card slot, for the time longer than usual (to avoid false alarms during standard ATM operation).

    2. Datz

      Here in India we have a better solution. We place a security guard in front of the ATM 24h. Which, if you ask me defeats the very purpose of an ATM (to reduce the number of personnel employed by the bank), but then we have so many people available any way 🙂

      1. Bob

        and we trust that the security guard isn’t the one doing the skimming, or the cleaner pushing a mop around the lobby…

      2. Jason

        That works for banks, but not for other locations.
        In the US, gas stations typically have ATMs tied to one bank or another. Also, there are ATM terminals at some retailers that let folks withdraw money at the POS (for places that don’t want to go through the expense of accepting credit cards). There are even ATMs with cellular connections on the back of trucks that are wheeled to sporting events or concerts temporarily.

  6. lostgen

    The odd amount could come from money withdrawals in foreign countries and thus reflect exchange rates.

  7. timeless

    Brian, minor thing:
    > $57.808.14

    I presume that the first =period= should be a =comma=, I don’t know of a locale where the thousands and decimal separator are the same (and I’m glad to be back in North America where the thousands separator is the comma and the decimal separator is the period).

  8. Bob

    Repeat, Card Skimmers,
    Card Skimmers,
    Card Skimmers, …

    they’re not ATM skimmers, POS skimmers, gas pump skimmers, lobby door swipe skimmers,
    they’re not skimming the ATM,
    they’re skimming the data from the card.

    Card Skimmers.

    The issue is with the card, not the ATM.

    1. F-3000

      You know what, Bob… I got two Visa electron cards, both with a chip. Plus, the damn magnet strip for backwards compatibility. If the strip wasn’t needed, I would destroy it, but there’s quite a handful of shops that got old equipment.

      But you’re correct. The problem is with the card.

  9. Cindy Faith

    Must admit that even after closely reading your article about skimmers in the spring, I fell victim to one! I believe it was installed in a bank of gas pumps in a remote gas station in Delaware. Although my credit card was safely in my possession, someone ended up with a newly minted card with my account number on it. They, in turn, enjoyed a one-day $5,000 shopping spree in Pennsylvania. Fortunately my VISA vendor recognized the aberrant shopping pattern and called me within 24 hours. What galls me is that the cost of this crime was absorbed between the VISA vendor and various merchants. The criminal got away….with lots of material goods.
    Grrrr…..!

  10. Chrome

    “…the street finds its own uses for things” – “Burning Chrome” – William Gibson, 1982

    1. JCitizen

      I always did want that magazine “OMNI” that featured some of his work. But I never was able to afford the subscription.

  11. Rob

    Chip and PIN would remove the problem. Magstripe is the absolute weakest link in the chain and the sooner its forcibly removed by the schemes/government/financial regulators the better. Chip and PIN cant (currently) be copied, just the stupid magstripe that the US and a few other third world countries seem determined to hang on :o) All the time criminal gangs take the money, then invest it into something else that equally criminal (drugs, gungs etc etc) and the authorities site back and let it happen.

    Saying that, I could use a 3d printer to make an axe and go on an axe killing spree, hardly the 3d printers fault is it..

    1. Andy W

      Sorry Rob, but chip and PIN can absolutely be copied, and often is. Replace the card reader with a doctored version is one way. All you need is to shoulder-surf the PIN (or not actually need to know it at all) and you can make a copy card within minutes. It’s safer than stripe, but only just.

      http://www.guardian.co.uk/technology/2008/jan/03/hitechcrime.news
      http://news.bbc.co.uk/1/hi/business/7557956.stm
      http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

      1. Tim

        I would definitely trust chip and pin to mean my card can’t be cloned, and here’s why

        The way I understand it, chip cards work by challenge response authentication – when inserted into a reader the chip gives its id number (Similar to what you get on a magnetic strip), and the ATM presents the card with a challenge – the answer can only be computed using the secret key stored on the chip. The chip computes the response and returns it. The secret key is never exposed during this process, and the challenge will be different each time to prevent obvious attacks. The only way I can see that this could fail is:

        1.) There is a security vulnerability in the firmware on the chip which can be exploited to get the chip to reveal the secret key (Unlikely, but possible, and if found newer versions of the card would be issued once a fix for the vulnerability is found)

        2.) An attacker got their hands on the card and somehow managed to extract the key by forensic analysis ie: taking apart the chip (This would usually cost far more than the value stored in the account, and would require posession of the card for a considerable amount of time)

        3.) An attacker manages to memorise the card number, name, expiry date and cvv as printed on the card (possibly by taking a digital image of the card) and uses these for internet style transactions (This does not compromise the security of the chip, but rather a weakness in e-commerce)

        In the links Andy provided:

        The first looks like a case where sellers computers are not connected to the bank (some systems work in this way where the network is unreliable), and therefore cannot validate the transaction. (As soon as such a connection is made they would see the fraud and would not be able to charge your account in any case)

        The second appears to be a case of number 3 – where the secret key was not compromised, but the visible details on the card were copied – the card was not cloned.

        The third requires possession of the card and relies on an older protocol that is being phased out (The chip and pin cards have fall backs for older modes of authentication.) Granted this is disturbing, but once again the card was not cloned.

        I feel that the chip and pin system is great, but that something similar for online transactions is required for real security – it is like the banks have locked the front door only to leave the window open.

        1. JCitizen

          Chip & Pin is a very expensive and failed technology. I feel their are better, more simple tech out there.

          C&P has been pwned in so many ways, it isn’t even worth it to provide links here. Just google it.

          Yes it could prevent many problems, but at what cost? This is why the US has not adopted it, and will never.

            1. JCitizen

              Only VISA would have the deep pockets and world wide ubiquity, to make such a system affordable. I wonder what they will do about RFID cracking on those contact-less cards?

              I must admit, the math would work for them, in that if you build enough of them, the cost drops to practically nothing, but getting merchants on board will be heroic; I got to tip my hat to them. Maybe they figure the loss on startup cost is finally cheaper than the fraud.

              I was very disappointing the other day to learn Discover Card is dropping their Secure Online Card Number system. They obviously decided paying for the fraud was cheaper than that system!

    2. KJ

      I think the main point of criminals using skimmers on ATMs is to capture the PIN along with the card data. This allows them access to cash. Obtaining the card information alone allows the criminal to purchase items in physical stores or on-line which they can use or more likely resell to obtain cash. Cloning the card whether it has a mag strip with or without a chip is secondary, not primary.

      1. JCitizen

        Not so on Magneprint technology POS devices. If you attempt to replay the swipe, the transaction will be rejected. However – that predisposes
        that all readers are Magneprint. They would get away with it on a regular card reader.

        I shouldn’t think one would have to put a pencil to this to figure out it is cheaper than Chip&Pin, and practically impossible to counterfeit.(as far as anti-cloning goes)

        1. Nick P

          Magprint is certainly one of the best defenses available today that is commercially viable on a large scale. The next best thing would be something like IBM’s ZTIC. Would go on your key chain and you’d use it for POS & online transactions.

  12. SZG

    Part of the problem is that the amounts are still small percentages of the total transaction amounts and the thefts are violence free.
    I had $2000 taken from an account and the bank conducted an “investigation” and 10 days later paid me back. They knew where the card was skimmed by looking at the transactions and locations of other cards that had been skimmed. They told me that they knew who was doing it, or had a very good idea of who was at fault.
    I asked if charges were pending. I was told that because the number was less than their “limit” per transaction, the criminal would not be even chased. The amounts taken are less than the replacement cost for the cards and readers with secure technology, so the accountants take the loss on theft rather than on capital costs of machine and card replacement. Just add another point to the fee and cover the cost.
    My final question to the bank was “if this was a robbery, where the their came into the bank with a gun or a note and held up the teller for the $2k, would you let them walk because it was below a limit?”
    Not surprisingly, the bank had no real answer.
    Funny thing in that bank – they removed the cash drawers from the tellers to increase security and installed a cash dispenser behind the counter. Figuring that it had to hold many thousands of dollars to cover the day’s transactions, I asked the manager why it was not secured to the wall and had wheels. The next day it was locked to the wall. I should have sent them a bill for consulting – as long as it was below their limit, I guess they would have paid it!

  13. Paul Gray

    Very nice read and what I call news as apposed to something recycled.

    It amazes me how much of our life’s and indeed resources and monies go into covering against criminal acts. From having encryption, door locks, phone locks, insurance from theft etc etc whole industires exist purely becasue of crime. I would go as far as saying that if you were to cost up all those direct and indirect costs from the extra electricity to run your encyrption etc from your door key you will find that we spend more on preventing crime than we do experience from it. Indeed we wouldn’t need police or any of that. When you think about it you realise its too depressing too work out the true numbers involved and just accept it sadly.

    Also how long until your able to take a photo on your mobile phone that will produce a 3D image of a key somebody is holding at 100m away and then print that out and get into your car/house/garage etc.

    Why oh why I have to ask don’t banks have a simple visual recognition system that constantly scans the front important bits of the cashpoint to detect changes. We have facial recognition systems that do work, so how hard can it be to have a cashpoint that can detect and deter these skimmers which are in effect add-on covers to the cashpoints there conning.

    1. JCitizen

      Even our weapons systems recognize enemy targets automatically. But then they cost Billions/Trillions of dollars.

      You are correct to complain though. The technology could be had cheap, if it were made in high enough volume.

      1. John David Galt

        If our weapons systems were that good, we would have nailed Bin Laden 20 years ago instead of that pesticide factory in Sudan.

  14. Steve

    Love the article, was curious tho, I’m I the first one to get the idea of buying one of these printers and feeding in a picture of Megan Fox to see what happens? 🙂

    (I always have to reduce it to that level :p)

    1. KJ

      For a small scale replica of her. I don’t even know if a full scale replicator for an object of her size exists. If so, it must be extremely expensive to purchase and use.
      Now that I think about it, a market for such a device would be huge, even given the expenses.

  15. Peter

    Lets blame the banks instead of the thieves, most camera’s for catching thieves are so poor (compared to a consumer camera like for example the canon 60d) Why dont they use better security cams, require also fingerprint and a facial view (iris scan).

    But no, they are making it to easy.
    Also when a camera notices that someone is placing something in front of the device, why doesnt it notice police with a silent alarm, and burn the money inside

    It would also be wise to have some kind of room to enter, like a small phoneoffice size, and only return money if people are there, against explosives it should have vents to deal with pressure (and in case of explosive attacks, use a bit of fosfor to destroy the money).

    I’m realy pissed off that this week for the second time they exploded an ATM nearby and that not much tech is used to prevent this.

    1. JCitizen

      Maybe it would help to get tough on criminals. Maybe that would do it. Maybe if we would start treating drug users instead of over crowding our jails, maybe we could keep them behind bars longer. Perhaps that would keep them from repeating their crimes, and committing them in the first place.

      We haven’t even looked at the “correctional” penal system since the fifties.

  16. AlphaCentauri

    Infrared cameras can “see through” solid objects if there is a lens cap blocking out the visible spectrum. Would a surveillance camera like that be able to detect the extra hardware inside a skimmer overlay from differences in their infrared pattern?

    1. hhhhobbit

      Brian, this is an excellent article.

      Infrared doesn’t penetrate through anything opaque. X-rays can partially penetrate opaque objects but they are on the other end of the visible wavelength spectrum from infrared. X-rays do detect invisible flaws in aircraft engines for example. Infrared film and sensors do detect heat. If the original card reader had an invisible heated spot the skimmer may cover it up. The location of the heated area would have to change in such a way that it would be hard to replicate with a skimmer. The loss or attenuation of the heat dot caused by an attached skimmer could be used by an infrared sensor to detect tampering. X-ray scan systems may also show a difference between the original card reader and those that have a skimmer. But just training users in how to detect the presence of a skimmer would be a good first step in making the users more secure.

      Chip and pin kind of reminds me of the US Treasury going less than a third of the way they need to go toward making T-bills as counterfeit proof as possible, within reason. Making T-bills more colorful IS within reason for me. I could care less that they aren’t the old familiar green or greenish tinge if making them colorful makes the counterfeiting infinitely harder. The Euro has done it so why can’t the US Treasury do it?

      What we really need is something that provides a quantum leap in security for both money and card (widget) financial transfers. So put your heads together and work on what will achieve that goal. I gave some of what is needed for the paper (cloth) side. The problem is, I didn’t read the solutions that are better than chip and pin here. What are they? I am asking the chip and pin detractors to tell us the better alternatives IF they have them and they are practical. If there aren’t any better practical solutions we need a think tank compromised of people who can come up with something much better than what we have now. I am not one of those people. I came here searching for the better solutions than chip and pin!

      1. AlphaCentauri

        The infrared issue has come up because home video cameras were being sold with infrared capability, apparently because new parents wanted to take pictures of their children in their cribs at night, not being satisfied with taking video the other 16 hours a day. People quickly found out that if you took pictures of people in daylight with the lens cap on, you got a pretty good picture of someone’s body beneath their clothes. The cameras were modified so they wouldn’t function with the cap on, but people just used filters.

        Anything that affected the distribution of heat on the surface of the ATM ought to change its appearance on infrared. That could be blocking the expected appearance with the overlay (which I would expect skimmer-manufacturers to start trying to mimic as soon as banks start looking for it), or it could be creating a new hot spot because of the overlay itself, which would be harder to hide.

        1. Nick P

          A friend of mine bought one of those a few years ago. It worked as advertised. I found that it was also useful for spotting concealed weapons or devices. The whole thing was too creepy for me to mess with any further. Last thing we want is chicks suddenly being afraid to take good pics with us.

          1. JCitizen

            I tried to give you a thumbs up Nick, and something is fouling up the control here. I don’t know if it is the latest java update or what. I don’t know what Brian uses for his system here. Apparenty for me, the voting system is now broke.

            I tried it with all three of the big browsers; FF, Chrome, and IE9 – no dice. I do have a page scanner for controls that may be blocking them, but it only does that for infected controls. I’m not ready to believe they are infected here yet.

            1. hhhobbit

              I have never had problems here with Chrome, Firefox, and Opera from Linux. One of my systems does not have Java on it if that helps you – I use it to test really bad web-sites. It just fixed itself? Strange. I would still like to hear of a definitive new technology we can go to because if the wise people here don’t propose it we will get chip and pin. IOW, don’t just criticize chip and pin. Give a realistic alternative we can scramble to. Businesses probably have only enough resources for one technology shift over the next ten years which means what ever we get will be in place for a long time.

              1. JCitizen

                Thanks hhhobbit; it was probably just a quirk in my scanner.

                I myself would go to a combination of MagnePrint and PassWindow for multi-factor authentication and anti-cloning technology.

                http://www.techrepublic.com/blog/security/counterfeit-creditdebit-card-fraud-lets-stop-it-now/2825

                These would be simple and cheaper to implement, and therefor not such a loss once the criminals find a way around them. Both those would be difficult to bypass at an ATM. I don’t think it could be done.

                1. hhhobbit

                  Thanks! That is precisely what I was looking for. Now we just need to twist the banks into looking into this and other measures for wired transfers. I don’t like half way measures for either wired transfers or US Federal Reserve Notes as long as the costs are reasonable. Why don’t they go for something much stronger right off the bat for both of them? I want paper money that is at least as difficult to counterfeit as the Euro is. I want something much better for wired transfers. People here need to read about the three Seattle people who used war driving and other techniques to steal money and equipment:

                  http://www.latimes.com/news/nationworld/nation/la-na-wardrivers-20110922,0,3144733.story

                  Note that even the US attorney in the story had $1000 of her own money taken in an ATM skimming operation.

                2. Nick P

                  We’ve solved this problem over and over. It requires trusted hardware, trusted path to user, crypto on trusted hardware and a communication link with untrusted PC that contains the GUI, transport stack, etc. I designed something like this to stop ACH fraud for $200-5000 a unit, depending on level of assurance. The reason I take this route is the device might be made multipurpose, able to perform many security roles. See the discussion of this and other methods.

                  http://www.schneier.com/blog/archives/2011/06/court_ruling_on.html#c552667

                  As for Magneprint, there was a huge discussion in our comments section that involved several key players in the company. Huge debates ensued about potential avenues of attack. I focused on attacking the issuing process & the database that ties card numbers to PUF signatures. I was also concerned at how much more severe an inside attack could be made. Clive and a few others focused on the technology & how it could be faked using esoteric methods, in theory. Clive did point out that dupping at restaurants could be effective. By the end of the discussion, I found the technology to be awesome in a number of ways, but certain risks have yet to be measured. Hence, I prefer a solution where we can know exactly what level of risk we face & truly mitigate many types of attacks.

                  https://www.schneier.com/blog/archives/2009/12/magneprint_tech.html

                  The solution I was working on for the credit/debit card issues comes down to view/sign. Both use a dedicated device with trusted path: input/output path where user knows for sure nothing is spoofed or keylogged. The low end has an untrusted system initiate the transaction, the user views a few key details on a tiny device, enters a PIN, and the devices produces a one-time PIN that the bank verifies. In some schemes, no transaction details are displayed & it’s merely a 2-factor authentication. One bank (Barclays?) little one-time pin appliances are an example: pull out the calculator-looking device, swipe ur card at the top, enter a master PIN, and it generates a transaction specific one-time PIN. (I might be missing a step.) IBM’s ZTIC does the signing and stuff itself. It’s a USB stick with a tiny LCD screen that shows key transaction details & user authorizes with one click.

                  The high end (like my transaction appliance) uses a robust, secure device connected to the untrusted GUI/transport/whatever machine. The user sets up the transaction, that machine sends a simplified version of it to the secure device, the secure device displays it to the user (with a hash), user verifies it’s unchanged, initiates signing, transaction is sent to untrusted PC with signature, and untrusted PC sends both to the bank. The bank registers the key of each transaction appliance during issuance & the servers/apps are program to reject any transaction unsigned by the transaction appliance or bank staff.

                  This can be used for more than credit cards: notaries; digital timestamping; secure signatures in general; password managers (combined with Mark Currie’s scheme). All sorts of things. And a medium assurance version can be as small as an old electronic organizer at a price of around $30-100. The key problems in adoption of such solutions are court’s current views on liability, the solutions are unknown, and users often don’t care to go through the trouble. It’s really no surprise when you read articles like these:

                  http://money.cnn.com/2010/12/14/technology/firesheep_starbucks/index.htm

                  So, there you go people, we’ve solved the problem completely all over again. We’ve done it for $10-3000. Still, no adoption and more bogus programs. *cough* chip & pin *cough* verified by whoever *cough* whatever they’re thinking up next *no coughs left*. The problem isn’t related to technology or cost: it’s politics, sociology & risk management.

                  1. hhhobbit

                    Although you think this first part isn’t going to the heart of the problem it really is. What size hash are you using? I voiced my thoughts to kernel.org and the Linux Foundation every way I could that they should shift from using SHA1 to SHA256. I am doing it again right now. Kernel.org is still down right now (2011-09-27) due to them being hacked with a rootkit. The time difference between the two hashes is trivial for the approximately 1700 files (some are symlinks but sha1sum and sha256sum follow all of the links until they get to the actual file) in /usr/bin on this machine: 0m1.383s for SHA1 versus 0m1.588s for SHA256. Wow – I needed a whopping 15% extra time to do SHA256 instead of using SHA1 (160 bits). I used time sum and piped that to tail -30. I threw the first run using sha1sum away. The first run is always a lot slower than subsequent runs. On the second run I used sha256sum. On the third and final run I used sha1sum again. That may not provide a fair comparison but it is a good ball-park estimate. My OpenPGP keys have SHA256 as the first hash of choice. When machines become more powerful I will shift to SHA512 as hash of first choice. I also provide the SHA256 hash of critical files with the Internet filters I provide which almost nobody uses. But any time a hash is used for something important I don’t want it to be SHA1 or less unless it is for something transitory. I do use an MD5 sum for the filters I provide but that is only to make sure nothing got mangled in transit and that is all it guards agaist. OpenPGP detached signature files are provided for those who want to be sure the files really came from me. But kernel.org and the other lords of Linux believe that SHA1 is cryptographically secure? Something is seriously wrong here! I am sorry, but I have saw stolen SHA1 RealTek certificates stuffed into ordinary malware. It passed muster with Microsoft and the AV sotware until I gave it to the AV companies via my now closed back end route to them.

                    That Firesheep article sums up what the real problem is. Technology isn’t the problem. The human factor is the main problem. People cavalierly risk having their Facebook and other social accounts compromised. They spend money on specious products advertised in email spam where you have no way ascertain whether the products are safe or not. That even ended up in the program Doc Martin shown on PBS with the kid using fake Viagra almost dying. That is because in the real world things like that are actually happening with products from fake pharmacies. The reason the rest of us get spam is because there is a ROI for the spammers. People take chances on their machines getting infected by doing almost nothing or even nothing to prevent it from happening. Finally they take risks on having their money stolen. Some of it may be due to ignorance but most of it seems to be because they just don’t care. Some people paradoxically hate making themselves more secure in any of these areas. I know some of them personally.

                    I have this sinking feeling either nothing will be done on this or we will have chip and pin at best. How can you fix something when most people don’t want it fixed? I don’t have Facebook, Twitter or other social accounts. I don’t have infected machines. Instead I have two boxes that are normally running Linux and they don’t trust each other. I don’t have any money to lose to an ATM skimmer. The loss of $1000 would be a major catastrophe for me. I am not posing a hypothetical. I personally NEED something better than the card and PIN we have now. I guess I am only one of the few that needs something better. Now I know why I am not going to get it. The vast majority of people don’t want it.

                    1. JCitizen

                      I read most of the links and still don’t see an argument against the anti-cloning ability of MagnePrint. The unique pattern on the stripe of the card lends itself to a stochiometric math that recognizes no two swipe readings will be the same. The reader system POS devices will work with regular strips, so adoption can be absorbed economically. These devices are capable of identifying the card even though no two swipes can possibly be the same. Some of this has to do with the “DNA” pattern and the physical way a human swipes a card through the magnetic field. Trying to replay the signal will result in a re-swipe message. If the same swipe image is repeated, an alert will be sent out to the ATM service and also the card holder.

                      Combining this with PassWindow, seems especially effective with ATMs in that incomplete information is sent to the ATM, that only the card can complete properly for authentication. Even cameras cannot capture the particular authentication session, because of the polarization of the pass-window – although anything the client enters is subject to surveillance of course. This could start out cheap, and is very scalable to changes that are much cheaper than chip & pin is at present. It could quickly be configured to never use the same authentication code for the next transaction, so key-logging or camera work, would be null and void. I am only talking about ATMs and POS devices as these are hardware devices that could be constructed to high assurance standards.

                      As far as PCs are concerned, I think the browser should be left out of the equation, to make it hard for a Zeus style injection attacks. I’ve seen similar software, like Discover Online Card Numbers, that uses communications through SSH/SSL without a browser, so that taking over the session will at least have to be re-invented by the criminals. However, I think this dual technology should be more successful for hardware devices, as previously discussed( in my opinion).

                    2. Nick P

                      hhhobbit, was your post with hash info a reply to mine? Because if it was, it’s quite misinformed. The “heart of the problem” is preventing spoofing & only allowing properly authenticated transactions. My proposal displays what is to be authenticated on a secure device, optionally accepts user-entered secret, signs it with a private key stored on that device, and sends the resulting authorization to the bank over any untrusted channel. This high-level design solves the problem & has many potential implementation strategies.

                      The point of hashes is to make modification obvious by both human and automated reviews. There are two types of attacks on hashes: collision and preimage attack. A collision attack isn’t relevant for my review feature. A second preimage attack is where the attacker makes a specific change (e.g. destination account or amount) in such a way that the hash stays the same. There are NO PREIMAGE ATTACKS (of any kind) for SHA or >>even MD5<<. All practical attacks have been collision attacks. Hence, you could use MD5 for this part and it would still be secure. And this is mathematically provable.

                      (I would use a SHA for increased security, small message length compared to SHA-256, & possible cheap hardware acceleration. I use AES-based constructs for same reason.)

                      Don't focus too much on the crypto algorithms in secure system design: focus on the system & its components, especially hardware and trusted software. Have a crypto expert or security engineer do the crypto stuff. Like Bruce Schneier says, "crypto is usually the strongest link in the security chain" and attackers usually compromise systems by hitting other flaws. My system embeds good security design from hardware up to the application & sideways by using good protocols & easily-parsed, platform neutral file formats. It also integrates with legacy GUI or transport stacks by leveraging the trusted device to do security critical stuff & properly using crypto to use the untrusted stuff safely. Moreover, there are actual products that implement these design concepts & new one's are being introduced. One from SafeNet protects the root key of highest CA's.

  17. Sam

    Great post and site. I made my article based on yours and its quite popular, and of course that is because of you. Thanks.

    Bookmarked your site and will be back.

  18. Nick P

    I’m surprised it took them this long. I actually used 3D printers in schemes to defeat various security measures back in 2002 & 2003. They were costly & only useful if what they produced got a payoff that significantly exceeded the costs. I didn’t think about skimmers (or ATM fraud) back then as I was focused on pen testing for companies & general security engineering.

    My applications were mainly about subverting things to defeat access controls, like an overlay on a keypad system. I also looked into printing an unlocker for certain retail item seals. The stuff was kind of fragile & malleable compared to metal, so we could only make keys for locks & seals that didn’t squeeze it too much. Finally, it was useful for producing innocent looking room bugs, although I never deployed any in practice. (We did create something similar to the Great Seal Bug because it’s just a hollow object with a carefully chosen shape. Wood is still the better material, though.)

    I’m sure there are many more interesting applications we have overlooked. I can’t wait for them to get even cheaper and the resulting materials stronger.

  19. Charles

    Since a 3-D printer can be manufactured relatively easily at low cost criminals will find further uses.

    Combined with the ability to create CAD drawings from photos of an object….yo0u have a 3-D duplicator.

    Look for fake antiques especially silver & gold as they are currently printed….

  20. hhhobbit

    @Nick P

    My comments were NOT about what you were doing. They were just about the general malaise I am seeeing toward security. I used Kernel.org and the Linux Foundation to make that point because they said that SHA1 was cryptographically secure. That depends on how it is used.

    SHA1, MD5 or even less is probably apropos for an ATM where you are also using encryption. By the time somebody cracks it, it is usually useless. There is always a time factor when encryption is involved.

    Kernel.org and the Linux Foundation didn’t mention OpenPGP detached sig files or encryption in conjunction with saying SHA1 was crytpographically secure. So I am assuming they are talking about simple hashes. I stand by that statement that I would be happier if they used sha256sum instead of sha1sum to detect if a file has been altered. It goes without saying that the files containing the hashes should be written off to a removable drive and if the machine gets compromized they write copies of those files onto shiny media from a safer, less exposed machine. By that I mean they are doing a find of all the files in a build tree, sorting that into an input file, creating a file name using something like:

    STRING=`date -u +”%F-%H:%M”`
    HASHFILE=/media/MyDrive/${STRING}.sha256

    Then they touch that file, cat the list of files in a script and do the following for each of the files like so:

    cat filenames | read FILE
    do
    sha256sum -b ${FILE} >> ${HASHFILE}
    done

    If you get compromised you first write that file that is probably on a flash drive to write once shiny media from a safe machine, then put the shiny media (CD) into that machine that has your compromised machine’s drive attached (mounted – hopefully ro) and do a:

    cp /media/shiny/2011-09-29-04:33.sha256 BUILDTOP
    cd BUILDTOP
    sha256sum -c 2011-09-29-04:33.sha256

    For any that don’t match you have a problem there. That was what I was referring to. For this use the hash sum can be hanging around an awfully long time. They didn’t mention OpenPGP so I assume they are referring to just the hash sums of the files. If the hash sum changes the file has been altered in some way. The problem is, I have (maybe had – I purge old malware regularly) malware that used that Realtek SHA1 cert that was used in Stuxnet. It passed muster. Windows saw it as a valid certificate until they revoked it. For these more static purposes I am far happier with SHA256. Does that answer your question? Make sure what you are using is appropriate. It sounds like what you have is appropriate. But what the lords of Linux are using (SHA1) is not appropriate.

    Even with an OpenPGP detached signature I would be happier if they used SHA256 over SHA1 unless they have a special key like Werner Koch (or who ever is over the GnuPG project is right now) has. gpg/gpg2 take infinitely less time than it takes for me to type my pass-phrase to create the detached sig file. Here, let me test it on fairly large tar ball: 105_485_248 bytes:

    real 0m15.486s
    user 0m3.200s
    sys 0m0.069s

    Here is the time for the verify (remember, I am using SHA256):

    real 0m3.675s
    user 0m3.601s
    sys 0m0.072s

    I still believe either nothing is going to be done to avoid skimming or we will probably just get chip and pin. The reason? General malaise over taking security seriously. I hope I am wrong but I don’t think you are going to sell anything but chip and pin to the banks unless you make a pretty compelling argument. They want something that takes no more time than you need to do it now or only slightly more time. You also have to convince them it is more secure than chip and pin but the time factor is pretty important to them. The implementation also has to be inexpensive. All I know is I need that something better than chip and pin.

    1. Nick P

      Thanks for the clarification. I agree that my scheme wouldn’t take off in a big way in the US. I’d have better luck in other countries like Belgium that are doing similar things already. The courts in the US have already ruled that having the user enter their username and password on a possibly infected machine constitutes “reasonable” security. With rulings like that & the patent issues, there’s no way I can introduce a secure banking product with an assurance of ROI for the investor. It would have to be non-profit or foundation funded.

      1. Jason

        Unless regulations have changed, the only part of an ATMs network traffic that is required to be encrypted (3DES) is the PIN.

  21. Scott

    It seems like this is a design defect with the cards. Chip-and-pin cards used by more advanced countries authenticate each transaction with the information from the smartchip on the card; so a copy of the account number and pin is worthless without the original card.

    That said, a bit of googling seems interceptors have been built for chip-and-pin transactions so that the data can be used in foreign countries that accept magnetic stripe transactions
    http://www.cl.cam.ac.uk/~mkb23/interceptor/

    Why can’t we move to more secure technology?

    1. hhhobbit

      Look at many of the previous responses and you will see why we don’t have more secure technology. Anything better than chip and pin is mostly theoretical. I believe even three years from now people still will not have come up with something better than chip and pin. By that I don’t mean something theoretical but black boxes that are demonstrably better that can be attacked and hardened. Remember that each transaction must be done in either the same or only slightly more time than it takes now with magnetic stripe. Maybe the real question is, which would you rather have for that next three to seven years as an interim measure for them to design that solution that is better than chip and pin? Magnetic stripe or the best of breed chip and pin?

      1. JCitizen

        I’d rather try something cheaper, so that we don’t end up with a giant economic disaster like some of the hair-brained ideas that almost broke the government and economy of Japan, when they adopted an obsolete tech that the people refused to use.

        I still see no valid arguments against the physical part of these cheaper technologies. I’ll let the experts figure out the details on the hardware assurance side of the equation; but it takes less expense and effort to change the hardware as well on these plans.

Comments are closed.