Can’t Hack a Hacker: Reverse Engineering a Discovered ATM Skimmer (trustfoundry.net)
210 points by ProfDreamer on May 2, 2016 | hide | past | favorite | 89 comments



Just a minor point but it really weakened the article for me: The photo at the beginning purporting to show a skimmer sitting in front of an ATM in fact shows a standard ATM without a skimmer.

https://www.flickr.com/photos/angusf/4450137156

Then the 'keypad overlay' in the second image is just a photoshop of a keypad.

Fortunately, the rest of the article was interesting enough to outweigh these issues. The best advice contained in the article, for me, was that interfering with ATM skimmers and camera modules can result in direct intervention by the criminals who may be watching nearby. The best strategy is to leave it alone and alert the bank immediately.


I'd be cautious putting my card in that slot, but I've seen many legit machines that look a bit ropey.



Some banks over here (Europe) now let you block mag-stripe credit card transactions. Actually sounds like a good way to prevent ATM fraud as long as you are not visiting the US.


The whole situation in the US is silly. Some background: when a major iOS version comes out, thanks to Apple not allowing downgrades (grrrrr...), my company buys a new set of test devices for each major iOS version. When iOS 9 came out, I went to Walmart with my manager's company credit card to get some iPods (cheapest iOS test devices).

The clerk asked me what I wanted and I said "5 iPods please". I would be suspicious if anyone asked for that many iDevices. When they realized they only had 3 iPods, I said I'd take those. When I went to check out, I asked them to break up the transactions into < $500 chunks so as to not cause additional oversight; they obliged.

This was the first time I had ever used a chip-enabled card. It was obvious to the cashier, I was fumbling around with the card and had to ask how to operate it. Finally, after I bought three iPods in two transactions with a card I had obviously never used before, with the merchandise in a bag in hand, they ask for the credit card and my ID to verify the name. Busted, I thought! But no, after explaining that I was buying the devices on behalf of my boss (with no proof of this) they let me go on my merry way. I was flabbergasted.

TLDR: If you have a stolen credit card and want to use it to buy expensive electronics to fence, go to the Electronics department at the West Lafayette Walmart. Chip and signature cards offer no improvement in security, even when faced with at least five big red flags that indicate fraud.


To be honest, all of the behavior you would have seen as fraudulent is pretty typical in retail.

Furthermore, it's always been obvious that the chip'd cards provide no improvement for online fraud.

It's a PR move to hide the fact that the banks and creditors rely so heavily on transaction disputing to fend off fraud.


You're right. Lots of people split orders, probably one out of 4 or 5 fumble for things, and quite a few buy for their company. The phone the person bought was an iPhone rather than some weird one. Had the comment said iPods I'd have expected a bit more skepticism from cashier.

Yet, a company sends someone to buy a set of mainstream phones split on two transactions? Totally believable for a cashier and not as crazy as people's grocery orders have gotten while I was in line. ;)


In Canada this is by default.

If you swipe your card at a machine that supports chip it will be disabled until the next time you use the chip.

However, if the card reader doesn't support chip you can still swipe. Essentially all machines support chip now. Only vending machines / parking meters still use swipe.


In the UK one of our larger train companies is still using pre-hated handheld card terminals they bought from British Airways over 20 years ago on their buffet counters.

Fun fact: They apparently aren't connected to anything, and transactions are processed later, so basically any valid card will go through regardless of funds etc.

The market for shoddy bacon baguette & gin fraud is presumably fairly limited.


>Fun fact: They apparently aren't connected to anything, and transactions are processed later, so basically any valid card will go through regardless of funds etc.

Cards however have a special "service code" on the mag stripe/chip. Certain cards like the Monese debit card or debit cards for customers who are not allowed to go into overdraft can only be used for online transactions. So they wouldn't work in this case where the transaction is authorized offline.

Source: My experience with cards in Germany where the train company is processing credit cards the same way.
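The "service code" mentioned above is the three-digit field that follows the expiry date in the Track 2 data on the magnetic stripe; it is what an offline, store-and-forward terminal (like the buffet-counter ones described above) is supposed to check before approving without contacting the issuer. The decoder below is an added example, not code from the article or from anyone in this thread; the track data it parses is constructed test data using well-known test card numbers, and the terminal_decision logic is a simplified model of two checks a compliant terminal applies, not any vendor's implementation.

```python
"""Decode the service code in magnetic-stripe Track 2 data and model how an
offline or chip-capable terminal reacts to it. Added example; card data is
constructed test data, not a real card."""

import re

# Meaning of each service-code digit (ISO/IEC 7813 conventions).
SVC_DIGIT1 = {  # interchange rules and whether a chip is expected
    "1": "international interchange OK",
    "2": "international interchange, use chip (IC) where feasible",
    "5": "national interchange only",
    "6": "national interchange only, use chip (IC) where feasible",
    "7": "no interchange except bilateral agreement (private)",
    "9": "test card",
}
SVC_DIGIT2 = {  # authorisation processing
    "0": "normal authorisation (offline approval allowed)",
    "2": "contact issuer via online means",
    "4": "contact issuer via online means except under bilateral agreement",
}
SVC_DIGIT3 = {  # allowed services and PIN requirements
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, use PIN where feasible",
    "7": "goods and services only, use PIN where feasible",
}

# Track 2 layout: [;]PAN=YYMM SSS discretionary[?]
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum over the PAN; catches damaged or garbled reads."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 record into its fields and decode the service code."""
    m = TRACK2_RE.match(track.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan, exp, svc = m.group("pan"), m.group("exp"), m.group("svc")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": "20%s-%s" % (exp[:2], exp[2:]),  # stored on the stripe as YYMM
        "service_code": svc,
        "chip_preferred": svc[0] in ("2", "6"),
        "online_only": svc[1] in ("2", "4"),
        "pin_required": svc[2] in ("0", "3", "5"),
        "meaning": (
            SVC_DIGIT1.get(svc[0], "unknown"),
            SVC_DIGIT2.get(svc[1], "unknown"),
            SVC_DIGIT3.get(svc[2], "unknown"),
        ),
    }


def terminal_decision(card: dict, terminal_online: bool, terminal_has_chip: bool) -> str:
    """Simplified model of whether a swipe should be honoured on a terminal.

    - an offline (store-and-forward) terminal must decline a card whose
      issuer requires online authorisation (second digit 2 or 4);
    - a chip-capable terminal must refuse a plain swipe of a chip card
      (first digit 2 or 6) and prompt for the chip instead.
    """
    if card["online_only"] and not terminal_online:
        return "decline: issuer requires online authorisation"
    if card["chip_preferred"] and terminal_has_chip:
        return "decline: insert chip instead of swiping"
    return "accept swipe"


if __name__ == "__main__":
    # Constructed test record: well-known test PAN, expiry 2025-12, service code 221.
    card = parse_track2(";4111111111111111=2512221123456?")
    print(card)
    print("offline buffet terminal:", terminal_decision(card, False, False))
    print("chip-capable terminal:  ", terminal_decision(card, True, True))
```

A card with service code 221 (chip preferred, online authorisation required) is exactly the kind the comment above describes: an offline terminal that honours the code would decline it rather than approve it blind, while a card coded 101 goes through on the same terminal.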


Another fun fact. Before card terminals became universal, it was common for different cards to require their own handheld terminal. A sales desk may have had half a dozen or so, in order to process the card.

I really wish I could find that video again. It was interesting.


You may laugh but those bacon baguettes are pretty expensive ;)


> pre-hated handheld card terminals

I assume that first word isn't what you meant, but I can't come up with any substitute. What was it supposed to be?


I think it says exactly what it is meant to say. It's 'pre-hated' as opposed to 'pre-loved', that being a common euphemism for 'second hand'. The implication being that BA sold on a bunch of old, beaten up card-reader terminals that they no longer had any use for...


Wrapping in aluminum foil does not make a Faraday cage.

Don't believe me? Wrap your smartphone in foil and then call it.

Mine rang. Freaked me out when I discovered this.

It didn't ring when I put it in the freezer though.


Faraday cages do not block all signals. From wikipedia:

> A common misconception is that a Faraday cage provides full blockage or attenuation, this is not true. The reception or transmission of radio waves, a form of electromagnetic radiation, to or from an antenna within a Faraday cage is heavily attenuated or blocked by the cage. However, a Faraday cage has varied attenuation depending on wave form, frequency or distance from receiver. Near field High powered frequency transmissions like HF RFID are more likely to penetrate. Solid steel cages provide better attenuation over mesh cages.


You know those old school lead bags they used to use for carrying film through airport x-ray scanners?

https://www.google.com/search?q=lead+bag+for+film&gbv=1&prmd...

I wonder if that would be far better to almost completely kill a signal.


you will like this:

Can you call a cell phone in the microwave?

Physics Girl

https://www.youtube.com/watch?v=ot4_jVFXxUU


I actually tried this the other day with my new Bosch wall oven microwave. It appeared to block the signals enough to prevent my phone from receiving calls, which is what I would have expected from any microwave. I figured a microwave is probably the best Faraday cage that people have sitting right in their house.

I'm surprised that the phone in the video was able to receive a signal.

I wonder how much 2.4 GHz power is leaking from that thing.

A microwave with a bad shield has the potential to leak a ton of power at a frequency that's used by many devices.


Mine rings in the freezer. The theory why Snowden put the phones in the freezer was to block sound. Or he made a mistake.


Probably depends on the fridge. Mine is old, really old, like 20 years.

Also it probably just reduces the signal, not kill it completely so maybe how close to the tower you are matters too.


Next step: put a tracking device in the skimmer to find out where their headquarters are. :-)


Instead of banks spending millions on fraud detection how about they invent a system of moving money around that doesn't require you to give your username and password to a 3rd party and hope they only remove the amount of money they say they will?


Perhaps some sort of pre-printed paper or plastic slips that function like money?

I know, that could never catch on — no way to track your data or charge you a commission.


Like some kind of cryptographically authenticated public pseudonymous ledger maintained by a peer-to-peer network and constantly audited by millions of participants? Aren't you afraid that would destroy civilization?


Funny reply but simpler: today's banks with basic changes in authentication and limits on each party doing a charge in amount or timing. Would deal with parent's concern. Maybe add whitelisting, too, if people just wanted to use their main accounts for certain stores or bills. Just one extra transaction in a traditional database with some simple COBOL. Not much work.

Note: Brian Krebs recommended the same thing as a barrier to ACH fraud where the recipients were whitelisted with maybe in-person, strong-auth registration.
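The whitelist-plus-limits idea in the comment above, written out as a small per-account policy check: only registered payees may pull money, and each one is held to a per-charge amount cap and a charge-frequency cap over a rolling window. This is an added illustration, not code from the article, from any bank, or from the commenter; the PullAuthorizer class, the "cable-co" payee and the limits are all invented for the example.

```python
"""Hypothetical account-side policy for "pull" payments: a payee whitelist
with per-payee amount and frequency limits. Added example with constructed
payees and limits; not any bank's implementation."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PayeeRule:
    """Limits a whitelisted payee must stay within to pull money from an account."""
    max_amount: float            # largest single charge allowed
    max_per_window: int          # number of charges allowed per rolling window
    window: timedelta            # length of the rolling window
    history: list = field(default_factory=list)  # timestamps of approved charges


class PullAuthorizer:
    """Per-account policy: only whitelisted payees may pull funds, and only
    within their amount and frequency limits."""

    def __init__(self):
        self.rules = {}

    def whitelist(self, payee, max_amount, max_per_window, window):
        # In practice this registration step is where strong (e.g. in-person)
        # authentication of the account holder would happen; here it is a call.
        self.rules[payee] = PayeeRule(max_amount, max_per_window, window)

    def authorize(self, payee, amount, when):
        """Return (approved, reason) for a charge request from `payee`."""
        rule = self.rules.get(payee)
        if rule is None:
            return False, "payee not whitelisted"
        if amount <= 0:
            return False, "invalid amount"
        if amount > rule.max_amount:
            return False, "amount %.2f exceeds per-charge limit %.2f" % (amount, rule.max_amount)
        # Only approved charges count toward the frequency limit.
        recent = [t for t in rule.history if when - t < rule.window]
        if len(recent) >= rule.max_per_window:
            return False, "charge frequency limit reached for this window"
        rule.history = recent + [when]
        return True, "approved"


def demo():
    """Walk a constructed account through a month of charge attempts."""
    acct = PullAuthorizer()
    t0 = datetime(2016, 5, 1, 9, 0)
    # Constructed payee: the cable company may pull at most $120, once per 30 days.
    acct.whitelist("cable-co", max_amount=120.00, max_per_window=1, window=timedelta(days=30))
    return [
        acct.authorize("cable-co", 99.95, t0),                            # normal bill
        acct.authorize("cable-co", 99.95, t0 + timedelta(days=1)),        # duplicate pull
        acct.authorize("cable-co", 450.00, t0 + timedelta(days=35)),      # "they got the amount wrong"
        acct.authorize("cable-co", 99.95, t0 + timedelta(days=35)),       # next month's bill
        acct.authorize("unknown-merchant", 5.00, t0),                     # never registered
    ]


if __name__ == "__main__":
    for approved, reason in demo():
        print("APPROVED" if approved else "DECLINED", "-", reason)
```

The point of keeping the limits on the account side is that a wrong or repeated charge is refused up front instead of being clawed back through a dispute afterwards, which is the situation the parent comment complains about.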


Or just the same thing, but without the decentralised part, thus saving power, or the weird double deflation and creation of money part.


In many countries with chip & pin you can only pay online using your debit card with a security token generator and your PIN code.


We have this already it is called Internet banking: https://en.wikipedia.org/wiki/Online_banking and mobile banking: https://en.wikipedia.org/wiki/Mobile_banking


I think that what the parent refers to in a larger sense is the way the current financial system "pulls" money - if I for example set up Auto-Pay with the cable company, every month I pray they get the amount right. Because if they don't, it becomes a huge use of my time to fix all the damage.


Risky decision to take home the skimmer.


The only thing I kept thinking about. Police could already know about it and could have been just waiting for the owner of the skimmer to grab him. How on earth would they explain that it's not theirs?


"I'm a security researcher from the opposite side of the earth on vacation in Bali."

You don't think that'd work?


Also, if you're not police, you shouldn't be taking evidence of a crime for your own homebrew investigation. Call the cops and wait there until you see them dismantle the skimmer if you're so concerned about others.


"Also, if you're not police, you shouldn't be taking evidence of a crime for your own homebrew investigation."

This immediately jumped out at me. Most likely, you might get scolded or in trouble for screwing up chain of evidence or something. In a rare scenario, they might be watching the place with the skimmer there waiting for the perp to show up. Not sure of the risk there.

There was debate on how to handle it on Krebs. I think one person's suggestion of sending an anonymous tip about a skimmer to the number on the ATM was a good one. Keeps you out of the FBI's microscope, local thugs watching don't get you, no convincing store clerks, and the skimmer gets taken care of somehow. Maybe the best idea.


It amazes me that cards with magstripe are still being issued. I have never needed to use magnet instead of chip despite having traveled quite a bit. I used to ask my bank to disable magstripe on my cards, but now they changed this to the default option for all new cards.


I'm in Boston, and have yet to encounter a single reader that takes chips. They have started having the slot lately, but it's always taped over or there's a sign telling you not to use it. Or if you try to use it, the cashier gives you a weird look and has no idea what you're doing and tells you to swipe.


Madison WI. Gas stations (at the pump) and grocery stores are the only places I go to that don't have or use the chips (taped over). I understand both have extra time to rollout.

I assumed it had rolled out across most of the US at this point since most of the smaller places had even implemented it.


I'm in Madison, too, and there are still a lot of places that don't use the chips. I was at Farm & Fleet yesterday, had to swipe, for example.


I've been told that card processors will get charged more going forward if they don't implement the chips, or for non-chip transactions because of the added risk involved. That should help speed up the transition or at least activate it on those readers that have it.


> I've been told that card processors will get charged more going forward if they don't implement the chips, or for non-chip transactions because of the added risk involved.

This is true. It's also weird, since really they should be charging less for chip-and-pin, not more for magstripes. By moving to chip-and-pin they immediately release themselves from the hook for card theft, moving the liability to the card holder. The high transaction costs in card networks have historically been defended as largely stemming from fraud costs. Yet, we're expected to pay the same fees.

It's a good time to be in the card processing business.


Where I live (NC) almost nobody has chips enabled, even big chains, the one exception being Target.


Nice, underhanded humor. The joke being on them was even better given they were the retail company famous for having best security. :)


I've actually noticed many of the pay at the pump not working with my chip card at all lately and having to go inside or use my other card that doesn't have a chip yet.


The worst part about that is it's going to start forming consumer habits. Everyone will trust the taped over sign as being from the merchant, when it could just as easily have been installed by a skimmer. Furthermore, if people get into the habit of swiping first, then using the chip when the terminal asks them to, that still leaves an opportunity to skim.

EDIT: Grammar


A fraudster taping over the chip slot would be detected after a single skim though, since the terminal won't accept a swipe from a chip enabled card if it's set to process chip payments.


I'm in Indianapolis area. The chip reader requirement is spreading everywhere I go: Target, Lowes, Kroger, etc. It's getting to the point now that I use the chip more than swipe per week.


Here in NY, chips are becoming more common. But rather strangely, my local diner has gone back to swiping because "they got a new card machine"


Every CVS in the Boston area makes me use the chip now.

FWIW, it may be a bank requirement, not a vendor one.


Recently, in October 2015, the liability shift happened from banks to merchants if they do not upgrade payment systems to chip-enabled devices. Some areas, notably gas stations, are exempted from this until a few years later, which might explain why other commenters complained about them. Citing [1]:

"Beginning in October 2015, that liability will shift to the merchants in certain cases unless they have replaced or upgraded their card acceptance and processing systems to use chip-enabled devices and applications to process payment transactions."

1. http://www.emv-connection.com/understanding-the-2015-u-s-fra...


Informative! Thanks for sharing.


Odd. I'm also in Boston and have to use it almost everywhere I go.


It's worse than that: contactless payment has two modes, and one of them just lets you read the magstripe track 2 data (including card number) through the contactless interface.

https://www.level2kernel.com/emv-glossary.html#MSDmode


Is it used anywhere?


I'm in Seattle. You go to one store and try to swipe..."No, you have to use the chip". Next place you try to use the chip..."No, that doesn't work yet. You need to swipe it".

Seems like no one is on the same page.


We had this in Europe for a few months, it was painful there too, but eventually everywhere will be chip only and the swipe will be literally removed.

I understand the US is doing a slightly slower rollout so you guys might have to put up with either/or for almost a year, but once it is done you'll get used to using the chip pretty quickly.

The two "big" dates for EMV in the US are Oct 2015 (liability shift: merchants) and October 2017 (liability shift: fuel dispensers and ATMs)[0]. After Oct 2017 there will be no reason for banks to issue cards with a magnetic stripe at all (although they CAN for travel).

In Europe some banks no longer issue cards with magnetic stripes (chip only).

[0] https://www.aciworldwide.com/-/media/files/other/published%2...


One thing I don't like about the chip is it seems to take a much longer time to authenticate. Is this the same in Europe as well? Would be nice if it was as fast as a swipe. But I rather have better security.


My main gripe, which is pretty trivial I guess, is that I'm so used to just swiping the card and throwing it back in my wallet. Using the chip requires leaving the card in the reader until the transaction is complete, so I've almost walked off without my card a couple times. I agree though. I'd rather have better security. I just need to adjust my habits :)


They are working on making it faster[1], though I wouldn't hold my breath for it to be rolled out anytime soon.

[1]: http://investor.visa.com/news/news-details/2016/Visa-Speeds-...


It has more to do with the connection to the host/processor than the chip itself. Reading the chip takes milliseconds usually.


In Canada, there was a period where most merchants just taped a piece of paper that said "NO CHIP" across the slot.

Now that the chip cards and functioning readers are the norm, you see a lot of terminals with a piece of paper taped onto them that says "NO TAP".

I've tapped my card at some merchants who were unaware that their terminal had been tap-enabled. "We don't have tap yet" "It's approved" "Oh!"


I just returned from Belgium. I made sure that all the cards I took had chips. Results were mixed: The train station kiosks recognized the cards as chip + signature even though I had a PIN for them, so I had to use the clerk to buy tickets. The payment terminals in restaurants asked for my PIN, but then rejected it. I suspect my bank (despite assurances) didn't enable it. I have no way to test my cards now that I'm back in the US, as the readers (for the stores that have them enabled) default to signature "verification". The whole situation is a mess.


It's been a while, but the last time I researched credit cards for chip+pin the US didn't have any readily available - they're all chip+signature. Even though you have a PIN I can guarantee that it's only good for cash-withdrawal transactions (e.g. as a debit card or a high APR cash advance).


This was USAA, which has a lot of members living overseas, so the assumption was that they're familiar with the requirements.


The authentication method is an agreement between card and POS terminal, with the card having the final word. So yes, blame your bank for not configuring card parameters correctly.


You can also disable the magstripe simply by using a strong magnet next to it.

Putting the card in the same pocket with my Android phone with a wallet case that has a magnetic "lock" seems to be enough...


Great tip! I'll try that. ;-)


BTW it also works very nicely for those hotel key cards that have a magnetic stripe. You'll be safely kept away from the minibar of your room if you put your key card in the same pocket with the phone.


My card (German) looks like it doesn't have a magstripe any more. It's got a black stripe on the back all right, but that's only half the usual height and has writing on it. I'm about to visit the US in a couple of weeks so we'll see if it works...


In the US, they are slowly rolling out chip+signature--which is no better.


My magstripe is demagnetized (because my phone jacket contains a magnet). I have no problem using my card (in France).


In Denmark, everyone uses chip; it is only if the chip is damaged by a broken card that people use the mag-stripe.


How secure are the chips?


There isn't any publicized actual fraud based on cloning the chips or extracting data from them, out of the whole huge amount of CC fraud.

They are vulnerable to a set of physical attacks e.g. etching off the surface of the chip, scanning it with sensitive microscope and attempting to deduce stored data from that (IIRC there were some proof of concept videos posted on HN a few months ago) but it's not a major risk as it (a) requires physical possession of the card, (b) takes time and is destructive, and the result is useless once the owner reports the lost/stolen card, and (c) has significant costs (rare expensive equipment, specialized skills, lots of time) that far exceed the limits on normal credit cards.



This one is interesting, I had not seen it.

If I'm reading this right, it still doesn't compromise the data on the chip (i.e., the card cannot be copied, the limits enforced by the chip are kept, etc.) but allows modifying the chip so that a physically stolen card can be used without knowing the PIN, because the POS erroneously accepts a PIN verification response from another chip. This described hack seems to be impossible in recent chip implementations as well, but I'm not eager to dig through specs to check.

Still, it is similar to the chip analysis vulnerability in risk as it (a) requires physically stealing the card and modifying it, thus it doesn't enable the far more common scenarios of skimming the card by an ATM device or a person e.g. a waiter; and (b) doesn't allow cloning the card, so purchases must be made quickly by people physically close to the thieves and operators doing the chip modification, which means a much greater chance of arresting the whole team than in the currently common fate of stolen US card data, where you can just sell the data to people anonymously over the internet, and they themselves can easily make cloned cards to do the risky part of actually obtaining the money/goods.

A skimmed card will just work on the first try. A card modified like this is still likely to trigger "stolen, call the police" message on the POS terminal.


Well, they literally can't be read without an authentication code from the bank, so pretty secure. Anyone can copy a whole magstripe, but the chip can't be read directly.


The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys.

The keys on ATMs I've used don't actually move much, so you could put several fingers on the keys at once and press only slightly harder with the one you intended. It might confuse any PIN pad overlays too, which by design have to activate with less pressure than the real switches so as not to arouse any more suspicion.


Or type a series of numbers, hit clear, enter real pin.

Though not too hard to realize the last four are the PIN.

If the atm has a backspace instead of all clear, numbers, backspace one or two, numbers.

Still, not the usual routine.


> Cover your PIN with your hand. This will not protect you from PIN overlays, but it will hide your PIN from hidden cameras. Plus it’s so easy to do, why wouldn’t you?

Here in Fiji, ATMs have an opaque plastic guard over the keypad to keep the PIN out of view of a camera.

Kinda like this one but bigger: http://thumbs.dreamstime.com/x/atm-keypad-22036137.jpg


If you read the article, so did this ATM. Except it wasn't a guard... it was a skimmer with a pinhole camera in it.


He's worried about being shot by gang members for stealing the skimmer, and then he posts this story with his picture?


"Kansas City Penetration Testing & Information Security"

They're probably back in the U.S. again. It's unlikely they'll send an assassin overseas.


Please warn in tweet when you link to paywalls


From the FAQ:

  In comments, it's ok to ask how to read an article and 
  to help other users do so. But please don't post 
  complaints about paywalls. Those are off topic.


mupeng


"Error establishing a database connection". Why does this still happen to people in 2016?


I get it but ... front page Hacker News is kind of a big deal, hosting is sold very cheaply - sadly not everything scales.


Even things that do scale, don't often scale automatically. If I spring for Heroku to host my blog over GoDaddy, it's still going to go down the minute it hits the front page of Hacker News.



