It's a nice idea (inserting the card widthways), but it's completely over-engineered. It's never going to be used as a retro-fit - it looks too much like a skimmer. In fact, if they became commonplace, it would make fitting skimmers that look like this device so much easier than trying to hide a skimmer in a discrete housing.
Instead, allowing the card to be inserted widthways, and pulling it into the ATM as normal, then within the ATM read the card either by moving it sideways into a normal card reader (so that the card moves left, rather than forward), or more likely, a reader where the head moves across the magstripe as the card is held in place.
Anyway, as has been pointed out by another poster, chip-and-pin makes magstripes effectively obsolete, I imagine the magstripe is only included for backwards compatibility.
In the Netherlands they're already outfitting ATMs and other credit machines with addons on the outside. Most ATMs also display a picture on the screen of what it's supposed to look like. So no, it's not that over engineered I think.
On the other hand, because of the moving parts involved it is probably going to be much more expensive. And with the current chips on the card already, I don't think the banks are going to invest in those things as it simply will not provide them with enough ROI.
Even better, the Dutch railways (NS) employ an add on that requires you to insert your card sideways, and then push it in. Solving the problem in the same fashion, yet not requiring any weird over-engineered rotation system.
> In fact, if they became commonplace, it would make fitting skimmers that look like this device so much easier than trying to hide a skimmer in a discrete housing.
It's sad, but this was my very first thought as well.
Nice innovation. Being a convicted hacker myself and serving time in a federal camp, I give him credit for wanting to make amends, that is definitely an awesome motivation...not buying the part about being happy about being caught (forced intervention), since I know from experience and people I've met.
I understand being liberated, starting your consequence (the nickel sentence), and feeling hope of change when your out....but to simply put it...."happy," is a strong word. I know this may come off as semantics, but when you talk about 5yrs of someone's life, happiness does not come to mind.
Thanks for the post, I was wondering how someone else having been through similar circumstances would have felt about someone being 'happy' to be caught.
All said, it probably gets him a similar recognition from ATM mfg'rs & business people as an advanced degree, no? Couldn't a certain type of mind see an arrest like this as a badge of honor or starting sales platform to build a career in security?
That's an honest question. Arrest records seem to be a death sentence in so many professional industries, and the 'reformed hacker' professional seems to be a real identity for some professionals. How hard was it to find work after your run-in?
The conviction can get notoriety in the security field, but as any criminal, black hat hacker, or just coder will tell you....it's ALL trial and error. Where a conviction may benefit someone is if they are doing their own business...as far as employment.
An employer may be hesitant to hire a criminal simply for the liability they presume over their employee. I can get a job fairly easy in coding since I have no restrictions on computer usage and some employers are amazed by my crime (google my name Michael Largent), but I'm a little different than maybe this individual (I get anxiety attacks sometimes).
As for me and employment, I've been through interviews some employers in the field will offer me a position, but coding is more of a hobby to me than a profession. I run my own business, because my conviction affects my self-esteem though...so I can't speak for others. I'm an awesome coder, but am afraid of rejection, so sometimes I won't apply for a job or I'll pass on a job offer.
Don't mind at all. I just don't want to thread jack the OP.
To get back on topic a little bit. I understand how he could want to make amends for what he's done, I do coding, algorithms, and websites usually for free and help others with any questions they may have that I have an answer for, but the PR being portrayed here is that he is "happy," to be caught.
The quoting words just sounds like he's trying to capitalize on a conviction (example: who did the video rendering? and I've seen this done ALOT inside)...not that there's anything wrong with using your circumstances to your advantage, but just careful with the wording.
ATMs have metallic keypads and as few moving parts as possible for one simple reason, which is vandalism. People will hit and break ATM display in anger, because it didn't register their touch selection made with a hotdog. They will break, bend, twist and pull apart anything that as much as hints that it's possible. Something that swings 90 degrees and requires reasonably precise alignment of moving parts to work - that's just asking for it.
I think this design might work better if the pivoting part were moved internal to the ATM. It'd avoid vandalism, and maintain the benefit of the sliding behavior occurring along a path inaccessible to the skimmer. The obvious downside to such a design is that you'd need to replace all of your ATMs which is why, I'm assuming, this design included the pivot mechanism on the outside.
Yes, in Europe Chip-and-PIN cards are the norm - the card has an embedded microchip which the reader communicates with electronically. But they still have the magstripe as well, for backwards compatibility.
Yes but I have yet to see an ATM anywhere that uses a chip reader slot, they all pull in the card in the same manner as a magstripe ATM (if they use the chip internally, I do not know).
Why are ATMs not 100% flat with 3 holes - for a keypad, note delivery and a hole for the bank card to go in. A skimming device can then not be added without making it very obvious the ATM has been altered.
An ATM could also have a video camera installed that monitors the area where the card is entered - if something changes the ATM does not work and a warning message is displayed.
Like other readers have said, the real step forward in this area would be chip and pin. That raises a potentially more interesting question though, how do you transfer a country the size of the US from swiping to the chip and pin?
Even here in the UK, where absolutely everywhere that uses a card is using the chip, a bank can't ditch the magnetic strip because then suddenly they're the only bank where you can't use your credit card abroad.
Would ATMs that read the chip without actually taking the card in the whole way work to obsolete these skimmers? (The chip is always at one end of it, so why does the rest of the card need to enter the machine?)
I don't know much about the mechanical implications of this, but why not move the sensor instead of the card? Put the card in longways first, halfway in. Motorized sensor moves across card to scan it. There wouldn't be enough room left over for a skimmer that would still allow the ATM to read it and even if there was a skimmer, it makes the skimmer that much more expensive, since it would have to have a motor too.
I assume it would just be prohibitively expensive.
But chip cards already sidestep the problem of skimming.
You only insert half of the card into the chip reader slot and, for what I remember or could imagine, let the ATM exercise some challenge-response protocol with the on-card chip so that there's no way to and there would be no point in actually trying to copy the chip because all you see from the chip is an interface to it.
I haven't had the magnetic stripe on any of my cards swiped for at least a couple of years. Last time I did was probably because of dirt or grease on the chip's contacts prevented reading it. The magnetic stripes still exist for now but everywhere I go there are chip readers, from pizza restaurants to little shoppes.
I came up with a similar idea years ago but I'm not interested in creating hardware. This needs to be built into the machine, not a bolt-on. The machine itself needs to only accept cards in horizontally.
I remember reading about a solution where the ATM would move the card back and forth while pulling it in (maybe even reading it at the same time, but it's not even necessary), preventing the skimmer from successfully reading it. Sounds like a better solution to me. (The problem with chips are, at the moment, is that the magnetic stripe is still used. So if they can read it then the card is stolen.)
I agree with a comment in the story - we need a better framework that actually supports non-replayable (ie, one-time) codes being transferred.
If Blizzard can give keyfobs to gamers for auth, why cant banks include that in tech for ATMs?
More and more I think corruption and fraud are the likely reasons - those are features the establishment wants to support, not prevent... they can profit from all of it.
If Blizzard can give keyfobs to gamers for auth, why cant banks include that in tech for ATMs?
Well, banks here in Portugal do offer one-time authorization codes, either by SMS (default) or keyfob, but only for online operations, not in ATMs.
That said, a Chip and PIN solution prevents (in theory) this problem, since it can actually authenticate the transaction by providing a cryptographic signature, without ever exposing the private key to either the ATM or any skimmer.
Banks already are liable for much of the fraud that would result from skimmed PIN or credit card data, so stuff like this would help the bank directly.
It's plausible that select banks would implement it for publicity benefits.
The problem then occurs, as always, on the end users steps in their own security....ex 'would people at a casino care about their security, or will they pay that $10 fee or whatever it is just to pull money out of that unsecured atm."
Current skimmers need a horizontal swipe to read. This device requires the user to insert the card in the wrong orientation for the skimmer. The device holds onto the magnetic strip end of the card while it rotates, so it's not possible to skim after the device has performed the rotation. It's not clear how difficult or easy it is to make a skimmer that reads a card that is swiped vertically, though.
It looks like the maximum amount a track can hold is 79 7-bit words [1], which comes out to 553 bits. Theoretically, a parallel reader would need 553 sensors, which seems fairly easy given today's manufacturing standards.
But, think about if a criminal duplicates the design and screws it to the front of existing / old machines? Most users will think that it's not a skimmer but the "secure" device.
Also: Place the skimmer to the LEFT most portion of the horizontal hole. The card is the rotated and pushed past the skimmer as it's inserted into the machine :)
> Also: Place the skimmer to the LEFT most portion of the horizontal hole. The card is the rotated and pushed past the skimmer as it's inserted into the machine :)
The non-magnetic part of the card is pushed past the skimmer...
This seems pretty obvious. I can't imagine folks whose job it is to build these machines to not have hopped onto this idea. This raises the question what's the downside of these?
The moving parts have to be a big downside. If US banks really thought skimming was a problem they would just implement chipped cards. Right now it's apparently cheaper to not rely on a chip and deal with all the fraud that comes with it.
looks like modern day Frank Abagnale Jr. to me. Only thing is it has a lot of moving parts. I think more maintenance and power issues. Hope they work out the case when the machine fails in middle of operation. People will break this add on in that case.
Instead, allowing the card to be inserted widthways, and pulling it into the ATM as normal, then within the ATM read the card either by moving it sideways into a normal card reader (so that the card moves left, rather than forward), or more likely, a reader where the head moves across the magstripe as the card is held in place.
Anyway, as has been pointed out by another poster, chip-and-pin makes magstripes effectively obsolete, I imagine the magstripe is only included for backwards compatibility.