
back to article Jailed Romanian hacker repents, invents ATM security scheme

A Romanian man serving a five-year jail sentence for bank-machine fraud says he's come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers. Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy the …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Well...

I certainly understand the concept of singing like a canary to get out of an East European jail, but inventing like one......

2
1
Pint

Re: Well...

I, for one, welcome our inventive new avian overlords.

4
0
Silver badge
Meh

Re: Well...

And his mates outside already have a device that can replicate this and steal the info....

He's just getting things ready for when he is released..

0
0
Anonymous Coward

It must be Friday...

A hacking story with a fairy-tale happy ending...

2
0
Silver badge
Go

KISS

Brilliant, and what's great is there really isn't much that can go wrong with it.

Keep It Simple, Stupid.

2
0
Bronze badge
Coat

Re: KISS

Yes you have to hand it to that guy for his sideways thinking...

4
0
Stop

Chip n Pin

Why doesn't the rest of the world do this instead?

1
0
Bronze badge
Thumb Up

Re: Chip n Pin

Or allow us to order a card without a stripe, come to think of it, I could erase the stripe myself and not have to worry about ATM skimmers again (UK, it's all C&P here).

4
0
Silver badge

Re: Chip n Pin

>>Or allow us to order a card without a stripe

Would a bit of time with a neodymium magnet be the answer to your prayers?

0
0

Re: Chip n Pin

Came here to say the same thing. I believe that the near-100% prevalence of chip'n'pin cards in Canada has made skimmers obsolete.

Now, if we can just get rid of white label ABMs...

0
0
Bronze badge

Fine until...

The skimmer is internal to the machine reading the card, and attaches itself to the logic circuitry.

Why not just build a circuit board that takes the output of the magnetics and intercepts it before passing it along. Man in the middle style. The bad guys seem to have access to the innards of machines these days (there was a news story about a gas (petrol) station here that was compromised on its inside).

Still, a nice idea!

0
0
Silver badge
Windows

Erm.

What about the PIN?

These devices need a camera to record you input your PIN.

Cover the keypad, they can't see your PIN and can't use your card!!!!!

0
0
Silver badge

Re: Erm.

Can't use your card in the UK.

There are lots of places that only use the mag stripe, one of them is quite large and called something like "Unsecured States of America", where they don't even ask for a signature a lot of the time.

2
1
Gold badge

Re: Erm.

Cover the keypad, they can't see your PIN and can't use your card!!!!!

I suggest you enter "fake atm keypads" into Google and look at the images..

0
0
Bronze badge

Re: Erm.

No PIN is needed. Most ATM cards also work as credit cards, and retailers don't need to perform any security checks on credit cards if they're willing to pay high transaction fees.

0
0
Silver badge
Happy

Re: Erm.

".....where they don't even ask for a signature a lot of the time." One of my colleagues over from the States a few years back was shocked by the higher levels of credit-card security over here. It rendered his wife's non-C&P card unusable for the duration of their visit as the signature strip on the back was marked "CID", which apparently means "check ID to confirm the user is the card owner". Apparently, that also meant it was the cheapest holiday they'd had for years, so maybe not all bad.

0
1

Re: Erm.

Yes and the specs for ATMs in the UK mandate "mag stripe fall back" in addition to a PIN reader.

That's not always implemented, though, as I found out the other week...

0
0
Bronze badge
Coffee/keyboard

Re: Erm.

MagnePrint could end replays of skimming data; so using that technology would defeat skimmers without paying the huge costs of Chip-n-Pin. I've seen news stories of C&P being defeated by a simple paper clip. I'm not sure I want businesses in the US going down in flames from the bad investment in expensive technology that can be defeated anyway. If you can hack a computer - what makes you think the chip can't be cracked?

With the nano technology and algorithms that exist in the MagnePrint system, you cannot replay or skim the information, because it is like trying to copy someone's fingerprints only more difficult. No single swipe of the data band on a MagnePrint card is ever the same - so recording it is a fruitless effort - the authentication system would catch it in a heartbeat - combine that with the very economical PassWindow, and you have double trouble for the crooks, and still have technology that can be affordable across the world. This system would also be greatly scalable with minimal expense. We don't fall for expensive failures in the "Unsecured States of America". Federal Insurance and other improvements to security will nail this problem without breaking the bank or the consumer's pocket book. That is the way we think in the US.

0
0
Bronze badge

On the subject of ATMs

Does anyone else feel like they're Gulliver in Lilliput when using them? I'm only 6'2" and often have to bend right down to be able to see the screen because they appear to be designed for people who are four foot nothing, most cinemas appear to be designed for unusually short people too, where "legroom" is a taboo word (except The Screening Rooms in Cheltenham - highly highly recommended!)

2
0
Silver badge

Re: On the subject of ATMs

Absolutely agree! Perhaps they should line up several ATMs at different heights - one for normal people (6 ft plus), one for short people, and one for very short people - the same way they have different height urinals in the gents.

0
0
Silver badge

Re: On the subject of ATMs

I gather they're supposed to be usable by those in wheelchairs and dwarfs, as those are more common than elves and giants.

3
1

Re: On the subject of ATMs

"they should line up several ATMs at different heights"

Move to the big city - that's very common in London.

0
0
Bronze badge

Re: On the subject of ATMs

They also need them at pavement level in city centres - for those crawling (under the influence of copious quantities of alcoholic beverages) for a taxi and are in need of funds....

1
0
Silver badge
WTF?

Re: On the subject of ATMs

6 feet plus is normal? Where the hell do you live - Rivendell?

5
0

Re: On the subject of ATMs

They do. In the shithole City of Peterborough they have different height ones everywhere...

0
0
Silver badge
Trollface

Re: On the subject of ATMs

>6 feet plus is normal?

Obviously not a Central European poster. Probably American. The Latin American genes really bring down the average there.

0
0
Holmes

Re: On the subject of ATMs

No, it's Holland.... People are generally taller here than other places.

http://www.wisegeek.org/which-country-has-the-tallest-people.htm

0
0
MNB

Re: On the subject of ATMs

normal = 6ft+ does it? erm, no.

The average man in England is apparently 5'9" whilst the average woman is 5'3" (see http://www.bbc.co.uk/news/uk-11534042 which references an ONS report from 2010)

Unless of course you are Dutch, as the Netherlands is one of the few countries where the average height of a man is now over 6ft.

0
1

Re: On the subject of ATMs

OK, but why are drive-through ATMs labelled up in Braille?

4
0
Silver badge
Linux

Re: On the subject of ATMs

I'm only 6 foot tall and I can remember one particularly bad Cash Machine that I had to kneel at to be able to see the screen properly.

0
0

Over complex

Why rotate? Sideways insertion is the vital point.

1
0
Bronze badge
Angel

Re: Why rotate?

So it's just a modification to the slot, rather than replacing the whole card reader mechanism?

2
0

Re: Over complex

Exactly what I thought.

The mechanics for turning the card are probably more complex than moving a reader head sideways

0
0
Silver badge
Boffin

Re: Over complex

Indeed, I'd just drive the head sideways as that's much less complex. Stick card in sideways mag-stripe first, head is driven along the stripe, chip'n'pin contacts click into place when the head hits the end of the track. Job done.

The hard part of this (both his design and the much simpler variants) is ensuring the mechanism can't jam if the card is inserted 'wrong', because most people will try to stick it in the way they're used to, and there are cards like the "Mint" ones that are odd shapes.

0
1
Def
Bronze badge

Re: Over complex

As I understand it the rotation is there so you can't stick a card reader over the top of the slot like you can right now - it would prevent the mechanism from turning and therefore the machine from working.

By inserting your card stripe first you can only scan half the strip if you put a reader over the left half of the slot.

0
0
Anonymous Coward

Re: Over complex

And what have a moving head read the magnetic stripe on the card. Even in a tape recorder or VHS it is always the magnetic tape that is moving, never the magnetic pick up head. If the head was re-engineered to be a moving part then it would probably fail, and fail often and fast.

1
1
Bronze badge
FAIL

Re: Over complex

"Even in a tape recorder or VHS it is always the magnetic tape that is moving, never the magnetic pick up head."

You COULD do the same with a tape player -- you'd just need a 200 foot long tape player and cartridge for the head to move across. I'm just guessing that THAT's the reason that they move the tape rather than the record/read head on those, but I'll admit that I could be wrong. By your argument, hard disk drives should fail after an hour or two of use because of all the travel that the read/write head has to do. By the standards of HDDs, a read head that moves laterally only, at a moderate speed -- say 3 inches in a second or two -- would likely be pretty robust.

0
0
Bronze badge
Boffin

Re: Over complex

"[in a] VHS it is always the magnetic tape that is moving, never the magnetic pick up head."

Nope, in VHS both the tape and the read/write heads move. There simply isn't enough fidelity in linear recording for the extra video information. (Google "helical scan" for more info.)

"If the head was re-engineered to be a moving part then it would probably fail, and fail often and fast."

No more so than any other mechanical device.

0
0

You've got to say...

...that is pretty clever,

0
0

Some machines already employ an intermittent motor on the card insert mechanism

presumably to thwart skimmers.

The card judders as it is absorbed into the slot. This would make reading the magstripe challenging to say the least.

1
0
Silver badge
Thumb Up

Very neat

But as noted above, doing away with mag strip readers is the more secure approach, at least in the short term.

However you do it, anything which has access to the electronics or the transmission eventually has access to a man-in-the-middle attack, but at least this kills the scan'n'watch approach (which is sneaky because it works on a chip enabled reader even if the reader isn't using the strip).

Though the obvious approach is to remove the mag strip completely. Thinks: I wonder how much utility I'd lose if I killed the mag strip with a degausser or simply wrote garbage over it...

While I'm at it, what idiot thought that touchless payment technology was anything like a good idea? If I pay for something, I want it to be a positive act with at least one secret as an authorisor - not something that can take a tenner from my pocket before I've even decided which card to pay for (see http://www.bbc.co.uk/news/business-22545804 - terminals reading a contactless card while trying to pay with a different chip'n'pin).

0
0
Anonymous Coward

After awhile

After he has served 35 years in prison, then he can be released and start repenting.

0
1
Silver badge

Sounds like a good idea

The problem I see with this invention is not fraud but vindictiveness. Instead of card skimmers, you have people inserting their chewing gum into the moving parts or crims gluing them shut to discourage the design.

0
0
Bronze badge
Unhappy

Re: Sounds like a good idea

"vindictiveness."

Most criminals aren't vindictive in the sense you describe. It's just another challenge to be overcome or time to move on to something new.

The problem I see is the cost and time. It may not be possible that existing machines can be economically retrofitted so even if all the ATM manufacturers go with the idea and decide to pay the royalties for the patented design, it could be many years before it's rolled out in any meaningful quantities. After all, one of the largest ATM markets in the world still doesn't support chip'n'PIN yet.

1
0
Anonymous Coward

Re: Sounds like a good idea

"Most criminals aren't vindictive in the sense you describe."

What do you mean I'm not vindictive? Enough with the generalisations please!!!

0
0
FAIL

that is not more secure

You just make your mag stripe reader read the whole width of the card during the insertion mechanism.

Now it would make the current readers not work, but it would probably be a few months before the new skimmers appeared.

0
0
Bronze badge
Thumb Down

Re: that is not more secure

That would be an interesting form of read head since it needs to read many bits of information across a wide area. Based on what I know of old reel-to-reel and cassette recorders, the read head is relatively large with a tiny gap at the point where it reads the data, effectively a horseshoe electromagnet. The reader would need one for each bit, accurately aligned. I'm not sure if Hall effect sensors are available in strips, which might work. Are there existing readers which can read a mag stripe all in one go? If not, then they'd have to be designed and built, which is much more difficult than using off-the-shelf components.

I'd have thought a simple light/light sensor or similar across the card slot and /or reader assembly would detect if any sort of modification was inserted. That ought to work in existing readers.

1
0
Anonymous Coward

Three letters: NFC

Many cards now give out their details if you query them by NFC, so why bother with mag stripe readers? Skimming just became a whole lot easier.

2
0

This post has been deleted by its author

It looks to me like the physical motion of the device would be as much part of the security as the sideways insertion. Presumably if you tried to stick a device on the front it would just get pushed off by the spinny thing sticking out. Either that or the machine would fail to load the card and the transaction wouldn't happen.

0
0