Card skimmers targeting more than ATMs, says EU

Crooks are branching out beyond bank ATMs by installing card skimming devices on payment terminals ranging from train ticket kiosks to parking meters, according to European anti-fraud experts. At least five countries have logged skimming attacks against railway, bus or metro ticket machines, the European ATM Security Team ( …

COMMENTS

  1. Gordon Pryra

    Funny Stuff

    From the very inception of the "Pin Code" we have been laughing at how insecure this system is.

    Using your card to pay for anything has become a gamble; who knows where that reader you are given has come from? It's so easy to make your own it's not funny.

    The whole point of "Chip and Pin" is to move the ownership of loss and fraud to the account holder, it has nothing to do with security.

    When last did anyone check the card itself? I've been using my wife's joint account card by mistake (same pin) for months, yet it has her premarital name and the word "Miss" on it.

    What's a more pertinent question is just how the banks got this through, and who greased the wheels, or turned a blind eye to the blatant self-serving nature of the system.

    1. Anonymous Coward

      Re: Funny Stuff

      1) Care to suggest anything better than a PIN? Something workable, easy to remember and reliable (typically a bank wouldn't touch something without 5x9s.)

      2) Card fraud is going down in countries which use chip and pin.

      3) Liability for fraud lies with the bank, unless it can be proven that the customer was at fault - this includes a stolen card with PIN being used, unless the bank can show that the customer wrote down their PIN.

      4) People not checking the card is hardly a criticism of chip and pin; it's the merchant's problem and they are the ones who have to deal with it, should there be fraud.

      5) It's not a conspiracy, just looking at the card present fraud numbers can show you that.

      1. This post has been deleted by its author

        1. Anonymous Coward

          Re: Funny Stuff

          Cite sources.

          I know there have been a few examples, but it's only a few and the banks involved have been given a serious arse-kicking by the regulator. There are also a few examples where banks have treated customers badly, but because they've been trying to defraud the banks, these are often held up as cases where the banks are bastards, but usually they're just trying to protect their investors/customers from fraud.

        2. Phil O'Sophical Silver badge
          Thumb Down

          Re: Funny Stuff

          > Read the news stories about how banks have treated fraud victims with C&P cards.

          Better, ask the real victims. I was defrauded of ~ 1500 euros on a chip & PIN card, which had been cloned or skimmed and was used for online purchases. I was reimbursed by my bank in under a month, with no problems whatsoever.

          1. Alan Brown Silver badge

            Re: Funny Stuff

            You aren't the victim.

            Whoever sold 1500 euro of stuff is, because they're now out of pocket for the goods AND got whacked with punitive extra charges by the bank as well. Banks are more than happy to reimburse you, because they're taking it back from the merchants.

            It's fairly reliably estimated that banks make substantially more from card fraud incidents than they do from genuine sales - which is one reason they're not in any hurry to change the system.

      2. Mad Mike

        Re: Funny Stuff

        Answers:-

        1) Biometrics, although they have their own risks. Various other options have been looked at over time, but banks also like something cheap. This removes some options. I think some people would disagree that PINs are easy to remember.

        2) This is partially a case of damn statistics. Reported card fraud is partially going down due to banks pretty much not accepting anything as fraud if the PIN is entered unless you can absolutely and categorically prove it couldn't be you. They're using the old cashpoint excuse of right PIN entered, therefore it has to be you!! So, fraud isn't declining by as much as they make out. They're, partially at least, manipulating the figures.

        3) Theoretically true, but easily got round. The bank simply shows the PIN was used and therefore it's your fault!! Simple as that. If you were skimmed at a cashpoint and the PIN recorded (say by camera), most banks will claim future withdrawals etc. were you regardless. Of course, they have cameras on the ATMs etc. themselves, but you can't get to that footage without their permission.......sort of chicken and egg.

        4) People not checking the card has always been an issue, but is worse now because chip and PIN supposedly sorts everything!! It's always been a fault of human nature. The more 'foolproof' something is claimed to be, the less people check it!! I remember working on a checkout in the school holidays etc. (yes, some time ago) and catching fake/stolen etc. cards was a money maker. £50 each. Result.

        5) I have worked for banks in the past and I can assure you part of the point of chip and PIN is to make the retailer or cardholder liable for the fraud. Always has been. Not to say that chip and PIN doesn't help, but if that wasn't the case, why have the fraud rules changed since chip and PIN? In theory, if the retailer touches your card during the transaction, they've taken liability from the bank!! The whole point of chip and PIN (and strict interpretation of the rules), is that the only person who touches the card should be the cardholder. Where does this happen? I'm not saying it is a total conspiracy, but the banks have their agenda as well.

        1. Anonymous Coward

          Re: Funny Stuff

          1) Biometrics are slow and unreliable, expensive and can be faked.

          2) The burden of proof lies with the banks, they're not allowed to use "the right PIN was used" as proof.

          3) See 2

          4) That's hardly the fault of the banks, it's the merchants'; all the instructions from banks say that you must check the card.

          5) I've worked for banks too, I can assure you that this is not the case.

          1. Mad Mike

            Re: Funny Stuff

            "1) Biometrics are slow and unreliable, expensive and can be faked.

            2) The burden of proof lies with the banks, they're not allowed to use "the right PIN was used" as proof.

            3) See 2

            4) That's hardly the fault of the banks, it's the merchants'; all the instructions from banks say that you must check the card.

            5) I've worked for banks too, I can assure you that this is not the case."

            1) Absolute nonsense. Used to be, but not really now. The issue is it's part of you and the lengths some people will go to.

            2) They have a long and glorious history of doing so, starting with the original ATM cards till today. I've heard it many times before and know loads of people who have been told this.

            3) See 2.

            4) Agreed. Merchants should do what they're told. However, implementing a system that ignores the basics of human nature is not really that smart. It was obvious from the start these checks wouldn't occur, so relying on them is willful blindness at minimum.

            5) In what departments? I worked in IT and it was common knowledge. Even worked on one of the first big smart card trials - Mondex for NatWest. Ever read the terms for that one as well? Interesting!!

          2. Tom 35

            Re: Funny Stuff

            "5) I've worked for banks too, I can assure you that this is not the case."

            You might want to read the card agreement that came with the chip and pin cards. At least in Canada there are paragraphs of text that boil down to chip and pin is perfect, it's your fault. All of this text was new for chip and pin cards. In any case where chip and pin is used they assume you gave your card to a "friend" who bought stuff while you set up proof that you were someplace else at the time, then got the card back later.

            1. David Hicks
              Meh

              Re: Funny Stuff - Tom 35

              "You might want to read the card agreement that came with the chip and pin cards. At least in Canada there are paragraphs of text that boil down to chip and pin is perfect, it's your fault. All of this text was new for chip and pin cards. In any case where chip and pin is used they assume you gave your card to a "friend" who bought stuff while you set up proof that you were someplace else at the time, then got the card back later."

              In the UK it is their responsibility to prove that the transaction was not fraud if you say it was. With credit cards they are a party to the debt and this is their legal responsibility as lenders - return the money now, investigate later. With debit I'm less sure, but the banking code tends to support the same thing.

        2. Anonymous Coward

          Re: Funny Stuff

          Biometrics can work, they've been using finger scans (vein patterns) successfully elsewhere.

          But it does mean that if you are accessing services for someone else (as you are caring for them) that you also need to be registered.

          1. Mad Mike

            Re: Funny Stuff

            "But it does mean that if you are accessing services for someone else (as you are caring for them) that you also need to be registered."

            That would need to be the case anyway. The PIN is for the holder only and nobody else for any reason. It's in the T's and C's. So, someone disclosing their PIN to another immediately makes them liable, regardless of the reason.

            So, being able to store several means of identification (whether PINs or biometrics) for a card would make caring for the disabled etc. much easier.

      3. John Smith 19 Gold badge
        Meh

        Re: Funny Stuff

        "3) Liability for fraud lies with the bank, unless it can be proven that the customer was at fault - this includes a stolen card with PIN being used, unless the bank can show that the customer wrote down their PIN."

        That statement, and posting AC, got my down vote.

        1. Dave 126 Silver badge

          Re: Funny Stuff

          >From the very inception of the "Pin Code" we have been laughing at how insecure this system is.

          That's all well and good, but the risk has to be compared to the alternatives. I haven't done the sums on the risk of losing money through card fraud versus the risk of losing money through losing your wallet, or having a £20 slip from your pocket.

        2. Anonymous Coward

          Re: Funny Stuff

          In general I only post as AC, but in this situation even if I didn't I wouldn't have posted as my name because I have about 15 years history working in financial services IT and I don't want to jeopardise that or reveal my employer.

      4. Anonymous Coward

        Re: Funny Stuff

        Exactly right. Plus the problem is also the uncontrolled migration of crooks from Eastern Europe to the UK. That's not to say all people coming here are crooks, but the dodgier characters seem to know where all the easy money to rob is.

        I see this as a design flaw in modern ATMs. Some of the older generation machines had a plexiglass cover that lifted up when you inserted your card in. Obviously this only hinders tampering, but it is better than what we have now.

        I would propose these ideas too:

        1. Have the ATM machine inside a booth/reception area which you can only gain access to by swiping your card.

        2. CCTV inside the booth.

        3. If the machine is tampered with, lock the door (slight problem if someone else is in there at the time though).

        4. A way of reading the card without a slot. Maybe a tray or just swipe it?

        1. David Hicks
          Happy

          Re: Funny Stuff - RE: AC

          "1. Have the ATM machine inside a booth/reception area which you can only gain access to by swiping your card."

          Guess where the fraudsters attach their skimming device then?

          I'm not even kidding, I saw this one on tv years ago!

    2. David Hicks
      FAIL

      Re: Funny Stuff

      "The whole point of "Chip and Pin" is to move the ownership of loss and fraud to the account holder, it has nothing to do with security,"

      FAIL.

      It's to move liability to the merchant. Also yes, it has a lot to do with security, and despite a few attacks being published, has largely succeeded in at least part of its mission to reduce card copying and related fraud.

    3. Captain Scarlet Silver badge
      Holmes

      Re: Funny Stuff

      Well every time I use them, I don't think Tesco would be pleased if I attempted to pay for things with my Nectar Card.

    4. Anonymous Coward
      Boffin

      @Gordon

      From the very inception of the "Pin Code" we have been laughing at how insecure this system is.

      True, but my humor wasn't aimed at the pin code itself but the usage of a magnetic strip which got swiped, thus very easily read and copied.

      Which basically supports your criticism in my opinion; the sheer time alone before certain banks finally switched from using the magnetic strip to the chip itself, some took ages. The fun part was that at a given time my credit card (Visa) had already implemented this system way before the "common" banks had.

      But there's another aspect... In theory I think "chipping" (electronic wallet) is much more secure than pinning. After all; with an electronic wallet you can only lose what's on the wallet itself, people can't easily copy your card and gain access to your whole bank account. Another pro, in my opinion, is that you can pay by simply clicking "yes". No pin or such required at all, only when transferring money.

      Yet the electronic wallet is something which according to many people has to go (here in Holland at least). In most places you can only pay with your pin code and no longer with the "chipknip" (Dutch name for electronic wallet).

      Which makes me conclude that a lot of banks and electronic payment providers don't have safety and security at the top of their priorities list. It needs to be cheap, it needs to work and it needs to provide them with revenue.

  2. Gordon Pryra

    Playing devils advocate or just being bloody minded?

    Care to suggest anything better than a PIN?

    How's about a signature and a look at the card to see if the user looks like the name on the card?

    Card fraud is going down, true, because it's not being reported as card fraud. Your pin was used, so it's not fraud, it's your fault.

    "People not checking the card is hardly a criticism of chip and pin"

    Actually, it's a direct result of taking the onus away from the merchant and instilling misplaced trust in the transaction.

    Anyway, you carry on sticking your card into a reader at a pub, restaurant or any other outlet and take the risk.

    Oh yeah, I won't even go into the fun to be had with contactless payment, where you don't even need to know the pin, yet the transaction is reported as chip and pin. (On top of that the £15 a day limit is also toss, having used it myself to at least £40 in a single day.)

    1. Androgynous Cupboard Silver badge

      Re: Playing devils advocate or just being bloody minded?

      Signature? Oh please, how many times have you tried signing "M Mouse" to see if it works? Always, in my experience. Unless the girl behind the till has a degree in graphology signatures are a joke.

      As for biometrics, I look forward to the day the queue at the cashpoint is moving as quickly as the queue at the Heathrow IRIS line.

      1. Anonymous Coward

        Re: Playing devils advocate or just being bloody minded?

        I remember, back in the middle ages when this were all fields and I were a lad, I bought a load of CDs in Our Price (for those who weren't alive 20 years ago, Our Price was a chain of music stores). The guy in front of me had at least 20 CDs (which were at least £10 each), and paid for them all by cheque. He signed the cheque "Ronald McDonald". The cashier just accepted the cheque with the Guarantee card (no idea what name that was under). By the time I got to the counter and told the cashier what I'd seen, the guy had already vanished.

        1. John Brown (no body) Silver badge

          Re: Playing devils advocate or just being bloody minded?

          "at least 20 CDs (which were at least £10 each)...accepted the cheque with the Guarantee card"

          20 years ago, a cheque guarantee card would only authorise up to £50, maybe as much as £100.

        2. Steven Roper

          @AC 10:35 re: Ronald McDonald

          How do you know the guy's name wasn't actually Ronald McDonald? Just because a major hamburger chain uses the name doesn't mean that nobody else was ever christened that. McDonald is a very common Scottish surname to start with, and Ronald isn't exactly rare either.

          Like my own name. Yes, Steven Roper is my real name; it is on my birth certificate. I'm also very aware of the American syndicated comic strip Steve Roper, intrepid photographer, and his dependable sidekick Chief Wahoo. It's been a cause of people questioning my identity before now, and no doubt will again. In fact, I actually like it, because it means that people Googling me will find loads of pages relating to the comic strip, or to men of the name Steven Roper who are more successful and/or famous than I, long before they come across anything of mine (and even then it most likely will only be links to my comments on El Reg!)

          So don't be too quick to assume that guy with the cheque was using a fake name, just because it happens to be linked to a famous brand. I wonder how many Michael Jacksons there are, or John Lennons? I imagine they also must have a hard time of it with people thinking they're using fake names.

    2. Anonymous Coward

      Re: Playing devils advocate or just being bloody minded?

      Signatures are rubbish, easily forged. The whole point of chip and pin is "something you have and something you know." If the something you have has the something you know recorded on it, that's a piss-poor solution.

      The transaction is not reported as chip and pin, the transactional limit tends to be £15 not the daily limit, and number of uses is reset each time you pin auth at an ATM or PED.

      I'm happy to use my card, I'm aware that anything is not zero risk - particularly carrying round wads of cash because I'm too paranoid to use plastic - what could possibly go wrong.

    3. David Hicks
      Stop

      Re: Playing devils advocate or just being bloody minded?

      "Oh yeah, I won't even go into the fun to be had with contactless payment, where you don't even need to know the pin, yet the transaction is reported as chip and pin. (On top of that the £15 a day limit is also toss, having used it myself to at least £40 in a single day.)"

      Your limit is personal to you and is more about transaction limits than daily limits.

      It is absolutely not reported as Chip and Pin though it is processed in much the same way.

      The liability is between the bank and the merchant, so it really shouldn't worry you.

      1. Mad Mike

        Re: Playing devils advocate or just being bloody minded?

        Contactless has always confused me a lot.

        What's the point in going through all the PIN upgrade and then creating cards that only have to be swiped near a sensor and payment is made? Yes, the fraud may not be great, but it's dead easy and your chances of being caught, pretty close to zero. Obviously, PINs are still used for higher values, but I'd rather use PINs for all values and get my card caught as soon as possible!! I don't even want small value fraudulent transactions...........

        1. David Hicks

          Re: Playing devils advocate or just being bloody minded?

          "I don't even want small value fraudulent transactions..........."

          Are many cards actually stolen? Contactless still prevents skimming, which I think was the major target of EMV and Contactless.

          Nobody *wants* fraudulent transactions. The banks figure that using their cryptographic protections ensures a card must be genuine, and that the constraints "must be a genuine card" and "can only be used for small amounts" fall within the level of acceptable risk for them.

          And if you're not passing your card into/through any sort of reader at all then nobody gets to read and copy the mag stripe.

          1. Mad Mike

            Re: Playing devils advocate or just being bloody minded?

            "Are many cards actually stolen? Contactless still prevents skimming, which I think was the major target of EMV and Contactless.

            Nobody *wants* fraudulent transactions. The banks figure that using their cryptographic protections ensures a card must be genuine, and that the constraints "must be a genuine card" and "can only be used for small amounts" fall within the level of acceptable risk for them.

            And if you're not passing your card into/through any sort of reader at all then nobody gets to read and copy the mag stripe."

            Yes, a huge number of cards are stolen. It's a very big business. With a chip in the card, skimming of cards should be pretty pointless. After all, the systems should be expecting a chip and they're very difficult to copy....so what's the point of skimming? I know a lot of this goes to countries that don't use chip and PIN but some still occurs in this country. Surely, it would be more sensible for banks to issue people cards without stripes unless specifically asked to include them for reasons such as going abroad etc. There are a huge number of cards that are never used outside of the UK, let alone outside of the chip and PIN areas.

            1. David Hicks
              Stop

              Re: Playing devils advocate or just being bloody minded?

              "Yes, a huge number of cards are stolen. It's a very big business. With a chip in the card, skimming of cards should be pretty pointless. After all, the systems should be expecting a chip and they're very difficult to copy....so what's the point of skimming?"

              You have your wires crossed. I meant actually, physically stolen cards.

              We were talking about contactless cards and the ability for small-scale fraud, I was noting that in order to do this you need the *actual* card, you can't just skim.

      2. Chloe Cresswell Silver badge

        Re: Playing devils advocate or just being bloody minded?

        I love the reporting systems the banks have for classing the transaction as chip and pin.

        I've had problems with fraud, I contact the bank, and I'm told the fraudulent transaction was verified by chip and pin.

        Only problem - I don't have a chip and pin card!

        1. Anonymous Coward

          Re: Playing devils advocate or just being bloody minded?

          Sorry, but you're going to have to do a lot better than that. Anyone can just say things like this, but there are far too many questions; here are a few for a start:

          Did you or the person you spoke to misunderstand what you were talking about?

          Did the person you spoke to just see "authorised" on their screen and misread it?

          Do you actually have a piece of paper saying chip and pin authorised and a matching mag stripe card?

          etc.

          etc.

        2. Mad Mike

          Re: Playing devils advocate or just being bloody minded?

          "I love the reporting systems the banks have for classing the transaction as chip and pin.

          I've had problems with fraud, I contact the bank, and I'm told the fraudulent transaction was verified by chip and pin.

          Only problem - I don't have a chip and pin card!"

          So, is this an example of the banks' systems being so poor they don't know who has chip and pin and who doesn't, or is it an example of the banks trying to bullsh*t you off until you push them?

          Either way, not exactly an endorsement of banks.

          P.S.

          I have personal experience of my employers (a bank) ransacking my current account without my permission and telling me that as an employee they had every right!!

          1. This post has been deleted by its author

    4. ravenviz Silver badge
      Coat

      Re: Playing devils advocate or just being bloody minded?

      Heh, he said onus.

  3. Ross K Silver badge
    Devil

    Funny that this type of fraud...

    ...seems to be the exclusive domain of a certain section of the Romanian population.

  4. Phil O'Sophical Silver badge

    How to address skimming?

    ATMs are designed to be tough, hard to smash and easy to clean. Perhaps they also need to design them so that it's hard to fit a false front? Any ideas?

    It won't be that hard to shape them so that a cover can't be fitted over them without it being obvious, or just have an optical sensor that switches off the machine & triggers a visual alarm if covered?

    Add a hologram to the front surface?

    Change the card slot so that it reads the chip, and only when the card is fully inserted (2cm or so), so that a fake front can't see enough card to skim the stripe?

    1. Anonymous Coward

      Re: How to address skimming?

      @Phil - The card slot does read the chip, but because there are still areas where only magstripe is used ALL global ATMs need to support magstripe for the cards that aren't chipped. That said, you'll generally find that if a card has a chip (or should have a chip) many ATMs won't allow it to be used with magstripe.

      1. Anonymous Coward

        Re: How to address skimming?

        That said, you'll generally find that if a card has a chip (or should have a chip) many ATMs won't allow it to be used with magstripe.

        The crooks solved that one too. A bit of nail varnish will ensure the EMV chip is not sensed, and so the terminal can fall back on mag swipe :(

        1. Anonymous Coward

          Re: How to address skimming?

          Like I said - if a card SHOULD HAVE a chip, it usually won't be able to be used with magstripe, certainly not in high risk areas.

        2. David Hicks
          Stop

          Re: How to address skimming?

          "The crooks solved that one too. A bit of nail varnish will ensure the EMV chip is not sensed, and so the terminal can fall back on mag swipe :("

          At which point the liability is with the terminal operator, because there is a code on the stripe that says "I'm a chip card, process me at your peril".

          1. Mad Mike

            Re: How to address skimming?

            "At which point the liability is with the terminal operator, because there is a code on the stripe that says "I'm a chip card, process me at your peril"."

            Bearing in mind how easy it is to change the mag stripe, isn't that code about as much use as a chocolate fireguard? They nail varnish the chip contacts and then change the stripe. Easy. It would be much better if the cashpoint contacted the bank with the card number etc. and was then told 'you'd better ensure this is a chip transaction..........'

            Putting it on the mag stripe is absolutely pointless.

            1. Anonymous Coward

              Re: How to address skimming?

              @Mad Mike - For someone who claims to know about this sort of thing and have been involved in the projects, you do seem to know sod all about it.

              You can easily clone or change a magstripe, yes, but you can't easily construct a valid magstripe to read what you want it to and not what you don't. For example, you can't just make it fail to mention that there isn't a chip. If the magstripe has been changed and somehow is valid, this will still be picked up by an online transaction in any case.

              1. Mad Mike
                Facepalm

                Re: How to address skimming?

                "You can easily clone or change a magstripe, yes, but you can't easily construct a valid magstripe to read what you want it to and not what you don't. For example, you can't just make it fail to mention that there isn't a chip. If the magstripe has been changed and somehow is valid, this will still be picked up by an online transaction in any case."

                Errr. The magstripe contents and information is easily available and openly published. So, I'm not really sure how 'you can't easily construct a valid magstripe'? I certainly never had any problems in the past when I was doing it for banks!!

                "If the magstripe has been changed and somehow is valid, this will still be picked up by an online transaction in any case."

                Indeed. But, that was my point wasn't it. Putting it on the stripe is pointless. Getting the central system to tell the cashpoint it should be using the chip renders the information on the stripe irrelevant. So, why have it? Only for when the cashpoint is offline, which should be very rare these days.

                So, as I said, the chip information on the magstripe can easily be changed (I have done it many times for banks) and is actually totally pointless!!

                1. David Hicks
                  Thumb Down

                  Re: How to address skimming?

                  @Mike - "Errr. The magstripe contents and information is easily available and openly published."

                  And when the bank checks the track2 data in the transaction, BOOM, transaction declined because it doesn't match a known card.
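The issuer-side check the two posts above argue about, as an added example that is not part of the thread or of any bank's code: it parses ISO/IEC 7813 Track 2 data (sentinels assumed present), validates the PAN with the Luhn check, reads the service code whose first digit of 2 or 6 declares an IC chip, and compares the stripe against the issuer's card record so that a stripe whose service code has been altered to "no chip", or a chip card read through the stripe without a declared fallback, is declined. The card record, PAN (the well-known 4111... test number) and track strings are constructed sample data.

```python
"""Issuer-side sanity checks on magnetic-stripe Track 2 data (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: ;PAN=YYMM SSS discretionary?  (LRC not included here)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # YYMM as encoded on the stripe
    service_code: str    # three digits; first digit 2 or 6 means "IC present"
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse raw Track 2; raises ValueError on malformed data or bad PAN."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("malformed Track 2")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def stripe_claims_chip(service_code: str) -> bool:
    """ISO 7813 service code: first digit 2 or 6 declares an IC chip."""
    return service_code[0] in ("2", "6")


# Constructed issuer card records, keyed by PAN (sample data, not a real card).
ISSUER_RECORDS = {
    "4111111111111111": {"service_code": "201", "expiry": "2512", "has_chip": True},
}


def evaluate_magstripe_txn(raw_track2: str, fallback_declared: bool,
                           records: dict | None = None) -> tuple[str, str]:
    """Decide on a stripe-read transaction: (decision, reason).

    fallback_declared: the terminal reported a chip-read failure and fell
    back to the stripe (the nail-varnish case discussed in the thread).
    """
    recs = ISSUER_RECORDS if records is None else records
    try:
        t = parse_track2(raw_track2)
    except ValueError as e:
        return "DECLINE", f"track data invalid: {e}"
    rec = recs.get(t.pan)
    if rec is None:
        return "DECLINE", "PAN not on file"
    # The stripe must match what the issuer personalised; an edited service
    # code (e.g. 201 -> 101 to hide the chip) fails here regardless of what
    # the stripe itself claims.
    if rec["service_code"] != t.service_code or rec["expiry"] != t.expiry:
        return "DECLINE", "track 2 does not match card on file"
    if rec["has_chip"] and not fallback_declared:
        return "DECLINE", "chip card read via stripe with no fallback declared"
    if rec["has_chip"] and fallback_declared:
        return "REVIEW", "technical fallback on a chip card"
    return "APPROVE", "magstripe-only card, data matches"


if __name__ == "__main__":
    genuine = ";4111111111111111=2512201000?"
    tampered = ";4111111111111111=2512101000?"   # service code edited to "no chip"
    print(evaluate_magstripe_txn(tampered, fallback_declared=True))
    print(evaluate_magstripe_txn(genuine, fallback_declared=True))
    print(evaluate_magstripe_txn(genuine, fallback_declared=False))
```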

      2. Robert Carnegie Silver badge

        Protect yourself, kill the mag stripe

        The last I heard on BBC radio's "Moneybox" programme, banks have to supply your card with a working magnetic stripe, but you don't have to keep it that way. I used a magnetic bulk eraser on mine, or you could probably just file it off. If the bad guys can't read your mag stripe then you're probably safe.

        If you do find an ATM set up for skimming, bear in mind that the bad guys are probably nearby reading data wirelessly, and if you interfere with it, they may switch to Plan B of mugging you. Likewise if you get your phone out at the machine. You could be OK if you pre-emptively go nuts and beat the hell out of the machine when it doesn't give you money, but make sure that skimming is the reason for that.

        1. Anonymous Coward

          Re: Protect yourself, kill the mag stripe

          @Robert - that's fine, until you need to use your card in another country, such as the USA.

          Also never physically alter your card - it's not yours, it's your bank's and it should be retained by a merchant and certainly will be by your bank if it's damaged.

          1. Robert Carnegie Silver badge

            So take another card overseas.

            I have an everyday bank debit card, but I'd probably use a credit card if I was going to make risky transactions. So I only degauss the debit card.

            I reckon if you scrape off the brown or black stuff off the magnetic strip on the card, and then colour it in with a permanent marker pen, then no one will notice, let alone mind. And if your card doesn't work at all then you're unlikely to be blamed, particularly if you only use the chip anyway.

            Having said that, the next generation of card fraudsters may, um, do something about that. I can think of a few ideas that they probably can think of for themselves too, but nevertheless I don't want to give them any help.

          2. Vic

            Re: Protect yourself, kill the mag stripe

            > it should be retained by a merchant ... if it's damaged.

            It won't be.

            I've been using a damaged card for months. I've even told the cashiers to be careful because it's falling to bits. Not one has even mentioned retaining it.

            I've got a replacement this week :-)

            Vic.

    2. Raumkraut

      Re: How to address skimming?

      > ATMs are designed to be tough, hard to smash and easy to clean. Perhaps they also need to design them so that it's hard to fit a false front? Any ideas?

      If ATMs are so tough to smash, maybe we should be equipping each one with a sledgehammer, and encouraging customers to wail on the machines before use? That should sort out any false fascia - or at least increase the costs significantly for the crims making them.

      1. Ross K Silver badge
        WTF?

        Re: How to address skimming?

        > If ATMs are so tough to smash, maybe we should be equipping each one with a sledgehammer, and encouraging customers to wail on the machines before use? That should sort out any false fascia - or at least increase the costs significantly for the crims making them.

        You don't need to "wail" on it with a sledgehammer.

        Maybe just give the area around the card slot a good tug if it seems suspicious?

      2. Mad Mike

        Re: How to address skimming?

        "ATMs are designed to be tough, hard to smash and easy to clean. Perhaps they also need to design them so that it's hard to fit a false front? Any ideas?"

        People should probably watch the video of an ATM being attacked in a petrol station in Hampshire. After the explosion, money was showered everywhere. Bit of a design flaw there methinks. Bearing in mind they used gas, I assume the gas was injected into the ATM through cracks etc. and then ignited. The pressure wave produced would blow the ATM apart, hence the cash just lying around.

        A side reference to The Italian Job is obviously required here.

        1. Anonymous Coward
          Anonymous Coward

          Re: How to address skimming?

          > Bit of a design flaw there methinks.

          True, and one that is being (has been?) addressed.

          Simple solutions are best. BT used to have a problem with yobs in one area thinking it was funny to piss into the coin slots of phone booths (remember them?) so the poor sod who collected the cash got a box of corroded 10p coins swimming in urine.

          After several high-tech proposals were rejected they opted for the simple approach. A hole drilled in the coin chute connected to a tube that poured any liquid that came in back out over the trousers of the person standing in front of the box.

          There's a similar solution to the gas-in-the ATM trick.

  5. Winkypop Silver badge
    Alert

    Careful with that card Eugene!

    One must be careful where one places one's 'card'.

    - Public transport kiosks, no.

    - Car park machines, no.

    - Street vendors, no.

    People, standards, please!

    1. Lars Silver badge
      Coat

      Re: Careful with that card Eugene!

      Yes, I'd rather use an ATM to get some cash than use the card elsewhere, depending on the sum; not always possible of course. Cards without chips are not good at all but the fault lies with the banks, not with the customer. An ATM suddenly not able to read the chip on a card with a chip should not work at all. If the bank can check your account it should know what type of card you have. How to add security is the question and to be honest I don't really have any worthwhile suggestions taking into account the costs.

      1. Lars Silver badge
        Coat

        Re: Careful with that card Eugene!

        I forgot to mention I believe it should be possible to make it more difficult to read the ATM keyboard from afar by somebody else.

  6. Why Not?
    Boffin

    Signatures = good

    Electronically verified signatures are fine. The speed and manner in which you write is as unique as a fingerprint. That can be captured & analysed by the average PC. No graphology expert required.

    Set different levels for different authorisation requirements.

    <£15 NFC

    <£100 chip & Pin

    <£500 chip & Pin + signature

    <£1000 Chip, PIN & delivery address = card holder's + Signature

    If there is a suspicion the card has been stolen move up the tree.

    All depends what shape the attacks are after a card is stolen.

    1. Anonymous Coward
      Anonymous Coward

      Re: Signatures = good

      Banks already do operate increased checking on increased risk transactions - you'll often find you're called up if a large or suspicious transaction occurs. Electronic verification of a signature just isn't a goer though. It required far too much technology and infrastructure changes; it's also not nearly reliable enough.

      1. Mad Mike
        Facepalm

        Re: Signatures = good

        "Electronic verification of a signature just isn't a goer though. It required far too much technology and infrastructure changes; it's also not nearly reliable enough."

        You mean like installing chip and pin readers into millions of retailers? That's dead easy isn't it!!

        "Banks already do operate increased checking on increased risk transactions - you'll often find you're called up if a large or suspicious transaction occurs."

        Of course. Like when I was buying a car on debit card. £10k ish. Phoned the bank to let them know in advance, including dealership, when the transaction was going to take place etc. Said they couldn't take any information and would simply call me on my mobile at the time. Fair enough I said, just trying to make it easier. Did the transaction. Went through in seconds, no call, no nothing. Never heard a thing. So, either they lied to me on the phone and actually recorded the information, or they didn't give a damn about me putting £10k through a debit card? In fact, the transaction was authorised by the terminal so quickly, it can't possibly have been referred at the back end.

        Shows how much some banks care about £10k!!

        1. Anonymous Coward
          Anonymous Coward

          Re: Signatures = good

          Chip and pin rollout used relatively inexpensive equipment, a keypad, some microcontrollers and a cheapo LCD matrix screen, usually attached to a port on a pre-existing merchant terminal.

          Rollout of something which monitors the pace, direction and pressure of a pen stroke, while displaying a high resolution image of what you're doing would not use cheapo components. Added to that, offline approval by the card wouldn't be possible because the processing required would be significantly larger than that which is available on the cards' chips.

          Regarding your story about buying a car: If you knew as much as you claim about payment processing, you'd know that each individual merchant has a pre-approved limit and risk associated with them. It's very likely that a car dealership will be able to approve very large transactions - because that's what they do, sell things that cost a lot.

        2. Anonymous Coward
          Anonymous Coward

          Re: Signatures = good

          "Did the transaction. Went through in seconds, no call, no nothing. Never heard a thing."

          They didn't call you because you told them. They had a note on file about your call. When the large transaction appeared on the fraud operator's screen, they would also have seen the note and hence let it through without any further intervention. This can happen in the 15 seconds allowed for payment authorisation.

    2. Dan 55 Silver badge

      Re: Signatures = good

      If you want signatures to be checked electronically while the transaction is being processed you'd have to use a pen and touchpad to capture it, but I can't think of any time that I've scrawled something that looks remotely like my signature on one of those.

      You'd have to raise the chip and pin limit otherwise you'll have everyone signing and keying their PIN for their weekly shop and the queues would reach round the shop.

      1. Vic

        Re: Signatures = good

        > I can't think of any time that I've scrawled something that looks remotely like my signature

        In the days before chip&pin, I had a bad hand injury. I could not use my right hand at all.

        Using my card at supermarkets was fun - I would tell them that I could not sign, and they'd say something along the lines of "oh, just try with your left hand". What I signed bore no relation whatsoever to my real signature.

        I still got my stuff...

        Vic.

    3. Lars Silver badge
      Pint

      Re: Signatures = good

      I suppose restaurants would hate an electronically verified signature, I might hate it too.

  7. taxman

    What no solutions?

    So we have:

    1 - Signature. No good, easily forged.

    2 - Magnetic strip. No good, easily forged.

    3 - Chip & Pin. No good, if cloned banks won't believe you

    4 - Cash. No good, easily lost, mugged, washed, spent......

    So guys. What is the answer?

    All I've seen is plenty of moaning about the cons of the above (with a few pros) but not one realistic solution. And forget about biometrics - here, just spit on this please.

    As for me. I'm 'happy' with C&P knowing that there is risk but that I have some control over that risk.

    1. David Hicks

      Re: What no solutions?

      "Chip & Pin. No good, if cloned banks won't believe you"

      Err, chip cards are very hard to clone, and the bank doesn't have to believe you've been subject to fraud - they have to prove it wasn't you if they want to not refund you (in the case of credit cards this is by the CCA, debit cards are covered by banking codes and other laws).

      1. Mad Mike

        Re: What no solutions?

        "Err, chip cards are very hard to clone, and the bank doesn't have to believe you've been subject to fraud - they have to prove it wasn't you if they want to not refund you (in the case of credit cards this is by the CCA, debit cards are covered by banking codes and other laws)."

        As this is a civil matter, they simply have to show on balance of probability that it was you. They constantly use the 'correct PIN entered' excuse for this. I know of quite a few people who have suffered from this until they got very, very stroppy with the banks and involved (or threatened) regulators etc. Banks consider the correct PIN being entered as proof it was you; at least, until you go for them.

        Banks certainly don't seem to regard it as their job to prove it was you and, from the people I know who have experienced this, they tend to ask you to prove it wasn't you!!

        1. David Ward 1

          Re: What no solutions?

          "Banks certainly don't seem to regard it as their job to prove it was you and, from the people I know who have experienced this, they tend to ask you to prove it wasn't you!!"

          And there are plenty of people who don't experience this, guess it depends on the bank.

          1. Mad Mike

            Re: What no solutions?

            "And there are plenty of people who don't experience this, guess it depends on the bank."

            I'm sure it does. It probably also depends on the exact circumstances. If they know you're phoning them from a UK telephone and are registered in the UK, but the card is being used somewhere abroad where you simply couldn't be, the situation is easier. I do know of people who have had no issues as well. The situation seems very variable. I'm not aware of any pattern by bank, but different banks could have different rules.

            Not saying everyone is bad. Just that the situation isn't the bed of roses being presented by some and that some people have all manner of grief trying to get their money back............and some never succeed.

        2. David Hicks
          Thumb Down

          Re: What no solutions?

          "As this is a civil matter, they simply have to show on balance of probability that it was you."

          With a credit card this is incorrect. They have to return the money now, pending investigation, as they are a party to the debt and you have disputed it. They will likely get you to sign something to the effect that you agree it is fraud under penalty of perjury, but that's the law.

    2. Paul 70

      Re: What no solutions?

      I've always thought that the problem is that the PAN and PIN are too closely coupled and easy to get at. If one of these was changed to some other method then problem solved:

      1) One Time passwords (bank gives you a dongle or incorporates it in the card)

      2) Challenge responses at the ATM

      3) Anything else.

      I'm convinced that (even online) just having a 16 digit number - which can be obtained photographically as well as magnetically - and a 3 digit verification number (again photographic) or 4 digit PIN (we know how easy it is to get that) is not enough. The banks insist on making the PAN unreadable/unstorable for PCI reasons for retailers, but not just make it completely valueless.

      I know this will need a complete overhaul of the card industry, but if the banks are really into solving fraud then this is what needs to be done. I've got a feeling that the banks do not consider it to be in their interest so nothing will happen - except throwing the liability for fraud squarely on the retailers and customers. The minuscule amount that can't be lobbed in that direction will hardly dent their profits, so why bother?

  8. Allan George Dyer

    Banks don't think things through...

    Last time I went to an ATM, the card slot had sprouted a green plastic thing...

    the hotline eventually confirmed it was legitimate but they are idiots for not putting a warning on the screen.

  9. Jediben
    Big Brother

    Time to get a hand on this

    Literally. Thumb + forefinger print recognition along with a card and a PIN. Sadly it means we're going to be screwed over with feature creep etc ("I say Mr Chancellor, is that a big brown envelope you have there? would you like us to send this database anywhere special?") but the effort one would need to go to in order to fake it would virtually eliminate small scale shenanigans.

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to get a hand on this

      Won't work, for the same reasons that it wouldn't work for national ID cards:

      Not everyone has fingerprints - builders, chemists, hairdressers are top of the list.

      Not everyone has fingers.

      Your fingers are attached to you, so a ruthless mugger will just remove them.

      You can't change your fingerprints and you leave them literally everywhere.

      It's fairly easy to make fake fingerprints.

      1. Mad Mike

        Re: Time to get a hand on this

        "Won't work, for the same reasons that it wouldn't work for national ID cards:

        Not everyone has fingerprints - builders, chemists, hairdressers are top of the list.

        Not everyone has fingers.

        Your fingers are attached to you, so a ruthless mugger will just remove them.

        You can't change your fingerprints and you leave them literally everywhere.

        It's fairly easy to make fake fingerprints."

        That's one of the benefits of the new vein pattern recognition method. You don't leave them anywhere and chopping the item off will render the pattern unreadable!! Theoretically, a finger (or thumb) is easiest, but it could be any part of the anatomy in theory.

  10. BagOfSpanners

    Why are ATM fascias so complicated and intricate?

    I think the design of ATM machines makes it easier to attach card-skimming devices. They have lots of joints, recesses, protrusions, badges, unnecessary styling features and so on. Even genuine ones look like they've been assembled from various mismatched components over a period of years.

    If the entire ATM fascia was a single large moulded piece of smooth curved plastic, preferably flush with the wall of the building, it would be easier to spot at a glance recently attached card-skimming devices.

    1. Nigel 11
      Coat

      Re: Why are ATM fascias so complicated and intricate?

      The answer? An ATM designed by Apple!

  11. Fihart

    The only safe way.

    If enough people boycotted ATM and other card machines the skimmers would have to find another scam. Hopefully the banks would also take security more seriously than (for example) the PIN system which was revealed as defective even before it was introduced. PIN was used by the banks to try to place the onus for fraud on customers by claiming that it was uncrackable without negligence by customers.

    I have never used an ATM and manage my pocket cash needs by leaving cash in an instant access account with a book which I must produce to make withdrawals. It's slightly inconvenient but less so than having money stolen.

    1. Anonymous Coward
      Anonymous Coward

      Re: The only safe way.

      "I have never used an ATM and manage my pocket cash needs by leaving cash in an instant access account with a book which I must produce to make withdrawals. It's slightly inconvenient but less so than having money stolen."

      Seriously? Why don't you stick it in your mattress, you know it's the only way to be sure.

    2. Anonymous Coward
      Anonymous Coward

      Re: The only safe way.

      @Fihart:

      Yeah, that's great. How exactly do you plan on convincing everyone that having to waste hours of every week going to the bank to get cash out for regular expenditures, as well as losing annual leave due to taking time off to go to the bank for every unplanned expenditure that arises, is worthwhile?

      You've also failed to consider that the anonymous nature of cash is highly valued by thieves, so your suggestion would, in addition to making an awful lot of people's lives far more inconvenient, be coupled with a marked increase in the rate of incidence of muggings.

      1. John Brown (no body) Silver badge
        Happy

        Re: The only safe way.

        "waste hours of every week going to the bank to get cash out"

        Maybe you're just too young to know that not so very long ago, that was the only option. Luckily, my bank was open on a Saturday morning and cashing a cheque for £50 did me for the week, including petrol for the car.

        Regularly occurring bill? Standing order/direct debit.

        Unexpected large purchase/bill? Write a cheque.

        I'm not saying I especially want to go back to that system as my only choice, but it certainly wasn't as bad as you seem to think. Maybe you only learned about the "bad old days" from history books? :-)

        1. Anonymous Coward
          Anonymous Coward

          Re: The only safe way.

          "Maybe you're just too young to know that not so very long ago, that was the only option."

          Which is exactly why the ATM was invented. Since we're now allowed to take more than £5 abroad when we go on holidays it becomes impractical to order traveller's cheques, and unsafe to carry cash, every time we pop away for the weekend. Being able to use ATMs abroad is one of the greatest boons to frequent travellers.

          Bank book & local branch might have worked for my grandad (well, in fact it didn't) but it's totally impractical for anyone who doesn't spend their life mostly in one place.

    3. Fihart

      Re: The only safe way.

      @ the many downvoters

      I did mention that my approach was only for pocket cash. For larger/unexpected transactions and abroad I keep a credit card handy. I just steer clear of ATMs.

  12. Kubla Cant
    Unhappy

    ATMs not the problem

    Most of the posts here have homed in on banks and ATMs. The banks may be bastards and ATMs less secure than they pretend to be, but I don't think these are the main source of concern. ATMs are mostly big and expensive, and the fact that they dispense real cash means they're relatively well maintained.

    Car park ticket machines, for example, are a different kettle of fish. Often unreliable or non-functioning, located in isolated places where they can be easily tampered with. The same applies to parking meters, which are so numerous that they are obviously built to lower standards than ATMs. But I'm sure I'm not the only one who's used a card when I'm rushing to catch a train and I haven't got the right change.

    The surprising thing is that it's taken as long as it has for crooks to home in on these machines.

  13. Anonymous Coward
    Anonymous Coward

    Cough Cough

    http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

    But they don't really need to know the PIN for stolen cards (see above)... plus, as for "it's very hard to clone chip and pin", you don't need to: just clone the mag strip, make the chip unreadable (super glue over one of the chip contacts or whatever) and you're given the option to complete the sale through swipe and sign in most places!

    As for NFC...

    https://www.youtube.com/watch?v=Otg3RWkggSw

    https://www.youtube.com/watch?v=vmajlKJlT3U

    http://www.youtube.com/watch?v=BR-JXDdzCko

    https://www.youtube.com/watch?v=VWIzW0rRw_s

    https://www.youtube.com/watch?v=cs4I-hURT7A

    As for the people moaning that no one has given any good alternatives... why can't we just go multi-factor authentication of some form, using something like:

    http://1.bp.blogspot.com/-2sAzS2m6mas/TWKcDxPkrsI/AAAAAAAAAAU/_ewdqaZ91Fg/s1600/PayPalDual.jpg

    (I know cards are coming with this built in)

    So you have your pin (you know), your card (you have) and a time generated code (one time auth).

    So if you're going to have to type in say a 6 digit code first (a one time code) and then your PIN number... the issue with this is you're trading off convenience for security... so that's not likely to happen.

    What would be far better would be for a one time code to be generated and transmitted by RFID, or displayed as a QR code (and scanned optically), or transmitted through the chip interface, and then the normal chip and PIN process would take place once the first one time auth had completed... thus keeping a system that is close to normal chip and PIN... remove the magnetic strip full stop and remove the signature.

    This means no more cloned cards, no more chip/pin (first video) spoofing, skimming no longer works...

    Just an idea..

  14. Remy Redert

    Just a nice note for the people who think rendering their magstripe unreadable will prevent people from copying the magstripe. For redundancy reasons your friendly banks included the FULL MAGSTRIPE on the chip which can be sent in the clear to the point of sale terminal. This was pointed out in Defcon 20 and only the most recent types of chip do anything to fix it.

    Additionally, the majority of chip and pin cards will accept an offline authentication whereby they verify the PIN between the chip and the point of sale. Again, they send this data back and forth unencrypted. As for cloning the chip, while more expensive than cloning a magstripe it is very doable. The only reason it isn't being done much is because it's far less effort to just copy the magstripe and your PIN via the handily provided chip and pin system, then make a magstripe card and use it to commit your fraud.

    By the time the bank catches on, the crook is a fair bit richer and long gone. They don't care who gets hit with the bill after all.

    1. David Hicks
      WTF?

      > For redundancy reasons your friendly banks included the FULL MAGSTRIPE on the chip which can be sent in the clear to the point of sale terminal.

      Actually it's only a Track 2 equivalent, not the full track 2 details.

      > Additionally, the majority of chip and pin cards will accept an offline authentication whereby they verify the PIN between the chip and the point of sale. Again, they send this data back and forth unencrypted

      This is factually false, the PIN is encrypted ASAP and never transported around the place as plaintext.

      And if you have a chip cloning method I'm sure the class would love to hear about it.

      1. Remy Redert

        I had to check the Youtube playlists for this and it turns out it was Defcon 19, not 20, that detailed just how broken chip and pin is.

        http://www.youtube.com/watch?v=JABJlvrZWbY

        It does not detail the process or methods of cloning a chip, however it does detail skimming them, it does detail how you can use the information from the chip to create a fully functioning magstripe from most chip and pin chips and yes, it details how you can get a point of sale terminal to transmit the PIN in the clear to the chip.
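The issuer-side check described earlier in the thread (track 2 data compared against a known card, transaction declined on mismatch) and the point in the exchange just above that the chip carries only a "Track 2 equivalent" can be shown in code. This is an added example, not code from any commenter or any bank: it parses ISO 7813 Track 2 data, checks the PAN with Luhn, and decides on a stripe-read transaction; the issuer record, the sample tracks and the `authorise`/`parse_track2` names are all constructed for illustration.

```python
"""Issuer-side checks on magnetic-stripe Track 2 data (added example).

Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary-data?
The issuer record and all card numbers below are constructed test values.
"""
from dataclasses import dataclass


@dataclass
class Track2:
    pan: str
    expiry: str         # YYMM
    service_code: str   # three digits
    discretionary: str  # issuer-defined; on a real stripe typically holds CVV1/PVV


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit test on a numeric PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSS...?' (sentinels optional) into its fields."""
    body = raw.strip().lstrip(";").rstrip("?")
    pan, sep, rest = body.partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("missing expiry/service code")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def chip_capable(t: Track2) -> bool:
    """Service code starting 2 or 6 means the card carries an IC (chip)."""
    return t.service_code[0] in ("2", "6")


# Constructed issuer record: what the bank stored when it personalised the
# physical stripe. 4111111111111111 is a well-known Luhn-valid test PAN.
ISSUER_RECORDS = {
    "4111111111111111": {"expiry": "2712", "service_code": "201",
                         "discretionary": "0000000123456"},
}


def authorise(raw_track2: str, entry_mode: str, allow_fallback: bool = False) -> str:
    """Decide on a transaction whose card data came from a stripe read.

    entry_mode is 'swipe' (stripe read) or 'chip'.
    Returns 'APPROVE', 'DECLINE:<reason>' or 'REVIEW:<reason>'.
    """
    try:
        t = parse_track2(raw_track2)
    except ValueError as e:
        return f"DECLINE:{e}"
    rec = ISSUER_RECORDS.get(t.pan)
    if rec is None:
        return "DECLINE:unknown card"
    # The chip's Track 2 equivalent carries different discretionary data from
    # the physical stripe, so a stripe written from chip data does not match
    # the issuer's own record for that card's stripe.
    if (t.expiry, t.service_code, t.discretionary) != (
            rec["expiry"], rec["service_code"], rec["discretionary"]):
        return "DECLINE:track data does not match issuer record"
    # A stripe read of a chip-capable card is a fallback transaction; flag it
    # unless the issuer's policy explicitly permits fallback.
    if entry_mode == "swipe" and chip_capable(t) and not allow_fallback:
        return "REVIEW:stripe read of a chip-capable card (fallback)"
    return "APPROVE"
```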

  15. John Ruddy
    FAIL

    Not really news - someone I know had their card cloned by a device attached to a petrol pump - you know the sort which suggest you pay at the pump instead of going into the shop.

  16. Anonymous Coward
    Anonymous Coward

    Already happening in the United States

    Card skimmers have been found on gasoline (petrol) pumps for a few years now here in the U.S.

  17. D@v3

    because everyone loves anecdotal evidence.

    I was travelling round Europe, by car, a few years ago, and had to cut my trip short because my bank had noticed that my account (by card) had been accessed several times over the course of a week, in three different countries. They decided it was probably fraudulent activity, and put a hold on my account. Nice to know they care, bit of a pain getting back from Italy, with only the change in my pocket.

    I'm sure there are dozens (hundreds?) of people out there with vastly conflicting experiences.

    Doesn't help if your card is cloned and used locally, but from what I hear, that seems to rarely be the case.

    1. Phil O'Sophical Silver badge

      Re: because everyone loves anecdotal evidence.

      I've had that happen, although a quick call to the bank fixed it. It seems to depend on what you buy, typical holiday spending like food or petrol doesn't usually trigger it, but buying a TV or a washing machine will certainly ring alarm bells.

    2. Jediben
      Joke

      Re: because everyone loves anecdotal evidence.

      I know that my bank suggests I advise them when I'm leaving the country to avoid this sort of thing. They never accept the invitation to view my holiday snaps after though.

  18. Anonymous Coward
    Anonymous Coward

    Lebanese Loop ..

    "Other scams include the use of cash claws designed to trap cash withdrawals made by genuine customers."

    Why is it called a Lebanese Loop?
