back to article EU urges wise-up to combat rampant ATM crime

The rise in ATM-related crime has prompted a EU security agency to urge consumers to be more careful about withdrawing money from cash machines. ENISA (European Network and Information Security Agency) estimates that annual cash machine losses in Europe have increased to around €500m, a 149 per cent increase year-on-year. …

COMMENTS

This topic is closed for new posts.
  1. James 5
    Happy

    Is it beyond....

    ... the ingenuity of the ATM manufacturers to design an ATM that knows when it's been tampered with?

    At the very least it could then warn the service provider and shut down.

    Even better if it had big metal arms that could "arrest" the tamperer shouting "Thief, thief" at the top of it's voice so that members of the public could pelt the miscreant with tomatoes, rotten eggs etc.

    Perhaps also a video camera that recognises if the same person or people have been hanging around it for more than appropriate time.. !!

    A few years ago in Sardinia (it would be) I used a cash machine that was in a protective cubicle. Only one person can get in, then when the transaction was in progress the doors were locked. Only when you'd taken your card plus money did the doors release. Mind you, the potential for "revenge of the machines" is fairly high so I don't think I'd recommend it !

  2. OFI
    Thumb Up

    Card Details

    Knowing how poorly some companies look after our card details it seems almost a waste of time worrying about the odd ATM withdrawal :-(

    I've had my card cloned yet again recently and i'm sure it wasn't from an ATM as I completely cover the keypad and check for false fronts.

    Just glad the banks are a lot quicker on blocking dodgy transactions even if it does mean sometimes blocking genuine transactions.

  3. Sooty

    even better

    would be to remove the mag stripes from cards, which are negligibly easy to skim.

  4. Anonymous Coward
    Anonymous Coward

    Statistics

    Around 10000 people's cards has been skimmed in Europe last year? I call it BS. I had it twice so far this year and quite a few of my friends. Some of the cash points are even famous for skimming cards (ASDA at Isle of Dogs, London for example).

    Funny part is that they could just put a camera inside the ATM and then review the photos when skimmer is found. I mean camera not a fricking camcorder so the photos are actually useful for something. But I suppose that will mean spending some cash... Poor banks.

  5. It wasnt me

    Why bother

    Why bother modifying the things. Most pubs / clubs just buy one these days then charge you £1.75 to use it. I even saw one this weekend charging £3.00.

    All perfectly legal as well.

    Thats an even worse form of robbery.

  6. Anonymous Coward
    WTF?

    It's not complex

    Just make the banks automatically 100% liable for all losses unless they can prove beyond reasonable doubt that either

    1) the "customer" had left the cash machine at the point at which they were physically mugged

    2) the customer was deliberately defrauding them

    We need to emphasise the burden of proof - they need to prove that the customer was doing something fraudulent, not parrot their current assumption that it's our fault until we have to drag Which? Private Eye and 18 lawyers into it...

    Then, we'll end up with an ATM system that the banks actually care about security. 4 digit PINs FFS, who do they think they're kidding? Security my shiny metal butt.

  7. EnricoSuarve
    FAIL

    Aren't they missing something?

    The sheer number of systems in use at shops and the fact that people have become used to the "hang on the chip thingy doesn't always work I'll just put it in this reader, nope that didn't work, ah that did, now type your pin in there while I'm watching and in the presence of this security camera" conversation

    OK, the last bit isn't usually spoken out loud but the above multiple reader scenario happens so often (even at my local B&Q so not just small shops), that to skim a mag strip at a shop and record the associated pin would be a negligable exercise for a fraudster and probably is

    Thats without even going on about the C&P terminals that actually HAVE been hacked!

    They designed a system that would be cheap to maintain for them and focussed on ways of putting the blame on the consumer rather than concetrating on obvious actual security improvements such as removing mag strips, seperating out ATM and shop pins, using pattern rather than number based pins etc. Hell when C&P first came out even the little bit of plastic to hide your hand was too much for them to bother with (although it'd been a standard feature in Europe for years)

    Now the system has backfired on them and we are supposed to care about the banks?

    Not likely

    I can't wait for the first Barclaycard contactless cards to get hacked from a distance just so I can piss myself laughing at anyone who accepted one

  8. Stephen Dooley
    Thumb Up

    If only...

    ...we had the technology to give each individual some kind of unique attribute to complement cash withdrawal....

  9. Anonymous Coward
    Anonymous Coward

    Comments...

    Yes, it would be nice to drop the magstripe, but it is needed for fallback as certain countries (USA would be the main one) don't use chip'n'pin and our cards won't work over there and theirs won't work over here if the magstripe is dropped. This is a major issue.

    ATMs do have cameras in them.

    There was a local atm to me renouned for lifting people's PIN and resulting in clones, everyone *knew* that it was a dodgy ATM, although it turns out that it wasn't the ATM, it was the petrol station tills which, for some reason had been switched back to magstripe rather than c&p.

    There is no evidence that a c&p terminal has been sucessfully hacked.

    Obtaining money remotely from a contactless card would be potentially possible, but you kind of have to be a marchant, so you're not going to get away with it as there is an audit trail straight back to you.

    Please stop banging on about c&p being a banking conspiracy to make the customer pay, would you rather have rampant fraud being paid for by you, the customer, or have the bank do something about it. There is no evidence that any attack on c&p has worked outside of a lab setting without the customer having handed over their pin in one way or another.

  10. -tim

    Easy way to raise the bar?

    The fastest solution that could be rolled out next week would be to change the pin screen to say "Please add 1021 to your PIN and enter it" where the number is a random collection of 0, 1 & 2 (in order to keep down the hard math). One ATM vendor has already done this at least in their demo software.

  11. Tony Paulazzo
    FAIL

    In America

    I believe, each ATM has a working camera that by law has to record the transaction, something to do with being resposible for the customer using their ATM. No such requirement over here, so no working camera - years ago I used to do software upgrades on the new ATMs, an NCR engineer was telling us why the camera space was there.

    Perhaps the EU should be urging the banks to tighten up their security if there are so many holes in it.

    As for watching out for tampered with machines, sometimes you cannot tell, the fixture looks like part of the machine.

    Funny, isn't it, after the near collapse of western civilasation when our masters had to give them a load more of our money, how nothing changed.

  12. Adam 10

    Shoulder surfing?

    I can't speak for the Continent, but I have noticed that standing too near to someone at a cashpoint or till *just isn't done* here in the UK. There seems to be an imaginary line about 6 feet in front of a cashpoint that people don't cross until it's available.

    The only time I've had someone break the distance rule on me was an old lady in the supermarket who stood right next to me until the cashier told her "Could you please step back, this gentleman would like to enter his PIN."... I put that down to her being elderly so working on the principle of everybody using cash.

  13. EnricoSuarve
    FAIL

    Re: Comments.... 7th 16:00

    [...drop the magstripe, but it is needed for fallback as certain countries ...don't use chip'n'pin and our cards won't work over there and theirs won't work over here...]

    True but surely it makes more sense to offer people the option of a card that does not have a magnetic strip? I can't remember the last time I went to a country that really needed it, and I'd be happy to check if I needed to get a separate 'compatibility' card before going abroad

    There is no evidence that a c&p terminal has been sucessfully hacked.

    http://software.silicon.com/security/0,39024655,39165665,00.htm

    * http://news.bbc.co.uk/2/hi/business/7557956.stm

    http://www.silicon.com/financialservices/0,3800010322,39170202,00.htm

    http://www.cl.cam.ac.uk/~mkb23/interceptor/

    * http://www.theinquirer.net/inquirer/news/1021124/chip-pin-hack-exposed

    The ones starred are in my opinion the most interesting

    ...Obtaining money remotely from a contactless card would be potentially possible, but you kind of have to be a m[e]rchant, so you're not going to get away with it...

    Nope - It just makes the crime a little bit more complex, but that will just put off fraudsters who don't have the ability to create dummy companies, shell accounts and forward money to offshore banks. Plenty of crimes already involve such frauds, this will just potentially add to the list.

    ...Please stop banging on about c&p being a banking conspiracy to make the customer pay, would you rather have rampant fraud being paid for by you, the customer, or have the bank do something about it. There is no evidence that any attack on c&p has worked outside of a lab setting without the customer having handed over their pin in one way or another...

    Firstly - see above (especially the comment attributed to Det Ch Insp John Folan, of the Dedicated Cheque and Plastic Crime Unit [chip and pin terminals that have been hacked into have been found in 30 shops in the UK]).

    Secondly - In my experience the rampant fraud IS being paid for by the customer, in most cases I have heard of the victim of fraud (the customer) is basically told - 'our systems are perfect, chip and pin is perfect, therefore you are to blame, pay up'. The systems they are implementing, chip and pin, verified by visa etc are flawed and poorly implemented; they all have one thing in common, however - they put the onus of security and proof of fraud on the victim (the customer), more than one person was involved in the decision to do this so by definition it’s a conspiracy.

    Thirdly - Make me ;)

    Still fail I'm afraid

  14. Anonymous Coward
    Grenade

    cynicism

    you guys aren't cynical enough.

    The whole point of chip-and-pin was to allow the bank's fraud insurers to get out of coughing up. with c+p, the small print says your pin is "your signature", ergo a txn with the correct pin is not forged, ergo they dont pay up.

    Pre c+p, the bank swipe-cards magnetic strip contains the account number encoded with the pin, in such a way as with one you can get the other (thats why the account number isn't helpfully on the card). That made it laughably easy to record pins and produce fake cards.

    All you need to do to record new c+p details is to steal a machine, dress up as a service techie with overalls and a clipboard, and visit shops with 'replacements' for 'defective' machines (cheeky smile and brass neck not included).

    Your inserted custom gizmo can SMS you all the details you can eat at your card-faking workshop, just in time for xmas.

    Moral of story: use cash.

  15. Anonymous Coward
    Anonymous Coward

    @Enrico

    I don't have time to address everything you said, but quickly here is a little rebuttal:

    http://software.silicon.com/security/0,39024655,39165665,00.htm

    This isn't a hack of the terminal, they take the insides out of a terminal and replace them with their own kit. This also relies upon scraping the back off the card and attaching wires, which then connect to the laptop. This 'hack' was dealt with by the banks by reducing the timeouts on the transaction so it isn't really feasable. Also, you'd get found out straight away as all the 'victim' would have to do is remember that they were paying for lunch when the £2k at the jewellers was charged.

    http://news.bbc.co.uk/2/hi/business/7557956.stm

    Ok, the terminal got opened, not good, but the device that has been inserted is separate to the PED, merely housed within it, it is not claimed that the chip is being read and it is not claimed that the people who had the equipment were capable of cloning a chip.

    http://www.silicon.com/financialservices/0,3800010322,39170202,00.htm

    So they managed to tap onto a dataline, but crucially weren't able to obtain the contents of the chip, only enough information to generate a magstripe, which is far more easily obtainable.

    http://www.cl.cam.ac.uk/~mkb23/interceptor/

    Did you see the bits in bold where they say 'this doesn't copy the chip' and that it can only be used to generate a magstripe?

    * http://www.theinquirer.net/inquirer/news/1021124/chip-pin-hack-exposed

    I can't find much out about this one, but you will notice that the faud happened overseas, meaning that the magstrip is all that has been obtained.

    Like I said above, we need to get rid of the magstripe...

This topic is closed for new posts.

Other stories you might like