Atm Skimmers

[jonocarroll]

I am also going to argue about the journalistic integrity of NewScientist.

Fine. How about Sophos? Do you trust them?

http://www.sophos.com/blogs/gc/g/2009/03/1...re-lurking-atm/
http://www.sophos.com/blogs/gc/g/2009/03/1...jan-horse-case/

Sheesh, I was just pointing out a link to read about it, I wasn't following up the journalism myself. Then again, I read the article. Or don't you trust any unverifiable news sources? Or don't you trust anyone? Is anything real? Is it solipsistic in here or is it just me?

 

[bum]

Do I trust a company selling data security products in regard to the starting of baseless scaremongering?

Surprisingly not.

I do however trust those malware coders who try to sell me software security programs.

Jumping to near Matrixian philosophy so soon?

 

[MartinS]

And neither do most people. It will NOT take off.

QB, as Pollux points out, current technology is designed so that no insertion of chips is required. Even the initial card chip readers only required about of a third of the card to go in. Cards only go all the way in to read the strip.

But chipped cards still need contact with a reader. They're not the same thing as proximity cards.

The reason they WILL take off is as follows: The more places that require that the chip be used when present (rather than just swiping the magnetic strip), the harder it is for card skimmers to do their work. You can't "skim" the chip itself without destroying it. The chip contains a really big secret number that is shared with the bank. The bank and the card have a little chat during which the card proves it knows the number without either side mentioning the number.

Once all the cards have chips, and all readers reject swiping of chipped cards (which is becoming much more common now), there'll be absolutely no point in putting skimmers on ATMs.

 

[bum]

http://www.cl.cam.ac.uk/~mkb23/interceptor/

 

[Leigh]

...and you question the integrity of a reputatble journal like New Scientist Bum? [shakeshead] LOL

 

[mwd]

http://www.cl.cam.ac.uk/~mkb23/interceptor/

And that was back in 2006 Ancient history in the tech world.

All really scary stuff when your bank balance suddenly goes negative.

 

[bum]

The technology is still current (in fact, the card shown is the same as the one I have in my wallet now). Regardless, the "eavesdropping and relay attacks" section is still true today.

Leigh, are you suggesting that Cambridge University is a poor source? For serious, yo? Let's not pretend that NewScientist is a peer-reviewed journal - it is, for the large part, gimmicky dross designed to appeal to the layman written by journalists rather than scientists.

 

[jonocarroll]

Let's not pretend that NewScientist is a peer-reviewed journal - it is, for the large part, gimmicky dross designed to appeal to the layman written by journalists rather than scientists.

Oh, FFS. I posted it as a news article. Who the F was pretending the link was a current state-of-the-art study? Do you have a particular complaint about the journalism content, or have you just decided that if it's in NS then there must be fakery afoot!

How come I don't see you foaming at the mouth any time someone posts a news.com.au link??? :blink:

 

[bum]

You're the only one frothing at the mouth, QB. Settle down. I responded to a post. I was talking about the magazine in general in the post quoted. Nothing to do with the article you posted. But since you bring it up it's probably a perfect article to back up my claim. It is about fraud. Not science.

I do still doubt the veracity of the article in your link.

 

[MartinS]

http://www.cl.cam.ac.uk/~mkb23/interceptor/

If you take a look at that, it doesn't actually help the crooks:

It does not copy the chip! It only gains enough information from overhearing the conversation to make a magnetic stripe counterfeit.

Most card readers are fitted with both a magnetic reader and a chip reader. If someone wanted to clone the magnetic bit of your card, they'd just swipe the magnetic strip. That device is only interesting from a cryptographic point of view. You're not going to see those devices in the hands of criminals.

The banks don't care about it, because in 3-4 years when the bank completely reject swipes of chipped cards, the magnetic card details will be useless.

 

[MartinS]

It is about fraud. Not science.

That's just nonsense. How do you think fraud is detected? Do you think it's done by bank employees looking through receipt stubs?

Finding new methods of breaking these systems is a very large and important field of science. Improving the systems to make them stronger is a related but separate field. Detecting the fraud is another field again.

 

[jonocarroll]

If you take a look at that, it doesn't actually help the crooks:

Unfortunately, I think that's a bit of a misread on your part;

Such account details and PINs could be used to make counterfeit magnetic stripe cards which could be used in foreign countries which do not have Chip and PIN, or in Chip and PIN countries where the magnetic stripe "fallback" system works side by side with the chip system. In the UK magnetic stripe fallback is possible at some but not all cash machines; also some UK cash machines have not even been upgraded to read chips at all.

They're still copying the chip, but then transferring the data to be used in a magnetic stipe elsewhere.

Oh, and the NS article is filed under 'Science in Society'. Not exactly out of context. It's a moot point anyway - you're grabbing at straws to defend your dislike of the magazine.

We're plenty off topic. The point was 'these guys are out to get your money'.

 

[MartinS]

They're still copying the chip, but then transferring the data to be used in a magnetic stipe elsewhere.

In 3-4 years, they won't be able to use the strip in most countries, because the banks know the terminal should have forced a chip read, and will reject the charge.

If someone were to try using the strip in a physical terminal outside Australia today, the charge will be rejected pending contact with me. The fraud detection systems are not dumb, and have a pretty good idea I'm not in Estonia right now.

The thing is, we don't normally notice it when we travel because we've usually had some pattern of purchases that satisfy the fraud detection systems that it's plausible we're overseas - usually something as simple as buying a plane ticket, but sometimes it's a lot more subtle.

Sure, it could be used today, but the banks don't care, because it's much easier for crooks to just use magnetic skimmers. In the future, the criminals have to use the details overseas, and there are already pretty good systems in place to combat that.

 

[bum]

I'm sorry, MartinS, you're saying "science" but all I'm hearing is "IT". And as we all know IT is just manual labour for nerds.

They're still copying the chip, but then transferring the data to be used in a magnetic stipe elsewhere.

If I remember correctly the article also mentions the ability to amend the transaction that that is being "listened" to. This would obviously require an "inside man" to be pulled off successfully but is still entirely do-able. Apologies if I've remembered that arse-about.

 

[MartinS]

They're still copying the chip, but then transferring the data to be used in a magnetic stipe elsewhere.

I'm sorry, MartinS, you're saying "science" but all I'm hearing is "IT". And as we all know IT is just manual labour for nerds.

They're not copying the chip. This is not an "IT" hack - it's a mathematical one. They aren't just listening to the data being sent and recording it, they're processing the data in a way that reveals information that wasn't explicitly being sent.

If by IT you mean that it involves computers and information processing, then yes, this is IT. If you think cryptography and cryptoanalysis are fields that nerds could advance through manual labour, you're deluded. Or are you going to go down the "mathematicians are not scientists path"?