Poland solved this problem pretty neatly. I don't even remember using my credit card with an ATM.
You open your mobile bank app, click the BLIK icon and a 6-digit code is generated. You enter the code into the ATM and choose the amount to withdraw. You accept the amount on your mobile phone and the money comes out.
"The measurement card has a carefully etched set of traces in the magnetic stripe, (aligning with each of the three data tracks). When a read head contacts the card it bridges a pair of electrical traces and completes a circuit back to the microcontroller."
This seems to me to be a detective control which relies a bit too heavily on obscurity, obscurity which is now blown. Having knowledge of how this works, ATM skimming gangs whose devices might be found by local authorities with this device can now take the active counter-measure of placing a piece of Kapton tape over the read head.
This is very cool. Basically a 'fake' card that can detect when it passes by more than one 'read' head in the machine.
It should be possible to build this into a credit card sized device that you could just swipe with and have it illuminate a red or green LED when it detects a skimmer.
Well, you have a point there.
But don't you think the "credit card sized device" will again be used for fraudulent purposes?
Maybe to trace EM emissions or something else?
We should really add 2FA to cards. E.g. if I withdraw a large sum or make an unusual transaction prompt for a 2FA code.
For small transactions it makes no sense, but for anything above a user defined limit we should have this option. e.g. I only withdraw more than £50 in unusual circumstances.
In the EU all banks have to implement 3D Card Secure - when making an online payment over a certain amount, or of an unusual type, the vendor's website redirects you to your bank's website where you have to authenticate the payment (usually provide an SMS code or answer some security questions).
My bank has a user-defined limit after which transactions must be authorized either by phone call or in the web or mobile app (or by visiting a bank office in person); all the ways are equal. The thing is that the lower bound for that feature is ≈$300.
I imagine ordinary 2FA probably wouldn't work... the timeout would have to be too long.
But I don't see why 2-factor pre-authentication shouldn't work? Before purchasing, just authorize a larger charge on your card than a limit you or your bank previously set. If it works, then great. Worst case is it doesn't work (app breaks, phone out of juice, whatever), in which case you're back to the current situation.
Are you liable for unauthorized withdrawals? Here in the US the bank is usually liable - so while it can be an administrative headache - from a customer perspective 2FA seems like a pain
In the US they generally have both if issued in the last few years, but many places still accept magnetic stripes. I don't use an ATM often anymore, maybe once or twice a year at most, but I've yet to see an ATM that only demands the chip instead of forcing you to insert the whole card, so chip-only debit and credit cards can't come soon enough.
Curious if there's an easy way to make my stripe unreadable with my most used credit card, especially for dining where your card can disappear for several minutes at a time.
I just don't understand why my card even has a magnetic stripe anymore. It's been years since I've seen any terminals that could actually accept it; it's all chip and PIN over here. If I could get a card without the stripe I'd gladly do so.
The United States is still predominantly magstripe. We’ve had chip-and-no-pin for a few years but many large retailers haven’t enabled it, possibly because transactions are so much slower (usually 30-60 seconds) and less reliable.
It's all chip and pin where I live too, and has been for ages.
Often enough, the chip or the reader is dirty and fails to read, and the terminal will prompt you to swipe the card through the mag reader instead. Usually, it will prompt you to try the chip reader again, then back to the mag reader for a final swipe before continuing.
In parts of Europe you can use Revolut, where you can choose whether to enable or disable contactless payments, chip and PIN, ATM withdrawals and online payments, depending on what you want to use the card for. You can even keep all of them off and only activate a specific feature for a few minutes when needed.
Having just travelled in the almost-cashless country of Norway, I found a surprising example: the Oslo airport fast train gates operate by magswiping a payment card. I suppose it's because contactless doesn't reliably work internationally.
As an anti-tamper measure, the ATM will not just pull in the card and read it; instead, its movement is somewhat randomised, so as to increase the difficulty of obtaining an illicit read.
(At least the ATMs in my country are said to usually do that)
As a result, the ATM's read head might pass over the detection spot multiple times.
Maybe you can force the measurement device to move only in one direction, but if I were to design the ATM, it would detect inconsistent, physical card movement.
> Maybe you can force the measurement device to move only in one direction, but if I were to design the ATM, it would detect inconsistent, physical card movement.
That would be very prone to false positives. Weather variations (temperature, humidity), card types, dirt (grease, dust) and foreign objects (stickers on the card) etc. would all make the card movement inconsistent.
When running backwards and forwards you get the same sequence 3 times, once in reverse. It seems to me like that could be detected and reversed statistically with good odds. Especially if you take into account the 'total length' of the card swipe and have a lower bound on the distance of a jitter. (so you don't have to worry about 10 01 10 being a jitter)
Doesn't the track data contain the card number? (I haven't looked into mag stripe cards in a while, so my knowledge of them is rusty.) If it does, doesn't the card number itself contain a check digit? If so, if a skimmer recorded everything it saw passing through it, the data could be recalculated like rocqua stated.
Sure, the data wouldn't be immediately available and would require some post-processing, but unless the skimmer only recorded a fixed length I can see that method of protection being bypassed very quickly and easily.
I know you're posting about the skim detection tool, but it just seems to me like a bad method of trying to defeat skimmers. I would guess such systems are used for trying to detect a "Lebanese loop" which traps the card when it tries to eject.
It would be nice if I could clip on a thin piece of plastic/foil to my card to block out the magnetic strip if I know the device I'm inserting it into only needs the chip.
I live in the US where you essentially have no liability for fraudulent transactions (if you identify them in a reasonable amount of time) - so while it’s annoying to have to get a card reissued once every couple of years, it doesn’t seem like such a big deal
I can't recommend SMS alerts for all transactions highly enough... that way even traveling you know what went through, when, and for what amount.
However, once a year seems optimistic for card replacement if you use them at a lot of POS (gas stations). I've seen replacements at once a week (every time they filled up), and the gas station attendant doesn't care either.
>There’s one thing that’s fundamental to overlay and deep-insert skimmers – they have to actually read your card data! This requires a read head pressed against the magnetic track on the card with a spring mechanism. Furthermore, the head must be a conductor and in practice seems to always be metallic.
next up: skimmers with "undetectable" read heads (lined with plastic)
I've seen cashiers sandwich cards between pieces of paper to get problematic cards to read, which makes me think that while the read head must be metal, it doesn't have to be in contact with the card to work.
Better than hoping your customers are carrying their own detection device, build such a detection mechanism into the rear of the card slot and have it periodically "sweep" itself.
There is a clever solution to this from a bank in Slovakia (Tatrabanka): you can use their mobile banking application to generate a one-time numerical code for the withdrawal. So you can just generate the code and enter it on any ATM that is owned by this bank. You don't need to have the card with you (and you can forward this code to your wife, for example). Also, 100% of cards in Europe are protected by a PIN, so simple skimmers won't work.
PIN does not protect you from skimmers... Everything you need is on the magnetic stripe; the PIN is only needed if you use the chip - which an attacker obviously wouldn't.
The whole concept of chip+pin is pretty pathetic considering that the magnetic stripe is still there for backwards compatibility.
And now with wireless cards it is even less secure than a magnetic stripe.
BBVA in Spain has the same thing, it directly asks which phone number to send the code to, in case you want another person to withdraw the money: https://www.youtube.com/watch?v=Hb6KNWSKXmE
Does it work without a mobile data connection? Regardless this is a great idea and I would love to know what it would take to convince other banks to do the same.
While you can tell Revolut to block transactions that use the magnetic stripe, it doesn't physically disable the stripe, so they can still pull your data from it, which may be enough for them to carry out an attack.
This is how it looks: https://www.mbank.pl/indywidualny/uslugi/uslugi/blik/
What's the point of wiretapping the emv chip? Isn't EMV supposed to be immune to skimming?