Jailed Romanian hacker repents, invents ATM security scheme

A Romanian man serving a five-year jail sentence for bank-machine fraud says he's come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers. Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Well...

    I certainly understand the concept of singing like a canary to get out of an East European jail, but inventing like one......

    1. horse of a different color
      Pint

      Re: Well...

      I, for one, welcome our inventive new avian overlords.

    2. LarsG
      Meh

      Re: Well...

      And his mates outside already have a device that can replicate this and steal the info....

      He's just getting things ready for when he is released..

  2. Anonymous Coward

    It must be Friday...

    A hacking story with a fairy-tale happy ending...

  3. Oninoshiko
    Go

    KISS

    Brilliant, and what's great is there really isn't much that can go wrong with it.

    Keep It Simple, Stupid.

    1. Haku
      Coat

      Re: KISS

      Yes you have to hand it to that guy for his sideways thinking...

  4. beast666
    Stop

    Chip n Pin

    Why doesn't the rest of the world do this instead?

    1. jubtastic1
      Thumb Up

      Re: Chip n Pin

      Or allow us to order a card without a stripe, come to think of it, I could erase the stripe myself and not have to worry about ATM skimmers again (UK, it's all C&P here).

      1. Cliff

        Re: Chip n Pin

        >>Or allow us to order a card without a stripe

        Would a bit of time with a neodymium magnet be the answer to your prayers?

      2. Paul Renault

        Re: Chip n Pin

        Came here to say the same thing. I believe that the near-100% prevalence of chip'n'pin cards in Canada has made skimmers obsolete.

        Now, if we can just get rid of white label ABMs...

  5. Herby

    Fine until...

    The skimmer is internal to the machine reading the card, and attaches itself to the logic circuitry.

    Why not just build a circuit board that takes the output of the magnetics and intercepts it before passing it along. Man in the middle style. The bad guys seem to have access to the innards of machines these days (there was a news story about a gas (petrol) station here that was compromised on its inside).

    Still, a nice idea!

  6. Anonymous Coward
    Windows

    Erm.

    what about the PIN?

    These devices need a camera to record you input your PIN.

    Cover the keypad, they can't see your PIN and can't use your card!!!!!

    1. Richard 12 Silver badge

      Re: Erm.

      Can't use your card in the UK.

      There are lots of places that only use the mag stripe, one of them is quite large and called something like "Unsecured States of America", where they don't even ask for a signature a lot of the time.

      1. Matt Bryant Silver badge
        Happy

        Re: Erm.

        ".....where they don't even ask for a signature a lot of the time." One of my colleagues over from the States a few years back was shocked by the higher levels of credit-card security over here. It rendered his wife's non-C&P card unusable for the duration of their visit as the signature strip on the back was marked "CID", which apparently means "check ID to confirm the user is the card owner". Apparently, that also meant it was the cheapest holiday they'd had for years, so maybe not all bad.

      2. Rob 5

        Re: Erm.

        Yes and the specs for ATMs in the UK mandate "mag stripe fall back" in addition to a PIN reader.

        That's not always implemented, though, as I found out the other week...

      3. JCitizen
        Coffee/keyboard

        Re: Erm.

        Magneprint could end replays of skimming data; so using that technology would defeat skimmers without paying the huge costs of Chip-n-Pin. I've seen news stories of C&P being defeated by a simple paper clip. I'm not sure I want businesses in the US going down in flames from the bad investment in expensive technology that can be defeated anyway. If you can hack a computer - what makes you think the chip can't be cracked?

        With the nano technology and algorithms that exist in the MagnePrint system, you cannot replay or skim the information, because it is like trying to copy someone's finger prints only more difficult. No single swipe of the data band on a MagnePrint card is ever the same - so recording it is a fruitless effort - the authentication system would catch it in a heart beat - combine that with the very economical PassWindow, and you have double trouble for the crooks, and still have technology that can be affordable across the world. This system would also be greatly scalable with minimal expense. We don't fall for expensive failures in the "Unsecured States of America". Federal Insurance and other improvements to security will nail this problem without breaking the bank or the consumer's pocket book. That is the way we think in the US.

    2. Fred Flintstone Gold badge

      Re: Erm.

      "Cover the keypad, they can't see your PIN and can't use your card!!!!!"

      I suggest you enter "fake atm keypads" into Google and look at the images..

    3. Kevin McMurtrie Silver badge

      Re: Erm.

      No PIN is needed. Most ATM cards also work as credit cards, and retailers don't need to perform any security checks on credit cards if they're willing to pay high transaction fees.

  7. Haku

    On the subject of ATMs

    Does anyone else feel like they're Gulliver in Lilliput when using them? I'm only 6'2" and often have to bend right down to be able to see the screen because they appear to be designed for people who are four foot nothing, most cinemas appear to be designed for unusually short people too, where "legroom" is a taboo word (except The Screening Rooms in Cheltenham - highly highly recommended!)

    1. Pen-y-gors Silver badge

      Re: On the subject of ATMs

      Absolutely agree! Perhaps they should line up several ATMs at different heights - one for normal people (6 ft plus), one for short people, and one for very short people - the same way they have different height urinals in the gents.

      1. Graham O'Brien

        Re: On the subject of ATMs

        "they should line up several ATMs at different heights"

        Move to the big city - that's very common in London.

      2. Anonymous Coward
        WTF?

        Re: On the subject of ATMs

        6 feet plus is normal? Where the hell do you live - Rivendell?

        1. asdf
          Trollface

          Re: On the subject of ATMs

          >6 feet plus is normal?

          Obviously not a Central European poster. Probably American. The Latin American genes really bring down the average there.

        2. chivo243 Silver badge
          Holmes

          Re: On the subject of ATMs

          No, it's Holland.... People are generally taller here than other places.

          http://www.wisegeek.org/which-country-has-the-tallest-people.htm

      3. Anonymous Coward

        Re: On the subject of ATMs

        They do. In the shithole City of Peterborough they have different height ones everywhere...

      4. MNB

        Re: On the subject of ATMs

        normal = 6ft+ does it? erm, no.

        The average man in England is apparently 5'9" whilst the average woman is 5'3" (see http://www.bbc.co.uk/news/uk-11534042 which references an ONS report from 2010)

        Unless of course you are Dutch, as the Netherlands is one of the few countries where the average height of a man is now over 6ft.

    2. Richard 12 Silver badge

      Re: On the subject of ATMs

      I gather they're supposed to be usable by those in wheelchairs and dwarfs, as those are more common than elves and giants.

    3. GitMeMyShootinIrons

      Re: On the subject of ATMs

      They also need them at pavement level in city centres - for those crawling (under the influence of copious quantities of alcoholic beverages) for a taxi and are in need of funds....

      1. Rob 5

        Re: On the subject of ATMs

        OK, but why are drive-through ATMs labelled up in Braille?

    4. Miek
      Linux

      Re: On the subject of ATMs

      I'm only 6 foot tall and I can remember one particularly bad Cash Machine that I had to kneel at to be able to see the screen properly.

  8. Tony W

    Over complex

    Why rotate? Sideways insertion is the vital point.

    1. Pookietoo
      Angel

      Re: Why rotate?

      So it's just a modification to the slot, rather than replacing the whole card reader mechanism?

    2. Anonymaus Cowark

      Re: Over complex

      Exactly what I thought.

      The mechanics for turning the card are probably more complex than moving a reader head sideways.

      1. Richard 12 Silver badge
        Boffin

        Re: Over complex

        Indeed, I'd just drive the head sideways as that's much less complex. Stick card in sideways mag-stripe first, head is driven along the stripe, chip'n'pin contacts click into place when the head hits the end of the track. Job done.

        The hard part of this (both his design and the much simpler variants) is ensuring the mechanism can't jam if the card is inserted 'wrong', because most people will try to stick it in the way they're used to, and there are cards like the "Mint" ones that are odd shapes.

    3. Def Silver badge

      Re: Over complex

      As I understand it the rotation is there so you can't stick a card reader over the top of the slot like you can right now - it would prevent the mechanism from turning and therefore the machine from working.

      By inserting your card stripe first you can only scan half the strip if you put a reader over the left half of the slot.

    4. Anonymous Coward

      Re: Over complex

      And what, have a moving head read the magnetic stripe on the card? Even in a tape recorder or VHS it is always the magnetic tape that is moving, never the magnetic pick up head. If the head was re-engineered to be a moving part then it would probably fail, and fail often and fast.

      1. Mike Moyle
        FAIL

        Re: Over complex

        "Even in a tape recorder or VHS it is always the magnetic tape that is moving, never the magnetic pick up head."

        You COULD do the same with a tape player -- you'd just need a 200 foot long tape player and cartridge for the head to move across. I'm just guessing that THAT's the reason that they move the tape rather than the record/read head on those, but I'll admit that I could be wrong. By your argument, hard disk drives should fail after an hour or two of use because of all the travel that the read/write head has to do. By the standards of HDDs, a read head that moves laterally only, at a moderate speed -- say 3 inches in a second or two -- would likely be pretty robust.

      2. User McUser
        Boffin

        Re: Over complex

        "[in a] VHS it is always the magnetic tape that is moving, never the magnetic pick up head."

        Nope, in VHS both the tape and the read/write heads move. There simply isn't enough fidelity in linear recording for the extra video information. (Google "helical scan" for more info.)

        "If the head was re-engineered to be a moving part then it would probably fail, and fail often and fast."

        No more so than any other mechanical device.

  9. nigel 15

    You've got to say...

    ...that is pretty clever,

  10. techmind

    Some machines already employ an intermittent motor on the card insert mechanism

    presumably to thwart skimmers.

    The card judders as it is absorbed into the slot. This would make reading the magstripe challenging to say the least.

  11. Neil Barnes Silver badge
    Thumb Up

    Very neat

    But as noted above, doing away with mag strip readers is the more secure approach, at least in the short term.

    However you do it, anything which has access to the electronics or the transmission eventually has access to a man-in-the-middle attack, but at least this kills the scan'n'watch approach (which is sneaky because it works on a chip enabled reader even if the reader isn't using the strip).

    Though the obvious approach is to remove the mag strip completely. Thinks: I wonder how much utility I'd lose if I killed the mag strip with a degausser or simply wrote garbage over it...

    While I'm at it, what idiot thought that touchless payment technology was anything like a good idea? If I pay for something, I want it to be a positive act with at least one secret as an authoriser - not something that can take a tenner from my pocket before I've even decided which card to pay for (see http://www.bbc.co.uk/news/business-22545804 - terminals reading a contactless card while trying to pay with a different chip'n'pin).

  12. Anonymous Coward

    After awhile

    After he has served 35 years in prison, then he can be released and start repenting.

  13. DrXym Silver badge

    Sounds like a good idea

    The problem I see with this invention is not fraud but vindictiveness. Instead of card skimmers, you have people inserting their chewing gum into the moving parts or crims gluing them shut to discourage the design.

    1. John Brown (no body) Silver badge
      Unhappy

      Re: Sounds like a good idea

      "vindictiveness."

      Most criminals aren't vindictive in the sense you describe. It's just another challenge to be overcome or time to move on to something new.

      The problem I see is the cost and time. It may not be possible that existing machines can be economically retrofitted so even if all the ATM manufacturers go with the idea and decide to pay the royalties for the patented design, it could be many years before it's rolled out in any meaningful quantities. After all, one of the largest ATM markets in the world still doesn't support chip'n'PIN yet.

      1. Anonymous Coward

        Re: Sounds like a good idea

        "Most criminals aren't vindictive in the sense you describe."

        What do you mean I'm not vindictive? Enough with the generalisations please!!!

  14. Trevor 7
    FAIL

    that is not more secure

    You just make your mag stripe reader read the whole width of the card during the insertion mechanism.

    Now it would make the current readers not work, but it would probably be a few months before the new skimmers appeared.

    1. John Brown (no body) Silver badge
      Thumb Down

      Re: that is not more secure

      That would be an interesting form of read head since it needs to read many bits of information across a wide area. Based on what I know of old reel-to-reel and cassette recorders, the read head is relatively large with a tiny gap at the point where it reads the data, effectively a horseshoe electromagnet. The reader would need one for each bit, accurately aligned. I'm not sure if hall effect sensors are available in strips, which might work. Are there existing readers which can read a mag stripe all in one go? If not, then they'd have to be designed and built, which is much more difficult than using off-the-shelf components.

      I'd have thought a simple light/light sensor or similar across the card slot and/or reader assembly would detect if any sort of modification was inserted. That ought to work in existing readers.

  15. Anonymous Coward

    Three letters: NFC

    Many cards now give out their details if you query them by NFC, so why bother with mag stripe readers? Skimming just became a whole lot easier.

  16. This post has been deleted by its author

  17. Snivelling Wretch

    It looks to me like the physical motion of the device would be as much part of the security as the sideways insertion. Presumably if you tried to stick a device on the front it would just get pushed off by the spinny thing sticking out. Either that or the machine would fail to load the card and the transaction wouldn't happen.


Biting the hand that feeds IT © 1998–2021