I certainly understand the concept of singing like a canary to get out of an East European jail, but inventing like one......
A Romanian man serving a five-year jail sentence for bank-machine fraud says he's come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers. Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy …
The skimmer is internal to the machine reading the card, and attaches itself to the logic circuitry.
Why not just build a circuit board that takes the output of the magnetics and intercepts it before passing it along? Man in the middle style. The bad guys seem to have access to the innards of machines these days (there was a news story about a gas (petrol) station here that was compromised on its inside).
Still, a nice idea!
".....where they don't even ask for a signature a lot of the time." One of my colleagues over from the States a few years back was shocked by the higher levels of credit-card security over here. It rendered his wife's non-C&P card unusable for the duration of their visit as the signature strip on the back was marked "CID", which apparently means "check ID to confirm the user is the card owner". Apparently, that also meant it was the cheapest holiday they'd had for years, so maybe not all bad.
MagnePrint could end replays of skimming data; so using that technology would defeat skimmers without paying the huge costs of Chip-n-Pin. I've seen news stories of C&P being defeated by a simple paper clip. I'm not sure I want businesses in the US going down in flames from the bad investment in expensive technology that can be defeated anyway. If you can hack a computer - what makes you think the chip can't be cracked?
With the nano technology and algorithms that exist in the MagnePrint system, you cannot replay or skim the information, because it is like trying to copy someone's fingerprints only more difficult. No single swipe of the data band on a MagnePrint card is ever the same - so recording it is a fruitless effort - the authentication system would catch it in a heartbeat - combine that with the very economical PassWindow, and you have double trouble for the crooks, and still have technology that can be affordable across the world. This system would also be greatly scalable with minimal expense. We don't fall for expensive failures in the "Unsecured States of America" Federal Insurance and other improvements to security will nail this problem without breaking the bank or the consumer's pocketbook. That is the way we think in the US.
Does anyone else feel like they're Gulliver in Lilliput when using them? I'm only 6'2" and often have to bend right down to be able to see the screen because they appear to be designed for people who are four foot nothing, most cinemas appear to be designed for unusually short people too, where "legroom" is a taboo word (except The Screening Rooms in Cheltenham - highly highly recommended!)
normal = 6ft+ does it? erm, no.
The average man in England is apparently 5'9" whilst the average woman is 5'3" (see http://www.bbc.co.uk/news/uk-11534042 which references an ONS report from 2010)
Unless of course you are Dutch, as the Netherlands is one of the few countries where the average height of a man is now over 6ft.
Indeed, I'd just drive the head sideways as that's much less complex. Stick card in sideways mag-stripe first, head is driven along the stripe, chip'n'pin contacts click into place when the head hits the end of the track. Job done.
The hard part of this (both his design and the much simpler variants) is ensuring the mechanism can't jam if the card is inserted 'wrong', because most people will try to stick it in the way they're used to, and there are cards like the "Mint" ones that are odd shapes.
As I understand it the rotation is there so you can't stick a card reader over the top of the slot like you can right now - it would prevent the mechanism from turning and therefore the machine from working.
By inserting your card stripe first you can only scan half the strip if you put a reader over the left half of the slot.
And what have a moving head read the magnetic stripe on the card. Even in a tape recorder or VHS it is always the magnetic tape that is moving, never the magnetic pick up head. If the head was re-engineered to be a moving part then it would probably fail, and fail often and fast.
"Even in a tape recorder or VHS it is always the magnetic tape that is moving, never the magnetic pick up head."
You COULD do the same with a tape player -- you'd just need a 200 foot long tape player and cartridge for the head to move across. I'm just guessing that THAT's the reason that they move the tape rather than the record/read head on those, but I'll admit that I could be wrong. By your argument, hard disk drives should fail after an hour or two of use because of all the travel that the read/write head has to do. By the standards of HDDs, a read head that moves laterally only, at a moderate speed -- say 3 inches in a second or two -- would likely be pretty robust.
"[in a] VHS it is always the magnetic tape that is moving, never the magnetic pick up head."
Nope, in VHS both the tape and the read/write heads move. There simply isn't enough fidelity in linear recording for the extra video information. (Google "helical scan" for more info.)
"If the head was re-engineered to be a moving part then it would probably fail, and fail often and fast."
No more so than any other mechanical device.
But as noted above, doing away with mag strip readers is the more secure approach, at least in the short term.
However you do it, anything which has access to the electronics or the transmission eventually has access to a man-in-the-middle attack, but at least this kills the scan'n'watch approach (which is sneaky because it works on a chip enabled reader even if the reader isn't using the strip).
Though the obvious approach is to remove the mag strip completely. Thinks: I wonder how much utility I'd lose if I killed the mag strip with a degausser or simply wrote garbage over it...
While I'm at it, what idiot thought that touchless payment technology was anything like a good idea? If I pay for something, I want it to be a positive act with at least one secret as an authoriser - not something that can take a tenner from my pocket before I've even decided which card to pay for (see http://www.bbc.co.uk/news/business-22545804 - terminals reading a contactless card while trying to pay with a different chip'n'pin).
Most criminals aren't vindictive in the sense you describe. It's just another challenge to be overcome or time to move on to something new.
The problem I see is the cost and time. It may not be possible that existing machines can be economically retrofitted so even if all the ATM manufacturers go with the idea and decide to pay the royalties for the patented design, it could be many years before it's rolled out in any meaningful quantities. After all, one of the largest ATM markets in the world still doesn't support chip'n'PIN yet.
That would be an interesting form of read head since it needs to read many bits of information across a wide area. Based on what I know of old reel-to-reel and cassette recorders, the read head is relatively large with a tiny gap at the point where it reads the data, effectively a horseshoe electromagnet. The reader would need one for each bit, accurately aligned. I'm not sure if Hall effect sensors are available in strips, which might work. Are there existing readers which can read a mag stripe all in one go? If not, then they'd have to be designed and built, which is much more difficult than using off-the-shelf components.
I'd have thought a simple light/light sensor or similar across the card slot and /or reader assembly would detect if any sort of modification was inserted. That ought to work in existing readers.
It looks to me like the physical motion of the device would be as much part of the security as the sideways insertion. Presumably if you tried to stick a device on the front it would just get pushed off by the spinny thing sticking out. Either that or the machine would fail to load the card and the transaction wouldn't happen.