News report of ATM card skimming in Perth WA (AUS)

[wilfred]

https://www.abc.net.au/news/2019-10-04/wa-police-charge-estonian-man-over-perth-atm-card-skimming-scam/11575106

That is a link to a news story about a card skimming scam in Perth Western Australia.  It has a few photos of the devices. I think the article has got it slightly wrong but it did make me curious how these devices work.

I expected to see some means to mimic the card slot and read the cards magnetic stripe. But that would alert the user if the card failed to go through to the ATM. I would just go inside the branch if it was open and report the fault. Or maybe I'd try the next machine along. If the machines were supposed to be identical and one had an extra device it would be easy to spot.

There is another device that the article says is a magnetic strip but it looks like the photos show some flex-PCB with a pad of some sort at the end which I expect is meant to transfer captured data to the read head of the ATM. But wouldn't it be easier id the pad was on some card sized plate so aligning with the read head was easier.

Also I thought magnetic stripes were basically superceded by a chip in the card. Mine are.

And you still need the PIN.

[wraper]

I expected to see some means to mimic the card slot and read the cards magnetic stripe. But that would alert the user if the card failed to go through to the ATM. I would just go inside the branch if it was open and report the fault. Or maybe I'd try the next machine along. If the machines were supposed to be identical and one had an extra device it would be easy to spot.

Why would it cause any fail? It just reads magnetic stripe while card is moving inside the slot.

Also I thought magnetic stripes were basically superceded by a chip in the card. Mine are.

All that crap because of US and their refusal to get rid of it, and their use of signature instead of PIN. Because of that this legacy security killing crap is still present on the cards worldwide. Also you don't need pin to make online purchases. Yes there is 3D secure/SecureCode but again, it's basically useless since you can still buy without verification from retailers refusing letting off their legacy crap.

[GlennSprigg]

Every time I use an ATM, I can't help looking for anything different.
I will "Pull" at the card entry area, to see if it has any movement....

[ConKbot]

]
All that crap because of US and their refusal to get rid of it, and their use of signature instead of PIN. Because of that this legacy security killing crap is still present on the cards worldwide.

Without chip and pin, if my information gets stolen, I report it, get the charge refunded. With chip and pin, the bank has the option to go "no, this is a magical unhackable system, and the pin was used, so we're not refunding that charge"

From an end user perspective, one of these systems is vastly superior to the other.

[wraper]

From an end user perspective, one of these systems is vastly superior to the other.

From the user perspective is best to not experience it to begin with = get rid of that freaking magnetic stripe. And BTW PIN can be easily stolen, and in combination with cloned magnetic stripe used. Not with a chip unless it has serious security vulnerability to be hacked in a second.

[ConKbot]

From an end user perspective, one of these systems is vastly superior to the other.

From the user perspective is best to not experience it to begin with = get rid of that freaking magnetic stripe. And BTW PIN can be easily stolen, and in combination with cloned magnetic stripe used. Not with a chip unless it has serious security vulnerability to be hacked in a second.

https://www.theregister.co.uk/2012/09/13/chip_and_pin_security_flaw_research/ researchers finding vulnerabilities in 2012.

https://www.creditcards.com/credit-card-news/new-card-skimming-is-called-shimming.php shimming in 2015

https://www.kaspersky.com/blog/chip-n-pin-cloning/21502/ malware on POS terminals last year.

Chips being compromised isn't new.  At least solutions can (slowly)be implemented through updates, unlike mag stripe. But the whole "if a pin was used, it must have been your fault, no money back for you" schtick  banks try to pull still means that it provides no benefit for the end user.
I'll take my account being compromised half a dozen times, and having to wait for replacement cards in the mail, but no financial cost to me over having to bear the cost of fraud because the system is "unhackable" any day of the week.

[MyHeadHz]

https://krebsonsecurity.com/all-about-skimmers/

That is a good site with in-depth data that thoroughly covers a lot of skimming variants, with plenty of pictures.  They can be quite convincing.

It takes someone quite well-versed in these technologies in order to not be victims, unfortunately.

[Halcyon]

]
All that crap because of US and their refusal to get rid of it, and their use of signature instead of PIN. Because of that this legacy security killing crap is still present on the cards worldwide.

Without chip and pin, if my information gets stolen, I report it, get the charge refunded. With chip and pin, the bank has the option to go "no, this is a magical unhackable system, and the pin was used, so we're not refunding that charge"

From an end user perspective, one of these systems is vastly superior to the other.

Chip and pin is no different to magstripe and PIN, except that the chip is far more secure. Secondly, ATMs normally have CCTV, it would be trivial for a bank to see who took the funds out. Signatures can be forged too and it relies it being checked at point of sales. I remember when signature was a thing here, it would be checked maybe 1 out of 10 times. Most banks in Australia will refund a disputed amount without any investigation if the amount is small. 

[wraper]

Chip and pin is no different to magstripe and PIN, except that the chip is far more secure. Secondly, ATMs normally have CCTV, it would be trivial for a bank to see who took the funds out. Signatures can be forged too and it relies it being checked at point of sales. I remember when signature was a thing here, it would be checked maybe 1 out of 10 times. Most banks in Australia will refund a disputed amount without any investigation if the amount is small.

Chip does not allow cloning unless particular hardware implementation is flawed. Magnetic stripe cloning is as simple as copying audio tape.