ATM scam

David Wadsworth dwadsw at etna.demon.co.uk
Tue, 8 Jun 1999 17:21:49 +0100


In article <Pine.GSO.3.95-960729.990607223458.23881A-100000@aidan.ncl.ac.uk>,
Quentin Campbell <Q.G.Campbell@newcastle.ac.uk> writes
>An acquaintance of ours recently lost 600 pounds through unauthorised
>withdrawals from ATMs. It transpires that 200 pounds was withdrawn each day
>from her account over the Bank Holiday weekend. She had previously used
>her card in an ATM at a local supermarket just before the Bank Holiday.
>
>I understand that there has been a spate of similar thefts of card info
>recently by tampering with the ATM in such a way that card details and PIN
>can be recorded remotely. Does anyone have any further information on the
>technique(s) used?  Are ATMs in bank lobbies less vulnerable? 
>
There were reports on this in the papers last week (I believe it was
somewhere in the Times). It was what I like to call the 'Machine in the
Middle' attack. A false front was installed over the front of the ATM,
which intercepted and recorded the card details and the PIN numbers via
a superimposed keyboard and magnetic card reader. The thieves chose
supermarket locations, and the Bank Holiday, when people were in a
hurry, and weren't likely to ask questions about why the ATM had changed
its external appearance. Also, being a Bank Holiday, large amounts of
cash could then be withdrawn without arousing suspicion, and without the
victims noticing the transactions until it was too late.

I can think of a few ways to defeat this attack, but they cost money, so
they probably won't be implemented. The ATM could be modified to detect
any overlay, using one or more photo cells or capacitive detectors. It
might also be possible to project an external magnetic field around the
card slot, to mess up any attempts to read the card externally, although
this couldn't be too strong or it would delete info on the card. Perhaps
a mu-metal extension to the card slot would hamper the thieves. The
better crypto solution would be to use a smart card and a
challenge-response protocol which didn't betray any information to an
eavesdropping third party.

Cheers
-- 
David Wadsworth         | Tonto.... I've got a feeling we're not in Kansas
dwadsw@etna.demon.co.uk | anymore        .....The Lone Ranger of Oz
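The challenge-response idea at the end of the post, as an added illustration that is not part of the original message or of any real ATM network: a toy HMAC-based exchange between a card issuer and a smart card chip (the class names, key sizes and the sample card number are assumed for this example), showing that a transcript an overlay could record is refused on replay and is no help against a fresh challenge.

```python
import hmac
import hashlib
import secrets

class Issuer:
    """Bank side: holds each card's secret key and issues single-use challenges."""
    def __init__(self):
        self.keys = {}         # PAN -> key shared with that card's chip (constructed)
        self.outstanding = {}  # PAN -> challenge issued but not yet answered

    def enroll(self, pan):
        self.keys[pan] = secrets.token_bytes(32)
        return self.keys[pan]

    def challenge(self, pan):
        nonce = secrets.token_bytes(16)   # fresh, unpredictable per transaction
        self.outstanding[pan] = nonce
        return nonce

    def verify(self, pan, nonce, response):
        # The nonce must be the one we issued and still unused; then the MAC must match.
        if self.outstanding.get(pan) != nonce:
            return False
        del self.outstanding[pan]         # single use: replaying this nonce is refused
        expected = hmac.new(self.keys[pan], pan.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class SmartCard:
    """Card chip: answers a challenge with a MAC; the key itself never leaves the chip."""
    def __init__(self, pan, key):
        self.pan, self._key = pan, key

    def respond(self, nonce):
        return hmac.new(self._key, self.pan.encode() + nonce, hashlib.sha256).digest()

def genuine_transaction(issuer, card):
    """Real card at a real ATM. Returns (accepted, the transcript an overlay could see)."""
    nonce = issuer.challenge(card.pan)
    response = card.respond(nonce)
    return issuer.verify(card.pan, nonce, response), (nonce, response)

def replay_recorded_transcript(issuer, pan, transcript):
    """A recorded (nonce, response) pair played back verbatim."""
    nonce, response = transcript
    return issuer.verify(pan, nonce, response)

def answer_fresh_challenge_with_old_response(issuer, pan, transcript):
    """Without the key, the only thing on offer for a new nonce is the old response."""
    new_nonce = issuer.challenge(pan)
    return issuer.verify(pan, new_nonce, transcript[1])
```

The contrast with a magnetic stripe is that the stripe's data is static, so one recording of it is as good as the card; here the recording is bound to a nonce that is never accepted twice.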