Feeds

Card-cloning crooks use 3D printers to make ever-better skimmers

Aussie ATMs vulnerable to precisely tailored devices, warn cops Down Under

High performance access to file storage

Vid Cybercrooks in Australia are using 3D printers and computer-aided design software to manufacture ATM skimming devices.

New South Wales Police recently arrested and charged a Romanian national with fraud involving the use of an ATM skimmer made on a 3D printer to fleece Sydney residents, Australia-based iTnews reports.

Police in Sydney set up a dedicated taskforce in June after recording an increase in cash machine theft offences.

The taskforce identified one gang that targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and stealing around AU$100,000 (US$92,000).

Commander of the NSW Fraud and Cybercrime Squad, Detective Superintendent Col Dyson, told iTnews the gang was using 3D printers and CAD technology. Two unnamed banks are being targeted.

"These devices are actually manufactured for specific models of ATMs so they fit better and can’t be detected as easily," Det Supt Dyson explained.

"Parts of the devices are internally fitted, either by the offenders moving part of the slot and replacing it with their own, and pushing circuitry into the machines. [Another model] is so small it’s entirely self-contained and entirely pushed in, with some force, into the card slot."

Skimmers are designed to fit around the card slot of cash machines in order to read and extract data from the mag stripe of cards as they are pushed into a compromised machine. The devices are often used in conjunction with a hidden miniature pin-hole video camera, or an unobtrusive keypad overlay, to record PIN data.

The collated information, sent to fraudsters using mobile phone technology or stored for later retrieval, provides enough data to clone a magnetic-stripe-only credit card. Fake cards are then used in combination with stolen PIN information to make fraudulent withdrawals. Pictures of hardware-based ATM skimming devices, fake cash machine fascias and more can be found in a blog post by cybersecurity blogger Brian Krebs here.

Skimmers have been used by fraudsters for years but introducing 3D manufacturing into the process has obvious advantages to cybercriminals, according to veteran IT security expert Paul Ducklin.

"Crooks can quickly try a new design (or tweak an old one) in order to make their devices as surreptitious as possible," Ducklin explains in a post on Sophos's Naked Security blog. "The better a skimmer fits, the more smoothly it blends with the ATM's shape, and the closer the colour, the more likely it is go unnoticed."

"Also, 3D printouts can be made on demand, so that the crooks can quickly replace skimmers that have been detected, removed and destroyed," he adds.

Previous controversial uses for 3D printers have famously included blueprints for "printing" parts for firearms at home. Home-made plastic gun parts routinely snap under the stresses of firing, if they work at all, but that hasn't stopped the issue of the “Liberator” 3D-printed pistol and derivatives from creating a media fire fight storm.

In response, Danish 3D printer maker Create It Real has decided to ensure [PDF] its products can't print a gun. Manufacturers might conceivably decide to do something similar to prevent 3D printers from being used to manufacture ATM skimmer parts.

One blacklisting snag might be that while blueprints for the Liberator gun are out there in public, any CAD design for an ATM skimmer would be a closely guarded secret.

If preventing the abuse of 3D printers isn't an option, we can at least attempt to bolster consumer awareness about the threat posed by ATM skimmers.

A video from the Queensland Police Service stars Fiscal the Fraud-Fighting Ferret, who tells consumers how to spot ATM skimmers and guard against the possibility of fraud when using cash machines.

The use of ATM skimmers is a problem worldwide. Extensive background information on the problem in Europe can be found on the European ATM Security Team's website here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.