Dual use technologies are everywhere. Myself and colleagues have been presenting Phish and Chips, and the Man-in-the-Middle Defence at the Security Protocols Workshop this week, in which we describe how the EMV protocol suite can be modified in unintended ways, and that a card interceptor can be used for both fraudulent and beneficial activities.
A second example is how the waters in which internet phishermen angle for account details regularly become muddied by the marketing departments of enterprising banks. Every once in a while, these chaps manage to send out genuine emails entreating the user to click on the link in the email, or to navigate to a site not clearly part of the bank’s site, then provide their personal details.
Today I discovered that the same dilemma has been playing out in the fight to secure the fascia of cash machines against the attachment of illicit skimmers. I was off to work promtly this morning, to open up shop for an ITN TV crew doing a piece on Chip and PIN. After cleverly managing to miss my train, I was forced to take a rather expensive taxi ride to Cambridge — so much so that I had to have the taxi stop for me to withdraw some cash. It was then that I spotted this device attached to the slot of the Barclays Bank ATM on White Horse road in Baldock, Hertfordshire.
It’s a grotty little metal attachment clipped over the card slot. Pressed for time though I was, I didn’t like the idea of feeding my card through the thing. I had a quick go and dislodging it from the slot but it wouldn’t seem to budge, and on closer inspection it appeared the device had taken damage in the corner, presumably from a previous attempt to remove it. The second image taken looking up at the device shows that it is quite clearly “stuck on”.
I decided to play it safe and went to the Nationwide ATM round the corner instead. For that matter this more familiar looking ATM helpfully displayed a number that I might call to report a suspicious looking device, and I did just that. Settling back in the taxi and thinking I tried to decide if this modification to the fascia was genuine. Was it feature or fraud?
Once we’d exorcised the camera crew from the building that morning, I showed off the photos to my colleagues. Now I have done a fair bit of research into skimming, including compiling a list of pictures of ATM skimmers for my Phantom Withdrawals site, and a study of the cost and difficulty of making a skimmer which could attach to the chip card slot of a Point-of-Sale terminal, the design of which is reported on my interceptor page and in a previous LBT post Chip and Skim. Also we were aware that anti-fraud attachments have been trialled on Barclays ATMs about a year ago. But for the life of me, I did not know for certain whether this was a genuine skimmer, or a product of my own paranoia and Barclays unusual decision to literally “release a patch” for their ATM.
Now there are clearly a small number of people who could answer this question in seconds: a policeman from the fraud unit, or a Barclays security manager. But then what chance does the average customer have of identifying skimming and phishing attacks if even an ATM security researcher like myself who is familiar with the threat, and who has an analytical mind, is still unable to make his mind up? What about education education education? Poster initiatives have been trialled to show pictures of how the genuine machine should look, and some Barclays ATMs now display photographs of how the card slot should look on their own colour screens — much more expensive to counterfeit than the poster. So what are dynamics of arms races involving educating and re-educating customers, who will win this one, and what will the POS skimmer arms race look like?
My final hunch remains that the device probably was a genuine barclays anti-fraud device, even though I was fooled at first into reporting it as suspicious. There is a neat argument why it is genuine: cash machines now strictly tell customers “DO NOT REMOVE ANY SUSPICIOUS LOOKING DEVICES” in capitals on the main screen. I used to think that this was so they could retrieve and forensically analyse the devices, but now I have a new theory… too many customers were trying themselves to lever off Barclays’ own suspicious looking devices! That even explains the damage to the device shown in the first photo. Credit to Barclays for making such efforts to combat phantom withdrawals, but this is a race which is far from being won.