In association with heise online

Not guilty!

No-one really knows what proportion of ATMs across Europe currently employ anti-skimming measures, but their adoption, although a necessary line of defence, is in reality only part of the solution. The fundamental contribution would be universal abandonment of the magnetic stripe in favour of chip-only cards, followed in short order by replacement of Static Data Authentication (SDA), the currently dominant method by which a terminal checks that a chip is genuine, with Dynamic Data Authentication (DDA).

Physically cloning a chip card, although not as blindingly elementary as magnetic stripe cloning, is not beyond the practical capacity of a dedicated and well-financed fraudster. An SDA card carries two things: a static record (account number, expiry date and so on) signed once by the issuer, which any terminal can read and check offline, and a secret symmetric key shared only with the issuing bank, which the chip uses to authenticate each online transaction. The signed record is static, so it can be copied onto a clone together with its signature, and an offline check cannot tell the copy from the original. The shared key is a different matter: a clone does not have it, so it is identified as such as soon as an online transaction (at an ATM, for example) is attempted, and maliciously extracting the key from the chip is considered impractical. However, the card can also be used for transactions with an offline portable EPOS terminal, which does not know the key. In this case the key cannot be used to validate the card, and the clone can be programmed to accept any entered PIN, since offline PIN verification is performed by the chip itself. The transaction is only discovered as fraudulent when the terminal uploads to the bank some time later. By that time the fraudster is long gone with the "purchased" goods, which are later fenced.

DDA on the other hand uses asymmetric cryptography. The chip on a legitimate card holds a private key that never leaves it; the matching public key is certified by the issuer, and the terminal holds the public keys needed to check that certificate. The terminal then sends the card a freshly chosen random number and requires the chip to sign it, which allows the terminal itself to validate the card as genuine without contacting the bank. A fraudster who copies everything readable from the chip still does not obtain the private key, and so has no realistic chance of passing that challenge with a clone. Sadly, DDA has not so far been widely adopted for reasons of cost.
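The difference between the two checks is easiest to see in code. The following is an added toy model written for this page, not EMV code and not from the article: one issuer key stands in for the real scheme-CA and issuer certificate chain, the card record is constructed sample data, and the record layout and function names are illustrative. It shows that an SDA clone built from the readable fields passes the terminal's static check and accepts any PIN, while a DDA clone fails the terminal's challenge because the private key was never copied.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Issuer holds the issuing bank's RSA key. Its public half is what the
// terminal trusts; real EMV wraps it in a certificate signed by the card
// scheme's CA, which this toy model omits (assumption for illustration).
type Issuer struct{ key *rsa.PrivateKey }

// Card models the chip. Exported fields are what a reader can pull off a
// card; the unexported ones never leave a genuine chip.
type Card struct {
	Static  []byte          // account record (constructed sample data)
	SDASig  []byte          // issuer signature over Static: the SDA credential
	Pub     *rsa.PublicKey  // card's own public key (DDA cards only)
	PubCert []byte          // issuer signature over Pub: the card "certificate"
	priv    *rsa.PrivateKey // DDA private key, not extractable
	pin     string          // reference PIN, not extractable
	yesCard bool            // clone behaviour: report success for any PIN
}

func NewIssuer() (*Issuer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: k}, nil
}

// Public is the key a terminal is provisioned with.
func (i *Issuer) Public() *rsa.PublicKey { return &i.key.PublicKey }

func (i *Issuer) sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, h[:])
}

func verify(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// pubBytes gives the public key a fixed encoding for the issuer to sign.
func pubBytes(p *rsa.PublicKey) []byte { return []byte(fmt.Sprintf("%x:%d", p.N, p.E)) }

// Issue personalises a card; dda=true also gives the chip its own key pair.
func (i *Issuer) Issue(static, pin string, dda bool) (*Card, error) {
	c := &Card{Static: []byte(static), pin: pin}
	var err error
	if c.SDASig, err = i.sign(c.Static); err != nil {
		return nil, err
	}
	if dda {
		if c.priv, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, err
		}
		c.Pub = &c.priv.PublicKey
		if c.PubCert, err = i.sign(pubBytes(c.Pub)); err != nil {
			return nil, err
		}
	}
	return c, nil
}

// Clone copies everything a reader can extract. The private key and the
// reference PIN cannot be read, so the clone simply says yes to every PIN.
func Clone(c *Card) *Card {
	return &Card{Static: c.Static, SDASig: c.SDASig, Pub: c.Pub, PubCert: c.PubCert, yesCard: true}
}

// VerifyPIN is the chip-side offline PIN check an EPOS terminal relies on.
func (c *Card) VerifyPIN(entered string) bool { return c.yesCard || entered == c.pin }

// SignChallenge is the DDA step: the chip signs a terminal-chosen number.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	if c.priv == nil {
		return nil, errors.New("no private key on this chip")
	}
	h := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, h[:])
}

// TerminalSDA checks the issuer signature over the static record. Record and
// signature are both copied by a clone, so the check cannot tell them apart.
func TerminalSDA(issuerPub *rsa.PublicKey, c *Card) bool {
	return verify(issuerPub, c.Static, c.SDASig)
}

// TerminalDDA checks the card's certified public key, then demands a
// signature over a fresh random number that only the private key can produce.
func TerminalDDA(issuerPub *rsa.PublicKey, c *Card) bool {
	if c.Pub == nil || !verify(issuerPub, pubBytes(c.Pub), c.PubCert) {
		return false
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	sig, err := c.SignChallenge(nonce)
	return err == nil && verify(c.Pub, nonce, sig)
}

func main() {
	issuer, _ := NewIssuer()
	pub := issuer.Public()
	sda, _ := issuer.Issue("PAN=4000000000000002;EXP=1212", "1234", false)
	dda, _ := issuer.Issue("PAN=4000000000000002;EXP=1212", "1234", true)
	for _, tc := range []struct {
		name string
		c    *Card
	}{{"SDA genuine", sda}, {"SDA clone", Clone(sda)}, {"DDA genuine", dda}, {"DDA clone", Clone(dda)}} {
		fmt.Printf("%-12s SDA ok=%v  DDA ok=%v  PIN 0000 accepted=%v\n",
			tc.name, TerminalSDA(pub, tc.c), TerminalDDA(pub, tc.c), tc.c.VerifyPIN("0000"))
	}
}
```

The model deliberately leaves out the online path: a clone of either card type would still be caught at an ATM because the cryptogram key is not among the copied fields. It also shows why an SDA card is worthless to DDA: with no key pair on the chip, TerminalDDA rejects it outright, which is the reason the article treats DDA as a replacement rather than an add-on.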

On the lookout

Generally, heise likes to point out at the end of its articles how people can protect themselves. But both the police and banks advise people to refrain from overtly checking ATMs to see if they have been manipulated. It is very likely that the perpetrators are close by, and it is hard to tell how they would react to someone tampering with their expensive equipment. Savings banks recommend that you contact the emergency security hotline provided for every ATM if you are suspicious – or if you are left holding the skimming equipment yourself.

But there are a few things you can do regardless, such as covering the keypad with a newspaper, for example, when you enter your card's PIN, which is typically filmed by a camera mounted above the keypad. This also prevents anyone standing behind you from getting a glimpse. In addition, you should get used to checking your account more frequently so you can react quickly to unexpected withdrawals and have your account blocked. However, recovering any lost funds may prove more or less difficult depending on where you live.

In the UK, the Banking Code (PDF file) section 12.12 states "Unless we can show that you have acted fraudulently or without reasonable care, your liability for the misuse of your card will be limited..." essentially to a maximum of 50 UK pounds. However, the code is voluntary, and the onus is usually still on the customer to prove the fraudulent nature of the transaction. The initial position of the UK banks is generally to insist that the customer has exhibited contributory negligence.

In other jurisdictions, notably Germany, banks have so far covered all the losses from skimming as a gesture of goodwill provided evidence could be demonstrated that fraud had indeed occurred. There has reportedly been no case in which a German bank has left a victim empty-handed. (mba)

Print Version | Permalink: http://h-online.com/-746193