“Nobody should ever be so excited about potentially being a victim of fraud, but there I was, grinning like an idiot in the farmer’s market,” Nardi wrote. “Like any hunter I quickly snapped a picture of my quarry for posterity, and then attempted to free it from the host machine.”
“I yanked it in every direction, tried to spin it, did everything short of kicking it; but absolutely no movement. In fact, I noticed that when pulling on the skimmer the whole face plate of the ATM bulged out a bit. I realized this thing wasn’t just glued onto the machine, it must have actually been installed inside of it.”
Nardi had to leave the device in the ATM, but emailed the photo he had taken to the ATM’s owner, so they would be able to take care of the skimmer before anyone fell victim to it. However, he soon received a reply from the owner, informing him that the plastic inside the machine was not a card skimmer but a specially designed 3D printed card reader, which replaced the ATM’s original hardware in an effort to prevent an actual skimmer from being installed, “by virtue of being unexpected.”
We often hear stories of people using 3D printing to get past security measures, from 3D printed fingerprints and keys to safe-cracking, 3D printed masks to fool facial recognition software, and even 3D printed card skimmers. So it stands to reason that 3D printing technology can also be used to increase security.
“One of the key elements of a successful skimmer installation is investigating the ATM you want to target, in this case a Nautilus Hyosung 1800 SE,” Nardi explained. “Once an attacker knows which machine they are dealing with, they can buy a replacement card reader for it online and know that whatever device they design to fit it will work on the ‘live’ machine when they go to install it. For some of these machines, 3D models of the card readers are already available online if you know where to look.”
But if the card reader on the type of ATM that a criminal has targeted is completely different than what was researched, such as the 3D printed card reader Nardi came across, the plan is foiled.
Though Nardi’s offer of discussing the card reader with the ATM owner for a blog post was rejected, due to the person’s need to maintain anonymity for the plan to work, he was still interested in the idea of a custom 3D printed card reader, and thought about using 3D printing to make “keyed” ATM card readers.
“Creating a custom reader like the owners of this machine have done is an excellent first step, but it’s still a static design that can be accounted for eventually,” Nardi wrote. “What if, instead of printing out identical card readers for all your ATMs, you made each one unique, making it nearly impossible to anticipate?”
He thought that using a parametric CAD tool, like OpenSCAD, to randomly augment the surface of the card reader might work. The tool could be used to generate small geometric protuberances in the device, and custom readers could even be regularly 3D printed and used in high value markets, where you typically see more card skimmers. Nardi wrote an OpenSCAD script for his project, which randomizes the height and number of pins on the card reader’s face; the layout of the pins can change each time a new STL is generated, making the surface unpredictable. This, in turn, would make it difficult to conceal a skimmer.
“A fully realized version of this script could make more drastic changes to the reader, fundamentally changing its geometry each time the STL was generated; making adaptation all but impossible,” Nardi wrote. “Imagine a thief coming to attach their skimmer, only to find that the reader has changed into an oval since the last time they were there.”
Unfortunately, while using a 3D printed part to make an ATM machine’s card reader safer may seem like a simple, inexpensive way to get past would-be thieves, Nardi ultimately called it “an unworkable solution.”
“If you’re telling consumers to always be on the lookout for suspect looking hardware attached to ATMs, attaching your own suspect looking hardware to the ATM as a deterrent doesn’t make much sense,” Nardi explained.
It’s like the little boy who cried wolf – if you tell people enough times that something they thought was dangerous may not be dangerous at all, they won’t recognize danger when it’s actually there. Consumers could start to have a false sense of security about strange components or devices at the ATM, and may not take the time to report what turn out to be real card skimmers.
Let us know your thoughts on this and other 3D printing topics at 3DPrintBoard.com or share in the Facebook comments below.[Images: Hackaday, unless otherwise noted]