Aussie ATM criminals embrace 3D printers for cashpoint crimes

In our recent #sophospuzzle, we gave away a 3D printer as a prize.

The winner was pretty pleased, and although it hasn't arrived yet, he's already emailed us with some ideas of what he's thinking of using it for. (Nothing controversial, honest!)

3D printers work by building up an object layer by layer, typically out of some kind of polymer, accumulating material in the desired pattern until you have a finished product.

The trendy term for this is additive manufacturing, in contrast to a milling machine, which cuts away the parts you don't want until what's left behind is the finished product.

As you can probably imagine, it didn't take long for controversial uses to emerge for 3D printers, and one of the most newsworthy was the idea of "printing" parts for firearms.

In particular, US law allows you to acquire the hard-to-make components of some firearms, such as the barrel and breech, without any sort of licensing, as though they weren't parts of a lethal weapon at all.

Apparently, it all depends on how the weapon disassembles, because it's the part where the serial number is stamped that legally constitutes the firearm.

In the notable case of the AR-15 rifle, the serial number is on the lower receiver, a comparatively modest part that is just within the capabilities of a 3D polymer printer, so you can make one at home.

Plug your home-made lower into a shop-bought upper receiver, and you just sidestepped firearm licensing laws, at least until your home-made plastic part snaps under the stresses of firing.

It seems, however, it's not just gun parts that have attracted the attention of fans of additive manufacturing.

According to Aussie-based IT News, Sydney police have reported their first cases of ATM skimming machines made on 3D printers.

A gang of suspected Romanian criminals is using 3D printers and computer-aided design (CAD) to manufacture “sophisticated” ATM skimming devices used to fleece Sydney residents.

[New South Wales] Police recently arrested and charged a Romanian national with fraud after a money transfer officer contacted police over a suspicious transaction.

A skimmer is a device that fits onto, around or into an ATM's own "lower receiver" (i.e. the card slot).

The skimmer reads your card on its way into the real slot, where it is read again by the machine itself.

That gives the crooks enough information to clone a magnetic-stripe-only credit card.

If they also have a hidden video camera, or an unobtrusive keypad overlay, they may be able to record your PIN at the same time, match it later with your cloned card, and raid your account for hard cash.

One obvious "advantage" of 3D printed skimmers is that the crooks can quickly try a new design (or tweak an old one) in order to make their devices as surreptitious as possible.

The better a skimmer fits, the more smoothly it blends with the ATM's shape, and the closer the colour, the more likely it is to go unnoticed.

Also, 3D printouts can be made on demand, so that the crooks can quickly replace skimmers that have been detected, removed and destroyed.

Fortunately, we don't need to over-react by banning ATMs, or 3D printers, or both.

A few simple precautions when you are drawing cash can go a long way to reducing your risk of being skimmed.

Neither the skimmer, nor the video camera, nor the fake keyboard overlay, can be made completely invisible.

If you are alert you are likely to be able to spot them:

(Video from our intrepid human cybercrime fighting chums of the Queensland Police Service.)

6 Responses to Aussie ATM criminals embrace 3D printers for cashpoint crimes

  1. Cartman · 400 days ago

    Poor guy, if he owned one of those 'Too Big to Fail' Wall Street banks, he could have stolen all the money he wanted, and not done any time, plus Congress would have given him a big bunch of money.

  2. Steve-O · 399 days ago

    Cool, I have a new security hero! I mean, besides Paul. That and I learned how to acquire illegal firearms, some assembly required...

    • Paul Ducklin · 399 days ago

      If I have read the discussions surrounding this correctly, the deal is that it isn't illegal, since technically you haven't bought or sold the weapon, but made it yourself, despite the parts you bought in, like the upper receiver.

  3. J.G.Frajkor2 · 399 days ago

    These guys using 3D printers are crazy. Why make rifle parts, and skimmers for ATM machines, when you can make coins? No, not modern coins, which are usually not as high-denomination as paper or plastic money. Make coins that were recovered from those Spanish, French, etc., ships that were sunk or looted by pirates and the British navy way back a few centuries ago. Coins which antique collectors and museums pay thousands of dollars to get when divers recover them.
    "Make Money!" is what I say to my kids and my employees. Why not say it to 3D printing guys? (Good joke, eh?)

    • Paul Ducklin · 399 days ago

      Most 3D printers don't work with metal, though. A polymer doubloon might be a bit of a giveaway, wouldn't you say?

  4. Deramin · 396 days ago

    The cycle of invention:
    1. Clever person comes up with new invention that makes doing things easier, faster, or cheaper
    2. Invention takes off and Makers use it for all kinds of neat stuff
    3. Other clever people use it for evil

    How positively people feel about the invention long term may depend on what order 2 and 3 happen in. 2 then 3 generally means a well received invention. 3 then 2, or 3 and 2 and we tend to get all up in arms about how the new invention will ruin everything. But really it comes down to people being good, evil, misguided, misinformed, etc. If we really want to ban anything in such a way that it fixes the problem, we'd have to ban ourselves. Not sure that's in our best interests.

    Maybe we need to update the design on ATMs and POS terminals, though. Make it easier to cover the pin pad while using one hand, or design it with a cover built in. Use a separate pin on ATM transactions vs. POS transactions. Give us a biometric option (if India can build this into its national ID system, I think we can afford this) along with our pin. Maybe train the security guards to test for card skimmers at least once a day.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog