Oh, John Connor does it AGAIN...

... bringing his ATM trick to the masses, always making us believe he's mankind's savior.

A SERIOUS question: In your countries, aren't the banks obliged by law to pay your money back in case you're a victim of an ATM/POS fraud???
In Venezuela at least, they are, unless you can't bring your credit/debit card with you at the time you make your claim.

On a side note: Interesting presentation, hope it changes the way banks and ATM providers think about the security measures they have in place for those devices.

What OS?

Seconded as well... There are sooo many troubles with ATMs these days, and not only with weakly configured OSs (or weak/inappropriate ones) but with other technical issues such as the underlying app that manages the transaction with the "host" system and the ways it communicates, and the banks' internal processes regarding the handling of the ATMs (a non-technical issue, but a MAJOR one).

In some cases you can plain and simple obtain all the data needed to clone cards, and you would think that is by sniffing it off the wire (which is possible in a lot of cases) but no, you only need to look in a plain-text file for the data you need and goodbye Mississippi! Ok, but you need local access... no problem, chances are that the poorly-built door which guards the PC inside the ATM is open (or with the key attached to the lock), or attack it remotely (Windows XP is common, can't be very hard), usually because the patch management unit of the bank is excluding the ATMs because they're not servers or workstations... and so on.

There are several ATMs that run on OS/2 as well; they're NOT more secure than the WinXP ones, just almost the same kind of vulnerabilities (the vast majority coming out of the app that handles the transaction).

It's a fun world out there on the financial channels (POS, WEB and alternative channels and dispensers included), and it is always good to know of these efforts on bringing the truth to the despite of my fears about the potential bad consequences it may have.

Another anti-Chavez ill-informed kneejerk react

"mentions that Chavez complained about a specific website posting false information" Yes, there were postings that one of his ministers was dead... written by a user of their forum... and it was removed some time after, when the forum admin noticed it. So, anyway, this is a good excuse to control the internet in Venezuela. Be at ease, this time it was this fact, but it could have been anything; the government here doesn't care anymore if it can be used as an excuse or not... Things are done without any opposition; Justice and Congress are controlled by the government. The fear of Chavez's declarations is that, if we learned something from the past, it is that if a threat is made by Chavez, it will be carried out as soon as possible: take for example the takeover of several industries (food industries in the east of the country), large commercial companies (fama de america, exito), malls (Sambil La Candelaria), farms, etc. Several with the excuse that they're strategic for the state (which business isn't?) or with no excuse at all... well, and the most symbolic one, the "closedown" of one of the most critical TV channels, RCTV (some in the forum said that they are still broadcasting on cable, and that is not true anymore). The best of all is that every trampling of private property is disguised as legal!!! So, my point is... the fear is founded, and we know what's coming next. Next, several links to expropriations made by the government; there are a lot more, it's only a matter of googling them.

kinda like...

You got me here. I think sort of the same way. In my opinion and experience, touch screens are convenient for use on smartphones or in that kind of device (even when I lose my amazing mutant power of writing SMSs without even looking, which made me popular with my co-workers - it isn't that hard anyway), because you usually don't have a lot of keys to press and the interfaces become as flexible yet intuitive as can be... but in PCs or laptops, there must be a big revolution in the way to interact, not only that you drive the pointer across the screen with your finger. (Not to mention the cheetos/butter/grease experience... any laptop must come with its own mini rain cloud to clean it)

This article is pure FUD

IMHO, you're trying to look at the good stuff of this government just by looking at the objectives of the plans they have implemented, not the real outcome of those. This "gentleman" Chavez has been 10 years in power... 10 YEARS, and still the one responsible for all the bad stuff Venezuela has is "the 40 previous years"... COME ON! 10 years isn't enough for something? Dude, I live in Venezuela, I've been robbed 3 times and I consider myself lucky not to have been harmed in any of those assaults. All my friends have been robbed at least once, and when I say robbed I mean with a gun, and not in dangerous places... anywhere, even malls. It's easy to be seduced by the promise of a better world based on the principles that Chavez has popularized, but I think you're just like a lot of people here: seduced by his words, and by the cynical vision of the government. And because of that many people here trust more in what they hear from them than in what they face every day. You mentioned that your parents teach you several things besides TV and Video Games, and that's how it's meant to be... YOUR PARENTS, not your BIG BROTHER CHAVEZ. Of course, if you care enough about the issue and watch news from Venezuela, I advise you to try to watch both sides of the coin... regrettably each side (opposition and government) has influenced the media so much that you don't know which one is telling the truth, but it is fair to hear both sides without prejudice. If, after that, you're still thinking Chavez is the man, I dare you to come and live in this utopia of a country for the rest of your life, where the government, and not you, decides what your children learn in schools, overthrows elected authorities just because they aren't of his party, throws chemical weapons at rallies, and suppresses your right to argue. I'm not a rich guy, I'm not a poor guy either, I'm just your average neighborhood guy who enjoys freedom and being alive for as long as possible.
I just hope that you and your family, in whatever country you live, don't have to live in a cage, as us.

Violent Games or Violent Streets?

There are so many things to do in this country that this legislation is just plain ridiculous. It's like legislating about how humans will have to penalize a predator for flying on a pterodactyl too low on a rainy day, while there is poverty, crime, corruption, inflation and scarcity of several basic products (all of which we actually have!). If they want to do something about it (and it won't work either), they could be enforcing compliance with the rating that comes with each videogame (+18, M, PG, I don't know and don't even care, because I'm a grown-up).

Actually, you have that backwards.

And you for sure are the kind of person who can't see how biased the news AND DOCUMENTARIES are; you're the kind that likes all the Michael Moore documentaries because they're unbiased. That documentary you're talking about interviews some very VERY dumb rich people, and shows one side of the story; however, there is another side. SO: I formally invite you to come to my Strong Venezuela to live face to face this Socialist Dream we're living, free of the chains of the CIA, Slavery and Ignorance you're talking about. Stop seeing the objective reality and come here and LIVE it... our visas are far easier to obtain than any other visas in the world.

Some of you are blind

I would exchange the 3 or 4 blind people who posted here for the 4 million blind pigs that voted for this pig in the elections. Several (A LOT) of people vote here under the pressure that if they don't vote for Chavez they won't keep their jobs; of course, all of them work for the government and the nationalized industries (which every day are more and more: oil-PDVSA, telecommunications-CANTV-MOVILNET, several basic industries, etc.) I don't understand anymore that excuse that Chavez is "democratically elected": if you vote for me for president, do I have the right to do whatever I like despite the consequences? Instigate violence? Prohibit everything I think is bad for me? And just to let other people know, every other "power" here is controlled by the same party: judicial and legislative power are all servants of Chavez. We're trapped and doomed here. (Well, as I said before, I'm leaving)

From another Venezuelan...

Yes, well, you have a little taste of the cynicism that my country lives on every day. Some time ago I said "If they touch the Internet in ANY WAY, I'll be immediately packing my stuff and moving to the "empire", as they refer to the USA, or Europe in second instance", but I DIDN'T SEE THIS CRAP COMING. So, I'm packing now (xbox360 included). By the way: I'm an Information Security Specialist, with 5 years of experience doing Incident Handling, Forensic Analysis and offering consulting services... Any employer interested? PLEASE!?!?

Don't enter your PIN

Yes, well, another reason may be that if your money is stolen using a debit card it is stolen directly from your account, and if the bank delays a lot in giving your money back, that could be a huge inconvenience for you. If there are laws that force the bank to respond quickly after a "debit" fraud happens, it's ok. If the money is stolen in the form of a charge to your credit card, THAT MONEY WASN'T EVEN your money, and your money in your account isn't touched. I was pointing out (or trying to point out) in my previous comment that the underlying reason you gave for using credit cards more frequently wasn't as safe as you thought. But for your convenience, sure, it is better that the thief carries away credit that you don't have to pay than money you need to buy your stuff.

Very Simple Solution

Hey, that's a way to make things happen! And I'm not being ironic here. Here we have laws that practically oblige banks to pay almost any fraud claim to the customers, and we have laws and resolutions that force the banks to increase the security of the electronic financial channels (POS, ATMs, etc.) with very specific measures. So if anyone has to lose money, it'll be the Bank.

This should be over any time

Only problem is the time it takes to deploy a world based on smart cards, and what do we do in the interim??? There are some studies that have figured out ways to produce fake cards from the data stored in a smartcard. There are some data components of the chip that are customizable by the Banks or whatever company issues smart cards, and there can be foolish and stupid things people could do, as for example, copy the data of the magnetic stripe onto the chip (don't ask me what for, but they have!). So I wouldn't be so at ease if I were you... MUHUHOHOHAHA... even so, cards are WAY more secure than magnetic stripes (pretty obvious, isn't it?).

This problem is simpler than that!

If you think it is easy to "trick the devices into giving the master key", then you know nothing about really bad procedures and the threat they are to information security. Until about two years ago in my country every ATM of each and every one of the Banks used to have a static DES key to encrypt the PIN. This key was trivial as hell AND EVERYONE KNEW IT! Decrypting the PIN was a matter of ... NOTHING, just walk away with your track2 info + DES encrypted PIN and start manufacturing fake cards. Here that's not a problem anymore. PLEASE BANKS, you have to change the scheme to a dynamic and ever changing and unique-for-each-ATM 3DES (at least) key. This 'technical' approach mitigates a little the procedural flaws like giving such critical information to some unconscious technician. But that is only a part of the problem; what about credit cards? (which usually don't use a PIN). In the article they mention that the Master Key is stored in several modules. In my experience that's not true (anymore, maybe 4 or more years ago it was true), the keys are used to be stored in a special tamper-proof memory which is located in the keypad of the ATMs (EPP, Encrypted Pin Pad) and in "encryption boxes" placed in the bank, secure enough if you ask me. The flaw here, again, has been a thing of really stinking procedures and lack of vision of the future (nobody asks what-if anymore???). Another thing is that the ATM providers KNOW THAT ALREADY (and since 2 years ago at least) and they seem to do nothing about spreading the word and proposing solutions to their customers around the world. That's an amazing business opportunity!!! If anyone would like to give me a job to help solve this scheme... I'm more than pleased to help!!! Sorry for the long comment guys...
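
An added example, not part of the comment above or of any vendor's tooling: an inventory check for the condition that comment describes, one static DES PIN key loaded on every ATM. The CSV columns, terminal IDs, key check values (KCVs) and the 90-day rotation threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory; column names, terminal IDs and KCVs are hypothetical.
INVENTORY_CSV = """terminal_id,pin_key_algo,pin_key_kcv,last_key_change
ATM-0001,DES,A1B2C3,2019-01-10
ATM-0002,DES,A1B2C3,2019-01-10
ATM-0003,3DES,77E0D4,2024-05-20
ATM-0004,3DES,0F93AA,2023-02-01
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the page


def audit_pin_keys(inventory_csv, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {terminal_id: [findings]} for terminals whose PIN key is
    single DES, shared with another terminal, or overdue for rotation."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))

    # The same key check value on several terminals means the same key
    # is loaded on all of them, so one leak exposes every one of them.
    by_kcv = defaultdict(list)
    for row in rows:
        by_kcv[row["pin_key_kcv"].upper()].append(row["terminal_id"])

    findings = defaultdict(list)
    for row in rows:
        tid = row["terminal_id"]
        if row["pin_key_algo"].upper() == "DES":
            findings[tid].append("single-DES PIN key")
        sharers = [t for t in by_kcv[row["pin_key_kcv"].upper()] if t != tid]
        if sharers:
            findings[tid].append("key shared with " + ",".join(sorted(sharers)))
        age = (today - date.fromisoformat(row["last_key_change"])).days
        if age > max_age_days:
            findings[tid].append(f"key unchanged for {age} days")
    return dict(findings)


if __name__ == "__main__":
    report = audit_pin_keys(INVENTORY_CSV, date(2024, 6, 1))
    for tid, issues in sorted(report.items()):
        print(tid, "; ".join(issues))
```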

