"atm skimmer

Ad for freelance Russian bank-robbers

Brian Krebs has published an ad from "Foreign Agents," a notorious Russian crime service. They're advertising the availability of foot soldiers in the USA who can help cash out hacked bank accounts and credit cards. Unlike traditional bank-fraud mules, who don't know that they're part of a scam, these "associates" are "неразводные" ("nerazvodni" or "not deceived").

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

According to the advertisement, customers of this service get their very own login to a remote panel, where they can interact with the cashout service and monitor the progress of their thievery operations. The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year.

Say what you will about their criminal tendencies, those bank robbers have excellent art direction. Read the rest

HOWTO protect yourself from ATM skimmers

Brian Krebs, who has written many excellent investigative pieces on ATM skimmers, spent several hours watching footage seized from hidden skimmer cameras, and has concluded that covering your hand while you enter your PIN really works in many cases -- and that many people don't bother to take this elementary step.

Some readers may thinking, “Wait a minute: Isn’t it more difficult to use both hands when you’re withdrawing cash from a drive-thru ATM while seated in your car?” Maybe. You might think, then, that it would be more common to see regular walk-up ATM users observing this simple security practice. But that’s not what I found after watching 90 minutes of footage from another ATM scam that was recently shared by a law enforcement source. In this attack, the fraudster installed an all-in-one skimmer, and none of the 19 customers caught on camera before the scheme was foiled made any effort to shield the PIN pad.

Krebs goes on to note that this doesn't work in instances where the skimmer includes a compromised PIN pad, and it seems likely that if covering PINs became more routine that crooks would take up this technique more broadly. But for now, covering your PIN with your free hand is a free, effective means of protecting yourself from ATM skimmers.

A Handy Way to Foil ATM Skimmer Scams Read the rest

@NeedADebitCard collects tweeted photos of debit cards

People are posting photos of their debit and credit cards on Twitter. Some of them are lightly blurred– such as the one above which has a fake tilt shift effect added to it –but most are just straight photos of the cards with all the information unobscured. Mostly these are new cardholders bragging about their newly-acquired financial freedom, a few people shared photos of cards they'd snapped in half.

They're all publicly available photos, and the Twitter account @NeedADebitCard dutifully collects them all in one place, ostensibly to teach people not to post their goddamned financial information all over the Internet. Why bother with ATM skimmers when you can just search the web?

@NeedADebitCard's Twitter Thanks, DeMarko! Read the rest

Nigh-undetectable ATM skimmer

If the previous ATM skimmer posts didn't scare the pants off you, this one from San Fernando Valley, which Brian Krebs reports on, might. It has a near-undetectable pinhole camera for recording timestamped footage of your PIN entry, and apart from that indicator, the only way to spot it is to yank hard on the front of the ATM before you start using it.

A few tips about ATM skimmers and skimming scams. It’s difficult — once you’re aware of how sophisticated some of these skimmers can be — to avoid being paranoid around ATMs; friends and family often tease me for stopping to tug at ATMs that I pass on the street, even when I have no intention of withdrawing money from the machines.

Still, it’s good and healthy to be somewhat paranoid while at an ATM. Make sure nobody is “shoulder surfing” you to watch you enter your PIN. A simple precaution defeats shoulder surfing and many other types of video-based PIN stealing mechanism: Cover the PIN pad with your hand or another object when you enter your PIN.

Skimtacular: All-in-One ATM Skimmer Read the rest

Author Diane Duane's bank account cleaned out by ATM skimmers, buy her ebooks at 20% off to help her out!

Much-loved fantasy and science fiction author Diane Duane has had a lot of bad luck lately, but this takes the cake: her ATM card was skimmed and the joint account she and her husband share has been zeroed out, and she has no money left at all to cover daily bills while her bank tries to sort out the mess and restore her balance, which could take a long time. She's asking her fans to buy her ebooks to help her through this brutal patch, and offering a 20 percent discount to sweeten the deal:

W. T. F. My bank card has been skimmed.

It’s toast now (thrown in the fire a few minutes ago, a new one ordered over the phone). But so much for the bills that needed to be paid this week. 2012 had better start getting its act together, as this is not an auspicious beginning.

The bank will cover this expense when its fraud department has digested all the details. But meanwhile, the household is skint. So: if you feel inclined to spit in the eye of the nameless rogue(s) who’ve briefly ruined the domestic tranquility around here, I invite you you to go over to the Ebooks Direct store and buy something using the discount code DDGOTSKIMMED, which will give you 20% off whatever you buy.

Whoopee, our bank account has been cleaned out...* (via Scalzi!) Read the rest

Extremely sophisticated, 3D printed (?) ATM skimmer

This ATM skimmer was retrieved from a Chase ATM in West Hills, CA, and it appears to have been 3D printed. It is very sophisticated, with "true geek factor."

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here.

Pro Grade (3D Printer-Made?) ATM Skimmer Read the rest

ATM skimmer gang invested proceeds in 3D printer to make better ATM skimmers

Last February, i.materialise reported that they'd declined an offer to 3D print a new fascia for an ATM, because they suspected it was part of an ATM skimmer (a device used to capture peoples' ATM PINs and card numbers). The news may have inspired another ATM skimmer gang, four men from South Texas who were indicted in June. Prosecutors say the crooks had saved their pennies from earlier ATM ripoffs and invested in a 3D printer that they used to print their own fascia without having to go through an intermediary like i.materialise.
“When [Lall was] put in jail, we asked, ‘What are we going to do?’ and we had to figure it out and that’s when we came up with this unit,” Paz allegedly told the undercover officer.

The government alleges Paz also was the guy who encoded the stolen card data onto counterfeit cards. The feds say Albert Richard of Missouri City, Texas prepared ATMs at numerous banks where the skimming devices were installed, by covering the ATM cameras or spray-painting over them, and by acting as a lookout.

A fourth defendant, John Griffin, is alleged to have used the counterfeit cards to withdraw funds at different ATMs around Texas. Prosecutors allege the group stole more than $400,000 between Aug. 2009 and June 2011. Prior to their arrest this summer, the gang started making decent money but they split the profits between them. Federal prosecutors say the men stole $57.808.14 in month of April 2011 alone (yes, that’s an odd amount to have come out of ATMs, but I digress).

Read the rest

ATM ripoff uses glued-down keys

ATM crooks in San Francisco have a clever trick: they glue down the ENTER, CANCEL and CLEAR buttons on an ATM, and wait for customers to go into the bank to complain. The fraudsters then complete the transaction using the on-screen equivalents -- the victim having already keyed in a PIN -- and skip away before the victim comes back out.
Since January, there have been four such thefts in the Richmond District alone, Corriea said.

"And you have to figure it's not always reported to us," Corriea said.

Often, bank customers don't notice the thefts for days, San Francisco police spokesman Officer Albie Esparza said.

"Best thing for consumers is to monitor their bank account," Esparza said.

There are several nonviolent ways crooks can steal cash from ATMs, but the glue method is less risky, Corriea said.

A thief caught applying glue to an ATM would be slapped with a misdemeanor vandalism charge, but likely won't face a felony fraud charge because it isn't easy to prove that the crook intended to steal, Corriea said.

Glue-gun goons target unwary ATM users (via Schneier)

(Image: Glue, a Creative Commons Attribution (2.0) image from kodomut's photostream)  Flashmob of ATM crooks scores $9 million in 49 cities - Boing Boing Local man finds card skimmer on ATM - Boing Boing ATM skimmer -- could you spot it in the wild? - Boing Boing ATM skimmers: man, these things are scary - Boing Boing ATM user interface fail - Boing Boing Commercially available ATM skimmers - Boing Boing ATM skimmer that doesn't require any modifications to the ATM ... Read the rest

Is it legal to print Settlers of Catan tiles on a 3D printer?

When a Thingiverse contributor uploaded 3D-print-ready homebrew tiles for German superboardgame Settlers of Catan, it raised a bunch of interesting legal questions. Is it illegal to make your own Settlers tiles? To download 3D files describing these tiles? To host the files? To print the files?

Now, Public Knowledge provides some legal analysis:

Let's start with copyright. Settlers of Catan is probably protected by copyright. Importantly, that protection does not cover the entirety of the game. Instead, copyright protects the design on the game tiles. This makes sense - the image on the tile (of pastures, or fields, or rocky quarries, or the like) is just a picture, and pictures are well within the scope of copyright. However, Sublime's 3D designs make no attempt to copy the images on the tiles. Copyright might also protect the shapes of the pieces, except these shapes are so generic and utilitarian (rectangles for roads, simple houses for settlements) that any protection would be extremely limited. Moreover, Sublime's pieces are generally more ornate that the official versions.

Copyright does not protect the shapes of the tiles (they are designed to fit together, and are therefore most likely "functional objects" outside of the scope of copyright). Nor does copyright protect the actual rules of Settlers of Catan. Game rules, like recipes, have a limited number of ways that they can be expressed. Copyright protects expressions, not ideas. Therefore, in order to protect the free flow of ideas, recipes and game rules are rarely protected by copyright.

Read the rest

3D print-shop receives an order for an ATM skimmer

Last June, Belgian 3D printing shop i.materialise received (and declined) its first order for a custom, 3D-printed ATM skimmer faceplate. Good on the i.materialisers, but get set for a lot more of this sort of thing, as more of us end up with our own 3D printers that produce parts on demand, without any nose service bureau to tell us that committing bank fraud is an inappropriate technological choice.
The 3D model of the device was very well designed, and we would like to urge everyone to be aware and take extreme caution when dealing with ATM machines. Should your credit/debit card be compromised, immediately contact the authorities as well as your local bank.

Rest assured i.materialise as part of Materialise Group will never support and/or produce questionable devices that may cause illegal activities. We are sharing this information in an effort to inform as well as prevent a potential crime.

ATTENTION: ATM skimming device (Thanks, Alice!)  ATM skimmer -- could you spot it in the wild? - Boing Boing ATM skimmer that doesn't require any modifications to the ATM ... Commercially available ATM skimmers - Boing Boing ATM skimmers: man, these things are scary - Boing Boing Sales pitch from an ATM-skimmer vendor - Boing Boing Accused ATM-skimmer swallows USB drive in custody, doctors remove ... ATM card skimmer in real life -- Boing Boing Gadgets - Boing Boing Read the rest

ATM skimmer that doesn't require any modifications to the ATM

Brian Krebs reports on a new wrinkle in ATM skimmer design: if the ATM is in its own lobby, crooks can steal your card number and PIN without ever touching the ATM. Instead, they attach the skimmer to the door-lock (you know those doors that only open if you swipe your card?) and then use a hidden camera to record you keying in your PIN. Clever, in a horrible way, especially since ATMs in their own lobby feel more secure.
On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an "Out of Order" sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right...

The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.

The camera used in this attack retails for about $150, can record up to 2 GB (about two hours worth) of video, and runs on a rechargeable lithium ion battery.

Read the rest

Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera.

Read the rest

Sales pitch from an ATM-skimmer vendor

Brian Krebs tracked down a black-market retailer of mobile-phone-based ATM skimmers that capture your PIN and transmit it to fraudsters over the GSM network. The vendor gave him the whole sales-pitch for the efficiency and safety (for the criminals) of GSM-based skimmers. It's a fascinating read, unless you use ATMs, in which case, it's a terrifying one.

So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.

And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer - you lose equipment, and tracks, and money.

That's not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.

Read the rest

Commercially available ATM skimmers

Brian Krebs continues his excellent series of posts on ATM skimmers, this time with a report on the state of the art in commercially available artisan-crafted skimmers that can be bought through the criminal underground (accept no imitations!):
Generally, these custom-made devices are not cheap, and you won't find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro -- shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card's magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest direct on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

ATM Skimmers: Separating Cruft from Craft ATM skimmer -- could you spot it in the wild? Accused ATM-skimmer swallows USB drive in custody, doctors remove ... HOWTO build an RFID skimmer ATM skimmers: man, these things are scary Local man finds card skimmer on ATM Gadgets Read the rest

Accused ATM-skimmer swallows USB drive in custody, doctors remove from his gut

Smoking Gun reports that a NYC man accused of participating in an ATM-skimming ring was raided by feds, and in an unusual attempt to destroy evidence, grabbed a flash drive and swallowed it whole while in the custody of Secret Service agents:
[I]n the view of investigators, [Florin] Necula "grabbed Subject Flash Drive 2, which had been on his person at the time of his arrest, and swallowed," Agent Joseph Borger noted in the below February 25 search warrant affidavit. When Necula was unable to pass the item after about four days, doctors--concerned that the drive was not compatible with the suspect's GI tract--concluded he "would be injured if they allowed the flash drive to remain inside of him," reported Borger. Necula eventually agreed to allow doctors at New York Downtown Hospital to remove the item, according to a source familiar with the incident.

A Kingston executive said it was unclear if stomach acid could damage a flash drive. "As you might imagine, we have no actual experience with someone swallowing a USB," Mike Sager wrote in an e-mail to TSG.

Mr. Necula is currently being held without bail at a jail in Queens, New York. Here are the court documents.

Previously:ATM skimmer -- could you spot it in the wild? ATM card skimmer in real life ATM skimmers: man, these things are scary HOWTO build an RFID skimmer Read the rest

Next page