"atm skimmer

Here are the creeps who sell ATM skimmers on Alibaba

Last week I posted about a guy who came across a well-made skimmer at an ATM in Vienna. I wondered who made such a fine looking piece of sociopathic hardware. Turns out this company sells such devices in bulk via Alibaba. Don't you love that the company is using a photo of the Australian QPS Detective Superintendent holding up some confiscated skimmers to advertise their own skimmers?

This company isn't the only one selling ATM skimmers on Alibaba. There are 12,425 skimmer sellers on Alibaba.

ATM skimmer spotted in Vienna

Ben Tedesco of the cybersecurity company Carbon Black found an ATM skimmer while he was on vacation in Vienna, Austria.

A skimmer is a card reader that fits over an ATM card slot. It scans and records the information on the magnetic strip. Some skimmers have little built-in cameras to record card holders' PINs as they enter them on the ATM keypad. If not, the sleazy criminal will mount a video camera nearby, or even install a counterfeit keypad.

From YouTube description:

While on vacation with my family in Vienna, Austria I went to grab some cash from an ATM, being security paranoid I repeated my typical habit of checking the card reader as I have 100's of times... today's the day when my security awareness paid off! Check out how perfectly made this skimmer is that was custom made for this ATM MACHINE!


Deep Insert skimmers: undetectable, disposable short-lived ATM skimmers

NCR reports in-the-wild sightings of "deep skimmers" (tiny, disposable card-skimmers that run on watch batteries and use crude radios to transmit to a nearby base-station) on ATMs around the world: "Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States."

Ad for freelance Russian bank-robbers

Brian Krebs has published an ad from "Foreign Agents," a notorious Russian crime service. They're advertising the availability of foot soldiers in the USA who can help cash out hacked bank accounts and credit cards. Unlike traditional bank-fraud mules, who don't know that they're part of a scam, these "associates" are "неразводные" ("nerazvodni" or "not deceived").

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

According to the advertisement, customers of this service get their very own login to a remote panel, where they can interact with the cashout service and monitor the progress of their thievery operations. The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year.

Say what you will about their criminal tendencies, those bank robbers have excellent art direction.

HOWTO protect yourself from ATM skimmers

Brian Krebs, who has written many excellent investigative pieces on ATM skimmers, spent several hours watching footage seized from hidden skimmer cameras, and has concluded that covering your hand while you enter your PIN really works in many cases -- and that many people don't bother to take this elementary step.

Some readers may be thinking, “Wait a minute: Isn’t it more difficult to use both hands when you’re withdrawing cash from a drive-thru ATM while seated in your car?” Maybe. You might think, then, that it would be more common to see regular walk-up ATM users observing this simple security practice. But that’s not what I found after watching 90 minutes of footage from another ATM scam that was recently shared by a law enforcement source. In this attack, the fraudster installed an all-in-one skimmer, and none of the 19 customers caught on camera before the scheme was foiled made any effort to shield the PIN pad.

Krebs goes on to note that this doesn't work in instances where the skimmer includes a compromised PIN pad, and it seems likely that if covering PINs became more routine, crooks would take up this technique more broadly. But for now, covering your PIN with your free hand is a free, effective means of protecting yourself from ATM skimmers.

A Handy Way to Foil ATM Skimmer Scams

ATM skimmers that fit in the card-slot

Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:

That’s according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region. In both reports, EAST said one country (it isn’t naming which) alerted them about a new form of skimming device that is thin enough to be inserted directly into the card reader slot. These devices record the data stored on the magnetic stripe on the back of the card as it is slid into a compromised ATM.

Another EAST report released this week indicates that these insert skimmers are continuing to evolve. Below are two more such devices. Insert skimmers require some secondary component to record customers entering their PINs, such as a PIN pad overlay or hidden camera.

ATM Skimmers Get Wafer Thin

@NeedADebitCard collects tweeted photos of debit cards

People are posting photos of their debit and credit cards on Twitter. Some of them are lightly blurred – such as the one above, which has a fake tilt shift effect added to it – but most are just straight photos of the cards with all the information unobscured. Mostly these are new cardholders bragging about their newly-acquired financial freedom; a few people shared photos of cards they'd snapped in half.

They're all publicly available photos, and the Twitter account @NeedADebitCard dutifully collects them all in one place, ostensibly to teach people not to post their goddamned financial information all over the Internet. Why bother with ATM skimmers when you can just search the web?

@NeedADebitCard's Twitter (Thanks, DeMarko!)

Nigh-undetectable ATM skimmer

If the previous ATM skimmer posts didn't scare the pants off you, this one from San Fernando Valley, which Brian Krebs reports on, might. It has a near-undetectable pinhole camera for recording timestamped footage of your PIN entry, and apart from that indicator, the only way to spot it is to yank hard on the front of the ATM before you start using it.

A few tips about ATM skimmers and skimming scams. It’s difficult — once you’re aware of how sophisticated some of these skimmers can be — to avoid being paranoid around ATMs; friends and family often tease me for stopping to tug at ATMs that I pass on the street, even when I have no intention of withdrawing money from the machines.

Still, it’s good and healthy to be somewhat paranoid while at an ATM. Make sure nobody is “shoulder surfing” you to watch you enter your PIN. A simple precaution defeats shoulder surfing and many other types of video-based PIN stealing mechanism: Cover the PIN pad with your hand or another object when you enter your PIN.

Skimtacular: All-in-One ATM Skimmer

Author Diane Duane's bank account cleaned out by ATM skimmers, buy her ebooks at 20% off to help her out!

Much-loved fantasy and science fiction author Diane Duane has had a lot of bad luck lately, but this takes the cake: her ATM card was skimmed and the joint account she and her husband share has been zeroed out, and she has no money left at all to cover daily bills while her bank tries to sort out the mess and restore her balance, which could take a long time. She's asking her fans to buy her ebooks to help her through this brutal patch, and offering a 20 percent discount to sweeten the deal:

W. T. F. My bank card has been skimmed.

It’s toast now (thrown in the fire a few minutes ago, a new one ordered over the phone). But so much for the bills that needed to be paid this week. 2012 had better start getting its act together, as this is not an auspicious beginning.

The bank will cover this expense when its fraud department has digested all the details. But meanwhile, the household is skint. So: if you feel inclined to spit in the eye of the nameless rogue(s) who’ve briefly ruined the domestic tranquility around here, I invite you to go over to the Ebooks Direct store and buy something using the discount code DDGOTSKIMMED, which will give you 20% off whatever you buy.

Whoopee, our bank account has been cleaned out...* (via Scalzi!)

Extremely sophisticated, 3D printed (?) ATM skimmer

This ATM skimmer was retrieved from a Chase ATM in West Hills, CA, and it appears to have been 3D printed. It is very sophisticated, with "true geek factor."

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here.

Pro Grade (3D Printer-Made?) ATM Skimmer

ATM skimmer gang invested proceeds in 3D printer to make better ATM skimmers

Last February, i.materialise reported that they'd declined an offer to 3D print a new fascia for an ATM, because they suspected it was part of an ATM skimmer (a device used to capture peoples' ATM PINs and card numbers). The news may have inspired another ATM skimmer gang, four men from South Texas who were indicted in June. Prosecutors say the crooks had saved their pennies from earlier ATM ripoffs and invested in a 3D printer that they used to print their own fascia without having to go through an intermediary like i.materialise.
“When [Lall was] put in jail, we asked, ‘What are we going to do?’ and we had to figure it out and that’s when we came up with this unit,” Paz allegedly told the undercover officer.

The government alleges Paz also was the guy who encoded the stolen card data onto counterfeit cards. The feds say Albert Richard of Missouri City, Texas prepared ATMs at numerous banks where the skimming devices were installed, by covering the ATM cameras or spray-painting over them, and by acting as a lookout.

A fourth defendant, John Griffin, is alleged to have used the counterfeit cards to withdraw funds at different ATMs around Texas. Prosecutors allege the group stole more than $400,000 between Aug. 2009 and June 2011. Prior to their arrest this summer, the gang started making decent money but they split the profits between them. Federal prosecutors say the men stole $57,808.14 in the month of April 2011 alone (yes, that’s an odd amount to have come out of ATMs, but I digress).


Mr 3D Printing Goes to Washington: free conference for Hill rats on Apr 28

Public Knowledge -- whose white paper on the law and 3D printing is required reading -- is throwing a conference in DC for wonks, policymakers, regulators, staffers and all manner of Hill rat. The event's on April 28, and it's free:
On April 28th at 3D⚡DC, the 3D printing community will descend on Washington, DC to show policymakers what they are up to. Panels will introduce the 3D printing community to the DC policy community, and explore some of the policy issues that this disruptive technology will implicate. During a demonstration phase, you will be able to see this technology in action first hand, and speak one-on-one with people and companies on the cutting edge. Be the first person in your caucus, at your GS level, or on your adult kickball team to see 3D printing live

3D⚡DC: 3D Printing Comes to the Nation's Capitol | Public Knowledge (via Makerbot)

ATM ripoff uses glued-down keys

ATM crooks in San Francisco have a clever trick: they glue down the ENTER, CANCEL and CLEAR buttons on an ATM, and wait for customers to go into the bank to complain. The fraudsters then complete the transaction using the on-screen equivalents -- the victim having already keyed in a PIN -- and skip away before the victim comes back out.
Since January, there have been four such thefts in the Richmond District alone, Corriea said.

"And you have to figure it's not always reported to us," Corriea said.

Often, bank customers don't notice the thefts for days, San Francisco police spokesman Officer Albie Esparza said.

"Best thing for consumers is to monitor their bank account," Esparza said.

There are several nonviolent ways crooks can steal cash from ATMs, but the glue method is less risky, Corriea said.

A thief caught applying glue to an ATM would be slapped with a misdemeanor vandalism charge, but likely won't face a felony fraud charge because it isn't easy to prove that the crook intended to steal, Corriea said.

Glue-gun goons target unwary ATM users (via Schneier)

(Image: Glue, a Creative Commons Attribution (2.0) image from kodomut's photostream)

Is it legal to print Settlers of Catan tiles on a 3D printer?

When a Thingiverse contributor uploaded 3D-print-ready homebrew tiles for German superboardgame Settlers of Catan, it raised a bunch of interesting legal questions. Is it illegal to make your own Settlers tiles? To download 3D files describing these tiles? To host the files? To print the files?

Now, Public Knowledge provides some legal analysis:

Let's start with copyright. Settlers of Catan is probably protected by copyright. Importantly, that protection does not cover the entirety of the game. Instead, copyright protects the design on the game tiles. This makes sense - the image on the tile (of pastures, or fields, or rocky quarries, or the like) is just a picture, and pictures are well within the scope of copyright. However, Sublime's 3D designs make no attempt to copy the images on the tiles. Copyright might also protect the shapes of the pieces, except these shapes are so generic and utilitarian (rectangles for roads, simple houses for settlements) that any protection would be extremely limited. Moreover, Sublime's pieces are generally more ornate than the official versions.

Copyright does not protect the shapes of the tiles (they are designed to fit together, and are therefore most likely "functional objects" outside of the scope of copyright). Nor does copyright protect the actual rules of Settlers of Catan. Game rules, like recipes, have a limited number of ways that they can be expressed. Copyright protects expressions, not ideas. Therefore, in order to protect the free flow of ideas, recipes and game rules are rarely protected by copyright.


3D print-shop receives an order for an ATM skimmer

Last June, Belgian 3D printing shop i.materialise received (and declined) its first order for a custom, 3D-printed ATM skimmer faceplate. Good on the i.materialisers, but get set for a lot more of this sort of thing, as more of us end up with our own 3D printers that produce parts on demand, without any nosy service bureau to tell us that committing bank fraud is an inappropriate technological choice.
The 3D model of the device was very well designed, and we would like to urge everyone to be aware and take extreme caution when dealing with ATM machines. Should your credit/debit card be compromised, immediately contact the authorities as well as your local bank.

Rest assured i.materialise as part of Materialise Group will never support and/or produce questionable devices that may cause illegal activities. We are sharing this information in an effort to inform as well as prevent a potential crime.

ATTENTION: ATM skimming device (Thanks, Alice!)

ATM skimmer that doesn't require any modifications to the ATM

Brian Krebs reports on a new wrinkle in ATM skimmer design: if the ATM is in its own lobby, crooks can steal your card number and PIN without ever touching the ATM. Instead, they attach the skimmer to the door-lock (you know those doors that only open if you swipe your card?) and then use a hidden camera to record you keying in your PIN. Clever, in a horrible way, especially since ATMs in their own lobby feel more secure.
On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an "Out of Order" sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right...

The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.

The camera used in this attack retails for about $150, can record up to 2 GB (about two hours worth) of video, and runs on a rechargeable lithium ion battery.


Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera.
