Smoking Gun reports
that a NYC man accused of participating in an ATM-skimming ring was raided by feds, and in an unusual attempt to destroy evidence, grabbed a flash drive and swallowed it whole while in the custody of Secret Service agents:
[I]n the view of investigators, [Florin] Necula "grabbed Subject Flash Drive 2, which had been on his person at the time of his arrest, and swallowed," Agent Joseph Borger noted in the below February 25 search warrant affidavit. When Necula was unable to pass the item after about four days, doctors--concerned that the drive was not compatible with the suspect's GI tract--concluded he "would be injured if they allowed the flash drive to remain inside of him," reported Borger. Necula eventually agreed to allow doctors at New York Downtown Hospital to remove the item, according to a source familiar with the incident.
A Kingston executive said it was unclear if stomach acid could damage a flash drive. "As you might imagine, we have no actual experience with someone swallowing a USB," Mike Sager wrote in an e-mail to TSG.
Mr. Necula is currently being held without bail at a jail in Queens, New York. Here are the court documents
Previously:ATM skimmer -- could you spot it in the wild?
ATM card skimmer in real life
ATM skimmers: man, these things are scary
HOWTO build an RFID skimmer
Read the rest
Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Read the rest
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above.
Brian Krebs continues to scare the pants off of me with his ongoing series on sophisticated ATM skimmers (devices that capture your card number, working with a hidden camera to catch your PIN). His slideshow of next-gen skimmers has me convinced that there's no way I'd notice a skimmer on an ATM that I was using: "According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said."
ATM Skimmers, Part II
ATM card skimmer in real life -- Boing Boing Gadgets
ATM skimmer -- could you spot it in the wild?
Read the rest
Brian Krebs's "Krebs on Security" features an ATM skimmer that is chillingly well-camouflaged. After seeing photos of early, crude skimmers -- devices that capture your card number and work in concert with a hidden camera that records you punching in your PIN -- I assumed that I could rely on my own powers of observation to keep from falling victim to one. Now I don't think I can be so sanguine. Be sure to follow some of the links in the post for some hair-raising examples of the form.
This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
Would You Have Spotted the Fraud?
This is fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim's movements as he or she enters their PIN at the ATM.
Previously:Mouse nesting in ATM Boing Boing
African ATM offers eight languages - Boing Boing
Boing Boing: Fake ATM receipts for sale
Citibank PIN/ATM fiasco "worst ever," involves more banks - Boing ...
UK ATM cards' chips defeated with discount airfares - Boing Boing
Ripoff: Visa/Mastercard's "Foreign transaction fee" - Boing Boing
Boing Boing: Crook reprograms ATM in PA to think $20s are $1s Read the rest