"atm skimmer

Sales pitch from an ATM-skimmer vendor

Brian Krebs tracked down a black-market retailer of mobile-phone-based ATM skimmers that capture your PIN and transmit it to fraudsters over the GSM network. The vendor gave him the whole sales pitch for the efficiency and safety (for the criminals) of GSM-based skimmers. It's a fascinating read, unless you use ATMs, in which case it's a terrifying one.

So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.

And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer - you lose equipment, and tracks, and money.

That's not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.


Commercially available ATM skimmers

Brian Krebs continues his excellent series of posts on ATM skimmers, this time with a report on the state of the art in commercially available artisan-crafted skimmers that can be bought through the criminal underground (accept no imitations!):

Generally, these custom-made devices are not cheap, and you won't find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro -- shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card's magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest direct on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

ATM Skimmers: Separating Cruft from Craft

Accused ATM-skimmer swallows USB drive in custody, doctors remove from his gut

Smoking Gun reports that a NYC man accused of participating in an ATM-skimming ring was raided by feds, and in an unusual attempt to destroy evidence, grabbed a flash drive and swallowed it whole while in the custody of Secret Service agents:

[I]n the view of investigators, [Florin] Necula "grabbed Subject Flash Drive 2, which had been on his person at the time of his arrest, and swallowed," Agent Joseph Borger noted in the below February 25 search warrant affidavit. When Necula was unable to pass the item after about four days, doctors--concerned that the drive was not compatible with the suspect's GI tract--concluded he "would be injured if they allowed the flash drive to remain inside of him," reported Borger. Necula eventually agreed to allow doctors at New York Downtown Hospital to remove the item, according to a source familiar with the incident.

A Kingston executive said it was unclear if stomach acid could damage a flash drive. "As you might imagine, we have no actual experience with someone swallowing a USB," Mike Sager wrote in an e-mail to TSG.

Mr. Necula is currently being held without bail at a jail in Queens, New York. Here are the court documents.


Chip-and-PIN is broken

Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".

It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above.


ATM skimmers: man, these things are scary

Brian Krebs continues to scare the pants off of me with his ongoing series on sophisticated ATM skimmers (devices that capture your card number, working with a hidden camera to catch your PIN). His slideshow of next-gen skimmers has me convinced that there's no way I'd notice a skimmer on an ATM that I was using: "According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said."

ATM Skimmers, Part II

ATM skimmer -- could you spot it in the wild?

Brian Krebs's "Krebs on Security" features an ATM skimmer that is chillingly well-camouflaged. After seeing photos of early, crude skimmers -- devices that capture your card number and work in concert with a hidden camera that records you punching in your PIN -- I assumed that I could rely on my own powers of observation to keep from falling victim to one. Now I don't think I can be so sanguine. Be sure to follow some of the links in the post for some hair-raising examples of the form.

This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim's movements as he or she enters their PIN at the ATM.

Would You Have Spotted the Fraud? (via Neatorama)
