Jul 252014
 

 

All About Skimmers

 

KrebsOnSecurity

Direct Link:  http://krebsonsecurity.com/all-about-skimmers/

 

The series I’ve written about ATM skimmers, gas pump skimmers and other related fraud devices have become by far the most-read posts on this blog. I put this gallery together to showcase the entire series, and to give others a handy place to reference all of these stories in one place. Click the headline or the image associated with each blurb for the full story.

 

Jan. 15, 2010: Would You Have Spotted the Fraud?

Pictured here is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipecredit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution. This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

 

 

 

 

 

 

 

 

 

ATM PIN capture device

Feb. 2, 2010: ATM Skimmers, Part II

The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin‘s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

 

 

 

 

 

 

 

 

 

March 25, 2010: Would You Have Spotted This ATM Fraud?

The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.

 

 

 

 

 

 

 

 

 

 

June 3, 2010: ATM Skimmers: Separating Cruft from Craft

The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

 

 

 

 

 

 

 

 

 

June 17, 2010: Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message

Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.

 

 

 

 

 

 

 

 

 

 

July 20, 2010: Skimmers Siphoning Card Data at the Pump

Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

 

 

 

 

 

 

 

 

 

 

Fun With ATM Skimmers, Part III

According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

 

 

 

 

 

 

 

 

Nov. 10, 2010: All-in-One Skimmers

ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

 

 

 

 

 

 

 

Nov. 23, 2010: Crooks Rock Audio-based ATM Skimmers

The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs. EAST said it also discovered that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).

 

 

 

 

 

 

 

 

 

Dec. 13, 2010: Why GSM-based ATM Skimmers Rule

So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models — that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).

 

 

 

 

 

 

 


Jan. 17, 2011: ATM Skimmers, Up Close

I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

 

 

 

 

 

 

 

 

Jan. 31, 2011: ATM Skimmers That Never Touch the ATM….

Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.

 

 

 

 

 

Feb. 16, 2011: Having a Ball With ATM Skimmers

On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users. But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.

 

 

 

 

 

 

 

 

Mar. 11, 2011: Green Skimmers Skimming Green

To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.

 

 

 

 

 

 

 

 

April 10, 2001: ATM Skimmers: Hacking the Cash Machine

Most of the ATM skimmers I’ve profiled in this blog are comprised of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.

 

 

 

 

 

 

 

 

May 18, 2011: Point-of-Sale Skimmers: Robbed at the Register

Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.

 

 

 

 

 

 

 

 

 

Sept. 20, 2011: Gang Used 3D Printers for ATM Skimmers

An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. In June, a federal court indicted four men from South Texas (PDF) whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer.

 

 

 

 

 

 

 

Oct. 13, 2011: ATM Skimmer Powered by MP3 Player

Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices. The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The Mp3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.

 

 

 

 

 

 

 

 

Dec. 7, 2011: Pro Grade (3D Printer-Made?) ATM Skimmer…

In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

 

 

 

 

 

 

 

April 25, 2012: Skimtacular: All-In-One ATM Skimmer…

I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.

 

 

 

 

 

 

 

 

 

 

 

July 24, 2012: ATM Skimmers Get Wafer Thin…

It’s getting harder to detect some of the newer ATM skimmers, fraud devices attached to or inserted into cash machines and designed to steal card and PIN data. Among the latest and most difficult-to-spot skimmer innovations is a wafer-thin card reading device that can be inserted directly into the ATM’s card acceptance slot.

 

 

 

 

 

 

Sept. 5, 2012: A Handy Way to Foil ATM Skimmers…

I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.

 

 

 

 

 

 

 

cashtrapsingle Nov. 20, 2012: Beware Card- and Cash-trapping at the ATM…

Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.

 

 

 

 

 

 

 

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

Dec. 12, 2012: ATM Thieves Swap Security Camera for Keyboard…

This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.

 

 

 

 

 

 

 

 

 

 

 

verifone

Dec. 18, 2012: Point-of-Sale Skimmers: No Charge…Yet…

If you hand your credit or debit card to a merchant who is using a wireless point-of-sale (POS) device, you may want to later verify that the charge actually went through. A top vendor of POS skimmers ships devices that will print out “transaction approved” receipts, even though the machine is offline and is merely recording the customer’s card data and PIN for future fraudulent use.

 

 

 

 

 

device1-a

Feb. 1, 2013: Pro-Grade Point-of-Sale Skimmer….

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

 

 

 

 

 

hownot

Apr. 24, 2013: How Not To Install an ATM Skimmer….

Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.

 

 

 

 

 

 

 

The MSR-605 components combined with a battery and flash drive. The red stuff is 3M double-sided tape.

July 16, 2013: Getting Skimpy With ATM Skimmers

Cybercrooks can be notoriously cheap, considering how much they typically get for nothing. I’m reminded of this when I occasionally stumble upon underground forum members trying to sell a used ATM skimmer: Very often, the sales thread devolves into a flame war over whether the fully-assembled ATM skimmer is really worth more than the sum of its parts.

 

 

 

 

 

nordskim

Oct. 10, 2013: Norstrom Finds Cash Register Skimmers

Scam artists who deploy credit and debit card skimmers most often target ATMs, yet thieves can also use inexpensive, store-bought skimming devices to compromise modern-day cash registers. Just this past weekend, for instance, department store chain Nordstrom said it found a half-dozen of these skimmers affixed to registers at a store in Florida.

 

 

 

 

 

verifoneskimmer

Dec. 3, 2013: Simple But Effective Point-of-Sale Skimmer

Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.

 

 

 

 

fakeatm

Dec. 18, 2013: The Biggest Skimmers of All: Fake ATMs

This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

 

 

 

 

 

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

Jul 252014
 

Cracks emerge in the cloud: Security weakness of cloud storage services

Science Daily
Source: The Agency for Science, Technology and Research (A*STAR)
July 19, 2014

 

Cracks emerge in the cloud: Security weakness of cloud storage services

Cracks emerge in the cloud: Security weakness of cloud storage services

 

As individual computer users increasingly access the Internet from different smartphones, tablets and laptops, many are choosing to use online cloud services to store and synchronize their digital content. Cloud storage allows consumers to retrieve their data from any location using any device and can provide critical backups in the case of hard disk failure. But while people are usually vigilant about enacting security measures on personal computers, they often neglect to consider how safe their files are in the cloud.

 

Now, findings from a team led by Jianying Zhou of the A*STAR Institute for Infocomm Research in Singapore promise to improve the security of popular online services and better protect users by revealing hidden flaws associated with an important cloud storage feature — the ability to share files with friends, co-workers or the public1.

Sharing content is an attractive way to let far-flung colleagues view and collaborate on projects without using email attachments, which often have strict file size limitations. Data sharing can be: public, with no access controls; private, in which the cloud service provider authenticates sharing through login controls; or ‘secret’ uniform resource locator (URL) sharing where people without an account on the cloud service can access data by following a specific web link.

The A*STAR-led researchers analyzed the security of three well-known cloud service providers — Dropbox, Google Drive and Microsoft SkyDrive — and found that all three had vulnerabilities many users might encounter. They uncovered several risks related to the sharing of secret URLs. Because URLs are saved in various network-based servers, browser histories and Internet bookmarks, frequent opportunities exist for third parties to access private data. Furthermore, the URL recipient may send the link to others without the data owner’s consent.

Another danger lies in the practice of URL shortening — reducing long web addresses to brief alphanumeric sequences for easier sharing on mobile devices. Although the original URL may point to a privately shared file, shortening changes this address into plain text unprotected by encryption. Zhou also notes that because short URLs have very limited lengths, they are susceptible to brute-force attacks that can dig out supposedly secret files.

Zhou explains that the root cause of cloud security problems lies in the need to balance usability with privacy protection. “Users should be careful when they share files in the cloud because no system is perfectly secure. The cloud industry, meanwhile, needs to constantly raise the bar against new attacks while keeping the service as functional as possible.”

 


Story Source:

The above story is based on materials provided by The Agency for Science, Technology and Research (A*STAR). Note: Materials may be edited for content and length.

 


Journal Reference:

  1. Cheng-Kang Chu, Wen-Tao Zhu, Jin Han, Joseph K. Liu, Jia Xu, Jianying Zhou.
  2. Security Concerns in Popular Cloud Storage Services. IEEE Pervasive Computing, 2013; 12 (4): 50 DOI: 10.1109/MPRV.2013.72

Jul 252014
 

Snowden plans to work on anti-surveillance technology

The former NSA contractor, still hidden within Russia, plans to develop anti-surveillance technology following the US government spying scandal.

 

ZDNet
By Charlie Osborne for Zero Day
July 21, 2014

 

 

Edward Snowden says he plans to develop and promote anti-surveillance technology to hamper government spying across the globe.

Edward Snowden says he plans to develop and promote anti-surveillance technology to hamper government spying across the globe.

 

The former US National Security Agency (NSA) contractor, who leaked confidential documents detailing the extensive surveillance activities of the NSA and the UK’s GCHQ, called for support at the Hackers On Planet Earth (HOPE) conference via a video link from Moscow, Russia.

Snowden addressed the conference on Saturday, requesting that the hacking community channel its resources into developing anti-surveillance technologies which will make government spying more difficult — and said that he planned to spend much of his future time doing the same.

The former NSA contractor said:

 

We the people — you the people, you in this room right now — have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day. [..] and that’s what a lot of my future work is going to be involved in, and I hope you’ll join me in making that a reality.

 

Speaking at the New York City conference, Snowden also defended his actions in relation to leaking confidential documents from the US intelligence agency to the media. The contractor said that most Americans have little concept of how wide-ranging their government’s surveillance activities are, but “have a right as Americans and as members of the global community to know the broad outlines of government policies that significantly impact on our lives.”

“If we’re going to have a democracy and an enlightened citizenry, if we’re going to provide the consent of the governed, we have to know what is going on, we have to know the broad outlines of a policy and we can’t have the government shut us out from every action that they’re doing,” Snowden commented.

Snowden is currently hidden in Russia after fleeing the United States last year. The former NSA contractor’s Russian visa expires at the end of July, and the former contractor has requested an extension. However, Snowden did not comment on whether his visa has been extended.

In an interview with The Guardian last week, Snowden said he is unlikely to have a fair trial if he returned to the US, being one of few whistleblowers in history to be charged under the Espionage Act.

VIDEO LINK:       Edward Snowden Speaks at HOPE X

 

Direct Link:  http://www.zdnet.com/snowden-plans-to-work-on-anti-surveillance-technology-7000031805/

 

Jul 202014
 

 

Veteran Pickpocket Explains How ATM Skimmers Are Ruining His Craft

 

GIZMODO
by Adam Clark Estes
July 20, 2014

 

 

ATM Hacking & ATM Skimmers

ATM Hacking & ATM Skimmers

 

There’s no better example of a petty criminal than the pickpocket, a fast-moving talent who lifts wallets as if he were picking up pennies off the sidewalk. But a profile of a veteran pickpocket in the New York Times this weekend shows that technology is destroying the art. Credit cards are just more lucrative.

It’s not a surprising revelation, but it’s oddly sad to hear Wilfred Rose, said veteran thief, bemoan the shift. “We’re disappearing,” he told the paper from prison. “In a few years, there won’t be any of us left.” Evidently Rose is just one of 50 pickpockets—”the Nifty Fifty”—that the NYPD still watches out for. ATM skimmers, the Times says, are taking over.

Who wouldn’t blame them? Besides the fact that hackers can make off with millions in a matter of hours by taking the high tech route to stealing cash, ATM skimmers can live in machines for months without detection. And even if they do get discovered, it’s almost impossible to link them back to a thief. Pickpockets were never so lucky. [NYT]

Direct Link:  http://gizmodo.com/veteran-pickpocket-explains-how-atm-skimmers-are-ruinin-1607948716

Jul 202014
 

Hackers Have Figured Out How to Steal Millions from ATMs

 

GIZMODO
by Adam Clark Estes
April 3, 2014

 

 

A woman withdraws money from an ATM in the Cypriot capital of Nicosia, on March 16, 2013. Eurozone finance ministers agreed on a bailout for Cyprus, the fifth international rescue package in three years of the debt crisis. AFP PHOTO/BARBARA LABORDE        (Photo credit should read BARBARA LABORDE/AFP/Getty Images)

A woman withdraws money from an ATM in the Cypriot capital of Nicosia, on March 16, 2013. Eurozone finance ministers agreed on a bailout for Cyprus, the fifth international rescue package in three years of the debt crisis. AFP PHOTO/BARBARA LABORDE (Photo credit should read BARBARA LABORDE/AFP/Getty Images)

 

Federal regulators just alerted banks across the country of a very dangerous new skill ATM hackers have picked up. They can trick ATMs into spitting out unlimited amounts of cash, regardless of the customer’s balance. Not only that, but also schedule the illicit withdrawals for holidays and weekends, when the ATMs are extra flush.

We’ve heard of crazy ATM hackers before, but this really takes the cake. It’s a triple threat, really. The ability to skirt around daily ATM withdrawal limits is bad enough, since the hackers isn’t limited to $500 or whatever the limit is on any single account. But the fact that the hackers can now extract more than what’s in a customers account combined with the scheduling method means that any given ATM theft could now be an all out heist. That’s why the Secret Service is calling this strategy Unlimited Operations.

Heists are exactly what’s happening, too. “A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts,” said the Federal Financial Institutions Examination Council in its alert to banks. The regulators believe that the hackers have actually been targeting bank employees with phishing scams in order to get their malware installed on the banks’ computer systems. The Los Angeles Times explains how it’s done:

Criminals use the malware to obtain employee login credentials and to determine how the institution accesses ATM control panels, often based online, that allow changes to be made in the amount of money customers may withdraw, geographic usage limits and how fraud reports are generated.

After hacking the control panel, criminals withdraw funds by using fraudulent cards they create with account information and personal identification numbers stolen through separate attacks, the regulators said. The PINs may be stolen by malicious software or scanning programs at merchant sales terminals or ATMs, or by hacking into computers.

It also doesn’t help that the recent Target breach put millions upon millions of card numbers out in the open, giving hackers even more fraudulent cards to work with.

For those that’ve been hit by one of these attacks, federal insurance will kick in, but it’s a huge pain in the ass for everyone. So in a twisted sort of way, these ATM hackers are inevitably taking your tax dollars. That mobile payments revolution everyone keeps talking about can’t come soon enough, can it? [LAT]

** RELATED ARTICLE: 

Hackers Can Force ATMs to Spit Out Money With a Text Message

 

Direct Link:  http://gizmodo.com/atm-hackers-have-figured-out-how-to-withdraw-unlimited-1557714644