ATM Security

Next Generation ATM Skimmers

I was over on identitytheft.info watching some video feeds when I came across this one. It’s worth taking a look at not because the technique for attaching Bad Things is all that different, but because of the hardware the Bad Thing is using.

Check out the hardware used: a modified cell phone (to call home with numbers? how convenient!) a camera and an SD card. It’s the hack of the cell phone I find the most interesting. Of course, they didn’t give us any details on that, but I would be interested to know how it was modified, wouldn’t you?

Although identitytheft.info is rather self-serving in its presentation (providing a variety of services to “victims”) they often have newsfeed videos that are very well done.

For instance, there’s another video that shows a keypad that can capture the pin (instead of a camera) as you type it in glued over the regular keypad.

They recommend notifying the bank if you discover a skimmer; I recommend notifying the police. They’ll take care of notifying the bank(s).

Pumping Gas and Losing Your Shirt

I hadn’t really thought about it, but it made perfect sense the first time I read about it: thieves are capturing credit card and debit card data at the gas pump.

Given that the pump is acting as a big cash register, it makes perfect sense that skimmers could be attached the same way they are attached to an ATM.

Thieves open the pump using a skeleton key and install skimming devices to cables leading to the card reader and PIN pad that pulls data from a card’s magnetic stripe and records the cardholder’s PIN. If the PIN pad encrypts the PIN at the pump, they can attach a miniature camera to record PINS as cardholders enter them.

And this is what is significant: you can’t see the skimmer on the pump because it is inside the pump. There’s no way to know if you’re paying for gas and a little fraud, too.

The skimmers steal credit card numbers, but thieves prefer debit cards because they mean quick cash at automated teller machines. They use the information to make fake cards and hit ATMs – some across the country from the originating theft – for $200 to $800 a pop.

The money is often gone before the debit card holder knows it, and it can take time to correct the problem. One recommendation is to use the Credit rather than Debit feature when filling your tank. Debits allow immediate access to cash and don’t require a signature, two other reasons they are more attractive to criminals.

Skimming has been ramping up starting last year due to the bad economy; thieves need to access cash rather than goods they can resell elsewhere.

Thieves can leave these skimmers attached to pumps for months before removing them—and collecting data from thousands of credit cards. Then, the thieves either sell the credit card information on the internet or they make fraudulent duplicate cards with victim’s account numbers and expiration dates.

In one case, thieves left the same skimmer attached to a single gas pump in Washington for eleven months. (Did no one see this thing???) Then they came back, retrieved the device and drained hundreds of bank accounts in a single weekend.

In May 2008, an investigation was opened into a case in San Jose California in which thieves stole more than $200,000 from 180 victims. Authorities estimate that between $1 million and $3.5 million has been stolen from victims of gas pump identity theft in five states over recent months.

Best advice: If you do want to use a credit or debit card at the gas station, go inside and make the purchase there. Inconvenient, but so is losing all the money in your checking account, or having to close your credit card account.

ATMs that just spit out money - Nice!

As you may know, one of my favorite posting topics has to do with ATMs. I call them Automatic Theft Machines because there are way too many stories of equipment being hacked, and/or swiping hardware being installed, or people just driving away with them.

Well, along comes a story about the progression of this issue: In Eastern Europe, the bad guys have perfected the art of getting the machine to spit out all its money on demand.

According to the article (linked above), authorities say there must be some sort of inside access to allow software to be installed. The articles claims that after unlocking the security, the inside equipment is quite vulnerable.

Hmmm, hard on the outside, yummy and soft on the inside….where have we heard that before? And something else interesting to note: many of the ATMs appear to be Diebolds; the same company that makes voting machines for us……and was implicated in another attack earlier this year, also in Eastern Europe.

The ATMs utilize a scaled down version of Windows XP, which actually doesn’t make me feel any better at all.