Cheap audio equipment makes ATM theft easier

ATM information theft is nothing new. Neither is the use of skimmers to gain access to the data. But it's a little surprising just how easy it has become to hack together the devices using audio equipment. The images above are samples of a skimmer for sale from an Eastern-European do-no-good. It is the magnetic stripe sniffer portion of the attack, which captures card data as an audio recording that is later turned back into the binary code that was read from the card. We're just speculating, but that looks an awful lot like the PCB from a pen recorder, something you can pick up for just a couple of bucks.

Of course this is used in conjunction with a camera to capture PIN data as the second part of the security protocol, but it really underscores the need for new ATM technology. Some skimmers don’t even require retrieval of the hardware, and you never know where the sketchy machines might pop up next.

[via Engadget and Slashdot]

Comments

  1. jcprojects says:

    So is it using the microphone to sense the card’s magnetic signature? I guess I could see that but not sure if it’s just the standard mic or not.

  2. BiOzZ says:

    wow they're getting smaller and smaller

    I don't use ATMs any more because of that big scare at defcon

  3. steven-x says:

    I followed some links off the main article, looks like crooks are getting smarter. At least some; most of the on-line ads for skimmers were scams to steal from would-be thieves (some poetic justice here). The scariest ones were the devices hidden inside gas pumps… there you have no indication anything was amiss. They did mention the most outlying pumps were the most targeted.

    Personally, I avoid ATMs, and use credit cards (more protection and no link to my account). Even my paypal account is linked to a small credit union account to prevent some black-hat hacker from draining my life savings.

    Some of these devices have wi-fi links or send test messages… maybe we need to hack up a simple RF sniffer to detect them.

  4. Addidis says:

    All you people who think stealing is ok as long as it steals from someone who might have been planning to steal are absolutely no better than those you complain about. Karma is a b#&@.

  5. davo1111 says:

    Addis – nobody said stealing is ok you spastic. The article is talking about the simple technology used by professional thieves to skim cards. Get your head out of your ass.

  6. Maave says:

    I thought of something like this just recently. I was thinking of using that mini spy microphone that HaD posted to send the data to a remote computer, where the data would later be decoded.

  7. Shaddack says:

    The thing on the picture is not an audio recorder, but a “spy pen” – a cheap videocamera with audio input. I got one and played around and here is a more detailed technical specification.
    http://shaddack.twibright.com/projects/reveng_spypen/

    It seems that in addition to using its guts, the perpetrators also boosted its internal battery with third-party Li-poly packs. Which is a prudent thing to do, as the record time is limited by the battery capacity (~2 hours), not by memory (~20 hours at 2GB model, IIRC).

  8. ejonesss says:

    i suspect that the technology in the digital electronics is rather low tech to where a simple loud sharp noise would be read as a 1 and lack of noise as a 0.

    so you the loud crack of dropping a pool ball on the pavement or the bang of a gun shot.

    so in theory i guess if you had a way to have your friends time guns firing or banging pool balls on the pavement you could emulate the binary string on the card.

    a way they could fix that problem is in the same security that garage door openers use.

    when the card is swiped the atm sends the data to the bank then the bank tells the atm to write a new string of data to the card so if the card is copied then the next use of the card voids out 1 card so no 2 or more working copies could exist.

    you do a transaction at the atm and the card gets written with a new code.

    the skimmers make a new card and if they are able to use that code before you do another purchase on the card it will roll again, so your card will no longer work, alerting you to a problem.

    you call up to find out what’s wrong and get a new card as a result of a stolen card being used.

  9. Addidis says:

    Learn to read davo

    “to steal from would-be thieves (some poetic justice here).” Posted at 10:05 am on Nov 26th, 2010 by steven-x

  10. Addidis says:

    Can't believe I'm gonna contribute to this lol, but @ejonesss,

    That being the case, wouldn't it be easier to use something like Propellerhead Reason, and lay out the binary in a synthesizer? I think this would be a little easier than throwing billiard balls, and give much better accuracy. Then just generate a wav or whatever audio file this uses, drop it in and you can generate credit card numbers. :P

  11. xorpunk says:

    put a bank or contract for challenge/response that can’t be dumped and has a decent protocol..it’s been working for all the non-TI RFID in car keys since the 80s..

    Mag stripe data is too easy to clone
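
The two mitigations proposed in comments 8 and 11, modelled side by side as an added example (not part of the original post and not any commenter's code): a stripe value the bank rolls on every accepted swipe, and a challenge/response in which the key never leaves the card. All class and function names, the 8-byte stripe value and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class RollingStripeBank:
    """Comment 8: the bank rewrites the stripe value on every accepted swipe."""
    def __init__(self):
        self.current = secrets.token_hex(8)      # value currently on the card

    def swipe(self, presented):
        if not hmac.compare_digest(presented, self.current):
            return None                          # stale value: reject and flag
        self.current = secrets.token_hex(8)      # roll; older copies are void
        return self.current                      # new value written to the card


def card_response(key, challenge):
    """Comment 11: the key stays in the card; only this response leaves it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ChallengeBank:
    def __init__(self, key):
        self._key, self._pending = key, None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)  # fresh for each transaction
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        good = card_response(self._key, self._pending)
        self._pending = None                     # a challenge is single-use
        return hmac.compare_digest(response, good)


def demo():
    bank = RollingStripeBank()
    copied = bank.current                        # constructed: what a copy holds
    bank.swipe(copied)                           # owner's next swipe rolls it
    stale_copy_accepted = bank.swipe(copied) is not None
    key = secrets.token_bytes(32)                # constructed per-card secret
    cbank = ChallengeBank(key)
    recorded = card_response(key, cbank.new_challenge())
    first_accepted = cbank.verify(recorded)
    cbank.new_challenge()
    replay_accepted = cbank.verify(recorded)     # old response, new challenge
    return stale_copy_accepted, first_accepted, replay_accepted
```

Under the rolling scheme a copy used before the owner's next swipe is still accepted once; the owner's card is then the stale one and gets rejected, which is the alert comment 8 describes. The challenge/response variant accepts no recorded response at all.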

  12. gottabethatguy says:

    Addidas, He never said stealing was ok, he stated that there was “some poetic justice here”.

    Go and google what poetic justice means and if you feel like still defending your statement I feel sorry for you.

  13. Till says:

    Aren’t those mics normally capacitive versions?
    Aren’t there 4 lanes of data in parallel?
    I don’t see this thing on the picture working at all for card cloning.
    I guess Shaddack is right – this is only the video PIN logger.
    The real skimmer is more sophisticated at the sensor level.

  14. Till says:

    P.S. checked wiki ;)
    3 lanes of data – one for backup at a different bit density and coding. Third lane is not standardized.

  15. xorpunk says:

    Ahh looks like a company already thought of my idea and it works to some degree, still need an embedded challenge response though: http://www.schneier.com/blog/archives/2009/12/magneprint_tech.html

  16. zeropointmodule says:

    yet another example of the adage “the criminal mind is always superior, it has to be”..

    you’d think that the banks would have added anti-tamper circuitry by now, which alerts the victim to the fact via a silent flashing warning on the screen..

    (fwiw i had the same problem with one of these cameras, the battery life was horrible for the intended application of a model helicopter cam)…

  17. Grovenstien says:

    CASH IS KING!
