While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.
The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.
An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.
Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.
There aren’t too many details available about this hack, but we still thought it was interesting enough to share. YouTube user [Aussie50] seems to have figured out a way to install DOOM on an automated teller machine (ATM). Not only is the system running the software, it also appears that they are using the ATM’s built-in buttons to control the action in-game.
Many ATM’s today are simply computers that run a version of Windows, so one would assume it shouldn’t be too difficult to get an older game like DOOM running on the hardware. Towards the beginning of the video, you can quickly get a glimpse of what appears to be a default Windows XP background screen. You can see later in the video that [Aussie50] drops to what appears to be an MS-DOS command line. It stands to reason then that this particular model of ATM does run on Windows XP, but that [Aussie50] may have had to install MS-DOS emulation software such as DOSBOX as well.
At one point in the video, the camera man mentions they are using an I-PAC2. Some research will show you that this little PCB is designed to do USB keyboard emulation for arcade games. It looks like you can just hook up some simple momentary switches and the I-PAC2 will translate that into USB keyboard commands. It is therefore likely that [Aussie50] has hooked up the ATM’s buttons directly to this I-PAC2 board and bypassed the original button controller circuit altogether.
It is also mentioned in the video that [Aussie50] was able to get the receipt printer working. It would be interesting to somehow incorporate this into the DOOM game. Imagine receiving a receipt with your high score printed on it. This also gets us thinking about other possibilities of gaming on ATM hardware. Can you configure the game to require a deposit before being able to play? Can you configure it to dispense cash if you beat the high score? What if you modified the multiplayer deathmatch mode so all players must pay an entry fee and the winner takes all? What creative ideas can you come up with for gaming on ATM hardware? Continue reading “Playing DOOM on an ATM”
If there’s one thing Bitcoins can benefit from, it’s easier accessibility for first-time users. The process can be a bit daunting if you’re new to cryptocurrency, but [mayosmith] is developing an open Bitcoin ATM to help get coins in the hands of the masses. There are already some Bitcoin dispensers out there. The Lamassu is around 5k a pop, and then there’s always the option of low-tech Condom Vending Machine conversions.
[mayosmith’s] build is still in the proof-of-concept phase, but has some powerful functionality underway. The box is made from acrylic with a front plate of 12″x12″ aluminum sheet metal, held on by 2 aluminum angles and some bolts. Slots were carved out of the aluminum sheet for the thermal printer and for bill acceptor—the comments identify it as an Apex 7000. Inside is an Arduino with an SD Shield attached. Dollars inserted into the acceptor trigger the Arduino to spit out a previously-generated QR code for some coins via the thermal printer, though all values are pre-determined at the time of creation and stored sequentially on the SD card. Stick around for a quick video below, and check out the official page for more information: http://openbitcoinatm.org
Continue reading “Open Bitcoin ATM”
ATM information theft is nothing new. Neither is the use of skimmers to gain access to the data. But it’s a little surprising just how easy it has become to hack together the devices using audio equipment. The images above are samples of a skimmer for sale from an Eastern-European do-no-good. It is the magnetic stripe sniffer portion of the attack which captures card data as an audio recording. That is later turned into the binary code that was read from the card. We’re just speculating, but that looks an awful lot like the PCB from a pen recorder, something you can pick up for just a couple of bucks.
Of course this is used in conjunction with a camera to capture PIN data as the second part of the security protocol, but it really underscores the need for new ATM technology. Some skimmers don’t even require retrieval of the hardware, and you never know where the sketchy machines might pop up next.
[via Engadget and Slashdot]
A fake ATM machine, set to capture ATM information was found at Defcon 17 in vegas this year. Its design has a tinted plastic window at the top which attendees noticed had a computer in it. It was quickly removed by the police. Is this an amazing coincidence? We doubt it. Someone probably knew exactly who was going to be there and either wanted to scam some hackers or just wanted to have some fun.
When an unsuspecting person walks up to [Rob Ray’s] ATM machine, they are greeted with a surprise that doesn’t involve giving them their money. When they insert their card, the video above plays followed by a game where you control a beaver trying to save money during a recession. Surprisingly, people usually found it humorous and didn’t immediately freak out that their card was in a machine that wasn’t their ATM. His site has all kinds of pictures of various users as well as the construction of the project.
[via Wooster Collective]
You may want to be more careful where you put that ATM card. There are now ATM skimmers with SMS notification. ATM skimmers are placed over real ATM slots and the information off the cards as they’re inserted. The new models will send the skimmed information via SMS notifications to a phone that’s attached to a computer. This solves the problem of scammers needing to retrieve their skimmers without attracting the attention of police. ATM skimmer manufacturers have so far been really successful because of their commitment to security, from the paint they use to cover their skimmers to their exclusive clientele. The manufacturer of this particular model claims that none of their clients who’ve used this new ATM skimmer has been arrested, and they only accept business from “recommended” clients. We think it’s interesting and ironic how these criminals have adapted their security procedures to deal with institutions we wish were more secure.