While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.
The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.
An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.
Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.
“[Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad.” Brian Krebs would be proud.
I’m not sure I’d call Matt the rightful owner of the skimmer, but it’s probably doing the world more good in his hands than on the face of the ATM, so I’ll approve anyway.
Well presuming the installers of the skimmer didn’t leave contact information and probably won’t come claim it from a lost and found, I think it’s safe to call it “abandoned”.
There is an old saying, a man who steals from thieves does not steal.
Just don’t steal from the Mafia (any Mafia, Russian, Japanese, Colombian, Sicilian…) B^)
You should tell the local police. . . should, I’d keep it too exactly for these purposes. better in his hands than police who’ll shrug and bin it
the scammers probably just try to steal the card after the mark leaves the cubicle. then have a different person get the video with the pin
Because Shodan. They don’t want everyone to steal the data they are stealing…just one out of 1000 people.
If ip is accessible over internet – 100%. Thanks to advances in computing you can now scan whole internet in under an hour.
shodan isn’t sh1t of all devices. good encryption will solve 99% of shodan crap. That said battery life with even a bulk GSM or 3g upload will cripple it when you can have a crack mug rip it back off for you. P.S got a good connection with a reasonable packet limit? you can scan 1000 ports on all IP’s in under a week, screw the dan of sho
SHODAN’s not some magic tyrannical AI that can get passed any password. IP cameras aren’t instantly vulnerable. Just don’t use the default password and you’re for the better part dandy.
Much higher power usage then a cam that logs directly to an SD card. 11gb of data to be transmitted wirelessly is a lot of power.
zigbee does not have the bandwidth to transmit video of any resolution or size.
because you need to stay local. they dump these on 30 machines across the city, then leave them for 24 hours and then collect.
they dont want to hang around 1 machine and get caught
They want to keep them as cheap as possible for a situation like this where someone swipes their hardware.
@Annie, spending stolen money you have isn’t any different than spending not stolen money that you have.
The pic of the actual device would make a much better image Brain.
its possible this particular ATM had a card reader skimmer attached to it but the card reader skimmer is now gone (e.g. removed by the crooks at some point without removing the hidden camera, removed by the bank/by the cops, removed by someone else who found it randomly)
One thing I have seen from some banks that I really like (e.g. the Commonwealth Bank here in Australia) is the ability to withdraw money without using your card. You go to the mobile banking app on your phone and access the feature which then gives you one code on your device screen and another code sent to you via SMS. Then you activate the “cardless cash” feature on the ATM and input both codes and you get money without ever inserting your card so no risk of card/pin number skimming.
No security problems since the codes are one-time-use-only and are only valid for a short period of time (and people using the feature are likely to do it when they are near the ATM) so there is no risk if an attacker somehow steals the codes as they get input into the ATM and there is very little risk even if a hacker is able to steal the codes somehow before they get used.
Oh and the feature is protected by the same internet baking security as everything else which means any attacker who can get into the internet baking app and use the feature can just as easily use a direct bank transfer to transfer the funds out to another account and not need to actually go to an ATM to do it)
This is pretty clever, wish my bank would do these sort of things
The rumors are that big banks here in the US are working on Apple/Android pay integration with ATMs rather than adding chip readers. That’s a step in the right direction. I boldly predict that by the time my child has children that those kids will get credit cards without a magnetic stripe on the back at all.
In europe, a lot of cards already lost their magnetic strip…
we use a chip…. (not swipable, but still skimmable by introducing a stealth chip reader) however: copying the card is near impossible
Maybe I wouldn’t touch a skimmer. I’d fear to be pummeled by the crooks who installed it and would like to have it back…
Or a police officer/bank employee happen to arrive at that exact moment. Being caught taking the skimmers might not be great. A best practice if you’re not planning to reverse engineer the hardware would be to call the bank right there from the ATM if possible. That way you aren’t caught taking it, and the crook won’t come recover it when you go for assistance.
The good news is that bank ATMs are under video surveillance. When they review the footage, they’ll hopefully notice that you aren’t the same guy that stuck it on there in the first place.
Not really, they may work in gangs so a different person may pick it up. Maybe even pay a homeless guy to pick it up , bank employees may have noticed it and are waiting for the crooks to grab it.
This /\ i agree
If I suspected a device that didn’t belong there, I’m not touching it. Call the cops or the bank. Last thing I want is someone claiming that I’m part of the problem. I’ve never seen a skimmer but the bank once sent me a new card because an ATM at a 7/11 was ‘compromised’.
Talking about this i wonder if it’s a good idea to publish his teardown on his own blog with his full name…
I wouldn’t have touched this thing, just call the bank or maybe the police.
Agreed. This was my first thought. I’d hate to backpedal my way out of getting caught with that in a foreign country.
I’d do what he did and show it being dragged out and waved about unlike an organisation that’ll pocket it right after if you watch the video on link. Then you get to break funny hardware apart. If you informed the police they’d just write up a paragraph and bin it
Pummelled…!
Is this an Enid Blyton story from the Famous Five? (!)
Seriously, are people using cash anymore?
But on a more sincere note, magstripe cards are way to weak. Here (Scandinavia) chip has been required for many years, and last year they even stopped having magstripe on cards as default (though you can still get one if you need it). EMV rollout in some parts of the world has gone at a glacial pace (yes, I’m looking at you America!) and has been a serious hinderance for updating payment cards to new and more secure technologies.
Which might be the explanation why he saw no card reader, they were content with getting the pin, the card would be “acquired” through other means.
Tell ICA chips are required my prepay card has just a mag stripe.
>Seriously, are people using cash anymore?
Using a paycard (what’s the right word?) produces a lot of data. If you worry about NSA and other criminals cash is a really god thing…
I’d say more than half the places I eat at are cash only. There’s a better profit margin on cash.
Cash is easier to use when the power goes out. I used to carry less than 50 bucks at a time but on February the power was out for a week! Otherwise, I do use bank card for most everything except some stores that I don’t trust. I do wonder if someday the bank network or internet fails and the more complex systems will not work. So, cash on hand just in case.
Air-conditioned booth without surveillance camera, ATM without surveillance camera, bank that doesn’t give a shit about their users being robbed … pretty place that Indonesia.
Do you need need blank atm card with pin? that can help you withdraw Cash at any program atm machine, pay bills, shop online, pay bills via POS? here is your chance to rob the government and become rich.
Email: atmmachine75@gmail.com or whatsapp on +2349055948786 for more info
Yeah, seems legit…
The last few comments are clearly generated by bots.
Ian “ATM card by name, ATM card by nature”, how could you not trust him?
i just want to share my experience with everyone. I have being hearing about this blank ATM card for a while and i never really paid any interest to it because of my doubts. Until one day i discovered a hacking guy called Barry Ben. he is really good at what he is doing. Back to the point, I inquired about The Blank ATM Card. If it works or even Exist. he told me
Yes and that its a card programmed for random money withdraws without being noticed and can also be used for free on-line purchases of any kind. This was shocking and i still had my doubts. Then i gave it a try and asked for the card and agreed to their terms and conditions. Hoping and praying it was not a scam. 3 days later i received my card and tried with the closest ATM machine close to me, It worked like magic. I was able to withdraw up to $11000. i also used it on-line and it was a success, i am very happy i can now put food on my family table and also pay my bills too. For those of you out there who needs financial stability, blank or creaked atm card is what you need, blank ATM has really change my life, try it and see things for yourself, If you want to contact them, Here is the email address crackedatmcards@gmail.com .
My name is Gary jones i’m here to testify about Mr.Harry hacker ATM Blank Card. I was very poor before and have no job.I saw so many testimony about how Harry send them the ATM blank card and use it to collect money in any ATM machine and become rich. I email him also and he sent me the blank card. I have use it to get 700.000 dollars. withdraw the maximum of $ 5000 daily. Harry is giving out the card just to help the poor. Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (harrylee62@live.com)for how to get it and its cost,and how to also hack credit cards and send the money to your self..
I got my already programmed blanked ATM card to withdraw the maximum of $50,000 daily for a maximum of 20 days. I am so happy about this because i got mine last week and I have used it to get $100,000. Mr Stanley is giving out the card just to help the poor and needy though it is illegal but it is something nice and he is not like other scam pretending to have the blank ATM cards. And no one gets caught when using the card. get yours TODAY. contact him via phone Number (+13152903241) or e-mail him via
(atmhacker131@gmail.com)
Don’t fall into the hands of scams trying to get the blank ATM card on the internet. I came across so many comments of a blank ATM card worth’s millions, thus i doubted all this but there was this comment made by George corminal including his email for confirmation regarding the card. I contacted George and he told me everything and how he programs the card. immediately i contacted the email address he gave me, {georgecorminal1512.com}. Few hours later i got a response and was told all the processing which i agreed willing to see the end. Three days later i received an email regarding my tracking number to my parcel and before i knew it, the CARD was delivered by the FedEx courier service. I did not believe all this even when i was holding the ATM card, until i was able to withdraw the $5,000.00 he told me i can withdrew per day. Today i am a company owner with so many other properties, all thanks to George corminal. I took time to make this comment to avoid anyone falling into the hands of scam, so i advice you never to contact any other ATM card seller expect this very man because he is for real. Contact him today via email: georgecorminal1512.com
How the blank ATM card experience changed my whole life.
Hi, i am Ryan Gregory, from Jacksonville FL, USA. I am announcing this amazing testimonial on this blog, about how the blank ATM card experience changed my whole life. I was living in poverty, and couldn’t found any available job that can help me meet up with my needs. Until one faithful day, i was on the internet searching for solutions, so luckily i read about the blank ATM card exercise and how it has made people become rich. I contacted the email address i attached to the testimonial of some beneficiaries and here i am today, all thanks to Global Tech Hackers Team Incorporation world wide for helping me with a blank ATM Card. Now all my financial worries are over. All you need to do is send a message to the email address provided: blankatmcardservices@hotmail.com
Thank you everyone for this wonderful time to share with you. God Bless!
testimony of my life
Good day everyone, i am here to testify about how i
got a real and working blank ATM card from a good
hacker on the internet, i was very poor before and i
have been unemployed since 2010, i came across a
post on the internet concerning the blank ATM card
and i decided to give it a try,i agreed to the terms and
conditions to receive the card.
it worked like magic when i received this card and i
was able to withdraw 5000$ daily with this card, i have
a car of my own now and i have gotten a house too.
if you need a real blank ATM card, contact this good
hacker on her email marianclarkatm@gmail.com
i post this here because i know you can also be
favored by this testimony.
thanks
this blank atm card is tested and trusted and i am a
living witness to this blank atm card because it helped
me solve all my financial problems
contact this email to apply for one card and put it to
test
Email marianclarkatm@gmail.com
Thanks.
I got my already programmed and blanked ATM card to
withdraw the maximum of $50,000 daily for a maximum of 20
days. I am so happy about this because i got mine last week
and I have used it to get $100,000. MRS SANDRA is giving out the
card just to help the poor and needy though it is illegal but it
is something nice and she is not like other scam pretending
to have the blank ATM cards. And no one gets caught when
using the card. get yours from her. Just send her an email
On atmmachine88@gmail.com
One evening, i was reading a blog of how so many people got this blank card online when i was trying to search for a new job, but it didn’t seem clear to me so i ignored. Three days later, i was so surprised to see a comment by my cousin on how he got the blank card worth Millions of Dollars and without hesitation i gave him a call to come over to the house to tell me more about the card and he told me that its a miracle that i needed to per-take. He gave me the email address of the hackers and i contact them for the card and they responded and told me all the procedures and terms of the card which was also what my cousin told me, i agreed and completed their requirement to get the card. Four days later, i heard knock on my door an behold was the courier agent who brought the parcel to my house and today i am $17,Millionaire richer and i thank God to this hackers and to my cousin brother who lead me to them. It might sounds odd but you can get yours via email:{Johnsonwhitefirm@yahoo.com}