Hackaday Links: June 27, 2021


When asked why he robbed banks, career criminal Willie Sutton is reported to have said, “Because that’s where the money is.” It turns out that a reporter made up the quote, but it’s a truism that offers by extension insight into why ATMs and point-of-sale terminals are such a fat target for criminals today. There’s something far more valuable to be taken from ATMs than cash, though — data, in the form of credit and debit card numbers. And taking a look at some of the hardware used by criminals to get this information reveals some pretty sophisticated engineering. We’d heard of ATM “skimmers” before, but never the related “shimmers” that are now popping up, at least according to this interesting article on Krebs.

While skimmers target the magnetic stripe on the back of a card, shimmers are aimed at reading the data from card chips instead. Shimmers are usually built on flex PCBs and are inserted into the card slot, where traces on the device make contact with the chip reader contacts. The article describes a sophisticated version of shimmer that steals power from the ATM itself, rather than requiring a separate battery. The shimmer sits inside the card slot, completely invisible to external inspection (sorry, Tom), and performs what amounts to man-in-the-middle attacks. Card numbers are either stored on the flash and read after the device is retrieved, or are read over a Bluetooth connection; PINs are stolen with the traditional hidden camera method. While we certainly don’t condone criminal behavior, sometimes you just can’t help but admire the ingenuity thieves apply to their craft.

In a bit of foreshadowing into how weird 2020 was going to be, back in January of that year we mentioned reports of swarms of mysterious UAVs moving in formation at night across the midwest United States. We never heard much else about this — attention shifted to other matters shortly thereafter — but now there are reports out of Arizona of a “super-drone” that can outrun law enforcement helicopters. The incidents allegedly occurred early this year, when a Border Patrol helicopter pilot reported almost colliding with a large unmanned aerial system (UAS) over Tucson, and then engaged it in a 70-mile chase at speeds over 100 knots. The chase was joined by a Tucson police helicopter, with the UAS reaching altitudes of 14,000 feet at one point. The pilots didn’t manage to get a good look at it, describing it only as having a single green light on its underside. The range on the drone was notable; the helicopter pilots hoped to exhaust its batteries and force it to land or return to base, but they themselves ran out of fuel long before the drone quit. We have to admit that we find it a little fishy that there’s apparently no photographic evidence to back this up, especially since law enforcement helicopters are fairly bristling with sensors, cameras, and spotlights.

When is a backup not a backup? Apparently, when it’s an iCloud backup. At least that’s the experience of one iCloud user, who uses a long Twitter thread to vent about the loss of many years of drawings, sketches, and assorted files. The user, Erin Sparling, admits their situation is an edge case — he had been using an iPad to make sketches for years, backing everything up to an iCloud account. When he erased the iPad to loan it to a family member for use during the pandemic, he thought he’d be able to restore the drawings from his backups, but alas, more than six months had passed before he purchased a new iPad. Apparently iCloud just up and deletes everything if you haven’t used the account in six months — ouch! We imagine that important little detail was somewhere in the EULA fine print, but while that’s not going to help Erin, it may help you.

And lest the Apple pitchfork crowd think that this is something only Cupertino could think up, know that some Western Digital external hard drive users are crying into their beer too, after a mass wiping of an unknown number of drives. The problem impacts users of the WD My Book Live storage devices, which are basically network attached storage (NAS) devices with a cloud-based interface. The data on these external drives is stored locally, but the cloud interface lets you configure the device and access the data from anywhere. You and apparently some random “threat actors”, as WD is calling them, who seem to have gotten into some devices and performed a factory reset. While we feel for the affected users, it is worth noting that WD dropped support for these devices in 2015; six years without patching makes a mighty stable codebase for attackers to work on. WD is recommending that users disconnect these devices from the internet ASAP, and while that seems like solid advice, we can think of like half a dozen other things that need to get done to secure the files that have accumulated on these things.

And finally, because we feel like we need a little palate cleanser after all that, we present this 3D-printed goat helmet for your approval. For whatever reason, the wee goat pictured was born with a hole in its skull, and some helpful humans decided to help the critter out with TPU headgear. Yes, the first picture looks like the helmet was poorly Photoshopped onto the goat, but scroll through the pics and you’ll see it’s really there. The goat looks resplendent in its new chapeau, and seems to be getting along fine in life so far. Here’s hoping that the hole in its skull fills in, but if it doesn’t, at least they can quickly print a new one as it grows.

 

24 thoughts on “Hackaday Links: June 27, 2021”

  1. “While we certainly don’t condone criminal behavior, sometimes you just can’t help but admire the ingenuity thieves apply to their craft.” Someone who can make wine in a prison toilet can do anything!

  2. Re skimmers: According to the article, the data is read out with a special chip card (the blue PCB) which authenticates itself to the skimming device via the special card number.

    1. That PCB does not appear to have any chips on it, I could be wrong. It is a ‘chip card’ only because it is shaped like an actual chip card and has contacts on it. I would call it a breakout board, or a contact board.

    2. Interesting article and a list of things hackaday readers can do to keep themselves financially safer:
      a) erase the mag stripe on chip cards
      b) use obfuscating techniques when inputting your PIN – I use touch typing instead of one finger.
      c) For wireless cards, cut the antenna, the chip still works fine.
      d) If you do get defrauded, keep links to all these stories, so when the bank says “it’s secure, we won’t refund” you have a dossier of stuff to come back at them with.

      1. My tinfoil hat theory is that more secure tech benefits banks more than consumers, by giving them more excuses and shifting more of the responsibility to the user.

        Cryptocurrency is worst of all as it shifts 100% of the responsibility.

  3. “While we certainly don’t condone criminal behavior, sometimes you just can’t help but admire the ingenuity thieves apply to their craft.”

    Admire the waste.

    As for the super-drone the drug cartels would have the money and reason to attempt something like this.

      1. Fake drugs are not more illegal than real ones so legality is not a reason for whether they are sold or not. I’m pretty sure that the market is already flooded with such stuff, and it doesn’t appear to be stopping anything.

    1. With the current non-border situation, they really have no reason to spend the money. They are also making more moving people than they are from moving drugs.

  4. My question is on the ATMs how is it possible to get one of these data skimmers into a machine. It seems to me the people that have access to the inside of it are guilty. How else could anyone manage to get a card reading device in the slot that is barely big enough to get a card into? As far as the key pad, it’s the same, I fail to see how a device would be able to be installed over the real key pad and not be noticed. As far as the camera behind and above the access to the terminal, the perpetrator would still have to have the card in order to have access to any accounts.

    1. You underestimate how thin these devices can get. And there’s plenty of seams and ridges on unmodified ATM fascias, the photo in the article literally shows the keypad overlay matching an existing seam exactly.

  5. That super-drone story is cool as hell. How would you get power for that long and that much usage? Some sort of tiny onboard generator? I’m imagining something like one of the gas-powered engines for RC planes driving an electric motor as a generator. Would that even be good enough? I wish there were more details.

  6. “When is a backup not a backup? Apparently, when it’s an iCloud backup.”

    “..while that’s not going to help Erin, it may help you.”

    I can help myself by not using someone else’s cloud, but it is a shame that this is more difficult for non-technical users. Hopefully one day something like FreedomBox will be easy enough for regular people to use.

  7. Man, it looks to me like Brian Krebs is getting old. Is that a new banner pic on his site? (I type this while looking at myself in the screen reflection while thinking how old I look today – insert sad face).
