I have a confession to make: ever since the first time I read about them online, I’ve been desperate to find an ATM skimmer in the wild. It’s the same kind of morbid curiosity that keeps us from turning away from a car accident, you don’t want to be witness to anyone getting hurt, but there’s still that desire to see the potential for danger up close. While admittedly my interest is largely selfish (I already know on which shelf I would display it), there would still be tangible benefits to the community should an ATM skimmer cross my path. Obviously I would remove it from the machine and prevent others from falling prey to it, and the inevitable teardown would make interesting content for the good readers of Hackaday. It’s a win for everyone, surely fate should be on my side in this quest.
So when my fingers brushed against that unmistakable knobby feel of 3D printed plastic as I went to insert my card at a local ATM, my heart skipped a beat. After all these years, my dream had come true. Nobody should ever be so excited about potentially being a victim of fraud, but there I was, grinning like an idiot in the farmer’s market. Like any hunter I quickly snapped a picture of my quarry for posterity, and then attempted to free it from the host machine.
But things did not go as expected. I spend most of my free time writing blog posts for Hackaday, so it’s safe to say that physical strength is not an attribute I possess in great quantity, but even still it seemed odd I couldn’t get the skimmer detached. I yanked it in every direction, tried to spin it, did everything short of kicking it; but absolutely no movement. In fact, I noticed that when pulling on the skimmer the whole face plate of the ATM bulged out a bit. I realized this thing wasn’t just glued onto the machine, it must have actually been installed inside of it.
I was heartbroken to leave my prize behind, but at the very least I would be able to alert the responsible party. The contact info for the ATM’s owner was written on the machine, so I emailed them the picture as well as all the relevant information in hopes that they could come check the machine out before anyone got ripped off.
Continue reading “When a Skimmer Isn’t a Skimmer”
While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.
The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.
An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.
Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.
There aren’t too many details available about this hack, but we still thought it was interesting enough to share. YouTube user [Aussie50] seems to have figured out a way to install DOOM on an automated teller machine (ATM). Not only is the system running the software, it also appears that they are using the ATM’s built-in buttons to control the action in-game.
Many ATM’s today are simply computers that run a version of Windows, so one would assume it shouldn’t be too difficult to get an older game like DOOM running on the hardware. Towards the beginning of the video, you can quickly get a glimpse of what appears to be a default Windows XP background screen. You can see later in the video that [Aussie50] drops to what appears to be an MS-DOS command line. It stands to reason then that this particular model of ATM does run on Windows XP, but that [Aussie50] may have had to install MS-DOS emulation software such as DOSBOX as well.
At one point in the video, the camera man mentions they are using an I-PAC2. Some research will show you that this little PCB is designed to do USB keyboard emulation for arcade games. It looks like you can just hook up some simple momentary switches and the I-PAC2 will translate that into USB keyboard commands. It is therefore likely that [Aussie50] has hooked up the ATM’s buttons directly to this I-PAC2 board and bypassed the original button controller circuit altogether.
It is also mentioned in the video that [Aussie50] was able to get the receipt printer working. It would be interesting to somehow incorporate this into the DOOM game. Imagine receiving a receipt with your high score printed on it. This also gets us thinking about other possibilities of gaming on ATM hardware. Can you configure the game to require a deposit before being able to play? Can you configure it to dispense cash if you beat the high score? What if you modified the multiplayer deathmatch mode so all players must pay an entry fee and the winner takes all? What creative ideas can you come up with for gaming on ATM hardware? Continue reading “Playing DOOM on an ATM”
If there’s one thing Bitcoins can benefit from, it’s easier accessibility for first-time users. The process can be a bit daunting if you’re new to cryptocurrency, but [mayosmith] is developing an open Bitcoin ATM to help get coins in the hands of the masses. There are already some Bitcoin dispensers out there. The Lamassu is around 5k a pop, and then there’s always the option of low-tech Condom Vending Machine conversions.
[mayosmith’s] build is still in the proof-of-concept phase, but has some powerful functionality underway. The box is made from acrylic with a front plate of 12″x12″ aluminum sheet metal, held on by 2 aluminum angles and some bolts. Slots were carved out of the aluminum sheet for the thermal printer and for bill acceptor—the comments identify it as an Apex 7000. Inside is an Arduino with an SD Shield attached. Dollars inserted into the acceptor trigger the Arduino to spit out a previously-generated QR code for some coins via the thermal printer, though all values are pre-determined at the time of creation and stored sequentially on the SD card. Stick around for a quick video below, and check out the official page for more information: http://openbitcoinatm.org
Continue reading “Open Bitcoin ATM”
ATM information theft is nothing new. Neither is the use of skimmers to gain access to the data. But it’s a little surprising just how easy it has become to hack together the devices using audio equipment. The images above are samples of a skimmer for sale from an Eastern-European do-no-good. It is the magnetic stripe sniffer portion of the attack which captures card data as an audio recording. That is later turned into the binary code that was read from the card. We’re just speculating, but that looks an awful lot like the PCB from a pen recorder, something you can pick up for just a couple of bucks.
Of course this is used in conjunction with a camera to capture PIN data as the second part of the security protocol, but it really underscores the need for new ATM technology. Some skimmers don’t even require retrieval of the hardware, and you never know where the sketchy machines might pop up next.
[via Engadget and Slashdot]
A fake ATM machine, set to capture ATM information was found at Defcon 17 in vegas this year. Its design has a tinted plastic window at the top which attendees noticed had a computer in it. It was quickly removed by the police. Is this an amazing coincidence? We doubt it. Someone probably knew exactly who was going to be there and either wanted to scam some hackers or just wanted to have some fun.
When an unsuspecting person walks up to [Rob Ray’s] ATM machine, they are greeted with a surprise that doesn’t involve giving them their money. When they insert their card, the video above plays followed by a game where you control a beaver trying to save money during a recession. Surprisingly, people usually found it humorous and didn’t immediately freak out that their card was in a machine that wasn’t their ATM. His site has all kinds of pictures of various users as well as the construction of the project.
[via Wooster Collective]