October 9, 2008 4:37 PM PDT

High-tech bank robbers phone it in

by Robert Vamosi

Your ordinary bank robber can now steal hundreds of account numbers from ATMs without so much as lifting a finger. Instead, he skims.

Skimming is the physical use of secondary readers to capture the magnetic tracks on the backs of credit and debit cards. On ATMs, skimmers and secondary keypads are used to capture account numbers and PINs. Often, the ATM transaction goes through, and the customer doesn't realize that the account has been compromised until later.

These high-tech criminals face two risks: being caught fitting a faux cover over an ordinary ATM card slot and keypad, and being caught later retrieving the skimmers in order to get the account information.

With the arrest last week of "Chao," a Turkish ATM skimmer, comes new information on the lifestyles of modern bank robbers, including details on new devices that send captured account data via SMS to their smartphones.

For about $8,000, skimmers can have their own ATM overlay capable of transmitting 1,856 cards via SMS. Bulk pricing is available. And if they don't want the information sent card by card, they can dial into the device and download the data at their convenience.

You're probably saying, "Wait, I'd notice the compromise." Not so fast. These guys are good. Very good. See the photos of a compromised ATM on Snopes.com. Or watch this video to see how ATM skimming with SMS was accomplished last year in Pennsylvania.

Skimming got its start in South Africa, and since 2004, there have been a handful of noteworthy cases in the United States, affecting ATMs in Seattle, San Francisco, Los Angeles, and Austin, Texas. Late last year, Citibank replaced debit cards for its Manhattan customers because of a skimming operation there.

Last February, during a presentation by Billy Rios and Nitesh Dhanjani at the Black Hat conference in Washington, I saw a photograph of a warehouse full of ATM card input overlays from one of the criminal enterprises they stumbled upon. You want black? They got black. You want beige? They have that. What about white or gray? Covered.

Industry standardization of ATM readers makes it easier for criminals to copy, so a bank robber needs only to match the look and style. A second photo showed boxes of keypad overlays. Large. Small. Again, you need only to match the look and style.

Once the account information is captured, the criminals tend to burn it onto blank magnetic stripe cards (ISO standard 7810), then use it at ATMs worldwide.

How are they able to fool so many people? In a blog on ZDNet, Dancho Danchev speculates that there might be some collusion with individuals working with ATM manufacturers. His blog is full of details from a site offering these overlays.

There is a downside to having the SMS service. As with a cell phone, the devices need batteries, which wear out. And some SMS transmissions simply fail. Still, if a criminal gets 1,500 bank account numbers, I don't think they're going to mind.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Michichael October 9, 2008 5:36 PM PDT
Scary stuff. It's shocking to see what some hackers can do nowadays. I've seen hacks that exploit vulnerabilities in nVidia motherboards to change BIOS settings - including overclocking and voltage in some nTune capable boards. Long and short of it, a hacker could theoretically overvolt your memory, processor, whatever, and destroy physical components of one's computer.
by rdidit October 9, 2008 6:23 PM PDT
Clever, these thieves, and the bleeding heart liberals criminal prosecutions bleat leniency. I say the guilty go to jail forever.
by The_Decider October 24, 2008 4:29 PM PDT
I say that straw man abusers should go to jail forever.
by JaquesLenoir October 10, 2008 2:08 AM PDT
Hello!!! Still using magnetic cards where the rest of the world is using the "Smart Cards". Just got what you deserve for using such obsolete technology.

F.
by patch991 October 10, 2008 8:14 AM PDT
A$$!
by The_Decider October 24, 2008 4:28 PM PDT
Yeah, because it is harder to get information off of a smart card.

Oh wait, it is just as easy.
by davidsmi October 10, 2008 6:16 AM PDT
WOW - Canada is very advanced - our criminals have been doing this for years!

I guess the cost of the loss is less than the cost of smart cards - hard to believe!!!
by Maarek Stele October 10, 2008 8:39 AM PDT
Only use your bank. Almost ALL places use credit/debit cards.

I always test the system with my AAA card which will open any ATM door because they only require a magnetic strip. Now I've used MY ATM many times and all the branches have the same machine. If it's different I DON'T USE IT.

It's that simple.

This isn't scary, it's common sense.

I've seen scammers put up signs saying "swipe to clean your card" when it's actually a recorder. It's just COMMON sense people.

If you're not sure, then you're right and DON'T use it!
by shinycars October 14, 2008 1:20 PM PDT
We need to use an INDIVIDUAL FINGERPRINT for all ATM, CC or Debit Card transactions -- Problem Solved. This is already being done in parts of Europe. It costs $ to implement it and I've heard the American banks and CC's don't want to pay it. But....an extra $850 Billion showed up recently. Seriously this is the simple and effective answer to all this fraud, ID theft, etc.
by The_Decider October 24, 2008 4:31 PM PDT
Fingerprint scanners are not foolproof. There are ways of using the fingerprint of the person who used it before you.

Fingerprints get digitized that means it can be spoofed.

Biometrics is a false security blanket.
by lolumadkid December 9, 2008 10:33 AM PST
Credit card companies aren't wasting their money because they know that the 'Smart Cards' are just as easily spoofed as the regular cards. They're not stupid and neither are criminals.

You can introduce a card with finger print recognition, voice recognition, retina recognition, full 3D body scan of the card holder and GPS tracking and you STILL won't stop skimming. The only thing that can be done to stop skimming is to stop using credit cards and debit cards and carry huge wads of cash around. But if this happened there would be about 200 million muggings per day where people get physically injured. So that's why debit and credit cards are still around. If they were any harder to use no one would use them and they wouldn't be convenient.

You CANNOT stop skimming just like you cannot stop hacking. The more technology you add to a card the easier it is for a criminal to alter.

You've all heard of that 'Credit Monitoring' or that Anti-Identity theft commercial where the guy had his real SSN number on a big truck driving through town so confident that it would work.

That company has now had a lot of complaints of false advertising because the clients STILL had their information stolen and money stolen.

You cannot stop it.

Like I said, credit card companies and banks both know this. They can introduce whatever they want to new ATMs but they know all they'll be doing is satisfying the customers' 'peace of mind', but won't do much because it won't stop the crime.

That is all.