Your ordinary bank robber can now steal hundreds of account numbers from ATMs without so much as lifting a finger. Instead, he skims.
Skimming is the physical use of secondary readers to capture the magnetic tracks on the backs of credit and debit cards. On ATMs, skimmers and secondary keypads are used to capture account numbers and PINs. Often, the ATM transaction goes through, and the customer doesn't realize that the account has been compromised until later.
Two risks these high-tech criminals face are being caught fitting a faux cover over an ordinary ATM card slot and keypad, then later retrieving the skimmers in order to get the account information.
With the arrest last week of "Chao," a Turkish ATM skimmer, comes new information on the lifestyles of modern bank robbers, including details on new devices that send captured account data via SMS to their smartphones.
For about $8,000, skimmers can have their own ATM overlay capable of transmitting 1,856 cards via SMS. Bulk pricing is available. And if they don't want the information sent card by card, they can dial into the device and download the data at their convenience.
You're probably saying, "wait, I'd notice the compromise." Not so fast. These guys are good. Very good. See the photos of a compromised ATM machine on Snopes.com. Or watch this video to see how ATM skimming with SMS was accomplished last year in Pennsylvania.
Skimming got its start in South Africa, and since 2004, there have been a handful of noteworthy cases in the United States, affecting ATMs in Seattle, San Francisco, Los Angeles, and Austin, Texas. Late last year, Citibank replaced debit cards for its Manhattan customers because of a skimming operation there.
Last February, during a presentation by Billy Rios and Nitesh Dhanjani at the Black Hat conference in Washington, I saw a photograph of a warehouse full of ATM card input overlays from one of the criminal enterprises they stumbled upon. You want black? They got black. You want beige? They have that. What about white or gray? Covered.
Industry standardization of ATM readers makes it easier for criminals to copy, so a bank robber needs only to match the look and style. A second photo showed boxes of keypad overlays. Large. Small. Again, you need only to match the look and style.
Once the account information is captured, the criminals tend to burn it onto blank magnetic stripe cards (ISO standard 7810), then use it at ATMs worldwide.
How are they able to fool so many people? In a blog on ZDNet, Dancho Danchev speculates that there might be some collusion with individuals working with ATM manufacturers. His blog is full of details from a site offering these overlays.
There is a downside to having the SMS service. As with a cell phone, the devices need batteries, which wear out. And some SMS transmissions simply fail. Still, if a criminal gets 1,500 bank account numbers, I don't think they're going to mind.
Recent e-mails stating that the U.S. has already attacked Iran and, in some cases, also offering links to a video purportedly from a soldier, are not to be believed, according to Websense. The security vendor said in an advisory Wednesday that it has linked the provocative e-mails to the Storm worm.
Storm got its name because it first took advantage of a huge winter storm in Northern Europe in early 2007. Since then, it has used a variety of social engineering tricks, including the use of political themes, to get unsuspecting users to open its malicious payload.
This time Storm is offering form.exe and iran_occupation.exe as executable payloads.
Acording to Dancho Danchev over at ZDNet, the latest iteration of Storm appears to be using the following domains:
- statenewsworld . com
- morenewsonline . com
- dailydotnews . com
- dotdailynews . com
- newsworldnow . com
A link from one of the Storm worm e-mails leads to this page.
(Credit: Websense)
Last weekend, several hundred Lithuanian Web sites were defaced with pro-Soviet and anti-Lithuanian slogans, according to The New York Times.
Last Friday, Lithuanian government sites were warned of an impending Web attack and mounted appropriate defenses. Several hundred commercial sites did not do so and over the weekend took the brunt of the attack. By Monday, most all of the sites had been restored.
As with last year's Estonian denial-of-service attacks, the new attacks appear to be in reaction to a law outlawing the display of Soviet symbols in Lithuania. Germany has similar laws outlawing the display of Nazi symbols.
Early evidence suggests a group of criminal hackers may have organized the attacks. The IPs used in the attacks appear to be from a variety of nations, but Reston, Va.-based iDefense told the Washington Post that one site, hack-war.ru, appeared to have organized the protest.
Over at our sister site ZDNet, Dancho Danchev examines whether the defacements could escalate into denial-of-service attacks, and concludes they might.
Meanwhile, in his blog, Brian Krebs speculates on nations or nationalistic parties within nations mounting or defending themselves against cyberattacks such as these in the future.
While Operation CyberStorm is intended to improve our ability to defend against a foreign cyberattack, the Air Force is talking openly about our ability to launch a preemptive attack in cyberspace.
In the May 2008 issue of Armed Forces Journal, Col. Charles W. Williamson III wrote that "America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack."
He argues, "The time for fortresses on the Internet also has passed, even though America has not recognized it. Now, the only consequence for an adversary who intrudes into or attacks our networks is to get kicked out--if we can find him and if he has not installed a hidden back door. That is not enough."
He concludes: "While America must harden itself in cyberspace, we cannot afford to let adversaries maneuver in that domain uncontested. The af.mil botnet brings the capability to help defeat an enemy attack or hit him before he hits our shores."
"Although it's hard to prove it," said Yuval Ben-Itzhak, CTO at Finjin, "I believe the cyberspace is already in use by various governments for intelligence purposes. The disclosure that the Air Force plans to have offensive cybertools should not surprise us since many systems rely on the Internet to operate/communicate." He added that someone will also need to make sure these systems can be protected when needed.
That's a sentiment echoed by Dancho Danchev, who offers some insight on ZDNet. Among his observations is that these systems can be spoofed or otherwise fooled. For example, attacks against the U.S. may appear to originate in a country that the enemy wants us to DDoS (perhaps for them).
Over on F-Secure, a poll of readers worldwide showed on Thursday that nearly 70 percent of the respondents feel the U.S. should not build its own offensive botnet.
- prev
- 1
- next
