
Can’t Hack a Hacker: Reverse Engineering a Discovered ATM Skimmer - ProfDreamer
https://trustfoundry.net/reverse-engineering-a-discovered-atm-skimmer/
======
Spare_account
Just a minor point but it really weakened the article for me: The photo at the
beginning purporting to show a skimmer sitting in front of an ATM in fact
shows a standard ATM without a skimmer.

[https://www.flickr.com/photos/angusf/4450137156](https://www.flickr.com/photos/angusf/4450137156)

Then the 'keypad overlay' in the second image is just a photoshop of a keypad.

Fortunately, the rest of the article was interesting enough to outweigh these
issues. The best advice contained in the article, for me, was that interfering
with ATM skimmers and camera modules can result in direct intervention by the
criminals who may be watching nearby. The best strategy is to leave it alone
and alert the bank immediately.

~~~
dizzy3gg
I'd be cautious putting my card in that slot, but I've seen many legit
machines that look a bit ropey.

------
duaneb
Google cached copy:
[https://webcache.googleusercontent.com/search?q=cache:72ebLH...](https://webcache.googleusercontent.com/search?q=cache:72ebLHTY2bMJ:https://trustfoundry.net/reverse-engineering-a-discovered-atm-skimmer/+&cd=1&hl=en&ct=clnk&gl=us)

------
thesimon
Some banks over here (Europe) now let you block mag-stripe credit card
transactions. Actually sounds like a good way to prevent ATM fraud as long as
you are not visiting the US.

~~~
jevinskie
The whole situation in the US is silly. Some background: when a major iOS
version comes out, thanks to Apple not allowing downgrades (grrrrr...), my
company buys a new set of test devices for each major iOS version. When iOS 9
came out, I went to Walmart with my manager's company credit card to get some
iPods (cheapest iOS test devices).

The clerk asked me what I wanted and I said "5 iPods please". I would be
suspicious if anyone asked for that many iDevices. When they realized they
only had 3 iPods, I said I'd take those. When I went to check out, I asked
them to break up the transactions into < $500 chunks so as to not cause
additional oversight, they obliged.

This was the first time I had ever used a chip-enabled card. It was obvious to
the cashier, I was fumbling around with the card and had to ask how to operate
it. Finally, after I bought three iPods in two transactions with a card I had
obviously never used before, with the merchandise in a bag in hand, they ask
for the credit card and my ID to verify the name. Busted, I thought! But no,
after explaining that I was buying the devices on behalf of my boss (with no
proof of this) they let me go on my merry way. I was flabbergasted.

TLDR: If you have a stolen credit card and want to use it to buy expensive
electronics to fence, go to the Electronics department at the West Lafayette
Walmart. Chip and signature cards offer no improvement in security, even when
faced with at least five big red flags that indicate fraud.

~~~
duaneb
To be honest, all of the behavior you would have seen as fraudulent is pretty
typical in retail.

Furthermore, it's always been obvious that the chip'd cards provide no
improvement for online fraud.

It's a PR move to hide the fact that the banks and creditors rely so heavily
on transaction disputing to fend off fraud.

~~~
nickpsecurity
You're right. Lots of people split orders, probably one out of 4 or 5 fumble
for things, and quite a few buy for their company. The phone the person bought
was an iPhone rather than some weird one. Had the comment said i _Pods_ I'd
have expected a bit more skepticism from cashier.

Yet, a company sends someone to buy a set of mainstream phones split on two
transactions? Totally believable for a cashier and not as crazy as people's
grocery orders have gotten while I was in line. ;)

------
ck2
Wrapping in aluminum foil does not make a Faraday cage.

Don't believe me? Wrap your smartphone in foil and then call it.

Mine rang. Freaked me out when I discovered this.

It didn't ring when I put it in the freezer though.

~~~
jobvandervoort
Faraday cages do not block all signals. From wikipedia:

> A common misconception is that a Faraday cage provides full blockage or
> attenuation, this is not true. The reception or transmission of radio waves,
> a form of electromagnetic radiation, to or from an antenna within a Faraday
> cage is heavily attenuated or blocked by the cage. However, a Faraday cage
> has varied attenuation depending on wave form, frequency or distance from
> receiver. Near field High powered frequency transmissions like HF RFID are
> more likely to penetrate. Solid steel cages provide better attenuation over
> mesh cages.

~~~
ck2
You know those old school lead bags they used to use for carrying film through
airport x-ray scanners?

[https://www.google.com/search?q=lead+bag+for+film&gbv=1&prmd...](https://www.google.com/search?q=lead+bag+for+film&gbv=1&prmd=ivns&source=lnms&tbm=isch)

I wonder if that would be far better to almost completely kill a signal.

------
MrQuincle
Next step: put a tracking device in the skimmer to find out where their
headquarters are. :-)

------
mavhc
Instead of banks spending millions on fraud detection how about they invent a
system of moving money around that doesn't require you to give your username
and password to a 3rd party and hope they only remove the amount of money they
say they will?

~~~
kragen
Like some kind of cryptographically authenticated public pseudonymous ledger
maintained by a peer-to-peer network and constantly audited by millions of
participants? Aren't you afraid that would destroy civilization?

~~~
nickpsecurity
Funny reply but simpler: today's banks with basic changes in authentication
and limits on each party doing a charge in amount or timing. Would deal with
parent's concern. Maybe add whitelisting, too, if people just wanted to use
their main accounts for certain stores or bills. Just one extra transaction in
a traditional database with some simple COBOL. Not much work.

Note: Brian Krebs recommended the same thing as a barrier to ACH fraud where
the recipients were whitelisted with maybe in-person, strong-auth
registration.

------
SnaKeZ
Risky decision to take home the skimmer

~~~
mattdotc
Also, if you're not police, you shouldn't be taking evidence of a crime for
your own homebrew investigation. Call the cops and wait there until you see
them dismantle the skimmer if you're so concerned about others.

~~~
nickpsecurity
"Also, if you're not police, you shouldn't be taking evidence of a crime for
your own homebrew investigation."

This immediately jumped out at me. Most likely, you might get scolded or in
trouble for screwing up chain of evidence or something. In a rare scenario,
they might be watching the place with the skimmer there waiting for the perp
to show up. Not sure of the risk there.

There was debate on how to handle it on Krebs. I think one person's suggestion
of sending an anonymous tip about a skimmer to number on ATM was a good one.
Keeps you out of FBI's microscope, local thugs watching don't get you, no
convincing store clerks, and the skimmer gets taken care of somehow. Maybe
best idea.

------
kbart
It amazes me that cards with magstripe are still being issued. I have _never_
needed to use magnet instead of chip despite having traveled quite a bit. I
used to ask my bank to disable magstripe on my cards, but now they changed
this to the default option for all new cards.

~~~
dmd
I'm in Boston, and have yet to encounter a single reader that takes chips.
They have started having the slot lately, but it's always taped over or
there's a sign telling you not to use it. Or if you try to use it, the cashier
gives you a weird look and has no idea what you're doing and tells you to
swipe.

~~~
james-skemp
Madison WI. Gas stations (at the pump) and grocery stores are the only places
I go to that don't have or use the chips (taped over). I understand both have
extra time to roll out.

I assumed it had rolled out across most of the US at this point since most of
the smaller places had even implemented it.

~~~
surge
I've been told that card processors will get charged more going forward if
they don't implement the chips, or for non-chip transactions because of the
added risk involved. That should help speed up the transition or at least
activate it on those readers that have it.

~~~
throwaway7767
> I've been told that card processors will get charged more going forward if
> they don't implement the chips, or for non-chip transactions because of the
> added risk involved.

This is true. It's also weird, since really they should be charging less for
chip-and-pin, not more for magstripes. By moving to chip-and-pin they
immediately release themselves from the hook for card theft, moving the
liability to the card holder. The high transaction costs in card networks have
historically been defended as largely stemming from fraud costs. Yet, we're
expected to pay the same fees.

It's a good time to be in the card processing business.

------
userbinator
_The beeps correspond to actual keypresses, so you can’t fool the skimmer by
pretending to touch multiple keys._

The keys on ATMs I've used don't actually move much, so you could put several
fingers on the keys at once and press only slightly harder with the one you
intended. It might confuse any PIN pad overlays too, which by design have to
activate with less pressure than the real switches so as not to arouse any
more suspicion.

~~~
ck2
Or type a series of numbers, hit clear, enter real pin.

Though not too hard to realize last four are pin.

If the atm has a backspace instead of all clear, numbers, backspace one or
two, numbers.

Still, not the usual routine.

------
markdown
> Cover your PIN with your hand This will not protect you from PIN overlays,
> but it will hide your PIN from hidden cameras. Plus it’s so easy to do, why
> wouldn’t you?

Here in Fiji, ATMs have an opaque plastic guard over the keypad to keep the
pin out of view of a camera.

Kinda like this one but bigger: [http://thumbs.dreamstime.com/x/atm-keypad-22036137.jpg](http://thumbs.dreamstime.com/x/atm-keypad-22036137.jpg)

~~~
chatmasta
If you read the article, so did this ATM. Except it wasn't a guard... it was a
skimmer with a pinhole camera in it.

------
Pinatubo
He's worried about being shot by gang members for stealing the skimmer, and
then he posts this story with his picture?

~~~
stefs
"Kansas City Penetration Testing & Information Security"

they're probably back in the u.s. again. it's unlikely they'll send an
assassin overseas.

------
siluvatari
Please warn in tweet when you link to paywalls

~~~
Jaruzel
From the FAQ:

      In comments, it's ok to ask how to read an article and
      to help other users do so. But please don't post
      complaints about paywalls. Those are off topic.

------
nthcolumn
mupeng

------
coldcode
"Error establishing a database connection". Why does this still happen to
people in 2016?

~~~
josefresco
I get it but ... front page Hacker News is kind of a big deal, hosting is sold
very cheaply - sadly not everything scales.

~~~
colinbartlett
Even things that do scale, don't often scale automatically. If I spring for
Heroku to host my blog over GoDaddy, it's still going to go down the minute it
hits the front page of Hacker News.

