While waiting for part 2, I'm wondering if this is not a very dangerous thing to be investigating. Working in a foreign country with criminal organizations (though maybe less in tourist parts of Cancun) and actively and personally interfering with a presumably lucrative funding source of said organizations seems like a bad idea.
Is this just my US-centric view of the world saying this or is it really a questionable move if one values their personal safety?
Anyway this is very much the topic of more than one novel I'm sure and given he has survived to blog the tale I guess I can be less concerned about his welfare.
Yeah, this guy met with spammers who had a love-hate relationship with him, including open threats of murder. Unrelated but also hilarious: Eastern European hackers sending coke to his house to have him SWATted, not knowing he reads their forums and knew in advance.
For the former, read his book Spam Nation. It is a wonderful book from the beginning of his adventures into infosec journalism. I finished it in three days.
Is it dangerous? Absolutely. But consider: he is just checking and fixing ATM machines and notifying people of the hack; it's not like he is pointing fingers at anything more than "bought out" low-level technicians, and he is a relatively well-known American journalist. It is also a super touristy destination where all parties (legit, criminal and semi-criminal) make their money only contingent on it being known to be a "safe destination". Would a criminal enterprise benefit from harming him? Or would it be easier to wait, let him debug all the ATMs he wants, and then get a different model of bug and start again 1 month later with what is probably one of many revenue streams for whomever is in charge?
Mexico is a very dangerous place for journalists and becoming more dangerous every year, but even when we hear about Mexican journalists getting murdered, it's usually for pointing fingers much higher up than "ATM hackers" (the most famous recent case has to do with an investigation into a Governor's activities). One has to assume the threshold for causing an international incident is even higher. The people being busted here are "just" scammers, even if embedded within a larger criminal network.
p.s. My only qualification for answering this is having lived in Mexico. I claim no knowledge of criminal structures there other than what is known from general news and culture. I would not bet my own life on this analysis.
Sure. Just saying, there is risky and then there is risky. One wouldn't be all that safe doing this in Detroit either. I just think there are way scarier people out there for which "American Journalist found dead in an alley in Cancun" in the newspapers is not an acceptable mess to have to clean, not over something like this. Not that I would bet on it, though...
If you check his previous blog posts, you'll see that Brian Krebs spends a lot of time trying to find some pretty nasty individuals. Doing it in person, in a strange country probably causes some direct danger, but I'm pretty sure he's on some lists already.
yeah, I'm going to go with "he is making all of this up."
The only way I would have written a factual - as in, not blatantly made up - blog post like we just read (absent basically any mention whatsoever of personal danger) is if the whole thing really took place in Southeast China, oh, and in 1996, oh and it wasn't ATM machines it was vending machines - and it wasn't bluetooth it was FM radio. With literally every detail changed. Throw in a picture of a hotel in Mexico and you're good to go.
The alternative, that he is just making all of this up, seems just so much more plausible.
I've now also watched the video. I don't know - would Bluetooth signals from deep inside a machine - as you can see in the video, the Bluetooth transmitter is occluded by an entire printed circuit board - go all the way across the lobby to reach him? (as in the video)
Secondly, since it is SO innocuous to take out a cell phone in front of an ATM (I would have zero qualms doing this) to check, wouldn't this post have generated literally hundreds of comments from people checking an ATM and finding said signal? Nobody would mind doing that.
(By the way, I don't have an issue with the "laziness" of the solution he purportedly uncovered, i.e. transmitting a Bluetooth device signal with the default name, as it is not obvious how to make a transmitter turn on only in response to a signal from a commodity cell phone that has nothing incriminating on it. So technologically it seems to be okay to me.)
But the whole story doesn't really add up. Someone else here mentions that supposedly he regularly reads some spammer forum where they coordinated sending him cocaine in the mail and then SWATting his house. This just seems so incredibly unlikely to me - i.e. a fabrication. How many forums can one person read?
It just seems to be made up. (Unless he changed huge amounts of details to other, similar details). But that seems unlikely.
EDIT: Kindly respond to the point I raise below, if you disagree. How would a Bluetooth transmitter from inside a metal enclosure that is not designed to pass wireless signals be easily read from across a lobby? It's way out of range!
In the video, do you really expect him to be able to read the ATM from across the lobby (given your experience with Bluetooth, and as you can see earlier in the video, he shows the chip snuggled under a PCB, deep inside a metal enclosure)? I mean signal drops with the square of distance. Bluetooth has a basic range of "typically less than 10m" (32 feet), or quite a bit less than those machines seem to be, even though those machines were not designed to be good transmission enclosures. Take a look:
1: That
- that phone is picking up a commodity Bluetooth signal from the distance that we see, and
- the iPhone doesn't pick up said signal even if the iPhone is next to it.
Or:
2: That
- he has two Bluetooth transmitters near the phone he is using, and
- he mentioned that an iPhone doesn't work so that people aren't surprised when they can't reproduce it anywhere.
Also, notice that the original text includes NO reference to what is in Part 2, which makes me think he is writing it in such a way that he leaves part 2 open to addressing any concerns incredulous people might raise.
Most of the video is just still shots from sources you can see online. There's no recording of a meeting taking place. It just looks like some guy, with an over-the-top story and zero concern, whatsoever, for his safety.
If others here think my analysis is unwarranted, could you address the specific issues I raise?
EDIT: Please stop downvoting me without a response. If you address my specific concerns I'm happy to delete this comment.
You're getting downvoted because Brian has a long and storied history as a security researcher and consultant. He has very little to gain from making a story like this up, and quite a lot to lose. Also, if you really believed your arguments then why make them from a throwaway account?
Regarding your issue with metal enclosures, there are plenty of non-metal or thin-metal windows: the screen, for one.
I wish you had replied earlier (at least 9 people thought to downvote the comments before a reply.)
Why does he feel immune from Mexican violence? (i.e. please give me a plausible answer.) It seems absolutely rampant there, people are literally - no exaggeration - murdered there.
(Obviously the reason for a throwaway account is because I don't want to associate even two steps removed with violence in Mexico as well as, for example, the knee-jerk downvoting.)
Secondly, did you click the video? (I link a specific spot.) It's hard to judge due to the distance and the fisheye distortion, but how far do you think those two ATMs are? Why do you think an iPhone won't connect with them (even from much closer)? If the signal is weak, as opposed to being in the gadgetry next to him, then why do both Bluetooth connections show up instantly, as opposed to one after the other, given the huge distance?
I now realize he has a large established reputation - though I don't have time to review all of his past writing. It's too much to review it all.
I would like to know why he can pick up a weak Bluetooth transmitter from deep inside an ATM and under a massively attenuating circuit board, from far outside the nominal Bluetooth range - which are figures for a purpose-built transmission enclosure, not for being hidden under a circuit board and then put inside an ATM. It simply does not seem plausible to me, and I would like an answer. I've worked a little bit with wireless equipment (not much) and the video does not seem realistic to me.
Further: blatantly exposing a well-funded Mexican crime syndicate also does not seem in-character for anyone. What makes this guy so immune? Why are there no steps whatsoever to protect his identity, even while in Mexico? He reports a meeting with 6 employees (no photos included, including after blurring their faces), any one of whom could have reported his meddling to an associated syndicate before his stay was even over. Wasn't he scared?
These are specific objections I have, and I'm sorry I don't have time to review his entire reputation and history; Lance Armstrong had never once tested positive for PEDs while winning 7 Tour de France titles and having a good claim to being possibly the most-tested athlete on Earth; Bernie Madoff had been the Chairman - literally the Chairman - of the NASDAQ. Yes, the whole stock exchange. He also had an operation going back 30 years, was a preeminent community member and managed the endowments of several charities.
So please don't appeal to authority, and instead answer my two specific questions. Also, since his exposure, has anyone found such a transmitter themselves?
I find the technical facts he proposes to be entirely plausible.
There are three classes of Bluetooth(0). Since the module is hardwired into the PCB within the ATM, there are no power concerns, so Class 1 (100m range) would work just fine, and easily escape the partially metal confines of the ATM (as others mentioned, through the screen is one possible avenue).
There are no steps to protect his identity simply because the reputation he's built up for many years as an infosec journalist is that of a badass. You said you don't have time to review all his work; maybe if you did you'd be able to answer your own question on his motives for not hiding in the shadows or behind a mask (it's because this is his livelihood and reputation).
No appeal to authority, just the facts as I see them. Not sure what Lance has to do with this, but you seem to be grasping at straws.
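The range dispute in the comments above (the "way out of range" objection versus the Class 1 reply) comes down to a link budget, so here is a worked one. This is an added example, not code from the original post or from Krebs; the transmit powers are the nominal maxima per Bluetooth power class, the free-space path loss formula is the textbook Friis form, and the enclosure loss and phone receiver sensitivity are labelled assumptions that the reader should vary.

```python
"""Free-space link budget for a Bluetooth module hidden inside an ATM.

Added example, not from the original post. The only inputs the page gives
are "Class 1 = 100 m" and "typically less than 10 m"; everything else here
is a labelled assumption.
"""
import math

FREQ_MHZ = 2440.0  # middle of the 2.4 GHz ISM band that Bluetooth uses

# Nominal maximum transmit power per Bluetooth power class (Core spec figures).
TX_POWER_DBM = {1: 20.0, 2: 4.0, 3: 0.0}

# ASSUMPTIONS for the scenario in the thread, not measured values:
ENCLOSURE_LOSS_DB = 20.0   # PCB shadowing + partially metal ATM cabinet (guess)
GOOD_PHONE_SENS_DBM = -90.0  # typical modern handset receiver sensitivity
SPEC_MIN_SENS_DBM = -70.0    # worst case the Bluetooth spec still allows


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss in dB.

    FSPL = 20*log10(d_m) + 20*log10(f_MHz) - 27.55
    The 20*log10(d) term is the "inverse square" law from the thread expressed
    in dB: every doubling of distance costs 6 dB, every 10x costs 20 dB.
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(tx_class: int, distance_m: float,
                       enclosure_loss_db: float = 0.0) -> float:
    """Power arriving at the phone after path loss and enclosure attenuation."""
    return TX_POWER_DBM[tx_class] - fspl_db(distance_m) - enclosure_loss_db


def max_range_m(tx_class: int, sensitivity_dbm: float,
                enclosure_loss_db: float = 0.0) -> float:
    """Largest free-space distance at which the link still closes.

    Inverts fspl_db(): d = 10 ** ((P_tx - L_enc - S - 20*log10(f) + 27.55) / 20)
    """
    budget = TX_POWER_DBM[tx_class] - enclosure_loss_db - sensitivity_dbm
    return 10 ** ((budget - 20 * math.log10(FREQ_MHZ) + 27.55) / 20)


def link_closes(tx_class: int, distance_m: float, sensitivity_dbm: float,
                enclosure_loss_db: float = 0.0) -> bool:
    """True if the received power is at or above the receiver's sensitivity."""
    return received_power_dbm(tx_class, distance_m, enclosure_loss_db) >= sensitivity_dbm


if __name__ == "__main__":
    lobby = 30.0  # metres; assumed distance across the hotel lobby in the video
    for cls in (1, 2, 3):
        p = received_power_dbm(cls, lobby, ENCLOSURE_LOSS_DB)
        print(f"class {cls}: {p:6.1f} dBm at {lobby:.0f} m with "
              f"{ENCLOSURE_LOSS_DB:.0f} dB enclosure loss; "
              f"good phone hears it: {link_closes(cls, lobby, GOOD_PHONE_SENS_DBM, ENCLOSURE_LOSS_DB)}, "
              f"spec-minimum phone: {link_closes(cls, lobby, SPEC_MIN_SENS_DBM, ENCLOSURE_LOSS_DB)}")
    for sens in (GOOD_PHONE_SENS_DBM, SPEC_MIN_SENS_DBM):
        print(f"class 2 free-space reach into a {sens:.0f} dBm receiver through "
              f"{ENCLOSURE_LOSS_DB:.0f} dB: {max_range_m(2, sens, ENCLOSURE_LOSS_DB):.1f} m")
```

With these assumptions, even a Class 2 module (4 dBm) behind 20 dB of cabinet and PCB loss still delivers roughly -86 dBm at 30 m, which a sensitive handset will detect, while a receiver at the spec's -70 dBm floor loses it at around 5 m. So the "less than 10 m" figure and the "across the lobby" observation are both consistent: the determining factor is the scanning phone's receiver, not the module's class, which is also why two phones can disagree about the same skimmer. Free-space numbers are optimistic indoors, so treat the ranges as upper bounds.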
Well, they weren't that sophisticated if they left the bluetooth device transmitting. Pretty stupid if you ask me.
If it were me, I would have either:
1. Required a secret PIN to be entered in order to activate the Bluetooth.
2. Not used Bluetooth. For example, the nRF51822 chip (e.g. in this module [1]) allows you to implement your own radio protocols. You could make it impossible to detect - it could only respond when sent a secret code of some sort.
Criminals do not care for sophistication nor gimmicks. They use the easiest way to get what they want. This current method has probably worked very well for them, and if it was not for 'Krabs' maybe it would have continued for even longer. Hindsight is 20/20. I am sure the criminals are reading the blog post and looking for the next slightly better method just enough to evade discovery.
I in fact wonder about the criminals who've already thought of all this, are successfully avoiding anything like this detection and making their $$$. I hope not to fall prey to something like this, incredible just how many risks there are.
It sounds from the blog post like this skimming device is reading the electrical signal from the card reader, not reading the mag-stripe directly. So it's unclear how much this would help.
I would think chip and pin should mitigate this kind of card skimming though...
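Whether the skimmer taps the reader's electrical output or reads the stripe itself, what it ends up with is Track 2 data, and the service code inside that data is exactly what tells a terminal whether the card expects chip-and-PIN. The parser below is an added example, not code from the original post or from Krebs, and the sample track string is constructed around the well-known 4111111111111111 test PAN, not a real card.

```python
"""Decode an ISO 7813 Track 2 string of the kind a skimmer harvests.

Added example, not from the original post. Layout:
  ;PAN=YYMM SSS discretionary ? [LRC]
PAN up to 19 digits, '=' field separator, 4-digit expiry (YYMM),
3-digit service code, issuer discretionary data, '?' end sentinel.
"""
import re
from dataclasses import dataclass

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)

# Service code meanings (ISO 7813). Digit 1: interchange/technology, digit 2:
# authorization processing, digit 3: allowed services and PIN requirements.
SVC_DIGIT1 = {
    "1": "international interchange OK",
    "2": "international interchange, use chip (IC) where feasible",
    "5": "national interchange only",
    "6": "national interchange, use chip (IC) where feasible",
    "7": "no interchange except by bilateral agreement",
    "9": "test card",
}
SVC_DIGIT2 = {
    "0": "normal authorization",
    "2": "contact issuer online for authorization",
    "4": "contact issuer online except under bilateral agreement",
}
SVC_DIGIT3 = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, use PIN where feasible",
    "7": "goods and services only, use PIN where feasible",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; rejects most transcription/capture errors."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # "MM/YY"
    service_code: str
    discretionary: str
    chip_expected: bool  # service code 2xx or 6xx: terminal should prefer chip


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 string")
    pan = m["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    exp, svc = m["exp"], m["svc"]
    return Track2(pan, f"{exp[2:]}/{exp[:2]}", svc, m["disc"], svc[0] in "26")


def describe_service_code(svc: str) -> str:
    """Human-readable meaning of the three service code digits."""
    return "; ".join((
        SVC_DIGIT1.get(svc[0], "unknown"),
        SVC_DIGIT2.get(svc[1], "unknown"),
        SVC_DIGIT3.get(svc[2], "unknown"),
    ))


def mask_pan(pan: str) -> str:
    """Keep BIN and last four, as a log or report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # CONSTRUCTED sample: test PAN, expiry 12/25, service code 201.
    sample = ";4111111111111111=25122011234567890?"
    t = parse_track2(sample)
    print(mask_pan(t.pan), t.expiry, t.service_code, "chip expected:", t.chip_expected)
    print(describe_service_code(t.service_code))
```

The chip-and-PIN point in the comment above shows up in the `chip_expected` flag: a stripe clone made from this capture still carries service code 201, so a chip-capable terminal is supposed to insist on the chip rather than accept the swipe. The captured data therefore pays off mainly at magstripe-only ATMs and at terminals that allow fallback to the stripe, which is the gap the skimmer is exploiting.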