Buy Your Own ATM Skimmer for $3000

I have no idea if this is real. If I had to guess, I would say no.

Posted on December 10, 2012 at 5:56 AM • 22 Comments

Comments

ramriotDecember 10, 2012 6:57 AM

I think you would be right, the going rate for a those would be much lower. At that price you would on average only break even.

williamDecember 10, 2012 7:42 AM

I have looked at the pictures. This devise will work, if you order it. That is how it skims $3000.00

wiredogDecember 10, 2012 7:55 AM

Off topic security fail of the day:
As part of the job search I logged on to Dice for the first time in a couple of years to update the resume. As part of that I changed my password.

Suddenly I couldn't log in anymore. So I went through the change process. Still couldn't log in. Contacted tech support. They reset the password, I logged in and changed ti to a more secure one. Then I couldn't log back in.

Contacted tech support again and got the following email:


Are you changing it to a password longer than 12 characters? If so 12 is the maximum and that could be causing your problem.

Clive RobinsonDecember 10, 2012 8:32 AM

@ Bruce,

I have no idea if this is real

The electronics in a MagStripe skimmer are releativly cheap you only need a "barber pole" MR sensor and a trivial op-amp CCTV to generate a waveform you could put into a PIC or similer microcontroler.

However you can by from a Company called Swann in Australia a 2.4GHz micro CCTV camera (either colour or low light / near IR) for less than 50USD which also has a sound channel.

So rather than use an OP-Amp circuit with MR sensor use something like an NE555 timer in an audiio oscillator mode where the frequency is controled by the resistance of the MR sensor and just put that into the 2.4GHz camera audio input.

That takes care of the ATM end electronics at the other end you use a 2.4GHz video receiver one of which comes withthe camera in the 50USD price. You then need some kind of solid state video recorder which you can pick up for 100USD with a good record time (some SD cards are doing upwards of an hour/GByte for nearly static video image.

However the electronics is the easy bit, the hard bit is making the appropriate realistic case and squeasing batteries with sufficient capacity into it.

Now there are a number of ways you can do this, one is to use "dental impression" gum (used for making "moulds" for crowns and dentures) which you can buy in most arts and crafts shops to make a cast in five or ten minutes tops. Making either drawings or another mold is then fairly trivial for somebody with "modelling" skills for "model railways OO/OH/N guages" or thoose "War craft" and other action figures. And there are plenty of people who will take appropriate cad drawings and pop them through a 3d printer no questions asked for fairly trivial amounts of money (50USD or less). I also know of several companies who will etch or laser cut thin brass sheet or cast Whites metal or acrylic again for fairly trivial amounts. I've used such organisations frequently when making custom housings for surveillance equipment using near IR cameras and two or four channel audio.

So 3000USD is definatly on the high side, if you consider the usual manufacturing 10:1 mark up.

That said I was usually charging in excess of 7500USD for short turn around custom cased surveillance equipment.

MikeDecember 10, 2012 8:32 AM

Another Off topic security fail of the day:
I tried to register for Monster.com to look at jobs and upload my resume. I couldn't register because according to them, my zip code didn't exist. I live in the US and no, the zip code is not new. I have been in the same zip code for 12 years. I sent them an email over a week ago..no response.

jahDecember 10, 2012 9:18 AM

Clive,

Please try to improve your grammar, spelling and use of punctuation: if you really must post long, rambling, disjointed comments then at least make some attempt, I beg you, at readability.

Bruce,

I wonder if you might consider changing the layout of comments so that the commenter's name appears above their comment.

nonDecember 10, 2012 10:28 AM

@william

I think you beat me to the same conclusion.

The seller of these devices doesn't need to use them out on the street, he just needs to sell a few.

Bill StewartDecember 10, 2012 11:33 AM

As with the Nigerian 419 scam, this has the advantage that the victim can't go to the police and complain about being ripped off while trying to buy an illegal device. Theoretically the seller could also try to blackmail the buyer, but probably wouldn't bother - that takes real work, and this is an "easier to scam a crook than do real work scamming bank users" crime, and it's too likely that the buyer would be using fake credentials as well (such as a stolen credit card.)

FigureitoutDecember 10, 2012 12:14 PM

Maybe enter a bunch of random key presses before and give a skimmer sh*t data, that may even make them think something's wrong w/ their skimmer. Or just go inside to your bank like the old days and have some human-human interaction.

nikDecember 10, 2012 1:00 PM

Clive, Please try to improve your grammar, spelling and use of punctuation: if you really must post long, rambling, disjointed comments then at least make some attempt, I beg you, at readability.


I disagree, I have read pretty much all of the post and never had any problem with either. In fact, I'm focussing on the content and grammar / typos don't even register.

Maybe It's beacuse my typing is horrendouns.



Bruce,
I wonder if you might consider changing the layout of comments so that the commenter's name appears above their comment.


That I like a lot. +1

mooDecember 11, 2012 1:11 AM

@jah:

Who cares if the occasional word is misspelled? Clive's posts are always interesting, and pedantry doesn't really add anything to the discussion.

SpellucciDecember 11, 2012 6:01 AM

@Clive, don't change a thing. I learn from your every post. Especially the spellings: it reminds me that my spellchecker is quietly watching everything I type.

Clive RobinsonDecember 11, 2012 1:40 PM

@ Spellucci,

Especially the spellings: it reminds me that my spellchecker is quietly watching everything I type

You have just given me a horrible idea...

The way most spell checkers work is to compare what you are typing to what is in effect a file of words.

Now it would seem appropriate for the spell checker to work at a low level and also be privileged to see the raw key strokes.

However the actuall file would not ordinarily be privileged in any way, it would be a general file open to most processes for reading.

This means that unless carefully written (which it almost certainly won't be) the spell checker could leak information about what is being typed by the user through it's access to the common file.

All that is needed for a covert channel to exist is for another unprivileged process to be somehow capable (say via the cache or other shared memory) of determaning what words are being looked up...

I'll have a think on it for a few days.

DavidDecember 11, 2012 3:44 PM

@ wiredog

Another off topic security of the day...

At one of my banks, their page to update one's password allowed up to 20 characters. What they didn't tell you is that they only used the first 12 characters. I only found out because I had trouble logging into the bank from my iPhone. The web page only passed the first 12 characters, whereas the iPhone passed all 20 characters (and therefore the login failed when I used my iPhone).

And worse, it still acts the same today, even though I have pointed out the problem over two years ago.

ianDecember 11, 2012 8:22 PM

@jah:

Sorry, but that is clueless. @Clive is IMHO the most brilliantly insightful and experienced commentator here.

KeithDecember 12, 2012 3:35 AM

@ Clive.
think this kind of attack would be even easier on a smart phones predictive text. With Spell Checker you are watching what it looks at.
On the Smart phone you only have to give the user a reason to pick your add-on keyboard and we in keylogger heaven!

bobDecember 12, 2012 8:44 AM

Re: jah's "Please try to improve your..."

Yeah Clive, sod the content - I want it prettier!

Also Bruce, please spend some time making this blog prettier. I know it'll cut into your interesting work but who cares about that, eh?

Clive RobinsonDecember 12, 2012 9:56 AM

@ Keith,

@ Clive think this kind of attack would be even easier on a smart phones predictive text.

Yup.

Now the 64,000 cent question, how long before either of these get reported in the wild?

I give it max of two years min of three months and I'm favouriing the short end of the range.

Maybe we should get Bruce to organise a "sweepstake".

Clive RobinsonApril 5, 2013 1:09 PM

@ Bruce / Moderator

I sugest you remove the above post #c1261778.

This is not just because the product being advertised would be illegal to use for the advertised purpose but also as the product has no other reasonable use it's sale can only be made as part of aiding and abetting / commisioning a crime which carries fairly stiff penalties in the UK.

But worse as I've pointed out in the past the cost of making such low grade skimming devices is paltry, even paying overblown high street shop prices the parts and the tools required to "roll your own" is less than 1/20th of the prices being asked for. So the person involved is not jusst aiding and abetting but also taking significant and unjustified pecunary advantage in selling a product that is almost certainly not allowed (ie no CE approvals) to be sold on the "Open Market" (which is a crime with a 5000GBP fine per item).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.