Periscope ATM Skimmers

"Periscope skimmers" are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning they're impossible to notice.

They've been found in the US.

Posted on September 19, 2016 at 6:16 AM • 35 Comments

Comments

CouchSeptember 19, 2016 10:40 AM

@sofa @editor

"They're being found", as "they've been found" suggests the red menace has been vanquished. This threat is present and continuous.

John MacdonaldSeptember 19, 2016 11:27 AM

@Couch In what way does it suggest that the menace has been vanquished? Finding some instances is only the first small step to vanquishing. It remains to be determined how many there really are (aside from the few that have been found), how many groups are planting the devices, and how to stop their deployment from continuing to occur.

My InfoSeptember 19, 2016 1:12 PM

They don't even need physical access to install "skimmers" at the bank ATMs. That's just a distraction. They infect the desktop M$ PCs of bank employees with malicious software, and they use this to gain administative access to the ATMs. Then they send "mules" or "runners" to collect the cash at prearranged times and dates.

Who?September 19, 2016 1:13 PM

What I fear the most on NSA firmware implants is that it remains undetected on our computers, just like the periscope skimmers. It is difficult fighting something you cannot see.

Yeah, right.September 19, 2016 2:37 PM

@Who?

Don't worry, they pinky swear not to abuse it unless you're a really really bad person... you know.. like a terrorist, or a non-american, or a congressperson, or living abroad, or a drug trafficker, or someone's girlfriend, or a tax evader, or a researcher, or an activist, or a political opponent, or a judge... etc etc etc...

You have nothing to hide, so you have nothing to fear, right?

Yeah, right.September 19, 2016 3:22 PM

... or a pedophile, or a muslim, or a black, or some crazy person who believes in "privacy", or any religious nut, or an atheist, or anyone who dares not to talk to a cop, or anyone who is not one of the "elite"... or anyone who is one of the "elite"...

Did I miss anyone? Sorry. You too. Yep. It's all very "targeted" you see.

rSeptember 19, 2016 3:39 PM

@Yeah, right.

Or someone on their way back from a casino or a private poker game, maybe your grandmother hit big on bingo this week. Uncle Scam has all five of his compound eyes on you, you and you.

Maybe that's why everyone is pulling their pants up with Apple etc, next it'll be your husband or your wife - maybe your mother or father. We all know how unamerican the eagles club's are for selling beer and liquore but euchre games. Maybe the VFW halls are next, anyone up for a friendly game of cat and mouse?

Yeah, right.September 19, 2016 4:01 PM

@r Exactly.

Every American commits 3 felonies per day. There's just so many ridiculous laws on the books that no upstanding moral person realizes they are committing one felony after another all day every day.

So add that to a world where there's omniscient surveillance by some evil overlords that see and know everything, and there will be nothing but 100% terror everywhere all the time. Because nobody is safe.

Privacy creates security. Lack of privacy creates insecurity and terror. There are hard times ahead before everyone learns this. Remind me why we bothered to fight in WWII? We have met the enemy and he is us.

'Murica!September 19, 2016 4:09 PM

Major grocery chain, PC on customer-facing counter to clock in, UID & PW is "time" and "clock". Office computer, PW is "qwerty". Branch of major US bank, teller YELLS out across bank, "What's the password again?", manager YELLS back, "1234". And they're all using Win-DOHs.

All together now: "HOW COULD THIS HAPPEN????"

I wouldn't use an ATM or bank online if you put a flamethrower to my head.

Yeah, right.September 19, 2016 4:11 PM

In case anyone thinks "but we're the good guys, not evil overlords"... consider the saying "power corrupts, absolute power corrupts absolutely"... In plain English:

Moral Person + Absolute Power = Evil Overlord

This is a natural law of nature.

65535September 19, 2016 6:22 PM

@ Clive Robinson
‘1, "Energy-Gap all systems" that store or process privileged, non-disclosable, confidential or other information…’

‘2, "Paper, paper, never data" for all communications --including voice-- that involve privileged, non-disclosable, confidential or other information that could lead to legal sanction be it criminal or otherwise.’

I have been thinking all weekend about your solution to my lawyer customers and I don’t see any clear cut solution.

The energy gap method could be done with considerable effort. But, if you are talking about setting up a room with a TEMPEST style security including, copper plates in walls, baffles on HVAC filtering or blocking all electrical outlets [say using battery power only by some unusual method], sound proofing the walls and so forth – that will be hard for lawyers who rent office space.

If by chance a renter would incorporate such a room in a rental building the additions to the TEMPEST room transfer to the building owner under law – of which could be far too expensive for a profit oriented business.

I like the idea about using paper. That would involve type writers… but, that would also involve copying machines and possibly word processors which have their leaking points. But, eventually pdf forms from court rooms and even the DOJ have to be filled out – pdf documents are now mostly server side and are a leaking point to the public. This would mean going to the web and downloading said legal forms or searching online using Lexisnexis, Findlaw, or other internet communication – breaking the paper only rule.

Worse, a lot of lawyers use mobile phones where their conversation could easily be monitored by police with “Stingray” scanners or Federal aircraft with DIRT boxes flying above. There is some evidence that Stingray type devices are trickling down to private security firms and Private Investigator which could cause the electronic equivalent of a “Black bag Jobs” only with private parties.

“…unless you "personaly courier it" yourself you will not know if the document package has been "intercepted" and copied.” – Clive

That is a huge concern because of the DHS and USPS use of the "mail cover act" where they copy all the covers of all mail items – and could open said items if need be.

Then there is the USA’s Boarder exception rule which can open anything at boarders and international airports [the USPS does using major airlines for mail service which is a part of being a commercial airline]. This is a sure interception point.

“…your "legal customers" have to make a "risk-judgment" decision on how they run their business and it boils down to my old meme of "Efficiency -v- Security"…” – Clive

You are correct that legal customers would have a risk judgment to make. It is possible to make concentric rings of security where the most important item is handled in the center and the least important at the outer DMZ’s.

There is probably a tiered method using a risk judgment to do what you suggest. But, I have not figured it out for actual viable business use.

I think some privacy legislation is in order. I don’t how they will be implement – if at all.

Lastly, is the current “pressure cooker bomber” in the news. This will be politically be spun like an out of balance washing machine - rippling and encouraging even more government digital surveillance by the government.

Jim NSeptember 19, 2016 6:54 PM

"Obviously, there's no security without physical security."

Dragnets of video surveillance cams have quickly creeped up most urban locales and others over past several years. It's easy to under estimate what high resolution video and adequate computing power can do. I think it's the most effective crime fighter we have today (not limited to computer crimes) besides neigherhood watchers.

Jim NSeptember 19, 2016 6:59 PM

@ Murica

"All together now: "HOW COULD THIS HAPPEN????""

I think it has to do with device fingerprinting at all levels and sometimes blackboxed, making password-yelling less of a security threat.

SimonSeptember 20, 2016 12:01 AM

My bank in Australia (CBA) has introduced a cardless cash system which nullifies attacks like this. It generates a code in their mobile app, and sends a 4 digit pin via sms, both numbers are unique for the transaction making them secure even on a compromised ATM.

Clive RobinsonSeptember 20, 2016 2:49 AM

@ Simon,

It generates a code in their mobile app, and sends a 4 digit pin via sms, both numbers are unique for the transaction making them secure even on a compromised ATM.

But not if the phone is compromised, which is ever more likely.

Further it's a good deal less likely to get police investigation time when --not if-- it happens. Because the crime would be on your phone not the ATM thus your dollar loss is small for that single theft than on an ATM where it could be hundreds of thefts for just one ATM compromise.

It's also a good trick by the banks, because they have also "externalized the risk". It would be very easy for them to say "it's your fault your phone got owned" and in many parts of the world that's enough for them to disown liability.

Clive RobinsonSeptember 20, 2016 3:13 AM

@ All,

Does anybody know who called it a "Periscope" skimmer? And more importantly why?

It's very misleading as a name, as it's function is quite unlike that of a Periscope[1]. Althoug still incorrect "microscope" would have been a better fit.

[1] The etymology of "periscope" is a typical English Victorion "mashup" from the Greek "peri" meaning around about or beyond (vicinity), and the Latin "scopium", from earlier Greek skopein "to look at" (examine).

ab praeceptisSeptember 20, 2016 3:30 AM

Clive Robinson

Your response is very generous. I stopped reading when a "4 digit pin" was mentioned. More proof isn't needed to support your suspicion that the real goal is risk externalization.

CallMeLateForSupperSeptember 20, 2016 12:15 PM

@Clive @All

"Periscope" here is inappropriate and misleading. Understanding that a periscope is an optical device, my brain sifted, sorted and crunched the article with the expectation that it would ultimately understand how the assumed optical device scoops up card data. But the periscope is not optical, of course; it is electrical. One better word to describe this thing is "probe". In fact, B.K. did employ "probe" several times, but I think the article would have benefitted from explaining at the outset that the "periscope" is an electronic probe, and not using "periscope" thereafter.

All that said, I think the probe does, in profile, somewhat resemble a submarine periscope.

RatioSeptember 20, 2016 9:11 PM

@Clive Robinson,

The etymology of "periscope" is a typical English Victorion "mashup" from the Greek "peri" meaning around about or beyond (vicinity), and the Latin "scopium", from earlier Greek skopein "to look at" (examine).

Both parts of "periscope" have Greek roots and the combination follows the same pattern as e.g. "telescope" and "microscope" from early 17th century Italy. How is that a typical English Victorian mashup?

Clive RobinsonSeptember 21, 2016 3:17 AM

@ Ratio,

How is that a typical English Victorian mashup?

There are two periods in pre twentieth century England where the number of words "invented" had peeks of interest. The first was via William Shakespeare, the second the Victorian age of enlightenment that gave us science and engineering as we practice them in this day and age. The number of new words easily doubled or trippled the number of words used depending on your social status / class (look up fissog / fizzog which came about from Physiognomy, and also see "phlematic").

One recognizable trait of many of the words invented in the Victorian era for science and engineering, was to fuse two or more words together from Greek and Latin as they were taught at that time (thus giving a class distinction jargon, that George Orwell later explored in his works such as "1984").

However as you note languages have roots in other languages, that build with association over time. "Modern Latin" --as taught at the time" had gained from several older languages including Greek. English it's self for instance has many "French" words, often where the meaning has changed (look up the french for left and right for instance).

As for the periscope, the modern take on it being to do with submarines, is coincidental. The original use was for an instrument in a tower where the hight and long focal length gave the ability to survey the suroundings in a way that was not possible at ground level with it's limited horizon. What is not clear is which came first the periscope or what we now would call the half periscope camera obscura which was a "dark chamber" at the top of a large tower where an image is projected down onto a white table. Certainly the pin-hole camera obscura had been used to observe the sun prior to the use of lenses.

TRXSeptember 21, 2016 7:20 AM

> I wouldn't use an ATM or bank online

I don't have an ATM card or debit card, and declined to set up a login to access my account via the net.

Back when they went to "electronic processing" by EFT instead of handling paper checks, I went down to my bank and had a long talk with their IT people and a senior VP. Their concept of "security" basically came down to "but that would never happen!"

I left enough money in the account to keep it open in case I want to write a check. And the account gives me money orders for "free", which I used to pay bills. Everything else, I use cash.

RatioSeptember 22, 2016 12:48 AM

@Clive Robinson,

Any evidence for your theory that the number of words "invented" in England had notable peaks in the eras of Shakespeare and Queen Victoria?

Fizzog (from physiognomy, as you say) is an "invention" on the level of bruv (from brother plus correct pronunciation), don't you think? As for phlegmatic, that's no more than a minuscule Germanic spelling adjustment to a French word of Greek origin.

English it's self for instance has many "French" words, often where the meaning has changed (look up the french for left and right for instance).
Words for left and right in various European languages have had (additional) meanings like those of the English gauche and adroit since at least the Latin sinister and dexter.

Clive RobinsonSeptember 22, 2016 11:52 AM

@ Ratio,

Any evidence for your theory that the number of words "invented" in England had notable peaks in the eras of Shakespeare and Queen Victoria?

Only that which fairly well known lexicographers have stated on broadcast programmes in the UK. As there are several that have done this including those who work on the OED I'm prepared to believe them unless others question or come up with evidence.

If the subject grabs you that much I guess you can go and find pro/con evidence of your own.

As for the Victorian era, it was a time when the likes of older UK Universities eased off the requirment for being ordained to be a fellow. And the likes of "natural philosophy" became what we now call both science and engineering, and displaced much in the way of artisanal craft. One such actually became mandated by law (steam boiler design) and the first of what we might call "health and safety legislation" came to pass.

As with all new fields of endevor they develop their own domain specific lexicon sometimes by repurposing an existing term (entropy in information theory being a modern example) or by inventing new words (look up what "diabetes mellitus" actually means). The Victorian "genteel scholars" from their grammar school and above education and preparing for the Cambridge Tripos etc were well versed in both Greek and Latin. Thus opted to do the fashionable "German thing" and concatenate words. Often this was a Greek word followed by a Latin word. Hence the domain specific lexicon we would call jargon. Such an expansion of fields of enquiry would quite naturally give an increase in new words, so I've no reason to question that it gave a peak in the Victorian era.

room 404September 23, 2016 12:36 AM

krebsonsecurity.com had a record DDoS attack launched against it and is down. Perhaps someone didn't like the blog, hired a teenager's botnet. They may have just rolled out a whole stack of ATM skimmers and are not happy ATM.

I haven't looked for any cached versions of the blog. Maybe some other article wasn't too popular. What ever it was, it generated one heck of a lot of bad requests in response. Compromised routers, webcams and other devices from all over the world have been infected with someone's botnet and the owners are completely oblivious to the fact their equipment was being used for malicious purposes, including largest recorded DDoS and there wasn't any reflection or amplification used to achieve it.

RatioSeptember 23, 2016 3:47 AM

@Clive Robinson,

[Evidence?] Only that which fairly well known lexicographers have stated on broadcast programmes in the UK. As there are several that have done this including those who work on the OED I'm prepared to believe them unless others question or come up with evidence.

Do you happen to have any pointers? I haven't been able to find anything.

If the subject grabs you that much I guess you can go and find pro/con evidence of your own.

Well, yeah, that's what I ended up doing. The OED's Aspects of English was quite informative, especially English in time.

First Shakespeare. Early modern English – an overview should mention him given the period it covers. And so it does: passages from both King Lear and Julius Caesar are quoted. But when it comes to neologisms (see Vocabulary expansion), Shakespeare is nowhere to be found. Sir Thomas Elyot does get a mention. Odd, that.

Another page perhaps? Let's see...

According to the OED‘s record, the number of words ‘available’ to speakers of English more than doubled between 1500 and 1650. Many of the new words were borrowed into English from the Latin or Greek of the Renaissance (for example, hypotenuse), or from the far-off countries visited by travelers and traders (e.g. pangolin), and must have seemed hard to understand to many of the population.

And Shakespeare? Nowhere to be found. Very odd.

Oh, well. Let's see if an overview of nineteenth-century English can save the Victorian era. There's even a section on new words. Here are the origins of the scientific words:

  • anaesthesia: coined by Oliver Wendell Holmes Sr., USA
  • anaesthetics: from anaesthesia
  • chloroform: from French chloroforme, coined by chemist Jean-Baptiste Dumas
  • stethoscope: from French stéthoscope, named by inventor René Laennec
  • appendicitis: US? ("Americanism")
  • conjunctivitis: ?
  • bronchitis: coined by Charles Badham, UK
  • biology: from Swedish biologi, first used by Carl Linnaeus
  • climatology: ?
  • ethnology: from Latin ethnologia, coined by Adam František Kollár from Hungary

Is this the fabled Victorian peak of English mash-ups? I'm sorry, but I can't find any evidence whatsoever for your claims.

As an aside, Breaking the code is a short post on the overlap between lexicography and cryptography.

Clive RobinsonSeptember 23, 2016 5:52 AM

@ Ratio,

First Shakespeare

He was one of the most recognisable of word smiths. His art in words came about due to a significant change shortly after the time of Chaucer when the use of vowles changed in what became known as "The Great Vowel Shift". As far as the written word is concerned it reached it's hights in the Shakespear / Elisabeth 1st era. And shakespear is credited with a great deal of it. Whilst we know he definitely invented many words, some of which still survive, it was the introduction of sonets that he took to heart and used the new vowel sounds to give shape to. Whilst the works of Chaucer are all but unreadable by a modern eye, the works of Shakespeare appear only slightly stilted.

Have a look at this,

http://www.thehistoryofenglish.com/history_early_modern.html

It was the second in the first page of the first Google search I made so took me less than a minute to find...

As I previously indicated you need to do your own searches colate what you find then see what supports, what does not support and those that neglect to mention either way and formulate your own thoughts on the subject.

TJSeptember 23, 2016 7:03 AM

No I beg to differ. These require insiders(ever seen the sensor networks for ATM enclosure security?). This is just as stealthy if not more stealthy and is out there being used in the wild. No insiders needed.

Pyton HarkerzSeptember 25, 2016 10:27 AM

ATM HACK: Do you know you can HACK any ATM Machine?!!!

We have a specially programmed ATM Card that can be use to hack ATM Machines, the ATM cards can be used to withdraw at the ATM or swipe at stores and POS. We sell this cards to all our customers and interested buyers worldwide, the card has a daily withdrawal limit of $5000 on ATM and up to $50,000 spending limit on in stores. And also if you in need of any other Cyber hack services, We are here for you anytime any day.

The prices are negotiable and include the shipping fees and charges, order now!

Here is our price lists for the ATM CARDS:
BALANCE - PRICE
$10,000 - $650
$20,000 - $1200
$35,000 - $1900
$50,000 - $2700
$100,000 - $5200

Contact us via:
Email Address: pytonwizards@cyberservices.com

Mobile number:
+1 518-480-2281 (Text & Viber Only)

Python Hackers.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.