ATM Eavesdropping Attack
I’m amazed that ATMs still don’t have basic communications security measures. One fraudster inserted a recording device into the ATM’s phone line and recorded customer card numbers and PINs.
It’s easy to skim personal information off an RFID credit card.
From The New York Times:
They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. ‘Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?’ Mr. Heydt-Benjamin, a graduate student, asked.
And from The Register:
The attack uses off-the-shelf radio and card reader equipment that could cost as little as $150. Although the attack fails to yield verification codes normally needed to make online purchases, it would still be potentially possible for crooks to use the data to order goods and services from online stores that don’t request this information.
Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.
And from the RFID Journal:
I don’t think the exposing of potential vulnerabilities of these cards is a huge black eye for the credit-card industry or for the RFID industry. Millions of people won’t suddenly have their credit-card numbers exposed to thieves the way they do when someone hacks a bank’s database or an employee loses a laptop with the card numbers on it. But it is likely that these vulnerabilities will need to be addressed as the technology becomes more mature and criminals start figuring out ways to abuse it.
CEO arrested for stealing the identities of his employees:
Terrence D. Chalk, 44, of White Plains was arraigned in federal court in White Plains, along with his nephew, Damon T. Chalk, 35, after an FBI investigation turned up the curious lending and spending habits. The pair are charged with submitting some $1 million worth of credit applications using the names and personal information—names, addresses and social security numbers—of some of Compulinx’s 50 employees. According to federal prosecutors, the employees’ information was used without their knowledge; the Chalks falsely represented to the lending institutions, in writing and in face-to-face meetings, that the employees were actually officers of the company.
Late on Monday, two thieves used a swipe card to drive a van up to Easynet’s Brick Lane headquarters. Once inside they began loading equipment into their van. They were watched by two security guards—one was doing his rounds and the other watched by CCTV—but both assumed the thieves, with their legitimate swipe cards, also had a legitimate reason to take the kit, according to our sources.
EDITED TO ADD (11/25): Here’s another story (link in Turkish). The police receive an anonymous emergency call from someone claiming to have planted an explosive in the Haydarpasa Numune Hospital. They evacuate the hospital (100 patients plus doctors, staff, visitors, etc.) and search the place for two hours. They find nothing. When patients and visitors return, they realize that their valuables were stolen.
Impressively bad. (Yes, it’s an advertisement. But there are still important security lessons in the blog post.)
1. The keypad is actually the control panel. This particular model is called a Lynx and is manufactured by Honeywell. However, most of the major manufacturers have their own version of an “all-in-one” control panel, siren & keypad (Here is a link to GE’s version). These all-in-one models were designed to simplify installation and are typically part of “free” or low-cost alarm systems. They are all equally useless.
The most important problem with systems like this is the fact that you need to have a delay time in order to open your door and get to the keypad each time you enter your home. So, when a crook breaks in, they also have the same amount of time. If the crook follows the sound of the beeping keypad they will be standing in front of not only the keypad, but the brains of the alarm system. So, rather than punching in a valid code, the crook could simply rip the entire unit off of the wall.
Provided that they rip the panel off of the wall before the alarm sends its first signal, it will never be able to send a signal.
2. If point #1 wasn’t bad enough (or maybe because the installer who put the ‘system’ in realized how useless it was going to be) the power supply for the system is located right beside the keypad/control panel. Unplug the transformer (which is just barely able to stay plugged in as it is) and the alarm loses power. This provides a really convenient way for someone to either accidentally or intentionally unplug the system and wait for the back-up battery to die.
3. Even worse, the phone jack has also been located beside the power supply. The phone jack is the alarm system’s only connection to the outside world. If it gets unplugged, the system cannot communicate and a crook would not have to go through the hassle of ripping the panel off of the wall.
How do you track down pickpockets?
I stuff my wallet with paper and keep it in my pants pocket. Then I linger in prime tourist spots in foreign cities. Sooner or later, someone steals the wallet, and I try to steal it back.
Really?
Yeah. If I successfully steal the wallet back—and I often do—the thief is usually willing to share the latest techniques.
Clever attack:
Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.
He then made off with an undisclosed amount of cash.
No one noticed until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.
Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.
The man then punched a series of numbers on the machine’s keypad, breaking the security code. The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.
The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.
What’s weird is that it seems that this is easy. The ATM is a Tranax Mini Bank 1500. And you can buy the manuals from the Tranax website. And they’re useful for this sort of thing:
I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:
- Instructions on how to enter the diagnostic mode
- Default passwords
- Default Combinations For the Safe
Do not ask me for them. If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately.
This is from an eWeek article:
“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said.
Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company’s Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.
So, as long as you can use an account that’s not traceable back to you, and you disguise yourself for the ATM cameras, this is a pretty easy crime.
eWeek claims you can get a copy of the manual simply by Googling for it. (Here’s one on eBay.)
And Tranax is promising a fix that will force operators to change the default passwords. But honestly, what’s the likelihood that someone who can’t be bothered to change the default password will take the time to install a software patch?
EDITED TO ADD (9/22): Here’s the manual.
Does it pay to scream if your cell phone is stolen? Synchronica, a mobile device management company, thinks so. If you use the company’s Mobile Manager service and your handset is stolen, the company, once contacted, will remotely lockdown your phone, erase all its data and trigger it to emit a blood-curdling scream to scare the bejesus out of the thief.
The general category of this sort of security countermeasure is “benefit denial.” It’s like those dye tags on expensive clothing; if you shoplift the clothing and try to remove the tag, dye spills all over the clothes and makes them unwearable. The effectiveness of this kind of thing relies on the thief knowing that the security measure is there, or is reasonably likely to be there. It’s an effective shoplifting deterrent; my guess is that it will be less effective against cell phone thieves.
Remotely erasing data on stolen cell phones is a good idea regardless, though. And since cell phones are far more often lost than stolen, how about the phone calmly announcing that it is lost and it would like to be returned to its owner?
Cybercrime is getting organized:
Cyberscams are increasingly being committed by organized crime syndicates out to profit from sophisticated ruses rather than hackers keen to make an online name for themselves, according to a top U.S. official.
Christopher Painter, deputy chief of the computer crimes and intellectual property section at the Department of Justice, said there had been a distinct shift in recent years in the type of cybercriminals that online detectives now encounter.
“There has been a change in the people who attack computer networks, away from the ‘bragging hacker’ toward those driven by monetary motives,” Painter told Reuters in an interview this week.
Although media reports often focus on stories about teenage hackers tracked down in their bedroom, the greater danger lies in the more anonymous virtual interlopers.
“There are still instances of these ‘lone-gunman’ hackers but more and more we are seeing organized criminal groups, groups that are often organized online targeting victims via the internet,” said Painter, in London for a cybercrime conference.
I’ve been saying this sort of thing for years, and have long complained that cyberterrorism gets all the press while cybercrime is the real threat. I don’t think this article is fear and hype; it’s a real problem.