Entries Tagged "theft"

Hacking ATMs

Hacking ATMs to spit out money, demonstrated at the Black Hat conference:

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

EDITED TO ADD (7/30): Another two articles.

Posted on July 30, 2010 at 8:55 AM

Burglary Detection through Video Analytics

This is interesting:

Some of the scenarios where we have installed video analytics for our clients include:

  • to detect someone walking in an area of their yard (veering off of the main path) that they are not supposed to be;
  • to send an alarm if someone is standing too close to the front of a store window/front door after hours;
  • to alert security guards about someone in a parkade during specific hours;
  • to count the number of people coming into (and out of) a store during the day;

In the case of burglary prevention, getting an early warning about someone trespassing makes a huge difference for our response teams. Now, rather than waiting for a detector in the house to trip, we can receive an alarm signal while a potential burglar is still outside.

Effectiveness is going to be a question of limiting false positives.

Posted on July 14, 2010 at 12:54 PM

Buying an ATM Skimmer

Interesting:

ATM skimmers—or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data—are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.

The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web.

EDITED TO ADD (6/23): Another post.

Posted on June 22, 2010 at 6:49 AM

Protecting Cars with The Club

From the Freakonomics blog:

At some point, the Club was mentioned. The professional thieves laughed and exchanged knowing glances. What we knew was that the Club is a hardened steel device that attaches to the steering wheel and the brake pedal to prevent steering and/or braking. What we found out was that a pro thief would carry a short piece of a hacksaw blade to cut through the plastic steering wheel in a couple seconds. They were then able to release The Club and use it to apply a huge amount of torque to the steering wheel and break the lock on the steering column (which most cars were already equipped with). The pro thieves actually sought out cars with The Club on them because they didn’t want to carry a long pry bar that was too hard to conceal.

Posted on June 14, 2010 at 1:46 PM

Low-Tech Burglars to Get Lighter Sentences in Louisiana

This is the kind of law that annoys me:

A Senate bill to toughen penalties for crimes committed with the aid of Internet-generated “virtual maps,” including acts of terrorism, won quick approval Monday in the House.

[…]

Adley’s bill defines a “virtual street-level map” as one that is available on the Internet and can generate the location or picture of a home or building by entering the address of the structure or an individual’s name on a website.

Rep. Henry Burns, R-Haughton, who handled Adley’s bill on the House floor, said that if the map is used in an act of terrorism, the legislation requires a judge to impose an additional minimum sentence of at least 10 years onto the terrorist act.

If the map is used in the commission of a crime like burglary, Burns said, the bill calls for the addition of at least one year in jail to be added to the burglary sentence.

Crimes are crimes, regardless of the ancillary technology used to plan them.

Posted on May 28, 2010 at 6:24 AM

Security Fog

An odd burglary prevention tool:

If a burglar breaks in, the system floods the business with a dense fog similar to what’s used in theaters and nightclubs. An intense strobe light blinds and disorients the crook.

[…]

Mazrouei said the cost to install the system starts at around $3,000.

Police point out that the system blinds interior security cameras as well as criminals. Officers who respond to a burglary also will not enter a building when they can’t see who’s inside. Local firefighters must be informed so they don’t mistake the fog for smoke.

EDITED TO ADD (4/21): I blogged about the same thing in 2007, though that version was marketed to homeowners. It’s interesting how much more negative my reaction is to fog as a home security device than as a security device to protect retail stock.

Posted on April 21, 2010 at 12:55 PM

Master Thief

The amazing story of Gerald Blanchard.

Thorough as ever, Blanchard had spent many previous nights infiltrating the bank to do recon or to tamper with the locks while James acted as lookout, scanning the vicinity with binoculars and providing updates via a scrambled-band walkie-talkie. He had put a transmitter behind an electrical outlet, a pinhole video camera in a thermostat, and a cheap baby monitor behind the wall. He had even mounted handles on the drywall panels so he could remove them to enter and exit the ATM room. Blanchard had also taken detailed measurements of the room and set up a dummy version in a friend’s nearby machine shop. With practice, he had gotten his ATM-cracking routine down to where he needed only 90 seconds after the alarm tripped to finish and escape with his score.

As Blanchard approached, he saw that the door to the ATM room was unlocked and wide open. Sometimes you get lucky. All he had to do was walk inside.

From here he knew the drill by heart. There were seven machines, each with four drawers. He set to work quickly, using just the right technique to spring the machines open without causing any telltale damage. Well rehearsed, Blanchard wheeled out boxes full of cash and several money counters, locked the door behind him, and headed to a van he had parked nearby.

Eight minutes after Blanchard broke into the first ATM, the Winnipeg Police Service arrived in response to the alarm. However, the officers found the doors locked and assumed the alarm had been an error. As the police pronounced the bank secure, Blanchard was zipping away with more than half a million dollars.

Posted on March 29, 2010 at 1:48 PM

Acrobatic Thieves

Some movie-plot attacks actually happen:

They never touched the floor—that would have set off an alarm.

They didn’t appear on store security cameras. They cut a hole in the roof and came in at a spot where the cameras were obscured by advertising banners.

And they left with some $26,000 in laptop computers, departing the same way they came in—down a 3-inch gas pipe that runs from the roof to the ground outside the store.

EDITED TO ADD (4/13): Similar heists.

Posted on March 24, 2010 at 1:51 PM

Car-Key Copier

This is neat:

The Impressioner consists of a sensor that goes into the lock and sends information back to a computer via USB about the location of the lock’s tumblers—a corresponding computer program comes up with the code, depending on the make of car you’ve entered beforehand. Once you know the code, a key-cutting machine can use it to carve up a key.

Right now, it’s a prototype that only works on Ford car locks. The article points out that both locksmiths and thieves can use this device.

Another article.

EDITED TO ADD (2/16): How it likely works.

Posted on February 12, 2010 at 6:23 AM

$3.2 Million Jewelry Store Theft

I’ve written about this sort of thing before:

A robber bored a hole through the wall of a jewelry shop and walked off with about 200 luxury watches worth 300 million yen ($3.2 million) in Tokyo’s upscale Ginza district, police said Saturday.

From Secrets and Lies, p. 318:

Threat modeling is, for the most part, ad hoc. You think about the threats until you can’t think of any more, then you stop. And then you’re annoyed and surprised when some attacker thinks of an attack you didn’t. My favorite example is a band of California art thieves that would break into people’s houses by cutting a hole in their walls with a chainsaw. The attacker completely bypassed the threat model of the defender. The countermeasures that the homeowner put in place were door and window alarms; they didn’t make a difference to this attack.

One of the important things to consider in threat modeling is whether the attacker is looking for any victim, or is specifically targeting you. If the attacker is looking for any victim, then countermeasures that make you a less attractive target than other people are generally good enough. If the attacker is specifically targeting you, then you need to consider a greater level of security.

Posted on January 14, 2010 at 12:43 PM
