[+] Wayc0de's Blog[+]

14/10/11

ATM Skimmer Powered by MP3 Player

Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices.

Using audio to capture credit and debit card data is not a new technique, but it is becoming vogue: Square, an increasingly popular credit card reader built for the iPhone, works by plugging into the headphone jack on the iPhone and converting credit card data stored on the card into audio files.

An audio skimmer for a Diebold ATM.

The device pictured here is a card skimmer designed to fit over the card acceptance slot on a Diebold Opteva 760, one of the most common ATMs around. The green circuit board on the left was taken from an MP3 player (no idea which make or model). When a card is slid past the magnetic reader (the small black rectangle at the end of the black and red wires near the center of the picture), the MP3 player “hears” the data stored on the card’s magnetic stripe, and records it as an audio file to a tiny embedded flash memory device.


The card skimmer comes with a false panel that fits snugly into the top of the ATM; it contains a miniature video camera that records victims entering their PIN when the card skimmer slot is activated. The battery included in the hidden camera lasts for six hours, according to the ad posted by the skimmer’s designer. The entire package costs $1,500, payable via virtual currencies such as WebMoney and Liberty Reserve.

The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The Mp3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.

In fairness, the seller does note in the fine print that third party software is required to decrypt the audio files, and that he is “working closely with another partner for this service.” That partner is a different fraudster who will decrypt the audio files in exchange for 20 percent of the stolen card numbers and PINs.

Tidak ada komentar:

Posting Komentar