Man Used MP3 Player To Hack Cash Machines

Juha-Matti Laurio writes "A man in Manchester, England has been convicted of using an MP3 player to hack cash machines. The MP3 player was plugged into the back of free standing cash machines in bars. Tones being recorded from the phone line were decoded with special software to a readable format. Later this information was used to clone credit cards."

Um...

So he performed a generic man in the middle attack, recording information transmitted by modem and decoding it?

Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?

Not possible in the U.S.

This may be possible in Europe, but I don't believe it's possible in the U.S. anymore. 3DES has been the standard ATM encryption method for a few years, and almost all ATM machines have been converted to 3DES (by Dec 31st they apparently won't operate [atmmachine.com] unless they are 3DES since the ATM networks will only allow encrypted communications).

Even if someone can no longer use a generic man-in-the-middle attack in the future due to encryption, it's amazing how many other means for ATM fraud still exist. I couldn't believe this one [youtube.com] when I saw it the other day.

Re:Not possible in the U.S.

The TDES encryption only encrypts the PIN block. The PAN and other card information is still in the clear.

This is also mandated in Europe

Re:Not possible in the U.S.

The link is to a story about a guy who reprogrammed an ATM to think it was dispensing 5s while it was actually dispensing 20s. I was able to find the default passwords and re-programming instructions (all in the owner's manual) on the net without much trouble. At least one owner didn't bother to change the default passwords. I wonder how many others failed to do so.

Re:

Are you a retard? Why do you think the infinite wisdom of average IQ morons on YouTube somehow makes a statement of irrefutable fact?

Are you familiar with video editing? The video was "zoomed in" and as the suspect moved around, the zoomed in frame was mov

Re:Not possible in the U.S.

The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous.

Not when you realize they're talking about a default password.

Bruce Schneier covered the story in question awhile ago. Lots of good comments on the page, too: http://www.schneier.com/blog/archives/2006/09/prog ramming_atm.html [schneier.com]

Re:Not possible in the U.S.

"The video of the suspect is a fake. Fixed cameras can't track movement like that. Even a remote movable camera couldn't pan that smoothly. CNN should have the decency to say openly that the video is a dramatization."

BUT a shoulder-mounted camera held by a cameraman pointed at a CCTV display and zoomed in on the suspect CAN track movement.

"The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous."

Agreed, but it's true.

"In order to edit any ATM internals you need to open the machine"

Not true. Many kiosk ATMs are programmed from the front panel, there's not always a need to open the machine for various administrative actions.

"which would give you direct access to the cash ANYWAY."

Also not true. You can open it but the money is still in locked steel dispenser-cages, and those cages are usually locked into the machine even with the door open.

Re:

Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?

Like the scene in Wargames when Broderick's character asks the dumb guard to let him go to the bathroom and he uses a microrecorder to record tone

Re:

The worrying thing was that he was only caught because he was a crappy driver. The actual 'Link' cash machines (which cost £1.50) to use, are still there in pubs and bars. The banks do not seem to care that normal people are getting their cash stolen

Remember folks...

MP3 players don't defraud bank customers, people defraud bank customers.

Unless of course they are Cylon MP3 players. Then they don't stop at fraud.

Excellent

You see, my friends ridiculed me for getting an Archos Jukebox instead of an iPod.
Guess they never saw the money making potential.

Police found fake card.

Police uncovered the scam almost by accident when they stopped Parsons for making an illegal u-turn in a car in London. They found a fake bank card in his possession and searched his home in Manchester, where they found the evidence with which to prosecute.

How does one know if it's a fake credit card? I have recieved cards from retailers for store credit that look like fake credit cards (Ikea). I assume that the fake credit cards look like the real thing. That's why when you go to Lowes, the cashier will ask to see the last four digits on your card. According to one of the clerks, Lowes has been a victim of phoney credit cards - theives will take a card and reprogram the magnetic strip on the back with a valid number.

Also, do the British police have that kind of power that they can just investgate all of that over just a traffic stop?

Re:Police found fake card.

How does one know if it's a fake credit card?

By noticing that the name on the card didn't match the name on his driver's license?

Re:

Why are the cops comparing names on all the cards in his wallet for a trafic stop??

Re:Police found fake card.

TFA doesn't say that they went through his wallet. Only that they "They found a fake bank card in his possession..."

Whether it was proper or not depends on how they found the bank card, and what the rules in UK say about searches. Remember -- clever doesn't necessarily mean smart. It took a clever person to dream up the scam. But a smart person wouldn't travel around with incriminating evidence unless it is well hidden. For all we know he may have had a pile of loose credit cards on the passenger seat. That's the kind of blunder many clever people I know would be likely to commit.

Re:

Another possibility is that this crook is neither clever, nor smart, and is not the one who dreamed up the scheme but is just a lacky who doing the dirty work for somebody else. From the article:

Though £200,000 was spent on the cards, police said

Re:

You can have a credit card issued with Donald Duck printed on it. Some banks will ask you what name do you want on the CC they issue. It is up to you and no law says it has to be your legal name.

Re:

I don't know about the rules regarding searches in the UK.

To do the kind of home search performed by the Manchester England police in the US, you need a warrant supported by probable cause. Probable cause is not definitive proof, it is "Information suffic

Re:

I imagine that the card was an unprinted blank, and this guy just programmed the mag strip with the correct info needed to withdrawal money. The actual printed info on the card has no bearing on how an ATM, or other reader,perceives it. That's only for cas

Re:Police found fake card.

I'm not sure about the UK, but in the US cops are trained to notice everything.

I have so much crap in my car that they wouldn't even notice a dead cop on my floorboard.

NO THEY DON'T!!!!!

US police DO NOT have the right to search your car for a routine traffic stop. It is a violation of the 4th amendment, and every time a cop asks to search your vehicle without reason, and you let him, you are just throwing your constitutional rights away. If a cop pulls you over because you were speeding or your inspection is expired or because you didn't come to a complete stop at a stop sign, et al, he does not have the right to search your vehicle. I repeat:

POLICE DO NOT HAVE THE RIGHT TO SEARCH YOUR CAR DURING A ROUTINE TRAFFIC STOP IN THE US!!!

Now then, if something else is amiss, like say, when the cop turned on his lights, you started throwing bags of white powder out the windows onto the highway median, then he does have the right to search your vehicle.

MOD PARENT UP

Also, watch this video: How to Avoid being Arrested by Cops [google.com]

The video shows people obviously doing things both legal and illegal, and explains how they can avoid arrest and conviction.

4th, 5th, 6th Amendment Wallet Cards to carry

NORML's is here [norml.org], and another one from a lawyer is here. [legalpaladin.com] Well worth printing out and laminating and keeping in your billfold. Two things to note: 1) If you happen to be on a military base, even just to turn around and leave because you made a wrong turn, y

There's law, and there's reality

If you're African-American on a lonely road with N Caucasian police officers around you from a jurisdiction known for unprofessionalism, standing on your rights might be unwise.

Also be civil to the officer and don't make his/her job any harder than it alre

"I thought I smelled marijuana"

...and your rights are gone. They might even bring the K9 unit out and get the dog to bark on command.

Re:

If I'm arrested by British policemen in London, I won't forget to remind them the constitution and its 4th amendment...And if they laugh and I will ask kindly but firmly to talk to their president.

No encryption

Banks don't encrypt the communication between ATMs and the bank? Seriously?

Re:

Exactly. Why is it we always see headlines about people "hacking" this and that, but we never read about people responsible for putting our information - not to mention our credit ratings - at risk being hauled in front of a judge to answer for their negli

Re:

Maybe not in Europe, but in the U.S. all information is encrypted using 3DES or other encryption algorithms (it's now mandatory by law). On some machines (like the Diebold ATMs), hardware encryption is used in the keypad. This ensures that even if you so

Re:No encryption - Worse than you think.

Its probably worse than you think. (I write software for card authorisation and Electronic Funds Transfer systems.)

In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that days transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.

You can imagine for large stores that the file will contain thousands of live card numbers. Its like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).

Re:

But what good is that? There's only 10000 possible pins, for current computers that can do millions of hashes a second that's a bit on the useless side.

On the downside

The ATM charged him for all the illegal download music on his MP3 player so the robbery was a net loss.

Wow

Life imitates art [imdb.com] :)

Re:

I was thinking of the beginning of another movie [imdb.com], when the boy plugs a device into an ATM to scan for a card number and/or PIN so he can finagle some cash out of it.

Re:

(looks at respective UID's) Hey! You kids get off my lawn!

Movie

I saw this movie! Harrison Ford was in it, and lots of people were talking about how stupid it was, except he used the MP3 wired to a fax machine to "read" the numbers off the screen, which was pretty stupid.

It's too bad they didn't think up something more plausible like what this guy did.

What brand of mp3 player?

It's just me wondering what brand of mp3 player he used, then, is it?

I don't suppose it matters if he's just capturing audio data; in fact it's hardly even important that he was using an mp3 player - he could just have easily used one of those handheld cas

Phreaking...

So payphones are more secure than ATMs? I still always keep a $.25 tone on my MP3 players, more for nostalgia than anything else.

Oh Noes!

Oh no! We must immediately ban all MP3 players! Terrorists could use them to fund their War Against America.

Ogg Players

If it had been an Ogg Vorbis player, instead of allowing the man to steal for himself, it would have taken the total balance on the cash machine and redistributed it equally to all accounts.

One more thing I didn't think of

He wouldn't have got caught had he used Ogg Vorbis!!

Whose liability is it?

When this man stole the money, whose liability was it? To the bank, the withdrawals looked like those customers, and they couldn't have known it was fraud. When the victims find out, can they go to the bank to get their money back, or is the bank immune?

Melissa

there's a better way...

....just become a bank. Really, why go low scale? You are allowed to loan money which doesn't even exist, and to receive back the theoretical principal along with *interest*. It's the biggest economic scam and legalized theft scheme out there, and it is wi

novelty value only

the same could be done several different ways, just because they use an MP3 player as a recording device, shock/horror, doesn't mean that is should even have been the subject of a /. entry. I prefer th stories about the micro-camera above the keypad and the cardreader in the phoney face plate. I check for this each time. Or even better. friend ends up with the wrong card after leaving a bar, the barman had swapped the card and is recording pin numbers via a repositioned security camera.

Re:

How about we call it the "Computer Responsibility Act (Provosional)"

It's already illegal to do what this guy did. Make it harder, and you simply 'make it harder' for criminals, not impossible. I don't think what the ATM makers did (non-encryption) is 'fa

Re:

I've always used the idea of an act such as that as a piss take for whenever we see hacked boxes that is clearly the users fault. Obviously such an act would never come into force and nor would I support it (except on 1st April). On the whole theft of det

Re:

>I don't think what the ATM makers did (non-encryption) is 'far far worse'.

Thief: steals from dozens or hundreds and extracts tens of thousands of dollars.
ATM system designers: endanger millions of people and billions of dollars.
Thief: subject to all th

Re:

Just go in looking like a technician, with a briefcase of tools, plus a fake ID with the logo of the ATM manufacturer on it. Nobody would know, especially in a hotel etc, and you'd probably get unrestricted access to the machine - maybe even more than that

Re:

I AM A FISH!

Fishes are mute, dammit!

Re:

Really. We need to ban MP3 players and send terrorists (illegal MP3 player users) to Gitmo.

Actually just make them use Zune players. They won't play music so I doubt they'd be any good for hacking bank security.