Forgot your password?
typodupeerror

Man Used MP3 Player To Hack Cash Machines 156

Posted by CowboyNeal
from the easy-money dept.
Juha-Matti Laurio writes "A man in Manchester, England has been convicted of using an MP3 player to hack cash machines. The MP3 player was plugged into the back of free standing cash machines in bars. Tones being recorded from the phone line were decoded with special software to a readable format. Later this information was used to clone credit cards."
This discussion has been archived. No new comments can be posted.

Man Used MP3 Player To Hack Cash Machines

Comments Filter:
  • Um... (Score:5, Insightful)

    by Spazntwich (208070) on Saturday November 18, 2006 @12:26PM (#16896580)
    So he performed a generic man in the middle attack, recording information transmitted by modem and decoding it?

    Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?
    • by Salvance (1014001) * on Saturday November 18, 2006 @12:50PM (#16896766) Homepage Journal
      This may be possible in Europe, but I don't believe it's possible in the U.S. anymore. 3DES has been the standard ATM encryption method for a few years, and almost all ATM machines have been converted to 3DES (by Dec 31st they apparently won't operate [atmmachine.com] unless they are 3DES since the ATM networks will only allow encrypted communications).

      Even if someone can no longer use a generic man-in-the-middle attack in the future due to encryption, it's amazing how many other means for ATM fraud still exist. I couldn't believe this one [youtube.com] when I saw it the other day.
      • by fixer007 (851350) on Saturday November 18, 2006 @01:16PM (#16896918)
        The TDES encryption only encrypts the PIN block. The PAN and other card information is still in the clear.

        This is also mandated in Europe
      • by flawedconceptions (1000049) on Saturday November 18, 2006 @01:41PM (#16897082)
        The link is to a story about a guy who reprogrammed an ATM to think it was dispensing 5s while it was actually dispensing 20s. I was able to find the default passwords and re-programming instructions (all in the owner's manual) on the net without much trouble. At least one owner didn't bother to change the default passwords. I wonder how many others failed to do so.
    • Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?

      Like the scene in Wargames when Broderick's character asks the dumb guard to let him go to the bathroom and he uses a microrecorder to record tones from the keypad.

      The kid in Terminator 2 used a similar technique to rip off an ATM. Even Hollywood understands man-in-the-middle attacks.
    • Re: (Score:3, Interesting)

      by Marcion (876801)
      The worrying thing was that he was only caught because he was a crappy driver. The actual 'Link' cash machines (which cost £1.50) to use, are still there in pubs and bars. The banks do not seem to care that normal people are getting their cash stolen.

      How many other people are doing this? There seems to be no way to stop it until they recall every one of these machines and remove the USB ports.
  • by davidwr (791652) on Saturday November 18, 2006 @12:28PM (#16896594) Homepage Journal
    MP3 players don't defraud bank customers, people defraud bank customers.

    Unless of course they are Cylon MP3 players. Then they don't stop at fraud.
  • Excellent (Score:3, Funny)

    by Sqwubbsy (723014) on Saturday November 18, 2006 @12:29PM (#16896602) Homepage Journal
    You see, my friends ridiculed me for getting an Archos Jukebox instead of an iPod.
    Guess they never saw the money making potential.
    • by LindseyJ (983603)
      My friends ridiculed me for getting an iPod instead of another brand of mp3 player.

      Little did they know, I own Apple stock ;)
    • by loraksus (171574)
      I wouldn't be surprised if he was using one - the clarity of the recordings on my jukebox v2 is simply amazing. Hmm... I wonder how hard would it be to create an adapter for the archos to tape phone calls...
  • by Jawood (1024129) on Saturday November 18, 2006 @12:29PM (#16896610) Journal
    Police uncovered the scam almost by accident when they stopped Parsons for making an illegal u-turn in a car in London. They found a fake bank card in his possession and searched his home in Manchester, where they found the evidence with which to prosecute.

    How does one know if it's a fake credit card? I have recieved cards from retailers for store credit that look like fake credit cards (Ikea). I assume that the fake credit cards look like the real thing. That's why when you go to Lowes, the cashier will ask to see the last four digits on your card. According to one of the clerks, Lowes has been a victim of phoney credit cards - theives will take a card and reprogram the magnetic strip on the back with a valid number.

    Also, do the British police have that kind of power that they can just investgate all of that over just a traffic stop?

    • by hey! (33014) on Saturday November 18, 2006 @12:34PM (#16896666) Homepage Journal
      How does one know if it's a fake credit card?


      By noticing that the name on the card didn't match the name on his driver's license?
      • Re: (Score:3, Interesting)

        by fredklein (532096)
        Why are the cops comparing names on all the cards in his wallet for a trafic stop??
        • by hey! (33014) on Saturday November 18, 2006 @01:19PM (#16896938) Homepage Journal
          TFA doesn't say that they went through his wallet. Only that they "They found a fake bank card in his possession..."

          Whether it was proper or not depends on how they found the bank card, and what the rules in UK say about searches. Remember -- clever doesn't necessarily mean smart. It took a clever person to dream up the scam. But a smart person wouldn't travel around with incriminating evidence unless it is well hidden. For all we know he may have had a pile of loose credit cards on the passenger seat. That's the kind of blunder many clever people I know would be likely to commit.
          • Re: (Score:3, Insightful)

            by aoteoroa (596031)

            Another possibility is that this crook is neither clever, nor smart, and is not the one who dreamed up the scheme but is just a lacky who doing the dirty work for somebody else. From the article:

            Though £200,000 was spent on the cards, police said they believed that Parsons himself only earned £14,000 through it.

            This implies that there are more people involved.
      • by frakir (760204)
        You can have a credit card issued with Donald Duck printed on it. Some banks will ask you what name do you want on the CC they issue. It is up to you and no law says it has to be your legal name.
        • Re: (Score:3, Insightful)

          by hey! (33014)
          I don't know about the rules regarding searches in the UK.

          To do the kind of home search performed by the Manchester England police in the US, you need a warrant supported by probable cause. Probable cause is not definitive proof, it is "Information sufficient to warrant a prudent person's belief that the wanted individual had committed a crime or that evidence of a crime or contraband would be found in a search."

          A credit card in the name "Donald Duck" might not be enough to raise a prudent person's suspici
      • by twosmokes (704364)
        Yeah, but I'm curious as to why the cops were even looking at his CC.
      • Re: (Score:1, Funny)

        by Anonymous Coward
        Um, what do cops ask for over there when they pull you over for a u-turn? Licence, registration, and credit card???
      • Re: (Score:2, Interesting)

        I imagine that the card was an unprinted blank, and this guy just programmed the mag strip with the correct info needed to withdrawal money. The actual printed info on the card has no bearing on how an ATM, or other reader,perceives it. That's only for cashiers. It's pretty difficult to imprint a blank with the raised numbers, colors and holograms. It's simple to program a mag strip. I'm suprised this doesn't happen much more frequently.
      • by adolf (21054)
        Perhaps.

        But you must realize that none of these cards are really very secure.

        I can only speak of Ohio, but: Driver's licenses here are produced using commercial, off-the-shelf printers. There's barcodes and a magstripe, but those are hardly authentication mechanisms. The information contained in those stripes and barcodes is only a plaintext copy in industry-standard form of some of the same information that is printed plainly on the front of the card, and is therefore useless for authentication. There'
    • by stuffL0r (1001028)
      Also, do the British police have that kind of power that they can just investgate all of that over just a traffic stop?
      There's no concept of Probable Cause in British law. A cop doesn't even need to witness an illegal u-turn to stop and search you and your car.
    • US police have the right to search you over a simple traffic violation as well...
      • NO THEY DON'T!!!!! (Score:5, Informative)

        by no reason to be here (218628) on Saturday November 18, 2006 @01:34PM (#16897024) Homepage
        US police DO NOT have the right to search your car for a routine traffic stop. It is a violation of the 4th amendment, and every time a cop asks to search your vehicle without reason, and you let him, you are just throwing your constitutional rights away. If a cop pulls you over because you were speeding or your inspection is expired or because you didn't come to a complete stop at a stop sign, et al, he does not have the right to search your vehicle. I repeat:

        POLICE DO NOT HAVE THE RIGHT TO SEARCH YOUR CAR DURING A ROUTINE TRAFFIC STOP IN THE US!!!

        Now then, if something else is amiss, like say, when the cop turned on his lights, you started throwing bags of white powder out the windows onto the highway median, then he does have the right to search your vehicle.
        • Also, watch this video: How to Avoid being Arrested by Cops [google.com]

          The video shows people obviously doing things both legal and illegal, and explains how they can avoid arrest and conviction.
          • NORML's is here [norml.org], and another one from a lawyer is here. [legalpaladin.com] Well worth printing out and laminating and keeping in your billfold. Two things to note: 1) If you happen to be on a military base, even just to turn around and leave because you made a wrong turn, your rights are severely abridged. If you are on their property the military is free to search anything they want. 2) The War On Drugs has created a lot more room for officers to manuever in if the key phrase "drugs" is used. Here [blogspot.com] is a rather disheartening
        • If you're African-American on a lonely road with N Caucasian police officers around you from a jurisdiction known for unprofessionalism, standing on your rights might be unwise.

          Also be civil to the officer and don't make his/her job any harder than it already is. Remember that if the officer swears in court that you were throwing bags of white powder out the window and you swear that you weren't, the judge will believe the officer and uphold the search. *The officer knows this*. This happens in real life: I
        • They have to have probable cause to search a car without permission. What that boils down to basically is a reasonable belief that a crime has been committed. The bags out the window in the parents example would provide that. However a simple traffic stop does not, by itself. Now of course they could always force the issue, it's not like you can really stop them, but it does mean that if they don't have probable cause, anything they find will be thrown out in court (and a good defense attorney will challeng
          • by Thansal (999464)

            The standard is actually the same for searching a home, the difference is that except in some extenuating circumstances the police have to present the probable cause to a judge beforehand and get a warrant for a home search, whereas they can conduct a search of a car with no warrant and then present the probable cause later in court. Either way the standard is basically the same, they've got to have some reason to believe a crime was committed.

            For refference, the piece of law you are reffering to is reffere

        • by Fastolfe (1470)
          I had a friend of mine in college get pulled over for something benign, but they suspected something more was going on, so they asked to search his car. He stood up to them and said no. 3 hours later, surrounded by 3 other police cars and after some drug-sniffing dogs had gone over the outside of their car, they were allowed to leave with tickets for 2 or 3 minor offenses (basically everything the police could find to charge them with).

          But you're right: they never searched his car. I understand it was qu
        • ...and your rights are gone. They might even bring the K9 unit out and get the dog to bark on command.
        • Re: (Score:3, Funny)

          by oliderid (710055)
          If I'm arrested by British policemen in London, I won't forget to remind them the constitution and its 4th amendment...And if they laugh and I will ask kindly but firmly to talk to their president.
    • by runcible (306937)
      A few years ago while working a contract doing security software, I found myself in possession of several exciting pieces of tech, including a mag strip reader/writer and a stack of blanks -- actual blanks, totally white on both sides except for the mag strip itself, no numeric impressions. Bored one Saturday, I cloned one of the credit cards in my pocket and walked around the corner to a bodega, got a pack of cigarettes and a coke, and attempted to pay with the totally unmarked card. The guy took it -- loo
    • by MWoody (222806)
      Well, presumably, the card wasn't designed to fool a person; just an ATM machine. So it was probably just a rectangular slice of plastic with a magnetic strip that he couldn't explain.
  • No encryption (Score:5, Interesting)

    by TorKlingberg (599697) on Saturday November 18, 2006 @12:31PM (#16896636)
    Banks don't encrypt the communication between ATMs and the bank? Seriously?
    • Re: (Score:2, Interesting)

      by multisync (218450)
      Exactly. Why is it we always see headlines about people "hacking" this and that, but we never read about people responsible for putting our information - not to mention our credit ratings - at risk being hauled in front of a judge to answer for their negligence.
    • by fixer007 (851350)
      Usually only the PIN block is encrypted between an ATM and a Host. This wouldn't really stop anyone from getting the card information, but without the PIN, theoretically that information would be useless.

      I've also seen encrypting modems being used between ATMs and Hosts.
      • But what good is that? There's only 10000 possible pins, for current computers that can do millions of hashes a second that's a bit on the useless side.
      • by asuffield (111848)

        This wouldn't really stop anyone from getting the card information, but without the PIN, theoretically that information would be useless.

        I have been making online purchases with my cards for years, and at no point have I been asked for a PIN. This one falls under "security through weakly hoping that nobody wants to steal any money".

        Standard technique is to capture the card numbers and use them to make online purchases of goods which are highly liquid on the grey market - jewelry, DVDs, consumer electronics.

    • Re: (Score:3, Informative)

      by Salvance (1014001) *
      Maybe not in Europe, but in the U.S. all information is encrypted using 3DES or other encryption algorithms (it's now mandatory by law). On some machines (like the Diebold ATMs), hardware encryption is used in the keypad. This ensures that even if you somehow planted a device inside the ATM to capture data sent from the keypad to the CPU you still wouldn't be able to get personal information.
      • by GooberToo (74388)
        As someone posted above, only the PIN is encrypted. The card number is available as clear text.
    • Most of the time an atm in a bar isn't owned by any bank and keeping up with all the different encryption methods would be cost prohibitive unless everyone who owns atm's decided on one to use exclusively. You know that won't work because any encryption will be cracked and it would be "dog chasing tail" from then on. The pragmatic truth is that the fraud generated is cheaper than prevention and the publicity that comes with it's failure.
      • Re: (Score:2, Interesting)

        by dami99 (1014687)
        I disagree.

        I think we can consider things like AES to be safe for awhile yet. (At the mimiumum, not worth cracking for someones PIN # or CC#)

        All the same, implementing a new encryption algorithm on these machines should, for the most part, be no more difficult than a firmware upgrade. I don't imagine that's too involved of a process to do every few years.

        "keeping up with all the different encryption methods would be cost prohibitive"
        --- I don't buy that either, encryption standards neither change often, no
    • by MtlDty (711230) on Saturday November 18, 2006 @09:50PM (#16901080)
      Its probably worse than you think. (I write software for card authorisation and Electronic Funds Transfer systems.)

      In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that days transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.

      You can imagine for large stores that the file will contain thousands of live card numbers. Its like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).
    • by shish (588640)
      not only that, but some are indirectly connected to the net -- the only things between them and it being unfirewalled windows boxes, hence a flood of them getting hit by blaster. If one could have exploited that hole to get a rootkit instead of a reboot, a lot of ATMs could have been thoroughly owned :-/
  • by Anonymous Coward
    Really. We need to ban MP3 players and send terrorists (illegal MP3 player users) to Gitmo.
    • If you outlaw mp3 players, only outlaws will have them.
    • Really. We need to ban MP3 players and send terrorists (illegal MP3 player users) to Gitmo.

      Actually just make them use Zune players. They won't play music so I doubt they'd be any good for hacking bank security.

  • But what about the companies that send data in clear down an insecure medium?

    Perhaps it is time our government created another act (Yes, I know we've got too many) which would be called the 'Computer responsible use act' which bans anyone from sending sensitive data in clear, bans all none bluetooth wireless keyboards and makes it an offense to have an unpatched machine on the internet.

    Ok, what he did was illegal however what the ATM makers did is far far worse. So which banks care about ID theft?
    • Re: (Score:3, Interesting)

      by YrWrstNtmr (564987)
      How about we call it the "Computer Responsibility Act (Provosional)"

      It's already illegal to do what this guy did. Make it harder, and you simply 'make it harder' for criminals, not impossible. I don't think what the ATM makers did (non-encryption) is 'far far worse'. Leaving your car unlocked is not 'far far worse' than the clown who steals it.
      • by GeffDE (712146)
        Bad analogy -5. A better analogy is a clown leaving a rental car unlocked and having it stolen. In this case, the rental car company is the person using the machine, the personal info is the car and the clown is the insecure ATM. The thief stars in a cameo role. The ATM makers did do something far, far worse. They are leaving personal information that is not theirs available to anyone who tries to get it. That is called Gross Negligence and should be prosecuted. I mean, some people have been, but not
      • Re: (Score:2, Insightful)

        by Limax Maximus (640354)
        I've always used the idea of an act such as that as a piss take for whenever we see hacked boxes that is clearly the users fault. Obviously such an act would never come into force and nor would I support it (except on 1st April). On the whole theft of details business I'd disagree over it being worse to steal details than making them available. Banks are always blaming their customers for leaving details in bins and so on yet when they make such a monumental fuck up all they do is get the person prosecute
      • >I don't think what the ATM makers did (non-encryption) is 'far far worse'.

        Thief: steals from dozens or hundreds and extracts tens of thousands of dollars.
        ATM system designers: endanger millions of people and billions of dollars.
        Thief: subject to all the machinery of the criminal justice system.
        ATM system designers: legally protected.
        Thief: expected to be a thief. We have a chance to take precautions.
        ATM system designers: trusted by default. Very few of us have checked the encryption on ATMs before using
  • So now all mp3 player owners can pay the RIAA ..... well i guess it all will workout ....
  • by edwardpickman (965122) on Saturday November 18, 2006 @12:37PM (#16896690)
    The ATM charged him for all the illegal download music on his MP3 player so the robbery was a net loss.
  • Wow (Score:3, Funny)

    by Demona (7994) on Saturday November 18, 2006 @12:50PM (#16896770) Homepage
    Life imitates art [imdb.com] :)
    • by Patik (584959)
      I was thinking of the beginning of another movie [imdb.com], when the boy plugs a device into an ATM to scan for a card number and/or PIN so he can finagle some cash out of it.
  • Movie (Score:4, Funny)

    by z_gringo (452163) <z_gringo@hotm[ ].com ['ail' in gap]> on Saturday November 18, 2006 @12:51PM (#16896780)
    I saw this movie! Harrison Ford was in it, and lots of people were talking about how stupid it was, except he used the MP3 wired to a fax machine to "read" the numbers off the screen, which was pretty stupid.

    It's too bad they didn't think up something more plausible like what this guy did.

  • by Joebert (946227)
    I'm suprized nobody ever noticed this guy rigging the back of the ATMs.
    Surely there isn't a ready-made plugin for my iPod in the back of theese things. Is there ?
    • Re: (Score:2, Informative)

      by leenks (906881)
      Just go in looking like a technician, with a briefcase of tools, plus a fake ID with the logo of the ATM manufacturer on it. Nobody would know, especially in a hotel etc, and you'd probably get unrestricted access to the machine - maybe even more than that, eg access to all the documentation for it, the hotel account details etc.
    • by kd5ujz (640580)
      Possibly using an acoustic pickup?
  • It's just me wondering what brand of mp3 player he used, then, is it?

    I don't suppose it matters if he's just capturing audio data; in fact it's hardly even important that he was using an mp3 player - he could just have easily used one of those handheld cassette recorders.
    • by pimpimpim (811140)
      Yes, but mp3 players are the source of all Evil! In fact, the ATM designer probably has the best chance to nail this guy by sueing him for copying the sound combinations (aka music) from the device, that are of course the IP of the ATM designer. He's not even a thief, he's a bloody pirate!
  • Phreaking... (Score:3, Interesting)

    by Cyno01 (573917) <Cyno01@hotmail.com> on Saturday November 18, 2006 @01:23PM (#16896962) Homepage
    So payphones are more secure than ATMs? I still always keep a $.25 tone on my MP3 players, more for nostalgia than anything else.
  • by breadiu (706188)
    That is so Firewall. Harrison Ford would be proud.
  • Oh no! We must immediately ban all MP3 players! Terrorists could use them to fund their War Against America.
  • Ogg Players (Score:3, Funny)

    by Anonymous Coward on Saturday November 18, 2006 @01:50PM (#16897172)
    If it had been an Ogg Vorbis player, instead of allowing the man to steal for himself, it would have taken the total balance on the cash machine and redistributed it equally to all accounts.
  • He wouldn't have got caught had he used Ogg Vorbis!!
  • by Myria (562655) on Saturday November 18, 2006 @01:53PM (#16897206)
    When this man stole the money, whose liability was it? To the bank, the withdrawals looked like those customers, and they couldn't have known it was fraud. When the victims find out, can they go to the bank to get their money back, or is the bank immune?

    Melissa
    • by jb.hl.com (782137)
      Probably the bank, but you can bet that the banks will fight any attempt to get compensation out of them every step of the way. Part of the beauty of the new Chip and PIN (EMV) system in the UK is that the liability for fraud is shifted from the bank (they thought the fraudster was a legitimate customer) to the cardholder (who can't prove they didn't make the payments). I presume the same deal applies here.
  • by Anonymous Coward
    ....just become a bank. Really, why go low scale? You are allowed to loan money which doesn't even exist, and to receive back the theoretical principal along with *interest*. It's the biggest economic scam and legalized theft scheme out there, and it is widespread in the vast number of nations simply because it is such a wonderful way for those goons to "make money" without working for it.

    http://en.wikipedia.org/wiki/Fractional-reserve_ba nking [wikipedia.org]

    Cops are in general just retarded, just follow orders from their
    • by xenocide2 (231786)
      Maybe I'm just reading this Wikipedia wrong, but isn't this just talking about loaning money placed in savings accounts? It's not like they're secretly minting money in the back room, they're just not holding onto all the money given to them in the bank. The amount they keep on hand is the fractional reserve. The money they loan out comes directly from deposits. Now, economically, giving out these loans does create money, but you'd have to have had quite a few drinks before your econ class to learn this and
    • by FooAtWFU (699187)

      Really, why go low scale? You are allowed to loan money which doesn't even exist, and to receive back the theoretical principal along with *interest*.

      How is this any different from the rest of the money supply? I don't know if you noticed this, but we're using fiat money [wikipedia.org] around these parts, which is really just money because people believe it's money. It's as immaterial and illusionary as everything else. (The one thing in particular about this illusion, people frequently believe they will be able to pay t

  • This Guardian (UK) article states that Technology imported from Ukraine was used to decode the tones from the transactions and turn them into [computer] information:
    http://www.guardian.co.uk/crime/article/0,,1948026 ,00.html [guardian.co.uk]
  • I guess MP3 player owners really are thieves [neowin.net] after all.
  • by GooberToo (74388)
    Seems like he should be charged under the DMCA too.
    • by Marcion (876801)
      Seems like he should be charged under the DMCA too.

      He is in the UK, And US laws do not apply here... Unless they are Illinois laws!!! [spamhaus.org]
  • novelty value only (Score:3, Interesting)

    by pbjones (315127) on Saturday November 18, 2006 @05:25PM (#16899090)
    the same could be done several different ways, just because they use an MP3 player as a recording device, shock/horror, doesn't mean that is should even have been the subject of a /. entry. I prefer th stories about the micro-camera above the keypad and the cardreader in the phoney face plate. I check for this each time. Or even better. friend ends up with the wrong card after leaving a bar, the barman had swapped the card and is recording pin numbers via a repositioned security camera.
  • .. he should go to jail, and it was bad thing to do.

    But what a monstrously cool - um - "solution".

  • ... the fact that I don't condone what he did at all with the fact that I am nevertheless also thoroughly impressed with the fact somebody actually did it. I mean, serously... hacking a bank machine with an MP3 player? Before this became news, who woulda thunk it?

Nothing succeeds like success. -- Alexandre Dumas

Working...