Man Used MP3 Player To Hack Cash Machines
Juha-Matti Laurio writes "A man in Manchester, England has been convicted of using an MP3 player to hack cash machines. The MP3 player was plugged into the back of free standing cash machines in bars. Tones being recorded from the phone line were decoded with special software to a readable format. Later this information was used to clone credit cards."
Um... (Score:5, Insightful)
Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?
Not possible in the U.S. (Score:5, Interesting)
Even if someone can no longer use a generic man-in-the-middle attack in the future due to encryption, it's amazing how many other means for ATM fraud still exist. I couldn't believe this one [youtube.com] when I saw it the other day.
Re:Not possible in the U.S. (Score:5, Informative)
This is also mandated in Europe
Re:Not possible in the U.S. (Score:4, Informative)
Re: (Score:3, Informative)
Are you familiar with video editing? The video was "zoomed in" and as the suspect moved around, the zoomed in frame was moved around to focus on his movements. This is a very common procedure for CCTV footage aired on TV.
Re:Not possible in the U.S. (Score:5, Informative)
Not when you realize they're talking about a default password.
Bruce Schneier covered the story in question awhile ago. Lots of good comments on the page, too: http://www.schneier.com/blog/archives/2006/09/pro
Re:Not possible in the U.S. (Score:5, Informative)
"The video of the suspect is a fake. Fixed cameras can't track movement like that. Even a remote movable camera couldn't pan that smoothly. CNN should have the decency to say openly that the video is a dramatization."
BUT a shoulder-mounted camera held by a cameraman pointed at a CCTV display and zoomed in on the suspect CAN track movement.
"The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous."
Agreed, but it's true.
"In order to edit any ATM internals you need to open the machine"
Not true. Many kiosk ATMs are programmed from the front panel, there's not always a need to open the machine for various administrative actions.
"which would give you direct access to the cash ANYWAY."
Also not true. You can open it but the money is still in locked steel dispenser-cages, and those cages are usually locked into the machine even with the door open.
Re: (Score:2)
No ATM req'd. (Score:2)
Re: (Score:2)
Like the scene in Wargames when Broderick's character asks the dumb guard to let him go to the bathroom and he uses a microrecorder to record tones from the keypad.
The kid in Terminator 2 used a similar technique to rip off an ATM. Even Hollywood understands man-in-the-middle attacks.
Re: (Score:3, Interesting)
How many other people are doing this? There seems to be no way to stop it until they recall every one of these machines and remove the USB ports.
Remember folks... (Score:5, Funny)
Unless of course they are Cylon MP3 players. Then they don't stop at fraud.
Re: (Score:1)
Excellent (Score:3, Funny)
Guess they never saw the money making potential.
Re: (Score:1)
Little did they know, I own Apple stock
Re: (Score:2)
Police found fake card. (Score:4, Interesting)
How does one know if it's a fake credit card? I have received cards from retailers for store credit that look like fake credit cards (Ikea). I assume that the fake credit cards look like the real thing. That's why when you go to Lowes, the cashier will ask to see the last four digits on your card. According to one of the clerks, Lowes has been a victim of phoney credit cards - thieves will take a card and reprogram the magnetic strip on the back with a valid number.
Also, do the British police have that kind of power that they can just investigate all of that over just a traffic stop?
Re:Police found fake card. (Score:5, Informative)
By noticing that the name on the card didn't match the name on his driver's license?
Re: (Score:3, Interesting)
Re:Police found fake card. (Score:4, Insightful)
Whether it was proper or not depends on how they found the bank card, and what the rules in UK say about searches. Remember -- clever doesn't necessarily mean smart. It took a clever person to dream up the scam. But a smart person wouldn't travel around with incriminating evidence unless it is well hidden. For all we know he may have had a pile of loose credit cards on the passenger seat. That's the kind of blunder many clever people I know would be likely to commit.
Re: (Score:3, Insightful)
Another possibility is that this crook is neither clever, nor smart, and is not the one who dreamed up the scheme but is just a lackey who is doing the dirty work for somebody else. From the article:
Though £200,000 was spent on the cards, police said they believed that Parsons himself only earned £14,000 through it.
This implies that there are more people involved.
Re: (Score:2)
Re: (Score:3, Insightful)
To do the kind of home search performed by the Manchester England police in the US, you need a warrant supported by probable cause. Probable cause is not definitive proof, it is "Information sufficient to warrant a prudent person's belief that the wanted individual had committed a crime or that evidence of a crime or contraband would be found in a search."
A credit card in the name "Donald Duck" might not be enough to raise a prudent person's suspici
Re: (Score:1)
Re:Police found fake card. (Score:5, Funny)
Re: (Score:2)
Re: (Score:1, Funny)
Re: (Score:2, Interesting)
Re: (Score:2)
But you must realize that none of these cards are really very secure.
I can only speak of Ohio, but: Driver's licenses here are produced using commercial, off-the-shelf printers. There's barcodes and a magstripe, but those are hardly authentication mechanisms. The information contained in those stripes and barcodes is only a plaintext copy in industry-standard form of some of the same information that is printed plainly on the front of the card, and is therefore useless for authentication. There'
Re: (Score:2)
When I go to Lowe's and pay with my debit card, they always ask me to hand it to them. And then they look at the back of it, see that my signature is vague/distorted/old, and ask to see my license. Every fucking time. Therefore, both items (the bank card and the license card) need to match.
And: The cardholder name is recorded on the mag stripe, and is often shown on various POS displays during the sale, and is trivially compared to the na
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
NO THEY DON'T!!!!! (Score:5, Informative)
POLICE DO NOT HAVE THE RIGHT TO SEARCH YOUR CAR DURING A ROUTINE TRAFFIC STOP IN THE US!!!
Now then, if something else is amiss, like say, when the cop turned on his lights, you started throwing bags of white powder out the windows onto the highway median, then he does have the right to search your vehicle.
MOD PARENT UP (Score:2)
The video shows people obviously doing things both legal and illegal, and explains how they can avoid arrest and conviction.
4th, 5th, 6th Amendment Wallet Cards to carry (Score:3, Informative)
There's law, and there's reality (Score:3, Interesting)
Also be civil to the officer and don't make his/her job any harder than it already is. Remember that if the officer swears in court that you were throwing bags of white powder out the window and you swear that you weren't, the judge will believe the officer and uphold the search. *The officer knows this*. This happens in real life: I
Specifically (Score:2)
Re: (Score:2)
For reference, the piece of law you are referring to is reffere
Re: (Score:2)
But you're right: they never searched his car. I understand it was qu
"I thought I smelled marijuana" (Score:3, Informative)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
1) Stop speeding (seriously, whatever you have done to get pulled over 10 times, just stop).
2) Make your objections clear, if they insist, LET THEM. Anything they find is inadmissible as evidence (any decent lawyer will get it thrown out).
3) If you regularly are getting harassed, report it. If nothing gets done, escalate your report to the next highest point you can find (lather, rinse, repeat)
Re: (Score:2)
Re: (Score:2)
Just some thoughts (Score:2)
I wonder, I don't have to have anything illegal in order for me to not want the police to search my vehicle. I have been stopped in the past and had the vehicle searched even when I did not give permission. I had nothing illegal. I just don't feel that a police state is a good thing. Another thing that pisses me off is the fact that in the name of fighting drunk drivers many police dep
Re: (Score:1)
Re: (Score:2)
No encryption (Score:5, Interesting)
Re: (Score:2, Interesting)
Re: (Score:1)
I've also seen encrypting modems being used between ATMs and Hosts.
Re: (Score:2)
Re: (Score:2)
I have been making online purchases with my cards for years, and at no point have I been asked for a PIN. This one falls under "security through weakly hoping that nobody wants to steal any money".
Standard technique is to capture the card numbers and use them to make online purchases of goods which are highly liquid on the grey market - jewelry, DVDs, consumer electronics.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Interesting)
I think we can consider things like AES to be safe for awhile yet. (At the minimum, not worth cracking for someone's PIN # or CC#)
All the same, implementing a new encryption algorithm on these machines should, for the most part, be no more difficult than a firmware upgrade. I don't imagine that's too involved of a process to do every few years.
"keeping up with all the different encryption methods would be cost prohibitive"
--- I don't buy that either, encryption standards neither change often, no
Re:No encryption - Worse than you think. (Score:4, Interesting)
In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that day's transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.
You can imagine for large stores that the file will contain thousands of live card numbers. It's like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).
Re: (Score:2)
There's only one solution (Score:1, Funny)
Re: (Score:1)
Re: (Score:2)
Actually just make them use Zune players. They won't play music so I doubt they'd be any good for hacking bank security.
So the criminal is convicted... (Score:1)
Perhaps it is time our government created another act (Yes, I know we've got too many) which would be called the 'Computer responsible use act' which bans anyone from sending sensitive data in clear, bans all non-Bluetooth wireless keyboards and makes it an offense to have an unpatched machine on the internet.
Ok, what he did was illegal however what the ATM makers did is far far worse. So which banks care about ID theft?
Re: (Score:3, Interesting)
It's already illegal to do what this guy did. Make it harder, and you simply 'make it harder' for criminals, not impossible. I don't think what the ATM makers did (non-encryption) is 'far far worse'. Leaving your car unlocked is not 'far far worse' than the clown who steals it.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2, Insightful)
Re: (Score:2)
Thief: steals from dozens or hundreds and extracts tens of thousands of dollars.
ATM system designers: endanger millions of people and billions of dollars.
Thief: subject to all the machinery of the criminal justice system.
ATM system designers: legally protected.
Thief: expected to be a thief. We have a chance to take precautions.
ATM system designers: trusted by default. Very few of us have checked the encryption on ATMs before using
now you can get $$ (Score:1)
On the downside (Score:4, Funny)
Wow (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Movie (Score:4, Funny)
It's too bad they didn't think up something more plausible like what this guy did.
Wow (Score:1)
Surely there isn't a ready-made plugin for my iPod in the back of these things. Is there?
Re: (Score:2, Informative)
Re: (Score:2)
What brand of mp3 player? (Score:2, Insightful)
I don't suppose it matters if he's just capturing audio data; in fact it's hardly even important that he was using an mp3 player - he could just as easily have used one of those handheld cassette recorders.
Re: (Score:2)
Phreaking... (Score:3, Interesting)
Wow (Score:1)
Oh Noes! (Score:2)
Ogg Players (Score:3, Funny)
One more thing I didn't think of (Score:2, Funny)
Whose liability is it? (Score:3, Insightful)
Melissa
Re: (Score:2)
there's a better way... (Score:2, Informative)
http://en.wikipedia.org/wiki/Fractional-reserve_banking [wikipedia.org]
Cops are in general just retarded, just follow orders from their
Re: (Score:2)
Re: (Score:2)
How is this any different from the rest of the money supply? I don't know if you noticed this, but we're using fiat money [wikipedia.org] around these parts, which is really just money because people believe it's money. It's as immaterial and illusionary as everything else. (The one thing in particular about this illusion, people frequently believe they will be able to pay t
Technology being used was Ukraine origin (Score:1)
http://www.guardian.co.uk/crime/article/0,,194802
I guess... (Score:1)
DMCA (Score:2)
Re: (Score:2)
He is in the UK, And US laws do not apply here... Unless they are Illinois laws!!! [spamhaus.org]
Re: (Score:2)
But, since you're such a loser, too dumb to realize how the world works, we'll just have to laugh and point at you while the world goes on.
novelty value only (Score:3, Interesting)
Yes, it's illegal, and yes... (Score:2)
But what a monstrously cool - um - "solution".
I am having difficulty reconciling... (Score:2)
Re: (Score:2, Funny)
Re: (Score:1)