[SecurityRatty] tag: atm

Knock, Knock, Knockin' on Carder's Door

Thu, 02 Oct 2008 06:59:00 +0000

This video of Cha0's bust earlier this month in Turkey, is a perfect example of what happens when someone starts over-performing in the field of carding.

Try counting the desktops, and notice the "full package" a carder can dream of - the box full of ATM skimmers, the holograms, the plastic cards machine, the suitcase with the POS (point of sale) terminals, the house and swimming pool, and, of course, the hard cash.

Protect yourselves from identity fraud

Mon, 29 Sep 2008 09:32:18 +0000

Soon you’ll be seeing the infomercials on late nite TV.
Its becoming very profitable, easy set up, even tutoring.

clipped from news.cnet.com

Behind the scenes of online fraud

Fraudsters aren’t just targeting bank customers. They are also luring victims off social networks, where they harvest sensitive private information, and online gaming sites, where they steal accomplished avatars and accounts and sell them for money, Rivner says.

Online fraud tools have price tags just like any other software. For example, the Mpack Infection Kit costs $700, a Dream BotBuilder costs $500, and at just $350, the Limbo Trojan is practically a steal, according to Rivner.

For people who don’t have the skills to install, run, and manage their own Trojans and other tools, fraudsters are offering fraud software as a service for $299 a month, “which means anyone can do it,” he says.

While online attacks get the headlines, a bigger risk is from skimmers, fake faceplates for ATM machines that steal card data from the magnetic strip. The data is then used to make forged cards.

A pro's tips on ATM fraud

Sun, 28 Sep 2008 20:00:00 +0000

A bank-machine hacker who reportedly was arrested earlier this month in Turkey gave would-be fraudsters tips on how to install rogue card-reading devices, including advising them to target drive-through ATMs (automated teller machines) and avoid towns with fewer than 15,000 residents.

First Bust Ever for ATM Reprogramming Scam

Wed, 24 Sep 2008 06:33:04 +0000

The pair allegedly reprogrammed the machines to believe they were loaded with one-dollar bills instead of tens and twenties. A withdrawal of $20 would thus net $380. The Nebraska case marks the first reported arrests for the keypad capers.

Two Arrested in First Bust for ATM Reprogramming Scam

Tue, 23 Sep 2008 17:45:00 +0000

Two 21-year-old men are in a Nebraska jail after being caught allegedly scoring $13,000 by reprogramming ATM machines to think they're loaded with $1 bills, instead of tens and twenties.

Turkish Police Arrest Alleged ATM Hacker-Kidnapper

Fri, 12 Sep 2008 19:46:00 +0000

Turkish officials nabbed an alleged ATM-hacking kingpin, according to news reports. The hacker, named Cha0, allegedly tortured an informer and said not even the FBI could catch him.

Thoughts on Token Security

Tue, 26 Aug 2008 12:35:23 +0000

RSnake has a piece up on Token Security which raises some good points, but also misses some perspective. Firstly any article that makes a serious attempt at mitigating FUD is most welcome, especially in a space that is as overloaded as identity. That said, I think RSnake is taking too narrow of a view, specifically B2C, on federation and tokens. It is true that works on the web eventually filters into the enterprise, but it is also true that sometimes that things that start out as enterprise technologies later become cost effective on the web. So I would not assume that the current status quo on the web will hold. I don't think it will, the identity problems are too big and there is too much money at stake.

I encourage you to read his article, here are some of my thoughts

"consumers hate tokens."

Except that people use atm cards every day. Consumers will absolutely be inconvenienced, if there is some value created. The problem today is not the token, its the lack of a value proposition to the person you are inconveniencing.

"Everyone wants to be the single federation platform for everyone else."

This will never work. and that's a good thing. i think most companies already realize this though. I think the walled garden model has gone the way of the dodo.

"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."

Federation works quite well. have a look at google for one example. The reason banks hate federation is that their infosec people have a mainframe mindset, they are focused only on resource protection. the problem is they dont run mainframes on closed networks, they went and connected it to the web and so now they need to think about subject and claim security not just resource security. its not hatred its a lack of understanding stemming from a legacy mindset.

Linking up identity providers and relying parties into a federation has been a solved problem for quite some time.

"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."

Rule 1. there are no silver bullets in security

Rule 2. dont forget rule 1

but...

...there is a rule 3

rule 3. just because a security mechanism doesnt solve all of our problems doesnt mean its worthless.

I see this with security consultants all the time, they playa hate on static analysis or some scanning tool where they can find hundreds of things the tool doesn't. Fair point except 99.9999% of IT can't and won't find them. Engineering is about solving one incremental problem at a time.

"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."

This misses the point of federation. i carry around one atm card its up to banks, Visa, Cirrus and so on to make sure i get my cash. the funny thing about banks not understanding federation is that they have the bet example right in front of their noses, the problem is its in a different department so they never see it.

"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."

rule 4. do your own due diligence

Tokens and federation are important building blocks for our digital future. I will leave you with a story that Robert Morris Sr. told at Defcon several years ago:

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think its Norway"

I said "well who plows the roads?"

"well Norway does, but he have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the us, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?

In a general way, does the atm system actually work in some reasonable sense? To which the answer is by the way: yes. The atm system damn well works. With extremely high reliability and accuracy. It surprises me. Its quite a bit different than voting machines.

Technology Tales from Thailand: KBank Fraud Management

Wed, 20 Aug 2008 03:16:51 +0000

In The Magical ATM Card and SMS Message in Thailand we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in Keyloggers: Why Banks Need Two-Factor Authentication I described how KBank uses SMS-based one-time-passwords (OTP) to authenticate transactions.

In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card. I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction. The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature. (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).

As the story goes, I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit dard. Why?

My US-based VISA debit card was cloned sometime on or before August 8th. I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant. The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.

This would not have happened with KBank SMS-based transaction notification services.

The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water”). If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai. I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.

In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc). You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.

I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US. I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.

Hacker Reportedly Kidnaps, Tortures Informant, Posts Picture as Warning

Fri, 15 Aug 2008 15:05:22 +0000

Computer crime gets tough, as a Turkish hacker who specializes in selling ATM skimmers allegedly exacts revenge on an informant who was helping the media and police.

The Magical ATM Card and SMS Message in Thailand

Sun, 03 Aug 2008 09:30:52 +0000

It was not too long ago that I penned Keyloggers: Why Banks Need Two-Factor Authentication. In that post, I briefly mentioned how a number of banks in Thailand use inexpensive SMS-based two-factor authentication (2FA) with one-time password (OTP) to authenticate transactions.

One of my favorite banks in Thailand is K-Bank. With K-Bank I can simply walk up to an ATM machine and pay a mobile phone bill, purchase mutual funds, buy insurance, or transact an ever-growing list of services payable at the modern and sleek K-Bank ATM.

For example, tomorrow I fly to Chiang Mai in Northern Thailand and found K-Bank’s service amazingly better than in the US. For example, I booked my flight as usual (over the phone, but could have used the Internet) and told the reservation agent I was going to pay by ATM. He simply gave me a PayCode and told me I had three hours to go to the ATM and enter the PayCode to perfect my reservation. I also got the PayCode via SMS. This gave me the time I needed to make sure I had booked the perfect boutique hotel in Chiang Mai, the Fern Paradise.

Then, I went out into the beautiful Thai weather and completely my airplane reservation at the ATM machine; which also printed out a receipt with my flight details and reservation number.

It sometimes amazes me how much further advanced some services are in Thailand compared to the US. To me, it feels more secure not to use an on-line payment center or give out my credit card details over the phone. I can simply book a ticket, take a PayCode, and complete the transaction at a nice modern, shiny, K-Bank ATM machine.

Who knows, maybe soon I can select the perfect window seat at the ATM and the receipt will act as my boarding pass!