Slashdot Mirror


Man Used MP3 Player To Hack Cash Machines

Juha-Matti Laurio writes "A man in Manchester, England has been convicted of using an MP3 player to hack cash machines. The MP3 player was plugged into the back of free standing cash machines in bars. Tones being recorded from the phone line were decoded with special software to a readable format. Later this information was used to clone credit cards."

14 of 156 comments

  1. Police found fake card. by Jawood · · Score: 4, Interesting
    Police uncovered the scam almost by accident when they stopped Parsons for making an illegal u-turn in a car in London. They found a fake bank card in his possession and searched his home in Manchester, where they found the evidence with which to prosecute.

    How does one know if it's a fake credit card? I have received cards from retailers for store credit that look like fake credit cards (Ikea). I assume that the fake credit cards look like the real thing. That's why when you go to Lowes, the cashier will ask to see the last four digits on your card. According to one of the clerks, Lowes has been a victim of phoney credit cards - thieves will take a card and reprogram the magnetic strip on the back with a valid number.

    Also, do the British police have that kind of power that they can just investigate all of that over just a traffic stop?

    1. Re:Police found fake card. by fredklein · · Score: 2, Interesting

      Why are the cops comparing names on all the cards in his wallet for a traffic stop??

    2. Re:Police found fake card. by emilyridesabmx · · Score: 2, Interesting

      I imagine that the card was an unprinted blank, and this guy just programmed the mag strip with the correct info needed to withdraw money. The actual printed info on the card has no bearing on how an ATM, or other reader, perceives it. That's only for cashiers. It's pretty difficult to imprint a blank with the raised numbers, colors and holograms. It's simple to program a mag strip. I'm surprised this doesn't happen much more frequently.

      --
      Et In Arcadia Ego
  2. No encryption by TorKlingberg · · Score: 4, Interesting

    Banks don't encrypt the communication between ATMs and the bank? Seriously?

    1. Re:No encryption by multisync · · Score: 2, Interesting

      Exactly. Why is it we always see headlines about people "hacking" this and that, but we never read about people responsible for putting our information - not to mention our credit ratings - at risk being hauled in front of a judge to answer for their negligence.

      --
      I don't care why you're posting AC
    2. Re:No encryption by dami99 · · Score: 2, Interesting

      I disagree.

      I think we can consider things like AES to be safe for a while yet. (At the minimum, not worth cracking for someone's PIN # or CC#)

      All the same, implementing a new encryption algorithm on these machines should, for the most part, be no more difficult than a firmware upgrade. I don't imagine that's too involved of a process to do every few years.

      "keeping up with all the different encryption methods would be cost prohibitive"
      --- I don't buy that either, encryption standards neither change often, nor vary wildly in their implementation.

  3. Not possible in the U.S. by Salvance · · Score: 5, Interesting

    This may be possible in Europe, but I don't believe it's possible in the U.S. anymore. 3DES has been the standard ATM encryption method for a few years, and almost all ATM machines have been converted to 3DES (by Dec 31st they apparently won't operate unless they are 3DES since the ATM networks will only allow encrypted communications).

    Even if someone can no longer use a generic man-in-the-middle attack in the future due to encryption, it's amazing how many other means for ATM fraud still exist. I couldn't believe this one when I saw it the other day.

    --
    Crack - Free with every butt and set of boobs
    1. Re:Not possible in the U.S. by Anonymous Coward · · Score: 1, Interesting

      part of the issue is that prior to signature-debit ... all debit transactions required the associated PIN ... and just skimming and replaying the rest of the transaction detail (replay attack including creating a counterfeit card for replay attack) wasn't sufficient to perform a fraudulent transaction.

      with the introduction of signature-debit, the rest of the information is now vulnerable to replay attacks (i.e. including creating a counterfeit card for use in pin-less signature-debit transactions).

      slight drift, new attacks on the financial PIN processing
      http://www.garlic.com/~lynn/2006u.html#47
      http://www.garlic.com/~lynn/2006u.html#48
      and
      http://www.garlic.com/~lynn/aadsm26.htm#6

      news item from last year comparing signature and pin debit fraud:
      http://www.digitaltransactions.net/newsstory.cfm?newsid=738

  4. Re:So the criminal is convicted... by YrWrstNtmr · · Score: 2, Interesting

    How about we call it the "Computer Responsibility Act (Provisional)"

    It's already illegal to do what this guy did. Make it harder, and you simply 'make it harder' for criminals, not impossible. I don't think what the ATM makers did (non-encryption) is 'far far worse'. Leaving your car unlocked is not 'far far worse' than the clown who steals it.

  5. Phreaking... by Cyno01 · · Score: 2, Interesting

    So payphones are more secure than ATMs? I still always keep a $.25 tone on my MP3 players, more for nostalgia than anything else.

    --
    "Sic Semper Tyrannosaurus Rex."
  6. There's law, and there's reality by Beryllium+Sphere(tm) · · Score: 2, Interesting

    If you're African-American on a lonely road with N Caucasian police officers around you from a jurisdiction known for unprofessionalism, standing on your rights might be unwise.

    Also be civil to the officer and don't make his/her job any harder than it already is. Remember that if the officer swears in court that you were throwing bags of white powder out the window and you swear that you weren't, the judge will believe the officer and uphold the search. *The officer knows this*. This happens in real life: I knew a criminal lawyer who'd seen a case like that. Many police officers are too honest to pull something like that, some will do it but only to nail down known criminals, some will rationalize it against anyone who acts like a jerk.

  7. Re:Um... by Marcion · · Score: 2, Interesting

    The worrying thing was that he was only caught because he was a crappy driver. The actual 'Link' cash machines (which cost £1.50 to use) are still there in pubs and bars. The banks do not seem to care that normal people are getting their cash stolen.

    How many other people are doing this? There seems to be no way to stop it until they recall every one of these machines and remove the USB ports.

  8. novelty value only by pbjones · · Score: 2, Interesting

    The same could be done several different ways; just because they use an MP3 player as a recording device, shock/horror, doesn't mean that it should even have been the subject of a /. entry. I prefer the stories about the micro-camera above the keypad and the card reader in the phoney face plate. I check for this each time. Or even better: a friend ends up with the wrong card after leaving a bar; the barman had swapped the card and is recording PIN numbers via a repositioned security camera.

    --
    There was an unknown error in the submission.
  9. Re:No encryption - Worse than you think. by MtlDty · · Score: 4, Interesting

    It's probably worse than you think. (I write software for card authorisation and Electronic Funds Transfer systems.)

    In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that day's transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.

    You can imagine for large stores that the file will contain thousands of live card numbers. It's like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).