Slashdot Mirror


Man Used MP3 Player To Hack Cash Machines

Juha-Matti Laurio writes "A man in Manchester, England has been convicted of using an MP3 player to hack cash machines. The MP3 player was plugged into the back of free standing cash machines in bars. Tones being recorded from the phone line were decoded with special software to a readable format. Later this information was used to clone credit cards."

20 of 156 comments

  1. Um... by Spazntwich · · Score: 4, Insightful

    So he performed a generic man in the middle attack, recording information transmitted by modem and decoding it?

    Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?

  2. Remember folks... by davidwr · · Score: 5, Funny

    MP3 players don't defraud bank customers, people defraud bank customers.

    Unless of course they are Cylon MP3 players. Then they don't stop at fraud.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Excellent by Sqwubbsy · · Score: 3, Funny

    You see, my friends ridiculed me for getting an Archos Jukebox instead of an iPod.
    Guess they never saw the money making potential.

  4. Police found fake card. by Jawood · · Score: 4, Interesting
    Police uncovered the scam almost by accident when they stopped Parsons for making an illegal u-turn in a car in London. They found a fake bank card in his possession and searched his home in Manchester, where they found the evidence with which to prosecute.

    How does one know if it's a fake credit card? I have received cards from retailers for store credit that look like fake credit cards (Ikea). I assume that the fake credit cards look like the real thing. That's why when you go to Lowes, the cashier will ask to see the last four digits on your card. According to one of the clerks, Lowes has been a victim of phoney credit cards - thieves will take a card and reprogram the magnetic strip on the back with a valid number.

    Also, do the British police have that kind of power that they can just investigate all of that over just a traffic stop?

    1. Re:Police found fake card. by hey! · · Score: 4, Informative
      How does one know if it's a fake credit card?


      By noticing that the name on the card didn't match the name on his driver's license?
      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Police found fake card. by hey! · · Score: 3, Insightful

      TFA doesn't say that they went through his wallet. Only that "They found a fake bank card in his possession..."

      Whether it was proper or not depends on how they found the bank card, and what the rules in UK say about searches. Remember -- clever doesn't necessarily mean smart. It took a clever person to dream up the scam. But a smart person wouldn't travel around with incriminating evidence unless it is well hidden. For all we know he may have had a pile of loose credit cards on the passenger seat. That's the kind of blunder many clever people I know would be likely to commit.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:Police found fake card. by Anonymous Coward · · Score: 5, Funny
      I'm not sure about the UK, but in the US cops are trained to notice everything.
      I have so much crap in my car that they wouldn't even notice a dead cop on my floorboard.
  5. No encryption by TorKlingberg · · Score: 4, Interesting

    Banks don't encrypt the communication between ATMs and the bank? Seriously?

  6. On the downside by edwardpickman · · Score: 3, Funny

    The ATM charged him for all the illegal download music on his MP3 player so the robbery was a net loss.

  7. Not possible in the U.S. by Salvance · · Score: 5, Interesting

    This may be possible in Europe, but I don't believe it's possible in the U.S. anymore. 3DES has been the standard ATM encryption method for a few years, and almost all ATM machines have been converted to 3DES (by Dec 31st they apparently won't operate unless they are 3DES since the ATM networks will only allow encrypted communications).

    Even if someone can no longer use a generic man-in-the-middle attack in the future due to encryption, it's amazing how many other means for ATM fraud still exist. I couldn't believe this one when I saw it the other day.

    --
    Crack - Free with every butt and set of boobs
    1. Re:Not possible in the U.S. by fixer007 · · Score: 5, Informative

      The TDES encryption only encrypts the PIN block. The PAN and other card information is still in the clear.

      This is also mandated in Europe.

    2. Re:Not possible in the U.S. by Anonymous Coward · · Score: 3, Informative

      Are you a retard? Why do you think the infinite wisdom of average IQ morons on YouTube somehow makes a statement of irrefutable fact?

      Are you familiar with video editing? The video was "zoomed in" and as the suspect moved around, the zoomed in frame was moved around to focus on his movements. This is a very common procedure for CCTV footage aired on TV.

    3. Re:Not possible in the U.S. by flawedconceptions · · Score: 4, Informative

      The link is to a story about a guy who reprogrammed an ATM to think it was dispensing 5s while it was actually dispensing 20s. I was able to find the default passwords and re-programming instructions (all in the owner's manual) on the net without much trouble. At least one owner didn't bother to change the default passwords. I wonder how many others failed to do so.

    4. Re:Not possible in the U.S. by xstonedogx · · Score: 4, Informative
      The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous.

      Not when you realize they're talking about a default password.

      Bruce Schneier covered the story in question a while ago. Lots of good comments on the page, too: http://www.schneier.com/blog/archives/2006/09/programming_atm.html

    5. Re:Not possible in the U.S. by bluephone · · Score: 4, Informative

      "The video of the suspect is a fake. Fixed cameras can't track movement like that. Even a remote movable camera couldn't pan that smoothly. CNN should have the decency to say openly that the video is a dramatization."

      BUT a shoulder-mounted camera held by a cameraman pointed at a CCTV display and zoomed in on the suspect CAN track movement.

      "The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous."

      Agreed, but it's true.

      "In order to edit any ATM internals you need to open the machine"

      Not true. Many kiosk ATMs are programmed from the front panel, there's not always a need to open the machine for various administrative actions.

      "which would give you direct access to the cash ANYWAY."

      Also not true. You can open it but the money is still in locked steel dispenser-cages, and those cages are usually locked into the machine even with the door open.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  8. Movie by z_gringo · · Score: 3, Funny

    I saw this movie! Harrison Ford was in it, and lots of people were talking about how stupid it was, except he used the MP3 wired to a fax machine to "read" the numbers off the screen, which was pretty stupid.

    It's too bad they didn't think up something more plausible like what this guy did.

    --
    -- -- Warning. Do not stare directly at the sun.
  9. NO THEY DON'T!!!!! by no+reason+to+be+here · · Score: 4, Informative

    US police DO NOT have the right to search your car for a routine traffic stop. It is a violation of the 4th amendment, and every time a cop asks to search your vehicle without reason, and you let him, you are just throwing your constitutional rights away. If a cop pulls you over because you were speeding or your inspection is expired or because you didn't come to a complete stop at a stop sign, et al, he does not have the right to search your vehicle. I repeat:

    POLICE DO NOT HAVE THE RIGHT TO SEARCH YOUR CAR DURING A ROUTINE TRAFFIC STOP IN THE US!!!

    Now then, if something else is amiss, like say, when the cop turned on his lights, you started throwing bags of white powder out the windows onto the highway median, then he does have the right to search your vehicle.

  10. Ogg Players by Anonymous Coward · · Score: 3, Funny

    If it had been an Ogg Vorbis player, instead of allowing the man to steal for himself, it would have taken the total balance on the cash machine and redistributed it equally to all accounts.

  11. 4th, 5th, 6th Amendment Wallet Cards to carry by bewert · · Score: 3, Informative

    NORML's is here, and another one from a lawyer is here. Well worth printing out and laminating and keeping in your billfold. Two things to note: 1) If you happen to be on a military base, even just to turn around and leave because you made a wrong turn, your rights are severely abridged. If you are on their property the military is free to search anything they want. 2) The War On Drugs has created a lot more room for officers to maneuver in if the key phrase "drugs" is used. Here is a rather disheartening discussion about this "special" area of search law.

  12. Re:No encryption - Worse than you think. by MtlDty · · Score: 4, Interesting

    It's probably worse than you think. (I write software for card authorisation and Electronic Funds Transfer systems.)

    In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that day's transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.

    You can imagine for large stores that the file will contain thousands of live card numbers. It's like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).
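
Added example, not part of the comment above and not code from any bank or vendor: a pre-transmission check for the end-of-day polling file concern, which scans a batch for full, Luhn-valid card numbers before it leaves over an unencrypted link. The pipe-delimited layout, field order and function names are assumptions; the card numbers are publicly documented test PANs.

```python
import re

# Constructed sample of an end-of-day batch file; the layout is an assumption,
# and the card numbers are publicly documented test PANs, not live data.
SAMPLE_BATCH = """\
HDR|STORE0042|2006-11-20
TXN|4111111111111111|0908|00012.50
TXN|5555555555554444|1107|00149.99
TXN|411111******1111|0908|00003.20
TXN|1234567890123456|0110|00020.00
TRL|4
"""

# 13-19 consecutive digits that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cleartext_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid PAN in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            pan = match.group()
            if luhn_valid(pan):
                # Report first six and last four only, never the full number.
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                findings.append((lineno, masked))
    return findings

def safe_to_transmit_unencrypted(text: str) -> bool:
    """A batch is only safe on a cleartext link if it holds no full PANs."""
    return not find_cleartext_pans(text)

if __name__ == "__main__":
    for lineno, masked in find_cleartext_pans(SAMPLE_BATCH):
        print(f"line {lineno}: cleartext PAN {masked}")
```

The already-masked record and the 16-digit value that fails the Luhn check are not reported, which keeps the check usable as a gate in a batch submission job.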