Slashdot Mirror

← Back to Stories (view on slashdot.org)

Man Used MP3 Player To Hack Cash Machines

Posted by ryuzaki0 on from the easy-money dept.

Juha-Matti Laurio writes "A man in Manchester, England has been convicted of using an MP3 player to hack cash machines. The MP3 player was plugged into the back of free standing cash machines in bars. Tones being recorded from the phone line were decoded with special software to a readable format. Later this information was used to clone credit cards."

13 of 156 comments (clear)

  1. Um... by Spazntwich · · Score: 4, Insightful

    So he performed a generic man in the middle attack, recording information transmitted by modem and decoding it?

    Hasn't this been done a million times before? Wouldn't it be easily performed with any sort of sound recorder?

  2. Remember folks... by davidwr · · Score: 5, Funny

    MP3 players don't defraud bank customers, people defraud bank customers.

    Unless of course they are Cylon MP3 players. Then they don't stop at fraud.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Police found fake card. by Jawood · · Score: 4, Interesting
    Police uncovered the scam almost by accident when they stopped Parsons for making an illegal u-turn in a car in London. They found a fake bank card in his possession and searched his home in Manchester, where they found the evidence with which to prosecute.

    How does one know if it's a fake credit card? I have recieved cards from retailers for store credit that look like fake credit cards (Ikea). I assume that the fake credit cards look like the real thing. That's why when you go to Lowes, the cashier will ask to see the last four digits on your card. According to one of the clerks, Lowes has been a victim of phoney credit cards - theives will take a card and reprogram the magnetic strip on the back with a valid number.

    Also, do the British police have that kind of power that they can just investgate all of that over just a traffic stop?

    1. Re:Police found fake card. by hey! · · Score: 4, Informative
      How does one know if it's a fake credit card?


      By noticing that the name on the card didn't match the name on his driver's license?
      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Police found fake card. by Anonymous Coward · · Score: 5, Funny
      I'm not sure about the UK, but in the US cops are trained to notice everything.
      I have so much crap in my car that they wouldn't even notice a dead cop on my floorboard.
  4. No encryption by TorKlingberg · · Score: 4, Interesting

    Banks don't encrypt the communication between ATMs and the bank? Seriously?

  5. Not possible in the U.S. by Salvance · · Score: 5, Interesting

    This may be possible in Europe, but I don't believe it's possible in the U.S. anymore. 3DES has been the standard ATM encryption method for a few years, and almost all ATM machines have been converted to 3DES (by Dec 31st they apparently won't operate unless they are 3DES since the ATM networks will only allow encrypted communications).

    Even if someone can no longer use a generic man-in-the-middle attack in the future due to encryption, it's amazing how many other means for ATM fraud still exist. I couldn't believe this one when I saw it the other day.

    --
    Crack - Free with every butt and set of boobs
    1. Re:Not possible in the U.S. by fixer007 · · Score: 5, Informative

      The TDES encryption only encrypts the PIN block. The PAN and other card information is still in the clear.

      This is also mandated in Europe

    2. Re:Not possible in the U.S. by flawedconceptions · · Score: 4, Informative

      The link is to a story about a guy who reprogrammed an ATM to think it was dispensing 5s while it was actually dispensing 20s. I was able to find the default passwords and re-programming instructions (all in the owner's manual) on the net without much trouble. At least one owner didn't bother to change the default passwords. I wonder how many others failed to do so.

    3. Re:Not possible in the U.S. by xstonedogx · · Score: 4, Informative
      The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous.

      Not when you realize they're talking about a default password.

      Bruce Schneier covered the story in question awhile ago. Lots of good comments on the page, too: http://www.schneier.com/blog/archives/2006/09/prog ramming_atm.html

    4. Re:Not possible in the U.S. by bluephone · · Score: 4, Informative

      "The video of the suspect is a fake. Fixed cameras can't track movement like that. Even a remote movable camera couldn't pan that smoothly. CNN should have the decency to say openly that the video is a dramatization."

      BUT a shoulder-mounted camera held by a cameraman pointed at a CCTV display and zoomed in on the suspect CAN track movement.

      "The idea that there's a "magic code" you can enter to edit ATM internals is ridiculous."

      Agreed, but it's true.

      "In order to edit any ATM internals you need to open the machine"

      Not true. Many kiosk ATMs are programmed from the front panel, there's not always a need to open the machine for various administrative actions.

      "which would give you direct access to the cash ANYWAY."

      Also not true. You can open it but the money is still in locked steel dispenser-cages, and those cages are usually locked into the machine even with the door open.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  6. NO THEY DON'T!!!!! by no+reason+to+be+here · · Score: 4, Informative

    US police DO NOT have the right to search your car for a routine traffic stop. It is a violation of the 4th amendment, and every time a cop asks to search your vehicle without reason, and you let him, you are just throwing your constitutional rights away. If a cop pulls you over because you were speeding or your inspection is expired or because you didn't come to a complete stop at a stop sign, et al, he does not have the right to search your vehicle. I repeat:

    POLICE DO NOT HAVE THE RIGHT TO SEARCH YOUR CAR DURING A ROUTINE TRAFFIC STOP IN THE US!!!

    Now then, if something else is amiss, like say, when the cop turned on his lights, you started throwing bags of white powder out the windows onto the highway median, then he does have the right to search your vehicle.

    --
    my pet machine
  7. Re:No encryption - Worse than you think. by MtlDty · · Score: 4, Interesting

    Its probably worse than you think. (I write software for card authorisation and Electronic Funds Transfer systems.)

    In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that days transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.

    You can imagine for large stores that the file will contain thousands of live card numbers. Its like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).