Slashdot Mirror


Tracking a Bluetooth ATM Skimming Gang In Mexico

tsu doh nimh writes: Brian Krebs has an interesting and entertaining three-part series this week on how he spent his summer vacation: driving around the Cancun area looking for ATMs beaconing out Bluetooth signals indicating the machines are compromised by crooks. Turns out, he didn't have to look for: His own hotel had a hacked machine. Krebs said he first learned about the scheme when an ATM industry insider reached out to say that some Eastern European guys had approached all of his ATM technicians offering bribes if the technicians allowed physical access to the machines. Once inside, the crooks installed two tiny Bluetooth radios — one for the card reader and one for the PIN pad. Krebs's series concludes with a closer look at Intacash, a new ATM company whose machines now blanket Cancun and other tourist areas but which is suspected of being connected to the skimming activity.

44 comments

  1. Once again the weak link is people by Anonymous Coward · · Score: 5, Insightful

    Screw penetrating layers of complex, trusted security systems. Meager bribe to one underpaid and overworked average joe and you get the keys to the kingdom.

    If I were doing a serious pen test know where I'd look first? HR. Turnover and employee dissatisfaction will highlight where the biggest security holes are.

    1. Re:Once again the weak link is people by Nidi62 · · Score: 1

      Clearly the most logical way to secure your systems is to actually terminate employees who have been let go. On the plus side this lets you avoid having to pay out those pesky severance packages.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:Once again the weak link is people by swb · · Score: 1

      I knew that shitcanning anyone who didn't drink the kool-aid was the right thing to do. No fucking malcontents on my watch.

    3. Re:Once again the weak link is people by p51d007 · · Score: 0, Troll

      Here, let me fix this for you! Because police in the US are ruled by the DEMOCRATS, they are in bed with the criminals. They hate us and want to steal from us. Constantly.

    4. Re:Once again the weak link is people by Anonymous Coward · · Score: 1

      are you ... serious ? I fucking hate living in seattle because of you liberal fucktards. And I'm from seattle. I am socially liberal. But I'm not a fucktard.

      Maybe you're joking though ?

    5. Re:Once again the weak link is people by Anonymous Coward · · Score: 5, Funny

      Unless they are terminated by dismemberment. Then you'll be needing several severance packages.

    6. Re:Once again the weak link is people by maeka · · Score: 1

      Once again the weak link is people

      If you had read the article and not just the summary you would have learned that the first problem of bribed field technicians has a technological solution (dual key/user required for hardware or software modifications) which most likely wasn't being used.

      And that the second problem, the company in question most likely is a criminal shell corporation, no need to bribe its employees, fraud is their business.

    7. Re:Once again the weak link is people by Anonymous Coward · · Score: 0

      Well played, AC.

    8. Re:Once again the weak link is people by Anonymous Coward · · Score: 0

      Even with untrustworthy people in the field, the security could still be a lot better with chip+PIN than with magstripe+PIN.

    9. Re:Once again the weak link is people by Anonymous Coward · · Score: 0

      I don't know why there isn't any oversight in ATMs. These should be built so the minimum wage "security" dumbasses that deliver the cash don't have access to anything other than the cash in the system. Then someone who gets a really, really good wage (read: unbribable wage) would have access to a secure black box inside to do updates. Thus the peons filling up the cash in there have no access to USB ports or anything else inside the ATM.

      They could also log all access, a security code should be required every single time, taking pictures all around the ATM every time someone opens the box. If a compromise happened, the "security guard" whose code got entered to open the box gets tossed in jail.

    10. Re:Once again the weak link is people by Anonymous Coward · · Score: 0

      Dual user measures will never be used for field service work because no one will want to pay 2 field techs. Give the second access key to an employee of the host business? 17-year-old convenience store workers would never just toss the tech the second key/code and go back to doing whatever I am sure. Especially not if they are the only employee on staff and have other duties.

    11. Re: Once again the weak link is people by mc551995 · · Score: 0

      Some crooks driving around the Cancun area looking for ATM beacon for hack them out via Bluetooth signals US check that. These indicating the machines are compromised.

  2. Brian Krebs rocks by Kludge · · Score: 2

    Brian Krebs is awesome.

    1. Re:Brian Krebs rocks by FirstOne · · Score: 1

      He got lucky that these criminals aren't a bit smarter and didn't invest a bit more effort into their hack, i.e. adding a BT stealth mode.

      Where the hacked modules shut down BT transmission until they received certain MAC IDs. Which would make them completely undetectable except by close visual inspection. :-(

      A somewhat reliable countermeasure would be to,
      1st, Separate the money loading into a different compartment that doesn't give access to the electronics.
      2nd, Restrict down (people wise) and log all access to the electronics section.
      3rd, The moment the electronics bay is opened, the ATM is disabled (except for testing), until turned back on by headquarters.
      4th, When the tech is done servicing the electronics section he/she sends time-stamped photos of electronics+visible serial number+selfie (in front of locked up ATM still in diag mode) to HQ and then calls in to re-activate the ATM.

  3. Nothing good happens in Mexico by Anonymous Coward · · Score: 2, Funny

    You're asking for trouble if you visit that shithole.

    Trump 2016!!!

    1. Re:Nothing good happens in Mexico by known_coward_69 · · Score: 1

      yep. just came out today that AT&T is suing a few former employees who facilitated the whole iphone unlocking thing a few years back. they took $10,000 to install some software on their systems to allow swift unlocks to unlock iphones

    2. Re:Nothing good happens in Mexico by p51d007 · · Score: 0

      Well, I'm not a Trump fan, I don't trust him one bit, but, if it were between him, and the socialist/communist Bernie Sanders, I'd go with Trump. Bernie is about as close to a Mao/Stalinist as we've ever come.

    3. Re:Nothing good happens in Mexico by Anonymous Coward · · Score: 0

      How do you choose between a giant douche and a turd sandwich?

    4. Re: Nothing good happens in Mexico by Anonymous Coward · · Score: 0

      No please don't!!!

    5. Re:Nothing good happens in Mexico by Anonymous Coward · · Score: 0

      How do you choose between a giant douche and a turd sandwich?

      Ever have that “not so fresh feeling”

    6. Re:Nothing good happens in Mexico by Anonymous Coward · · Score: 0

      Give each one a taste! Mmmmm!

    7. Re:Nothing good happens in Mexico by myowntrueself · · Score: 2

      Well, I'm not a Trump fan, I don't trust him one bit

      You trust other politicians??

      --
      In the free world the media isn't government run; the government is media run.
  4. analogy by Anonymous Coward · · Score: 0

    If the video game industry should remove all the DRM and HBO give away free GoT due to the stupid cow principle (it just takes one smart cow to let the herd through), maybe the ATMs and banks should just give away free money?

    Answer: people stop caring about their work.

  5. They already are by SuperKendall · · Score: 1

    maybe the ATMs and banks should just give away free money?

    Didn't you read the article? They are.

    It's just the money they are giving away is yours, to the people installing bluetooth skimmers.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. "Turns out, he didn't have to look for" by Camel+Pilot · · Score: 4, Informative

    Should that be "far"? Editors to the main deck please.

    1. Re:"Turns out, he didn't have to look for" by Anonymous Coward · · Score: 1

      Slashdot has editors?

  7. This is why I like my low credit limit cards by RPGonAS400 · · Score: 2

    This was one of the first times I took the time to RTFA - not just one, but all 3 installments. It was a really interesting read.

    I like using a low credit limit card for most transactions just for the very reason that I lack trust in the system.

  8. Hmmmm by koan · · Score: 1

    While I applaud his research, making cartels mad is an unhealthy idea.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Hmmmm by Anonymous Coward · · Score: 0

      Yeah, and it's not like they don't have friends/associates in the U.S. either.
      I think he may have stepped on some pretty serious toes this time.

  9. Call me a pussy... by Anonymous Coward · · Score: 1

    ... but personally I prefer less risky vacations, such as trying to find the gas leak under my house with a candle, or going on a safari, unarmed, while wearing a shirt made of bacon.

    1. Re:Call me a pussy... by HairyNevus · · Score: 1

      Call me a pussy[...]while wearing a shirt made of bacon.

      IANAD, but I think bacon smell down there is a sign of gonorrhea. Unless you meant shirt of salmon?

      --
      You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
  10. Bluetooth? Or "Bluetooth Smart" / BLE? by Ungrounded+Lightning · · Score: 1

    Bluetooth? Or "Bluetooth Smart" / "BLE" ("Bluetooth Low Energy")?

    This sounds like a converted commodity iBeacon, which would be BLE, the new Internet of Things protocol.

    Though promulgated by the Bluetooth SIG and using some of the upper layer organization, at the lower layers BLE is a very different radio system and protocol.

    It's also very convenient for building stuff: The chips have powerful computers (which sleep most of the time so the batteries last), reasonable amounts of RAM and FLASH, built-in radios, several GPIO and comm ports (UART, USB, SPI, ...), are dirt cheap, and can be easily reprogrammed by easy-to-get and quite cheap equipment and tools.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  11. Re:Bluetooth? Or "Bluetooth Smart" / BLE? by Ungrounded+Lightning · · Score: 1

    Though promulgated by the Bluetooth SIG and using some of the upper layer organization, at the lower layers BLE is a very different radio system and protocol.

    Its definition is promulgated by being added to the Bluetooth standard, with the first version added at 4.0.

    If these devices ARE BLE-based, and if your laptop or smartphone Bluetooth peripheral is 4.0 or higher (4.2 just came out), you'll be able to run stock apps (such as bluez's hcitool with the lescan option on Linux, or lightblue on an iDevice) to look for the "beacons" described in the article.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  12. Great Read by Anonymous Coward · · Score: 0

    Very interesting read.

    But, now that the word is out, it may be that the technology will be updated, and need an RFID card nearby to activate the radio, or type a passcode into the keypad or something.
    Changing the name from Free2Go to other things would also make it more difficult to spot.
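
Added example, not part of the original thread or any poster's code: a shell filter over `hcitool lescan` output (the tool named in the comments above) that flags advertisers by name, using the "Free2Go" name mentioned in the thread. The function names, the `WATCHLIST` variable and the sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Flag BLE advertisers whose name matches a watchlist, from `hcitool lescan` output.
# Live use (needs root and a Bluetooth 4.0+ adapter):
#   sudo timeout 15 hcitool lescan | flag_beacons

# Names to flag, as a lowercase regex. "Free2Go" is the name quoted in the thread.
WATCHLIST='free2go'

# flag_beacons: read scan lines ("AA:BB:CC:DD:EE:FF name") on stdin and print
# one "MAC<TAB>name<TAB>sightings" line per flagged device, sorted by MAC.
flag_beacons() {
    awk -v pat="$WATCHLIST" '
        # Skip the "LE Scan ..." banner and anything without a leading MAC.
        length($1) != 17 || $1 !~ /^[0-9A-Fa-f:]+$/ || split($1, oct, ":") != 6 { next }
        {
            mac = toupper($1)
            name = ""
            if (NF > 1) { name = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", name) }
            seen[mac]++
            # A device often shows up as "(unknown)" first and with its name
            # later; keep the real name once it has been seen.
            if (name != "" && name != "(unknown)") names[mac] = name
        }
        END {
            for (mac in seen)
                if (tolower(names[mac]) ~ pat)
                    printf "%s\t%s\t%d\n", mac, names[mac], seen[mac]
        }
    ' | sort
}

# Constructed sample of scan output (addresses and names are made up).
sample_scan() {
    cat <<'EOF'
LE Scan ...
00:11:22:33:44:55 (unknown)
00:11:22:33:44:55 Free2Go
AA:BB:CC:DD:EE:01 Fitness Band
00:11:22:33:44:55 Free2Go
aa:bb:cc:dd:ee:02 (unknown)
66:77:88:99:AA:BB free2go
EOF
}

sample_scan | flag_beacons
```

Name matching is only a heuristic: as the commenters note, a device that is renamed or that stays silent until activated will not show up in a scan like this.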

  13. Do A Search by Toad-san · · Score: 1

    More interesting / scary stuff out there. Esp. about Intacash:

    http://www.getoto.net/noise/ta...

    And how to do the checking yourself:

    http://networktoolbox.de/check...