
Skimming: AIB new atms

  • 11-04-2011 9:39am
    #1
    Registered Users Posts: 367 ✭✭


    http://krebsonsecurity.com/2011/03/green-skimmers-skimming-green/

    Atm with Skimmer:

    greenskimon.jpg



    Atm without skimmer:

    greenskimoff.jpg



    There's some good info on krebsonsecurity.com about what to look out for on skimming.


    Apparently some Russian guy who is selling these skimmers claims his skimmer won’t work on Russian ATMs: “It will immediately disrupt those wishing to operate via Russian ATMs: A majority of the BINs [Bank Identification Numbers] of Russian banks are hardwired into the chip; they are not processed.”

    It's bad news for us in Ireland, as these AIB ATMs are very new and they're already getting around them.


Comments

  • Registered Users Posts: 8,813 ✭✭✭BaconZombie


    Larger version of the pics in the original thread:

    Skimmer for New AIB ATM caught in the wild!!!!
    http://www.boards.ie/vbulletin/showthread.php?p=70467996


  • Registered Users Posts: 367 ✭✭900913


    It's also posted in a local Limerick newspaper. http://www.limerickleader.ie/news/local/man_arrested_by_limerick_gardai_in_connection_with_global_fraud_operation_1_2457742

    The part I don't understand is why would a Russian fraudster be bothered about hard coding the chip to ignore Russian BINs [Bank Identification Numbers].


  • Closed Accounts Posts: 6,151 ✭✭✭Thomas_S_Hunterson


    900913 wrote: »
    The part I don't understand is why would a Russian fraudster be bothered about hard coding the chip to ignore Russian BINs [Bank Identification Numbers].

    You don't piss in your own swimming pool.


  • Registered Users Posts: 367 ✭✭900913


    Normal fraudsters don't have swimming pools, urinals or morals.

    They would piss on anything with a profit in it.

    It's like an Irish bank robber robbing a bank and just taking all the foreign currency.


  • Registered Users Posts: 367 ✭✭900913


    The Banks could stop skimming if they wanted to.

    eg.

    The skimmers want your 4 digit pin number.

    To get into my bank of Ireland 365 online account I have to enter a random 3 digits of my 6 digit pin.

    What about having a "secret 6 digit" pin that only randomly asks for, let's say, the 1st, 4th and 5th today, followed by your bank pin?
    Now your get cash pin is 7 random digits.

    Now let's see some skimmer guess the first 3 digits of your 7 digit pin code.

    To make it harder for the skimmer you could randomise if the pin or the secret 6 digit pin gets asked first.

    Stupid w/*ankers
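
The challenge scheme proposed in the post above (three randomly chosen digits of a six-digit secret code, followed by the four-digit PIN), sketched as an added example that is not part of the original thread. All names and sample values are constructed; `guess_success_probability` assumes the four-digit PIN is already known to an observer, since it is typed in full on every withdrawal, and measures how much protection the secret code still gives once some of its positions have been seen.

```python
import hmac
import secrets
from fractions import Fraction
from itertools import combinations

SECRET_LEN = 6   # length of the "secret 6 digit" code from the post
ASKED = 3        # positions requested per withdrawal

def new_challenge(rng=secrets.SystemRandom()):
    """Pick which 1-based positions of the secret code the ATM asks for."""
    return sorted(rng.sample(range(1, SECRET_LEN + 1), ASKED))

def verify(secret_code, bank_pin, positions, entered):
    """Check the 7 entered digits: the asked positions, then the bank PIN."""
    expected = "".join(secret_code[p - 1] for p in positions) + bank_pin
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(expected.encode(), entered.encode())

def guess_success_probability(seen_positions):
    """Residual risk after some positions of the secret code were observed.

    Averages over every possible challenge: positions already observed
    are answered correctly, each unobserved digit is a 1-in-10 guess.
    """
    seen = set(seen_positions)
    challenges = list(combinations(range(1, SECRET_LEN + 1), ASKED))
    total = sum(Fraction(1, 10 ** len(set(c) - seen)) for c in challenges)
    return total / len(challenges)

if __name__ == "__main__":
    # Constructed sample account: secret code 271828, bank PIN 4321.
    print(verify("271828", "4321", [1, 4, 5], "2824321"))
    for seen in ([], [1, 4, 5], [1, 2, 4, 5, 6], range(1, 7)):
        print(sorted(seen), guess_success_probability(seen))
```

The numbers show the limit of the idea: the secret code only helps until enough withdrawals have been observed at the same compromised machine, so it slows a skimmer down rather than stopping one.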


  • Registered Users Posts: 367 ✭✭900913


    I just thought.

    Anything more than a 4 digit pin messes up the banks main income.

    ie:
    Any shop with a cc outlet.

    It's up to the banks to secure their lame 4 digit pin joke for ATMs.

    But if they fix the ATM problem, I'm guessing that will have an effect on all their shop (atm cc) sales.

    As I see it, the banks should be liable for all illegal transactions made from an account that is using a 4 digit numerical pin.

    Maybe 20 years ago a 4 digit password was great, but this is 2011 and many ATMs are still running on Windows 2000.

    Would a qwerty layout keyboard kill the bankers or the skimmers?


  • Registered Users Posts: 163 ✭✭line6


    900913 wrote: »
    It's also posted in a local Limerick newspaper. http://www.limerickleader.ie/news/local/man_arrested_by_limerick_gardai_in_connection_with_global_fraud_operation_1_2457742

    The part I don't understand is why would a Russian fraudster be bothered about hard coding the chip to ignore Russian BINs [Bank Identification Numbers].

    backhanders from that crowd?


  • Registered Users Posts: 367 ✭✭900913


    Quote:
    Originally Posted by 900913
    It's also posted in a local Limerick newspaper. http://www.limerickleader.ie/news/lo...tion_1_2457742

    The part I don't understand is why would a Russian fraudster be bothered about hard coding the chip to ignore Russian BINs [Bank Identification Numbers].


    backhanders from that crowd?


    .gov backhanders, never..


  • Registered Users Posts: 34,812 ✭✭✭✭o1s1n
    Master of the Universe


    Argh, I got a phonecall a minute ago from the AIB saying my ATM card had been skimmed. Rang my girlfriend to mention it to her and she said she'd just gotten the exact same phone call a moment before. I guess we both used the same ATM machine. Have to cancel my card. Pain in the arse!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    o1s1n wrote: »
    Argh, I got a phonecall a minute ago from the AIB saying my ATM card had been skimmed. Rang my girlfriend to mention it to her and she said she'd just gotten the exact same phone call a moment before. I guess we both used the same ATM machine. Have to cancel my card. Pain in the arse!


    Post the ATM location, just in case fellow boardsies are at risk.


  • Registered Users Posts: 1,311 ✭✭✭Procasinator


    900913 wrote: »
    As I see it, the banks should be liable for all illegal transactions made from an account that is using a 4 digit numerical pin.

    I think they are, as long as you took due precaution (don't shout your pin around town and give your card to strangers).


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,242 CMod ✭✭✭✭Spear


    I think they are, as long as you took due precaution (don't shout your pin around town and give your card to strangers).

    They are and they do return the money. I got skimmed for €1200 about three weeks ago (probably an AIB ATM too) and it was returned by BoI after only 2 days once I submitted the form and ATM card back to them.


  • Registered Users Posts: 367 ✭✭900913


    As I see it, the banks should be liable for all illegal transactions made from an account that is using a 4 digit numerical pin.

    I think they are, as long as you took due precaution (don't shout your pin around town and give your card to strangers).

    I'm still pissing myself laughing. The illegal should be replaced with questionable. That sounds worse, but it will do for now..


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    They should use a scrambled keypad for entering the pin. The position of digits on the keypad changes each time it's used. If the viewing angle was also restricted physically and using a polarised filter to allow viewing at about where the user's head is then it would make it much harder to get the pin.
    They could also integrate high powered IR LEDs to try and blind a camera as most of them are sensitive to infrared but the human user won't see it.

    This is an example of a scramblepad for door access, I install and service these for some clients and they are quite effective.

    http://www.hirschelectronics.com/products-services/physical-security/readers-keypads-biometrics/scramblepad/ds47l


  • Registered Users Posts: 367 ✭✭900913


    Keep the ideas flowing, there's some good ones.

    The criminals will always adapt to any new security feature, and usually the more sophisticated the security gets,
    the less sophisticated and more violent the criminals get.

    An example is car immobilisers. Now instead of stealing your car from your garden, the f'ers break into your home while you're sleeping just to get the keys. And if you disturb them they wouldn't think twice of hurting you.


  • Registered Users Posts: 1,444 ✭✭✭AlmostQuick


    o1s1n wrote: »
    Argh, I got a phonecall a minute ago from the AIB saying my ATM card had been skimmed. Rang my girlfriend to mention it to her and she said she'd just gotten the exact same phone call a moment before. I guess we both used the same ATM machine. Have to cancel my card. Pain in the arse!
    I got the same call a couple of weeks ago, card used in Brazil! At least the bank's security systems seem to pinpoint fraud fairly quickly. The money was returned to my account this week but when I queried where the card may have been skimmed the bank wouldn't discuss that. I use around three or four local ATMs regularly but I'm wondering every time I put the card in now...


  • Registered Users Posts: 184 ✭✭Razzuh


    900913 wrote: »
    I just thought.
    Would a qwerty layout keyboard kill the bankers or the skimmers?

    I was in Luxembourg recently and was surprised to see that the atms there have qwerty keyboards. First time I've seen it, great idea in my opinion.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,219 Mod ✭✭✭✭Capt'n Midnight


    900913 wrote: »
    Keep the ideas flowing, there's some good ones.
    We don't need good ideas.

    We just need the banks to take back responsibility for chip and pin losses since it's been demonstrated many times that chip and pin is not secure.

    When the banks take the risk then they will have a reason to spend money to increase security, until then they won't.

    Unfortunately it is that simple.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,219 Mod ✭✭✭✭Capt'n Midnight


    900913 wrote: »
    The part I don't understand is why would a Russian fraudster be bothered about hard coding the chip to ignore Russian BINs [Bank Identification Numbers].
    It's so he won't be arrested in Russia, the theory is if no Russian banks are skimmed. Not sure how well that works in practice but it would draw less attention from local law enforcement.


  • Registered Users Posts: 367 ✭✭900913


    What you said is true, it's the organization behind the "no Russian Banks skimming" that gets me thinking.

    I've never heard of a criminal saying, "not in my country".

    btw is there any money in the Russian ATMs, as ours are nearly empty. :)

    *edit

    I hope the smart Russian ATM skimmer/makers have removed the Ireland BIN code too.

    No Money Here,,,,
    It's so he won't be arrested in Russia, the theory is if no Russian banks are skimmed. Not sure how well that works in practice but it would draw less attention from local law enforcement.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Wot is disss?^


  • Registered Users Posts: 37,485 ✭✭✭✭Khannie


    Wot is disss?^

    Was someone trying to sell stolen credit card information. Deleted now.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Khannie wrote: »
    Was someone trying to sell stolen credit card information. Deleted now.

    Oh, google had loads of results, pastebin page was empty.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    bedlam wrote: »
    You are looking at it wrong, if you had cards to sell would you dump the cards and pin to pastebin/boards/wherever or your contact details ;)
    OOOps:o


    Where have you been hiding?


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    Speaking of the AIB ATMs, I don't understand the reasoning behind the big green flashy yoke. It seems odd to me that you're training clients to put their card into what is obviously a very odd looking attachment which is not flush with the rest of the machine. To be honest when I first saw it on an ATM I took a doubletake and decided to go elsewhere.


  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    Skimmers Hijack ATM Network Cables
    If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

    In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.


    networkskim2.png

    networkskim1.png

    No Encryption on these things??

    Must be a foreign thing to have ATMs not bolted down/in a wall.


  • Registered Users Posts: 68,545 ✭✭✭✭L1011


    You see ISDN NTs and DSL modems under/beside instore ATMs all over the place in the US.

