skimmer
Latest
Hacks turn Square's reader into a card-stealing machine (updated)
As helpful as a Square Reader may be for purchases at trendy stores, you'll want to watch out -- in the right circumstances, they can also be used to steal your credit card info. Security researchers have discovered that you can physically disable the encryption the device uses to protect your financial info, turning the Reader into a tiny, portable card skimmer. There's also a way to record the signal created by your card when you swipe its magnetic stripe on an unmodified Reader, which theoretically lets evildoers charge your card without approval.
Account-stealing bank machine skimmers are now virtually invisible
Bank machine skimmers, which swipe your account as you insert your card, have been getting increasingly harder to spot as the years go by; now, it looks like they're just about undetectable. Researchers at the European ATM Security Team have found skimmers that not only fit neatly into a card slot, but do a good job of hiding any other equipment they need to steal your info. One example (shown below) combined a virtually invisible skimmer with a cleverly hidden spy camera that recorded PIN code entries. Another disguised a system that captured card info through audio, and there are now translucent mini-scanners that even a keen eye might miss.
The definition of karma: PayPal president's credit card gets hacked
If you've ever lost access to your PayPal holdings through no fault of your own -- say, following a shady money transfer -- you may be tempted to enjoy a little schadenfreude today. PayPal president David Marcus reports that someone used a skimming device to clone his credit card while he was in the UK, letting the perpetrator make a "ton" of fraudulent purchases. It's virtually the embodiment of karmic payback, isn't it? In fairness, the executive is right when he notes that the incident wouldn't have happened if the merchant accepted PayPal; the company would have masked the card number and rendered the skimmer useless. And we sincerely hope that Marcus' finances are back in order. All the same, the affair shows just why business leaders should be sympathetic to their customers' problems -- one day, they may be stuck in the same boat.
Security researchers find new wafer-thin ATM card skimmers in use
ATM card skimming is hardly a new activity, and neither are card skimmers that continue to get smaller and more discreet. As Brian Krebs of the Krebs on Security blog reports, though, a new development out of Europe has now crossed a key, and potentially troublesome threshold. The European ATM Security Team (otherwise known as EAST) has discovered a new type of wafer-thin card skimmer in use in at least one unnamed European country that's small enough to fit directly in the ATM's card slot -- that's as opposed to most current skimmers that can be well-disguised but generally sit on top of the card slot. As you can imagine, that makes it considerably more difficult to spot for even the most attentive ATM users, but Krebs notes that the skimmer still requires a secondary device like a camera or keypad overlay to record a person entering their PIN.
Black Hat hackers demo Square card skimmer, feed it stolen credit card numbers
Here's some more fun out of Vegas, this time involving Jack Dorsey's Square and a little thing we like to call credit card fraud. Researchers from Aperture Labs (seriously) held two demonstrations at the Black Hat Conference. The first used a script, written by Adam Laurie, to convert stolen credit card data into a series of audio tones that were then fed to the Square app via the headphone jack on a phone -- removing the need to have a physical card. A second avenue of fraud, also using code authored by Laurie, turned the Square dongle into a skimmer. It intercepted incoming data, which is unencrypted, and spit out human readable numbers that could easily be used to clone a card. New hardware that encrypts information pulled from the magnetic strip is in the pipeline but, until then, it seems everyone's favorite smartphone-based payment service has some troublesome holes to fill.
Criminals constructing ATM skimmers from DAPs
A recent article from Brian Krebs highlights a new trend in ATM skimmers: by using parts from cut-rate audio players and spy cams, criminals are able to construct something called an audio skimmer that records the data from the magnetic strip for later playback. Also included in the device is a miniature spy cam, which captures the user's PIN. The basic methodology behind the device is nothing new (for instance, it could be found in an issue of Phrack dating back to 1992) although the use of DAPs means that the whole thing is a lot more elegant than it was in the days of the portable cassette recorder. According to a recent report by the European ATM Security Team (EAST), devices of this type have been found in five countries, two of them "major ATM deployers" (with 40,000 active ATMs or more). Please guys, don't get any ideas. PR from EAST after the break.
ATM scam at DEFCON clearly the work of ironic criminals
The hooligans in this case have a dry sense of humor or are extremely unlucky: Either way, we can't help but get a chuckle out of the fact that someone placed their smart card skimmin' faux ATM at the Riviera Hotel Casino in Las Vegas -- during DEFCON, the world's largest hacker convention. No one can say exactly how long the kiosk was there -- at least the kids were smart enough to place it right outside the security office, one of the few places in the conference center not under surveillance. It was picking up on this last fact that aroused the suspicion of Brian Markus, CEO of Aries Security. When shining a light through the glass panel that should house a camera, he instead found the PC that was set up to skim people's data. He then notified security, who removed the device and once again made the world safe for hackers and their bank accounts.
