September 3, 2016

A frequent crime in Brazil is a scheme in which thieves kidnap people as they’re leaving a bank, and free them only after visiting a number of ATMs to withdraw cash. Now the crooks have introduced a new time-saving wrinkle into this scam: In these so-called “flash hijacks” the thieves pull out a wireless card reader, swipe a few debit transactions with the victim’s card, and then release the individual.

A story in the Brazilian newspaper Liberal documents one such recent flash hijacking, involving two musicians in their 20s who were accosted by a pair of robbers — one of whom was carrying a gun. The thieves forced the victims to divulge their debit card personal identification numbers (PINs), and then proceeded to swipe the victim’s cards on a handheld, wireless card machine.

First spotted in 2015, flash hijackings are becoming more common in Brazil, said Paulo Brito, a cybersecurity expert living in the Campinas area of Brazil. Brito said even his friend’s son was similarly victimized recently.

“Of course transactions can be traced as far as they are done with Brazilian banks, but these bad guys can evolve and transact with foreign banks,” Brito said.

I suppose it’s slightly less traumatic for the victim if the use of handheld machines by the crooks mean victims have a gun to their heads for a shorter duration. It’s also nice that the thieves are bringing the theft to the victim, instead of the other way around.

In any case, these attacks underscore a major point I try to make when adding updates to my All About Skimmers series: Most of us are far more likely to get mugged after withdrawing money from an ATM or bank than we are to encounter a skimming device in real life.

The most important security advice is to watch out for your own physical safety while using an ATM. Keep your wits about you as you transact in and leave the area, and try to be keenly aware of your immediate surroundings. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.

35 thoughts on “‘Flash Hijacks’ Add New Twist to Muggings

  1. R Brown

    These have been a “thing for” fifteen years or so. Here’s a story from 2003

    Around this time there was a call for people to be provided with two PINs — one would only show and release minimal funds and coul be used during a Sequestro Relampago.

    One result was that Cash Machines in Brazil only pay out a max of c300 Reais in the small hours top avoid this. Of course the knock on has been that people are forced to buy electronic goods instead or that kidnapping are extended or timeshifted into weekdays.

    1. JCitizen

      They would probably just shoot me, because I can never remember my PIN. Good thing we have right to carry in my state, I’d just shoot them!

      1. JSD

        So I guess you never get to use your card. Might as well not carry it then. Thieves foiled.

      2. bob

        They’re pointing a gun at you. At what stage do you plan on drawing and firing your weapon? As they run off? Then thank-you for escalating the crime – as soon as news gets around, they’ll start KOing their victims.

        Put your dangerous toy away and grow up.

        1. The Truth

          Concealed carry, mugger is distracted for any reason (a trained person may throw their wallet away from the perps) gives an opportunity to defend oneself. I particularly like how bob just assumes that the person posting about a firearm is not trained how to use it, or how to handle themselves in a violent situation.

      3. SeymourB

        Nah, they’d just shoot you when you reach for your weapon.

        1. maybenot

          ‘Wallet guns’ can give potential victims the advantage..

          1. WalletGunEnthusiast

            Or it would give police a great excuse to shoot someone reaching for their wallet on a routine traffic stop

  2. Fernando

    I can see this type of crime going in different directions from being victimized several times to home invasion robberies – if the thieves decide to steal the victims personal information.

    1. R Brown

      Is that you Matt? We missed your spite!

      Good on you! The world’s a worse place without Matt’s poison and hate.

      There’s too much tech and thinking and discussion and never enough passion. Unmedicated passion.

    2. samak

      Agreed. This is why I don’t visit a terrible country with over 30,000 gun-deaths a year. Maybe Brian lives there…

      1. George G

        The VAST majority of them are gang members shooting each other, not visitors getting shot.

      2. George G

        Murder rates per 100,000 inhabitants:

        Brazil 24.6
        U.S.A. 3.9

        Yes, Brian lives in the safer place.

        Source: United Nations Office on Drugs and Crime.

        1. BrianKrebs Post author

          I’m sure Brazil is a gorgeous country, and that the majority of the people there are lovely. I’ve never been, sadly. However, you could not pay me to go there right now.

        2. Paul

          And what is the murder rate in Chicago or New Orleans per 100,000 for example?

          1. paul

            Chicago is projecting at 24.1 per CNN. And New Orleans is above 40 per 100,000 population.

  3. C/od

    The problem with having so many pins in your head to remember is ?, you become a pinhead. Stop it it hurts…

    1. Pinhead

      No tears, please. It’s a waste of good suffering. Ah, the sweet, sweet suffering.

  4. Clone

    Once a mugger has possession of *you*, the different methods which they choose to use to empty your bank account is relatively unimportant. The correct response is “take the money, and please point the gun away from me”.

    Some college kid in Chicago suburbs just this week was abducted at gunpoint, in broad daylight and driven around to ATMS very much like this scenario. Fortunately they let him go, and at least one of the muggers has been apprehended, charged and bail set at approximately 3 million dollars.

    Like a regular night out at the bar, with Ryan Lochte.

  5. Dan

    If the payment happens on a mobile terminal, surely the funds are transferred to the terminal owner electronically. It should be easy to trace the transaction and identify the machine or payment account. Maybe they are hoping the person/ bank/ police won’t chase it up, but once used the machine could be blacklisted and account traced to try recover funds and identify the account holder.

    Are we sure the machine is just not reading the may stripe and the info with pin are being used to clone the card for use at a real world ATM elsewhere? That seems more plausible and less risk of being traced?

  6. Mark

    I lived in Brasil and muggings are common. The bulk of the violence is between local drug lords (gangs). The muggings tend to target locals though sometimes a tourist gets hit. Tourism plays a big part of the economy in certain cities so the police come down very hard on muggers.

    There are all types of attempts at extortion in Brasil and you are wise to do what they say. If you park your car on the street you may be approached to pay a fee to “protect” it. This is a flannelinho aka a criminal who takes money to protect your car. If you don’t pay him, he’ll steal your car. You may also find yourself paying a toll because you drove down the wrong street. They may kidnap you, toss you in the trunk, drop you off somewhere and keep the car. Something as simple as looking at your phone while walking could get it stolen.

    This is less of a problem for tourists provided they stay out of certain areas. Don’t take a tour of a favela without a guide. Blend in, dress down and look like a local. Don’t carry or wear anything that identifies you have money. And if you use transit, always sit in the aisle seat so you won’t get mugged. If you sit against the windows you can get robbed on the bus. If you sit in the aisle you can get up and move if someone pushes a knife at you.

    And if you’re male, pay attention to the women that approach you. Folks in Brasil are much more friendly than in western society so it’s common to strike up a chat with someone especially if you speak Portuguese. There are women who are part of robbery rings who approach males, socialize & then drug their drink.

    Just keep your head up and don’t play tough guy. If you feel unsafe, get out of the area. And stay off any beach at night.

    1. Beeker

      Didn’t the US media tell that to us when the Olympic was in full swing?
      Many things you describe are common sense that most tourists tends not to follow and that makes them stand out to thieves. Then they act surprised that they were robbed.

  7. Rafael Martin

    Flash hijacks are happening now in Brazil at mall / market parking lots. Women are the prefered targets… Happened to a friend of mine a week ago. Pretty sad and scaring. They kept her for more than 3 hours.

  8. J. Tate

    While not a new issue, the innovation of thieves these days is astounding. Before the Con or the Hustle required street smarts, a dash of dare and a bit of social engineering. Here we have incorporated the Rob and Thug elements with a bit of technical prowess to effectively manage a low tech hold up.

    Not withstanding the criminality of the event, one must ask. Why aren’t we 4 steps ahead of this. Brian, you mentioned a very critical point- the transactions can be traced back to a processor but heres a cooler point. If these wireless POS-Scanners are all using some sort of MiFi- Im sure the criminal element has not grown so complex that particular safeguards are not “inventible” to ensure these attacks are less successful.

    Point- A gun in the face of a civilian is probably one of the most devastating experiences they could imagine. But Fact- the joke should be on the offender not the victim. Visa/Mastercard in the US has solutions for such activities, and even from a phone perspective Silent Circle has even a solution for the “Stickup Kid” issue for passwords and data access. One can be developed here.

    Great story Brian, always a fan.

  9. Andre Kenji(From São Paulo, Brazil)

    The story that you linked says credit, not debit card. 😉

    There is a difference. Besides that, there was the story of a guy that said that muggers used a debit car machine, but then Police discovered that he was lying and that he had spent the money with a prostitute.

    I don´t know if that´s story is true.

  10. Piere

    Brian Krebson always quick to point finger at other countries. Brazil. Russia. Is not so quick to point finger at own country. Why is this? Perhaps Brian Krebson is agent of his country. Is food for thought, yes?

    1. KFritz

      That particular thought of yours is the kind of food that vultures and cockroaches eat.

  11. KFritz

    Do the thieves also steal or destroy the victims’ cell phones so that they can’t disable the card’s info quickly?

  12. Jim

    Well, Brian an agent? Cool. But in this world off different legal systems, and criminal influences, one has to ponder, or ask why, is it the LAX attitude, your enemy? Friend? Harboring a bad guy? Or have those in control of your economy, not creating a need? And paying a living wage, leading to the any way but a legal economy? Creating a safe harbor, or a home for the nefarious? Krebs is the local news on an open platform, he cannot stop the problem, but expose it for others to be wary. That he does very well, yes, it’s a shame, but now we can be wary, too bad you didn’t warn us first, but this is usual there?

  13. Joe Smitien

    I now only use ATMs located inside shopping centers or at my bank., and never at night(bank ATMs). Why take the risk, just plan ahead for your cash needs.

  14. davidbolenge

    diplomatik! im subscribes an care statement bank unfortunaly consult premium medical and care site lost card lets great it up and secure then overdure bank health stages congrate diplomatik !

Comments are closed.