Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices.
Using audio to capture credit and debit card data is not a new technique, but it is becoming vogue: Square, an increasingly popular credit card reader built for the iPhone, works by plugging into the headphone jack on the iPhone and converting credit card data stored on the card into audio files.
The device pictured here is a card skimmer designed to fit over the card acceptance slot on a Diebold Opteva 760, one of the most common ATMs around. The green circuit board on the left was taken from an MP3 player (no idea which make or model). When a card is slid past the magnetic reader (the small black rectangle at the end of the black and red wires near the center of the picture), the MP3 player “hears” the data stored on the card’s magnetic stripe, and records it as an audio file to a tiny embedded flash memory device.
The card skimmer comes with a false panel that fits snugly into the top of the ATM; it contains a miniature video camera that records victims entering their PIN when the card skimmer slot is activated. The battery included in the hidden camera lasts for six hours, according to the ad posted by the skimmer’s designer. The entire package costs $1,500, payable via virtual currencies such as WebMoney and Liberty Reserve.
The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The Mp3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.
In fairness, the seller does note in the fine print that third party software is required to decrypt the audio files, and that he is “working closely with another partner for this service.” That partner is a different fraudster who will decrypt the audio files in exchange for 20 percent of the stolen card numbers and PINs.
[EPSB]
Have you seen:
Gang Used 3D Printers for ATM Skimmers…An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say.
[/EPSB]
I know someone who can detail this car I am selling you, honest guy.
I think that thieves remain thieves, but also banks are responsible for these thefts. Many banks don’t use track 3 to generate some kind of token to enforce security, also they are still using this outdated technology.
I guarantee that the “service” keeps (skims) a percentage of the data.
“That partner is a different fraudster who will decrypt the audio files in exchange for 20 percent of the stolen card numbers and PINs.”
Last line of Brian’s post.
Like or hate what they’re doing, but you have to admit they have some real ingenuity. I mean, hot wiring iPods and stuff to skim ATM cards? Is McGuyver working for them?
So, thieves are also stealing from other thieves.
That looks like the first Ipod shuffle