All About Skimmers


30 Jul 20

Is Your Chip Card Secure? Much Depends on Where You Bank

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggests thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.

A chip-based credit card. Image: Wikipedia.

Traditional payment cards encode cardholder account data in plain text on a magnetic stripe, which can be read and recorded by skimming devices or malicious software surreptitiously installed in payment terminals. That data can then be encoded onto anything else with a magnetic stripe and used to place fraudulent transactions.

Newer, chip-based cards employ a technology known as EMV that encrypts the account data stored in the chip. The technology causes a unique encryption key — referred to as a token or “cryptogram” — to be generated each time the chip card interacts with a chip-capable payment terminal.

Virtually all chip-based cards still have much of the same data that’s stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants — particularly those in the United States — still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card’s chip or a merchant’s EMV-enabled terminal has malfunctioned.

But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a component in the chip known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.”

The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and the use of that data to create counterfeit magnetic stripe cards. Both the iCVV and CVV values are unrelated to the three-digit security code that is visibly printed on the back of a card, which is used mainly for e-commerce transactions or for card verification over the phone.

The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward.

However, for EMV’s security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction.
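The issuer-side check described above, sketched as an added example (not code from the article, any bank or any card network). `derive_value` is an HMAC stand-in for the real verification-value computation; the substituted service code `999`, the key and the card number are assumptions or constructed values. The `strict=False` path models an issuer that does not tie the value to the entry mode.

```python
"""Issuer-side check that a card verification value matches the entry mode.

Constructed example: derive_value() is an HMAC stand-in, NOT the real
card-network CVV algorithm, and all keys and card numbers are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption of this sketch: the chip's iCVV is derived like the stripe CVV
# but with a substituted service code, so the two values differ.
ICVV_SERVICE_CODE = "999"


def derive_value(key: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Return a 3-digit verification value (HMAC-SHA256 stand-in)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    expiry: str              # YYMM
    service_code: str        # as read from the stripe / chip track data
    entry_mode: str          # "chip" (dipped) or "magstripe" (swiped)
    verification_value: str  # value the terminal sent with the request


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two verification values."""
    return hmac.compare_digest(a.encode(), b.encode())


def authorize(key: bytes, req: AuthRequest, strict: bool = True):
    """Return (approved, reason).

    strict=True  : chip must present iCVV, swipe must present CVV.
    strict=False : models the misconfigured issuer that accepts either value.
    """
    if req.entry_mode not in ("chip", "magstripe"):
        return False, "decline: unknown entry mode"
    cvv = derive_value(key, req.pan, req.expiry, req.service_code)
    icvv = derive_value(key, req.pan, req.expiry, ICVV_SERVICE_CODE)
    expected, other = (icvv, cvv) if req.entry_mode == "chip" else (cvv, icvv)

    if _same(req.verification_value, expected):
        return True, "approve"
    if _same(req.verification_value, other):
        if not strict:
            return True, "approve (entry mode not checked)"
        # Right card, wrong channel: the signal worth alerting on.
        return False, f"decline: value does not belong to {req.entry_mode} entry"
    return False, "decline: verification value invalid"


def demo():
    """Chip-derived data presented as a swipe, under both issuer behaviours."""
    key = b"constructed-issuer-key"
    pan, expiry, svc = "4000001234567899", "2512", "201"  # constructed card
    icvv = derive_value(key, pan, expiry, ICVV_SERVICE_CODE)
    replay = AuthRequest(pan, expiry, svc, "magstripe", icvv)
    return authorize(key, replay, strict=True), authorize(key, replay, strict=False)


if __name__ == "__main__":
    for approved, reason in demo():
        print(approved, reason)
```

The distinct decline reason for a value that is valid for the card but wrong for the entry mode is worth logging separately from an ordinary mismatch, since it points at chip data being reused on a stripe.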

The trouble is that not all financial institutions have properly set up their systems this way. Unsurprisingly, thieves have known about this weakness for years. In 2017, I wrote about the increasing prevalence of “shimmers,” high-tech card skimming devices made to intercept data from chip card transactions.

A close-up of a shimmer found on a Canadian ATM. Source: RCMP.

More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.

There are now strong indications the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards.

Earlier this month, the world’s largest payment card network Visa released a security alert regarding a recent merchant compromise in which known POS malware families were apparently modified to target EMV chip-enabled POS terminals.

“The implementation of secure acceptance technology, such as EMV® Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date,” Visa wrote. “Thus, provided iCVV is validated properly, the risk of counterfeit fraud was minimal. Additionally, many of the merchant locations employed point-to-point encryption (P2PE) which encrypted the PAN data and further reduced the risk to the payment accounts processed as EMV® Chip.”

Visa did not name the merchant in question, but something similar seems to have happened at Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States. Key Food initially disclosed a card breach in March 2020, but two weeks ago updated its advisory to clarify that EMV transaction data also was intercepted.

“The POS devices at the store locations involved were EMV enabled,” Key Food explained. “For EMV transactions at these locations, we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code).”

While Key Food’s statement may be technically accurate, it glosses over the reality that the stolen EMV data could still be used by fraudsters to create magnetic stripe versions of EMV cards presented at the compromised store registers in cases where the card-issuing bank hadn’t implemented EMV correctly.


3 Jun 20

Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion

An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.

The multimedia investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and several international journalism partners detailed the activities of the so-called Riviera Maya crime gang, allegedly a mafia-like group of Romanians who until very recently ran their own ATM company in Mexico called “Intacash” and installed sophisticated electronic card skimming devices inside at least 100 cash machines throughout Mexico.

According to the OCCRP, Riviera Maya’s skimming devices allowed thieves to clone the cards, which were used to withdraw funds from ATMs in other countries — often halfway around the world in places like India, Indonesia, and Taiwan.

Investigators say each skimmer captured on average 1,000 cards per month, siphoning about $200 from individual victim accounts. This allowed the crime gang to steal approximately $20 million monthly.

“The gang had little tricks,” OCCRP reporters recounted in their video documentary (above). “They would use the cards in different cities all over the globe and wait three months so banks would struggle to trace where the card had originally been cloned.”

In September 2015, I traveled to Mexico’s Yucatan Peninsula to find and document almost two dozen ATMs in the region that were compromised with Bluetooth-based skimming devices. Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based, allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device, I was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad, made to be slipped under the legit PIN pad on the machine, is the orange bit, top right. The Bluetooth and data storage chips are in the middle.

Several days of wandering around Mexico’s top tourist areas uncovered these sophisticated skimmers inside ATMs in Cancun, Cozumel, Playa del Carmen and Tulum, including a compromised ATM in the lobby of my hotel in Cancun. OCCRP investigators said the gang also had installed the same skimmers in ATMs at tourist hotspots on the western coast of Mexico, in Puerto Vallarta, Sayulita and Tijuana.

Part III of my 2015 investigation concluded that Intacash was likely behind the scheme. An ATM industry source told KrebsOnSecurity at the time that his technicians had been approached by ATM installers affiliated with Intacash, offering those technicians many times their monthly salaries if they would provide periodic access to the machines they maintained.

The alleged leader of the Riviera Maya organization and principal owner of Intacash, 43-year-old Florian “The Shark” Tudor, is a Romanian with permanent residence in Mexico. Tudor claims he’s an innocent, legitimate businessman who’s been harassed and robbed by Mexican authorities.

Last year, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard, Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??



26 May 20

Report: ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office

A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations have enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office, according to a new complaint filed with the government’s internal affairs division.

As detailed this week by the Mexican daily Reforma, several Mexican federal, state and municipal officers filed a complaint saying the attorney general office responsible for combating corruption had initiated formal proceedings against them for investigating Romanians living in Mexico who are thought to be part of the ATM skimming operation.

Florian Tudor (right) and his business associates at a press conference earlier this year. Image: Reforma.

Reforma said the complaint centers on Camilo Constantino Rivera, who heads the unit in the Mexican Special Prosecutor’s office responsible for fighting corruption. It alleges Rivera has an inherent conflict of interest because his brother has served as a security escort and lawyer for Florian Tudor, the reputed boss of a Romanian crime syndicate recently targeted by the FBI for running an ATM skimming and human trafficking network that operates throughout Mexico and the United States.

Tudor, a.k.a. “Rechinu” or “The Shark,” and his ATM company Intacash, were the subject of a three-part investigation by KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang which was rumored to be bribing and otherwise coercing ATM technicians into installing Bluetooth-based skimming devices inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

In 2018, 44-year-old Romanian national Sorinel Constantin Marcu was found shot dead in his car in Mexico. Marcu’s older brother told KrebsOnSecurity shortly after the murder that his brother was Tudor’s personal bodyguard but at some point had a falling out with Tudor and his associates over money. Marcu the elder said his brother was actually killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to make it look like he was slain in his car instead.

On March 31, 2019, police in Cancun, Mexico arrested 42-year-old Tudor and 37-year-old Adrian Nicholae Cosmin for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations. Two months later, a judge authorized the search of several of Tudor’s properties.

The Reforma report says Rivera’s office subsequently initiated proceedings against and removed several agents who investigated the crime ring, alleging those agents abused their authority and conducted illegal searches. The complaint against Rivera charges that the criminal protection racket also included the former chief of police in Cancun.

In September 2019, prosecutors with the Southern District of New York unsealed indictments and announced arrests against 18 people accused of running an ATM skimming and money laundering operation that netted $20 million. The defendants in that case — nearly all of whom are Romanians living in the United States and Mexico — included Florian Claudio Martin, described by Romanian newspapers as “the brother of Rechinu,” a.k.a. Tudor.


25 Nov 19

Hidden Cam Above Bluetooth Pump Skimmer

Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.

Apparently, I’m not alone.

“I believe this is the first time I’ve seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured below.

The fake panel (horizontal) above the “This Sale” display obscures a tiny hidden camera angled toward the gas pump’s PIN pad.

It may be difficult to tell from the angle of the photograph above, but the horizontal bar across the top of the machine (just above the “This Sale $” indicator) contains a hidden pinhole camera angled so as to record debit card users entering their PIN.

Here’s a look at the fake panel removed from the compromised pump:

A front view of the hidden camera panel.

Jogodka said although this pump’s PIN pad is encrypted, the hidden camera sidesteps that security feature.

“The PIN pad is encrypted, so this is a NEW way to capture the PIN,” Jogodka wrote in a message to a mailing list about skimming devices found on Arizona fuel pumps. “The camera was set on Motion, [to] save memory space and battery life. Sad for the suspect, it was recovered 2 hours after it was installed.”


14 Aug 19

Meet Bluetana, the Scourge of Pump Skimmers

“Bluetana,” a new mobile app that looks for Bluetooth-based payment card skimmers hidden inside gas pumps, is helping police and state employees more rapidly and accurately locate compromised fuel stations across the nation, a study released this week suggests. Data collected in the course of the investigation also reveals some fascinating details that may help explain why these pump skimmers are so lucrative and ubiquitous.

The new app, now being used by agencies in several states, is the brainchild of computer scientists from the University of California San Diego and the University of Illinois Urbana-Champaign, who say they developed the software in tandem with technical input from the U.S. Secret Service (the federal agency most commonly called in to investigate pump skimming rings).

The Bluetooth pump skimmer scanner app ‘Bluetana’ in action.

Gas pumps are a perennial target of skimmer thieves for several reasons. They are usually unattended, and in too many cases a handful of master keys will open a great many pumps at a variety of filling stations.

The skimming devices can then be attached to electronics inside the pumps in a matter of seconds, and because they’re also wired to the pump’s internal power supply the skimmers can operate indefinitely without the need of short-lived batteries.

And increasingly, these pump skimmers are fashioned to relay stolen card data and PINs via Bluetooth wireless technology, meaning the thieves who install them can periodically download stolen card data just by pulling up to a compromised pump and remotely connecting to it from a Bluetooth-enabled mobile device or laptop.

According to the study, some 44 volunteers — mostly law enforcement officials and state employees — were equipped with Bluetana over a year-long experiment to test the effectiveness of the scanning app.

The researchers said their volunteers collected Bluetooth scans at 1,185 gas stations across six states, and that Bluetana detected a total of 64 skimmers across four of those states. All of the skimmers were later collected by law enforcement, including two that were reportedly missed in manual safety inspections of the pumps six months earlier.

While several other Android-based apps designed to find pump skimmers are already available, the researchers said Bluetana was developed with an eye toward eliminating false-positives that some of these other apps can fail to distinguish.

“Bluetooth technology used in these skimmers are also used for legitimate products commonly seen at and near gas stations such as speed-limit signs, weather sensors and fleet tracking systems,” said Nishant Bhaskar, UC San Diego Ph.D. student and principal author of the study. “These products can be mistaken for skimmers by existing detection apps.”


4 Apr 19

Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico

An alleged top boss of a Romanian crime syndicate that U.S. authorities say is responsible for deploying card-skimming devices at Automated Teller Machines (ATMs) throughout North America was arrested in Mexico last week on firearms charges. The arrest comes months after the accused allegedly ordered the execution of a former bodyguard who was trying to help U.S. authorities bring down the group’s lucrative skimming operations.

On Mar. 31, police in Cancun, Mexico arrested two Romanian men, identified only as 42-year-old “Florian N” and 37-year-old “Adrian Nicholae N,” for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations.

An uncaptioned photo published by the Mexican police. According to multiple sources, the individual on the left is Intacash boss Florian Tudor, along with his deputy Nicholae Cosmin.

The two men’s faces were partially obscured in the mugshots released to Mexican media. But according to multiple sources familiar with the investigation, the older man arrested (pictured on the left) is Florian “The Shark” Tudor, reputed to be in charge of a relatively new ATM company based in Mexico called Intacash. The man on the right has been identified as Nicolae Cosmin, Tudor’s deputy.

Intacash was the central focus of a three-part investigation KrebsOnSecurity published in September 2015. That story tracked the activities of a crime gang that was bribing and otherwise coercing ATM technicians to install sophisticated Bluetooth-based skimmers inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

Meanwhile, Intacash’s machines were about the only ATMs in top tourist spots in Mexico that weren’t getting compromised with these Bluetooth skimming devices.

Law enforcement and ATM industry sources cited in that story said they believe Intacash is controlled by Romanian nationals and that its key principals were the ones paying ATM technicians to compromise machines at competing ATM providers.

As I discovered in reporting that series, it was possible to tell which ATMs were compromised in Mexico’s top tourist spots just by approaching each with a smart phone and looking for the presence of a Bluetooth signal beaconing out a wireless network with the name “Free2Move”.

This functionality allowed the crime syndicate to siphon credit and debit card details and PINs from hacked ATMs wirelessly, without ever again having to touch the compromised machines (see the video below for more on that investigation).

In April 2018, KrebsOnSecurity heard from a Romanian person who claimed to have been working for Intacash. This individual seemed extremely concerned for their safety, but at the same time eager to share details about the company’s operations and owners.

The source shared photographs of Intacash’s chief deputies, as well as screenshots of card data allegedly hoovered up by the company’s various skimming operations. The source repeatedly told me the Romanian gang was paying large sums of money to Mexican authorities to stay off their radar.

The last time I heard from that source was June 2018, just after a like-minded associate at Intacash was found shot dead in his car. The associate, 44-year-old Sorinel Constantin Marcu, was already wanted on a warrant from Interpol, the international criminal police organization.

In 2014, a Romanian court issued a criminal warrant for Marcu on allegations of attempted murder back in his hometown of Craiova, Romania’s 6th-largest city. But Marcu was able to flee to Mexico before he could be tried. The court later convicted Marcu in absentia, leveling a sentence of eight years in prison.

On the evening of June 11, 2018, Marcu was shot in the head, reportedly while trying to kidnap a businessman in Mexico, according to multiple media accounts. A street surveillance video of the incident published by Romanian daily Gazeta de SUD shows a Dodge Nitro allegedly driven by Marcu hitting the businessman’s parked car.

The businessman manages to flee, and the passenger in Marcu’s vehicle briefly starts after him, before returning to the picture a few seconds later. Marcu’s passenger gets back in the vehicle, which then moves out of view of the security camera.

“Later, one of the businessman’s guards came out of the house and shot several gun shots in the car driven by Marcu, and he was killed on the spot,” Gazeta reported.


10 Mar 19

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.

And sometimes, the scammers just hijack the security camera built into the ATM itself.

Below is the hidden back-end of a skimmer found last month placed over top of the customer-facing security camera at a drive-up bank ATM in Hurst, Texas. The camera components (shown below in green and red) were angled toward the cash machine’s PIN pad to record victims entering their PINs. Wish I had a picture of this thing attached to the ATM.

This hidden camera was fixed to the underside of a fake lens cover for the skimmed ATM’s built-in security camera. Image: Hurst Police.

The clever PIN grabber was paired with an “insert skimmer,” a wafer-thin, usually metallic and battery powered skimmer made to be fitted straight into the mouth of the ATM’s card acceptance slot, so that the card skimmer cannot be seen from outside of the compromised ATM.

The insert skimmer, seen as inserted into the card acceptance device in the hacked ATM. Image: Hurst PD.



21 Feb 19

New Breed of Fuel Pump Skimmer? Not Really

Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don’t hold water.

An earlier version of this story cited an alert sent by the U.S. Secret Service and interviews with a company that helps merchants secure their payment terminals. The claims were that a circular device found on the side of a gas pump was a skimmer that was believed to be responsible for communicating with other Bluetooth-based skimmers found embedded in the pumps, and that its purpose was to gather stolen card data and send it off wirelessly to the skimmer thieves via text message.

Since that story was published, I heard from a reader who works in security for the company that owns the compromised filling station in question. This person asked not to be quoted directly, but shared information showing that the mysterious circular device was not a Bluetooth anything. Rather, he said, it is little more than a GPS-based tracker that can be bought at Amazon and other online stores for about $100-$150.

The source shared a clearer image of the “skimmer,” and a review of the components shown there indicates this thing is indeed a GPS tracker — the kind of device that a suspicious husband or wife might attach to the undercarriage of the family car to track the other’s whereabouts in real time:

The most likely explanation as to why this tracker was on the side of a gas pump to begin with is that someone who was being tracked discovered it and left it at the station. The source also said claims that this was found beneath an NFC reader on the pump are not correct either. However, he said it was true that there were multiple gas pumps at the station that were internally compromised with Bluetooth skimming devices.

While I am not wild about having to post this correction, I also don’t believe it would be right to simply unpublish the original story — flawed as it is. So in the interests of full transparency, what follows is the original piece, minus the lede.



2 Nov 18

SMS Phishing + Cardless ATM = Profit

Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.

A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.

Image: Mastercard.us

In May 2018, Cincinnati, Ohio-based financial institution Fifth Third Bank began hearing complaints from customers who were receiving text messages on their phones that claimed to be from the bank, warning recipients that their accounts had been locked.

The text messages contained a link to unlock their accounts and led customers to a Web site that mimicked the legitimate Fifth Third site. That phishing site prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PIN numbers — to unlock their accounts.

All told, that scam netted credentials for approximately 125 Fifth Third customers — most of them in or around the Cincinnati area. The crooks then used the phished data to withdraw $68,000 from 17 ATMs in Illinois, Michigan, and Ohio in less than two weeks using Fifth Third’s cardless ATM function.

According to court documents, the SMS phishing and fraudulent withdrawals at cardless ATMs continued through October 2018, earning the scammers an additional $40,000. That is, until the bank zeroed in on four individuals suspected of perpetrating the crime spree. Shortly thereafter, four men were arrested in connection with the crimes.


27 Sep 18

Secret Service Warns of Surge in ATM ‘Wiretapping’ Attacks

The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM.

According to a non-public alert distributed to banks this week and shared with KrebsOnSecurity by a financial industry source, the Secret Service has received multiple reports about a complex form of skimming that often takes thieves days to implement.

This type of attack, sometimes called ATM “wiretapping” or “eavesdropping,” starts when thieves use a drill to make a relatively large hole in the front of a cash machine. The hole is then concealed by a metal faceplate, or perhaps a decal featuring the bank’s logo or boilerplate instructions on how to use the ATM.

A thin metal faceplate is often used to conceal the hole drilled into the front of the ATM. The PIN pad shield pictured here is equipped with a hidden spy camera.

Skimmer thieves will fish the card skimming device through the hole and attach it to the internal card reader via a magnet.

Thieves often use a magnet to secure their card skimmer in place above the ATM’s internal card reader. Image: U.S. Secret Service.

Very often the fraudsters will be assisted in the skimmer installation by an endoscope, a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body. By connecting a USB-based endoscope to his smart phone, the intruder can then peek inside the ATM and ensure that his skimmer is correctly attached to the card reader.