Posts Tagged: T-Mobile


27
Jul 17

Gas Pump Skimmer Sends Card Data Via Text

Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in the New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.

Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.

But this is the first instance KrebsOnSecurity is aware of in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.

The beauty of the GSM-based skimmer is that it can transmit stolen card data wirelessly via text message, meaning thieves can receive real-time transmissions of the card data anywhere in the world — never needing to return to the scene of the crime. That data can then be turned into counterfeit physical copies of the cards.

Here’s a look at a new skimmer pulled from compromised gas pumps at three different filling stations in New York this month. Like other pump skimmers, this device was hooked up to the pump’s internal power, allowing it to operate indefinitely without relying on batteries.

A GSM-based card skimmer found embedded in a gas pump in the northeastern United States.

A GSM-based card skimmer found embedded in a gas pump in the northeastern United States.

It may be difficult to see from the picture above, but the skimmer includes a GSM-based device with a SIM card produced by cellular operator T-Mobile. The image below shows the other side of the pump skimmer, with the SIM card visible in the upper right corner of the circuitboard:

The reverse side of this GSM-based pump skimmer shows a SIM card from T-Mobile.

The reverse side of this GSM-based pump skimmer shows a SIM card from T-Mobile.

It’s not clear what type of mobile device was used in this skimmer, and the police officer who shared these images with KrebsOnSecurity said the forensic analysis of the device was ongoing. Continue reading →


18
Jul 11

Is Your Voicemail Wide Open?

The “phone-hacking” scandal that has gripped the U.K. is now making waves on this side of the pond. It stems from an alleged series of intrusions into the wireless voicemail boxes of high profile celebrities and 9/11 victims. The news stories about this scandal make it sound as if the attacks were sophisticated — an investigation into exactly what happened is still pending — but many people would be surprised to learn just how easy it is to “hack” into someone’s voicemail.

For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that if you haven’t set up your voicemail account to require a PIN for access, your messages may be vulnerable to snooping by anyone who has access to caller ID “spoofing” technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.

I wanted to check whether this is possible with my AT&T account — so I chose my wife’s new iPhone as the target; I was reasonably sure she hadn’t set a PIN on her voicemail. I surfed over to spooftel.com and found that I still had $10 in credits in my account. I instructed Spooftel to call her number, and to use that same number as the caller ID information that gets transmitted to my wife’s phone. Her phone rang 4 times before going to voicemail; I pressed the # sign on my iPhone and was immediately presented with her saved messages. Continue reading →