Can’t Hack a Hacker: Reverse Engineering a Discovered ATM Skimmer

Background

When traveling, Elizabeth and I are always a little extra cautious; we hide money in special belts, we carry emergency cards in three separate places, and we never withdraw more than $100 from an ATM. One precaution Elizabeth always takes is covering the PIN pad with her left hand while she types with her right. At first I thought it was over-paranoid, but being a security researcher, I was soon covering my PIN every time I typed it as well. Little did I know that this precaution would soon pay off…

What is a Skimmer?

Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:

- They want your card number
- They want your PIN

To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine.

The devices must look as close to the actual reader as possible so they don’t arouse suspicion, and the blackhats go to great lengths to achieve this. Sometimes they replace entire panels of the ATM. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”, somewhere between the ATM and the bank’s host. This is called “network skimming”, and it only works if the card data crosses that link in a form the thief can read.
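To make “on the wire” concrete, here is an added example (my own code, not anything from the original post or from the device described in it) of the scan a network skimmer, or equally a monitoring sensor watching for this exposure, would run over captured ATM traffic: find runs of 13 to 19 digits and keep the ones that pass the Luhn checksum every card number carries. The capture is constructed for the example, with the well-known test PAN 4111111111111111 and a second 16-digit number that fails Luhn; the message layout and field names are assumptions, not any real ATM protocol.

```python
"""Scan a captured byte stream for Luhn-valid card numbers (PANs).

Added example, not from the original post. A network skimmer only yields card
numbers if the ATM's link carries them in the clear; the same scan is what a
monitoring sensor would run to detect that condition. CAPTURE is constructed:
two plaintext lines loosely styled after an ATM host message, containing the
test PAN 4111111111111111 and a 16-digit reference number that is not
Luhn-valid. Field names and layout are assumptions for illustration only.
"""
import re

# A digit run of 13..19 digits not adjacent to other digits (PAN length range).
DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a report would show them."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(stream: bytes):
    """Return (byte offset, masked PAN) for every Luhn-valid digit run."""
    hits = []
    for m in DIGIT_RUN.finditer(stream):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


# Constructed sample traffic (not a real capture).
CAPTURE = (
    b"0200|PAN=4111111111111111|AMT=000010000|TERM=BALI0042\r\n"
    b"0210|REF=1234567890123456|RC=00\r\n"   # 16 digits, fails Luhn
)

if __name__ == "__main__":
    for offset, pan in find_pans(CAPTURE):
        print(f"offset {offset}: {pan}")
```

The Luhn filter is what separates a card number from the amounts, reference numbers and terminal IDs that also appear as digit runs; the amount field is too short to match and the reference number fails the checksum, so only the PAN is reported. If an ATM’s link is encrypted end to end, this scan finds nothing, which is exactly the point of encrypting it.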

Once they have your card number, the second part of the equation is getting your PIN. Not surprisingly, the creativity of the criminal mind offers a few ways to do this. Most often, some sort of hidden camera is placed where it can see you typing the PIN. This is harder than it sounds, because the camera needs power and a way to get the footage back to the attackers.

PIN pad overlays are devices that sit on top of the real PIN pad and record the keys pressed. Making an overlay isn’t as easy as it sounds either. In addition to looking like a legitimate part of the ATM, a PIN pad overlay needs power, storage and a way to download its data to be effective. Here is a video of a team of thieves installing a card skimmer overlay at a convenience store:

How do you protect yourself?

Krebs recommends two simple protections.

Jiggle that ATM

Give the card reader area a good yank. Don’t get out your crowbar, just see if any pieces of the ATM come off easily. Usually skimmers snap into place or use light adhesive so the thieves can remove and swap them out quickly.

Cover your PIN with your hand

This will not protect you from PIN overlays, but it will hide your PIN from hidden cameras. Plus it’s so easy to do, why wouldn’t you?

Finding a Skimmer in Bali, Indonesia

Outside of a popular tourist grocery store, there is a bank of ATMs.

The photo doesn’t do it much justice, but each ATM has its own entrance and tiny, air-conditioned cubicle. Tourists feel safe because no one on the street can see them pocketing cash.

We have used this ATM before. This time, when I went with Elizabeth to get some cash, I jiggled pieces of the ATM. The card reader was solid, but when I pulled on the guard that hides your hands when you type your PIN, it came right off.

A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.

I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!

We decided to take it. On our way out to dinner, Elizabeth and I talked excitedly about how cool it was to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we thought the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.

By the time we got to the restaurant, we were pretty scared. A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.

The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.

Reverse Engineering

Probing the Ports

The night we got it home, I couldn’t wait to figure this thing out. The thing that stood out the most was the port on the front. I imagined it was the way the criminal downloaded the recorded footage.

The port had four pins, and I immediately thought “USB”: four conductors is exactly what USB needs (5 V, D−, D+ and ground). I wasn’t at home with my lab and soldering iron, so I had to make do with what I had. I cut one of my cell-phone chargers in half and stripped the four wires inside. Standard USB colour coding is red for 5 V, white for D−, green for D+ and black for ground.

Next, I had to guess the order of the pins. The port resembled a USB header on a motherboard, so I used an image of that header’s pinout as my guide.

Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and….

It mounts! I freak out a little and begin copying the files from the device. There are two folders, one named “Google Drive” and one named “VIDEO”. The “Google Drive” folder was empty, but there are over 11 GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable still and not move, lest I break the transfer.

After it’s done, I shake the cramps out of my hand and go over the footage. The camera records 30-minute chunks of video whenever it detects movement. Most of the videos are of people typing in their PINs [upside down].

The device records sound. At first I thought it was a waste of storage, but after looking at the footage I realized how helpful the audio is. The keypad beeps once per actual key press, so you can’t fool the skimmer by pretending to touch extra keys: the attacker simply counts beeps and matches them to finger positions in the video. And the sound of money dispensing tells the attacker that the PIN was valid.
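The point about the beeps is worth making concrete. Below is an added example, my own code rather than anything recovered from the device, of the simplest way to pull key-press timings out of a recording: window the audio, compute the energy in each window, and count rising edges above a threshold. Those timestamps are what an attacker would line up against the video frames, and what an investigator reviewing such footage would use to find PIN entries quickly. The audio here is synthesized inline (8 kHz, four 1 kHz beeps at known offsets over low noise) so the block runs offline; window size and threshold are assumptions tuned to that synthetic signal and would need adjusting for a real keypad.

```python
"""Count keypad beeps in a mono PCM track by short-window energy.

Added example, not code from the original post or the skimmer. The track is
constructed: SAMPLE_RATE Hz samples of low uniform noise with four sine bursts
(one per "key press") starting at the seconds listed in BEEP_STARTS. The
window length, threshold and merge gap are assumptions for this signal.
"""
import math
import random

SAMPLE_RATE = 8000                    # Hz
BEEP_STARTS = [0.5, 1.1, 1.9, 2.6]    # seconds; constructed ground truth
BEEP_LEN = 0.08                       # seconds per beep
TONE_HZ = 1000


def make_track(duration=3.5, noise=0.02):
    """Synthesize the constructed recording: noise floor plus four beeps."""
    rng = random.Random(1)            # deterministic noise
    n = int(duration * SAMPLE_RATE)
    samples = [rng.uniform(-noise, noise) for _ in range(n)]
    for start in BEEP_STARTS:
        s0 = int(start * SAMPLE_RATE)
        for i in range(int(BEEP_LEN * SAMPLE_RATE)):
            t = i / SAMPLE_RATE
            samples[s0 + i] += 0.8 * math.sin(2 * math.pi * TONE_HZ * t)
    return samples


def window_rms(samples, win):
    """RMS level of each consecutive non-overlapping window of `win` samples."""
    out = []
    for i in range(0, len(samples) - win + 1, win):
        chunk = samples[i:i + win]
        out.append(math.sqrt(sum(x * x for x in chunk) / win))
    return out


def find_beeps(samples, win_ms=10, threshold=0.2, min_gap_ms=50):
    """Return start times (seconds) of energy bursts above `threshold`.

    A burst starts where the windowed RMS rises through the threshold. A rise
    closer than `min_gap_ms` to the previous one is treated as the same beep,
    so a ragged envelope is not counted twice.
    """
    win = SAMPLE_RATE * win_ms // 1000
    rms = window_rms(samples, win)
    starts = []
    above = False
    for idx, level in enumerate(rms):
        t = idx * win / SAMPLE_RATE
        if level > threshold and not above:
            if not starts or (t - starts[-1]) * 1000 >= min_gap_ms:
                starts.append(t)
            above = True
        elif level <= threshold:
            above = False
    return starts


def count_keypresses(samples):
    """Number of distinct beeps, i.e. digits typed, in the track."""
    return len(find_beeps(samples))


if __name__ == "__main__":
    track = make_track()
    beeps = find_beeps(track)
    print(f"{len(beeps)} key presses at {[round(b, 2) for b in beeps]} s")
```

Energy thresholding is enough for a clean keypad tone; a noisier recording would call for a band-pass around the keypad’s tone frequency before the RMS step, but the counting logic stays the same. The cash-dispensing sound the post mentions could be found the same way, as a much longer burst after the last beep.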

Other interesting footage includes the skimmer being installed. Unfortunately, you don’t see the person’s face or any tattoos that could identify them.

The most entertaining is probably the discovery of the device by Elizabeth and me.

How is the device made?

Next I took to disassembling the device. This was a pain because it was an injection-molded plastic shell filled with Sculpey and hot glue. The sketch below should give you an idea of how the components are arranged and concealed.

The outer shell looked like an actual hand guard that could have been ordered from somewhere. The yellow material was added and sculpted by the criminal. It was difficult to chisel it away without damaging the electronics inside. It took some time, but I was finally able to dig down to the components.

On the left you see the power source [a Samsung battery]. The controller board is on the right, with a ribbon cable running up to the pinhole camera.

Googling the part number on the controller board revealed that it is a commercially available board used in spy camera gear. The board had been modified to add an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.

Final Thoughts

The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PINs as they are typed. I also initially thought that the cell phone battery was a lazy choice, as if they just had one lying around. I have come to believe, however, that it is the best choice for a long-lasting, low-profile power source.

Also, choosing to use a pre-made spy camera has a lot of advantages:

- Size
- Motion detection built in
- Storage built in
- USB connection built in
- Low power consumption



The device is handmade, not mass-produced. Since the attacker has to physically remove the device to download its contents, they must have more than one so they can be swapped. I predict that the criminals produced only a handful of these skimmers. To check this theory I went back to the ATM a few days later…

I never found a physical card skimmer (the part of the system that grabs the card number). The wires visible behind the machine make me think the card numbers are probably being skimmed over the network. Fear of being shot kept me from spending much time investigating at the ATM site after the initial find.

Although the bank had my phone number, they never called me back, and I didn’t press the matter because I’m not sure how well the Indonesian judicial system works. I was happy to get to research a cool device without getting entangled in legal proceedings.

I hope this encourages you to keep your eyes peeled for skimmers. Remember to wiggle those card readers and cover up those PINs. Happy hunting!

Update: 4 May 2016

According to this news report, the police in Bali recently nabbed a criminal skimming in much the same way. The Bulgarian man was caught placing a skimming device on an ATM 30 minutes away from the one where I found mine.

“The staff saw a foreigner doing something suspicious on March 27. He had apparently changed the ATM’s keypad canopy with one that had an ATM skimming device. Ivanov allegedly used two devices — a router to steal the bank data of customers using Wi-Fi and a key pad canopy that had a camera and a USB to steal data, Reinhard said.”

This sounds very similar to the device I found and confirms my suspicion that they were getting card numbers over the network. I doubt this individual was working alone, but I consider this a major win for the Bali Police and for tourists visiting Bali.
