It happens that a seemingly familiar thing meets with such a twist, after which you start to look at this thing completely differently. So it happened for me... a couple of years I was withdrawing money from a card in a hundred places and did not know the troubles... and then I came to one town and at the first ATM I met this very highlight. And the place and circumstance were such that for a couple of moments of food for thought and impressions accumulated for two weeks ahead.
For some reason, I thought that this could only happen in the country of evergreen presidents, and we simply do not have the personnel to do this. It turns out that I was deeply mistaken. It's just not every day that you meet something that you've only read about in magazines / the Internet or seen in movies [ by the way, I don't remember a single movie that featured a skimmer
].
What is a skimmer? If you make a request in Yandex, it will become clear from the first lines that this is some kind of pump for cleaning swimming pools. But judge for yourself-the pump and the ATM... something is wrong. Although, pumping money from an ATM is quite possible )
Without going into the history of the origin of the name, a skimmer is a small device that can help intruders take advantage of your plastic card.
Those who are in the subject, now probably read and giggle at my interpretation, but this is the first interpretation that came to my mind.
A skimmer usually consists of two elements – an overhead keyboard (pin pad) and a magnetic tape scanner of the card.
The pin pad is placed exactly on top of the ATM's native keyboard and allows attackers to find out your PIN code (a miniature camera can also be used for this), while the scanner is hung on top of the card receiving slot. Moreover, disguise does its dirty work.
You insert the card into the ATM (without suspecting that you are inserting it into the intruders ' card scanner, after which the card gets into the ATM slot you need) - voila, your card data (dump) is already either on the data storage device in the scanner, or has already been transferred to someone via the wireless interface. Then you enter the PIN code, which is also either saved or immediately sent. All you need to do to use your money is to make a duplicate card, which seems to be done quite easily – using a dump, a faceless piece of plastic is programmed and you're done.
By the way, it is much worse if there is no overhead keyboard on the ATM card receiving device or just someone is firing when you enter the PIN code. Even worse, if at the same time you came out of your mirror-washed Audi Q7 (99, third boomer, lancer-underline), in a major sheepskin coat, with a headset, but without a helmet. In this case, there is every chance to stupidly get something heavy on the head and with the same success give money from the card. But this case is not so interesting – the gop stop was everywhere and always.
Even though I always look at the ATM before inserting the card, I did insert it that time. We were not alone, it was not up to the ATM. I was about to enter the PIN code when I noticed that the keyboard is not flat, but convex, as it should not be. After quickly comparing the invoice of Klava and the ATM with my finger, I mentally try to convince myself that everything is OK. After a second I tell my friends:
"Geez, I'm going to go skimmer."
They froze. I pry the keyboard with my fingernail... first the nail entered, then the finger...solid sex ). When I realized that Klava was leaving, I decided that I had broken the ATM and that there would be nothing under the buttons, and I would stupidly glue it back and withdraw money.
Picking up the keyboard, we were stunned – there was an exact copy of our keyboard, only perfectly smoothly embedded in the surface of the ATM.
- E-mae, Burumych, skimmer! A fucking skimmer! Oh Gods, this is the first time I've seen this, turn around and let me take a picture!
- Yes, I also see it for the first time. Only my dump is already there, and someone else's dump should be yours )
I turn my gaze to the card reader and try to pull out the map without thinking. It doesn't work. I remember about the "Cancel" button, I click-the map climbs out. Huh.
Picking up the protruding card reader with his fingernails, he also moves away – which only added to the horror. We look at the device for a couple of seconds – some light bulbs are on, the battery is on, the soldering is neat... yes, it is clear that this issue is being taken seriously. After another moment, the thought occurs to all of us simultaneously that we shouldn't be here anymore )
Then everything is like in the movie ) The cops promised to arrive within an hour, which in our case, of course, did not make us any weather. The skimmer was returned to its rightful owners in a peaceful manner ) And we, realizing that we were walking under God, teleported.
In general, approximately such emotions were at the first meeting. What kind of food for thought did we get then?
First, it was the first practical lesson – we learned what it looks like, what it is, by whom and how it is protected. The rest of the text is guesswork.
From unreliable sources, the price for a set of devices of this type (the hardware itself, software, etc.) costs about 3-5 thousand dollars (despite the fact that there is nothing supernatural there), which is at least a reason not to leave the device unattended. The price depends on the design and configuration. Something can work independently for a long time, something can store dumps on its memory card, something-immediately transmits information to the owners (exotic).
Quote from some website: "Information about skimmers has appeared in the news more than once, but the devices are improving every day. This time, the skimmer no longer needs to go to the ATM to withdraw information — it is sent via SMS. The device can send up to 1856 SMS messages on a single charge. It costs 8,5 thousand dollars. Moreover, paint for external parts is purchased at the same factories as ATM manufacturers, taking into account the temperature, angle of inclination, and time of painting. At first glance, it is almost impossible to distinguish.
"BUT ... if bank employees react quickly and track the attacker's SIM card, it may be easier to catch them..."
Therefore, there is definitely someone somewhere in the line of sight, even if you can't see them. But they see you, for example, from the tinted nine across the street Since the job of the observer is essentially to protect the object, I am almost sure that his proportions are like those of a decent security guard
If you think that you have fooled everyone by ripping off the skimmer and running away-do not rush to rejoice. They can find a dump, they could drop their passport - anything can happen but then a happy ending may not happen. So think about whether you should contact us at all – maybe it's easier to withdraw money elsewhere?
Then you can think about the habitats of skimmers. It is clear that the ideal place is where there are more people, and not students with scholarships, but normal such people. I think you'll find a skimmer at train stations, airports, casinos, coffee shops, movie theaters, hardware stores, and other hot spots – in short, in places where people need to withdraw more money.
After wandering around sovk and gorbushka for a couple of hours, passing a couple of railway stations – I didn't find anything interesting. Hence, again, the conclusion suggests that the devices are not always in their proper places.
I assume that first the guys find out in what mode the fish place is served – on what days and at what time the collectors come to pay money, at what time they pass, and so on. Since the collectors are probably different every time,then the attacker should not hope for their humanity to the skimmer. Therefore, it is likely that skimmers are glued and removed several times a day.
But again something follows from this. Even the loneliest ATM usually has cameras, which someone has to watch from the security services. And I don't even talk about ATMs in bank branches. Thus, I will not believe that every time you hang a device on an ATM, no one notices this and does nothing. Yes, an attacker can cover the camera for a couple of seconds, having managed to do their job... but this must happen several times a day!?! I think you don't even need to constantly hang up the device – just hang for a couple of hours on one of the evenings of the holiday.
What conclusion does this suggest? And such that everyone knows about it perfectly well. And if the girl at the reception should just turn a blind eye to this, then the owners of banks probably live not only on the interest of depositors =) otherwise, there is no point in breeding such a feeder under their noses. Thus, the attitude of the banking sector to the average user, an honest person, is once again proved. What a pity )
Once I went to the bank, at the entrance I met a security guard who was going out to smoke. Without thinking twice, I decided to talk to him – this is the dialogue we had:
- Hello, I wanted to ask you a couple of questions about ATM security.
"Try it."
(head-on) - Do you know what a skimmer is?
"Mm, I heard, why?
— I recently met such a device for the first time – I found it only when I already inserted the card, but didn't enter the code. Can they pay on my behalf without knowing the PIN code, for example, on the Internet or in simple stores?
"I honestly don't know. But God takes care of you – go in, get out, and change the code, it will take 10 minutes. Where did you find the thing?"
"That's it. But, to be honest, I was surprised – I thought that this is only in the states, and they write about them only in magazines.
- Heh...in the states =) you live in Russia. While the Americans are coming up with something, we will already make an "anti"one. They have viruses, we already have antivirus programs, and vice versa. So in the country of the desire to row money without doing anything, such devices cannot but exist.
"Even so! And we have a lot... in Moscow?
- Yes, it is enough. Is that where you live?"
— That's it
"Well ... not far from me. Search and you'll find it.)
"Interesting. And why is no one fighting them?
- Yes, as if they are not fighting... fighting. It's just that if they exist, then someone needs it.
"That's right, there's no smoke without fire. And how does the bank authorities feel about this, do they know?
(Cheering up) - Of course! )
- Vah. Ie, it turns out that they do not clean up at least just because it is also profitable for the authorities?
(Smiling) - Well ... things happen. What do you need all this for anyway?
- Yes, I ran into it by accident, I wanted to find out.
"Watch out, be careful. Do you have any law studies at the institute?
— No, but there was something similar.
— And what, they didn't teach you what questions and who you can ask and who you can't ask?
— They didn't teach me, but I came to you exclusively for peaceful purposes.)
- Yes, I understand. Just sometimes, asking a seemingly safe question can cause an inadequate reaction. The same goes for the behavior. Did you know that you can't knock on an ATM?
- Nope, but what, in response, beats?
- no. But this may already fall under property damage. So we had a drunk guy come in the other day, hit him, and a van arrived, rolled him up, and took him away. There's also a lot of sensors inside... and go prove that you didn't want to hack it.
"Seriously here. Okay, let's go back. Tell us something about their design, how they are fixed, how they are serviced?
— Well, what's there to tell? I don't know exactly how they work, but it's not too hard to find out. These 80-year-old grannies, who have been fucked up by the state all this time, can no longer understand these jokes, and if you see something sticking out, don't stick it out and that's it, take it off somewhere else.
- And if they tear it off and run away?
- Well, tear it off =) You know, these things are not left unattended... not immediately, so then they will be found somewhere. They'll pat you on the shoulder before you know it.
"I wonder... so no one really cares about all this?"
— Well, why... there are, sometimes, demonstration performances-specialists pass by, everyone who needs their fingers bent for a tick... and then everything falls into place again.
— Did you have anything interesting here?
— Nope, it's more like ATMs without banks, although all sorts of things happen.
"Oh, well, you've got a bank over there, haven't you…
- At most, it happened that the money was snatched away... but this is again, whose mistake? There, look... he came out with a wad of money... what's not to hide right away, not to remove? You can count it later... or enter pin codes without closing... and you can peek in a thousand ways. And then they complain…
— Where's your machine gun?"
(smiling) - Yes, I'm out on the tank today. They won't run far if anything happens.) Okay, come on, not May month, I'll go. Keep your wits about you.
- Success, thank you!
In general, such a dialogue came out, but there are almost no specifics. Later, by chance, I managed to find a person in the topic on the network, which I couldn't find again ) I didn't take much time from him, but still, a little information, again confirming my guesses, appeared:
Me: What are the types (storage method, transfer method, power supply)? What are the different sizes? What are the approximate prices and what do they depend on? Where do they come from – are they mass-produced?
He: Each device is individually tailored to a specific ATM, because the main required property is invisibility. No one makes them serially, because it is still a criminal offense, but this does not mean that they are all made manually. The price of a turnkey skimmer is from 5000 and above. Basically, these are autonomous devices with built — in memory - "put it on, waited, removed it", I didn't have any options with data transfer, but it is obvious that this is much safer for the owners.
// Here the interlocutor did not tell me about the size of the devices, but I found a couple of interesting images on the Internet. Yes, even such a "lighter" (more correctly, a "Cube") in the hand of a person next to you is able to draw down your fortune.
Me: How are they fixed? It happens stupidly on top of the keyboard and slots. But I've heard that more often they just put cameras on. Maybe you've come up with something else?
He: That's right — in simple models, it is attached only to the card reader + camera for removing the pincode. There are many ways to mount the camera.
// After looking at the photo of the ATM, I figure out where I could hide the camera. If it's not an "extra" camera in a jar that looks like a real one, then there aren't many options left. If a person is tall, then the camera can be glued to the upper part of the ATM protruding above the keyboard – you can't just see them, but slightly bending down is easy. Or you can hang your own" lamp "for lighting, in the transparent plastic of which you can hide the "seed" from the camera (have you seen the size of the camera in some video intercoms? “.” – slightly larger than this point)
Or just like on a photo from the Internet – in a box for advertising, initially awarded only with an informational function.
Well, or your code can be stupidly peeked at by nearby people Therefore, mirrors on ATMs are glued for a reason. Banks that care about customers also put special "fences" on the keyboard on their ATMs, which help not to burn the code.
Me: Where are they most often found – in closed or open ATMs? Maybe some ATMs or banks are particularly irresponsible about this, and some value their customers? Favorite habitats? Where is more-in Moscow or St. Petersburg?
On: Open ATMs are preferable. The more traffic people have, the better. About banks-xs. Any phreaker will not tell you this or will knowingly "change" the necessary names of banks. Of course, everyone is watching, but no one will say that their ATM has been skimmed. Where more-imho, in St. Petersburg. But in Moscow, of course, there is also enough.
Me again: A little more at prices – can you buy only on the Internet or are they also sold in supermarkets? What changes in this case? What should a person do if they have removed the skimmer?)
He: A ready-made kit bought at Mitino or somewhere else will turn out to be non-working or already used in 99%, and then it's hard to find what you need. On the Internet, people are much more willing to make contact, but you can also buy the wrong thing or at an inflated price. The price, again, under the order-from 5000. If you managed to remove the skimmer-it's a small matter — to merge the information from there and sell it to carders. Or drops. Draining the money equivalent yourself is equivalent to turning yourself in to the authorities.
// Hmm, something again this figure in 5K usd On the forums, the offers are completely different – from 1K to 15.
Me: Who is doing this at all — after all, not just pioneers of radio engineering? How do they install them — they put them under the ATM camera every day in the morning and remove them before the collectors arrive? Or even they are not a hindrance?)
He: Who does it? Smart and careful phreakers (not to be confused with freaks-my note). The most common installation method is after the arrival and departure of the collection group, after 5-10 minutes the "group" returns. and he's leaving again. The scheme is acceptable for organized criminal groups, which can allow them to imitate the workwear of craftsmen. A simpler option is to set it for evening-night, i.e. there are few people, and the collection will not arrive until morning (the arrival time is calculated by simple observation), but the security is also higher. Skimmers are also installed and removed, usually by a "noisy group of students", i.e. the crowd surrounds the ATM ("blocks suckers"), a skimmer is placed... well, options for fantasy…
Me: I want some numbers ) Their risk is at least justified — how profitable is such fishing? Or if not in dollars, then at least in the number of dumps. How often do skimmers run? )
He: The price of freedom is different for everyone, some take risks, some don't. But you don't always have to do everything yourself do not offend with % and everything will be fine. Number of dumps = the number of cards inserted into the ATM. The catch is that no one has ever said specific numbers. But it pays off not only the device, but also enough for a new one. Maybe I heard the song "There are dinners in the restaurant, there are no neighbors in the house, and the BMW 7 series is more successful than a bicycle"
Me: I heard And what do they do with dumps in general, what is their further path? Does a person need to change the PIN code if they only inserted the card, but did not enter the code? How quickly does the dump fall into "dark hands" and how much time does a person have to save the babos? Then they make a copy of the card, or what can be done with a dump with the removed pin? How long does decryption take, or is it just 5 seconds?
He: see above — they are drained to carders or drops. Who has what contacts? If the PIN is not entered — you don't need to change it. The dump usually gets into the hands of drops within a day or two after the skimmer is removed. However, if the "operation" was successful, the person will find out that money was withdrawn from their account only via SMS banking or at the next card check. Decrypt what? Dump? The dump is not decrypted. It's just being cloned. Yes, drops have card cloning machines (also expensive).
It's not as ambiguous as in the first dialog, but nevertheless, the picture is getting clearer and clearer. If they had given me the Da Vinci manuscripts, I would have solved them in an instant
Having crawled through various forums on the Internet, I was surprised at how much information is freely available. Diagrams, desoldering, firmware, manuals, step – by – step instructions and, most importantly, people who have the most valuable-knowledge, information.
Diagram of the scanner readout head
GSM skimmer diagram
Just like that, of course, no one will tell you anything ) They didn't even ambiguously dare to tell me anything, it's their bread. On the other hand, you can't cash out all the money, and someone in our country still earns honestly. And so it turns out – on one end of the phone — people who are afraid of harassment, on the other-people who are afraid of losing money. And yet, do not forget that someone else is working honestly.
What conclusions to draw from this, everyone makes for himself For those who are too lazy to think about it, I will give you a couple of tips that will help you not lose the latest coupons on your card without any luck:
1. Before approaching the ATM, take a look around. If you are drunk or notice something strange or suspicious, please postpone the meal until better times. Do not be paranoid for the sake of safety - look around in the same way as when crossing the road.
2. You should clearly know what your bank's ATM looks like (if you do not withdraw money with a commission from everything in a row). Most of them have: a keyboard that does not protrude from a flat plane, a flat or indented slot of the card receiver. If you see that the keyboard sticks out at least a couple of millimeters or the card reader sticks out – remove the money in another place. If you decide to show courage and decide to call, no matter where – in 02 or in the bank service-do it not at the ATM!
3. After inserting the card, do not rush to enter the pin-code – look around again=) There should be nothing non-standard on the ATM. If someone is standing nearby, enter the code without being seen.
4. When you withdraw money, don't swing it left and right. They pulled out the card > removed it > took out the money > quickly counted it and immediately put it away securely > took the check > disappeared.
5. One day you may get a phone call allegedly from the bank and say: "Hello, dear Loshidze Baobab Babosovich, you are concerned about the security service of your bank. For the security of our customers, we transfer them from a 4-digit PIN code to a 6-digit one. Please provide your current PIN code and the new one you want, or do the same by coming to our bank." Naturally, many people will be too lazy to worry and mess with paperwork, so I dare say that a good half will stupidly say their code. So.... NEVER tell ANYONE your PIN code! No aunts in the store at the checkout, or, especially, uncles. Not even the bank's employees-from the receptionist aunts to the board of directors-under any pretext. They already have a lot of options on how to leave you without pants
6. If you are already beaten – shout loudly — there are more of them;=)))
For dessert – a couple of photos of what your kidnapper might look like:
1. The keyboard may look like this:
Usually the buttons are flat, but it happens that the buttons stick out... No, no, no, there's definitely nothing in them, this is definitely paranoia... or...))
2. Card reader:
The device in the last picture causes me some doubts – on the one hand, its right part is free (the part where the magnetic tape will be), i.e. in fact, the scanner should not fit there and this device, as a result – the so-called antiskimmer. But here it is made so badly (including in execution) that it is indistinguishable from a skimmer. Or you can tear it off and stick a skimmer in its place... in general, they did something stupid )
As for anti-skimmers-banks could have secured the card reader without any problems – use an absolutely flat slot, special bumps that prevent installation on top of any object - but again... if they wanted to, they did ) Here are examples of attempts to complicate life:
(Also a stupid idea, in fact, because it is easy to disguise the skimmer as such a case, but even the anti-skimmer itself again already suggests some thoughts)
Sometimes you can find stickers or stands "how an ATM should look", and, they say, if it looks different, do not use it. It is clear that you can stick anything on top of this EVERYTHING, just not to work! )
Good luck!
(с) https://habr.com/ru/articles/67141/
For some reason, I thought that this could only happen in the country of evergreen presidents, and we simply do not have the personnel to do this. It turns out that I was deeply mistaken. It's just not every day that you meet something that you've only read about in magazines / the Internet or seen in movies [ by the way, I don't remember a single movie that featured a skimmer
].What is a skimmer? If you make a request in Yandex, it will become clear from the first lines that this is some kind of pump for cleaning swimming pools. But judge for yourself-the pump and the ATM... something is wrong. Although, pumping money from an ATM is quite possible )
Without going into the history of the origin of the name, a skimmer is a small device that can help intruders take advantage of your plastic card.
Those who are in the subject, now probably read and giggle at my interpretation, but this is the first interpretation that came to my mind.
A skimmer usually consists of two elements – an overhead keyboard (pin pad) and a magnetic tape scanner of the card.
The pin pad is placed exactly on top of the ATM's native keyboard and allows attackers to find out your PIN code (a miniature camera can also be used for this), while the scanner is hung on top of the card receiving slot. Moreover, disguise does its dirty work.
You insert the card into the ATM (without suspecting that you are inserting it into the intruders ' card scanner, after which the card gets into the ATM slot you need) - voila, your card data (dump) is already either on the data storage device in the scanner, or has already been transferred to someone via the wireless interface. Then you enter the PIN code, which is also either saved or immediately sent. All you need to do to use your money is to make a duplicate card, which seems to be done quite easily – using a dump, a faceless piece of plastic is programmed and you're done.
By the way, it is much worse if there is no overhead keyboard on the ATM card receiving device or just someone is firing when you enter the PIN code. Even worse, if at the same time you came out of your mirror-washed Audi Q7 (99, third boomer, lancer-underline), in a major sheepskin coat, with a headset, but without a helmet. In this case, there is every chance to stupidly get something heavy on the head and with the same success give money from the card. But this case is not so interesting – the gop stop was everywhere and always.
Even though I always look at the ATM before inserting the card, I did insert it that time. We were not alone, it was not up to the ATM. I was about to enter the PIN code when I noticed that the keyboard is not flat, but convex, as it should not be. After quickly comparing the invoice of Klava and the ATM with my finger, I mentally try to convince myself that everything is OK. After a second I tell my friends:
"Geez, I'm going to go skimmer."
They froze. I pry the keyboard with my fingernail... first the nail entered, then the finger...solid sex ). When I realized that Klava was leaving, I decided that I had broken the ATM and that there would be nothing under the buttons, and I would stupidly glue it back and withdraw money.
Picking up the keyboard, we were stunned – there was an exact copy of our keyboard, only perfectly smoothly embedded in the surface of the ATM.
- E-mae, Burumych, skimmer! A fucking skimmer! Oh Gods, this is the first time I've seen this, turn around and let me take a picture!
- Yes, I also see it for the first time. Only my dump is already there, and someone else's dump should be yours )
I turn my gaze to the card reader and try to pull out the map without thinking. It doesn't work. I remember about the "Cancel" button, I click-the map climbs out. Huh.
Picking up the protruding card reader with his fingernails, he also moves away – which only added to the horror. We look at the device for a couple of seconds – some light bulbs are on, the battery is on, the soldering is neat... yes, it is clear that this issue is being taken seriously. After another moment, the thought occurs to all of us simultaneously that we shouldn't be here anymore )
Then everything is like in the movie ) The cops promised to arrive within an hour, which in our case, of course, did not make us any weather. The skimmer was returned to its rightful owners in a peaceful manner ) And we, realizing that we were walking under God, teleported.
In general, approximately such emotions were at the first meeting. What kind of food for thought did we get then?
First, it was the first practical lesson – we learned what it looks like, what it is, by whom and how it is protected. The rest of the text is guesswork.
From unreliable sources, the price for a set of devices of this type (the hardware itself, software, etc.) costs about 3-5 thousand dollars (despite the fact that there is nothing supernatural there), which is at least a reason not to leave the device unattended. The price depends on the design and configuration. Something can work independently for a long time, something can store dumps on its memory card, something-immediately transmits information to the owners (exotic).
Quote from some website: "Information about skimmers has appeared in the news more than once, but the devices are improving every day. This time, the skimmer no longer needs to go to the ATM to withdraw information — it is sent via SMS. The device can send up to 1856 SMS messages on a single charge. It costs 8,5 thousand dollars. Moreover, paint for external parts is purchased at the same factories as ATM manufacturers, taking into account the temperature, angle of inclination, and time of painting. At first glance, it is almost impossible to distinguish.
"BUT ... if bank employees react quickly and track the attacker's SIM card, it may be easier to catch them..."
Therefore, there is definitely someone somewhere in the line of sight, even if you can't see them. But they see you, for example, from the tinted nine across the street
Since the job of the observer is essentially to protect the object, I am almost sure that his proportions are like those of a decent security guard If you think that you have fooled everyone by ripping off the skimmer and running away-do not rush to rejoice. They can find a dump, they could drop their passport - anything can happen
but then a happy ending may not happen. So think about whether you should contact us at all – maybe it's easier to withdraw money elsewhere?Then you can think about the habitats of skimmers. It is clear that the ideal place is where there are more people, and not students with scholarships, but normal such people. I think you'll find a skimmer at train stations, airports, casinos, coffee shops, movie theaters, hardware stores, and other hot spots – in short, in places where people need to withdraw more money.
After wandering around sovk and gorbushka for a couple of hours, passing a couple of railway stations – I didn't find anything interesting. Hence, again, the conclusion suggests that the devices are not always in their proper places.
I assume that first the guys find out in what mode the fish place is served – on what days and at what time the collectors come to pay money, at what time they pass, and so on. Since the collectors are probably different every time,then the attacker should not hope for their humanity to the skimmer. Therefore, it is likely that skimmers are glued and removed several times a day.
But again something follows from this. Even the loneliest ATM usually has cameras, which someone has to watch from the security services. And I don't even talk about ATMs in bank branches. Thus, I will not believe that every time you hang a device on an ATM, no one notices this and does nothing. Yes, an attacker can cover the camera for a couple of seconds, having managed to do their job... but this must happen several times a day!?! I think you don't even need to constantly hang up the device – just hang for a couple of hours on one of the evenings of the holiday.
What conclusion does this suggest? And such that everyone knows about it perfectly well. And if the girl at the reception should just turn a blind eye to this, then the owners of banks probably live not only on the interest of depositors =) otherwise, there is no point in breeding such a feeder under their noses. Thus, the attitude of the banking sector to the average user, an honest person, is once again proved. What a pity )
Once I went to the bank, at the entrance I met a security guard who was going out to smoke. Without thinking twice, I decided to talk to him – this is the dialogue we had:
- Hello, I wanted to ask you a couple of questions about ATM security.
"Try it."
(head-on) - Do you know what a skimmer is?
"Mm, I heard, why?
— I recently met such a device for the first time – I found it only when I already inserted the card, but didn't enter the code. Can they pay on my behalf without knowing the PIN code, for example, on the Internet or in simple stores?
"I honestly don't know. But God takes care of you – go in, get out, and change the code, it will take 10 minutes. Where did you find the thing?"
"That's it. But, to be honest, I was surprised – I thought that this is only in the states, and they write about them only in magazines.
- Heh...in the states =) you live in Russia. While the Americans are coming up with something, we will already make an "anti"one. They have viruses, we already have antivirus programs, and vice versa. So in the country of the desire to row money without doing anything, such devices cannot but exist.
"Even so! And we have a lot... in Moscow?
- Yes, it is enough. Is that where you live?"
— That's it
"Well ... not far from me. Search and you'll find it.)
"Interesting. And why is no one fighting them?
- Yes, as if they are not fighting... fighting. It's just that if they exist, then someone needs it.
"That's right, there's no smoke without fire. And how does the bank authorities feel about this, do they know?
(Cheering up) - Of course! )
- Vah. Ie, it turns out that they do not clean up at least just because it is also profitable for the authorities?
(Smiling) - Well ... things happen. What do you need all this for anyway?
- Yes, I ran into it by accident, I wanted to find out.
"Watch out, be careful. Do you have any law studies at the institute?
— No, but there was something similar.
— And what, they didn't teach you what questions and who you can ask and who you can't ask?
— They didn't teach me, but I came to you exclusively for peaceful purposes.)
- Yes, I understand. Just sometimes, asking a seemingly safe question can cause an inadequate reaction. The same goes for the behavior. Did you know that you can't knock on an ATM?
- Nope, but what, in response, beats?
- no. But this may already fall under property damage. So we had a drunk guy come in the other day, hit him, and a van arrived, rolled him up, and took him away. There's also a lot of sensors inside... and go prove that you didn't want to hack it.
"Seriously here. Okay, let's go back. Tell us something about their design, how they are fixed, how they are serviced?
— Well, what's there to tell? I don't know exactly how they work, but it's not too hard to find out. These 80-year-old grannies, who have been fucked up by the state all this time, can no longer understand these jokes, and if you see something sticking out, don't stick it out and that's it, take it off somewhere else.
- And if they tear it off and run away?
- Well, tear it off =) You know, these things are not left unattended... not immediately, so then they will be found somewhere. They'll pat you on the shoulder before you know it.
"I wonder... so no one really cares about all this?"
— Well, why... there are, sometimes, demonstration performances-specialists pass by, everyone who needs their fingers bent for a tick... and then everything falls into place again.
— Did you have anything interesting here?
— Nope, it's more like ATMs without banks, although all sorts of things happen.
"Oh, well, you've got a bank over there, haven't you…
- At most, it happened that the money was snatched away... but this is again, whose mistake? There, look... he came out with a wad of money... what's not to hide right away, not to remove? You can count it later... or enter pin codes without closing... and you can peek in a thousand ways. And then they complain…
— Where's your machine gun?"
(smiling) - Yes, I'm out on the tank today. They won't run far if anything happens.) Okay, come on, not May month, I'll go. Keep your wits about you.
- Success, thank you!
In general, such a dialogue came out, but there are almost no specifics. Later, by chance, I managed to find a person in the topic on the network, which I couldn't find again ) I didn't take much time from him, but still, a little information, again confirming my guesses, appeared:
Me: What are the types (storage method, transfer method, power supply)? What are the different sizes? What are the approximate prices and what do they depend on? Where do they come from – are they mass-produced?
He: Each device is individually tailored to a specific ATM, because the main required property is invisibility. No one makes them serially, because it is still a criminal offense, but this does not mean that they are all made manually. The price of a turnkey skimmer is from 5000 and above. Basically, these are autonomous devices with built — in memory - "put it on, waited, removed it", I didn't have any options with data transfer, but it is obvious that this is much safer for the owners.
// Here the interlocutor did not tell me about the size of the devices, but I found a couple of interesting images on the Internet. Yes, even such a "lighter" (more correctly, a "Cube") in the hand of a person next to you is able to draw down your fortune.
Me: How are they fixed? It happens stupidly on top of the keyboard and slots. But I've heard that more often they just put cameras on. Maybe you've come up with something else?
He: That's right — in simple models, it is attached only to the card reader + camera for removing the pincode. There are many ways to mount the camera.
// After looking at the photo of the ATM, I figure out where I could hide the camera. If it's not an "extra" camera in a jar that looks like a real one, then there aren't many options left. If a person is tall, then the camera can be glued to the upper part of the ATM protruding above the keyboard – you can't just see them, but slightly bending down is easy. Or you can hang your own" lamp "for lighting, in the transparent plastic of which you can hide the "seed" from the camera (have you seen the size of the camera in some video intercoms? “.” – slightly larger than this point)
Or just like on a photo from the Internet – in a box for advertising, initially awarded only with an informational function.
Well, or your code can be stupidly peeked at by nearby people
Therefore, mirrors on ATMs are glued for a reason. Banks that care about customers also put special "fences" on the keyboard on their ATMs, which help not to burn the code.
Me: Where are they most often found – in closed or open ATMs? Maybe some ATMs or banks are particularly irresponsible about this, and some value their customers? Favorite habitats? Where is more-in Moscow or St. Petersburg?
On: Open ATMs are preferable. The more traffic people have, the better. About banks-xs. Any phreaker will not tell you this or will knowingly "change" the necessary names of banks.
Of course, everyone is watching, but no one will say that their ATM has been skimmed. Where more-imho, in St. Petersburg. But in Moscow, of course, there is also enough.Me again: A little more at prices – can you buy only on the Internet or are they also sold in supermarkets?
What changes in this case? What should a person do if they have removed the skimmer?)He: A ready-made kit bought at Mitino or somewhere else will turn out to be non-working or already used in 99%, and then it's hard to find what you need. On the Internet, people are much more willing to make contact, but you can also buy the wrong thing or at an inflated price. The price, again, under the order-from 5000. If you managed to remove the skimmer-it's a small matter — to merge the information from there and sell it to carders. Or drops. Draining the money equivalent yourself is equivalent to turning yourself in to the authorities.
// Hmm, something again this figure in 5K usd
On the forums, the offers are completely different – from 1K to 15.Me: Who is doing this at all — after all, not just pioneers of radio engineering? How do they install them — they put them under the ATM camera every day in the morning and remove them before the collectors arrive? Or even they are not a hindrance?)
He: Who does it? Smart and careful phreakers (not to be confused with freaks-my note). The most common installation method is after the arrival and departure of the collection group, after 5-10 minutes the "group" returns. and he's leaving again. The scheme is acceptable for organized criminal groups, which can allow them to imitate the workwear of craftsmen. A simpler option is to set it for evening-night, i.e. there are few people, and the collection will not arrive until morning (the arrival time is calculated by simple observation), but the security is also higher. Skimmers are also installed and removed, usually by a "noisy group of students", i.e. the crowd surrounds the ATM ("blocks suckers"), a skimmer is placed... well, options for fantasy…
Me: I want some numbers ) Their risk is at least justified — how profitable is such fishing? Or if not in dollars, then at least in the number of dumps. How often do skimmers run? )
He: The price of freedom is different for everyone, some take risks, some don't. But you don't always have to do everything yourself
do not offend with % and everything will be fine. Number of dumps = the number of cards inserted into the ATM. The catch is that no one has ever said specific numbers. But it pays off not only the device, but also enough for a new one. Maybe I heard the song "There are dinners in the restaurant, there are no neighbors in the house, and the BMW 7 series is more successful than a bicycle"
Me: I heard
And what do they do with dumps in general, what is their further path? Does a person need to change the PIN code if they only inserted the card, but did not enter the code? How quickly does the dump fall into "dark hands" and how much time does a person have to save the babos? Then they make a copy of the card, or what can be done with a dump with the removed pin? How long does decryption take, or is it just 5 seconds?He: see above — they are drained to carders or drops. Who has what contacts? If the PIN is not entered — you don't need to change it. The dump usually gets into the hands of drops within a day or two after the skimmer is removed. However, if the "operation" was successful, the person will find out that money was withdrawn from their account only via SMS banking or at the next card check. Decrypt what? Dump? The dump is not decrypted. It's just being cloned. Yes, drops have card cloning machines (also expensive).
It's not as ambiguous as in the first dialog, but nevertheless, the picture is getting clearer and clearer. If they had given me the Da Vinci manuscripts, I would have solved them in an instant
Having crawled through various forums on the Internet, I was surprised at how much information is freely available. Diagrams, desoldering, firmware, manuals, step – by – step instructions and, most importantly, people who have the most valuable-knowledge, information.
Diagram of the scanner readout head
GSM skimmer diagram
Just like that, of course, no one will tell you anything ) They didn't even ambiguously dare to tell me anything, it's their bread. On the other hand, you can't cash out all the money, and someone in our country still earns honestly. And so it turns out – on one end of the phone — people who are afraid of harassment, on the other-people who are afraid of losing money. And yet, do not forget that someone else is working honestly.
What conclusions to draw from this, everyone makes for himself
For those who are too lazy to think about it, I will give you a couple of tips that will help you not lose the latest coupons on your card without any luck:1. Before approaching the ATM, take a look around. If you are drunk or notice something strange or suspicious, please postpone the meal until better times. Do not be paranoid for the sake of safety - look around in the same way as when crossing the road.
2. You should clearly know what your bank's ATM looks like (if you do not withdraw money with a commission from everything in a row). Most of them have: a keyboard that does not protrude from a flat plane, a flat or indented slot of the card receiver. If you see that the keyboard sticks out at least a couple of millimeters or the card reader sticks out – remove the money in another place. If you decide to show courage and decide to call, no matter where – in 02 or in the bank service-do it not at the ATM!
3. After inserting the card, do not rush to enter the pin-code – look around again=) There should be nothing non-standard on the ATM. If someone is standing nearby, enter the code without being seen.
4. When you withdraw money, don't swing it left and right. They pulled out the card > removed it > took out the money > quickly counted it and immediately put it away securely > took the check > disappeared.
5. One day you may get a phone call allegedly from the bank and say: "Hello, dear Loshidze Baobab Babosovich, you are concerned about the security service of your bank. For the security of our customers, we transfer them from a 4-digit PIN code to a 6-digit one. Please provide your current PIN code and the new one you want, or do the same by coming to our bank." Naturally, many people will be too lazy to worry and mess with paperwork, so I dare say that a good half will stupidly say their code. So.... NEVER tell ANYONE your PIN code! No aunts in the store at the checkout, or, especially, uncles. Not even the bank's employees-from the receptionist aunts to the board of directors-under any pretext. They already have a lot of options on how to leave you without pants
6. If you are already beaten – shout loudly — there are more of them;=)))
For dessert – a couple of photos of what your kidnapper might look like:
1. The keyboard may look like this:
Usually the buttons are flat, but it happens that the buttons stick out... No, no, no, there's definitely nothing in them, this is definitely paranoia... or...
))
2. Card reader:
The device in the last picture causes me some doubts – on the one hand, its right part is free (the part where the magnetic tape will be), i.e. in fact, the scanner should not fit there and this device, as a result – the so-called antiskimmer. But here it is made so badly (including in execution) that it is indistinguishable from a skimmer. Or you can tear it off and stick a skimmer in its place... in general, they did something stupid )
As for anti-skimmers-banks could have secured the card reader without any problems – use an absolutely flat slot, special bumps that prevent installation on top of any object - but again... if they wanted to, they did ) Here are examples of attempts to complicate life:
(Also a stupid idea, in fact, because it is easy to disguise the skimmer as such a case, but even the anti-skimmer itself again already suggests some thoughts)
Sometimes you can find stickers or stands "how an ATM should look", and, they say, if it looks different, do not use it. It is clear that you can stick anything on top of this
EVERYTHING, just not to work! )Good luck!
(с) https://habr.com/ru/articles/67141/
