Hacking Next Gen ATMs: From Capture to Cashout

Formal Metadata

Title: Hacking Next Gen ATMs: From Capture to Cashout
Number of Parts: 93
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Abstract

EMV (Chip & PIN) card ATMs are taking over the industry; with the deadlines passed and approaching, the industry is rushing ATMs to market. Are they more secure and hack-proof? Over the past year I have worked at understanding and breaking the new methods that ATM manufacturers have implemented on production 'Next Generation' secure ATM systems. This includes bypassing the anti-skimming/anti-shimming methods introduced in the latest generation of ATMs, along with an NFC long-range attack that allows real-time card communication from over 400 miles away. This talk will demonstrate how, with a $2,000 investment, criminals can do unattended 'cash outs', touching also on failures of the past with EMV implementations and on how credit card data of the future will most likely be sold, given that the new EMV data has such a short life span. Following the 'Rise of the Machines' theme, a demonstration of 'La-Cara', an automated cash-out machine that works on current EMV and NFC ATMs: it is an entire fascia placed on the machine to hide the automatic PIN keyboard and flashable EMV card system that silently withdraws money from harvested card data. This demonstration of the system can cash out around $20,000 to $50,000 in 15 minutes.

Bio: 11 years pen-testing, 12 years' security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE 11, BSides Boston and over 50 other speaking engagements, from telecom regional events to universities, on security subject matter. Working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota: computer science and geophysics. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC, Verizon.
Transcript: English (auto-generated)
uh so yeah you guys all showed up for uh basically us setting up the AV stuff pretty quick and uh yeah this is next gen hacking ATMs so I'm gonna jackpot this little baby it has $50,000 in it so it should be shooting all over the floor in a little bit and uh yeah so yeah I'm a senior engineer been doing pen testing for 11 years I speak a lot uh
spoke a lot at Def Con uh this is my third year in a row at Def Con so I just love the conventions love meeting the people and I spoke at Hope uh Takedown Con tons of other events so and I did a lot of reverse engineering I'm doing a talk later this week or on uh the demo labs on some uh software that actually makes computers immune to ransomware so I don't only do terrible things to ATMs I also try to make protections
too so and I did a lot of hotel hacking it's gonna be on uh also later this week on Sunday if you wanna make sure your talk's on the last day of the week make sure you do it on hacking uh hotels so and yeah safety first uh I drove an ATM machine about 1900 miles uh from Bismarck, North Dakota to Las Vegas, Nevada and I had once again I had an ATM
machine and a bunch of skimmers, shimmers, everything you can imagine so that was one of the things I took safety first and actually didn't push the firmware on the devices until I actually got to my hotel room at Mandalay Bay because I did this at Black Hat also so that's something where I like to take a little bit more safety precautions just when you're moving those things because I know in the past a lot of
people have uh you know accidentally forgot them in airplanes or uh you know had their vehicles broken into so I just did a little bit more new diligence and uh yeah just thought that was kinda neat I wish more people would do that because some of these things if they fall into the wrong hands um it's kinda scary to imagine what people would do with them so and yeah uh I'm gonna go over the actual attacks on the EMV uh some of them are
standards based some of the things are um things that weren't fixed in the past um from some of the talks previously so hopefully you guys have a little bit of uh understanding at least of what the chip and pin cards are uh if you if you bank somewhere where they still have the mag stripes I would uh maybe take a consideration into changing that so and yeah they're working through a lot of the card stock so everything in this uh United States is gonna be chip and pin here pretty soon so they have the next
liability shift that's coming up in 2017 so and uh that's what makes this a next gen talk actually I converted this uh ATM machine uh over to EMV so which I'll go into a little bit details here so a tour of the actual distribution system so I have an actual blockchain design that I imagine that the uh it actually makes it possible uh you know it's
not actually enabling people but it shows the capabilities of the extent that the bad guys are actually gonna go to uh when they actually start uh trying to sell these transactions cause the static data everybody's seen the Carter forms and things I'll get into greater detail later about that so and uh let's see here so I'm gonna look at the
communication back end um uh what the actual uh banking portion it's running on things like that I'm gonna introduce you to LaCara it's the automated cash out mesh method and I'm gonna go over the uh demo which is uh going in great detail it's actually gonna just jackpot on stage so and yeah so basically what is EMV it was uh integrated in the
early 80s in France and uh it's ear pay master card visa and it's a little chip and pin card the actual EMV Co is the one that actually monitors the standards for those so uh yeah it replaces the mag strip card which is around since the 1940s so it's a little old it could have uh participated in World War 2 so that is pretty old uh a liability
shift actually on uh gas pumps which is the bad guys favorite shimming and skimming spots is actually gonna be coming up here in 2017 for gas pumps and point of sale system or the uh gas pump and uh ATM machines so that's why I thought this talk was due I'd like to give the good guys a little bit of time to actually uh yeah fix some of these issues before they're actually used on the wild cause as soon as the mag strip data's are
cut off they're gonna have about 40 dollars of value so and what actually led me to this research is I have a ton of scripts that I have uh running online and they're actually monitoring bin numbers and uh some of the bank identification numbers that are for sale so if there's a larger breach in uh say for example like Bismarck, North Dakota or
something like that it'll you know it'll show that there's uh high validity or they have a lot of cards for sale in the North Dakota area which I'll show you and this is kind of how they offer it now it was one of the biggest breakthroughs that happened in uh carding history in the last little bit uh was pretty much over the last 4 or 5 years people have been able to literally filter by your area code like I live in Bismarck, North Dakota and these are all uh credit card transactions that wouldn't raise any
suspicion if I was the bad guy so that's like one of the bigger things that hit the this is how it evolved like before it was you know you didn't know if you were buying an Austin, Texas credit card or the bad guy didn't know if he was buying a a bad credit card so where it would get flagged for suspicion so so I actually took a kind of an approach on what I imagined some of the next generation sales methods would be and
uh how people would actually be able to sell EMV transactions and um some of the RFID and actually uh the old classic track 1, 2, and 3 data and uh as you guys have probably seen um they have professionally made shimmers out there now like a lot of them actually have like serial numbers and stuff on them so they are actually being professionally produced and uh that's something that uh yeah this is pretty much going to
take a little bit of a glimpse into the actual uh what I imagine future Carter sites would look like um being able to sell the EMV transactions which aren't static data so they're not something where you can buy it and use it in a week and a half it's literally uh as you'll see on the next page here it's actually the Carter site of the future so it has
actually complete with spelling errors so and yeah you can basically uh just select which FEMA region you're going to be in and uh automated if it's going to be automated you can push some additional commands and the actual time zone uh it's going to go into setting the fraud SMS system so that's like something where you can uh say for example if on the cash out ATM if people wanted to block the SMS messaging and things
like that because some of the banks will send the confirmed messages and stuff like that so uh there's a lot of uh actual attack surface that people can do with these so and uh you can basically put in two passwords and I'll go into a little bit of detail what those actually do later on in this transaction and uh yeah and I trust that this will make a lot more sense once I actually show you guys the blockchain so yeah you're
basically not buying static data anymore you're buying access or the bad guys are actually buying access to a network of shimmed devices where those devices are passing the information off to the cash out ATM so and yeah here's how it works actually so that person that was going through the bad Carter site so Mr. bad guy comes onto the
page uh picks which minute he's going to be doing uh standing at that ATM and uh you just he has to select what time zone he was in and some other things and it'll actually uh with one of those two passwords that he did he'll be able to put into delimited character where it'll be able to pick out where that transaction is so that you're getting a blockchain every single fraudulent transaction that is going on in this
shim network um I have there's like 150,000 bank accounts uh that are simulated on this back end then um there's a credit processor portion where all the the fraud flags are held and things so it will actually go through the transactions here in a little bit so this is actually gonna pass off into the blockchain pretty much all of the devices that is feeding this ATM machine so uh for since the 27th to last month I've actually
had a lot of transactions going on so there's little sims that are basically doing purchases and it's learning what a natural environment looks like and it actually uh the initial time when I ran it it uh shut down after seven transactions because I only had 150 accounts so it actually has the fraud uh the fraud flags in place to actually shut it
down so and basically so after you put the password in it's actually gonna go into uh giving you the character information you need to initiate the tunnel uh for the fraudulent back end so when the bad guys are connecting they actually get des keys that allow them to actually talk to the entire fraud back end so and this is um yeah this is
the first time that they'd be able to monetize this in a in a live scenario so and the information received so they get the tunnel information before so they're connecting to the tunnel and authenticating to the fraud network uh pretty much the same way that the ATM has des keys that talks to the gateway processor that talks to the banking back ends so without the des keys this uh ATM cannot talk to my uh gateway processor
network that I've set up and then also the banking back end or any of the bank accounts so that's something where uh your basic information is gonna go over the info type quality of the actual skim device so if it's one of the more trusted sources um where people paid more they'll get more preferential treatment on the actual blockchain so yeah so basically uh other than that you're gonna get your tunnel ID
information and then you're gonna get PIN information and uh this this device is actually automatically putting in PIN information which is uh one of the the last ways that it's actually possible to uh jackpot uh additionally cause um like Barnaby Jacked uh was did some great research made it a lot easier for people like me to be able to
present uh uh flaws in ATMs and things like that without being arrested or questioned by law enforcement so that's something where you know a lot of the front runners um his was actually a hardware attack where it actually attacked the firmware just told it to spit the actual uh money out so that's something where this is a little bit different research so and yeah so basically as you can see the connection
information is before your actual transaction in the blockchain so and what kind of information can be sold on these card or sites um so there's basically static magnetic data and track one and two and three data that's the classic data that's being sold right now there's EMV DDA which is the dynamic uh authentication which are some of the newer cards um if you got like one of the cards like three years ago four years
ago some of those had a lot more static information on them and uh some of the newer card stocks that banks are going through are the new these new two new two transactions so some of the issues that were you know spoke of in the past were actually fixed a little bit and uh some of them were were still available so some of the newer uh cards are still susceptible to these attacks and uh there will be some RFID
stuff so not the RFID in the sense of like the Apple Pay and the Google Pay uh it's actually the uh cards where you can click them and stuff like that though some of those will be able to be would be able to be sold on a fraudulent network so and yeah it actually the this device will if they're not uh I put a couple cards in there and I
removed them for demo purposes but uh that were like specifically only for food or things like that so it'll reject cards onto the network that are just set for flags that say it can only be used for food or gas so and uh aside from the card actually being passed off it'll also pass off the PIN and the ATM limit and that's one of the things that uh while I was going around some of those carder sites I was uh collecting a
lot of research and there was lots of um PANS uh they were collecting the actual PAN information so the account numbers and the BINs which are the bank identification numbers they were collecting the amounts that were most likely their point of sale limits and then some of their ATM transactions so it's something where they were looking to see how much these actual accounts they could get out of them so they'd know what to mark them up to but it's also uh anytime that they would compromise a
card using like a Lebanese loop or there's other devices where they would get them stuck in the ATM and come back for them um they were most likely you know taking these cards and looking at actual flag details so they're collecting all this information from the banking networks and that's what led me to believe that uh eventually they were going to be going after EMV transactions but why would they do it now because they have all
this low hanging fruit of all these magnetic card data so and yeah here's in a nutshell what is happening you have multiple shimmed devices and they're passing off to one device so this doesn't have to be in a huge block chain uh that was the method that I saw is where bad guys would be able to monetize this again and it's because of some of the latency uh that is introduced into the actual process um there's limitations with the
especially the uh backbone for fiber inside the United States there's some methods where they could uh actually be able to do online processing all the time and some of the weaknesses that are in these actual protocols that were exploited uh won't be able to be fully turned on for a couple years due to limitations on actual communication networks so but uh basically think of it as you know if one bad guy actually poisoned four
uh ATMs or point of sale systems they'd be able to uh relay those uh EMV transactions into the actual uh ATM so and here's the most likely method that the data gets sold uh so basically you have leased gear so there's people that would be mules for these
organizations and they would be you know installing these shimmers driving across the United States and then you have the uh fraudulent employees uh pretty much the same methods that they're using now uh you have the independent small breaches things like that where they're they're fed into a small Carter site and uh those were the ones where you know the smaller organizations where people are actually able you know there's like a five
person crew going around the United States you know cashing out that way so and when they have unused transactions they're actually able to pop them into the main Carter sites and that's kind of the same way it works now except for they're able to do it with these live EMV transactions and like it's saying it can't be held as static data it needs to be used within a certain time frame and uh it needs to match some of the
flags that it has coming over the top of it for when the uh a transaction's actually initiated so yeah and so basically this is what happens uh yeah some people ask me if it's actually cloning the card it's actually not it's uh what it is is it's basically intercepting after a certain portion uh initially it's just using the actual power
from the point of sale system and after that point uh once it gets the transaction actually started which I'll go through the actual uh process and then we'll get into the actual mechanics behind us and the actual uh shimmers so so basically it holds for round two uh once it's uh started the initial process it uses the power to actually power the
skimmer or the shimmer and the actual uh wireless inside the device so the actual stage one transaction once it's passed off to the ATM machine they just did the thirty eight dollar point of sale transaction and the uh fifteen hundred dollar ATM withdrawal happened without them even being the wiser and they didn't touch each other's limits because there's point of sale and ATM so and like I said this is not cloning the card
and uh there are four stages of the EMV transaction it's being released into the tunnel and it is literally imagine it as an extension to the actual ATM so uh the cache uh the cache root device uh basically regurgitates the exact same information that is sent from the shimmed point of sale system and I will go into a little bit more
detail about some of the ways to actually capture pins uh you guys have seen a lot of them in the wild um for example uh there's pin overlays I have a new one that's actually pretty pretty decent here so and uh the actual point of sale limit is shimmed and that won't uh count once again against the ATM limit so uh they actually have different
process portions that they're talking to about authentication so it's a little bit harder to catch some of these transactions also so and uh here's a a little bit of a pictures of some of the skimmers and shimmers that were uh caught in the wild the one up on the left actually was used for some downgrade attacks for some banks that had improperly uh integrated EMV and uh some of the other ones are some of the uh phone parts and things like that that I actually used to build some of the shimmers that I was
actually doing for my proof of concept so and yeah just your general point of sale system so and uh yeah cache out device stand alone so yeah uh this is meant to be like an auto service ATM it's supposed to be something that uh you know normally you wouldn't want it to fly out everywhere on the street but it's something where you would want to you know catch it and have it doing after hours if you're a bad person of
course and it's something that uh I uh the original concept that I had um was just like a huge fascia on the actual ATM and it would catch all the money and stuff but it's much better if it's just flying out of the bottom so and yeah and I'm gonna go into the actual cache out stand alone uh this is something that people were wondering about
because it's uh yeah there's foreign object detection on a lot of the new ones um I found several ways to actually deactivate a lot of that stuff and uh some of the newer devices uh inside the next generation ATMs so that's something that I'll go into a little bit more detail here and basically this is like the stand alone device you just literally need a cell phone and a or the bad guy only needs a cell phone and a credit
card that can impersonate some of the other EMV transactions so basically once this device is actually uh plugged into the machine it'll start replicating a lot of the information that they're getting from their blockchain so pretty much all they need is a password. So, and I'm gonna introduce LaCara which is uh roughly translated the face so
cause everything sounds more menacing in Spanish doesn't it so but yeah I know uh why would somebody want to automate something like this um yeah people are untrustable as you can see uh this was off of a couple guys Twitter feeds that got busted uh they were doing a cash out run yeah that's not uh conspicuous at all so yeah so the cash
out crews they were bragging about it on social media uh yeah when busted humans get busted they rat out and uh machines usually don't have Twitter accounts that's like one of the most positive things for the bad guys so and I wanted to go with the Def Con theme this year which was uh rise in the machines like immediately after Jeff told everybody what the theme was for the next year I was like I'm gonna make an ATM machine that can
do its own like fraud it'll be a beautiful thing so and uh yeah so going along with the theme uh like I was saying there is the stand alone which will be more practical and what I actually imagine the bad guys using in the wild so and Lecar does have its own Twitter account actually so and I was actually gonna broadcast the the uh uh
simulated and emulated uh banking back in transaction data I didn't have time to set all that up and I doubt that anyone would have watched a bunch of numbers fly across Twitter when I thought about it in hindsight so but yeah it would have shown a lot of how the staging works and uh how what'll happen if like two transactions are kicked into the blockchain how they take priority and a lot of that information so so yeah uh that
guy smiling like a child inside the reflection of that ATM screen is me uh that's last year after Def Con I actually bought an ATM machine started doing some research and uh everybody asks me including the press person who violently ripped the Lecar off there what's behind there and uh it's actually two Arduinos controlled by a Raspberry Pi
controlled by an Android so there's a lot of computer components and it's uh actually a bunch of servos uh that are entering the uh transaction amount so it'll say how much money it wants to take out it'll actually enter the pin number it'll accept it it'll say no receipt and then it'll go into the next transaction so there's a bunch of little baby robot
fingers inside there just pushing buttons and making money come out and the actual card is actually plugged into the Raspberry Pi and that does all the modulation and uh the actual data processing for the card so that's how the actual EMB card when it gets impersonated it needed something that's a little more beefy than an Arduino but as far as for
uh controlling the robot fingers that was pretty much uh what it came down to so and this could be a removable device like where if somebody didn't want to uh like I was saying they would most likely want to make it something that pops on quick that uh yeah is not made out of fiberglass in uh and I'm actually gonna go through some of the process of how yeah for some reason you know you send uh I have a couple buddies that
do 3D printing and you start sending them ATM parts and uh they quit answering your emails so so that's something where pretty much I was like okay I'm gonna do this the good old fashioned way you know like I used to do a lot of auto restoration when I was little how hard could this be so yeah I basically uh covered it in plastic made a buck mold and a plug mold and then I uh just put the you know fiberglass uh yeah the
fiberglass on the front of it and yeah this is actually nasty ATM is the name of that uh color of gray so and it could have been a little bit closer match but yeah you get the gist of it it's an out of service ATM it wouldn't rise any suspicion uh my actual branch ATM the bank that I work or the bank I don't work at a bank I work at Repet 7 but uh but the uh bank that I actually bank at uh their ATM was down for 2 days and I
was the first person to tell them so it's not something where out of service ATM will rise any suspicion so this is uh yeah so basically uh it's a Swiss army knife so this was one of the first keypads that I actually started training my Arduino system on so and uh yeah then I started um working into some of the more advanced methods like some
of the things that aren't even out yet and will only be integrated once the United States finally catches up to a lot of the other countries; they'll be able to turn on a lot of these mechanisms. Because I didn't want to just inject magnetic card data using like a MagSpoof, like Samy Kamkar has. That's an amazing device, and that man is a brilliant genius, I just want to give him props. I do use MagSpoof on this one and several other ones. And there's one up in the corner; they're basically a little thing that can speak to the magnetic heads in the readers, but it's a very, very cool video to watch if you guys haven't seen it yet. But basically, one of the other devices I started out with, just to see if this was possible, you know, because it's one thing if it's a theory, and it's another thing when you can actually do it, and it's another thing when you're able to do it wirelessly in a room, and it's another thing when you can bounce it off of a VPS up in Toronto. So like that kind of latency compared to what's in a room and what's actually allowed by the standards, they actually planned for a lot of that stuff to actually be stopped. But yeah, building your own banking back end. So a lot of the actual systems, like I was saying, there's been, since the, I
think it's the 17th or the 27th of last month, I've been doing a lot of these transactions, and they're actually doing EMV transactions. Like I said, there's 15 bank financial institutions and it's over 150,000 bank accounts, so those all are signed with card stock, and they actually have like a physical attachment to them. So anytime that a card is simulated into the reader, it's gonna check with the bank the exact same way the real networks would; it's gonna flag it for fraud. Like I was saying, when I had 150 accounts, after 7 accounts I got flagged for fraud because it was unusual suspicion, and it was some of the natural settings on the banking network, but now that I have 150,000 accounts it opened up to a lot more attacks, since I was gonna be doing several demos. And, like I was saying, each one of these is signed with DES keys, so say for example if I get flagged for fraud, this will kick me off of my gateway processor and I won't be able to talk to my bank accounts, so I will end the demo. And I wanted to make it a little more real world, because I just didn't want it to be like a bad simulation; like this one actually has some of the field information where you can actually set some of the flags, and it initiates the risk just like it would with any other transaction. And the skimmer is generated... it's generating everything it's signing on with. So here's the EMV transaction.
This is in a nutshell; it literally took 1438 pages for me to fully understand it, so this is my two PowerPoint presentation example of that. It's basically gonna be: the card is read by a point-of-sale terminal, talks to the acquirer, which talks to the bank, and that's validating that the card's legitimate, that the bank accounts are legitimate, and that the device, the point-of-sale system or the actual ATM system, is actually allowed on the network. So all that process is going on in the actual transaction, and basically on step two is when this actual attack happens: it gets passed off, as you can see in that little green area there, it's actually getting passed off to the ATM machine here. So imagine there should be technically about 3.1 transactions getting shot at this ATM every time, because of the size of the network and the blockchain; it is the only cash-out device on the blockchain, so it takes priority, and it should be getting non-stop transactions after I pop on the actual La-Cara system. And how will you capture the PIN? You have the chip, that's like one
thing, that's half the battle. I was looking into some of the actual features for some of the next generation ATMs, and they can actually change the PIN on the fly, and some of them are unencoded or actually unencrypted. So there's the methods of the past: there's the pinhole cameras that have been around for literally probably 12 or 13 years; there's the PIN overlays, you'd be able to automate that kind of the same way as the actual version that I'm simulating. The actual PIN numbers here is based on OpenCV, which I will go into in a second here. And unencrypted PIN traces: so if it's actually reading straight mechanical data, it'll be able to grab the PINs that way also. And this is actually the method that I came up with, because I was like, I want a way to 100% automate it. So I actually got a keypad and I sprayed some 3M glue on it and then I put a bunch of iron oxide, like very small pieces of metal, because I wanted to be able to get past the foreign object detection, you know, in this simulation. So that's something where I basically put a little radio on the bottom of it and went through the actual key cycles, and it actually basically has a different peak for each one of the keys. Threw it into OpenCV and now it's watching for those peaks, and depending on the actual peak and the pitch on the peaks, it'll actually tell you basically what key was pushed. So that was kind of like, you know, in addition to some of the overlays, which would be automatable, it was something else that I kind of wanted,
going to other ways of PIN capturing, and that one was one that I hadn't seen before. And I loved playing with software defined radios; I got an Edison 210 at the beginning, like right around Christmas time, and I felt like an 11-year-old again. So if you guys aren't playing with software defined radios, you definitely should be; they're amazingly fun. And aside from probing some of the networks, they're actually going to go into the actual network and card settings. Like I said, they're collecting tons of data; the bad guys are actually collecting, you know, what flags are set, what limitations per country, what the actual attack surface will be once the actual mag stripe data dries up. And this is kind of the direction that I saw the bad guys going with this. And branch ATMs versus on-network ATMs: anybody who's ever, you know, tried to get $500 and had to do it in two transactions, that's an off-network ATM; they like to get some of the extra fees, it's just a little bit more risky, so they break them down into several transactions. And the on-branch ones are like the actual ones that are inside of the actual banks and stuff like that, and personally I think I've taken out like... you might have to adjust your point-of-sale limit, but you can take up to like two, three thousand dollars at a time from some of them, depending on your years with your bank and things like that. But some of the off-branch ones are obviously not the ones that would be attacked. And also, that was one of the first things I did after I bought my ATM, is I actually
converted it to EMV, so that is one of the only modifications done to the actual circuit board: it has the more advanced firmware that can handle the EMV compared to the actual old credit cards. And Chinese and Japanese ATMs, they literally have like ten thousand dollar limits in some cases. So there are, I forgot what the actual number was, but it was several hundred across the world that actually have ten thousand dollar plus limits, and they are in limited portions, but most of them are in Japan and China. And as 2017 is coming around, shimming of point-of-sale systems: obviously they're gonna go for things that don't have a lot of the foreign object detection; that's something where it'll put an end to a lot of that. So habits of putting EMV in early: like, if it doesn't have that piece of paper, that whatever they put on it, like, you know, "don't stick card in, no chip" or whatever, like we put our card in there and it literally takes almost an eternity, is what it feels like. So that's one of the things where we want it to be uninterrupted, and you can basically take your point-of-sale limits, and it's gonna be one of their favorite things to actually most likely do, the same way that they do now; like a majority of the actual cards that were skimmed are from the actual gas pumps. So I would just like to give special thanks before I
kick off the demo, and then I will answer some questions if anybody has questions, which they should have a lot of them. So I'm gonna give a shout out to my wife, my kids, Jesus, Barnaby Jack, Samy Kamkar, a ton of the Cambridge guys, they did a really, really good job. I got a lot of buddies with some of the Arduino issues; I like to nest code sometimes and they helped me fix it. And I'm gonna go over the transaction, because I am eighteen hundred dollars short from my Black Hat demo. As you can see on the bottom, Benjamin Franklin is puckered, puckered lips, so it is not real money. And basically what I'm gonna go through: this thing is loaded at fifty thousand dollars in... it's not fake money, it's not fraudulent money, it's actual "for motion picture use" and it has it written all over it. I mean, it looks pretty good from ten feet or from wherever you're sitting in the crowd, but you can tell it from the bill on top it's not real. And it's gonna grab the PAN number and the BIN number and actually go off if it's a five to nine hundred dollar per transaction. So it's gonna most likely go anywhere from zero to sixty transactions before it's actually either shut down for fraud or runs out of money. And the transaction time is gonna take about eighteen seconds. I'm gonna kick off the demo here and I will start answering questions. And it's gonna enter the PIN, and basically with the Arduino I needed to get it to a known state, so I need to make sure that it's on the right screen, and then I can kick it off and it'll actually start pumping transactions, and it'll pump out
different, based on the actual account number that comes into it, it'll actually pop out a different set of money. And hopefully I don't fall off stage. So, clear jackpot number, so, woo. And I was scared my ATM demo was gonna blow up, and the AV stuff went crazy there at the beginning, but as you can hear, it sounds like rattlesnakes; those are little Arduino servos actually entering the PIN number. And hopefully the money is coming out good. But does anybody have any questions? If you want, you come up to the microphones. Some of this is very, very ridiculous and you have to read about fourteen hundred pages of some stuff, but I will explain it to the best of my ability if anybody has any questions. I'll also be on stage. I just want to thank you all for coming.
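The authorization chain the talk sketches (card, terminal, acquirer, issuer) and the fraud flag the speaker says the network raised after seven test accounts are where a defender actually sees an automated cash-out: one terminal ID, many different cards, withdrawals of a few hundred dollars every eighteen seconds or so. The following is an added example, not code from the talk or from the La-Cara device, of an acquirer- or issuer-side velocity monitor that trips on exactly that pattern. The record layout, terminal IDs, thresholds, window sizes and the sample traffic are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class AuthRequest:
    """One withdrawal authorization as the acquirer/issuer sees it (constructed shape)."""
    terminal_id: str
    pan: str
    amount: float
    ts: datetime


def pan_token(pan: str) -> str:
    # Monitoring state keeps a keyed digest of the PAN, never the PAN itself.
    # The key is a hard-coded demo value; a real deployment keeps it in an HSM.
    return hashlib.sha256(b"demo-key:" + pan.encode()).hexdigest()[:16]


class TerminalVelocityMonitor:
    """Flags a terminal whose recent traffic looks like an automated cash-out.

    Two signals, each evaluated per terminal over a sliding window:
      * distinct-card-velocity: more than `max_distinct_cards` different PANs
      * machine-cadence: the last `cadence_run` inter-arrival gaps all lie in
        [min_gap, max_gap] and differ from each other by at most `jitter`
    All thresholds are assumptions chosen for this example.
    """

    def __init__(self, window=timedelta(minutes=10), max_distinct_cards=7,
                 min_gap=timedelta(seconds=10), max_gap=timedelta(seconds=40),
                 jitter=timedelta(seconds=3), cadence_run=5):
        self.window = window
        self.max_distinct_cards = max_distinct_cards
        self.min_gap, self.max_gap, self.jitter = min_gap, max_gap, jitter
        self.cadence_run = cadence_run
        self._events = defaultdict(deque)  # terminal_id -> deque[(ts, token)]

    def observe(self, req: AuthRequest) -> dict:
        """Record one request; return {reason_code: detail} for anything tripped."""
        q = self._events[req.terminal_id]
        q.append((req.ts, pan_token(req.pan)))
        cutoff = req.ts - self.window
        while q and q[0][0] < cutoff:  # drop events that fell out of the window
            q.popleft()

        reasons = {}
        distinct = {tok for _, tok in q}
        if len(distinct) > self.max_distinct_cards:
            reasons["distinct-card-velocity"] = (
                f"{len(distinct)} distinct cards within {self.window}")

        stamps = [ts for ts, _ in q]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])][-self.cadence_run:]
        if (len(gaps) == self.cadence_run
                and all(self.min_gap <= g <= self.max_gap for g in gaps)
                and max(gaps) - min(gaps) <= self.jitter):
            reasons["machine-cadence"] = (
                f"{self.cadence_run} consecutive gaps of about {gaps[-1]}")
        return reasons


def replay(requests) -> dict:
    """Run a request stream through a fresh monitor; map terminal -> set of reason codes."""
    mon = TerminalVelocityMonitor()
    tripped = defaultdict(set)
    for r in requests:
        for code in mon.observe(r):
            tripped[r.terminal_id].add(code)
    return dict(tripped)


def sample_stream():
    """Constructed traffic: a normal branch ATM and a terminal under automated cash-out."""
    t0 = datetime(2016, 8, 5, 10, 0, 0)
    normal = [AuthRequest("ATM-BRANCH-01", f"400000000000{i:04d}", 200.0,
                          t0 + timedelta(minutes=4 * i)) for i in range(3)]
    # Nine different cards, one every 18 seconds, $500-$900 each.
    burst = [AuthRequest("ATM-LOBBY-07", f"510000000000{i:04d}", 500.0 + 50 * i,
                         t0 + timedelta(seconds=18 * i)) for i in range(9)]
    return sorted(normal + burst, key=lambda r: r.ts)


if __name__ == "__main__":
    for terminal, codes in replay(sample_stream()).items():
        print(terminal, "->", ", ".join(sorted(codes)))
```

The cadence check trips first (after six evenly spaced withdrawals), before the distinct-card count does, so a terminal running at the rhythm described in the talk is caught even if the operator keeps the card count below the velocity limit; the distinct-card check covers the case where the cadence is randomized. Either hit is a reason to hold authorizations for that terminal and dispatch someone to look at the fascia.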