Zero Day

Ryan Naraine and Dancho Danchev

Black Hat, Day 1: Cracking GSM and skimming ATMs

By Nathan McFeters | February 20, 2008, 5:40pm PST

Day 1 at Black Hat brought some outstanding talks. The day started with David Hulton (aka h1kari, also the organizer of ToorCon) and Steve from THC presenting “Cracking GSM”. It was especially interesting because of David's tie-in with Pico Computing and their use of FPGAs (Field Programmable Gate Arrays).

In short, they captured GSM traffic, the traffic most of our cell phones carry, and decrypted it. The A5/1 cipher that protects the GSM air interface had been reverse-engineered and published years earlier; what this talk added was the attack engineering, using FPGAs to do the heavy computation behind key recovery and speeding the whole process up by an enormous factor. I don't have the exact numbers, but let's just say it went from practically impossible to potentially done in 30 seconds. As always, David is brilliant. The talk, while complex, was easy to follow, and the audience asked some great questions.
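As an added example, not code from the talk or from this post, here is a compact A5/1 implementation in C showing what the FPGA work is accelerating. A5/1 is the stream cipher GSM uses on the air interface; the register widths, taps, clocking rule and the test vector below follow the reference code published when the cipher was reverse-engineered in 1999, and the function names are mine. The point to notice is that the entire secret state is 64 bits (19 + 22 + 23), so a precomputed table mapping observed keystream back to internal state is feasible, and keystream is observable whenever the plaintext of a burst is known.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register widths, clocking bits, feedback taps and output bits of A5/1,
 * with the bit numbering used by the 1999 a5.c reference implementation. */
#define R1MASK 0x07FFFFu  /* R1: 19 bits */
#define R2MASK 0x3FFFFFu  /* R2: 22 bits */
#define R3MASK 0x7FFFFFu  /* R3: 23 bits */
#define R1MID  0x000100u  /* clocking bit 8  */
#define R2MID  0x000400u  /* clocking bit 10 */
#define R3MID  0x000400u  /* clocking bit 10 */
#define R1TAPS 0x072000u  /* bits 18,17,16,13 */
#define R2TAPS 0x300000u  /* bits 21,20 */
#define R3TAPS 0x700080u  /* bits 22,21,20,7 */
#define R1OUT  0x040000u  /* bit 18 */
#define R2OUT  0x200000u  /* bit 21 */
#define R3OUT  0x400000u  /* bit 22 */

/* The entire secret state is 19+22+23 = 64 bits; that is what a
 * precomputed table maps observed keystream back to. */
typedef struct { uint32_t r1, r2, r3; } a51_state;

static uint32_t parity(uint32_t x) {
    x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return x & 1u;
}

/* Shift one LFSR left by one, feeding back the parity of its taps. */
static uint32_t clock_one(uint32_t reg, uint32_t mask, uint32_t taps) {
    return ((reg << 1) & mask) | parity(reg & taps);
}

/* Majority clocking: a register steps only if its clocking bit agrees
 * with the majority of the three clocking bits. */
static void clock_majority(a51_state *s) {
    uint32_t c1 = (s->r1 & R1MID) != 0, c2 = (s->r2 & R2MID) != 0, c3 = (s->r3 & R3MID) != 0;
    uint32_t maj = (c1 + c2 + c3) >= 2;
    if (c1 == maj) s->r1 = clock_one(s->r1, R1MASK, R1TAPS);
    if (c2 == maj) s->r2 = clock_one(s->r2, R2MASK, R2TAPS);
    if (c3 == maj) s->r3 = clock_one(s->r3, R3MASK, R3TAPS);
}

/* Regular clocking of all three registers, used only while loading. */
static void clock_all(a51_state *s) {
    s->r1 = clock_one(s->r1, R1MASK, R1TAPS);
    s->r2 = clock_one(s->r2, R2MASK, R2TAPS);
    s->r3 = clock_one(s->r3, R3MASK, R3TAPS);
}

static uint32_t output_bit(const a51_state *s) {
    return parity(s->r1 & R1OUT) ^ parity(s->r2 & R2OUT) ^ parity(s->r3 & R3OUT);
}

/* Load the 64-bit session key Kc and the 22-bit frame number, then mix. */
void a51_setup(a51_state *s, const uint8_t key[8], uint32_t frame) {
    s->r1 = s->r2 = s->r3 = 0;
    for (int i = 0; i < 64; i++) {
        clock_all(s);
        uint32_t kb = (key[i / 8] >> (i & 7)) & 1u;
        s->r1 ^= kb; s->r2 ^= kb; s->r3 ^= kb;
    }
    for (int i = 0; i < 22; i++) {
        clock_all(s);
        uint32_t fb = (frame >> i) & 1u;
        s->r1 ^= fb; s->r2 ^= fb; s->r3 ^= fb;
    }
    for (int i = 0; i < 100; i++) clock_majority(s);  /* output discarded */
}

/* Generate the 114-bit downlink and 114-bit uplink keystream bursts for one
 * frame, packed MSB-first into 15 bytes each (last byte holds 2 bits). */
void a51_keystream(a51_state *s, uint8_t dl[15], uint8_t ul[15]) {
    memset(dl, 0, 15);
    memset(ul, 0, 15);
    for (int i = 0; i < 114; i++) {
        clock_majority(s);
        dl[i / 8] |= (uint8_t)(output_bit(s) << (7 - (i & 7)));
    }
    for (int i = 0; i < 114; i++) {
        clock_majority(s);
        ul[i / 8] |= (uint8_t)(output_bit(s) << (7 - (i & 7)));
    }
}

/* Known plaintext: XOR of ciphertext and plaintext is the keystream that a
 * precomputed table lookup is keyed on. */
void recover_keystream(const uint8_t *ct, const uint8_t *pt, uint8_t *ks, size_t n) {
    for (size_t i = 0; i < n; i++) ks[i] = ct[i] ^ pt[i];
}

/* Check against the test vector shipped with the 1999 reference code. */
int a51_selftest(void) {
    static const uint8_t key[8] = {0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
    static const uint8_t want_dl[15] = {0x53, 0x4E, 0xAA, 0x58, 0x2F, 0xE8, 0x15, 0x1A,
                                        0xB6, 0xE1, 0x85, 0x5A, 0x72, 0x8C, 0x00};
    static const uint8_t want_ul[15] = {0x24, 0xFD, 0x35, 0xA3, 0x5D, 0x5F, 0xB6, 0x52,
                                        0x6D, 0x32, 0xF9, 0x06, 0xDF, 0x1A, 0xC0};
    a51_state s;
    uint8_t dl[15], ul[15];
    a51_setup(&s, key, 0x134);
    a51_keystream(&s, dl, ul);
    return memcmp(dl, want_dl, 15) == 0 && memcmp(ul, want_ul, 15) == 0;
}

int main(void) {
    int ok = a51_selftest();
    printf("A5/1 self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Compile with `cc -O2 a51.c -o a51 && ./a51`. The only expensive part of the real attack is the table that maps keystream to state; generating it means running this generator from billions of start states, which is exactly the embarrassingly parallel job an FPGA farm is good at.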

The next talk I watched was a presentation by my good friends Billy Rios and Nitesh Dhanjani called “Bad Sushi”. This was the best talk of the whole day: completely unique and untouched by previous research. They tracked down phishers and painted a picture of the ecosystem and economy that drives phishing. The lack of sophistication in the majority of these attacks is unbelievable, yet they are still so successful. This runs contrary to the corporate belief that phishers are elite hackers with hardcore ninja skills. They also covered ATM skimming, whereby criminals retrofit ATMs with their own hardware that captures card swipes and PIN entries while the original ATM keeps working normally, so the victim sees nothing wrong. This was unbelievable to see, and I honestly believe I'll never use an ATM again. Also of note: phishing itself is not really the major concern; identity theft is, and the people exploiting it are using any means possible.
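To make concrete what a skimmer's swipe capture contains, here is an added example (not code from the talk or the post) that parses ISO 7813 track 2, the stripe track ATMs read, runs the Luhn check on the account number and looks at the service code, whose first digit (2 or 6) says a chip is present. The sample swipe is constructed from a well-known test PAN, not real card data, and the function names and the 12-digit minimum PAN length are my choices. The PIN is not on the stripe, which is why a skimmer is paired with a PIN-pad overlay or a camera.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fields of an ISO 7813 track 2 record as a skimmer would capture them. */
typedef struct {
    char pan[20];          /* primary account number, up to 19 digits */
    char expiry[5];        /* YYMM */
    char service_code[4];  /* three digits */
    bool luhn_ok;
} track2;

/* Luhn (mod 10) check digit validation over a digit string. */
bool luhn_valid(const char *digits) {
    size_t n = strlen(digits);
    int sum = 0, dbl = 0;
    if (n == 0) return false;
    for (size_t i = n; i-- > 0;) {
        if (!isdigit((unsigned char)digits[i])) return false;
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Parse ';' PAN '=' YYMM service-code discretionary-data '?'.
 * The 12-digit minimum PAN length is a sanity check chosen for this example. */
bool parse_track2(const char *raw, track2 *out) {
    memset(out, 0, sizeof *out);
    if (raw == NULL || raw[0] != ';') return false;
    const char *p = raw + 1;
    size_t i = 0;
    while (isdigit((unsigned char)*p)) {
        if (i >= 19) return false;
        out->pan[i++] = *p++;
    }
    if (i < 12 || *p != '=') return false;
    p++;
    for (int k = 0; k < 4; k++) {
        if (!isdigit((unsigned char)p[k])) return false;
        out->expiry[k] = p[k];
    }
    p += 4;
    for (int k = 0; k < 3; k++) {
        if (!isdigit((unsigned char)p[k])) return false;
        out->service_code[k] = p[k];
    }
    p += 3;
    if (strchr(p, '?') == NULL) return false;  /* end sentinel required */
    out->luhn_ok = luhn_valid(out->pan);
    return true;
}

/* Service code first digit 2 or 6 means an EMV chip is present. A terminal
 * that honours it is expected to use the chip rather than the stripe, so a
 * cloned stripe is worth less wherever that rule is enforced. */
bool chip_present(const track2 *t) {
    return t->service_code[0] == '2' || t->service_code[0] == '6';
}

/* Mask a PAN for logs: keep the first six and last four digits only. */
bool mask_pan(const char *pan, char *out, size_t outlen) {
    size_t n = strlen(pan);
    if (n < 10 || outlen <= n) return false;
    for (size_t i = 0; i < n; i++) out[i] = (i < 6 || i >= n - 4) ? pan[i] : '*';
    out[n] = '\0';
    return true;
}

int main(void) {
    /* Constructed sample swipe using a well-known test PAN, not real data. */
    const char *swipe = ";4111111111111111=2512201123456789?";
    track2 t;
    char masked[32];
    if (!parse_track2(swipe, &t)) { puts("unparseable"); return 1; }
    mask_pan(t.pan, masked, sizeof masked);
    printf("PAN %s expiry %s service %s luhn=%d chip=%d\n",
           masked, t.expiry, t.service_code, t.luhn_ok, chip_present(&t));
    return 0;
}
```

Everything the parser recovers is exactly what a cloned card needs, which is the point the talk made; the same parser, with `mask_pan`, is what you would run over a seized skimmer's storage or a suspicious exfiltration file during incident response.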

Rob Carter and I followed “Bad Sushi” with our talk on “URI Use and Abuse”: more of the research you've seen us talk about over the last year, with a fresh set of vulnerabilities including a format string flaw in Mac OS X. I won't elaborate much or toot my own horn, but the talk went really well and the audience seemed entertained and engaged. I can't begin to say how much of an honor it was to speak at Black Hat again. I remember saying when I was younger, right after watching David Litchfield present at my first ever Black Hat, that if I ever spoke at Black Hat I'd know I had made it in the security world. Today we delivered our presentation while Litchfield was in the next room talking about Oracle security, a bit of a surreal experience.
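The post gives no details of the Mac OS X format string flaw, so the following is a generic illustration of the bug class, added here and not the vulnerability from the talk; the scheme name and function names are hypothetical. A URI handler receives an attacker-chosen string (any web page can launch a registered scheme), and the bug is passing that string to a printf-family function as the format. Percent-encoding makes this class especially reachable from a URI, since every `%xx` escape is also a conversion directive. The demo uses only `%%` so that the behaviour difference is defined and visible; in a real exploit `%x` reads and `%n` writes memory.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the attacker-controlled URI is used as the format string.
 * Any '%' in the URI becomes a conversion directive: "%x" reads values off
 * the stack, "%n" writes to memory. Only "%%" is used in the demo so the
 * behaviour stays defined. The pragma silences the compiler warning that
 * would normally flag exactly this bug. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_uri_unsafe(char *out, size_t outlen, const char *uri) {
    return snprintf(out, outlen, uri);
}
#pragma GCC diagnostic pop

/* FIXED: constant format; the URI only ever travels as an argument. */
int log_uri_safe(char *out, size_t outlen, const char *uri) {
    return snprintf(out, outlen, "%s", uri);
}

/* Count the conversion directives an untrusted string would introduce if
 * it were misused as a format: a '%' not followed by '%'. Useful as a
 * heuristic when reviewing URI-handler logs or fuzzing a handler. */
size_t count_format_directives(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* literal percent sign */
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed URI as a hostile web page might launch it through the
     * registered scheme handler (the "myapp" scheme is hypothetical). */
    const char *uri = "myapp://open?file=report%%20final.txt&q=%%41";
    char buf[256];
    log_uri_unsafe(buf, sizeof buf, uri);
    printf("unsafe : %s\n", buf);   /* every "%%" collapsed to "%" */
    log_uri_safe(buf, sizeof buf, uri);
    printf("safe   : %s\n", buf);   /* URI preserved byte for byte */
    printf("directives in hostile input: %zu\n",
           count_format_directives("myapp://open?q=%x%x%x%n"));
    return 0;
}
```

Build with `cc -Wall -Wformat-security uri_fmt.c -o uri_fmt`; without the pragma the compiler's own `-Wformat-security` warning points at the vulnerable line, which is the cheapest check you can add to a handler's build.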

That’s all for today and I’m off to the bar to celebrate a great day!

Disclosure

Nathan McFeters

Biography

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios.

Talkback (most recent of 36)

  • Congrats to you George.
    It sounds like those would have been some interesting talks. I would have loved to have been there, especially for those two. Good job then, to you two for being right up there with the big boys. Again, congrats to you George for achieving one of your goals in life. -d
    dawgit
    02/21/2008 06:47 AM
  • fireman949
    02/21/2008 08:31 AM
  • I see that now...
    You are correct, thanks for pointing that out to me. Well, my earlier 'Congrats' went to the wrong person.
    I hope he (the right guy, this time) gets it. It was a good article IMHO, so I hope he keeps writing them. -d
    edited to ask: what did they do to 'edit'?
    dawgit
    02/21/2008 10:10 AM
  • RE: Black Hat, Day 1: Cracking GSM and skimming ATMs
    This was a great story. I just love it. Keep up the great work.
    MrT8970@...
    02/21/2008 07:29 AM
  • Retrofitting ATMs
    I'm not surprised that someone could redesign ATM hardware and software to capture card swipes and pin entries. What would be of more interest is how hard or easy is it to circumvent the hardware security to replace the legit ATM with the bogus one, what means exist for a financial institution to query the hardware for legitimacy, and how hard is it to detect by either the remote financial institution or the person who comes out to service the machine?
    Dr_Zinj
    02/21/2008 08:06 AM
  • Oh dear!
    In most of the world this has already been done to ATMs.
    One case involved using a stolen ATM in a fake bank which actually gave money when the customer asked for it while taking all the required information. The customers had no clue whatsoever that this was taking place.
    A more common occurrence is a small device mounted to the card reader slot that reads the card details while a remote camera inside the kiosk takes sneak peeks at your keystrokes.
    Most ATMs in Europe already carry warnings not to use the ATM if you suspect it looks different from the ordinary. Many ATMs have a plastic see-through device that prevents the installation of such a piggy-back reader device. Also, the cards in most ATMs are now fed and ejected very slowly to prevent such devices from reading the MCR tracks.
    jsargent
    02/21/2008 09:13 AM
  • I saw this nearly five years ago...
    I used to work at the Royal Bank of Scotland in London and there was a fake ATM in a shopping mall nearby - it took your card, let you enter your PIN and then told you that the service was currently unavailable... The only reason it was found out was that one of the guys responsible for the ATM network saw an out of date screen on it!
    Wallsy
    02/21/2008 09:07 PM
  • Card Duplication
    AFAIK

    If the entire swipe is recorded... It is an easy matter to take any mag stripe card and write the information back to it.

    No logo required just the PIN and Mag Stripe Info...

    This is why we will probably be forced to Smart Cards and BioMetrics

    Of course then the really innovative thieves will just cut your finger off!

    Mike Sr.
    madrucke@...
    02/21/2008 09:45 AM
  • true
    exactly true. There is a show on truTV (formerly CourtTV) called "The Real Hustle" where a group of hustlers did exactly this stunt. They wrote the information onto a standard hotel keycard and successfully used it in the ATM.
    brandon@...
    02/21/2008 09:51 AM
  • That's not really new...
    In fact, the article makes it appear to be easier. What used to be done was to catch one just as it was going on-line (with a dial-up connection, still in use in too many places) and just 'listen in'. VPN makes that a little harder. But not hard enough, it seems.
    dawgit
    02/21/2008 10:15 AM
  • wha
    Why would you service a machine that has no money in it and is only capturing PIN and card information?

    You could take everyone's money and buy a new machine while probably still making a profit. The machine could just be considered expendable.

    Lauren
    lauren.glenn@...
    03/03/2008 08:24 PM
  • This isn't new...
    Basically you just put a "faceplate" card reader in front of the other card reader and it reads the info. I read about this back in 2004.

    I'm not sure how they would do the PIN capture unless they did another faceplate on it.

    Then they can retrieve the data at their leisure and boom! All of a sudden, your account is empty.

    So if you find that the ATM you normally use suddenly looks different, make sure it was actually upgraded BY THE BANK.
    alphawiz
    02/21/2008 08:42 AM
  • No, they don't need another face plate
    Just some sort of visual recording of you entering your PIN, either a camera on the ATM or somewhere close by.
    thespasticone
    02/21/2008 09:17 AM
  • They usually add a faceplate that has an extra reader for the magnetic stripe.
    However, the battle is not completely lost yet.
    In some places in Europe the banks installed secret pinhole cameras to catch the action of fitting the reader. They then get the police to track them and catch them as they withdraw cash from someone's bank account.
    Pretty quick and VERY efficient.
    hkommedal
    02/21/2008 09:48 AM
  • how to capture PIN
    The PIN is captured by a tiny integrated camera aimed at the PIN pad on the ATM. Refer to my 'true' post about me seeing this stunt pulled on a "reality"-like show on truTV.
    brandon@...
    02/21/2008 09:55 AM
