26 comments

[ 3.0 ms ] story [ 96.4 ms ] thread
My advice to people visiting Mexico regarding ATMs is to try to use one at an actual bank location, or at least operated by a major bank. Even in the US I'm skeptical of third party ATMs.
I had some suspicions that the previous installment was a fabricated story, and after correspondence with the author my suspicions were confirmed to my satisfaction: that this entire adventure is an out and out fabrication.

I am reading Part 2 with great interest to see if it could easily be fabricated or if it includes any evidence not trivially produced. In fact, (I am not done reading), Part 2 confirms my suspicions:

To wit, any normal person returning to Marriott CasaMagna and documenting his adventures would have felt great satisfaction to see the ATM unplugged in response to his complaints, and taken a trophy photo. This journalist did not. (Because the entire story is fabricated, at no point were the ATM's unplugged.)

You heard it here, folks. This entire adventure is fabricated. My correspondence with the author confirms this to my satisfaction. (You can also see my previous comments for what initially raised my suspicions.)

It's still crazy to me that they left the BLE devices transmitting (and all the same name!) rather than one of:

a) Don't set the name.

b) Trigger advertising when you type in a specific pin.

c) Use a custom radio protocol (much easier than you'd think - you could even use a pre-written one like Nordic's Gazell).

Its most likely a massive operation spanning few cities (if not countries), you dont want to provide IT support for random lowlifes employed by the gangs, this forces you to standardize on something every smartphone is capable of doing, and simplifying the process to the point of click for bacon.
I wonder what other protocols you could use. Perhaps a WiFi system that looks for a WiFi hotspot with a specific name (easy to do on most smartphones) which then connects automatically? Or just instruct your goons to set their phone's bluetooth name to a particular value and then initiate a bluetooth send to any phones with that name.
Keying in a specific pin might actually be an incriminating and video-recorded action, so while it would probably make a compromised ATM harder to spot, it would be risky. Passing by with no physical contact is less incriminating, even if it does become suspicious.
Well, now that Mexican cartel hackers are reading your comment, we can expect - in a years time or so - an equivalent HN article along the lines of "Mexican ATM's are the most sophisticated phishing system on the planet".

I'll be here to read it when it happens.

I just don't think there was a reason not to. Obviously these skimmers have been completely successful and I doubt even Krebs could make a dent in that.
You can't operate a network of ATM skimmers across this large an area without the police in your pocket. They were probably just using cheap, mass-produced skimmer tech from China; doing much more just costs more and makes it more complex.

Besides, why should they care? That area of Mexico is incredibly violent; nobody would dare fuck with the cartels' money because they kill for far less than that. Krebs had better watch his back on this one; the cartels have a long history of murdering journalists who expose their activities.

That area of Mexico being the Yucatan coast, it's not known for recent incredible violence or cartel activity. It's pretty quiet since the country and region are pushing the Maya Rivera as a safe tourist destination.
Quintana Roo is also where drugs come in and out of Mexico from the Caribbean and narco-states like Venezuela (they travel over water into Mexico where they are shipped over land along established trafficking routes to the US). The tourist areas stay pretty quiet because the cartels own most of the resorts so it would just be bad business. But Cancun (the town a mile inland, not the tourist area on the water) is a very violent place where a number of mayors, reporters and even a Mexican army general leading anti-trafficking efforts have been murdered in the last 5 years.

It's only quiet because both the cartels and the government have a vested interest in keeping the violence out of the media (they have intimidated and killed journalists to keep them from reporting on cartel violence in the area). But make no mistake, the cartels own the area and I wouldn't go sticking my nose in anything illegal, even as a reporter. The police are more likely to work for the cartels than they are the government.

To the guy with the throwaway account who seems on a mission to discredit Krebs and this story (with as little evidence as you would expect), please stop. Your comments are ridiculous.

As for the series, it's fantastic. I've always enjoyed Kreb's writing but never shared his fascination with skimmers, I always thought it was kind of niche and not really much of a big deal. Seems it's a lot more widespread than people think.

(not the same throwaway you are referring to :)

I enjoy Krebs's writing, but to be honest I was underwhelmed by this. Based on the buildup in the first part I expected some insights into the workings of the skimmer group in the second one, but really it could have been summed up as "I walked along the tourist places in Mexico and found a bunch of skimmers of the type I described in the first part."

Still interesting to see how widespread it is. I can only assume the next version will use a custom RF protocol or somehow hide the beacon unless provided with the right challenge from the phone.

I didn't find the followup to be particularly enlightening. Basically, tl;dr: don't use an ATM in Mexico, you'll regret it. They're all hacked.
(This throwaway account is hellbanned at the moment, so only someone with showdead on would see it.)

I actually have no beef at all with Krebs. I personally simply found it very unlikely that the configuration he showed in https://www.youtube.com/watch?v=Pi6y2soOp8Y&t=3m30s (after sighing and clearing his throat, at the place I linked, before starting on his explanation), in that configuration, nestled between two PCB's, would be seen by the phone from the distance at https://www.youtube.com/watch?v=Pi6y2soOp8Y&t=4m45s - it's outside class 2 bluetooth range (most phones are class 2) and class 1 chips usually even have an external antenna. PCB's like what the chip is sandwiched between are highly attenuating; but both signals show up at once, from an implausible distance, from inside an enclosure (the ATM) that is not designed to transmit well at all.

I have many other specific reasons that confirm my suspicion, including in the video included in the present installment. To me it is completely obvious. (I also did a very light investigation in a brief email exchange with the author.)

But just make a mental note of this throwaway, maybe in a few years someone else will pubicly discredit him. (I have no intention of doing so.)

In the meantime, sure, he reads a forum where he realized spammers are planning to send him cocaine in the mail and SWAT his house, and averted it just in time.

If you would like the other reasons I'm quite sure, then, you can reply with a brief comment and I can email you (you have your profile information linked.)

It's obviously quite an egregious case of journalistic fraud if true, but there have been bigger ones. I have no beef with the guy, except that I don't find his story credible. I'm not on a mission to discredit him.

Here is my take on it - I'm skeptical. Sure I'll believe that a number of ATMs are compromised. But it seems like every ATM he walked up to was broadcasting this. To me this seems like an, arguably exploitable, maintenance tool than a ring of ATM thieves. Free2Move appears to be a standard tool for serial over bluetooth [1].

He can't possibly be the first and only person to find this - so I attempted to google "free2move atm" and only his article shows up (about skimming).

I'm not saying this is a fake article - but to me seems amateuristic for someone of his stature. I would have expected he would work with at least one authority figure to show that without a doubt an ATM is compromised - along with a tear down of the device.

Also I'm not sure how I feel about him convincing people not to use an ATM that may or may not be compromised. If he did believe 100% it was compromised he should have talked to someone in management to have the ATM unplugged and serviced (that would make for an interesting article to see if they actually take him seriously and not just plug it back in when he leaves).

My two cents...

[1] http://www.amazon.co.uk/Cablematic-Free2Move-Bluetooth-Seria...

read the article. He did talk to people "in management" at a couple of places and only one took the suspect ATM offline.

demanding that he "work with at least one authority figure" is a bit naive in Mexico.

Only if you're not from Mexico and realized that their banking industry is robust and well regulated...
> read the article. He did talk to people "in management" at a couple of places and only one took the suspect ATM offline.

I don't think we read the same article. Maybe in the first one he did - but in the linked article all I see is him walking up and down streets looking for the bluetooth broadcast. I won't blindly believe that each of the ATMs he found broadcasting was exploited. I'm not saying I would use them nor would I recommend using one in Mexico - but just seeing a bluetooth signal isn't enough for me to assume that it's exploited. With all the sensational articles floating on the web - I'm just skeptical that's all.

> demanding that he "work with at least one authority figure" is a bit naive in Mexico.

I didn't demand it - I just expected it. Even though I'm sure there are a lot of bribes happening in Mexico - there has to be someone he can contact and work with that may or may not care.

It was in the first one, although the second article alludes to the fact that the hotel took the ATM offline, eventually. The first part also goes into some detail regarding the hardware and the fact that he was approached by an ATM firm. They'd probably know if the BT beacon was a maintenance tool.

Having an openly visible BT signal emanate from your illicit snooping device seems amateurish on the face of it, but it does make connecting to it easier for technically challenged criminals, who I assume don't have a bachelor in CS or EE. They'll be happy to escalate to a harder to detect wireless signal if it becomes necessary.

Brian Krebs either has a death wish or balls the size of the moon. Never in a million years would I go and actually try to track down the ATMs compromised by well-funded, sophisticated organized crime gangs. In Latin America, no less, where killing random people only improves your rep and buying police protection is cheap.
He does mention in the comments that he only published the story once he was out of the country. Certainly publishing it while in Mexico would be courting disaster.
I'd still be concerned for his safety right now. Hope he can get some protection stateside, just in case.
Oh wow! This happened to me just recently; I was in Akumal and Tulum and only used a couple of different cash machines. My card info was stolen and then used in Mexico and Florida for withdrawals.