Interesting physical attack using specially made printed circuit boards that slide into the card reader slot. Designing a robust ATM has got to be up there in terms of safety platform engineering.
I had a few problems with the circuit-board-in-credit-card-slot part of it. Why would an ATM designer allow more than a few discreet signals (card inserted, card withdrawn, magsstripe data ready) and the magstripe data itself from the card reader into the ATM computer? It would cost a lot of money to make a card reader that can do more than that, wouldn't it? You'd also have to spend money on the device driver software to do more fancy stuff.
It's probably connected with a standard interface like USB. It costs a lot less money to use a mass-produced connection than something custom, and you don't have to write any drivers.
Because people aren't using the fucking magstripes anymore, thank god (at least if you're outside the US, where chip+pin is basically not existing!).
Everyone sane is using the smartcard interface because usually the chips cannot be cloned whereas a magstripe writer sets you back $150 and about 10 cents for a blank card. Just for the lulz: many payment terminals allow you for reading the WHOLE RAW STRIPE DATA by a command... so you hack the PoS software to issue a CardSwipe command before issuing the payment command. Unsuspecting store clerk will follow the instructions on the terminal: 1) swipe the card, 2) see the terminal saying again "Please swipe card", 3) think the first swipe failed 4) swipe again and do the normal payment. This is trivially done with any ZVT or OPI-based payment terminal. And it fucking works. (If anyone is interested, drop me an email. I develop PoS software and can send you a demo video)
The smartcard interface is the thing where the problems lie: PC/SC is a quite easy API, but most of the software will be written in C and suffer from the usual bugs: boundary checks done wrong, overflows, missing sanity checks... this uber-long PCB is essentially not needed at all. You could entirely implement everything on e.g. a BasicCard ($10 apiece for the high-memory+RFID card) or any other programmable smart card.
Edit: I've been asked by email by some people for the demo video. It'll be ready by Tuesday, I'll also submit it to HackerNews.
Actually my system is open-source, with monthly fees being hardware rental and support. Sure, buying a system is possible too, but these systems must be continually updated e.g. to reflect changes in regulation, bugfixes etc.
Perhaps they are exploiting the smart card (a.k.a., chip card or EMV card) interface. (The magnetic stripe is pretty much obsolete in the rest of world outside of the USA.)
A commenter on the Krebs site make the same point about the smart card interface:
12 comments
[ 3.4 ms ] story [ 46.3 ms ] threadEveryone sane is using the smartcard interface because usually the chips cannot be cloned whereas a magstripe writer sets you back $150 and about 10 cents for a blank card. Just for the lulz: many payment terminals allow you for reading the WHOLE RAW STRIPE DATA by a command... so you hack the PoS software to issue a CardSwipe command before issuing the payment command. Unsuspecting store clerk will follow the instructions on the terminal: 1) swipe the card, 2) see the terminal saying again "Please swipe card", 3) think the first swipe failed 4) swipe again and do the normal payment. This is trivially done with any ZVT or OPI-based payment terminal. And it fucking works. (If anyone is interested, drop me an email. I develop PoS software and can send you a demo video)
The smartcard interface is the thing where the problems lie: PC/SC is a quite easy API, but most of the software will be written in C and suffer from the usual bugs: boundary checks done wrong, overflows, missing sanity checks... this uber-long PCB is essentially not needed at all. You could entirely implement everything on e.g. a BasicCard ($10 apiece for the high-memory+RFID card) or any other programmable smart card.
Edit: I've been asked by email by some people for the demo video. It'll be ready by Tuesday, I'll also submit it to HackerNews.
A commenter on the Krebs site make the same point about the smart card interface:
http://krebsonsecurity.com/2014/05/thieves-planted-malware-t...
http://webcache.googleusercontent.com/search?q=cache:YOzSV2s...