Clever real-world credit card thieves apparently have a new high-tech tool in their arsenal. A credit card terminal maker says it has discovered the existence of small, number-stealing electronic bugs. The devices can be secretly placed inside store terminals, where they skim card numbers with each transaction. The bugs are even smart enough to trick a terminal into phoning home, delivering batches of stolen numbers to fake credit card manufacturing locations. While acknowledging the threat may be real, Visa International and other terminal makers caution that use of the James Bond-esque device is hardly widespread. <snip> http://www.msnbc.com/news/589575.asp
On Mon, 25 Jun 2001, John Doe #N wrote:
http://www.msnbc.com/news/589575.asp ... Visa International and other terminal makers caution that use of the James Bond-esque device is hardly widespread.
I can't imagine why not. It's not as though the hardware is difficult to fabricate or purchase, and driver source code is just all over the place for free. Here's a convenient package with all the electronic parts necessary, selling for under $80. http://www.register5.com/register5/magmin.html (You can probably find it cheaper, that's just the first place I looked) Add a microdrive and one of those PC-on-a-chip things with a 386 plus minimal hardware and a teeny linux distribution, like you can find at http://www.tiqit.com for under $1000, then download the appropriate driver from the reader manufacturer, compile it with gcc, and you're in business. It would take about two days to build this device, cost under $1500, and the driver is so dead-simple it's probably no effort at all to port, but allocate another day of work for that. After that it's just a matter of dumping the info to the hard drive and writing a script to phone home once in a while. Any geek with about $1500 to spend and a few days to put it together could build the equivalent device; don't marvel at the high-tech, 'cause card-reader drivers are publicly available, even simpler than a keyboard driver, and the hardware is prefab. The only remotely-interesting question is how and when did the perps get private access to the gimmicked card readers? Or were the card readers compromised before they were installed? If you've got an hour or so with a good scope, you can even save yourself the cost of the card reader and associated fab problems mounting it into the card reader machine; just tap the relevant wires from the card reader that is already installed in the device. However, this would require you to write your own driver and put some diodes on the lines so you don't interfere with the other system driving the mag readers, so it's technically harder. Bear
On 25 Jun 2001, at 18:11, Ray Dillinger wrote:
Add a microdrive and one of those PC-on-a-chip things with a 386 plus minimal hardware and a teeny linux distribution, like you can find at http://www.tiqit.com for under $1000, then download the appropriate driver from the reader manufacturer, compile it with gcc, and you're in business.
Too expensive. Just wire the card reader into the serial port of your handy Palm (III|V|VII) and collect away. I saw several articles (sorry, no links) last year about skimming, and at least three of them had accompanying pictures of a Palm-based skimmer unit with attached card reader. Fact is, I have a card reader unit that I bought a couple of years ago. I've been "about to get around to doing" a reader app on my Rabbit development board, but now that I have a CerfCube, I'll probably do it on that. A Tiqit is $995, but a CerfCube is only $495 (or maybe $299, if they repeat the sale) and will also take a Microdrive. -- Roy M. Silvernail [ ] roy@scytale.com DNRC Minister Plenipotentiary of All Things Confusing, Software Division PGP Key 0x1AF39331 : 71D5 2EA2 4C27 D569 D96B BD40 D926 C05E Key available from pubkey@scytale.com I charge to process unsolicited commercial email
participants (3)
-
John Doe #N -
Ray Dillinger -
Roy M. Silvernail