ATMs hacked with MP3 player
A loop-hole in the security of free-standing ATM machines has been brought to light by a conviction for fraud at Minshull Street Crown Court. Maxwell Parsons was convicted of intercepting the signals sent from these ATM machines over telephone lines, simply by plugging in a two-way connector, and then later analysing these signals in order to produce counterfeit cards.
The recorded modem signals were analysed with some software from Ukraine, Modem Line Taps like this can do the same. The information was then used to procure products to a value stated to be up to £200,000. An MP3 music player and recorder was used to record the signals, presumably because of its small size and portability.
According to APACS, the organisation that co-ordinates the banking industry's efforts to combat online banking fraud, no ATMs owned by banks were involved in this scam, and such ATMs are in general not vulnerable. The ATMs in question were owned by other companies, and set-up in such sites as shopping centres, sports halls, and so on. According to APACS, it is much easier to "get round the back" of such machines, and plug into the telephone wires over which sensitive personal bank card data is sent.
The Link is the company that runs the communication infrastucture that is used by these ATMs, and a spokesman told heise Security that the only information that had been obtained by Parsons and other members of his gang had been the numbers of the cards. PINs and security numbers (the three digits on the back) had not been captured, and the gang had then only been able to use this information for purchases in other countries where "card not present" transactions were particularly vulnerable. Malaysia has been mentioned in this respect. He said that such countries had tightened up their procedures in recent times. This fact, combined with the encryption now used in modern chip and pin technology – introduced in the UK since the Parsons fraud – should make a repeat of this particular crime impossible.