Video DEF CON 24 - Hacking Next-Gen ATM's From Capture to Cashout

30:05   |   20K+ views   |   08/20/2018 at 23:52

Transcription

  • so yeah you guys all showed up for
  • basically us setting up the a/v stuff
  • pretty quick and yeah this is next-gen
  • hacking ATM
  • so I'm going to jackpot this little baby
  • is $50,000 in it so it should be
  • shooting all over the floor in a little
  • bit and yeah so yeah I'm a senior
  • engineer been doing pen testing for 11
  • years I speak a lot spoke a lot at Def
  • Con is my third year in a row Def Con so
  • but as well the conventions love meeting
  • the people and I thought hope takedown
  • con terms of other events and I did a
  • lot of reverse engineering I'm doing a
  • talk later this week or on the demo
  • labs on some software that actually
  • makes computers immune to ransomware so
  • I don't only do terrible things the ATMs
  • I also try to make protections too and I
  • do a lot of hotel hacking it's going to
  • be on also later this week on Sunday if
  • you want to make sure your talks on the
  • last day of the week make sure you do it
  • on hacking a hotel so and yeah safety
  • first I drove an ATM machine about 1,900
  • miles from Bismarck North Dakota to Las
  • Vegas Nevada and I had once again I had
  • an ATM machine and a bunch of skimmers
  • shimmers everything you can imagine so
  • that was one of the things I took safety
  • first and actually didn't push the firmware
  • on the devices until I actually got
  • to my hotel room at Mandalay Bay because
  • I did this at Black Hat also so that's
  • something where I like to take a little
  • bit more safety precautions just when
  • you're moving those things because I
  • know in the past a lot of people of a
  • accidentally forgot them in airplanes or
  • had the vehicles broken into so this did
  • a little bit more due diligence and yeah
  • just thought that was kind of kind of
  • neat I wish more people do that so some
  • of these things are they fall into the
  • wrong hands
  • it's kind of scary to imagine what
  • people will do with them so and yeah I'm
  • gonna go over the actual attacks on the
  • EMV some of our standards base some of
  • the things are things that weren't fixed
  • in the past from some of the talks
  • previously so hopefully you guys have a
  • little bit of a understanding at least
  • about the Chip and PIN cards are if you
  • if you banks them over they still have
  • the mag stripe so I would a maybe take a
  • consideration into changing that so and
  • yeah they're working through a lot of
  • the card stock so where everything in
  • the United States is going to be
  • chip-and-pin here pretty soon
  • so they have the next liability shift
  • that's coming up at 2017 so
  • and that's what makes us a next-gen talk
  • actually I converted this a ATM machine
  • over to EMV so which I will go into a
  • little bit details here so a tour of the
  • actual distribution system so I have an
  • actual blockchain design that I imagine
  • that the it actually makes it possible
  • you know it's not actually enabling
  • people but it shows the capabilities of
  • the extent that the bad guys are
  • actually going to go to when they
  • actually start trying to sell these
  • transactions because the static data
  • everybody's seen the carder forums and
  • things I'll get into greater detail
  • later about that so and let's you some
  • look at the communication back-end on
  • what the actual banking portion is
  • running on things like that I'm going to
  • introduce you to La Cara
  • it's the automated cash out mesh method
  • and I'm going to go over the demo which
  • is a going great detail it's actually
  • going to just jackpot on stage so and
  • yeah so basically what is EMV it was
  • integrated in the early 80s
  • in France and Europe MasterCard Visa
  • it's a little chipping SIM card the
  • actual EMVCo is the one that actually
  • monitors the standards for those so yeah
  • it replaces the mag stripe card which
  • is vedera
  • since the 1940s so the little old it
  • could have participated in World War two
  • so it is pretty old a liability shift
  • actually on gas pumps which is the bad
  • guys favorite shimming and skimming
  • spots is actually going to be coming up
  • here in 2017 for gas pumps and
  • point-of-sale system or the gas pump and
  • ATM machine so that's why I thought this
  • talk was due I'd like to give the good
  • guys a little bit of time to actually
  • yeah some of these issues before they're
  • actually used on the wild because as
  • soon as the mag stripe data are cut off
  • they're going to have the left 40
  • dollars of value soon and what actually
  • led me to this research is I have a ton
  • of script that I have a running online
  • and they're actually monitoring BIN
  • numbers and some of the bank
  • identification numbers that are for sale
  • so there's a larger breach in a say for
  • example like Bismarck North Dakota or
  • something like that it'll you know it'll
  • show that there's a high politically or
  • there have a lot of cards for sale in
  • the North Dakota area which I'll show
  • you on this is kind of how they offer it
  • now it was one of the biggest
  • breakthroughs that happened in carding
  • history in the last little bit was
  • pretty much over the last four or five
  • years people have been able to literally
  • filter by your area code
  • I live in Bismarck North Dakota and
  • these are all credit card transactions I
  • wouldn't raise any suspicions if I was
  • the bad guy so that's like one of the
  • bigger things that hit the mrs.
  • habitable like before it was you know
  • you didn't know if you're buying an
  • Austin Texas credit card or the bad guy
  • didn't know if he was buying a bad
  • credit card so where it would get
  • flagged for suspicion so so I actually
  • took a kind of an approach on what I
  • imagined
  • some of the next generation sales
  • methods would be and how people would
  • actually be able to sell EMV
  • transactions and some of the RFID and
  • actually the old classic track 1 2 & 3
  • data and as you guys have probably seen
  • they have professionally made shimmers
  • out there now like a lot of them
  • actually like serial numbers and stuff
  • on them so they are actually being
  • professionally produced and that's
  • something that yeah this is pretty much
  • going to take a little bit of a glimpse
  • into the actual what I imagine future
  • carder sites would look like being able
  • to sell EMV transactions which aren't
  • static static data so they're not
  • something where you can buy it and using
  • the week 1/2 it's literally as the ocean
  • on the next page here it's actually the
  • carder site of the future so it has
  • actually completed spelling errors so
  • and yeah you can basically just select
  • which FEMA region you're going to be in
  • and automated it's going to be automated
  • portion you can push them in additional
  • commands and the actual time zone it's
  • going to go into setting the fraud a SMS
  • system so that's like something where
  • you can say for example upon the cash
  • out ATM if people wanted to block the
  • SMS messaging and things like that
  • because some of the banks will send the
  • confirm messages and stuff like that so
  • there's a lot of actual attack surface
  • that people can do with these so and
  • you're going to basically put in two
  • passwords and I'll go into a little bit
  • of detail what those actually do later
  • on in this transaction and yeah and the
  • I trust that this will make a lot more
  • sense
  • so once I have to show you guys the
  • blockchain so yeah you're basically not
  • buying static data anymore you're buying
  • access or the bad guys are actually
  • buying access to a network of shimmed
  • devices where those devices are passing
  • the information off to the cash out ATM
  • so Jen here's how it works actually
  • so that person that was going through
  • the ad carder site so mr. bad guy comes
  • onto the page picks which minute he's
  • going to be doing standing at that ATM
  • and use that I guess it's like what time
  • zone he was in and some other things
  • and it'll actually
  • with one of those two passwords they'll
  • be able to put in a delimited character
  • where it'll be able to pick out where
  • that transaction is so that you're
  • getting a blockchain every single
  • fraudulent transaction that is going on
  • in this sim network I have there's like
  • $150 in bank account there simulated on
  • this back-end
  • then there's a credit processor portion
  • where all the fraud flags are held in
  • things so it will actually go through
  • the transactions here in a little bit so
  • this is actually going to pass off into
  • the blockchain pretty much all the 35
  • devices that it's feeding this ATM
  • machine so for since the 27th of last
  • month I've actually had a lot of
  • transactions going on so there's little
  • Sims that are basically doing purchases
  • and it's learning what a natural
  • environment looks like and it actually
  • an initial time when I ran it it shut
  • down after seven transactions because I
  • only had 150 account so it actually has
  • a frat of the fraud flags in place to
  • actually shut it down so and basically
  • so after you put the password in it's
  • actually going to go into giving you the
  • character information you need to
  • initiate the tunnel for the fraudulent
  • back-end so when the bad guys are
  • connecting they actually get DES keys
  • that allow them to actually talk to the
  • entire fraud back-end so and this is
  • yeah this is the first time that they'd
  • be able to monetize this in a in a live
  • scenario so and the information received
  • so they get the tunnel information
  • before so they're connecting to the
  • tunnel and authenticating to the fraud
  • network pretty much the same way that's
  • the ATM has DES keys that talks to the
  • Gateway processor that talks to the
  • banking backends so without the DES keys
  • this ATM cannot talk to my gateway
  • processor network that I've set up and
  • then also the banking back-end or any
  • the bank account
  • so that's something where you're
  • basically basic informations going to go
  • over the info type quality of the actual
  • skimming device so if it's one of the
  • more trusted sources or people paid more
  • they'll get more preferential treatment
  • on the actual blockchain so yes so
  • basically other than that you're going
  • to get a tunnel ID information then
  • you're going to get pin information and
  • this device is actually automatically
  • putting in information which is one of
  • the last ways that it's actually
  • possible to jackpot additionally because
  • um Barnaby Jack did some great research
  • made it a lot easier for people like me
  • to be able to present
  • flaws and
  • ATMs and things like that without being
  • arrested or questioned by law
  • enforcement so that's something where
  • you know a lot of the front runners his
  • is actually a hardware attack where to
  • actually check the firmware
  • there's told it the actual money out so
  • that's something where this is a little
  • bit different research so and yes so
  • basically as you can see the connection
  • information is before your actual
  • transaction in the blockchain so and
  • what kind of information can be sold on
  • these carder sites so there's basically
  • static magnetic data and track one and
  • two and three data that's the classic
  • data that's being sold right now there's
  • EMV DDA which is the dynamic
  • authentication which are some of the
  • newer cards if you've got like one of
  • the cards like three years ago four
  • years ago some of those had a lot more
  • static information on them and some of
  • the newer card stocks that banks are
  • going through are the new these new tune
  • is two transactions so some of the
  • issues that were you know spoke of in
  • the past
  • we're actually fixed a little bit and
  • some of them was still available so some
  • of the newer cards are still susceptible
  • to these attacks and there will be
  • some RFID stuff so not the RFID in the
  • sense of like the Apple Pay and the
  • Google Pay it's actually the cards where
  • you can click them and stuff like that
  • so some of those will be able to be
  • would be able to be sold on a fraudulent
  • network so and yeah it actually this
  • device will if they're not I put a
  • couple cards in there I remove them for
  • demo purposes whatever like specifically
  • only for food or things like that so
  • it'll reject cards onto the networks
  • that are just sets or flags that say it
  • can only be used for food or gas so and
  • aside from the card actually being
  • passed off it will also pass up a pin
  • and the ATM limit and that's one of the
  • things that while I was going around
  • some of those carder sites I was
  • collecting all the research and there's
  • lots of PANs they were collecting the
  • actual PAN information so the account
  • numbers and the BINs which are the bank
  • identification numbers they were
  • collecting the amounts that were most
  • likely their point of sale limits and
  • then some of their ATM transactions so
  • it's something where they were looking
  • to see how much these actual accounts
  • they could get out of them so they know
  • what to mark them up to but it's also
  • any time that they would compromise the
  • card using like a Lebanese loop or
  • there's other devices where they would
  • get them stuck in the ATM and come back
  • for them they were most likely you know
  • taking these cards and looking actually
  • actual flag detail so they're collecting
  • all this information from the banking
  • networks and that's what led me to
  • believe that
  • eventually they're going to be going
  • after EMV transactions but why would
  • they do it now because they have all
  • this low-hanging fruit of all these
  • magnetic card data so and yeah here's in
  • a nutshell what is happening you have
  • multiple shimmed devices and they're
  • passing off to one device so it doesn't
  • have to be in a huge block chain that
  • was the method that I saw is where bad
  • guys to be able to monetize this again
  • and it's because of some of the latency
  • that is introduced into the actual
  • process there's limitations with the
  • especially the backbone for fiber inside
  • the United States there's some methods
  • where they could actually be able to do
  • online processing all the time and some
  • of the weaknesses that are in these
  • actual protocols that were exploited I
  • won't be able to be fully turned on for
  • a couple of years due to limitations on
  • actual communication networks so but
  • basically think of it as you know if one
  • bad guy actually poisoned for ATMs or
  • point-of-sale systems they'd be able to
  • relay those EMV transactions into the
  • actual ATM so and here's the most likely
  • method that the data gets sold so
  • basically you have least gear so there's
  • people that would be mules for these
  • organizations and they would be you know
  • installing these shimmers driving
  • across the United States then you have
  • the fraudulent employees pretty much the
  • same methods that they're using now yet
  • they independent small breaches things
  • like that where they're they're fed into
  • a small carder site and those were the
  • ones were in the small organizations
  • where people are actually able you know
  • there's like a five person crew going
  • around the United States you know
  • cashing out that way so and when they
  • have unused transactions they're
  • actually able to pop them into the main
  • carder site and that's kind of the same
  • way it works now except for they were
  • able to do it with these live EMV
  • transactions and like a thing it can't
  • be held a static data it needs to be
  • used within a certain time frame and it
  • needs to match some of the flags that it
  • has coming over the top of it or when
  • the transactions actually initiated so
  • yeah and so basically this is what
  • happens some people ask me if it's
  • actually cloning the card it's actually
  • not it what it is is it's basically
  • intercepting after a certain portion
  • initially it's just using the actual
  • power from the point-of-sale system and
  • after that point once it gets the
  • transaction actually started which I'll
  • through the actual process then we'll
  • get into the actual mechanics behind us
  • and the actual wash shimmers so so
  • because it holds for round two once it
  • started the initial process it uses the
  • power over the skimmer or the shimmer
  • and the actual wireless inside the
  • device so the actual stage one
  • transaction once it's passed off to the
  • ATM machine they just did the $38
  • point-of-sale transaction and the $1500
  • ATM withdrawal happens without them even
  • being the wiser and they didn't touch
  • each other's limits because there's
  • point-of-sale and ATM and like I said
  • this is not cloning the card and there
  • are four stages of the EMV transaction
  • it's being released into the tunnel and
  • it is literally imagine it as an
  • extension to the actual ATM so the cash
  • the cash out device basically
  • regurgitates the exact same information
  • that is sent from the shimmed
  • point-of-sale system and I will go into
  • a little bit more detail about some of
  • the ways to actually capture pins you
  • guys seen a lot of them in the wild
  • for example there's pin overlays I have
  • a new one that's actually pretty decent
  • too soon and the actual present-day
  • limit is shimmed and that won't count
  • once again against the ATM limit so they
  • actually have different process portions
  • that they're talking to about
  • authentication so it's a little bit
  • harder to catch some of these
  • transactions also so and here's a little
  • bit of a pictures of some of the
  • skimmers and shimmers that were caught
  • in the wild the one on the left actually
  • was used for some downgrade attacks for
  • some banks that had improperly
  • integrated EMV and some of the other
  • ones are some of the phone parts and
  • things like that that I actually used to
  • build some of the shimmers that I was
  • actually doing for my proof of concept
  • so yeah just your general point of sale
  • system so and you know cash out device
  • standalone so yeah this is meant to be
  • like an out-of-service ATM it's supposed
  • to be something that a you know normally
  • you wouldn't want it to fly out
  • everywhere on the street will hit
  • something where you would want to you
  • know catch it and have it doing
  • after-hours if it you if you are a bad
  • person of course and it's something that
  • the original concept that I had was just
  • like a huge fascia on the actual ATM and
  • it would catch all the money and stuff
  • but it's much better if it's just flying
  • out of the bottom so and yeah and I'm
  • gonna go into the actual cash out
  • standalone this is something that people
  • were wondering about fit
  • yeah there's foreign object detection on
  • a lot of the new ones I found searched
  • several ways to actually deactivate a
  • lot of that stuff and some of the newer
  • devices inside the next-generation ATMs
  • so that's something that I'll go into
  • the little detail here and basically
  • this is like a standalone device you
  • just literally need a cell phone and a
  • or the bad guy all I need the cell phone
  • and credit cards that can impersonate
  • some of the other EMV transactions so
  • basically once this device is actually
  • plugged into the Machine it'll start
  • replicating a lot of the information
  • that they're getting from their
  • blockchain so pretty much all they need
  • is a wireless internet connection and an
  • ATM that accepts yeah EMV transaction so
  • and I'm going to introduce La Cara
  • which is a roughly translated to face so
  • did everything sounds more menacing in
  • Spanish doesn't it
  • but yeah Noah why would somebody want to
  • automate something like this yeah people
  • are untrustable as you can see here this
  • was off of a couple guys Twitter feed
  • that got busted they were doing a cash
  • out run yeah that's not conspicuous at
  • all
  • so after the cash out to their bragging
  • about it on social media you have one
  • busted
  • humans get busted they rat out and
  • machines usually don't have Twitter
  • accounts that's like one of the most
  • positive things for the bad guys so and
  • I wanted to go with a Def Con theme this
  • year which was our rise of the machines
  • like immediately after Jeff told
  • everybody what the theme was for the
  • next year I was like I'm gonna make an
  • ATM machine that can do its own like
  • fraud it'll be a beautiful thing so and
  • yeah so going along with a theme like I
  • was saying there is the standalone which
  • was more practical and what I actually
  • imagine the bad guys using in the wild
  • so and La Cara does have its own Twitter
  • account actually so and I was actually
  • going to broadcast the the simulated and
  • emulated a banking back-end transaction
  • data I didn't have time to set all that
  • up and I doubt that anyone would have
  • watched a bunch of numbers fly across
  • Twitter when I thought about it in
  • hindsight so but yeah I would've shown a
  • lot of how the staging works and how
  • what will happen if like two
  • transactions are kicked into the
  • blockchain how they take priority and a
  • lot of that information so so yeah that
  • guy smiling like a child inside the
  • reflection of that ATM screen is me
  • that's last year after Def Con I
  • actually bought an ATM machine and
  • started doing some research
  • and everybody asked me including the
  • press person who violently ripped the
  • La Cara off there what's behind there and
  • it's actually two Arduinos controlled
  • by a Raspberry Pi controlled by an
  • Android so there's a lot of computer
  • components and it's a basically a bunch
  • of servos that are entering the
  • transaction amount so it'll say how much
  • money it wants to take out it'll
  • actually enter the pin number it'll
  • accept it it'll say no receipt and then
  • we'll go into the next transaction so
  • there's a bunch of little baby robot
  • fingers inside there just pushing
  • buttons and making money come out - and
  • the actual card is actually plugged into
  • the Raspberry Pi and that does all the
  • modulation and the actual data
  • processing for the card so that's how
  • the actual EMV card when you get them
  • personated it needed something with a
  • little more beefy than an Arduino but as
  • far as for controlling the robot fingers
  • that was pretty much what it came down
  • so and this could be a removable device
  • like where if somebody didn't want to
  • like I was saying they would most likely
  • want to make it something that pops on
  • quick that
  • yeah it's now made out of fiberglass in
  • and I'm actually go through the process
  • of how yeah for some reason you know you
  • send I have a couple buddies that do 3d
  • printing and you start sending them ATM
  • parts and they quit answering your
  • emails so so that's something we're
  • pretty much I was like okay I'm gonna do
  • this the good old fashioned way you know
  • like I used to do a lot of auto
  • restoration when I was little how hard
  • could this be so yeah I basically uh
  • covered it in plastic made a buck mold
  • and a plug mold then I just put the you
  • know fiberglass
  • yeah the fiberglass on the front of it
  • and yeah this is actually nasty ATM is
  • the name of that color of gray so and it
  • could've been a little bit closer match
  • but yeah you get the gist of it it's an
  • out of service ATM it won't raise any
  • suspicion my actual branch ATM the bank
  • that I work or the I don't work at the
  • bank I work at Rapid7 but let the a
  • bank that I actually bank at their ATM
  • was down for two days and I was the
  • first person to tell them so it's not
  • something where out of service ATM will
  • raise any suspicion so this is a yeah so
  • basically it's a Swiss Army knife so
  • this is one of the first keypads that I
  • actually started training my Arduino
  • system on so and you know then I started
  • I'm working into some of the more
  • advanced methods like some of the things
  • that aren't even out yet and will only
  • be integrated once the United States
  • finally catches up to a lot of the other
  • countries
  • they'll be able to turn on a lot of
  • these mechanisms because I didn't want
  • to just inject magnetic card data using
  • like a MagSpoof or like Samy Kamkar has
  • like that's an amazing device and that
  • man is a brilliant genius I just want to
  • give him props for I do use MagSpoof
  • on this one and several other ones so oh
  • yeah so and there's one of them in the
  • corner there basically a little thing
  • that can speak to the magnetic heads in
  • the readers but it's very very cool
  • video to watch if you guys haven't seen
  • it yet so we're basically what I start
  • one of the other devices that started
  • out with just to see if this was
  • possible you know because it's one thing
  • if it's a theory and it's another thing
  • when you can actually do it and it's
  • another thing you know when you're able
  • to do it wirelessly in a room that's
  • another thing when you can bounce it off
  • of EPs up in Toronto so like that kind
  • of latency compared to you know what's
  • in a room and what's actually allowed by
  • the standards they actually you know
  • planned for a lot of that stuff to
  • actually be stopped so which I building
  • your own banking back-end so that's a
  • lot of the actual systems like I was
  • saying there's been since the
  • 27th of last month I've been doing a
  • lot of these transactions and they're
  • actually doing EMV transactions like I
  • said there's 15 banks financial
  • institutions and it's over a 150,000
  • bank accounts so those all are signed
  • with card stock and they actually have
  • like physical attachment to them so
  • anytime that a card is simulated into
  • the reader it's going to check with the
  • bank the exact same the real networks
  • would it's going to flag it for fraud if
  • I had like I was saying when I had 150
  • accounts after seven accounts I got
  • flagged for fraud because unusual
  • suspicions and it was some of the
  • natural settings on the banking network
  • but now that I have a hundred fifty
  • thousand accounts it opened up to a lot
  • more attacks since I was going to be
  • doing several demos so and each other
  • like I was saying each one of these is
  • this is signed with DES keys so say for
  • example if I get flagged for fraud this
  • will kick me off of my gateway processor
  • I won't be able to talk to my bank
  • account so it will end the demo so and I
  • wanted to make it a little more real
  • world because I just didn't want to you
  • know be like a bad simulation like this
  • one actually has some of the field
  • information where you can actually set
  • some of the flags and you know it's the
  • risk just like it would with any other
  • transactions
  • and the skimmer is generated at
  • generating everything at signing on with
  • so and yeah so here's the EMV
  • transaction so this is in a nutshell
  • this is not a literally took fourteen
  • hundred and thirty eight pages for me to
  • fully understand it so this is my two
  • PowerPoint presentation examples that so
  • it's basically going to be the card is
  • read by a point-of-sale terminal talks
  • to the acquirer which talks to the bank
  • and that's about it validating that the
  • card legitimate that the bank accounts
  • are legitimate and that's the device the
  • point-of-sale system or the actual ATM
  • system is actually allowed on the
  • network so that all that process is
  • going on in the actual transaction and
  • basic on step two is when the actual
  • attack happens it gets passed off to as
  • you can see in that little green area
  • there it's actually getting bounced off
  • to the ATM machine here so imagine there
  • should be technically about 3.1
  • transactions getting shot at that ATM
  • every time because of the size of the
  • network and the blockchain it is the
  • only cash out device on the blockchain
  • so it takes priority and it should be
  • getting non-stop transactions after I
  • pop on the actual La Cara system so and
  • yeah how will you capture the pin you
  • have the chip it's like one thing that's
  • half the battle I was looking into some
  • of the actual features for the
  • next-generation ATMs and they could
  • actually change the pin on the fly and
  • some of them are on entry unencoded or
  • actually unencrypted so there's methods
  • of the pass is the pinhole cameras that
  • have been around for literally probably
  • twelve or thirteen years
  • there's the pin overlays you'd be able
  • to automate that kind of the same way as
  • the actual version that I've simulating
  • the actual pin numbers here is based on
  • OpenCV which will I will go and drew in
  • the second tier so an unencrypted in
  • traces so if it's actually reading
  • straight mechanical data it'll be able
  • to grab the pins that way also and this
  • is actually the method that I came up
  • with because I was like I want a way to
  • 100% automated so I actually got a
  • keypad the next sprayed some 3m glue on
  • it and then I put up into iron oxide
  • like very small pieces of metal because
  • I wanted to be able to get past foreign
  • object detection you know in this
  • simulation so that's something we could
  • put a little a little radio on the
  • bottom open and went through the actual
  • key cycles and it actually basically has
  • a different peak for each
  • keys rude and OpenCV and now it's
  • watching for those peaks and depending on
  • the actual peak and the pitch on the
  • peaks it'll actually tell you basically
  • what what key was pushed so that was
  • kind of like you know in addition to
  • some of the overlays which would be
  • automatable it was something else that I
  • kind of wanted to go into other ways of
  • pin capturing so and that one was one
  • that I hadn't seen before and I loved
  • playing with software-defined radios I
  • got a edit into ten at the beginning
  • like right around Christmas time and I
  • felt like an 11 year old again so if you
  • guys aren't playing with software-defined
  • radios you definitely should be so
  • they're amazingly fun and yeah so aside
  • from probing for the networks they're
  • actually going to go into the actual
  • network and card settings they're
  • looking at what the like I said they're
  • collecting tons of data they're sitting
  • out there Claud the bad guys are
  • actually collecting you know what the
  • what flags are said like what uh you
  • know what limitations for per country
  • like what the actual attacks are
  • probably once the actual magstripe
  • data dries up so and this is kind of a
  • direction that I saw the bad guys going
  • with this soon and branch ATMs versus a
  • on that on network ATMs anybody who's
  • ever you know tried to get five hundred
  • dollars and had to do it in two
  • transactions
  • that's an off network ATM they like to
  • summon extra fees it's just a little bit
  • more risky so they break them down into
  • several transactions and the on branch
  • ones are like the actual ones that are
  • inside of the actual banks and stuff
  • like that and I've you know personally I
  • think I've taken out like you might have
  • to adjust your point-of-sale limit but
  • you can take up to like two three
  • thousand dollars at a time from some of
  • them depending on your years with your
  • bank and things like that but some of
  • the off branch ones are obviously not
  • the ones that would be attacked so and
  • also this uh that was one of the first
  • things that date after about my ATM is
  • actually converted it to EMV so that is
  • one of the only modifications done to
  • the actual circuit board is it has a
  • more advanced firmware that can handle the
  • EMV compared to the actual old credit
  • card so and yeah Chinese and Japanese
  • ATM they literally have like ten
  • thousand dollar limits in some cases so
  • if there are I think about the actual
  • number was but I uh and it was several
  • hundred that caught the world that
  • actually have ten thousand dollar plus
  • limit so and they are in limited
  • portions but most of them are in Japan
  • and China so andr as two of them some
  • teams coming around shimming a point of
  • sale
  • system obviously they're going to go for
  • things that don't have a lot of the
  • foreign object detection that's
  • something that yeah it'll put an end to
  • a lot of that so habit of putting EMV
  • and early what's uh like if it doesn't
  • have that piece of paper that whatever
  • they put on it like you know don't stick
  • card in no chip or whatever like we put
  • our card in there and it literally takes
  • almost an eternity is what it feels like
  • so that's one of the things where we
  • want it to be uninterrupted and yeah you
  • can basically take your point of sale
  • limit and it's going to be one of their
  • favorite things to actually most likely
  • to do the same way that they do not like
  • majority of the actual cards that were
  • skimmed are from the actual gas pump so
  • yeah I just like to give special thanks
  • before I kick off the demo and then I
  • will answer some questions if anybody
  • has questions which they should have a
  • lot of them so I'm going to give a shout
  • out to my wife my kids
  • Jesus Barnaby Jack Samy Kamkar a ton of
  • the Cambridge guys they did a really
  • really good job I got a lot of a buddies
  • with some of the Arduino issues I like
  • to nest code sometimes and they helped
  • me fix it so yeah and I'm going to go
  • over the transaction because I am
  • eighteen hundred dollars short from my
  • Black Hat demo so as you can see on the
  • bottom Benjamin Franklin is puckered
  • puckered lip so it is not real money so
  • and basically what I'm gonna go through
  • the things letter to $50,000 in a fake
  • it's a not fake money it's a fraudulent
  • money it's actual for motion picture use
  • and it has written all over it I mean it
  • looks pretty good from ten feet or from
  • wherever you're sitting in the crowd but
  • it actually you can tell it from the
  • bill on top it's not real so and it's
  • going to grab the pan number and a bin
  • number and actually go off if it's five
  • to nine hundred dollar per transaction
  • so it's going to most likely go anywhere
  • from zero to sixty transactions before
  • it's actually either shut down for fraud
  • or runs out of money so and the
  • transaction time we're gonna take about
  • 18 seconds I'm going to kick off the
  • demo here and I will start answering
  • questions and yeah it's going to enter
  • the pin and so basically with the Arduino
  • know I needed to get it to a known state
  • so I need to make sure that it's on the
  • right screen and then I could kick it
  • off and it will actually start pumping
  • transactions and it will pump out
  • different based on the actual account
  • number that comes into it it'll actually
  • pop out a different set of money so and
  • hopefully I don't fall off stage
  • your jackpot number
  • whoo and I was scared my ATM demo is
  • going to blow up and the a/v stuff I'm
  • crazy there at the beginning so but yeah
  • as you can hear it sounds like
  • rattlesnakes those are little Arduino
  • servos actually entering a PIN number so
  • and hopefully the money is coming out
  • good so but yeah there's anybody any
  • questions if you want you come up to the
  • microphone some of this is very very
  • ridiculous you have to read about 1,400
  • pages of some stuff but I will explain
  • it to the best of my ability
  • anybody's any questions I'll also be on
  • stage it's on thank you all for coming
  • [Applause]

Description

Weston Hecker, Senior Security Engineer & Pentester, Rapid7

EMV (Chip & Pin) card ATMs are taking over the industry; with the deadlines passed and approaching, the industry rushes ATMs to the market. Are they more secure and hack proof? Over the past year I have worked at understanding and breaking the new methods that ATM manufacturers have implemented on production ‘Next Generation’ Secure ATM systems. This includes bypassing Anti-skimming/Anti-Shimming methods introduced to the latest generation ATMs, along with NFC long range attack that allows real-time card communication over 400 miles away. This talk will demonstrate how, with a $2000-dollar investment, criminals can do unattended ‘cash outs’, touching also on failures of the past with EMV implementations and how credit card data of the future will most likely be sold with the new EMV data having such a short life span.

With a rise of the machines theme, a demonstration of ‘La-Cara’, an automated cash out machine that works on current EMV and NFC ATMs. It is an entire fascia placed on the machine to hide the auto PIN keyboard and flash-able EMV card system that is silently withdrawing money from harvested card data. This demonstration of the system can cash out around $20,000/$50,000 in 15 min.

11 years pen-testing, 12 years’ security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2-Security Congress, SC-Congress Toronto, HOPE11, BSIDES Boston and over 50 other speaking engagements, from telecom regional events to universities, on security subject matter. Working with a major university's research project with Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota. Computer Science and Geophysics. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC, Verizon.
