Bali banking bandits foiled by probing penetration tester
Tells waiter 'I'll have the Nasi Goreng, Bing Tang, and a Faraday cage'.
US penetration tester Matt South has ripped off and reverse-engineered an automated teller machine skimmer, finding videos of entered PINs stored within.
The TrustFoundry consultant found the surreptitious skimmer on an ATM in Bali, Indonesia, after he jiggled the cover protecting the PIN entry bank and discovered it could be removed.
South says he took the unit home, stopping to build a DIY faraday cage from aluminium foil, and later crafted a cable to interact with a port on the skimmer.
"The card reader was solid, but when I pulled on the guard that hides your hands when you type your PIN, it came right off," South says.
"By the time we got to the restaurant, we were pretty scared [since] a GSM-enabled device could feasibly phone home with its GPS coordinates [so] just in case we asked for some aluminium foil and made a makeshift Faraday cage.
"I freak-out a little and begin copying the files from the device."
South cut off the end of his phone charger and - without a soldering iron - floated the ends into a port on the skimmer which accessed folders containing 11Gbs of captured PIN entry videos.
He found the unit contained a board repurposed from a spy camera, and included a bigger battery and an off-switch.
Image: Matt South
The curious penetration tester did not, however, find the skimmer charged with hoovering up credit card numbers. "Fear of being shot prevented me from spending too much time investigating at the ATM site after the initial find."
The brazen carders had installed a replacement skimmer on the ATM days later, by which time South had reported the skimmer to the affected bank but did not receive a reply.
"Remember to wiggle those card readers and cover up those PINs," South says.
South's find comes as a report last month found ATM compromises in the US have surged a massive 546 per cent from 2014 to 2015.
The increase affected retail stores the worst where 10 times more ATM skimmers were found over the reported period in what FICO says is the largest jump ever seen.
Skimmers are being retrieved sooner after running for an average of two weeks, compared to a month in 2014, according to the analytics company.
Wiggling the plastic protrusions and lightly picking at keypads may be all that is needed to remove PIN-stealing skimmers. This reporter has pulled off a similar pin-hole camera skimmer cover from a Sydney ATM, before promptly depositing it at a local cop shop. ®