Some time ago I was fascinated by the story of how criminals were stealing credit card information from ATMs in California by creating a fake, intermediate entry point for the credit/debit card. A device which, for all practical purposes, looked like the slot where the card should be inserted was placed over the real slot. This device was set up to read the card's magnetic stripe in the same way the ATM would. So the card is inserted, passes through the fake reader first, and then continues on into the machine. The ATM works as expected for the customer, who does not notice the added outer device; the devices were designed to blend in aesthetically with the surrounding ATM. Of course, the criminals needed the customer's PIN as well, so a small video camera was mounted in an upper corner of the ATM where the victims would not notice it.

In a rash of similar attacks in Utah, criminals are now placing skimming devices inside “pay-at-the-pump” gas pumps. You can read the full story here. The way this seems to work is that a device is placed within the gas pump, skimming the card numbers as was done with the ATMs. The data is transmitted via Bluetooth to a nearby device, to be collected later by the attacker.

How an attacker gains access to the inside of a gas pump is beyond me. Some are speculating it is an inside job, while others say that these pumps are physically vulnerable. Whatever the method, the fact that these devices reside within the pump makes them all the more difficult to detect, especially for the victim.

These two types of attack remind me of similar phishing methods used by online attackers. A victim receives an email, apparently from his bank, telling him that his account has been compromised. He clicks the link to log in to his account and is greeted by the familiar login page. However, this page does not reside on his bank's web server. Instead, it resides on the attacker's server somewhere in Russia. All the other links on the page do as expected and take him to the actual pages on his bank's site. However, the button he clicks to log in sends his credentials to the attacker's database. The attacker's page then redirects him to his real bank login page. What does the victim think? He must simply have typed the wrong password. He tries again, and he's in his account. All this transpired without the victim realizing his credentials were stolen. The fake page was designed in the same way as the fake ATM card slot, and the clever attacker lets the victim's login finally achieve what the victim wants: access to his account. The attacker does not want to cause a disruption to the process that would direct unwanted attention to himself.
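As an added illustration (this is not code from the original post), here is a small Python check for the tell-tale sign just described: every navigation link on the page resolves to the real bank, but the login form submits somewhere else. The hostnames, page URLs and HTML below are constructed for the example; a form with no action attribute is treated as posting back to the page it was loaded from, which on a phishing page is the attacker's host.

```python
"""Spot a login form that posts somewhere other than the site it imitates.

Added example, not from the original post. Given a page's HTML, the URL it
was loaded from and the hostname the page claims to be (the bank), list every
link and form target whose hostname differs from that claimed host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _TargetCollector(HTMLParser):
    """Collect href targets of <a> tags and submit targets of <form> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []   # absolute URLs of <a href=...>
        self.forms = []   # absolute URLs that forms submit to

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(urljoin(self.base_url, attrs["href"]))
        elif tag == "form":
            # A form with no action posts back to the page it is on.
            self.forms.append(urljoin(self.base_url, attrs.get("action") or ""))


def audit_login_page(html, page_url, claimed_host):
    """Return (off_host_links, off_host_forms): targets not on claimed_host."""
    parser = _TargetCollector(page_url)
    parser.feed(html)
    claimed_host = claimed_host.lower()

    def off_host(url):
        host = (urlsplit(url).hostname or "").lower()
        return host != claimed_host

    return ([u for u in parser.links if off_host(u)],
            [u for u in parser.forms if off_host(u)])


# Constructed sample: the page is served from an attacker-controlled host
# (reserved .example names), but every navigation link points at the real
# bank, exactly as in the story above. Only the login form goes elsewhere.
PHISH_PAGE_URL = "https://secure-login.examplebank-verify.example/index.html"
PHISH_HTML = """
<html><body>
<a href="https://www.examplebank.example/">Home</a>
<a href="https://www.examplebank.example/locations">Branches</a>
<a href="https://www.examplebank.example/help">Help</a>
<form method="post" action="collect.php">
  <input name="user"><input name="pass" type="password">
  <button type="submit">Log in</button>
</form>
</body></html>
"""

# Constructed sample of the genuine login page: relative links and a
# relative form action all resolve to the bank's own host.
LEGIT_PAGE_URL = "https://www.examplebank.example/login"
LEGIT_HTML = """
<html><body>
<a href="/">Home</a>
<a href="/help">Help</a>
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for name, html, url in (("phish", PHISH_HTML, PHISH_PAGE_URL),
                            ("legit", LEGIT_HTML, LEGIT_PAGE_URL)):
        links, forms = audit_login_page(html, url, "www.examplebank.example")
        print(name, "off-host links:", links, "off-host forms:", forms)
```

The check deliberately resolves relative targets against the URL the page was actually loaded from, not against the bank's domain; that is what makes an action of `collect.php` on the attacker's host show up even though nothing in the form itself names the attacker.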

While newsworthy, neither of these skimming attacks is commonplace. Setting them up would involve quite a lot of risk. I would say that you are equally vulnerable to having your credit card information stolen by a waiter at a restaurant who walks off with it for 15 minutes as you are to a credit card skimmer. However, let us still show a bit more caution whenever we swipe that card. Does the device look tampered with? Perhaps it looks newer than its surrounding enclosure? Do you remember that ATM card slot being so big? Are the other ATMs the same in appearance? If the answer to any of these questions causes reasonable suspicion, then we should be discussing our concerns with the owners of the equipment.

David H.

We’ve all seen them: mechanical locks on doors with 5 vertical numbered buttons. Here’s an example:

http://bit.ly/65UYbu

Here are some facts about these locks:

1. In any given combination, you can only push a digit once. This means that the same number will not show up in a combination sequence twice.

2. You may, however, push two buttons at the same time as part of the combination. But again, once these numbers are pushed they cannot be re-used. They are pushed simultaneously.

So, putting this together, here is how many possibilities you have when every one of the five buttons is used once.

If no two-button presses are used, the possibilities are 5! = 5 x 4 x 3 x 2 x 1 = 120.

If exactly one pair is pushed simultaneously, there are 10 possible pairs:

5-1, 5-2, 5-3, 5-4, 4-3, 4-2, 4-1, 3-2, 3-1, 2-1.

For each pair the combination is four presses (the pair plus the three remaining single buttons), and those four presses can be ordered in 4! = 4 x 3 x 2 x 1 = 24 ways, so 10 x 24 = 240. (Counting only the 3! = 6 orderings of the three remaining buttons, for 10 x 6 = 60, would assume the pair is always pushed first; the lock does not require that.)

Ok, so here’s how I reduced the possibilities on a client office door….

On each button, I made a dot with a dry-erase marker. The next day I checked the door. “3” was the only button with a mark left, so it was not used in the combination. Working as quickly as possible (and assuming a 4-digit combination) I worked through the list, starting with single digits….

1245, 1254, 1425, 1452, 1524, 1542, …and so on. About 25 tries into it, the doorknob turned and I was in their office. Because of this, they’ve since switched it out for a card reader. :-)
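Added example (Python, not code from the post): this enumerates every combination allowed under the two rules above, counts them, and then applies the marker trick by dropping the button that still carried its dot. It assumes, as the search above does, that the combination uses every button being searched exactly once; the button numbers and the "3 was still marked" scenario are taken from the post, everything else is constructed.

```python
"""Candidate combinations for a 5-button push-button door lock.

Rules taken from the post: each button is used at most once per combination,
and a press is either one button or two buttons pushed simultaneously.
Assumption (mine, not stated on the page): the combination uses every button
being searched exactly once, which is also what the search in the post assumes.
"""
from itertools import permutations


def _groupings(buttons, allow_pairs):
    """Yield each way to split `buttons` into presses of size 1 (or 2)."""
    if not buttons:
        yield []
        return
    first, rest = buttons[0], buttons[1:]
    # `first` pushed on its own
    for tail in _groupings(rest, allow_pairs):
        yield [(first,)] + tail
    if allow_pairs:
        # `first` pushed together with one later button; pairing only with a
        # later button (never an earlier one) keeps each grouping unique.
        for i, other in enumerate(rest):
            remaining = rest[:i] + rest[i + 1:]
            for tail in _groupings(remaining, allow_pairs):
                yield [(first, other)] + tail


def press_sequences(buttons, allow_pairs=True):
    """Yield every combination (a tuple of presses) using each button once."""
    buttons = tuple(sorted(buttons))
    for grouping in _groupings(buttons, allow_pairs):
        for order in permutations(grouping):
            yield order


def count_candidates(buttons, allow_pairs=True):
    """Number of combinations the lock could have for these buttons."""
    return sum(1 for _ in press_sequences(buttons, allow_pairs))


def candidate_list(buttons, allow_pairs=True):
    """All combinations in the order the post's search went: single-button
    presses first, then one simultaneous pair, then two; lexicographic within."""
    return sorted(press_sequences(buttons, allow_pairs),
                  key=lambda seq: (sum(len(p) == 2 for p in seq), seq))


def format_sequence(seq):
    """'1245' for four single presses; '(12)45' when 1 and 2 are pushed together."""
    return "".join(str(p[0]) if len(p) == 1 else "(%d%d)" % p for p in seq)


def buttons_to_search(all_buttons, still_marked):
    """The marker trick: a button whose dot survived was never pushed."""
    return sorted(b for b in all_buttons if b not in still_marked)


if __name__ == "__main__":
    five = [1, 2, 3, 4, 5]
    print("all five buttons, singles only:", count_candidates(five, allow_pairs=False))
    print("all five buttons, pairs allowed:", count_candidates(five))
    # Constructed scenario from the post: button 3 still had its mark.
    left = buttons_to_search(five, still_marked=[3])
    print("buttons to search:", left)
    for seq in candidate_list(left, allow_pairs=False)[:6]:
        print(format_sequence(seq), end=" ")
    print("... total singles-only candidates:", count_candidates(left, allow_pairs=False))
    print("same four buttons with pairs allowed:", count_candidates(left))
```

Run as is, it reports 120 combinations for five single presses and 450 once simultaneous pairs are allowed (120 with no pair, 240 with one pair, 90 with two pairs). Knowing that button 3 was untouched, and sticking to single presses as the search above did, leaves just 24 candidates, starting 1245, 1254, 1425, ...; allowing pairs among the four remaining buttons raises that to 66, still a small fraction of the original space.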

DH