So, yeah, you guys all showed up for basically us setting up the AV stuff pretty quick. And yeah, this is next gen hacking ATMs. So I'm going to jackpot this little baby. It has $50,000 in it. So it should be shooting all over the floor in a little bit. And yeah. So yeah, I'm a senior engineer. Been doing pen testing for about 11 years. I speak a lot. Spoke a lot at DEF CON. This is my third year in a row at DEF CON. So I just love the conventions, love meeting the people. And I spoke at HOPE, Takedown Con, tons of other events. And I did a lot of reverse engineering. I'm doing a talk later this week on the demo labs on some software that actually makes computers immune to ransomware. So I don't only do terrible things to ATMs, I also try to make protections too. And I did a lot of hotel hacking. It's going to be on also later this week on Sunday. If you want to make sure your talk is on the last day of the week, make sure you do it on hacking hotels. So. And yeah, safety first. So yeah, safety first. I drove an ATM machine about 1900 miles from Bismarck, North Dakota to Las Vegas, Nevada. And I had, once again, I had an ATM machine and a bunch of skimmers, shimmers, everything you can imagine. So that was one of the things I took safety first and actually didn't push the firmware on the devices until I actually got to my hotel room at Mandalay Bay because I did this at Black Hat also. So that's something where I like to take a little bit more safety precautions just when you're moving those things. Because I know in the past a lot of people have, you know, accidentally forgot them in airplanes or, you know, had their vehicles broken into. So I just did a little bit more due diligence and yeah, I just thought that was kind of neat. I wish more people would do that because some of these things, if they fall into the wrong hands, it's kind of scary to imagine what people would do with them. So. And yeah, I'm going to go over the actual attacks on the EMV. 
Some of them are standards based. Some of the things are things that weren't fixed in the past from some of the talks previously. So hopefully you guys have a little bit of understanding at least of what the chip and PIN cards are. If you bank somewhere where they still have the mag stripes, I would maybe take a consideration into changing that. So. And yeah, they're working through a lot of the card stocks. So everything in the United States is going to be chip and PIN here pretty soon. So they have the next liability shift that's coming up in 2017. So. And that's what makes this a next gen talk. Actually I converted this ATM machine over to EMV. So which I'll go into a little bit of details here. So a tour of the actual distribution system. So I have an actual blockchain design that I imagine that the, it actually makes it possible, you know, it's not actually an ATM machine. It's actually a blockchain. It's actually a system for enabling people but it shows the capabilities of the extent that the bad guys are actually going to go to when they actually start trying to sell these transactions. Because the static data, everybody's seen the carder forums and things. I'll get into greater detail later about that. So. And let's see here. So I'm going to look at the communication back end. What the actual banking portion is running on. Things like that. I'm going to introduce you to La Cara. It's the automated cashout method. And I'm going to go over the demo which is, I'll go in great, great detail. It's actually going to just jackpot on stage. So, and yeah, so basically what is EMV? It was integrated in the early 80s in France and it's Europay MasterCard Visa and it's a little chip and PIN card. The actual EMVCo is the one that actually monitors the standards for those. So yeah, it replaces the magstripe card which has been around since the 1940s. So it's a little old. It could have participated in World War II. So it's pretty old. 
Liability shift actually on gas pumps, which is the bad guy's favorite shimming and skimming spots, is actually going to be coming up here in 2017 for gas pumps and point of sale systems, or the gas pump and ATM machines. So that's why I thought this talk was due. I'd like to give the good guys a little bit of time to actually, yeah, fix some of these issues before they're actually used in the wild. Because as soon as the magstripe data is cut off, they're going to have about $40 of value soon. And what actually led me to this research is I have a ton of scripts that I have a, that I've been working on for a long time. I've been working on a bunch of scripts that are running online and they're actually monitoring BIN numbers and some of the bank identification numbers that are for sale. So if there's a larger breach in, say for example, like Bismarck, North Dakota or something like that, it'll, you know, it'll show that there's high validity or they have a lot of cards for sale in the North Dakota area, which I'll show you. And this is kind of how they offer it now. It was one of the biggest breakthroughs that happened in carding history in the last little bit was pretty much over the last four or five years, people have been able to literally filter by your area code. Like I live in Bismarck, North Dakota and these are all, uh, credit card transactions that wouldn't raise any suspicion if I was the bad guy. So that's like one of the bigger things that hit the, this is how it evolved. Like before it was, you know, you didn't know if you were buying an Austin, Texas credit card or the bad guy didn't know if he was buying a, a bad credit card. So, where it would get flagged for suspicion, so. 
So I actually took a, kind of an approach on what I imagined some of the next generation sales methods would be and, uh, how people would actually be able to sell EMV transactions and, um, some of the, uh, RFID and actually, uh, the old client, the old classic track one, two and three data. And, uh, as you guys have probably seen, um, they have professionally made shimmers out there now. Like a lot of them actually have like serial numbers and stuff on them. So, they are actually being professionally produced and, uh, that's something that, uh, yeah, this is pretty much going to take a little bit of a glimpse into the actual, uh, what I imagine future carder sites would look like. Uh, being able to sell the EMV transactions which aren't static, static data. So they're not something where you can buy it and use it in a week and a half. It's literally, uh, as you'll see on the next page here, it's actually the carder site of the future. So, it has actually complete with spelling errors. So, and yeah, you can basically, uh, just select which FEMA region you're going to be in and, uh, automated. If it's going to be automated portion, you can push some additional commands. And the actual time zone, uh, it's going to go into setting the fraud SMS system. So that's like something where you can, uh, say for example, if on the cash out ATM, if people wanted to block the SMS messaging and things like that because some of the banks will send the confirm messages and stuff like that. So, uh, there's a lot of, uh, actual attack surface that people can do with these. So. And, uh, you can basically put in two passwords and I'll go into a little bit of detail what those actually do later on in this transaction. And, uh, yeah. And I trust that this will make a lot more sense once I actually show you guys the blockchain. So, yeah, you're basically not buying static data anymore. 
You're buying access, or the bad guys are actually buying access to a network of shimmed devices where those devices are passing the information off to the cash out ATM. So. And here's how it works actually. So that person that was going through the bad carder site, so Mr. Bad Guy comes onto the page, uh, picks which minute he's going to be doing, uh, standing at that ATM. And, uh, you just, he has to select what time zone he was in and some other things. And it'll actually, uh, with one of those two passwords that he did, he'll be able to put in a delimited character where it'll be able to pick out where that transaction is. So that you're getting a blockchain. Every single fraudulent transaction that is going on in this shimmed network, um, I have, there's like 150,000 bank accounts, uh, that are simulated on this back end. And, um, there's a credit processor portion where all the credit is going to go to the fraud flags are held and things. So it will actually go through the transactions here in a little bit. So this is actually going to pass off into the blockchain pretty much all of the 35 devices that is feeding this ATM machine. So, uh, since the 27th of last month, I've actually had a lot of transactions going on. So there's little sims that are basically doing purchases. And it's learning what a natural environment looks like. And it actually, uh, the initial time when I ran it, it, uh, shut down after seven transactions because I only had 150 accounts. So it actually has the fraud, uh, the fraud flags in place to actually shut it down. So. And basically, so after you put the password in, it's actually going to go into, uh, giving you the character information you need to initiate the tunnel, uh, for the fraudulent back end. So when the bad guys are connecting, they actually get DES keys that allow them to actually talk to the entire fraud back end. 
So, and this is, um, yeah, this is the first time that they'd be able to monetize this in a, in a live scenario. So. And the information received, so they get the tunnel before. So they're connecting to the tunnel and authenticating to the fraud network. Uh, pretty much the same way that the ATM has DES keys that talks to the gateway processor that talks to the banking back ends. So without the DES keys, this, uh, ATM cannot talk to my, uh, gateway processor network that I've set up. And then also the banking back end or any of the bank accounts. So that's something where, uh, your basic, basic information is going to go over the info type, quality of the actual shim device. So if it's one of the more trusted sources, um, where people paid more, they'll get more preferential treatment on the actual shim device. Or the actual blockchain. So, yeah, so basically, uh, other than that, you're going to get your tunnel ID information and then you're going to get PIN information. And, uh, this, this device is actually automatically putting in PIN information, which is, uh, one of the, the last ways that it's actually possible to, uh, jackpot, uh, additionally. 'Cause, um, like Barnaby Jack, uh, was, did some great research, made it a lot easier for people like me to be able to present, uh, uh, flaws in ATMs and things like that without being arrested or questioned by law enforcement. So that's something where, you know, like, you can, you know, a lot of the front runners, um, his was actually a hardware attack where it actually attacked the firmware, just told it to spit the actual, uh, money out. So that's something where this is a little bit different research. So. And yeah, so basically, as you can see, the connection information is before your actual transaction in the blockchain. So. And what kind of information can be sold on these carder sites? 
Um, so there's basically static magnetic data and track one and two and three data. That's the classic data that's being sold right now. There's EMV, DDA, which is the dynamic, uh, authentication, which I think are some of the newer cards. Um, if you got like one of the cards like three years ago, four years ago, some of those had a lot more static information on them. And, uh, some of the newer card stocks that banks are going through are the new, these new two, two transactions. So some of the issues that were, you know, spoke of in the past were actually fixed a little bit. And, uh, some of them were, were still available. So some of the newer, uh, cards are still susceptible to these attacks. And, uh, there will be some RFID stuff. So not the RFID in the sense of like the Apple Pay and the Google Pay. Uh, it's actually the, uh, cards where you can click them and stuff like that. Those, some of those will be able to be, would be able to be sold on a fraudulent network. So. And, yeah, it actually, the, this device will, if they're not, uh, I put a couple cards in there and I removed them for demo purposes. But, uh, that were like specifically only for food or things like that. So it'll reject cards onto the network that are just set for flags that say it can only be used for food or gas. So. And, uh, aside from the card actually being passed off, it'll also pass off the PIN and the ATM limit. And that's one of the things that, uh, while I was going through this, I was going around some of those carder sites. I was, uh, collecting a lot of research. And there was lots of, um, PANs. Uh, they were collecting the actual PAN information. So the account numbers and the BINs, which are the bank identification numbers, they were collecting the amounts that were most likely their point of sale limits and then some of their ATM transactions. 
So it's something where they were looking to see how much these actual accounts they could get out of them so they'd know what to mark them up to. But it's also, uh, any time that they would compromise a card, uh, using like a Lebanese loop or there's other devices where they would get them stuck in the ATM and come back for them. Um, they were most likely, you know, taking these cards and looking at the actual flag details. So they're collecting all this information from the banking networks. And that's what led me to believe that, uh, eventually they're going to be going after EMV transactions. But why would they do it now? Because they have all this low hanging fruit of all these magnetic card data. So. Anyway, here's in a nutshell what is happening. You have multiple shimmed devices and they're passing off to one device. So this doesn't have to be in a huge blockchain. Uh, that was the method that I saw is where bad guys would be able to monetize this again. And it's because of some of the latency, uh, that is introduced into the actual process. Um, there's limitations with the, especially the, uh, backbone for fiber inside the United States. There's some methods where they could, uh, actually be able to do online processing all the time. And some of the weaknesses that are in these actual protocols that were exploited, uh, won't be able to be fully turned on for a couple of years due to limitations on actual communication networks. So. But, uh, basically think of it as, you know, if one bad guy actually poisoned four, uh, ATMs or point of sale systems, they'd be able to, uh, relay those, uh, EMV transactions to the other transactions into the actual, uh, ATM. So. And here's the most likely method that the data gets sold. Uh, so basically you have leased gear. So there's people that would be mules for these organizations. And they would be, you know, installing these shimmers driving across the United States. And then you have the, uh, fraudulent employees. 
Uh, pretty much the same methods that they're using now. Uh, you have the independent small breaches, things like that. Where they're, they're, uh, fed into a small carder site. And, uh, those were the ones where, you know, the smaller organizations were able to, you know, sell the data. Uh, and then, uh, people are actually able, you know, there's like a five person crew going around the United States, you know, cashing out that way. So. And when they have unused transactions, they're actually able to pop them into the main carder sites. And that's kind of the same way it works now, except for they're, uh, able to do it with these live EMV transactions. And like it's saying, it can't be held as static data. It needs to be used within a certain time frame. And, uh, it needs to match some of the flags that it has coming over the top of it for when the, uh, transaction's actually initiated. So. Yeah. And so basically this is what happens. Uh, yeah, some people ask me if it's actually cloning the card. It's actually not. It's, uh, what it is, is it's basically intercepting after a certain portion. Uh, initially it's just using the actual power from the point of sale system. And after that point, uh, once it gets the transaction actually started, which I'll go through the actual, uh, process, then we'll get into the actual mechanics behind this and the actual, uh, shimmers. So. So basically it holds for round two. Uh, once it's, uh, started the initial process, it uses the power to actually power the skimmer or the shimmer and the actual, uh, wireless inside the device. So the actual stage one transaction, once it's passed off to the ATM machine, they just did the $38 point of sale transaction and the, uh, $1500 ATM withdrawal happened without them even being the wiser. And they didn't touch each other's limits because there's point of sale and ATM. So. And like I said, this is not cloning the card. 
And, uh, there are four stages of the EMV transaction. It's being released into the tunnel and it is literally, imagine it as an extension to the actual ATM. So, uh, the cash, uh, the cash out device, uh, basically regurgitates the exact same information that is sent from the shimmed point of sale system. And I will go into a little bit more detail about some of the ways to actually capture PINs. Uh, you guys have seen a lot of them in the wild. Um, for example, uh, there's PIN overlays. I have a new one that's actually pretty, pretty decent here. So. And, uh, the actual point of sale limit is shimmed. And that won't, uh, count once again against the ATM limit. So. Uh, they actually have different process portions that they're talking to about authentication. So it's a little bit harder to catch some of these transactions also. So. And, uh, here's a, a little bit of the pictures of some of the skimmers and shimmers that were, uh, caught in the wild. The one up on the left actually was used for some downgrade attacks for some banks that had improperly, uh, integrated EMV. And, uh, some of the other ones are some of the, uh, phone parts and things like that that I actually used to build some of the shimmers that I was actually doing for my proof of concept. So. And yeah, just your general point of sale system. So. And, uh, yeah. Cash out device stand alone. So, yeah. Uh, this is meant to be like an out of service ATM. It's supposed to be something that, uh, you know, normally you wouldn't want it to fly out everywhere on the street. But it's something where you would want to, you know, catch it and have it doing after hours if it, if you were a bad person, of course. And it's something that, uh, I, uh, the original concept that I had, um, was just like a huge fascia on the actual ATM. And it would catch all the money and stuff. But it's much better if it's just flying out of the bottom. So. And, yeah. And I'm going to go into the actual cash out stand alone. 
I'm going to go through this. Uh, this is something that people were wondering about because it's, uh, yeah, there's foreign object detection on a lot of the new ones. Um, I found several ways to actually deactivate a lot of that stuff. And, uh, some of the newer devices, uh, inside the next generation ATMs. So that's something that I'll go into a little bit more detail here. And basically this is like the stand alone device. You just literally need a cell phone and a, or the bad guy only needs a cell phone and a credit card that can impersonate some of the other EMV transactions. So basically once this device is actually, uh, plugged into the machine it'll start replicating a lot of the information that they're getting from their blockchain. So pretty much all they need is a wireless internet connection and, uh, an ATM that accepts, uh, yeah, EMV transactions. So. And I'm going to introduce La Cara, which is, uh, roughly translated, the face. So. Because everything sounds more menacing in Spanish, doesn't it? So. But, yeah, I know, uh, why would somebody want to automate something like this? Um, yeah, people are untrustable. As you can see, uh, this was off of, uh, a couple guys' Twitter feeds that got busted. Uh, they were doing a cash out run. Yeah, this is, uh, this is, uh, this is not, uh, conspicuous at all. So. Yeah, so the cash out crews, they were bragging about it on social media. Uh, yeah, when busted, humans get busted, they rat out. And, uh, machines usually don't have Twitter accounts. That's, like, one of the most positive things for the bad guys. So. And I wanted to go with a DEF CON theme this year, which was, uh, rise of the machines. Like, immediately after Jeff told everybody what the theme was for the next year, I was like, I'm going to make an ATM machine that can do its own, like, fraud. It'll be a beautiful thing. So. And, uh, yeah. 
So going along with the theme, uh, like I was saying, there is the standalone, which will be more practical, and what I actually imagine the bad guys using in the wild. So. And LaCara does have its own Twitter account, actually. So. And I was actually going to broadcast the, the, uh, uh, simulated and emulated, uh, uh, banking backend transaction data. I didn't have time to set all that up. And I doubt that anyone would have watched a bunch of numbers fly across Twitter when I thought about it in hindsight. So. But, yeah, it would have shown a lot of how the staging works and, uh, how, what'll happen if, like, two transactions are kicked into the blockchain, how they take priority and a lot of that information. So. So, yeah. Uh, that guy smiling like a child inside the reflection of that ATM screen is me. Uh, that's last year after DEF CON, I actually bought an ATM machine and started doing some research. And, uh, everybody asks me, including the press person who violently ripped the, heh, LaCara off there. What's behind there? And, uh, it's actually two Arduinos controlled by Raspberry Pi controlled by an Android. So there's a lot of computer components. And it's, uh, basically a bunch of servos, uh, that are entering the, uh, transaction amount. So it'll say how much money it wants to take out. It'll actually enter the pin number. It'll accept it. It'll say no receipt. And then it'll go on to the next transaction. So there's a bunch of little baby robot fingers inside there, just pushing buttons and making money come out. And the actual card is actually plugged into the Raspberry Pi and that does all the modulation and, uh, the actual data processing for the card. So that's how the actual EMV card, when it gets impersonated, it needed something to do with the card. And, uh, that's how the actual data processing works. It's a little more beefy than an Arduino. But as far as for, uh, controlling the robot fingers, that was pretty much, uh, what it came down to. So. 
And this could be a removable device. Like where if somebody didn't want to, uh, uh, like I was saying, they would most likely want to make it something that pops on quick. That, uh, yeah, is not made out of fiberglass. And, uh, and I'm actually gonna go through some of the process of how, yeah, for some reason, you know, you send, uh, I have a couple buddies that do 3D printing and you start sending them ATM parts and, uh, they quit answering your emails. So. So that's something where pretty much I was like, okay, I'm gonna do this the good old fashioned way. You know, like I used to do a lot of auto restoration when I was little. How hard could this be? So. Yeah, I basically, uh, covered it in plastic, made a buck mold and a plug mold. And then I, uh, just put the, you know, fiberglass, uh, yeah, the fiberglass on the front of it. And, yeah, this is actually nasty ATM is the name of that, uh, color of gray. So. And it could've been a little bit closer match. But, yeah, you get the gist of it. It's an out of service ATM. It wouldn't rise any suspicion. Uh, my actual branch ATM, the bank that I work, or the bank, I don't work at a bank. Uh, I don't work at a bank. Uh, I work at a rapid seven. But, uh, but the, uh, bank that I actually bank at, uh, their ATM was down for two days. And I was the first person to tell them. So. It's not something where an out of service ATM will rise any suspicion. So. This is, uh, yeah. So basically, uh, it's a Swiss Army knife. So this is one of the first keypads that I actually started training my Arduino system on. So. And, uh, yeah, then I started, um, working into some of the more advanced methods. Like some of the things that aren't even out yet. And will only be integrated once the United States finally catches up to a lot of the other countries. They'll be able to turn on a lot of these mechanisms. Because I've been doing this for a long time. I've been doing this for a long time. 
So I didn't want to just inject magnetic card data, uh, using like a mag spoofer like Samy Kamkar has. Like that's an amazing device. And, uh, that man is a brilliant genius. I just want to give him props for I do use mag spoofer on this one and several other ones. So. Oh, yeah. So. And there's one up in the corner. Uh, they're basically a little thing that can speak to the magnetic heads in the readers. But it's a very, very cool, uh, video to watch if you guys haven't seen it yet. So. But basically, uh, what I start, one of the other devices I started out with, uh, just to see if this was, uh, possible. You know, because it's one thing if it's a theory. And it's another thing when you can actually do it. And it's another thing, you know, when you're able to do it wirelessly in a room. And it's another thing when you can bounce it off a VPS up in Toronto. So. Like that kind of latency compared to, you know, what's in a room. And what's actually allowed by the standards. Um, they actually, you know, planned for a lot of that stuff, uh, to actually be stopped. So. But, yeah. Uh, building your own banking backend. So that's, uh, a lot of the actual systems. Like I was saying, uh, there's been, since the, uh, I think it's the 17th or the 27th of last month, I've been doing, uh, a lot of these transactions. And they're actually, uh, you know, they're, uh, they're, uh, they're actually doing EMB transactions. Um, like I said, there's 15 bank financial institutions. And it's over, uh, 150,000, uh, bank accounts. So those all are signed with, uh, card stock. Um, and they actually have, like, a physical attachment to them. So anytime that a card is, uh, simulated into the reader, it's gonna check with the bank the exact same the real networks would. It's gonna flag it for fraud. Uh, if I had, like I was saying, when I had 150 accounts, after 7 accounts I got, uh, flagged for fraud because it was unusual suspicion and it was some of the natural. 
settings on the banking network. But now that I have 150,000 accounts, it, uh, opened up to a lot more attacks, uh, since I was gonna be doing several demos. So. And each, like I was saying, each one of these is, uh, this, this is signed with DES keys. Uh, so say for example if I get flagged for fraud, this will kick me off of my, uh, gateway processor and I won't be able to talk to my bank accounts. So that will end the demo. So. And I wanted to make it a little more real world because I just didn't want it to, you know, be like a, uh, a bad simulation. Like this one actually has some of the field, uh, information where you can actually, uh, set some of the flags. And, uh, yeah, it, uh, initiates the risk just like it would with any other transaction. So. And, uh, the skimmer is, uh, generated, uh, yeah, it's, it's generating everything it's signing on with. So. And, yeah. So here's the EMB transaction. So, uh, this is in a nutshell. This is not, uh, it literally took 1438 pages for me to fully understand it. So, this is, uh, my two PowerPoint presentation example of that. So. It's basically gonna be, uh, the card is read by a point of sale terminal. Talks to the acquirer, which is, uh, a network which talks to the bank. And that's validating that the card's legitimate, that the bank accounts are legitimate, and that the device, the point of sale system, or the actual ATM system is actually allowed on the network. So. That all that process is going on in the actual transaction. And basically on step two is when this, uh, actual attack happens. It gets passed off to, as you can see in that little green area there, it's actually getting passed off to the, uh, ATM machine here. So. Uh, imagine, uh, there should be technically about 3.1 transactions getting shot at this ATM, uh, every time because of the size of the ATM. Uh, the size of the network and the blockchain. It is the only cash out device on the blockchain, so it takes priority. 
And it should be, uh, getting non-stop transactions after I pop on the actual, uh, Likara system. So. And, yeah. Uh, how will you capture the pin? You have the chip. That's like one thing that's half the battle. I was looking into some of the actual features, uh, for some of the next generation ATMs and, uh, they can actually change the pin on the fly. Uh, and some of them are unentry, uh, unencoded, or, uh, actually unencrypted. So, uh, there's the pep- methods of the past. There's the pinhole cameras that have been around for literally probably 12 or 13 years. Uh, there's the pin overlays. You'd be able to automate that. Uh, kind of the same way, uh, as, um, uh, the actual version that I have simulating the actual pin numbers here is, uh, based on, uh, OpenCV, which I will go into in a second here. So. And unencrypted pin traces. So if it's actually reading straight mechanical data, it'll be able to grab the pins that way also. And, uh, this is actually the method that I came up with because I was like, I want a way to 100% automate it. So I was like, I want a way to 100% automate it. So I actually got a, a keypad, then I, uh, sprayed some 3M glue on it, and then I put a bunch of iron oxide, like very small pieces of metal, because I wanted to be able to get past the foreign object detection, you know, in this simulation. So that's something where I basically put a little, uh, little radio on the bottom of it and went through the actual key cycles. And it actually, uh, basically has a different peak for each one of the keys, threw it into OpenCV, and now it's watching for those peaks. And, uh, depending on the actual peak and the pitch on the peaks, it'll actually, uh, tell you basically what, what key was pushed. So that was kind of like, you know, in addition to some of the overlays, which would be automatable, uh, it was something else that I kind of wanted to, yeah, go into other ways of pin capturing. 
So, and that one was one that I hadn't seen before, and I loved playing with software defined radios. I got a Edis N210 at the beginning, like right around Christmas time, and I felt like an 11 year old again. So, if you guys aren't playing with software defined radios, you definitely should be. So, they're amazingly fun, so. And yeah, so, uh, aside from probing some of the networks, they're actually going to go into, uh, the actual network and card settings. Um, they're looking at what the, like I said, they're collecting tons of data. They're setting, uh, they're, uh, the bad guys are actually collecting, you know, what the, what flags are set. Like, what, uh, you know, what, uh, limitations for per country. Like, what the actual attack surface will be once the actual mag, mag strip data dries up. So, and this is kind of the direction that I saw, uh, the bad guys going with this, so. And branch ATMs versus, uh, on net, on network ATMs. Um, anybody who's ever, you know, tried to get $500 and had to do it in two transactions? That's an off network ATM. They like to, uh, get some of the extra fees. It's just a little bit more risky. So they, uh, break them down into several transactions. And the on branch ones are like the actual ones that are inside of the actual, uh, banks and stuff like that. And I've, you know, personally I think I've taken out like, uh, you might have to adjust your point of sale limit, but you can take up to like two, $3000 at a time from some of them, depending on your, uh, years with your bank and things like that. But some of the off branch ones are obviously not the ones that would be attacked, so. And also this, uh, that was one of the first things I did after I bought my ATM is I actually converted it, uh, to EMV. So that, uh, is one of the only modifications, uh, done to the actual, uh, circuit board is it has the more advanced firmware that can handle the EMV compared to the actual old credit cards, so. 
And yeah, uh, Chinese and Japanese ATMs, uh, they literally have like $10,000 limits in some cases. So there are, uh, I think, uh, I forgot what the actual number was, but I, uh, yeah, there was several hundred that, uh, across the world that actually have $10,000 plus limits, so. And they're in limited portions, but, uh, most of them are in Japan and China, so. And yeah, uh, as 2017, uh, I think this will, it's, uh, it's one of the, some of the most important things coming around, um, shimmering of point of sale systems. Uh, obviously they're gonna go for things that don't have a lot of foreign object detection. That's something that, uh, yeah, it'll put an end to a lot of that, so. Uh, how about putting EMV up in early? What's, uh, like if it don't have that piece of paper that whoever they put on it, like you know, don't stick card in, no chip, or whatever, like, we put our card in there, and it literally takes almost an eternity is what it feels like. So that's one of the things where we want it to be uninterrupted. And yeah, you can basically take your point of sale limits and yeah, it's going to be one of their favorite things to actually most likely do the same way that they do now. Like a majority of the actual cards that were skimmed are from the actual gas pumps. So yeah, I'd just like to give special thanks before I kick off the demo and then I will answer some questions if anybody has questions, which they should have a lot of them. So I'm going to give a shout out to my wife, my kids, Jesus, Barnaby Jack, Samy Kamkar, a ton of the Cambridge guys. They did a really, really good job. I got a lot of buddies with some of the Arduino issues. I like to nest code sometimes and they helped me fix it. So yeah. And I'm going to go over the transaction because I'm $1800 short from my Black Hat demo.
So as you can see on the bottom, Benjamin Franklin is puckered, puckered lips. So it is not real money. So, and basically what I'm going to go through, this thing is loaded at $50,000 in fake, it's not fake money, it's not fraudulent money, it's actual for motion picture use and it has written all over it. I mean it looks pretty good from 10 feet or from wherever you're sitting in the crowd, but it actually, you can tell from the bill on top, it's not real. So, and it's going to grab the PAN number and the BIN number and actually go off if it's a $500 to $900 per transaction. So it's going to most likely go anywhere from zero to 60 transactions before it's actually either shut down for fraud or runs out of money. So, and the transaction time is going to take about 18 seconds. I'm going to kick off the demo here and I will start answering questions. And yeah, it's going to enter the PIN and so basically, with the Arduino, I needed to get it to a known state. So I need to make sure that it's on the right screen and then I can kick it off and it'll actually start pumping transactions and it'll pump out different, based on the actual account number that comes into it, it'll actually pop out a different set of money. So, and hopefully I don't fall off stage. So. Awesome. We're jackpotting them. So. Woo. And I was scared my ATM demo was going to blow up and the AV stuff went crazy there at the beginning. So. But yeah. As you can hear, it sounds like rattlesnakes. Those are little Arduino servos actually entering the PIN number. So. And hopefully the money is coming out good. So. But yeah. Does anybody have any questions? If you want, you can come up to the microphones. Some of this is very, very ridiculous and you have to read about 1,400 pages of some stuff, but I will explain it to the best of my ability. If anybody has any questions, I'll also be on stage. I just want to thank you all for coming. So. Thank you. Thank you.