A number of ATM skimmers sold in the digital criminal underground are made out of MP3 components.
As security analyst Brian Krebs notes, using audio to capture credit and debit card data is hardly a new technique, although it is becoming quite vogue.
For example, Square, a credit card reader built for the iPhone, works by plugging into the headphone jack on the iPhone and converting credit card data stored on the card into audio files.
According to Krebs, the device pictured above is a skimmer designed to fit over the acceptance slot on the common Diebold Opteva 760 ATM.
“The green circuit board on the left was taken from an MP3 player (no idea which make or model),” he explained.
“When a card is slid past the magnetic reader (the small black rectangle at the end of the black and red wires near the center of the picture), the MP3 player ‘hears’ the data stored on the card’s magnetic strip and records it as an audio file to a tiny embedded flash memory device.”
The card skimmer is packaged with a false panel that fits on top of the ATM. The panel is equipped with a miniature video camera that records victims entering their PIN when the card skimmer slot is activated.
The audio skimmer boasts an approximate street price of $1,500, which is payable via virtual currencies like WebMoney and Liberty Reserve. However, there is a catch: audio files recorded by the device are encrypted. Meaning, any would be cyber criminal must also purchase the skimmer maker’s decryption service, as it decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.
“In fairness, the seller does note in the fine print that third party software is required to decrypt the audio files, and [confirms] he is working closely with another partner for this service,” said Krebs.
“That partner is [another] fraudster who will decrypt the audio files in exchange for 20 percent of the stolen card numbers and PINs.”
