So, yeah, you guys all showed up for basically us setting up the AV stuff pretty quick. And yeah, this is next-gen hacking ATMs. So I'm going to jackpot this little baby. It has $50,000 in it. So it should be shooting all over the floor in a little bit. And yeah. So yeah, I'm a senior engineer. Been doing pen testing for about 11 years. I speak a lot. Spoke a lot at DEF CON. This is my third year in a row at DEF CON. So I just love the conventions, love meeting the people. And I spoke at HOPE, TakeDownCon, tons of other events. And I did a lot of reverse engineering. I'm doing a talk later this week on the demo labs on some software that actually makes computers immune to ransomware. So I don't only do terrible things to ATMs, I also try to make protections too. And I did a lot of hotel hacking. It's going to be on also later this week on Sunday. If you want to make sure your talk's on the last day of the week, make sure you do it on hacking hotels. So. And yeah, safety first. I drove an ATM machine about 1900 miles from Bismarck, North Dakota to Las Vegas, Nevada. And I had, once again, I had an ATM machine and a bunch of skimmers, shimmers, everything you can imagine. So that was one of the things I took safety first and actually didn't push the firmware on the devices until I actually got to my hotel room at Mandalay Bay because I did this at Black Hat also. So that's something where I like to take a little bit more safety precautions just when you're moving those things because I know in the past, a lot of people have accidentally forgot them in airplanes or had their vehicles broken into. So I just did a little bit more due diligence and yeah, just thought that was kind of neat. I wish more people would do that because some of these things, they fall into the wrong hands. It's kind of scary to imagine what people would do with them. And yeah, I'm going to go over the actual attacks on the EMV. Some of them are standards-based.
Some of the things are things that weren't fixed in the past from some of the talks previously. So hopefully you guys have a little bit of understanding at least what the chip-and-PIN cards are. If you bank somewhere where they still have the mag stripes, I would maybe take a consideration into changing that. And yeah, they're working through a lot of the card stocks. So everything in the United States is going to be chip-and-PIN here pretty soon. So they have the next liability shift that's coming up in 2017. And that's what makes this a next-gen talk. Actually, I converted this ATM machine over to EMV, which I'll go into a little bit of details here. So a tour of the actual distribution system. So I have an actual blockchain design that I imagine that it actually makes it possible. You know, it's not actually enabling people, but it shows the capabilities of the extent that the bad guys are actually going to go to when they actually start trying to sell these transactions. Because the static data, everybody's seen the carder forums and things they'll get into greater detail later about that. So, and let's see here. So I'm going to look at the communication backend. What the actual banking portion is running on, things like that. I'm going to introduce you to La Cara. It's the automated cash out method. And I'm going to go over the demo, which is going in great detail. It's actually going to just jackpot on stage. And yeah, so basically, what is EMV? It was integrated in the early 80s in France, and it's Europay, Mastercard, Visa. And it's a little chip-and-PIN card. The actual EMVCo is the one that actually monitors the standards for those. So, yeah, it replaces the Mastercard, which has been around since the 1940s. So it's a little old. It could have participated in World War II. So it's pretty old.
A liability shift actually on gas pumps, which is the bad guy's favorite shimming and skimming spots, is actually going to be coming up here in 2017 for gas pumps and point of sale system, or the gas pump and ATM machine. So that's why I thought this talk was due. I'd like to give the good guys a little bit of time to actually, yeah, fix some of these issues before they're actually used in the wild. Because as soon as the magstripe data is cut off, they're going to have about $40 of value soon. And what actually led me to this research is I have a ton of scripts that I have running online, and they're actually monitoring BIN numbers and some of the bank identification numbers that are for sale. So if there's a larger breach in, say for example, like Bismarck, North Dakota, or something like that, it'll show that there's high validity, or they have a lot of cards for sale in the North Dakota area, which I'll show you. And this is kind of how they offer it now. It was one of the biggest breakthroughs that happened in carding history in the last little bit, was pretty much over the last four or five years people have been able to filter by your area code. Like I live in Bismarck, North Dakota, and these are all credit card transactions that wouldn't raise any suspicion if I was the bad guy. So that's like one of the bigger things that hit the, this is how it evolved. Like before it was, you know, you didn't know if you were buying an Austin, Texas credit card, or the bad guy didn't know if he was buying a bad credit card. So where it would get flagged for suspicion. So I actually took kind of an approach on what I imagined some of the next generation sales methods like EMV transactions and some of the RFID and actually the old classic track one, two, and three data. And as you guys have probably seen, they have professionally made shimmers out there now. Like a lot of them actually have like serial numbers and stuff on them.
So they are actually being professionally produced and that's something that, oh yeah, this is pretty much going to take a little bit of a glimpse into the actual, what I imagine future carder sites would look like, being able to sell EMV transactions or something where you can buy it and use it in a week and a half. It's literally, as you'll see on the next page here, it's actually the carder site of the future. So it has actually complete with spelling errors. And yeah, you can basically just select which FEMA region you're going to be in and automated. If it's going to be automated portion, you can push some additional commands and the actual time zone. It's going to go into setting the fraud to SMS system. So that's like something where you can see if people wanted to block the SMS messaging and things like that because some of the banks will send the confirm messages and stuff like that. So there's a lot of actual attack surface that people can do with these. And you can basically put in two passwords and I'll go into a little bit of detail what those actually do later on in this transaction. And yeah, and I trust that this will make a lot more sense once I actually show you guys the blockchain. So yeah, you're basically not buying static data through a network of shimmed devices where those devices are passing the information off to the cash out ATM. And yeah, here's how it works actually. So that person that was going through the bad carder site, so Mr. Bad Guy comes onto the page, picks which minute he's going to be doing standing at that ATM and he has to select what time zone he was in and some other things. And it'll actually with one of those two passwords that he did, he'll be able to put into a limited character where it'll say you're getting a blockchain. Every single fraudulent transaction that's going on in this shim network, I have like 150,000 bank accounts that are simulated on this backend.
And there's a credit processor portion where all the fraud flags are held and things. So it will actually go through the transactions here in a little bit. So this is actually going to pass off into the blockchain pretty much all of the 35 devices that is feeding this ATM machine. So since the 27th to last month I've got a lot of transactions going on. So there's little sims that are basically doing purchases and it's learning what a natural environment looks like. And it actually, the initial time when I ran it, it shut down after seven transactions because I only had 150 accounts. So it actually has the fraud flags in place to actually shut it down. So, and basically, so after you put the password in, it's actually going to go into giving you the character information you need to initiate the tunnel for the fraudulent connecting, they actually get DES keys that allow them to actually talk to the entire fraud backend. So, and this is the first time that they'd be able to monetize this in a live scenario. So, and the information received, so they get the tunnel information before, so they're connecting to the tunnel and authenticating to the fraud network pretty much the same way that the ATM has DES keys that talks to the gateway processor, that talks to the gateway processor network that I've set up, and then also the banking backend or any of the bank accounts. So that's something where your basic information is going to go for the info type quality of the actual skim device. So if it's one of the more trusted sources where people paid more, they'll get more preferential treatment on the actual blockchain. So, yeah, so basically other than that you're going to get your tunnel ID information, then you're going to get PIN information.
And this information, which is one of the last ways that it's actually possible to jackpot additionally, because like Barnaby Jack did some great research, made it a lot easier for people like me to be able to present flaws in ATMs and things like that without being arrested or questioned by law enforcement. So that's something where a lot of the front runners, his was actually a hardware attack where it actually attacked the firmware, just told it to spit the actual money out. It's a different research, so. And yeah, so basically as you can see the connection information is before your actual transaction in the blockchain. And what kind of information can be sold on these carder sites? So there's basically static magnetic data and track 1 and 2 and 3 data, that's the classic data that's being sold right now. There's EMV, DDA, which is the dynamic authentication, which are some of the newer cards. If you got like one of the cards like that on them, and some of the newer card stocks that banks are going through are these new two transactions. So some of the issues that were spoken of in the past were actually fixed a little bit. And some of them were still available, so some of the newer cards are still susceptible to these attacks. And there will be some RFID stuff. So not the RFID in the sense of like the Apple Pay and the Google Pay. It's actually the cards where you can click them and stuff like that. Some of them would be able to be sold on a fraudulent network. And actually this device will, if they're not, I put a couple cards in there and I remove them for demo purposes. But that were like specifically only for food or things like that. So it will reject cards onto the network that are just set for flags that say it can only be used for food or gas. And aside from the card actually being passed off, it will also pass off the PIN and the ATM limit. And that's one of the things I've been doing a lot of research. And there's lots of PANs.
They were collecting the actual PAN information. So the account numbers and the BINs, which are the bank identification numbers, they were collecting the amounts that are most likely their point of sale limits and then some of their ATM transactions. So it's something where they were looking to see how much these actual accounts they could get out of them so they know what to mark them up to. But it's also anytime that they would compromise a little bit, they were likely taking these cards and looking at actual flag details so they're collecting all this information from the banking networks. And that's what led me to believe that eventually they're going to be going after EMV transactions. But why would they do it now? Because they have all this low-hanging fruit of all these magnetic card data. And here's in a nutshell what is happening. You have multiple shimmed devices and they're passing off to one device. So this doesn't have to be in a huge blockchain. It will monetize this again. And it's because of some of the latency that is introduced into the actual process. There's limitations with the, especially the backbone for fiber inside the United States. There's some methods where they could actually be able to do online processing all the time. And some of the weaknesses that are in these actual protocols that were exploited won't be able to be fully turned on for a couple of years due to limitations on actual communication networks. But basically think of it as ATM or point of sale systems. They'd be able to relay those EMV transactions into the actual ATM. So. And here's the most likely method that the data gets sold. So basically you have leased gear. So there's people that would be mules for these organizations and they would be installing these shimmers driving across the United States. And then you have the fraudulent employees, pretty much the same methods that they're using now.
You have the independent small breaches, things like the small carder site. And those were the ones where, you know, the small organizations where people are actually able, you know, there's like a five person crew going around the United States, you know, cashing out that way. And when they have unused transactions they're actually able to pop them into the main carder sites. And that's kind of the same way it works now except they're able to do it with these live EMV transactions. And like it's saying, it can't be held as static data. It needs to be used and it needs to match some of the flags that it has coming over the top of it for when the transaction is actually initiated. So, yeah. And so basically this is what happens. Some people ask me if it's actually cloning the card. It's actually not. It's what it is. It's basically intercepting after a certain portion. Initially it's just using the actual power from the point of sale system. And after that point, once it gets the transaction actually started, which I'll go through the actual process, then the actual shimmers. So, basically it holds for round two once it's started the initial process. It uses the power to actually power the shimmer or the shimmer and the actual wireless inside the device. So the actual stage one transaction, once it's passed off to the ATM machine, they just did the $38 point of sale transaction and the $1,500 ATM withdrawal happened without them even being the wiser. And they didn't touch each other's limits because there's point of sale. And like I said, this is not cloning the card. And there are four stages of the EMV transaction. It's being released in the tunnel and it is literally imagine it as an extension to the actual ATM. So the cash device basically regurgitates the exact same information that is sent from the shimmed point of sale system. And I will go into a little bit more detail about some of the ways to actually capture PINs. You guys have seen PIN overlays.
I have a new one that's actually pretty decent here. And the actual point of sale limit is shimmed. And that won't count once again against the ATM limit. So they actually have different process portions that they're talking to about authentication. So it's a little bit harder to catch some of these transactions also. And here's a little bit of pictures of some of the skimmers and shimmers that were caught in the wild. The one up on the left actually was used for me. And some of the other ones are some of the phone parts and things like that that I actually used to build some of the shimmers that I was actually doing for my proof of concept. Your general point of sale system. And cash out device standalone. So this is meant to be like an out of service ATM. It's supposed to be something that normally you wouldn't want it to fly out everywhere on the street. But it's something where you would want to catch it and have it doing after hours and it's something that the original concept that I had was just like a huge face on the actual ATM. And it would catch all the money and stuff. But it's much better if it's just flying out of the bottom. And I'm going to go into the actual cash out standalone. This is something that people were wondering about because it's, there's foreign object detection on a lot of the new ones. I found several ways to actually deactivate a lot of that stuff and some of the newer devices inside the next generation ATMs. I'll go into a little bit more detail here. And basically this is like the standalone device. You just literally need a cell phone or the bad guy only needs a cell phone and a credit card that can impersonate some of the other EMV transactions. So basically once this device is actually plugged into the machine it will start replicating a lot of the information that they're getting from their blockchain. So pretty much all they need is a wireless internet connection and an ATM that accepts EMV transactions.
And I'm going to introduce La Cara which is roughly translated the face. Because everything sounds more menacing in Spanish, doesn't it? But yeah, I know, why would somebody want to automate something like this? Yeah, people are untrustable. As you can see this was off of a couple guys' Twitter feeds that got busted. They were doing a cash out run. Yeah, that's not conspicuous at all. So the cash out crew is, they're bragging about it on social media. Yeah, when busted, humans get busted they rat out. And machines usually don't have Twitter accounts. That's like one of the most positive things for the bad guys. And I wanted to go with the DEF CON theme this year which was Rise of the Machines. Like immediately after Jeff told everybody what the theme was for the next year I was like I'm going to make an ATM machine that can do its own like fraud. It'll be a beautiful thing. And yeah, so going along with the theme, like I was saying there is the standalone which would be more practical and what I actually imagine the bad guys would do. And La Cara does have its own Twitter account actually. And I was actually going to broadcast the simulated and emulated banking back end transaction data. I didn't have time to set that up. And I doubt that anyone would have watched a bunch of numbers fly across Twitter when I thought about it in hindsight. But yeah, it would have shown a lot of how the staging works and how what will happen if like two transactions are kicked into the blockchain, how they take priority and how they do it. And yeah, that guy smiling like a child inside the reflection of that ATM screen is me. Last year after DEF CON I actually bought an ATM machine and started doing some research. And everybody asks me including the press person who violently ripped the La Cara off there, what's behind there? And it's actually two Arduinos controlled by a Raspberry Pi controlled by an Android.
So there's a lot of computer components and it's basically a bunch of servos that say how much money it wants to take out. It'll actually enter the PIN number, it'll accept it, it'll say no receipt and then it'll go into the next transaction. So there's a bunch of little baby robot fingers inside there just pushing buttons and making money come out. And the actual card is actually plugged into the Raspberry Pi and that does all the modulation and the actual data processing for the card. So that's how the actual EMV card, when it gets impersonated, it needed something that's a little controlling the robot fingers, that was pretty much what it came down to. And this could be a removable device, like where if somebody didn't want, like I was saying, they would most likely want to make it something that pops on quick, that is now made out of fiberglass, and I'm actually going to go through some of the process of how, for some reason, you know, you send, I have a couple buddies that do 3D printing and you start sending them ATM parts and they quit answering your emails.
So that's something where pretty much I was like, okay, I'm going to do this the good old-fashioned way. You know, like, I used to do a lot of auto restoration when I was little. How hard could this be? So yeah, I basically covered it in plastic, made a buck mold and a plug mold, then I just put the fiberglass, yeah, the fiberglass on the front of it. And yeah, this is actually, nasty ATM is the name of that color of gray. So, and it could have been a little bit closer match, but yeah, you get the gist of it. It's an out of service ATM. It wouldn't raise any suspicion. I don't work at a bank, I work at Rapid7, but the bank that I actually bank at, their ATM was down for 2 days and I was the first person to tell them. So it's not something where out of service ATM will raise any suspicion. So this is, yeah, so basically it's a Swiss Army knife. So this was one of the first keypads that I actually started training my Arduino system on. So, and yeah, then I started working into some of the more advanced methods. A lot of the other countries, they'll be able to turn on a lot of these mechanisms. Because I didn't want to just inject magnetic card data using like a mag spoofer like Samy Kamkar has. Like, that's an amazing device and that man is a brilliant genius. I just want to give him props for, I do use mag spoofer on this one and several other ones. So, oh yeah, so, and there's one up in the corner. They're basically a little thing that can speak to the magnetic heads and the readers. But it's a very, very cool video to watch. The device that I started out with, just to see if this was possible, because it's one thing if it's a theory, and it's another thing when you can actually do it, and it's another thing when you're able to do it wirelessly in a room, and it's another thing when you can bounce it off of VPS up in Toronto. So like, that kind of latency compared to what's in a room and what's actually allowed by the standards, they actually planned for a lot of that stuff to actually be stopped. So, but yeah, building
your own banking back end. So that's a lot of the actual systems, and since the, I think it's the 17th or the 27th of last month, I've been doing a lot of these transactions, and they're actually doing EMV transactions. Like I said, there's 15 bank financial institutions and it's over 150,000 bank accounts. So those all are signed with card stock and they actually have like a physical attachment to them. So anytime that a card is simulated into the reader, it's going to check with the bank the exact same the real networks would. If I had, like I was saying, when I had 150 accounts, after 7 accounts I got flagged for fraud because it was unusual suspicion, and it was some of the natural settings on the banking network. But now that I have 150,000 accounts, it opened up to a lot more attacks, since I was going to be doing several demos. So like I was saying, each one of these is signed with DES keys. So say for example, if I get flagged for fraud, this will kick me off of my gateway processor and I won't be able to talk to my bank accounts. So I wanted to make it a little more real world, because I just didn't want it to be like a bad simulation. Like, this one actually has some of the field information where you can actually set some of the flags, and it initiates the risk just like it would with any other transactions. And the skimmer is generated, it's generating everything it's signing on with. So here's the EMV transaction. So this is, in a nutshell, 1438 pages for me to fully understand it. So this is my two PowerPoint presentation example of that. It's basically going to be: the card is read by a point of sale terminal, talks to the acquirer, which talks to the bank, and that's validating that the card's legitimate, that the bank accounts are legitimate, and that the device, the point of sale system or the actual ATM system, is actually allowed on the network. So that all that process is going on in the actual transaction. And basically on step two is when this network happens, it gets passed off to, as
you can see in that little green area there, it's actually getting passed off to the ATM machine here. So imagine there should be technically about 3.1 transactions getting shot at this ATM every time because of the size of the network and the blockchain. It is the only cash out device on the blockchain, so it takes priority and it should be getting nonstop transactions after I pop on the actual, the card system. So, and yeah, how will you capture the PIN? That's like one thing that's half the battle. I was looking into some of the actual features for some of the next generation ATMs, and they can actually change the PIN on the fly, and some of them are unencoded or actually unencrypted. So there's the methods of the past. There's the pinhole cameras that have been around for literally probably 12 or 13 years. There's the PIN overlays. You'd be able to automate that kind of the same way as the actual version that I've simulated. The actual PIN numbers here is based on OpenCV, which I will go into in a second here. So, and unencrypted PIN traces. So if it's actually reading straight mechanical data, it'll be able to grab the PINs that way also. And this is actually the method that I came up with, because I was like, I want a way to 100% automate it. So I actually got a keypad, then I sprayed some 3M glue on it, and then I put a bunch of iron oxide, like very small pieces of metal, because I wanted to be able to get past the foreign object. So that's something where I basically put a little radio on the bottom of it and went through the actual key cycles, and it actually basically has a different peak for each one of the keys, through it into OpenCV, and now it's watching for those peaks, and depending on the actual peak and the pitch on the peaks, it'll actually tell you basically what key was pushed. So that was kind of like, in addition to some of the overlays, which would be automatable, it was something else that I kind of wanted to go into, other ways of PIN capturing before. And I loved playing with
software defined radios. I got a Ettus N210 at the beginning, like right around Christmas time, and I felt like an 11 year old again. So if you guys aren't playing with software defined radios, you definitely should be. So they're amazingly fun soon. And yeah, so aside from probing some of the networks, they're actually going to go into the actual network and card settings. They're looking at what the, like I said, they're collecting tons of data. They're setting out, the bad guys are actually collecting what flags are, you know, what limitations for per country, like what the actual attack surface will be once the actual mag stripe data dries up. So, and this is kind of the direction that I saw the bad guys going with this. So, and branch ATMs versus on network ATMs. Anybody who's ever, you know, tried to get $500 and had to do it in two transactions, that's an off network ATM. They like to get some of the extra fees. It's just a little bit more risky, so they break them down into several transactions. And the on branch ones are like the actual ones that are inside of the actual banks and stuff like that. And I've, you know, personally I think I've taken out like, you might have to adjust your point of sale limit, but you can take up to like two, three thousand dollars at a time from some of them, depending on your years with your bank and things like that. But some of the off branch ones are obviously not the ones that would be attacked. So, and also this, that was one of the first things I did after I bought my ATM, is I actually converted it to EMV. So it has the more advanced firmware that can handle the EMV compared to the actual old credit cards. So, and yeah, Chinese and Japanese ATMs, they literally have like ten thousand dollar limits in some cases. So there are, I think, I forgot what the actual number was, but it was several hundred that across the world that actually have ten thousand dollar plus limits. So, and they're in limited portions, but most of them are in Japan and China. So, and yeah, as 2017's
coming around, point of sale systems, obviously they're going to go for things that don't have a lot of the foreign object detection. That's something that, yeah, it will put an end to a lot of that. So habits of putting EMV in early, like if it doesn't have that piece of paper that, whatever they put on it, like, you know, don't stick card in, no chip or whatever, like we put our card in there and it literally takes almost an eternity is what it feels like. So that's one of the things where we want it to be. And yeah, it's going to be one of their favorite things to actually, most likely to do the same way that they do now, like majority of the actual cards that were skimmed are from the actual gas pumps. So yeah, I just like to give special thanks before I kick off the demo, and then I will answer some questions if anybody has questions, which they should have a lot of them. So I'm going to give a shout out to my wife, my kids, Jesus, Barnaby Jack, Samy Kamkar, a ton of the, I got a lot of buddies with some of the Arduino issues. I like to nest code sometimes and they help me fix it. So yeah, and I'm going to go over the transaction, because I'm $1,800 short from my Black Hat demo. So as you can see on the bottom, Benjamin Franklin is puckered, puckered lips, so it is not real money. So, and basically what I'm going to go through, this thing is loaded $50,000 in fake, it's not fake money, it's not over it, I mean, it looks pretty good from 10 feet or from wherever you're sitting in the crowd, but actually you can tell from the bill on top it's not real. So, and it's going to grab the PAN number and the BIN number and actually go off if it's a $500 to $900 per transaction. So it's going to most likely go anywhere from zero to 60 transactions before it's actually either shut down for fraud or runs out of money. So, and the transaction time is going to take about 18 seconds. I'm going to kick off the demo here, and I think it's going to enter the PIN. And so basically with the Arduino, I needed to get it to a known state, so I need to make sure that it's on the right screen, and then I can kick it off and it will actually start pumping transactions, and it will pump out different based on the actual account number that comes into it. It will actually pop out a different set of money. So, and hopefully I don't fall off stage. So we're jackpot. And I was scared my ATM demo is going to blow up and the money. So, but yeah, as you can hear, it sounds like rattlesnakes. Those are little Arduino servos actually entering the PIN number. So, and hopefully the money is coming out good. So, but yeah, does anybody have any questions? If you want to come up to the microphones. Some of this is very, very ridiculous. You have to read about 1400 pages, some stuff, but I will explain it to the best of my ability. If anybody has any questions, I'll also be on stage. Just want to thank you all for coming. So