Full Report
So I get a phone call from Daniel on a Wednesday night: "Stu, can you bring your hardware stuff with you tomorrow? I've been given a card skimmer that I want us to see what we can get from it." So I get my bag ready with the hardware tools I have: an RS232-to-USB UART adapter, a Saleae 8-channel logic analyser, and numerous other components. Thursday comes round and I'm eager to see what device Daniel has. He gives it to me and says "gimme 10, then we will sit down and see what we can get". I waited one second and tore into this thing!
Analysis Summary
# Tool/Technique: Card Skimmer (Insert Type)
## Overview
This summary details the hardware and components identified within a physical card skimming device, specifically classified as an 'INSERT' type skimmer, designed to capture magnetic stripe data from payment cards, likely within ATM or POS interfaces. The analysis focuses on reverse-engineering the device's constituent parts to understand its data capture and storage mechanisms.
## Technical Details
- Type: Tool (Physical Access Attack Tool / Skimmer Hardware)
- Platform: Unspecified hardware environment (typically ATMs, POS systems)
- Capabilities: Magnetic stripe reading, data capture, local storage, rechargeable power.
- First Seen: Analysis/Reporting date is August 02, 2017.
## MITRE ATT&CK Mapping
The activity described falls under physical access and collection of credentials.
- **TA0001 - Initial Access**
- **T1580 - Build Infrastructure** (If considering the manufacturing/sourcing of the skimmer)
- **T1583.001 - Acquire Infrastructure: Domains** (Not directly applicable, but represents preparation)
- **TA0010 - Collection**
- **T1582 - Stored Data Collection** (Implied by reading card data)
- **TA0007 - Discovery**
- **T1595.001 - Active Scanning: Network Service Scanning** (Analysis involves discovery of system components)
- **TA0008 - Lateral Movement** (Not explicitly detailed, but often follows data extraction)
- **TA0011 - Command and Control** (Not detailed; data theft phase)
*(Note: Since this is a physical device analysis, direct TTP mapping is contextual. The primary focus is physical intrusion and data collection.)*
## Functionality
### Core Capabilities
1. **Magnetic Stripe Reading:** Utilizes a magnetic stripe read head (2 wire, single track) to read data from the payment card's magnetic stripe as the card is inserted or swiped.
2. **Data Storage:** Employs an **AT45DB321E (32-Mbit DataFlash)** to store captured magnetic stripe data.
3. **Power Source:** Powered by a rechargeable **LIPO Battery**.
4. **Physical Integration:** Designed as an "INSERT" skimmer, meant to slot inside the existing card reader mechanism, often deeper than the shutter mechanism.
### Advanced Features
1. **Microcontroller Brains:** Managed by a **PIC18F26K20** microcontroller, which executes the capture logic (likely custom code in C). This chip potentially supports **hardware encryption** of the captured data.
2. **Signal Amplification:** Uses an **MCP6142** dual operational amplifier (Op Amp), possibly for voltage regulation or amplifying the weak signal from the magnetic read head.
3. **Rudimentary Construction:** The device exhibits surprisingly simple construction, using filed brass parts, superglued wires, and masking tape for concealment, suggesting ease of rapid deployment.
## Indicators of Compromise
As this is a summary of analytic findings on a *found* device, specific IoCs relate to the identified components rather than network activity.
- File Hashes: N/A (No software image extracted in this phase)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Recovering the stored data would require connecting to the storage chip over its SPI interface, or to any debug/serial (UART) port exposed on the board.
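Once a forensic image of the DataFlash has been taken over SPI, the next step is to inventory what the device captured without keeping full card numbers in the case file. The following is an added triage helper, not code from the original write-up; it assumes the skimmer stored decoded Track 2 records as ASCII (the page does not establish the on-flash format) and uses constructed test card numbers.

```python
import re
from dataclasses import dataclass

# Track 2 layout per ISO/IEC 7813: ';' start sentinel, PAN (up to 19 digits),
# '=' separator, YYMM expiry, 3-digit service code, optional discretionary
# data, '?' end sentinel. Assumption: the skimmer wrote decoded ASCII records
# into the AT45DB321E; the page does not say what format it actually used.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([0-9]*)\?")


@dataclass(frozen=True)
class Track2Record:
    masked_pan: str      # first 6 and last 4 digits kept, rest replaced by '*'
    expiry_yymm: str
    service_code: str
    luhn_ok: bool        # False suggests a mis-read or corrupted record
    offset: int          # byte offset in the flash image, for the evidence log


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 digits for issuer notification."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage_dump(dump: bytes) -> list[Track2Record]:
    """Inventory Track-2-like records in a raw flash image, masking every PAN."""
    records = []
    for m in TRACK2_RE.finditer(dump):
        pan = m.group(1).decode()
        records.append(Track2Record(mask_pan(pan), m.group(2).decode(),
                                    m.group(3).decode(), luhn_ok(pan), m.start()))
    return records


# Constructed sample image: two records separated by erased-flash 0xFF bytes.
# The PANs are the well-known test number and a deliberately corrupted copy.
SAMPLE_DUMP = (b"\xff" * 8 + b";4111111111111111=29011011234?"
               + b"\xff" * 5 + b";4111111111111112=28121010000?" + b"\xff" * 16)
```

Run `triage_dump(SAMPLE_DUMP)` to get the masked inventory; the Luhn flag separates clean reads from records that probably need a second look at the raw bits.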
## Associated Threat Actors
The article does not name specific threat actors. These types of devices are commonly attributed to organized financial crime groups specializing in ATM/POS malware and hardware compromise.
## Detection Methods
Detection focuses on forensic and physical countermeasures:
- Signature-based detection: Not applicable to the physical hardware itself, but firmware on future iterations might be signatured.
- Behavioral detection: Physical inspection and analysis of abnormal behavior on compromised terminals (e.g., unusual device insertion resistance, unexplained power drain).
- YARA rules: Not specified for the firmware, but monitoring for data transfers from these types of flash chips during forensic acquisition could be relevant.
## Mitigation Strategies
Mitigation centers on preventing physical installation and ensuring secure hardware design:
- **Physical Security:** Regular physical inspection of ATM/POS card reader slots for foreign objects, especially deep insertion devices hiding near shutters.
- **Hardware Hardening:** Using tamper-evident features on card slots.
- **Monitoring:** Securing devices against unauthorized access during downtime.
- **Technology Shift:** Relying on EMV chip transactions, which are far more resistant to this kind of purely physical magnetic stripe skimming.
## Related Tools/Techniques
- **General Card Skimmers:** Surface mount skimmers, overlay devices.
- **Related Components/Techniques:** Use of PIC microcontrollers (common in various small-scale embedded attack tools), reliance on SPI interfaces for data extraction.