A short primer on ATM communications.

Basic communications:

Most ATMs in use today use either "Bisync" or "SDLC" communication. Bisync is a format where there is no start or stop bit; rather, after a certain number of characters (a packet), two (i.e. BI) sync characters are sent to "re-align" or "lock in" the next packet. Bisync also differs from async (standard IBM serial) in that there is a hardware clock signal to indicate when a bit cell should be started.

SDLC is also known as NRZ or Non-Return-to-Zero. In this format, the electrical signal is sent redundantly. A binary 1, for instance, will swing from the current voltage to +12 in 1/4 of a bit cell, remain at +12 for 1/4, swing to -12 in 1/4, and remain at -12 for the last 1/4 of the bit cell. A binary 0 will follow the opposite pattern (current to -12, remain -12, swing to +12, remain +12). The interesting part here is that the voltage remains at the last active state until changed by another bit (hence, NRZ). This format also uses a clock signal, but the clock may be a separate hardware line, or may be derived from the data line. Just to make matters more interesting, the bit cell may be inverted (i.e. a 1 bit may go -12 then +12), giving you what is called NRZI or NRZ-Inverted. This gives four possible types of SDLC comm: NRZ, NRZI, NRZD (VERY RARE if ever), and NRZID.

Basic Networking:

Most ATM networks use a "Star" topology with "Loops" at each terminus. Basically, this means that you have one central computer going to several nodes. Each node is a "loop" with up to 64 ATMs on each loop. You will almost never see more than 16 ATMs on a loop, mostly due to the higher cost of multiplexing more than 16 machines onto a single line. Each ATM has its own address or "POLL SELECT #" to differentiate it from every other ATM on that particular loop.
Basic Packet Format:

A basic Bisync packet will look something like this (xx = one data byte, values in hex):

  32 32        SYNC (two sync characters)
  C7           Poll
  02           SOT (Start Of Text)
  xx ... xx    DES-encrypted account # in EBCDIC
  1C           FLD (Field delimiter)
  xx ... xx    Encrypted time and date, and verification code
  1C           FLD
  xx ... xx    Text description of transaction
  1C           FLD
  xx ... xx    Amount
  1C           FLD
  xx ... xx    Bank blurb, e.g. "Thank you for Banking with RIP-Off"
  03           EOT (End Of Text)
  00 00 00     Idle

SOT = Start Of Text, EOT = End Of Text, FLD = Field delimiter.

Almost all ATMs use EBCDIC coding (which is different from ASCII); this is the same coding found on most IBM mainframes (no, it's not coincidence, many of the ATM network controllers are still IBM equipment). Although it is possible, ASCII is never used in SDLC. (SDLC is another IBM protocol.) Several companies manufacture devices which tap into this loop, and overlay the parsed data onto a video picture from the surveillance camera often found in an ATM casing.

_______________________________________________________________________________

Technical Scams/Workarounds

A new way of obtaining PIN numbers has surfaced recently, and has not yet been picked up on by the ATM security people. This involves using three or four mini-mike/transmitters, shaped like bolt heads. Basically, the four "bolt-heads" are placed on each corner of the ATM keypad so that they look like they hold the keypad down. Each bolt-head is transmitting on a slightly different frequency. Each receiver is then fed into a separate input (usually one pin on a parallel port) and decoded into discrete audio waveforms. The audio waveforms are then processed and compared to a base (i.e. the person doing this would initially press each key on the keypad in sequence several times). This makes it very simple to decode keypress sounds into numbers, as each switch will have a SLIGHTLY different sound than any other.
Even an 8088 at 4.77 MHz can process this data if it is stored first, then processed later.

Another, less known and more sophisticated method, is the use of a magnetic pickup coil to pick up the signal from the electronics inside the ATM. This requires some fairly intense DSP (Digital Signal Processing). While this sounds expensive or technical, it is actually fairly simple. The most common piece of equipment used is a SoundBlaster Pro (c) card. This card is an often overlooked piece of hacking/phreaking equipment. (It can also be used for fax interception, satellite pic decoding, touch tone decoding, telcom operator tones, and MUCH more. Ask about more info...) Using a magnetic pickup allows decoding both the card number and the PIN. Card readers/writers are available starting at about $125. Note that while some cards use DES encryption schemes, a large enough pool of data (real card numbers and encrypted equivalents) makes it possible to simulate the encoding scheme.

There have been reports (but I have seen no firm evidence) of the reverse being done. A large magnetic coil is placed in the ATM (possibly in the deposit slip holder or the deposit receptacle itself), and the correct signals are fed into it to simulate a viable transaction or to scramble the microprocessors. Unsubstantiated information claims that a dual frequency magnetic field (7200 Hz and 1247 Hz) of >=3000 Gauss scrambles the microprocessors and has a 33% chance of causing the ATM to "freak out" and start dispensing money at random. My source is anonymous (even to me), but claims that he/she has done this on more than 30 machines. The 30% figure is from his/her boasts of "Every third box freaked out and spit money at me". There has been increased interest in ATM surveillance in the area where this was supposed to have happened, but this may reflect nothing more than bank officials having gotten word of this story and trying to prevent rather than cure.
If you are interested in talking to this person, the last contact I have had was on Usenet. Message to "snake@ghost.com" in the alt.hacking newsgroup. (BTW, there is no ghost.com domain; I assume this address is the result of a "modified" program on a Usenet host.)

Other variations include the use of high power microwave pulses to accomplish basically the same thing. I have received no further information on this, but would point out that high power microwaves (pulsed OR steady) can be very hazardous to people as well as machines. I would recommend that anyone not experienced in microwave technology stay far away from high powered microwave experiments of any kind.

______________________________________________________________________________

Other Interesting Stuff.

Techno-anarchy. (sub-titled "Make electrons, not bombs")

A small but growing number of anarchists are putting down their guns and picking up their soldering irons. Simple electronic projects that can be built very inexpensively can be used to cause malfunctioning or destruction of most electronics. A department store in Arizona supposedly lost approx. $15,000 in consumer electronics due to a "techno-anarchist" revenge. The story says that a teenage man familiar with electronics purchased a stereo system from the store which did not work, and had trouble returning it either for another stereo or for a refund. About two weeks later, he walked into the store, went to the consumer electronics department, and proceeded to plug in a "black box" measuring approx. 12" by 8" by 6". (Van De Graaff generator?) Within seconds, malfunctions began to occur. Televisions and stereos began to randomly change volume/station/function. After no more than 5 minutes, 75% of the electronics in the department were functionally destroyed. Note that there was very little, if any, physical damage. The teenager was apprehended by police 5 days later.
It is possible that it took that long for the store security and/or police to track down exactly what had happened, since this is not something that they deal with on any kind of regular basis. The teenager was supposedly charged with criminal mischief (since no other law would cover this act?). The story was only briefly reported in the local newspapers, and very little was said by the department store. One supposition is that police did not want the public to know how easily this was done.

Related stories are heard from time to time about "techno-anarchists" disrupting traffic patterns in large cities by "frying" the traffic signal controllers. If true, this could cause more damage than is readily apparent, particularly due to frustrated motorists and the increased loads on roadways not designed for such heavy traffic. The possibilities for disruption of normal day-to-day living are enormous. This same type of electronic warfare could be used on critical installations such as air traffic control towers, hospitals, and railway controls.

Tapping modem communications

While many people believe that fax and modem communications cannot be tapped, this is a false assumption. Many companies are currently marketing fax interception cards for as low as $129. There are at least three companies advertising these cards in the 1-94 issue of "Law Enforcement Product News". As far as modem communications, there are several ways to intercept either side of a modem link, the simplest of which is to play back a recording of the modem communications to another modem which has already been placed into online mode. The most common method of playback is the answering machine. This is reported to work about 50% of the time. Another possibility is tapping into the actual RS-232 line to an external modem, if available. Most people are not aware that the RS-232 line can be paralleled to another device.
The trick is to connect only the receive and ground lines on the second device (i.e. DB-9 pins 2 and 5). As long as there is only one device doing handshaking and/or responding, there is no problem. Both sides of the link may be monitored by using two serial ports; one to receive the local, and one to receive the remote. You should be aware that this may be illegal if you do not obtain the consent of at least one of the parties being monitored, if not both. This could be considered a grey area, as it is unclear whether this could be considered wire-tapping or bugging. This is also physically harder to do since the tap would require 2 wires to be added for 1 side of the communication or 3 wires for both sides (common ground).

Fax Intercept hardware suppliers:

Power Fax Inc.
Address & phone not available at this time.
Faxmate! card for 386+ IBM compatibles. Features multi level zoom, exporting (OCR?), inverted images, fax machine ID, handles 2 dimensional and most non-standard faxes. Faxmate! is an addon board for IBM compatibles with an extremely high line impedance to avoid detection by conventional sweeps and line testers.

Kings Security Intern'tl Inc.
Located in L.A. CA (address/# NA at this time).
KSI Fax Intercept (FAXSNIFF). Laptop computer with special hardware. Features interception and storage of up to 9,999 Group III faxes. Maximum fax baud rate 9600 (no 14.4). Connects directly to telephone line, or to ANY SCANNER TYPE RECEIVER OR DIGITAL AUDIO RECORDER. This allows FAX INTERCEPTION FROM CELLULAR TELEPHONES, SERIAL/PARALLEL TELEPHONE TRANSMITTERS OR DIRECT AUDIO RECORDINGS.

-------------------------------------------------------------------------------

Pagers

While pagers may not be as exciting as cellular phones, there are many possibilities, and pagers are still much more common than cellular phones. Pagers are also carried personally, not by a vehicle (which may be loaned to someone else or stolen).
Some law enforcement agencies are starting to use cellular phones to track suspects or aid surveillance/stakeouts. The major problem with this is that often the person will leave their car/cellular phone in another location, thereby eluding a cellular trace. Pagers, on the other hand, are always carried by the owner personally. Many new paging networks require a response from the pager when a message is sent, to ensure that the page was received correctly. This response is very short, usually consisting of the pager's NAM and a simple go/no-go message. If you know the number of the pager, you can use simple receiver equipment to determine the strength of the signal to within a few feet, and use the network to determine where the signal is to within the size of a cell. This makes it possible to track a person to within a few feet simply by calling their pager.

The newer pagers that accept a multi-character alphanumeric message are even more interesting. Most of these pagers include a TTL or RS-232 port for programming and for remote links to equipment such as computers, medical monitors, etc.

RNet Paging data receivers. Manufactured by Motorola (c), these pagers operate at 138-174 MHz, 406-423 MHz, and 929-932 MHz. The standard unit includes a 240 byte buffer, TTL or RS232 I/O port, and multiple (4) address codes.

Port Pinout

  |------------------------|
  | 9 10 11 12 13 14 15 16 |
  | 1  2  3  4  5  6  7  8 |
  |------------------------|

   1  +5VDC                  9  +5VDC
   2  Keyed                 10  Gnd
   3  Gnd                   11  Keyed
   4  8-12 VAC / 8-16 VDC   12  8-12 VAC / 8-16 VDC
   5  Serial Data Out       13  Output 1
   6  Flow control out      14  Output 2
   7  Serial Data In        15  Output 3
   8  Flow control in       16  Reserved

Output 1,3,4,5 are also available through the holes in the bottom of the unit. Note that Outputs 1-3 and Reserved are TTL level direct from the uP.
Function codes (serial in)

  Code  Description
  77    Output 1 control
  78    Output 2 control
  79    Output 3 control
  10    Logic 0
  11    Logic 1
  12    Cycle (logic 1, delay, logic 0)
  13    Cycle (logic 0, delay, logic 1)
  70    Control output states
  14    Set control output states; x1,x2,x3 = logic 0 or 1 for outputs 1,2,3

Data Block

  Function Code | Command Code | Sub Address | Data x1 x2 x3 | Checksum

To send logic 1 to output 3 of a unit with a sub-address of 1000002, send:

  79111000002

To send a logic 0 to outputs 2 and 3, and a logic 1 to output 1, of a unit with a sub-address of 1231234, send:

  70141231234001

Programmable Functions:

  Cap Codes/Address codes (xxxxxxx)
    Active y/n (yyyy/nnnn)
    Function (aaaa)
    Code Type (indiv.)
    Inverted data (y/n)
  RS232 interface
    Baud Rate (up to 19200, default 9600)
    Data Bits (7/8, default 8)
    Parity (even, odd, none; default none)
    Out of Range message (yes/no, default no)
    Headers (yes/no, default no)
    Trailers (yes/no, default no)
    CTS (y/n, def. n)
    RTS (y/n, def. n)
  Enable control output
    Print control output messages (y/n, def. y)
    Output control individ. address (xxxxxx)
    Output control group address (xxxxxx)
    Cycle time delay (x seconds, def. 5)
    Message checksum enable (y/n, def. n)
    Output 1 initial logic state (low/high, def. low)
    Output 2 initial logic state (low/high, def. low)
    Output 3 initial logic state (low/high, def. low)

That should get you started on the RNet (c) paging receivers.

Interesting Equipment

Nothing technical, just some equipment suppliers you don't normally see.

Curtis Electro Devices
4345 Pacific Street
Rocklin, CA 95677
Tel. 800-332-2790  Fax 916-632-0636
ESNR-5900B CellPhone ESN Reader. Stores and prints (to parallel printer) the last 99 readings with time and date. Detects cellular phone number, called number, and ESN up to two miles from target. Options include voice capture (tap?) and handoff following. WARNING: Sold to law enforcement only. Proof of identification is required. Call or fax on official law enforcement letterhead.

ZEI Corporation
Address/Phone currently unavailable.
Counter-Fighter.
Detects fraudulent checks and/or credit cards by the presence or absence of magnetic ink or strip. (If you look at a check, you will see unusual looking numbers on the bottom. These have the routing code/bank/account and often the check number encoded by using magnetic ink to print the numbers.) The Counter-Fighter operates from a 9V battery or transformer, and weighs only 3 ounces. The unit "fits comfortably in the palm of your hand". Upon detection of magnetic ink the unit gives a quick flash of a red light. (This does not check what the magnetic ink says, merely whether or not it is present. Magnetic ink has been imitated by mixing Schaffer's ink with extremely finely ground neodymium magnets. The ink is then used in a calligraphy type pen, or with less success, in an inkjet printer cartridge. The same thing has supposedly been done with laser/copier toner, but this seems unlikely due to the metallic rollers/parts in laser printers/copiers.)

AVCOM
500 Southlake Blvd.
Richmond VA 23236
Tel. 804-794-2500  Fax 804-794-8284
PSA-65A Portable Spectrum Analyzer (bug-sniffer, radio tracer, etc.). The PSA-65A covers up to 1 GigaHertz in one sweep; sensitivity in narrow sweeps is -95dBm. It is ideally suited for 2 way radio, cellular, cable, LAN, and surveillance/anti-surveillance work. Options include freq. extenders to allow usage at SAT-COM and higher frequencies, audio demodulation for monitoring (tapping), and more.

RACOM
5504 State Rd.
Cleveland OH 44134-7330
Tel. 216-351-1755 or 800-722-664x (number lost due to misprint)
Fax 216-351-0392
RACOM 2816A is a multiline dialed number recorder that can simultaneously record number dialed and audio on up to 6 lines. Prints and displays date, time, number of rings, length of call and recorder status for each line. Separate minimized audio and cassette recorder for each line. Real time display of line activity on 80 column display. Completely automatic or manual operation.
Options include CallerID, dual and single tone slaves, RS232 output, database program and more. FOR LAW ENFORCEMENT ONLY.

Federal Card Co.
Address and phone not available at this time.
FBI Trading Cards. Series of 100 trading cards featuring official photographs, descriptions, and criminal records of fugitives currently wanted by the FBI. Subsets include The Top Ten, FBI Lab, FBI Firearms, and FBI Facts and History. ALSO: randomly inserted foil stamped bonus cards. Limited production; only 3,750 officially numbered cases printed. Special on-pack offer: win a trip to Washington D.C. for a tour of FBI headquarters. Sold in packs of 8. 5% of profit donated to victims of violent crime and drug prevention programs. (The last sentence is verbatim from the ad in the 1-94 Law Enforcement Product News, so I have to wonder about victims of drug prevention programs.)

Protective Products
PO Box 450358 Dept. EP
Sunrise Florida 33345
Tel 305-846-8222 OR 800-509-9111
Body Armor starting at $149 for concealable standard Threat Level IIA.

New Eagle Communications
Address unavailable at this time.
Tel 913-582-5823  Fax 913-582-5820
Bone Vibration Headsets. Demo gear available to qualified organizations.

Tech Support Systems (Surveillance Products)
540 Weddell Drive Suite One
Sunnyvale CA 94089
Tel. 408-734-9436  Fax 408-734-9437
Cellmate Model B. A cellular monitoring system designed for unattended operations. Just enter the suspect's phone number and it automatically intercepts calls made to or from the phone. The included VOX circuit activates the built in Marantz (c) cassette recorder to record both sides of the conversation. (This system is packaged in a standard metal shell briefcase, and includes a cellular phone, recorder and controls. It is available for both AMPS and ETACS systems.) WARNING: Sales are restricted to authorized purchasers only.

More Simple but Interesting Junk.

Modifying 386/486 ROMs

WARNING: You do this at your own risk!
You CAN seriously hurt hardware if you screw this up. It is fairly safe to change the text in the BIOS; for instance, maybe you want your sign-on screen to say "Joe's Bar and Grill" instead of "Some Funky BIOS 1989". But there is NO warranty given to you or anyone you ever knew.

Ok, now, first we need to read the old BIOS. Follow the instructions below:

  debug
  rcx
  8000
  n top.hlf
  m f000:0 8000 cs:100
  w
  n bot.hlf
  m f800:0 8000 cs:100
  w
  q

(rcx 8000 sets the write length to 8000h bytes; n names the output file; m copies 8000h bytes from the ROM segment into the buffer at cs:100; w writes the buffer to the named file.) This will give you two files, top.hlf and bot.hlf, which is one BIOS chip each if you have two BIOS chips. If you only have one, then type:

  copy /b top.hlf+bot.hlf whole.thg
  del top.hlf
  del bot.hlf

You will now have one binary file called whole.thg. Load this file into your favorite EPROM burner program (as a binary file), and do a checksum. You should get XX00, where XX is anything. If not, your program does not support the standard checksum used by IBM compatibles. If so, then you can change what you want to (common changes are to text messages and hard drive tables). When you have finished, do another checksum and write it down, then write the file back to disk (use binary mode, NOT hex or Intel Hex).

Now we have to find out how to reset the checksum so that it is XX00 again. Type the following:

  debug
  h ffff chksum

(where chksum is the checksum you wrote down just before saving the file above). You will see something like this:

  2233 DDCC

Write down the last two digits, then type:

  q

Now go back into your EPROM programmer and load the file (remember, binary). Find an unused FF, and change it to the two digits from the step above (i.e. CC). Now do another checksum, and verify that it is XX00. Then burn your new EPROM and install it. If you did not get the checksum right, your machine will refuse to boot up, and you will have to try again.

Pirate Television.

Caution: The FCC is very adamant about shutting down unlicensed transmitters, especially those involving television channels. The normal procedure when this occurs is to confiscate all equipment and levy a $1000 fine.
Pirate television is actually very easy to get into. The first thing you need is a transmitter (of course). The second is an amplifier to get your output up high enough to be of any use. The quickest way to get an inexpensive high quality transmitter is from a cable TV surplus equipment reseller. These can be purchased used for under $50 depending on make/model/features. The preferred channels are from 14 to 20, as these are within the 400-512 MHz frequency range. This range falls (mostly) within the range of ham radio, and linear amplifiers can be purchased very inexpensively. Beware of cheap build-it-yourself transmitter kits, as they tend to have lots of frequency drift and instability (esp. when transmitting video and audio at the same time). There are 100 watt pirate television stations that have been assembled for as little as $150, although generally such a station will cost around $300.

In the Houston, Texas area, there are currently 4 known active stations, ranging from 25 to 2500 watts. These stations have operated an average of 5 years each, mostly due to the fact that they do not transmit full time, and all but one move location monthly or bi-monthly. They also do NOT transmit pornography or "death" films (Faces of Death, Die On My Blade, etc.). The fastest way to be found is to transmit things that are overly offensive. This does not mean that you should only transmit Disney movies, but keep in mind that this IS a public broadcast, and that ANYONE can receive it. In the Houston, Texas area, one station is devoted purely to "cult" films, such as Pink Floyd's "The Wall", "The Rocky Horror Picture Show", "Night of the Living Dead", "Godzilla" movies, etc. Most stations run a mix of music videos, old/cult movies, and classic reruns such as "The Prisoner" and "Dr. Who". Some stations will take requests at P.O. Boxes or on telephone "loops" (an open two person conference call).
Most pirate TV operators are technologically literate, and are willing to help someone set up a new station (providing you don't compete against them, of course). Many cities host a large number of these stations, and in some cities the "underground" newspapers even run the "Pirate Nielsens". If you are interested in setting up your own station, check your local yellow pages under "Cable Television Equipment" for the base transmitter, and QRx or 72 magazines for the linear amplifiers. Keep in mind that you are running an illegal transmitter, and that most ham radio equipment suppliers will not sell to you if you state that you are running a pirate TV station. When choosing an amplifier, be sure that it has at LEAST a 6 MHz bandwidth, otherwise you will tend to lose your audio and/or video.

Anyway, this is some basic stuff. You might want to rewrite/clean-up some of it though. I will give you a call soon after you receive this to see if you find it informative or useful.

This information gathered/compiled by Light Speed Delta. Republication or other usage is permitted if verbal permission is given.
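Editor's addition, not part of Light Speed Delta's text: a small Python builder/parser for the RNet control-output data block described in the Pagers section (Function Code | Command Code | Sub Address | Data x1 x2 x3 | Checksum). It assumes the 7-digit sub-address used by the two worked frames above, and since the text does not define the checksum algorithm (checksum is off by default), it builds and parses frames without one, exactly as those two examples do.

```python
# Added example (not from the original text): build and parse RNet
# control-output frames in the layout the text gives:
#   Function Code | Command Code | Sub Address | Data x1 x2 x3 | Checksum
# The checksum algorithm is not described on the page and the option
# defaults to off, so frames here carry no checksum, like the page's
# own two examples (79111000002 and 70141231234001).

# Function codes (serial in) from the text.
FUNC_OUTPUT_CONTROL = {1: "77", 2: "78", 3: "79"}   # one output at a time
FUNC_SET_STATES = "70"                               # all three outputs at once

# Command codes valid with 77/78/79.
CMD_LOGIC_0 = "10"
CMD_LOGIC_1 = "11"
CMD_CYCLE_1_0 = "12"   # logic 1, delay, logic 0
CMD_CYCLE_0_1 = "13"   # logic 0, delay, logic 1
OUTPUT_COMMANDS = {CMD_LOGIC_0, CMD_LOGIC_1, CMD_CYCLE_1_0, CMD_CYCLE_0_1}
# The only command code valid with 70.
CMD_SET_STATES = "14"

# Assumption: both worked examples on the page use a 7-digit sub-address.
SUBADDR_DIGITS = 7


def build_output_command(output: int, command: str, subaddress: int) -> str:
    """Frame driving one output, e.g. output 3 -> logic 1 at 1000002 is '79111000002'."""
    if output not in FUNC_OUTPUT_CONTROL:
        raise ValueError("output must be 1, 2 or 3")
    if command not in OUTPUT_COMMANDS:
        raise ValueError("command must be one of 10, 11, 12, 13")
    return FUNC_OUTPUT_CONTROL[output] + command + f"{subaddress:0{SUBADDR_DIGITS}d}"


def build_set_states(subaddress: int, x1: int, x2: int, x3: int) -> str:
    """Frame setting all three outputs at once; x1,x2,x3 are 0/1 for outputs 1,2,3."""
    states = (x1, x2, x3)
    if any(s not in (0, 1) for s in states):
        raise ValueError("output states must be 0 or 1")
    return (FUNC_SET_STATES + CMD_SET_STATES
            + f"{subaddress:0{SUBADDR_DIGITS}d}"
            + "".join(str(s) for s in states))


def parse_frame(frame: str) -> dict:
    """Split a received frame into its fields; raise ValueError if malformed."""
    if not frame.isdigit() or len(frame) < 4 + SUBADDR_DIGITS:
        raise ValueError("frame too short or not all digits")
    func, cmd = frame[0:2], frame[2:4]
    sub = int(frame[4:4 + SUBADDR_DIGITS])
    rest = frame[4 + SUBADDR_DIGITS:]          # data field, if any
    if func in FUNC_OUTPUT_CONTROL.values():
        # 77/78/79 take a logic/cycle command and no data field.
        if cmd not in OUTPUT_COMMANDS or rest:
            raise ValueError("bad command or trailing data for output control")
        output = next(o for o, f in FUNC_OUTPUT_CONTROL.items() if f == func)
        return {"function": func, "output": output, "command": cmd, "subaddress": sub}
    if func == FUNC_SET_STATES:
        # 70 takes command 14 plus exactly three 0/1 state bits.
        if cmd != CMD_SET_STATES or len(rest) != 3 or set(rest) - {"0", "1"}:
            raise ValueError("bad command or state bits for set-states")
        return {"function": func, "command": cmd, "subaddress": sub,
                "states": tuple(int(c) for c in rest)}
    raise ValueError(f"unknown function code {func}")
```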