Pro ATM Hacker ‘Chao’ Gives Out ATM Hacking Tips


It seems like ATM hacking is still the way to go for those into a bit of hardware hacking. One of the most notorious and well known ATM hackers was recently arrest in Turkey and a list of his tips discovered online where he also sold the ATM skimming equipment.

Well his tips can’t be THAT good if he got caught can they?

A bank-machine hacker who reportedly was arrested earlier this month in Turkey gave would-be fraudsters tips on how to install rogue card-reading devices, including advising them to target drive-through ATMs (automated teller machines) and avoid towns with fewer than 15,000 residents.

The hacker, who went by the handle “Chao,” reportedly was arrested earlier this month in Turkey. He was one of the most well-known ATM hackers in the world, according to Uri Rivner, head of new technologies for RSA Consumer Solutions.

Chao sold fake faceplates that fraudsters could attach to the card slots in ATMs. These “skimmer” devices can read the magnetic stripe of every customer’s ATM or credit card, and are often used in conjunction with a hidden camera that watches people enter their PINs (personal identification numbers), Rivner said. Alternatively, criminals can attach an extra keypad on top of the one in the machine and capture the PIN that way, he added.

It seems like the old methods are still prevailing but the kit used is probably lot smaller, neater and unobtrusive. They skim your card, record your pin on the number pad with a micro dot camera and usually beam it all to a wifi PC nearby which will pipe it back to the owner over the net with a 3G phone or similar.

Just be careful where you use the ATM machine and cover the numberpad with your other hand when you are typing to the PIN to be extra vigilant.

  • don’t install a skimmer in the morning, because people are more vigilant then;
  • determine where a person would have to stand to keep an eye on everything happening on that block;
  • avoid blocks where more than 250 people per day walk through, because of the danger of detection;
  • don’t install skimmers in towns with fewer than 15,000 people, because people in those towns know what their ATMs look like;
  • avoid areas with small shops open 24 hours a day, because there may be surveillance cameras and vigilant shopkeepers;
  • don’t set up in areas where a lot of illegal immigrants live;
  • places with a lot of tourist traffic are good;
  • look for affluent neighborhoods and drive-through ATMs;
  • ATMs near cash-only bars are a good bet for lots of customer activity.

The tips are really nothing ground-breaking, but interesting to read nevertheless. Most of them could be considered common sense, but some like not targeting really small towns are quite interesting.

I would have thought busy times would have been the best time to go in as long as there is no-one else queuing at the ATM machine.

Source: NetworkWorld

Posted in: Hardware Hacking, Spammers & Scammers

, ,


Latest Posts:


LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.


9 Responses to Pro ATM Hacker ‘Chao’ Gives Out ATM Hacking Tips

  1. Navin September 30, 2008 at 12:45 pm #

    doesn’t this all come under tht little thing we all ignore called “common sense”??

    I mean, its more of observations than tips …what say??

  2. Yami King September 30, 2008 at 7:06 pm #

    @ Navin
    I totally agree.

    Except for the one (point 3) that says Avoid blocks where more than 250 people per day walk through, because of the danger of detection.
    Why? Because this just really depends on the time of the day you are at the ATM; when there is no one around and you followed the basic guidelines stated above, there’s basicly nothing to worry about.
    And it’s kind of in contradiction with point 7: Places with a lot of tourist traffic are good. Since these so-called places all contain blocks that are usually visited over 250 times a day (point 3) depending on the popularity of the region.

  3. SpikyHead October 1, 2008 at 12:38 am #

    This had to happen (that he got caught), ATM hacking is something which is comparatively easy to figure out especially when more than one customer complains about fraudulent activity in their bank accounts and then finding the fraudsters is even easier unless he has stopped these activities.

    now couple more ‘Blackhat’ tips to add (for humour purposes only):
    -Do not attempt this more than 5 times in one city
    -Change the city every day. This may make it harder for police ;)

    Yami, you seem to be analyzing his tips very carefully.. what ar eyour plans budd?

  4. goblert October 1, 2008 at 1:04 pm #

    Interesting read.
    This was happening in my
    country for a while, there was a big thing on the news about it.

  5. Pantagruel October 1, 2008 at 1:13 pm #

    Nice read, but nothing ground bracking

  6. terrery October 2, 2008 at 9:07 am #

    ”He was one of the most well-known ATM hackers in the world, according to Uri Rivner, head of new technologies for RSA Consumer Solutions”

    maybe a hint for him, after you skim the card you are about to withdraw cash from it.
    it will have a maximum amount of withdrawel, how can we get max profit of this scam? well search for a ATM that has standard passwords provided by the manufacturer, (you can find manuals from that specific ATM manufacture on the internet) use them, hack in the ATM and let the ATM think that a bill of 50 is 5.

    ”a max withdraw of 500”, 500:5= 100 times 50= ”5000”

    5 times in each city = 25000 lets say you can accomplish this is some days.

    well keep this on for a few weeks and fly to the bahama’s or something :)

  7. Goodpeople October 2, 2008 at 9:24 am #

    Am I glad that I live in a small town.. :-)

  8. navin October 15, 2008 at 10:50 am #

    @ terrery
    Can wht U’re saying be done for a single transaction?? i mean u ever heard of something like this done?? Even as a PoC?? links please…anyone

  9. Joe October 16, 2008 at 9:24 pm #

    Avoid ATM’s with video cameras… Although maybe sunglasses and a hood at night time would foil them. Banks and the Secret Service use all that info when they look for their guy.

    Some guys with very complicated heist manuvers have been caught even still.