Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Share this Page URL

Chapter 7: Low tech hacking and the law:... > Meet Mr. Tony Marino - Pg. 201

180 CHAPTER 7 Low tech hacking and the law: Where can you go for help? MEET MR. TONY MARINO Mr. Marino has been a tremendous resource for me and for all of the members of the North Carolina Electronic Crimes Task Force for many years. His willingness to share his decades of experience in the fields of electronic crimes investigation and in personal protection have been invaluable to the entire task force. He has been an excellent example of how beneficial it can be for non­law enforcement members to take the time to get to know and learn from these senior federal agents. Let's ask him a few questions so you can get to know him. Low tech hacking interview with Tony Marino, U.S. Secret Service (retired) Jack: Give me your best low tech hacking war story for how the bad guys might be using low tech tools and social engineering skills. Mr. Marino: There may be several examples of basic low tech methods of attacks that utilized social engineering as the main ingredient in the application of an attack. The one I will recount here I found interesting because there was a perfect storm in effect that allowed the success of the attack. I will not divulge the parties that were victimized in this scheme, but I can say that the vulnerability has been remedied through hardware upgrades, internal procedures, and the advent of know-your- customers regulations that have been adopted. · · The background of this attack centered on a flaw in the design of a specific brand and model of ATM machine. The individuals exploiting the flaw obtained the information from the company involved in the manufacture of the equipment. The flaw was that a transaction could be canceled up until the moment that the customer physically pulled the bills from the dispenser. However, if the bills in the middle of the dispenser could be extracted, leaving the top and bottom bills, you could cancel the transaction, and the bills were placed in a transaction canceled bin without the number of bills being counted. The machine in effect presented the currency into view and allowed tampering with a check that the number of bills recycled into the bin was the number initially dispensed. The individuals who perpetrated this scheme traveled around the country to conduct the fraud. The last component was a convenience procedure in place at the particular financial institution in which a canceled transaction at the ATM did not affect the availability of funds for withdrawal on that date. · The enterprising criminals simply opened an account at the large financial insti- tution with cash in an amount slightly above the daily withdrawal limit. They obtained a temporary ATM card, then after the branches had closed for the day, drove up to the ATMs, asked for the daily maximum they could withdraw, extracted the bills from the center of the stack, and cancelled the transaction. They then repeated