Blog

Our experts' unique discoveries, observations, and opinions on what’s trending today in Business Risk Intelligence and the Deep & Dark Web.

Blog > Cybercrime > Brazilian Fraudsters Create Device to Punch Out EMV Chips

Brazilian Fraudsters Create Device to Punch Out EMV Chips

bio
emerging threats

The physical compromise of ATMs has long been considered a “tried and true” scheme among many fraudsters — and rightfully so. Not only do these schemes remain very common in many parts of the world, they continue to demonstrate that when it comes to crime, sophistication doesn’t always trump creativity.

Indeed, a group of criminals in Brazil developed a new tool for targeting Europay Mastercard Visa (EMV) payment cards that serves as a case in point. Although EMV cards — often referred to as “chip cards” — were initially developed as a more-secure alternative to traditional magnetic stripe cards, these criminals’ new device can undermine an EMV card’s security measures by targeting none other than the chip itself. Once installed in an ATM’s card reader slot, this device physically steals EMV cards’ chips by punching the chips out of cards inserted into the machine.

Seeking to maximize their financial gain from the stolen chips, the criminals reportedly installed cameras near compromised ATMs to record valuable information, such as the affected cardholder’s name and PIN information. Criminals can then insert the stolen chips into blank cards and use the victim’s accompanying PIN to make fraudulent purchases and unauthorized withdrawals.

Image 1: An example of a victimized card shows how the chip was punched out in a clean and precise fashion. Photo Courtesy of Globo G1 Rio De Janiero News.

 Image 2: An example of a card reader overlay taken from an ATM in Brazil. The overlay is associated with EMV chip-punching; a mechanism inside the card slot would physically punch out the chip from a card after it was inserted into an ATM.

Image 2: An example of a card reader overlay taken from an ATM in Brazil. The overlay is associated with EMV chip-punching; a mechanism inside the card slot would physically punch out the chip from a card after it was inserted into an ATM. Photo courtesy of YouTube.

Image 3: The underside of an assembly that was placed above select ATMs in Brazil. The front of the assembly matches the design of the ATM and conceals a pinhole camera that would record the victim’s PIN information while it was being typed on the keypad.

Image 3: The underside of an assembly that was placed above select ATMs in Brazil. The front of the assembly matches the design of the ATM and conceals a pinhole camera that would record the victim’s PIN information while it was being typed on the keypad. Photo courtesy of YouTube.

Unfortunately, this particular ATM compromise scheme is part of a growing trend in Latin America, where lower levels of security awareness often enable criminals to successfully carry-out bold stunts without alarming victims. In fact, one victim of the “chip-punching” scheme recently spoke with Brazilian reporters about the fact that, despite having noticed the missing chip, he didn’t take action immediately. It wasn’t until his bank notified him of suspicious activity on his account that he decided to report the incident.

Furthermore, in December 2016, Flashpoint released a report detailing Brazilian criminals’ use of a different device called a “chupa-cabra” to steal money from ATMs. The thieves used a long flat piece of metal crafted to fit the slot of the ATM machine and wedge the slot door open. Once the tool was wedged into the slot, the far end would open to reveal a heavy, sticky piece of metal attached to the long piece of metal by means of a ribbon. The sticky piece of metal would be lowered into the deposit box, where it would stick to the first envelope on the pile, allowing the thief to pull it out of the slot, along with the deposit envelope.

Image 4: Law enforcement demonstrates use of a chupa-cabra to pick up a deposit envelope.

Image 4: Law enforcement demonstrates use of a chupa-cabra to pick up a deposit envelope. Photo courtesy of YouTube.

Cases of ATM targeting in Latin America reinforce the notion that some types of criminal schemes need not be sophisticated to be effective. While ATM compromises in more-developed geographical regions often employ sophisticated malware and tactics requiring advanced technical skills, those in Latin America tend to rely on physical means of theft. Schemes involving tools like the card-punching device or chupa-cabra also serve to illustrate how the widespread use of older technologies in some countries — such as many of the ATM models common throughout Latin America — can be compromised and exploited with ease for financial gain.

About the author: Olivia Rowley

bio

Olivia Rowley is an Intelligence Analyst at Flashpoint. She speaks fluent Spanish and specializes in analyzing threats emerging from the Spanish-language underground with an emphasis on Latin America. Prior to Flashpoint, Olivia’s passion for Latin America and the Middle East led her to pursue extensive research on the languages, culture, and political climate of these regions. She has studied abroad in Madrid, Spain and holds a bachelor’s degree in International Relations with a concentration in International Security from Tufts University.

About the author: Ian W. Gray

Ian W. Gray is a Cyber Intelligence Analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is a military reservist with extensive knowledge of the maritime domain and regional expertise of the Middle East, Europe, and South America. As a Veteran Volunteer, Ian supports The Homefront Foundation, a non-profit that helps veterans and first responders share their experiences through focused story-telling workshops. His insights and commentary have been featured in publications including Wired, Christian Science Monitor Passcode, ThreatPost, TechTarget, The Washington Examiner, Cyberscoop, The Diplomat, and others. He holds a bachelor’s degree in Middle Eastern Studies from Fordham University and a Master of International Affairs degree from Columbia University.