CHiNA Newsletter #2
-------------------
+-------------------------------+
| |
| A. T. M. Fraud Made Easy |
| |
| summary and research by |
| Count Zero |
| |
| (A CHiNA Info-Net Prod) |
| |
+-------------------------------+
Have you ever looked longingly upon the sight of your local PULSE machine
and thought, "There must be some way that I can make some money REAL easy
here."?
Well, there is. But it won't be easy. Protection methods can be overcome,
but the technology involved must be understood IN ITS ENTIRETY before an
attempt at illegal access is to be made. There are hundreds of people,
guests of the state, that figured their plans infallible, only to fall
victim to a well-hidden camera.
This article will not be a lesson on HOW to break into the machine, it is
merely a summary of the operations involved with a normal ATM transaction.
This information is being presented on a "for information's sake"-only
basis. I, Count Zero, do not promote nor remotely condone any illegal
acts of any sort. So there.
I. MAGNETIC STRIP FORMAT
This would seem to be the most efficient method of trying to access illegal
sums of cash. You could:
a. steal somebody's card and PIN code
b. synthesize a card
c. attempt to "jackpot" the system
We will only look at option B. As "A" is up to your own devices and "C" has
several good text files written about it already. So "B" it is.
Let's look at the format of the data written to the magnetic strips. This
has been taken from a recent HARTWELL, INC manual.
[ XX XX XX XX XX XX XX XX ] [ YYYY ] [ - 20 CHARS - ] [ ZZ ZZ ZZ ] [ CC CC ]
\-----------------------/ \------/ \--------------/ \----------/ \-------/
Your individual acct. PIN Name of card Bank route CHKSUM
number/serial code Code issuee code/rem.
access #
For validation, each entry is written twice but not written here for
ease of typing. But it is repeated in the form of:
"ACCT NUM" "ACCT NUM" "PIN CODE" "PIN CODE" etc...
These codes may be examined by building a simple code-reader as many
have done which can be easily interfaced to your IBM-PC. Full plans
to be put into a future CHiNA newsletter.
If you were to attempt to write a magnetic strip or change a currently
existing one, you would need to be using a head-write circuit based on
the popular Motorola BCX119221-A...C series of head control chips.
NOTE: Make sure to change the last 2 values! They constitute the
checksum of the entry.
Merely add all existing characters written (only the first entry, not both
of them) using the following chart:
CHARACTER VALUE
--------------------------------
0..9 0..9
A..Z 10..36
EOL 37
EOT 38
CLR 39
HMX 40
PTT 41
RIA-1 42
RIA-2 43
I doubt anyone in the communications biz needs an explanation of these terms
so I'll move on.
II. ATM HARDWARE
Usually consists of:
------------------------------------
| |
\-----\ | B |
| A | | |
\-----\ ------------------------------------
| |
| ----------- /---/ E |
| / / / / ---- |
| / C / / D / F |
| / / / / ---- |
| ------------ /---/ |
| |
------------------------------------
A. Camera Mount
B. Hidden Voice-Activated recorder & printout link
C. Display Monitor
D. Options buttons
E. Card Slot
F. Receipt Slot
Your machine may vary slightly. But the concept will almost always hold true.
Simple rules for each.
A. Wear a paper bag or mask. See also Part II A
B. Do NOT speak. This is the most crucial part! See also Part II A
C. Nothing
D. Wear gloves
E. See Part I
F. TAKE YOUR RECEIPT AND BURN IT!!
One of the neat flaws in many machines made prior to 1989 involved the
use of the "CANCEL" button. This button was made to be pressed when the
user decided, at any time during the transaction, that he didn't wish
to continue. The display would jump immediately to:
"TRANSACTION CANCELLED - CHOOSE ANOTHER?"
This was all well and good, but the machines did not disable this feature
between the time your cash was dispensed and you were prompted for your
next activity. In effect, you could push the "CANCEL" button after your
money has been withdrawn and it would not be added to your account record!
THIS STILL WORKS IN MANY PLACES! OVER 85% OF ALL MACHINES MADE BEFORE MAR. 1989
STILL HAVE NOT BEEN UPGRADED.
Although most machines of that period would only work if you were withdrawing
amounts larger than $20 (usually $25 is the next possible choice!)
This is ideal if you are using another's card!
II A. CAMERA/SOUND HARDWARE
You can go other routes when dealing with camera systems. You do not have
to wear a bag on your head (unless the cosmetic improvement is quite large)
Thin alloy metal such as common aluminum/tin foil, which are full of impurities,
react in a bizarre way when photographed through the special lenses that are
commonly used. The effect is to "blur" or "bleed" the image, rendering it
indestinguishable from an accident in your local Sherwin-Williams store.
Most people prefer to make a "headband" of this metal, lined with copper
wire in a sine wave pattern when accosting a machine. You should
seriously consider this possibility!
For further reading on this subject, consult:
BANKER'S WORLD - Apr 1989
"Where Have All the Dollars Gone?"
pp 24-29
P. I. - Apr 1989
"The Last Straw"
pp 37-41 (p 38 in particular has a nice
diagram. Fig 1)
Sounds, these articles also suggest an indirect method of dealing with the
voice-activated recording device. Oddly, a pure square wave tone (roughly
around 3100 hz) will cause a major screwup in the sound-sensing abilities
of the recorder. It usually will have to be replaced. Suggested volume,
given at 6" range is 8.5+ db. Obviously, anything louder will do.
An interesting side-note is that this has become a past-time of suburban
teenagers!
Well, hope this gets you started! More will be coming in the next
exciting file!
---------------------------> OVER AND OUT! -----------> COUNT ZERO
HAHAHAHA NAPPA IS A BUNCH OF FLY-BY-NIGHT LOSERS, EH CONFLICT?!
Call us on:
HYPERCARD BBS (406) 538-2101
1200/2400 BAUD
(CHiNA Node #3) SYSOP: GEORGE VON JUNGLE
FAWLTY TOWERS (202) 781-6420
2400 BAUD ONLY
(CHiNA Node #9) SYSOP: BASIL FAWLTY
A big hello to:
Rubix the Cube, The Conflict, Monalisa Overdrive
----------------------------------------------------------------------------
R.O.L.M. Sorcerer XII PBX Remote System Control CHiNA
By... The Conflict
INTRO : I know right off you people are thinking, "How in the Hell
do I know if I am calling a R.O.L.M. Sorcerer XII PBX?".
Well, that will be covered here, along with all system
commands available on that PBX.**Of course, this file is
meant for educational purposes only. We at CHiNA hereby
waive any legal reprimand due to misuse of the information
contained in this file (so there!).**
HOW : A R.O.L.M. Sorcerer XII PBX has a unique answer; thus, it
IT is quite distinguishable from most other PBX's. I will list
SOUNDS some PBX's with similar answer devices at the end of this
section. The Sorcerer XII's answer consists of: A.) No
ring, B.) A short diverting tone of 2600 Hz, and C.) A
standard, no interrupt AT&T 4.2c dial tone. Unfortunately,
there are four known PBX's that have a similar answer device,
but not exact. These four are as follows: A.) R.O.L.M.
Sorcerer III, B.) SouthWestern Bell WizSys I, C.) Northern
Telecom SL-Net V, and D.) Siemans WebLink v.Ia. The slight
differences between these systems answer devices are the
dial tones. The dial differ either in tone, volume, or
interrupt/no interrupt. With practice, you will find the
Sorcerer XII easy to distinguish.
WHAT : Now, most often Sorcerer XII requires a four digit code, but
TO DO this can be altered at the source, so it is not entirely
consistent. To be able to utilize the Remote System Control
(RSC from here out) commands, you must obtain the System
Command Code. The System Command Code consists of the
original number of digits plus a two digit authorization
check. Thus, if we were dealing with a four digit Sorcerer
XII system, we would find the four digit System Command Code
followed by two more digits. *How do you know if you have the
first set of the SCC?* A four tone confirmation, similar to
the one given by ASPEN VMNetworks, is given when you have the
first digit set of the SCC; then, you must discover the two
digit confirmation code. The confirmation code is updated
every week. Finding the SCC is not going to be easy, as you
can not utilize a cutesy code hacker on your computer.
Essentially, the process will take dedicated hand hacking,
and scanning for that matter.
SYSTEM: Since this is a PBX, there are no voice instructions; thus,
COMMAND you must know what the hell you're doing! After you have
LEVEL obtained the correct confirmation code, two short beeps are
transmitted. This is your cue; you're in! The commands are
two digits followed by the asterisk (*) key. Since there are
many commands, I will list only those which are essential to
your life and needs. You can experiment with the other ones.
07* - input 1, 2, or 3; alters error transmission. 1 is fake
carrier, 2 is fast-busy, 3 is sweep-siren.
19* - allows removal of codes from the programed code array.
You must enter the code to be removed, followed by the
pound key (#).
20* - allows insertion of codes. You must input the code,
followed by the pound key (#). Be careful, as a
precise log of all code insertions is kept.
43* - enables calls to toll numbers, such as 0700, 1900, and
976.
44* - disables calls to toll numbers. Be sure to disable
the function immediately after you are done with it.
If it is left on, the administrator knows what's going
on and will investigate.
73* - enables making log of all calls placed through Sorcerer
XII lines.
74* - disables making log of all calls placed through
Sorcerer XII lines. Once again, disable 73 if you use
it, as it is obvious to the administrator what's going
on.
99* - disconnect from the system command level. Make sure
to do this before hanging up, as it will hang the PBX,
and things will definantly be switched around.
Have fun, be careful, and take it easy. All the information included
should be enough to provide hours of safe enjoyment. If you have any
questions for CHiNA concerning anything, give us a call at one of the
below-listed CHiNA Nodes. Spread this around!!!
Tinsel Town Rebellion 12/24/96
713-451-9548
The Forbidden Passage 12/24
713-774-0449
Optical Illusions 12/24
713-578-0722
The Ultimate Revolution 12
713-492-0438
Later,
The Conflict
<CHiNA>
Thanks go out to Maxwell Smart for acquiring a partial R.O.L.M.
manual; Count Zero for being a swell guy; The Viper for giving us a
'home'; Monalisa Overdrive for anti-procrastination support; and last
but not least, NAP/PA for instilling in us a realization that we do
not want to do nothing!
------------------------------------------------------------------------------
-- InfoFile on Operation Wolf -- CHiNA
As most of you have now heard this wonderful long awaited game suddenly
was released, but not by Taito, FiRM, PTL or MCM, but by a guy named General
Zaroff.
If you downloaded this 'game' somewhere then you probably noticed that it
said it was cracked by PTL. How can PTL crack a game when it hasn't even
been released out on the market, according to The Viper he called Taito and
they told him that it wouldn't be released until the third week of July.
Therefore this guy obviously did this to frame PTL (against FiRM)
General Zarhoff (also known as The Gipper) did this Sunday I do believe and was
stupid enough to put it up on his own board (where several people downloaded
it) and then proceded to upload it to The House of Phreaks and you know how it
goes it was easily distibuted around.
This guy can be found around a few boards but you can pay him a personal
visit on the board he runs Crystal Chasm (408) 997-9107 CASJO. I didn't
think it would be neccesary to post his Voice #, Address and Real Name.
o What the file does o
When you first run the program it will tell you that it is PTL. Next
it will ask you for your graphics mode and sound ability. After that it
will clear the screen, delete Config.Sys Command.Com Autoexec.Bat
IBMBIO.Com IBMCOM.Com and then it will lock up.
The files are Wolf.001 Wolf.Exe Runme.Bat Title.Ptl The rest of
the files on disk one are useless garbage and on Disk 2 the entire disk
is all docs.
I hope this file helped to prevent the use of this program and make sure you
keep a look out for this guy because he is obviously wanted by PTL and FiRM.
Created by : Maxwell Smart
Thanks to : The Viper and Master Ryu
(another CHiNA original)
-----------------------------------------------------------------------------
---- Exterior Terminal Telephones ----- CHiNA
by... The Conflict....
Salutations and welcome to CHiNA InfoFile #5. What are
Exterior Terminal Telephones? After reading this file, you should
understand what an ETT is and how to manipulate it to your liking.
We at CHiNA are supplying this information to educate the user.
We do not condone implementing this information for illegal use.
We at CHiNA hereby waive any legal reprimands which may be
directed at us, and the USA protects us with its First Amendment
priveleges (SO THERE!).
Exterior Terminal Telephones are the extension phones located
at various locations. Some commonplace locales include secured
apartment buildings, small office buildings, or buildings with
after business hours time locks. An ETT is a branch off of the
building PBX. Most often, you dial in a four digit number, and
the phone processes that and dials the seven digit pre-suff for
your extension...the dial mode is commonly pulse. Remote tone
controls often control security locks. Logically, if you seize
the dial tone before any call goes through, you can call out
using the PBX. This can be easily accomplished using a portable
dual-tone multi-frequency generator. Either you can pre-record
the destination numbers on a portable cassette, or you can
contruct a portable DTMF generator.
----------------------------------------------------------------------------
Cellular Phone File - #1
written, created and tested
by Count Zero
{CHiNA}
This simple (?) mod has been tested on the:
UNIDEN CS-1000/1200 Series Cellular
MPPS Red 12/13 (Pretty much same as above model)
and has proven effective for over four months running. However, (yes, here
comes the big disclaimer...)
----------------------------------------------------------------------------
D I S C L A I M E R
CHiNA and its members claim no responsibility for irresponsible
use of the information and designs contained herein. This file is being
presented on a "for knowledge's sake" basis to the members of the modemming
community at large. Any use of this file except for educational and
operational efficiency purposes is hereby forbidden.
So there!
The Conflict * Maxwell Smart * Count Zero * Monalisa Overdrive * The Viper
& Rubiks the Cube
----------------------------------------------------------------------------
What this mod does is prevent a correct unit identification code (called UIC
from here on) from being transmitted. The messages sent to and from the
local transmittal stations should be surpisingly familiar to any one of our
readers.
But here's the mod and a bit of theory that I used to discover it.
(1) Your individual UID is "burned into" a simple 8x8 EPROM that may
be erased and "re-written" to accomodate a new code. This may be
difficult, and in fact IS difficult because you will have a lot of
trouble finding where it begins and ends.
(2) The contact sequence when you first power up the unit (which usually
goes on while the handset's "NO SERVC" or "SVC UNAVAIL" is lit) goes
like this:
YOU A0 A0 A0 A0 A0 A0 A0 A0
IT ACK or NAK (up to a max of 4 times)
YOU 12 3A + UID
IT 12 3A + UID
YOU ACK or NAK
IT 00 00 00 or FF FF FF
(Available / Not Available)
The best route to handle this is to FORCE your system to ACK when asked
if a false code is its code.
The following should outline the procedure:
You will need:
* A Temperature-Controlled Soldering Iron
* Rosin-Core Solder
* Solder wick (for you slobs)
* Pair of Diag-Cutters (or wire-cutters)
* About 15 minutes of time.
Step 1 - Unplug the unit and allow to sit for at least a half hour to allow
all capacitors to become completely discharged. Also, as a
precaution, "discharge" yourself on a common ground (no woolly
socks, ok?) Remove cover from "handset" portion (yes, the one with
the keypad)
Step 2 - Locate the indicated EPROM should have a serial number that begins
with an "IA" prefix and will be noted on the circuit board as
"IC4" or "IC5". Given this knowledge and the following picture:
+5v -!-------!- GND
-! IA... !- RST
-! !-
+1.5v -! !-
IC4 D1 -! !- D5
D2 -! !- D6
D3 -! !- D7
D4 -!-------!- D8
...you should be able to find it.
Step 3 - Cut the D1 pin and pull completely back from the motherboard at
a 90 deg angle. This will not interfere with your system messages
but will disable any "odd number" from being sent! Thus your code
alone will come out false.
Step 4 - Locate the following components:
R14 - Resistor #14 1.5 ohm
Cut and jumper with solder and small gauge wire
R15 - Resistor #15 3.5 ohm
Cut and replace with 1.5 ohm from previous step
C22 - Capacitor #22
Cut and leave out!
Now make sure you have no "cold" joints and all soldered points are secure!
If you are going to screw up at any point in the procedure, this will be it.
Make sure to double-check your work! I don't want anyone weeping to me
because their handset if now fused to their right ear!
Step 5 - (explanation of Step 4)
This step "forces" the system to send an ACK (by routing the NAK
trigger through ACK output) and thus verifying the bogus code.
Step 6 - Reassemble handset.
Just a hint, do NOT go overboard on your calls as these calls are not free,
they are just being billed to another person's code (if it is a legit code)
Again, re-read the disclaimer.
Step 7 - Operate the unit normally.
TROUBLESHOOTING:
Problem Solution
* NO POWER Be sure all power leads were reconnected
correctly when you put the handset back
together.
* STILL GETTING CHARGED FOR Cut the correct pin from the IC!
CALLS If still getting charged, cut D2 The House of Phreaks and you know how it
goes it was easily disuted around.
This guy can be found around a few boards but you can pay him a personal
visit on the board he runs Crystal Chasm (408) 997-9107 CASJO. I didn't
think it would be neccesary to post his Voice #, Address and Real Name.
o What the file does o
When you first run the program it will tell you that it is PTL. Next
it will ask you for your graphics mode and sound ability. After that it
will clear the screen, delete Config.Sys Command.Com Autoexec.Bat
IBMBIO.Com IBMCOM.Com and then it will lock up.
The files are Wolf.001 Wolf.Exe Runme.Bat Title.Ptl The rest of
the files
