Mental Outlaw is the ultimate advocate for the Amish community.

the more I I learn about electronics the more I understand why most IT experience people tend to use as least amount of technology in their personal lives

Important things like this should be provided directly and ideally manufactured in the country using them. It’s silly to think our government and their contractors do stuff like this to save time and money when they could just hire a few more people to audit things as well as work with a local manufacturer

It's crazy how well social engineering and just standing around with boxes works

Quite common in Brazil. They swap the reader thing, usually from a gas station, with a hacked one. Then wait for the harvest. Got mine stolen once. 3 purchases at 1am. I was awake at the time, my bank sms me all purchases made over R$50, so I knew immediatelly, called my bank, cancelled the transactions and cancelled the card in like 20 minutes.

speaking of malware, youtube has been serving ads of "free games" websites, witch serves malicious fake installers, double packed MSI installer with a small c++ program (and some accompanying 7z archive with a password i couldn't find any ware) that fucks with your DNS config and bricks your internet connection, reminiscent of most of the malware you'd find on TPB back in the day

Great timing. Pulled a fake keypad off my local ATM two days ago. Sneaky bastards

Ah yes, Amazon special Chinesium smartcard reader for DoD CAC authentication. What could possibly go wrong?

This reminds me of the Despicable Me meme: "First, identify smart card reader used by military. Second, get access to vendor's website where drivers are hosted. Third, infect it with well-known malware that's being detected by most antivirus software."

A company I worked for just gave everyone a laptop with a smartcard reader built in. Much finer control for them. We also used RSA keys and a password. I don't think you can get more security for online identification than RSA keys

Actually government laptops are specced out to have CAC readers in the laptop, so not external reader is required. We also have cac readers within our keyboards, so a government employee should never have to buy a reader.

RFID can be intercepted from a man in the middle attack! It’s so unsafe

I cannot believe an IT person who works for a big IT company did not know about file signatures. When I download things like drivers from any vendor, I check the digital signature of the EXE and DLL's before executing the installer. In fact, I check this before buying a piece of hardware that requires driver installation. I visit their websites and download the driver file before buying the hardware, and check if the EXE is signed. If it is not, then I buy from a different company. I also did not expect so-called "smartcards" are just a mere password card, that if someone else read it, it gets compromised. I thought it would send some sort of calculated result so that only the device that has a previously agreed data can verify its authentisitity, like a bank OTP device. If it is just sending the same data whoever the reader is, why is it called "smart" card? It's a dumb card.

Thats the CAC (common access card), something that pretty much every US military personal will use, along with everyone who works for the DOD. One thing I find weird here is the "drivers" you need are actually DoD certificates, otherwise CAC enabled sites won't load. (Though I'm pretty sure this is just so your local FBI or NSA agent can watch your activity easier) The one positive thing is the DOD has been issuing out laptops that now use VPNs, and already contain a CAC reader built with the certificates you need, and are continuing to improve their OPSEC mostly due to the fact that having people work from home during COVID instead of a secure office has forced them too.

I work for a publicly run employer in the uk that's one of the largest employers in the country (work it out). Our smart cards for accessing the country wide databases uses an active x control in IE . The config file for this still states " do not change any settings as all settings are the same for windows 95 and NT " , smart cards are not secure !

Congrats on 300k. Thanks for spreading the information that actually matters!

An IT employee for a large government contractor bought a smart card reader. This is what happened to his highly sensitive data.

I've been in the military for nearly four years now. I'm happy to see that I've never seen any of these kinds of cac readers for sale, especially at the physical stores and gas stations.

Saicoo Card readers, proceed to place a Yuan symbol on the online payments sign and encourage employees from the DoD to use it. It is obviously a Chinese spy tool, lol.

You could use a regular Android phone to “copy” and “paste” the balance of a subway card in Moscow. That’s how I got unlimited rides lol.

You never cease to surprise me with these interesting vids, keep it up!

"Security products company with unsecure website", yep, sounds about right.

What kind of a brain dead govt agency would actually deploy workstations that don't have internal smart card readers? Oh right, quite a lot of them

Man your content is just awesome! I tell everyone to check out your channel

I always thought there's a private key in each of them, and therefore you cannot duplicate a smartcard by listening to the traffic. It's just common sense! RSA has been around since the 70s. Guess I was wrong

I used to work for a DOD contractor. We where super strict on card readers and lucky we never had this issue. All of our external readers where provided by a trusted vendor.

In Brazil is very common in sales fairs and at gas stations , they modify they payment machines and insert some msr90 board or something like these on the video , criminals call this type of modified machine as "chupa-cabra" . And they also use jammers for block gps signals from the cars and than steal , they typically call this type of jammer as "capetinha"

Properitary drivers be like:

Excellent video 👌🏻🔥 love the demonstration clips you got, I make videos sometimes and getting footage online like that takes a lot of work😂 keep it up man 💪

Another good example would be the Hak5 usbs. Think Mrwhosetheboss did a video on those, but all someone would need to do swap out a smart card reader that looks similar enough to whatever actual smart card reader you're using, and then they have access to all your credentials.

This would not have been a problem if the drivers where open source

Mental outlaw is either the biggest redhat or straight works for feds lmao

thanks for the updates as usual outlaw!

What is so hard about using pgp smartcards? Nonce in, signature out, access granted, no way to copy anything.

Please make a video on how the internet of things will ultimately destroy the human right to privacy and make us subservient to the surveillance state. I do know you briefly touched on it in your Guide to Escaping the Botnet video, but an in depth video would be really awesome and do us a great public service.

Great video. So true. This can be a major attack point, especially in Pubic or private institutions.

When I was attempting to enlist in the army, all their laptops had a card reader built into them.

wow... Thank you for the video!

Modern rogue footage, hell yeah!

I don't know about the authenticity of the web site you presented that had that card reader listed as recommended. In addition, any contractor that allowed average users local admin rights to install random drivers for crap wouldn't have their ATO for long and thus wouldn't be contractors for long I can tell you that much. Furthermore, when I contracted Federal IT I know we couldn't just hand out random garbage even for peripherals. There's actually standards in place that prevent even the purchasing of computer equipment from mainland China. Even the cards themselves are single sourced from one company to meet the HSPD-12 requirements.

Also, RFID/NFC/proxy cards are a different technology than smart cards

I love how the credit card companies decided to update their older cards to a much more VULNERABLE card. It’s like they WANT everyone to get their cards compromised. Plus I betcha they do, because they are most likely directly connected to those “credit monitoring” companies and they get more money from them every time a card is compromised.

That employee helped their company dodge not just a bullet,but an entire fucking nuke.

gratz on 300k

I like to think that the hackers have a handful of weird dumps where they have no clue what the card is for, what the data is about or how to use it While in reality, it's stuff like Pokémon print kiosk cards or someone's memory card that holds a script to install the network driver for an industrial computer

The first bag you posted is the good one to protect against rfid. They have larger sleeves too on amazon.

so. this video gives me an insight of why my military laptop (Latitude Rugged Extreme 7214) has a reader for those cards, both contactless and slot to insert the card

Grats on the 300k

Nice modern rogue cameo

When I worked as IT, we had a lot of people doing work from home stuff. We had protections against this and actually survived the Kaseya Ransomware attack because of a tool... which for the life of me I cannot remember the name of. It essentially worked as a DLL and EXE whitelist - we had a contract with the developers to ensure they updated our whitelist with the file signatures of executable files that came from reputable sources such as Microsoft, Adobe, Chrome, etc, that we'd use on a day to day basis. Everything else would be hard blocked, across all our devices. It would most certainly have protected us against smart card readers with modified drivers. Though, one time, we had a whole day of printer issues because microsoft did a silent patch to Edge, which was responsible for ensuring PDF files print correctly from edge, so we had a day of nonstop printer issues, but it was a small issue :/

I work for a security company where we make security cards. A lot of high security places are moving to cards with an encrypted chip where it stores certifications, your fingerprints, and your photo. Similar to CAC cards. It's fully encrypted and the card is tied to the facility and the readers. The card you showed is a PIV-I card. It's very secure. The government is slowly moving to this. You need a scanner, that isn't just a reader, but one where you insert the card and it reads the chip. It's all tied to the individual. As far as readers go, use an HID reader. Our company has tore apart the drivers and such, and they are secure. For common smart cards and card readers, yeah. It's easy to hack. People are always the issue in security. But there is smarter - smart cards.

had no idea that people could just buy their own hardware like this for security critical tasks. should at least have a list of hardware that you need to purchase from or something.

Love Mental outlaw keep it up 🖤

"curbs on security " 😂🤣😂🤣😂🤣😂🤣😂

Yeah, I totally believe that a "hacker" compromised their download page. Nudge, nudge, wink, wink. Pull there other one guvnor.

My trusty ACR122U is always packed with my laptop when I'm on vacation :D Most of the card readers are just connected to "psychologically" give a false sense of security, nine out of ten times they aren't even securely wired!

I suspect they are doing the same thing with Smart Lamps selling on Amazon that are impossible to beat on price but force you to allow access to your local home network traffic. Might be useful for a researcher to take a look at it, which I can use the time to jump deeper.

The company one of my friends works at provides laptops with built in card readers, they also have cell tower service so they don't have to connect to WiFi while they are not at home

Congrats on getting that shout-out from Mutahar yesterday!

Thanks for this helpful identity theft guide

As always, everything is super. Waiting for new cheats from your te

I believe new most Access cards/fobs systems now have 2 steps; meaning not only does the card provide a password to the opener, but the opener also put a signal back to your FOB and if your FOB cannot correctly verify the signal coming from the opener then the gate stays locked even tho the FOB has the correct access code.

This is sooooo dangerous.... So many people need to know about this..

I choose to live in a cave at this point.

As someone who works for a company that installs card readers in high security places, we only install swipe cards and we demand that we use cables rather than wireless transmission. Our system also nullifies cards every 2-3 days, so you have to get a new one at the reception.

a long while ago people used to use coiled copper rods to extend the reach to their sleeve.

My ThinkPad has a Smartcard reader. And there seems to be some tricks to read out the data anyway I want. Would be great to have this tool with me. I also think there is an RFID reader in that laptop... Which should be able to read some more information.

Now those cc reader signal blocker sleeves finally have a purpose😆

Oof, I was in the Army and never knew about sus drivers... fortunately I bought mine at AAFES and needed no additional drivers but I did need all sorts of security protocols.

Small detail, a large number of Amazon reviews are fake but you’re correct in assuming at least half of those are actual purchases. There’s some sites that will scan listings and tell you the percent of fake reviews

The first part is about RFID/NFC tech The 2nd part is about Smart-Card tech

things like these need OSS drivers with signed binary releases. Virustotal is not magic, it is rather easy to write undetected viruses, especially if their only job is to upload the smartcard data to a server. That is not even the definition of a virus, that would just be a modified/hacked driver

Eyy mahn. Can you give me advise or sense of direction, Im trying to setup NAT Network for Windows virtual machine. Using QEMU/Virt Manager on a Debian system. Thanks in advance, I appreciate your videos bro

In Brazil a guy managed to switch his card reader with gas'tation's card reader and recived 3 days of payments before be catch.

I prefer the battering ram method.

This is exactly why we need open source drivers period.

Military contractor here, these types of CAC readers are used but not sensitive information, at most the hackers would be getting some PII. More sensitive information is still only able to be reached at your base with a different type of CAC :-)

And this is why physical security, with human security, will never be outdated.

This is unbelievable... #stoptheoutsourcing

Thanks Jayson Tatum 👍

I used to work in an IT department of a hospital and they used card readers in-house and 2fa when working from home, worked better imo.

Or employees might have to scan both their card and fingerprint to enter a door while cameras monitoring the door will raise the alarm if the person’s face is obstructed with something like a mask or if it detects a face other to the face of the employee linked to the card signature and fingerprint provided! :)

well, that proves to carders that they should also be careful when buying their MSRs and omnikeys online (that if they aren't working out of the box). i wouldn't be surprised if mental outlaw one day participated in a talk at defcon or blackhat. I was wondering if you can do a video about sim card hacking or corebooting modern desktop hardware (such as: ryzen 5000 based motherboards)?? thanks for your great content.

Smart cards are not vulnerable to replay attacks. They use the algorithm of challenge-response. They have another set of vulnerabilities but not that one.

Something I leaned is that windows will go out and get drives for some things if the driver is proper signed. My guess is that when they made that drive it was but now it is not and that's why they had to manually install it.

I encountered something similar getting drivers for an old fujitsu laptop, I used the (supposedly) official fujitsu support page, but after downloading one installer, even windows defender detected a trojan in the driver.

Badge cards typically must be used in very specific manners the closer they work with government controlled data, such as PII, PHI, or official data. Though if a company isn't having this enforced on them it's pretty typical that they will use whatever. You'd think banks in particular would take more care to protect their cards for example, but it seems that rfid chips in cards are quite compatible with thief scanners.

You'd think most companies/governments would have some sorta deal with a tech trusted tech supplier instead of simply paying staff to buy whatever they want.

I once saw receiver that can read card from like 3m away. They used it on entrance to private community. You can just place card under front window and it will read it no problem

i feel like I’m watching a DedSec tutorial video

The company I worked for had smart cards but they supplied laptops that had the readers already installed. I would have figured the government would have done the same.

yeah, but if I wanted to break into a building I would rather bribe a janitor to copy their pass vs having my face on camera intercepting their card.

Subscribed 👍

"Kerbs on Security" lol...

“You can sell pretty much anything on Amazon.” *Slowly pulls out my rotting body bag* “Well, almost anything.” *Slowly puts back away my rotting body bag*

Holy kitty cats! This kind of stuff is why I tape over the selfie lens on my phone camera, etc etc.. Dumb question: what would one of those readers do with my debit card? (...and download drivers via dropbox???)

Even easier, just walk behind someone who goes into the office building. They will probably hold the door open for you out of politeness.

Bringing hacking into the mainstream one video at a time

I feel like if a weird creepy guy with too many bags was pretending to make a phone call next to the card reader I would wait for him to leave or try to make things awkward so that he leaves.

also having more than one card helps - cross signal protection