Slashdot Mirror
Fake ATM Fraud Expose
santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."
Use banks you trust and use ATMs [or ABMs as they are called in Canada] at banks you know and trust . I'd never use a whitelabel ABM since not only do you get a surcharge but it's very easy for it to be a fake.
This isn't foolproof but much safer than using random whitelabels you find in Apu's Mealbar.
Tom
Someday, I'll have a real sig.
If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.
Perhaps I should just go to the barter system. "I'll give you this cow for that rack mounted server."
*
troll blacklist. Please mo
Of course, the new fad is to fake elctronic voting machines and elect myself to be a president
So, basically in the end, anything they do to protect me, and anything I do to protect myself (short of becoming a hermit and leaving society altogether) will still leave me wide open to identity to theft. I guess I could enter a bunch of wrong PINS in the ATM.. but then the ATM would eat up my card. Maybe I could covermyself in a black trashbag and cover the front of the ATM with it, but then the bank will be like: WTF. Hell, the thieves have already installed false fronts on the ATMs, so what choice do I have?
.. I hate it when my leather wallet starts to rot.
I guess I could start using paypal. I mean, they're safe? They probably don't have evil workers at paypal enjoying a quick id. theft, I hope? Maybe, I could just start using cash again, but where I live I'll get mugged. Shoot, if I carry cash, I've even got the possiblity of washing my pants with my money in it. That's worse than having my idenitiy stolen. Seriously
Screw it. I'll be a hermit.
So why is this? Is it because slashdot it getting too many articles submitted (and/or not enough staff)? It would be interesting to read an article from the Editors about how the whole process works (and get suggests from the audience).
One suggestion I'd have is delete submissions from the previous day and start anew.
Luck!
I have a very small mind and must live with it.
-- E. Dijkstra
ATM fraud like this has been reported at least since 1988. Ross Anderson presented this at a conference in 1993 Why Cryptosystems Fail mentioning that:
The fastest growing modus operandi is to use false terminals to collect customer card and PIN data. Attacks of this kind were first reported from the USA in 1988; there, crooks built a vending machine which would accept any card and PIN, and dispense a packet of cigarettes. They put their invention in a shopping mall, and harvested PINs and magnetic strip data by modem... in 1992, criminals set up a market stall in High Wycombe, England, and customers who wished to pay for goods by credit card were asked to swipe the card and enter the PIN at a terminal which was in fact hooked up to a PC.
This is really more of a problem with the lack of attention to such security issues on the part of banks than a new type of crime.
Fake ATM Fraud Expose
The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash...
Ok, tell me again where the Fake ATM is?
Actually, I have always wondered about these little ATMs that I see in random places. Just walking by the machines makes me nervous!
Best part in the entire article:
The U.S. Secret Service says the following people are wanted for questioning in connection with the $4 million ATM heist described in Dateline's story:
Bella Magary
Hungarian white male, blond hair, 5'6", with medium build, aka Bill Gates, personal ties to California.
As fraud has increased, I've resorted to using only ATMs at the various branches of the bank I'm with, and I've switched (back) to using credit cards instead of debit cards for point-of-service purchases, so that if I get defrauded, I end up with a huge CC bill (relatively) instead of an empty bank account.
The Doormat
If you're not outraged, then you're not paying attention.
With every bank trying to screw you for using any ATMs other than theirs, and with the level of acceptance of credit cards nowadays, who needs ATMs anymore?
It used to be that when I travelled, I carried a fair amount of cash with me. Not anymore - I simply find that I don't need it - gas, food, lodging, all are put on the credit card.
Furthurmore, should I feel the need for cash, my local grocery store allows me to get cash back from a credit card purchase. I simply make a habit of getting $40 back when I buy groceries, and then keeping about $200 at the house. Thus, I rarely if ever need an ATM under normal conditions.
It is pretty stupid - I am sure running an ATM costs a bank far less than paying for a teller, but they seem bound and determined to drive us all away from using ATMs.
www.eFax.com are spammers
A couple of my troops have ran into these fake ATMs in Tijuana. The fake ATMs have been there at least a couple of years from hearsay. Nasty place.
This guy is way out there
Here in New Zealand we have major bank monopoly which results in 4 banks owning the market, with very excessive charges. But as a result ATM fraud is virtualy non-existant. But internet banking fraud is at an all time high. Go figure.
On another note, this is old news and has been around for years but it suprising its still so rampant, I guess the banks must be putting most of the cost on the customers as is indicitave of their inaction.
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
Basically what you have to do is avoid random ATMs and only use ones from banks you're familiar with. This can be hard in some places but in general it doesn't take a whole lot of effort and can potentially save you a lot of trouble later on. If your ATM card gets frauded you're largely fucked because the burden of proof relies mostly on you instead of the bank, unlike credit card fraud where the company has to be able to prove that YOU went on the spending spree and not the guy that stole it.
You see credit card fraud hyped up in the media all the time, but with almost every credit card you're liable for no more than $50, whereas ATM card fraud is always mentioned as a footnote when it can really screw up peoples' finances!
There's a cool 10 minute Dateline documentary linked from the original article. They took a former criminal (two convictions on his record) and had him buy an ATM machine... and then he set it up in a public place. Tons of people were using it!
...and a magnetic card reader on it. LOTS of people were swiping their cards through it, oblivious to the fact that it wasn't cleaning their card, but it could have been snagging their card number. A nearby camera could grab the CVS number off the back of the card. Another camera could get their PIN number.... very good article / documentary.
Out of the 12 ATM vendors, only 1 wanted to do a background check - one vendor even offered to sell it to him without a social security number.
Then, even more disturbing... he setup a sign next to the ATM that had a card swiper that said FREE! FREE! Card cleaner!!
note: The video requires an MSN Passport account (free)
What good does it do to shoulder surf PINs anyway? You still need the card.
I guess having part of the equation gets you a step closer, but the criminal strategy becomes far more complicated once you add the requirement of pilfering a card (close physical contact, a criminal act with each individual).
A secret service agent demonstrated how to steal someones ATM card and PIN. She rigged an ATM machine that she bought from a website to not accept the pin entered and to not eject the ATM card. When the user was trying to re-enter his pin, she came over saying "This had happened to last week, I found that if you re-enter your PIN and hold down the enter key for 5 seconds it will work." Of course she watched the 4 digit PIN he entered, and when it didn't work he eventually just left. So she then took out the card with tweezers and now had his ATM card and PIN. The thing is... If she bought this ATM and had rigged it to not accept his PIN, why not just rig it to store his PIN and not eject the card? I mean is the secret service really that stupid to use such a dirty method? Anyway, it was very stupid.
Bank of America advertisement about ATM makes sense now.
In efforts to do so please email fraud@infiltrated.net and include your full name, social security number, all known credit card numbers, and let us do the rest.
We promise to give you the experience of a lifetime. At Politrix we don't just secure we test your account against the strictest policies. Using our patented SHAFT -- Securely Handling All Farking Technologies -- Politrix will order $10,000 worth of products. If we suceed we know you arent secure.
Call 1877TRIXSTA for more details choperators are standing by... A payphone in Times Square
MoFscker
A card cleaner was installed next to the machines...hahaha.. How about installing a brain cleaner to clean stupidity?
WARNING:
ATM FRAUD
tcd004
If someone wants to obtain access to easy credit, the easiest way is to simply steal people's wallets, which filthy street urchins have been able to do since the beginnings of civilization. You don't need to spend time and money to construct an ATM, as a few 13-year old delinquients in a crowded area like a shopping mall can obtain credit cards much quicker than that.
A lot of times, bank cards can be used as credit cards, and only require a signature that is seldom ever checked against the one on the back of the card inside the US, though in the EU they actually do it. The PIN number is hardly ever needed, but all that is required to access it is a quick phone call to a bank. Just walk into Best Buy and go on a shopping spree and hit credit on the little number pad, and all they'll ever do is make you sign a receipt.
Seperate accounts.
I've done this for a while. I have an account in which I pull out money I'll use to write checks for bills, Paypal, and to pull money from the ATM. This account usually only has another $1000-1500 in it that what is necessary for the bills.
I have another account in which the money is meant to sit there unless there's an emergency. I can write checks with this account, but I never do (so if there's a check written from it on my statement, I'd call the bank ASAP). My ATM isn't tied to this account. Paypal will never it ever exists. And half of the money is always purposely tied up in fairly short-term CDs.
-----
The articles has some handy tips for avoiding scams."
That's nice, but what we really need are tips on how to set these scams up.
I'm unemployed.
I am a viral sig. Please copy me and help me spread. Thank you.
You can, with ease, open up a second with your bank... where by the 2nd account is used exclusivly for online transations and getting the odd bit of cash.
1 primary card for your paycheck needs, used only at trusted locations, like your physical bank, card stored at home preferably in a safe.
1 secondary card which can be termed a petty cash card, where you may transfer funds to it on an as needed basis, for mail order items for example.
I'm not saying that this system is perfect, but offers some minimal protection, and can be implemented by going down to your bank and opening up a second account. If lost or stolen, well you loose you may loose your petty cash, but hey could be worse, far far worse.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
...is mere greed. I mean, shit, $4 million in theft? Come on, guys, get a clue! A mere half-million would have been enough to purchase a really nice house and car, go on a great vacation, and give a big chunk to charity. A million would have you nicely comfortable for life.
Four million, though? Damn, you deserve to get caught.
--
Don't like it? Respond with words, not karma.
I went up to Montreal two years ago to visit a friend, I used a 'white label' ATM at a chinese food joint and took out $20 CAN from my US account, the transaction ended up costing me upwards of $40 US, which is like $60 CAN!
And this was all legal, no recourse was possible. I wonder who made off with the 'big money' though, my bank, the ATM company, or the chinese food joint.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
I was thinking of buying a nice pistol for protecting myself and my 2nd amendment rights. Currently, I'm leaning towards a taurus .38 or .357 (double action), though a taurus .44 or .45 pistol is also a possibility. I'm also looking at a berreta 1911 pistol.
.357 or .44 is probably overkill for street self-defense. The stopping power is nice, but the recoil is a little on the high side, and when you figure in the adrenaline involved in a self-defense situation + muzzle recoil, you're probably not going to be real accurate with one of those things, unless you practice A LOT.
.40 S&W, or maybe a .357 Mag auto, but loaded with .38 Special rounds (yes, you can safely load a .357 Mag with .38 Special rounds). Either one should be available in a size and weight that's comfortable to carry and small enough to conceal.
.45 ACP, despite the "conventional logic" stuff.
Anyone have any thoughts on what they'd go with?
Conventional logic is that a 1911 is too heavy for regular carry, and too big to properly conceal, if you're going the "conceal carry" route.
A
I wouldn't go 9mm though, too many times I've read about thugs getting shot repeatedly with 9mm and still continuing to attack. See the famous Miami / FBI shootout stuff for more... long story short, the FBI used to carry 9mm's until some crazy doped up fucker killed 2 or 3 FBI agents after getting capped several times with a 9mm.
So what would I go with? A nice automatic in
Other than that, I'd go with a 1911 in
// TODO: Insert Cool Sig
Every time somthing like this happens, there is a cry to regulate by the masses, and then the Bank officials promplty fund the campaigns of the political powers that be to make sure that they are nice regulations.
I would not be supprised at all if this were intentional fear mongering designed to get particular policitians elected. What we really need is an attitude of - buyer beware and to let the market teach them a lession if they become too lax about financial security.
The problem arises when people have created false Interac machines, or scam your bank cards information from it. I use Interac probably 3-4 times a day, and each time, do my best to ensue I can see the interac terminal, which my card is being scanned through, to allow my self a *little* piece of mind.
0110100100100000011000010110110100100000011000100
I knew that there would be a way to pay my tution....
TANSTAAFL /tan'stah-fl/ [acronym, from Robert Heinlein's classic "The Moon is a Harsh Mistress".] "There Ain't No Such Thing As A Free Lunch",
From excellent karma to terible karma with a single +5 funny post...
These days, we can't trust anyone. I will set up my own ATM machine, and use only that one. I will also allow any Slashdot user on my "friends" list to use it. Or any stranger.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Here's some more info on the history of the Miami Shootout and the emergence of the .40 S&W...
// TODO: Insert Cool Sig
ATM's have long been such a target. Whne my bank back in NYC (Citibank) installed the old drum ATM's (try the code 1 1 2 3 5 :)), these rooms were vulnerable to people coming in right after you were done and hadn't signed out. Also the drum was weak, it would lose money around it's circumference and wasted your time for the end of day count to get your money back.
Of course the usual robberies occured in the rooms themselves, forcing individuals to "dip" and enter their pins. Or getting pin jacked.
Face it, we need these machines until the fabled cashless society kicks in. In the meanwhile, use your banks ATM (also avoids service charges). Avoid all other ATMs.
Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction. If you are uncertain of a particular ATM or get pin jacked, give over the one time PIN#. Later, visit their website to activate/deactivate that magic pin.
Hedley
Carrying cash gets to be a risk, and a hassle... it also makes it harder to track your spending habits.
Yes, everything you buy on a credit card could go into some giant big-brother database... but you also get a nicely printed statement at the end of the month. I find this makes it infinitely easier to see where your money goes. Some programs, like Quicken (Evil Intuit... Evil!) will even automatically put that data into a ledger for you.
Honestly, credit cards make it easy, and there's fraud protection if it gets snatched (prompt reporting helps). On the other hand, if someone gets your Visa Check/Debit card (connected to your checking account), they can empty your bank account lickety-split... and you can be out the whole amount, not just the first $50.
Yep... I find myself using the ATM less and less.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
What would your ATM say?
Yeah, 'cuz there's just no way i could use *nix to build a fake atm.
Retard.
I would prefer to use an electronic key that when interfaced with an ATM will happily raise any given number to my secret exponent modulo my public key.
For each transaction, my bank will send a random challenge to the ATM that only my electronic key can solve.
One of the tips I was sure they'd include would be to change Keep a watchful eye on your monthly statement, as well as your balance, and report any problems to your bank. to recommend that people sign up for electronic access (Quicken or web access) so they see the crooks' transactions within a day or two.
As the article mentioned, some people have enough money that they actually don't recognize the drop in the balance as significant, but they'll sure notice when their ATM card was used 10 times at 8 ATMs in 2 days :)
Mencken had it right. So glad that's old news.
The sheer number of independent non-bank ATM operators make it all but impossible for the public to know whether he is using a legitimate ATM or not.
Eventually, if the banks do nothing to address this problem, their credibility will be so eroded that no one will trust ATMs any more.
Maybe I'm alone here, but this doesn't seem like a very impressive return for their efforts, considering the risk. 50+ machines they had to install, 21K individual potential criminal charges they face, and for what? $4 million dollars. That's cab fare for the average CEO.
its just the design philosophy - if your designing a windows based ATM system you are automatically a retard before you even start. thus your whole design is going to suck and your whole way of thinking about the design is going to suck.
This comment does not represent the views or opinions of the user.
Three occurrences each of "PIN number" and "ATM machine" in the comments for this story.
Keep going!
...to lose $3800 and not even notice it!
Are we getting poor or what? This means that the average bank customer has under $200 dollars in their bank account. I rather think the it is more likely that each card was used once to get the max allowed money, which in often on the order of a couple hundred dollars.
On a more serious note, this is a security problem that has been talked about quite a bit in the papers, and the conclusion seems to be that the banking and ATM industry brought upon itself. They set up ATMs in non-bank, non-secure, standalone locations and expect the customer to just trust that these are real ATMs. Of course ATM suppliers are more than happy to sell them to anyone who will fork over the cash. To make matters worse, the banks have been training customers to fall for this scam. The motivation is, of course, greed. The banks get $2-$5 of pretty much pure profit for each transaction. Much of the risk for these standalone machines are assumed by the owners of the machines and the account holder.
The banks should just refund money to anyone defrauded by such a scam. Ideally, the people who sold the ATMs should be held responsible for damaging the nations financial network.
On a less serious note, I really think it is funny that they way the picture is labeled in the article it appears that the suspect is in fact part of the Secret Service.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
You cant copy a chipcard like you can a simple magnetic strip ... but as long as the interface is not on your own hardware, the card, they can still hijack the session and rip you off.
They need to start using cards with their own crypto yes, but they also need to put a LCD on the card so you can see the amount you are transferring (with some basic safeguards to ensure that the amount shown has to have been shown for X seconds before you can confirm, so they cant just flash a new amount on there just as you press the button).
I use Quicken myself... it's a very useful piece of software (running on my wife's Win2K PC, naturally). However, I did get burned by their undocumented boot sector writing when I had to rebuild said PC a year or so ago...
Intuit's missteps have been discussed to death in this forum, and while I dislike the hassles I was subjected to by their copyright paranoia, I appreciate a useful piece of software.
So to clarify: I like the program... I dislike the DRM (though they have forsaken that path, thankfully).
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Join us!
This guy is way out there
Guy moves fake ATM into position at the mall....hangs a sign on it that says "Temporarily Out of Order - Deposits Only -- Give Deposits to Guard on Duty".
:)
Guy stands next to machine in a fake uniform and collects the dough
a list of freaks is German officalism (english) there, a German page about the banking freaks is here
Often they fake only parts of the ATMs system in Germany (reading it at the door, putting slices of plastic on top of the keypads)
The laws are strange in Germany for that problem. But often if you can prove that it was not your problem, they give you money.
they want everybody to believe that it IS safe, but it is not.
In Malaysia last year, I saw a number of ATMs with signs next to them warning of precisely these dangers. The signs say, essentially, "Watch out for any equipment that may be attached to this ATM that appears unusual. And please be aware that you may be taking a risk by using this ATM at all." And one such sign was next to a machine inside one of those little rooms at a bank branch, mind you.
Breakfast served all day!
Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction.
The CitiBank virtual credit card account number feature actually doesn't work like you'd expect -- instead of being a "one-time" number, it's actually a "30-day" number. They set the expiration date to the end of the upcoming month to limit the time it's valid. I'm disappointed in the way it works, but the positives still outweigh the negatives so I still plan on using it until something better comes along.
Chip H.
"That's nice, but what we really need are tips on how to set these scams up.
I'm unemployed."
Become a congressmen. No one will suspect a thing.
Although I'm sure you probably didn't intend this to be a snub to people of Indian-descent, it was. Quite often I have people ask me which 7-11 I own, or where's my taxi simply because my parents are from India. It would be greatly appreciated if you could refrain from perpetuating this stereotype. I'm not saying you're racist or anything because I'm certain you didn't know how this affects some of us.
"Setup", "login", "logout", "logon", "logout" are nouns.
"Set up", "log in", "log out", "log on", "log out" are verbs.
Clearly what's necessary is to have a small keypad on the card itself, as well as a small CPU, a private key that is encrypted by the user's PIN, and the public key of the bank. That way, all communication between the card and the bank can be encrypted, and no unencrypted information is ever sent through the ATM.
Such a card would not be much larger than current ATM cards.
The worst fraud that could then be perpetrated is to have a fake ATM that deducts $20 from your account but without dispensing the $20. But that scheme would be very quickly identified.
It is not incorrect strictly speaking, but you have a point, it is poorly worded. BTW it was supposed to be expose with the accent on the last 'e'. Seriously though, get a life. ;)
Just another example of the media creating a culture of fear that keeps corporate America and our goverment in dough. 21,000 out of millions of American's, not much to worry about.
that there are *laws* to protect you from cc fraud! it appears that if your debit card is defrauded, you're outta luck!
eric
The bank robbery in American Gods was far simpler, required no fancy hardware, no weapons, and no delay to take the money out of people's accounts later.
iirc, it took an existing atm, some tape, a security guard uniform, a bag, and a business card. Hm, and a payphone nearby.
The reason that ATM fees piss people off is that when the banks put them in and closed branched because of it, the banks said the ATMs would be free.
Big shock, they lied.
You mean that coin-operated dick cleaner near Michael Jackson's ranch was really just a ..........oh God! I am so embarrassed.
Table-ized A.I.
As long as credit cards exist, I'm not going to complain about the insecurity of ATM's.
RogerWilco the Adventurous Janitor
There is a popular ATM "modus operandi".
Thieves, hotwire a backhoe, drive it a couple of miles and use it to liberate an ATM from wherever, drop it into a truck and get the hell outa Dodge.
Imagine the disappointment when they get it home... if one of these fake ATM's gets selected for a backhoe style type smash and grab theft. Plus, imagine the disappointment for the original ATM fakers.... Delicious.
Murphys law says its gotta happen sometime!
Organized crime?, Nah!, for my money, its not really all that well organized....
There is no god; get over it already! Never exchange a walk on part in the war, for a lead role in a cage.
Who's with me to start an open source project to write an a program that can interfaces with an ATM?
There are also ATM machines on ebay for sale.
Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams.
Two sentences spliced together with a comma --> one incorrect sentence. Also, "ATM related" should be hyphenated
The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers.
I can't believe people pay for this shite.
Many office alarm systems have a feature where entering the disarm code backwards (1234 becomes 4321) will work like the real code, while also triggering a silent alarm, summoning the police.
Since colleges nearly always have an on-campus 24-hour security staff, it should be possible for help to arrive in time to catch the attacker, or at least to rush the victim to the hospital before she bleeds out.
I do not deploy Linux. Ever.
Far more money gets stolen by dishonest tellers and bank personnel than fake or rigged atms.
These people, when caught, do not get prosecuted, because the banks do not want anyone to know of the level of internal crime.
So the criminals get fired.
They go to another bank, apply for a job, and get hired, because when the bank calls up the old bank, all they can say is yes, they used to work here.
I am certain of this, because I once dated a bank teller who did this.
Also, the people who take your credit card applications (one stole my wife's grandpa's card), and store tellers who impress your credit card onto the carbon paper system, and anyone who has access to the discarded paper from impressing machines (that would be anyone).
People who make mistakes on their deposit slips and throw them away (I got hit indirectly by this one), etc.
These criminals take orders of magnitude more money than all the atm scams combined.
Be afraid. Be very afraid.
wake up and hold your nose
Sometime in the mid- to early-90s, I read the book "Catch me if you can" by con-artist-turned-security-consultant Frank Abagnale. You may have seen the recent Spielberg movie based on this. This was in the pre-ATM days, but if I recall correctly, one of his scams was similar. First he would go to a uniform store and get a security guard uniform. Then he would have a professional looking sign printed up saying something like: "Night deposit out of order -- Leave deposit with security guard."
Anyway, at night, he would put up the sign and station himself outside a bank's night deposit drop box with a big bin. He says people would actually come up and toss bags of cash into the bin, because they just had an innate trust of people in uniform.
Yes, you do. Regulation is not completely bad. Why should the crooks be enabled by the market? that's what de-regulation does. This kind of philosophy needs to get out of the political system.
Please upgrade this post to the "bold" font-style, which will increase its impact and ensure that people pay it the heed it is due.
Also, try to make the content a little less whiny next time. It's a real turnoff to be cruising around the -1 neighborhood and run headlong into this steaming pile of self pity.
It ain't going to do you any good, if you can't even spell it.
My bank account's always empty anyways... If they tried to empty it, the bank would ask them to deposit money first.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
A one-time or limited-use PIN is a great idea, but unfortunately, it won't be so simple under the current system...
Unfortunately, the way a PIN is generated is by hashing your bank account number with a special key that only the bank knows. The result is mapped to the digits 0-9 somehow, and that's your PIN.
I actually took quite a while for the banks to capture a complete faux-front. It seems they are very careful not to leave them on for too long, and they do blend in with the ATM quite well. For a while, my bank's ATM would post a toll-free number to call if you noticed anything suspicious attached to the ATM.
Xix.
"Everything is adjustable, provided you have the right tools"
The point is there are many examples of business providing services for "free", usually because they think they'll get more customers as an indirect consequence, or they fear getting a bad reputation and losing customers if they don't provide a service that their competitors provide. Of course businesses must recover their costs, but a per-use fee is not the best or only way to do so.
So just because someone suggests that ATM fees piss them off, this doesn't mean they're oblivious to the fact that ATMs cost money to buy and operate. Instead, they're suggesting that they'd like it better if businesses recovered their costs in some other way -- for example -- the same way that they recover the costs of using credit cards.
This thread started with credit cards, and guess what -- it's not free for a business to accept credit cards either. They have to pay the credit card company every time someone makes a purchase. So when credit cards first came out, businesses would tack on a 5% fee if you wanted to pay with a card. Someone like you might have made a comment like yours defending this "credit-card-use" fee. "Nobody puts a gun to your head and makes you pay with a credit card. The credit card network and database cost money." Yada yada..
But people did complain -- and today those fees are largely gone. If you go to a convenience store, the prices listed on the shelves are the same prices you pay whether you use cash or credit. Of course, this just means that stores have absorbed the costs of dealing with the credit-card companies into their prices, so today someone paying cash is paying "more than they should" to subsidize customers who pay with credit cards. Do you think this was a good change? Do you approve of this?
Whether or not you do, there's no reason this can't or won't happen to ATMs. A convenience store owner might buy and install an ATM that charges no fee, just because he's expects customers who come in to use the ATM might buy something on the way out -- or because all the other convenience stores around already have free ATMs and his store would get a bad reputation if he didn't have one too. In a world like this, the convenience store owner would just have to raise all his prices a little to compensate.
If you approve of ATM fees, would you like to see credit-card-use fees come back too? How about fees for using the convenience-store bathroom? Is there such a thing as being "nickle-and-dimed" to death? Personally I like that credit-card fees have gone away, and I would like ATM fees to go too, even if prices rose overall a little to compensate.
Just my opinion...
Use your debit card at Wal-Mart or your local drug store, buy a stick of gum, and get $XX amount of cash back. And at the rate it's going, there'll be as many Wal-Marts as there are ATMs. Saves yourself a fee AND is much safer.
That is, until someone builds a false Wal-Mart to get your account information.
Oh my god! I have to go to that. The Dude definitely abides!
I just checked out SwipeUSA. They say either you, the owner,
can fill the machine or they will do it for you. Now this
sounds to me like an open invitation for Tony and Vito to launder money. Put ATM's in as many places as you can, wether its a business you are already 'associated' with or not. Fill it with your dirty money, in comes clean money for your Grand Caymans front company. Sweep the money every night out of GCI to your account in a bank domiciled in a 'no reciprocity with USA' country.
Then again.. maybe casinos are easier!
Hmm.. The problem is that ATM cards can be so easily forged.
Banks should switch to contactless cards with a tiny processor and display that (a) stays in control of the user at all times, and (b) allows the user to authorise *individual* cash/ATM transactions. It would be akin to a small palm-pilot with public-key cryotography and an IRDA link, but credit card sized, so it fit in your wallet... or is built into your wallet. The only way this could be defeated is by breaking the crypto, or by capturing the device itself and obtaining it's password.
Without an interface on a device in your control, even smart-cards can be defeated by the "false-front" ATMs mentioned in this article (you withdraw $20, the "false-front" ATM actually withdraws $1000, dispenses $20, and pockets the $980 difference).
"First I emptied the checking account and then I hit the mall, and there in the window was this sexy little outfit, and oh my gosh, I just had to have it! Fifteen hundred dollars for a leather bustier? I didn't care, it lifts and separates. Heh. Plus, it's not like I'm actually paying for it. Hehehe, ah."
The bank card scam that is really popular these days in Quebec is replacing the machines where you swipe your bank card or credit card at the counter. The machine records the number on your card and the PIN you enter, then plays the modem sound to make you believe that it called to your bank and accepts the transaction, even though you might have entered the wrong PIN number.
A lot of gas stations have been found guilty of using such devices, though it was often done in less fortuned areas and organized crime was always involved. I think I read somewhere that the "roumanian mafia" (WTF? italian, ok, russian, meh, but roumanian?) was behind the scam. It's been around for a year now in different part of the province.
I never heard about ATM scams so far though.
I should know, I worked with a company that provided them. All I can say is that after working there for a week, I was scared to put my card in one.
This is one of those instances where security by obscurity is obviously working, at least somewhat... as most people don't have access to one to play around with.
They use absolutely no encryption, as they are not required to until something like 2006. And even though it's there, it's not on (at least with Diebold machines). Many have a network cable running into the back of them, so you could plug in a hub and sniff the data. What will this get you? It will get you the ip of the authentication server it talks to and the format of the responses. This would allow you to forge your own authentication server and use some network trickery with a linux box or two and a hub/switch to make any card run through the machine be accepted.
The ones that don't have network cables usually have phone lines. A little known fact is that if you plug two modems together directly, you can still dial the other one and it will pick up and negotiate. You could certainly use this to stick a linux box in between and sniff the data that goes over the network and perform something similar to the above.
Probably the most secure ones are the ones that use GSM or GPRS to communicate as you'd need some expensive equipment to do anything with that, and they are typically inside the unit, so you'd have to break it open somehow so you can't get at the wires.
There are methods in use right now that the ATM companies have absolutely no idea how they work. I'd see memos floating around all the time. They put machines under surveillance for months, and all of a sudden, everyone who had used the machine got ripped off. Yet, no one, as far as they could tell, ever physically did anything to the machine. Theives are using some really sophisticated techniques right now, and about the only way to thwart this is to start using crypto, both for transit, and on your card.
Oh, ever wonder why most machines have been retrofitted with a card swiper instead of an eater? It's because people were putting stuff inside of it so cards would jam, and then they would sit across the parking lot with a spotting scope and watch a person type their pin. When the person couldn't get their card out and left, they would come by with a little extraction tool, take the card, and go on an ATM spree.
If you loose money through the ATM/Debit network you will never see it! These networks are *NOT* insured.
Only visit your local branch to get cash with your debit/ATM card and use a Visa/Mastercard "CheckCard" for other purchases.
1. You will be insured.
2. Visa/Mastercard provier fraud protection
3. MAC/ATM/DEBIT is a bank fraud in itself. What is up with those FEES, especially since they don't guarantee or insure the transaction!
Gee, I sure wish that I had said something about this like a year ago...
I use ATMs all the time, but being the paranoid type, I don't keep more than ~$200 in my cheque account. Just get your bank to disallow ATM access of your savings account and transfer money online when needed.
Call me crazy but I LOLed at that
I never understood the point of having the signature on the back of the card. By signing it, you're giving the thief an example of your signature, and it takes a person about 2 minutes to learn to forge a reasonable enough copy of your signature to pass a Best Buy clerk's eyeball test. Then it becomes harder to contest, because the signature is somewhat close to yours. I'd rather have them not know what my signature looks like and be able to point to it and say "That's not even close."
I once read somewhere in an old magazine from the 1980 or so about "bank robots." Has anybody heard ATMs called these before?
Why don't you guys have friends or journals?
RSA has a neat little device called a SecureID, which is about the size of a pack of matches or a very small pager - it has an LCD on it that displays a 6 digit number that changes every 20 seconds or so. A lot of companies use this as a two-factor security device - you need both a password/pin as well as the number on the device to gain access.
I imagine that this would be an excelent application for a credit card sized flexible computer.
THERE AER NO SPOKE!!!!!!11 THEIR AER A DIFFERENCE BETWIXT KNOWING TEH PATHXOR AND WALKING TEH PATHXOR!!!!112 YUO CNAOT BE TOLD WAHT IS ON TEH SPOKE!!!!!11 YUO CAN ONLY LERN BY GOING ON TEH SPOKE!!!!112
THEIR AER NO LOWERCASE ON TEH SPOKE!!!!11
It's "fraud" committed using a "fake ATM". Make sense?
It has been about 30 years since the invention of smart cards. Using a smart card with a challenge-response mechanism should make it almost impossible for a fraud to happen. It would also make it convenient to access ATMs as you dont need to enter your pin.. well maybe there still is a pin to protect you in case you lose the smart card itself. I think the banks have not introduced smart cards to keep the costs of the card readers and the cards low. What should be done to drive the banks towards better technology?
Yep! The original poster is exactly right! What reason or incentive do you really have to give all of your money to a business, if they're not going to provide you with something in return for the ability to borrow your money to make themselves more money?
Banks thrive primarily because society has become addicted to the ease of paying for items electronically. We like the convenience of such things as "direct deposit" and credit or debit cards.
The question is, how long are these basic concepts going to keep the banking industry going? They sure seem to be experimenting to see just how many services they can take away or charge extra for before customers walk away.
Most checking accounts don't even pay interest anymore, unless you keep some huge amount of money in the account at all times. Even the "special services" we're accustomed to trusting banks to provide are diminishing. Just the other day, I needed to have a document notarized - so I called one of the larger branches of my bank to make sure a notary public would be available when I wanted to drop by. Guess what? It turns out they haven't had a notary public for at least several months now - and they could only give me the name of ONE branch in my city that still had one!
Another friend of mine needed some foreign currency before embarking on a business trip - and he had a nearly impossible time getting it. Only one bank branch was equipped to convert his funds to the currency he needed - and when he got there, he was told the foreign funds weren't actually on-hand. He had to give them 48 hours to obtain the money and then come back!
I always remember the Dilbert cartoon where Dilbert is talking with Dogbert and a restaurant stating why he doesn't trust ATM machines. He gives his credit card to the waitress and she comes back with a fur coat.
But the truth is, they can bug ATM but a dishonest working at a store can get your credit card. It's really quite easy I would imagine. One time I had a clerk throw away my receipt (since he screwed up). I went and grabbed it because it had my credit card number.
It's sometimes even easy, just by looking through the trash. Just find a store that gives the complete credit card number information on the receipt and find them on the ground or in the garbage.
The chances of them ripping off an ATM is probably less than a waiter/waitress/clerk, etc. can rip you off.
Okay, so let's get rid of all credit cards. We are back to checks. Well, the phone company and electric company can take out money from my checking account, they just a number. So does that mean if somebody finds an old check they can get money from my account?!
My advice only accept cash, put it in a fire/water proof safe, bury it. Buy a shotgut with armor piercing bullets, don't sleep and just sit in front of the money shotting anybody who comes close!
I'm posting this AC because I don't want my friends/coworkers who surf slashdot to associate my nick with this post.
I work for the largest company in the USA that verifies the transaction between the bank and the cardholder. We are as you could put it, an ISP for ATM's. We are very large, and I've worked for them for quite a number of years.
We heard about these scams a few years ago, it's nothing new. There are a few things you can do to protect yourself.
1. Wait for a prompt before entering your pin number. I have never heard of a "cover" system so complex that they will respond correctly on the screen when a card is put in the slot. Rogue ATM's are another matter.
2. If a white box ATM eats your card, call your bank immediately to report the card stolen/eaten. This is because most of these systems are just a camera and a box to hold stolen cards and pin numbers. Unfortunately the days of getting your card back when it gets eaten are gone. With new regulations there's just no way, get a new one.
3. All ATM's in this country (usa) are required by law to have a phone number of the institution that is authorizing the transactions, and a notice of surcharge on it. If you don't see those, then there could be "something" covering them. They went to a lot of work to make that fake ATM cover, why would they want you alerting someone who would send out a repair technician?
Please don't go clamoring for more regulation. A lot of the regulation in place keeps us from properly helping people in distress, and does almost nothing to help secure them. Besides, most people only need securing from themselves.
Ha! Poor americans! We Italians have been doing this kind of scam for years! If you need training and/or extra information of the subject, I suggest you come visit us (Naples is especially suted for the job, but basically any large city will do) and take a CM (Con Master) degree.
Marcello Missiroli Vice-President of ERLUG
I have a homeloan package with my bank (in Australia). The only fee they charge me is $8/month (I could have chosen a slightly higher interest rate on the homeloan but for at least the next 10 years that equates to more than $8/month).
In return the interest from my bank account offsets the homeloan account, and therefore doesn't count as income for tax purposes, and I get enough free transactions that i've never been charged a fee for any banking in the last 2.5 years!!!
Shop around!
When ATM fraud is committed, the individual whose account is stolen from takes the fall. When banks are robbed at gunpoint, it isn't feasible to make just one account holder carry the can for it, so it has to be amortised over a number of accounts. It is obviously cheaper for the banks to allow relatively easy ATM crime than to be robbed at a branch. Remember, no-one ever steals from banks - they only steal from you. Both the banks and the "criminals" I mean...
Because I check my transactions very frequently (for budget and other purposes), I would notice immediatly if something was wrong and there was a transaction that I didnt make. Then, I would report it to the bank.
Now if you were black with a Caddilac, you'd be pimpin ho's and poppin crack. That's racism.
I'd never heard of this kind of fraud until about 2 months ago. In that time my flatmate had 500 taken withdrawn from her account, a good friend had 1500 pounds taken from a number of ATMs and a work mate has just been done for about 800 pounds. That's just the people I know personally!
I've also heard second hand of two other incidents, girlfriends cousin being one of them. According to the cops crooks are using "skimmers" on the card slots of ATMs and camera's or "shoulder surfing" to get the pins.
So watch out in London right now is the message I guess.
Who's with me?! I SAID... WHO'S WITH ME!!??
In Brazil the ATMs have a very clever solution for these problems:
:)
1) You type all information in touch screens (very dificult to tap into... but easy to everybody read... wait for 2
2) every time you came to "login" at the machine, the 10 algarisms are ramdomly rearranged in 5 buttons... so even if you see me entering my password, you cant do the same next time because the algarisms would be arranged in a different order... and they will only chane orgder again after a sucessfull login... of course if you try to login 3 times and fail, your account is locked.
A lot of people don't want to live in the boondocks. Here in New York City the nearest store is next door. That place in Colorado says the nearest store is thirty minutes away, and you'd have to have a car. I don't need a car in New York....
Tim
Omnia vestra castrorum habetur nobis.
Most bank machines have cameras and time stamp the videos. The banks like to use FUD to protect their systems, which tend to be quite weak, however it can be (and has been) defeated in court.
Articles from msn.com should be posted in the thread. That's because if you have msid.msn.com blocked in your hosts file (by making it point to localhost), you cannot see msnbc.com articles. One might suggest that I could just comment it out - which is what I did to see this article - but still, a host named "msid" is not something I want my browser to go to.
"One of the symptoms of an approaching nervous breakdown is the belief that ones work is terribly important." -BRussell
So.. how are you supposed to prove it? Witnesses? The bank is supposed to be responsible.. if the bank handed it to you, the bank has a responsibility to take it back. We need to MAKE the banks be responsible in a situation like this... so that they will develop ways to not have it happen again.
The only solution currently is to not use ATMs
And it's probably just Urban Legend but..
At a mall in Calgary, Alberta (that's Canada, eh?)
I heard it was Shinook Center, but who knows...
There is, of course, a bank in the mall. This bank is, of course, used by most merchants in the mall to drop off their nightly deposits.
Some intelligent person brought a few things to the mall: A heavy cardboard box with a hole in the top, a couple of paper signs, and some tape.
The "out of order" sign was placed on the night deposit door (you know, heavy metal thing that works like a mail drop box, but for money).
The "Deposits here" sign was put on the cardboard box.
Guess where lots and lots of people put bags of cash that night?
Offtopic, but... When I was in Tokyo, I missed a plane, because it took me hour and a half to find an ATM compatible with my US bank card.
I don't believe they are required to ask for ID. In fact, Visa discourages it.. the idea is to make it as easy as possible for the customer. with a credit card, remember, you are protected form fraudulent use. IT's VISA that gets ripped off, not you. Look on your card, it even says "Property of the issuer". That's all.
I was asked for ID when I was at a gas station buying gas. I don't look dirty or shabby. I was 27 years old. I was simply buying $30 in gas... and the little fucker behind the counter was like "Hmm. I need to see some ID." "Why?"
"Umm... you need to show ID!"
"why?"
"I'm not going to run this card through without ID sir"
"I don't have any with me" (I live 2 blocks away)
"well pay cash then"
"I don't have any"
"Well I'm going to call the police!"
"And tell them what, exactly?"
"Umm.. okay.. nevermind"
This was at a 7-11, in a mid-sized canadian town... not in a dodgy neighborhood, nothing like that.
The point is.. everyone is acting like credit cards are their personal property, and that clerks and merchants are the problem.. remember it's the credit card issuers that are providing a service for us... and we need THEM to make it a service we want to use.
Yes, clerks should check signatures more.... but that's between the merchant and Visa. Remember, the merchant is the one who doesn't get paid if the transaction was fraudulent.
My credentials: I've worked in a bank's main Cash Vault, Research & Adjustments department, and now (finally and Praise Jesus!) IT.
You haven't received good advice all around. The thing you should have done immediately is see the bank manager of the nearest branch and Raise Hell {TM}. It would have been best to have refused to fill out any forms that forced you to admit to being the simple owner of a counterfeit bill, but even that's not so terrible as long as you are willing to do some further social engineering yourself.
1) You see, that ATM's bills came from a cash vault. That vault is responsible for catching counterfeits. In fact, its bill counters are SUPPOSED to catch each and every counterfeit bill fed through them. That's part of their design.
So, by losing $20, you have just allowed the bastards in the Vault (and its governing Operations section) to continue to use machines or procedures that allow counterfeits to pass through their hands, and thus into yours.
2) Social-engineering-wise, once a bill touches your hands, and you examine it and say "hey this is counterfeit", does that mean that the person who passed it to you can just fucking walk away scot free? Of course not. The same reasoning applies to ATMs.
Using these two lines of reasoning, go back to that goddamned bank and get your $20 back (i.e. issue you a $20 credit). If they still balk, follow up with the Secret Service itself about your individual counterfiet bill; this can serve to embarrass the bank to honor your credit.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
Why do people insist on using cash and not just using your bank atm?
There is no need to carry tons of cash around with you anymore. Use credit cards responsibly and you won't have any problems. I'll maybe only have 10-20 bucks on me for when I absolutely need cash, like at fast food places. But even that is going away. There is no need to carry around tons of cash anymore and don't use your debit cards.
Secondly, I never use mall or gas station atms. They charge 1.50 and more per transaction on top of what my bank will charge. Belong to a big bank and only use the bank atms that are everywhere. Its safer and you avoid charges.
Fraud like this can be EASILY avoided.
Whoops.
> It takes less than a dollar worth of materials and a matter of
....... bing! thief takes sample from ATM cards' surface.
> seconds to capture a fingerprint off of... pretty much anything.
Yes! And I care to add for the sake of completeness, because this is
just too often (deliberately?) ignored:
1. fingerprint-protected ATM card gets stolen
2. thief needs sample of owners' fingerprint to produce copy
3. ??????????
4. profit! (well, or go to jail immediately)
YUO ARE MEH BROVA
A simple net search revealed this interesting site: http://www.mag-card.com
Makes you wonder what kind of regulation could be imposed to prevent the sale of hardware to illegitimate users.
MAC/ATM/DEBIT is not fraud...it's a common exchange medium.
The bank can't guarantee a debit transaction that is originated on the store owners network. They can only guarantee a transaction done at the ATM on their own network. Suppose good old WalMart has someone that tapped into their network and scooped the info on a debit transaction? There is no way that the bank could guarantee against it. It would be like trying to hold your ISP responsible for someone who broke your WEP encryption and used your WLAN for themselves.
BTW....you're still covered against fraud by the switch provider...typically Visa or MasterCard against fraud....including PIN fraud on debit transactions.
Oh...one more thing. If the retailer asks you to use a PIN, don't. Sign for your debit transaction instead (say CREDIT...but not Credit Card). Thiefs HATE to forge a signature and your sig is as good as gold when dealing with fraud.
Just put in your card, and enter the wrong PIN. If it gives you money, just keep making "withdrawls" until the machine is empty!
Manipulate the moderator system! Mod someone as "overrated" today.
"Hello Mr. Takamoto ..."
If you loose money through the ATM/Debit network you will never see it!
Riiight. That's why the article says that "consumers are nearly always compensated by their banks."
I knew that, too, dammit... living out of the country is making me lose my roots.
I knew something looked wrong.
There is often confusion as different things have different meanings in different places.
In the US a "Debit Card" is usually a Visa or Mastercard, but instead of credit, it takes money out of your account directly. In Canada, these are called "Cheque cards". A "Debit Card" in Canada is an Interac card.
A "Charge card" refers usually to the original American Express card, or other cards where you do have to pay them off, in full, at the end of the month. They are not about credit, and carrying a balance.
A "Credit card" is about spending money you don't have.
> There're problems with SC-s but they're
> certainly better than magnetic strip cards.
I agree that smartcards are light-years ahead of magnetic stripe cards.
> I'm affraid you're DEADLY wrong. While
> smartcards aren't perfect they're certainly cure
> for skimming, false frontends and other
> low-tech frauds.
Maybe I used the word "false front" inaccurately. But an SC won't stop some of the frauds mentioned in the article.
> SC (smartcard) has private RSA key. Once it is
> loaded it can't be recovered. SC does all crypto
> but only when correct PIN is entered. Enter
> wrong PIN 10 times and SC will burn itself. Once
> the SC signed and encrypted message for the
> authorization server, there's no way to alter it
> UNLESS you know private key. Sorry.
You're right. But the real problem is that the SC has no way of checking with *you* if the amount it is signing for is correct. Both the amount and the PIN are fed to it via the ATM. A fake ATM could ask your card to authorize a withdrawal of $1000 when you only asked for a $20 withdrawal.
It then can pocket the difference, and leave you none the wiser.
Three years ago some folks set up convenient bank deposit sites in major shopping malls. A few days later the modern drop off boxes were gone logo and all.
I disagree. A signature is NO security at all. It isn't difficult to forge someone else's signature, especially when you've got the back of their card to practice with. You'll certainly get it good enough to pass for the owner's sig (how many people sign their name EXACTLY the same every time). A PIN is secure when you're entering it into a key pad, but not if you have to tell it to the clerk, which I have never encountered anywhere.
attaching false fronts to existing ATMs
Trojans and man-in-the-middle attacks on ATM machines.
This should help raise public awareness of what I've long worried about.
Everyone worries about authenticating the user to the machine (PIN numbers, biometrics), but I worry about whether what's shown to me is my authentic machine.
It's already kind of iffy, but in a few years it will be a foregone conclusion that I cannot trust my machine when it no longer trusts me.
"Provided by the management for your protection."
If it looks like a night deposit box it must be a night deposit box.
You are absolutely right. But the courts provide for stricter penalties when a signature is forged than when a PIN is used fraudulently. Both cases are fraud, but when a signature is used, it's uttering and forgery as well. If one of our customers has their PIN used fraudulently, it's a minor felony in MA. If they forge a check or forge a credit based debit card transaction (POS), it's a major felony. Finally, if a transaction is signed for fraudulently, there is no exposure to the customer (as in the $50 rule). This last item is provided for by federal statute by the way. While the PIN is technically more secure, legal standing goes in favor of the signature (which I wish wasn't the case, but they never listen to me..).
Scat link! Do not follow!
My eyes are burning!
Do you live in the UK? Kind of doubt since you're talking about handguns here but I see the .uk email addy. .40 and just bought my 2nd Kimber (a Custom CDP II). Best thing about the Glock is how easy it is to clean. Other than that, it's 1911 .45 all the way.
Gotta agree w/ you about the pistols. I started out w/ a Glock 22
This guy is way out there
The card worked, and I paid no fee at all. (Well, I did get a not-quite-ideal exchange rate, but not particularly bad, certainly not $2 worse than I would have received in a bank.)
How on earth did you get all those CAPS past the lameness filter?
This is Slashdot. That's not a viable alternative.