Slashdot Mirror


Fake ATM Fraud Expose

santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM-related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customer's PIN, which are later added to false cards and used to empty bank accounts at real ATMs. The 'ATM gang' profiled managed to purchase and set up 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The article has some handy tips for avoiding scams."

26 of 478 comments

  1. This is hardly new by Kirill Lokshin · · Score: 5, Informative

    ATM fraud like this has been reported at least since 1988. Ross Anderson presented this at a conference in 1993 ("Why Cryptosystems Fail"), mentioning that:

    The fastest growing modus operandi is to use false terminals to collect customer card and PIN data. Attacks of this kind were first reported from the USA in 1988; there, crooks built a vending machine which would accept any card and PIN, and dispense a packet of cigarettes. They put their invention in a shopping mall, and harvested PINs and magnetic strip data by modem... in 1992, criminals set up a market stall in High Wycombe, England, and customers who wished to pay for goods by credit card were asked to swipe the card and enter the PIN at a terminal which was in fact hooked up to a PC.

    This is really more of a problem with the lack of attention to such security issues on the part of banks than a new type of crime.

  2. Old news... But still rampant! by node159 · · Score: 5, Informative

    Here in New Zealand we have a major bank monopoly which results in 4 banks owning the market, with very excessive charges. But as a result ATM fraud is virtually non-existent. But internet banking fraud is at an all time high. Go figure.

    On another note, this is old news and has been around for years, but it's surprising it's still so rampant. I guess the banks must be putting most of the cost on the customers, as is indicative of their inaction.

    --
    GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?

  3. Yeah by iamdrscience · · Score: 4, Informative

    Basically what you have to do is avoid random ATMs and only use ones from banks you're familiar with. This can be hard in some places but in general it doesn't take a whole lot of effort and can potentially save you a lot of trouble later on. If your ATM card gets frauded you're largely fucked because the burden of proof relies mostly on you instead of the bank, unlike credit card fraud where the company has to be able to prove that YOU went on the spending spree and not the guy that stole it.

    You see credit card fraud hyped up in the media all the time, but with almost every credit card you're liable for no more than $50, whereas ATM card fraud is always mentioned as a footnote when it can really screw up peoples' finances!

  4. Attached documentary - Card Cleaner! by calebb · · Score: 4, Informative

    There's a cool 10 minute Dateline documentary linked from the original article. They took a former criminal (two convictions on his record) and had him buy an ATM machine... and then he set it up in a public place. Tons of people were using it!

    Out of the 12 ATM vendors, only 1 wanted to do a background check - one vendor even offered to sell it to him without a social security number.

    Then, even more disturbing... he set up a sign next to the ATM that had a card swiper that said FREE! FREE! Card cleaner!! ...and a magnetic card reader on it. LOTS of people were swiping their cards through it, oblivious to the fact that it wasn't cleaning their card, but it could have been snagging their card number. A nearby camera could grab the CVS number off the back of the card. Another camera could get their PIN number.... very good article / documentary.

    note: The video requires an MSN Passport account (free)

  5. A solution... for the semi-paranoid by zakezuke · · Score: 3, Informative

    You can, with ease, open up a second account with your bank... whereby the 2nd account is used exclusively for online transactions and getting the odd bit of cash.

    1 primary card for your paycheck needs, used only at trusted locations, like your physical bank, card stored at home preferably in a safe.

    1 secondary card which can be termed a petty cash card, where you may transfer funds to it on an as needed basis, for mail order items for example.

    I'm not saying that this system is perfect, but it offers some minimal protection, and can be implemented by going down to your bank and opening up a second account. If lost or stolen, well, you may lose your petty cash, but hey, could be worse, far far worse.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.

  6. TANSTAAFL by twoslice · · Score: 3, Informative

    TANSTAAFL /tan'stah-fl/ [acronym, from Robert Heinlein's classic "The Moon is a Harsh Mistress".] "There Ain't No Such Thing As A Free Lunch".

    --

    From excellent karma to terrible karma with a single +5 funny post...

  7. Re:in Canada... by operagost · · Score: 2, Informative

    Did it tell you before withdrawing the money that it was going to do that? If not, it's fraud!

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.

  8. Re:in Canada... by ergo98 · · Score: 3, Informative

    A recent trend here in Canada is that if you use one of the bank machines of a bank other than the bank that issued your debit card, they tack on a $1.50 service charge (this is atop the Interac fee that your own bank charges you). Given that most people get out fairly small sums, like $40 - $60, this is an outrageous service charge and it's just another money grab by the big banks. In any case, and getting back to your point, if they do this they have to provide a notice that there will be a service fee, to which you have to agree.

    My guess is that your own bank dinged you with a huge "cross-border" service charge for the electronic debit. This is surprising, though, as I've used my Canadian bank card around the globe and have never gotten charged anything more than the Interac fee and the normal currency conversion.

    (PS. $40 was $60 Canadian about two years ago, but today it's about $52 Canadian).

  9. Re:I try to avoid them altogether. by anthony_dipierro · · Score: 2, Informative

    "You could disconnect the camera and plug it into your recording"

    You might as well just break into the ATM itself at that point.

    "or (possibly, I'm not sure) put a printed copy in front of the camera."

    I'm not sure it's *that* easy, but the current technology does make fake retinas possible. Eventually (and maybe even now with the most expensive technology), this won't be possible, though (short of building a clone, anyway).

    A much cheaper solution that's available today is to have some processing power built into the card itself. When I worked for Hewlett Packard we had to use these to log into the private network from home. A new password is generated every 60 seconds, so an attack like that described in this article would be useless. Of course this particular device isn't the best solution for an ATM, but something based on the same underlying technology would be. Or perhaps better yet, a public key system.
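
The "new password every 60 seconds" device described above works like this, as an added example that is not part of the post or of any vendor's product: a minimal RFC 6238 time-based one-time code generator and verifier using HMAC-SHA1, with a 60-second step (the interval the comment gives). The secret is a constructed demo value, not a real token seed; the replay scenario shows why a code captured by a skimmer is worthless once its time step has passed.

```python
"""Time-based one-time codes: why a recorded code is useless later.

Added illustration (not from the Slashdot post or any vendor): RFC 6238
TOTP over HMAC-SHA1 with a 60-second step. SECRET is a constructed
demo value, not a real token seed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60          # the comment describes a new code every 60 seconds
DIGITS = 6
SECRET = b"constructed-demo-seed-not-real"   # constructed sample secret


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(T / step)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, candidate: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- skew_steps neighbours,
    to tolerate clock drift between token and server."""
    return any(
        hmac.compare_digest(candidate, totp(secret, now + k * STEP_SECONDS))
        for k in range(-skew_steps, skew_steps + 1)
    )


def replay_demo(secret: bytes = SECRET, captured_at: int = 1_700_000_000) -> dict:
    """Model the skimming scenario: a code observed at `captured_at` is
    replayed 30 seconds later (same step) and again ten minutes later."""
    captured = totp(secret, captured_at)
    return {
        "immediate_replay": verify(secret, captured, captured_at + 30),
        "late_replay": verify(secret, captured, captured_at + 600),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The ten-minute replay fails because the counter has moved on; the 30-second replay still succeeds, which is why real servers also record codes already accepted within the current window. `totp()` reproduces the RFC 6238 reference vector when called with a 30-second step and 8 digits.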

  10. German style ATMs by tronicum · · Score: 2, Informative

    In Germany there is a regulation which says "if you want to connect an ATM/PC, whatever" you have a "bank network". There are guidelines which are checked by some governmental freaks.

    A list of freaks is German officialism (English) there; a German page about the banking freaks is here.

    Often they fake only parts of the ATM's system in Germany (reading it at the door, putting slices of plastic on top of the keypads).

    The laws are strange in Germany for that problem. But often if you can prove that it was not your problem, they give you money.

    They want everybody to believe that it IS safe, but it is not.

  11. Virtual account numbers by chiph · · Score: 2, Informative

    Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction.

    The CitiBank virtual credit card account number feature actually doesn't work like you'd expect -- instead of being a "one-time" number, it's actually a "30-day" number. They set the expiration date to the end of the upcoming month to limit the time it's valid. I'm disappointed in the way it works, but the positives still outweigh the negatives so I still plan on using it until something better comes along.

    Chip H.

    1. Re:Virtual account numbers by Anonymous Coward · · Score: 1, Informative

      "The CitiBank virtual credit card account number feature actually doesn't work like you'd expect -- instead of being a "one-time" number, it's actually a "30-day" number. They set the expiration date to the end of the upcoming month to limit the time it's valid. I'm disappointed in the way it works, but the positives still outweigh the negatives so I still plan on using it until something better comes along."

      Citibank's "virtual account number" has an optional feature to set a maximum total dollar limit for all transactions, and/or set a longer expiration duration.

      For example, for a web site subscription that automatically bills your account $9.95 a month, you might set the expiration date to one year, and the total maximum as $120.

      I have found that some sites cannot accept the Citibank virtual account numbers -- for example, Paypal.

    2. Re:Virtual account numbers by rickliner · · Score: 3, Informative

      "Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction."

      "The CitiBank virtual credit card account number feature actually doesn't work like you'd expect -- instead of being a "one-time" number, it's actually a "30-day" number. They set the expiration date to the end of the upcoming month to limit the time it's valid. I'm disappointed in the way it works, but the positives still outweigh the negatives so I still plan on using it until something better comes along."

      The Citibank virtual account numbers have options to let you do what you want. When you generate a new number, it can be used with only one merchant. You can set a charge limit amount, the expiration date, or both.

      Next time you try it, click on the "Advanced Options" link instead of the shiny button labeled "Next". Set the limit to the amount you intend to spend. Presto, it's good for exactly one transaction.

      --
      Better to .sig than to .sag

  12. Re:in Canada... by Jucius Maximus · · Score: 4, Informative

    "And this was all legal, no recourse was possible. I wonder who made off with the 'big money' though, my bank, the ATM company, or the chinese food joint."

    The 'white label' ones (called ABMs) are operated privately and whatever restaurant or convenience store owns them can charge whatever service fees they want. I live in Canada and I never ever use the white label machines. The cost is insane. You were hit with the 'disloyalty fee' from your bank for not using their machine (not that there was one,) a PLUS/Cirrus fee for international transactions, a currency change fee from your bank, whatever normal fee is levied by the ABM's owner, and maybe a currency exchange fee levied by the ABM's owner.

    If you had gone to a machine that was actually run by a bank (an ATM) then the service charges would have been much lower. Banks generally have lower surcharges than white label machines.

  13. Re:in Canada... by Anonymous Coward · · Score: 1, Informative

    Spring of '02 I was in Europe; I used my regular American bank card in several ATMs in Europe... at least Amsterdam, Berlin, Paris... out spat my Euros and I wasn't charged nearly what my father was getting charged by using travellers' checks at money-exchange places.

  14. Why ATM fees piss off people by DAldredge · · Score: 2, Informative

    The reason that ATM fees piss people off is that when the banks put them in and closed branches because of it, the banks said the ATMs would be free.

    Big shock, they lied.

  15. Re:I try to avoid them altogether. by santos_douglas · · Score: 2, Informative

    True, but with one qualifier. The law treats these losses quite differently, with the rules being slightly more lenient for credit cards. See:

    http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.htm

    It is important to report this as soon as possible, or else your exposure rises. In the case of ATM fraud like this, it is very unlikely the people would report the theft before the cards were used, since they had no idea the info was stolen. Plus, from a purely bureaucratic standpoint, it is more difficult to convince a retail bank that you are not liable vs a credit card company.

  16. atms on ebay by upt1me · · Score: 4, Informative

    There are also ATM machines on eBay for sale.

  17. Re:Aumm, so where am I safe? by ffsnjb · · Score: 2, Informative

    They did just that on Court TV's Safety Challenge Holiday Alert last night...

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion

  18. Low-tech ATM user victimization by Nonesuch · · Score: 3, Informative

    Just after the students come back all flushed with their grants (and no idea that once their board and lodgings are taken into account they have about 5.00 a week to spend on food), the most prevalent kind of ATM theft round here is also the simplest:

    Knife in back, 'take out all your money or I'll kill you'.

    A few people get stung with that every year... not a lot that can stop it either (cameras help, but they're not everywhere).

    What could help is the "duress code".

    Many office alarm systems have a feature where entering the disarm code backwards (1234 becomes 4321) will work like the real code, while also triggering a silent alarm, summoning the police.

    Since colleges nearly always have an on-campus 24-hour security staff, it should be possible for help to arrive in time to catch the attacker, or at least to rush the victim to the hospital before she bleeds out.
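
A keypad check of the kind the post describes, as an added example that is not from the post or from any alarm vendor: the enrolled code disarms; the same digits entered backwards also appear to disarm but raise a silent alarm. The codes are constructed sample values. The example also shows the enrollment rule such a scheme needs and the post does not mention: a palindromic code (1221, 4004) reads the same backwards, so it cannot carry a duress signal and must be refused at enrollment.

```python
"""Reverse-code duress signalling for a keypad.

Added illustration, not from the post or any alarm product. The real code
and its reverse both open the door (the victim must never be visibly
refused); only the reverse additionally trips a silent alarm. Codes here
are constructed sample values.
"""
import hmac

DISARM, DURESS, REJECT = "disarm", "duress", "reject"


def is_palindrome(code: str) -> bool:
    """A code equal to its own reverse has no distinct duress form."""
    return code == code[::-1]


def enroll(code: str) -> str:
    """Accept a 4-8 digit code only if its reverse is a different string."""
    if not (code.isdigit() and 4 <= len(code) <= 8):
        raise ValueError("code must be 4-8 digits")
    if is_palindrome(code):
        raise ValueError("palindromic code cannot encode a duress signal")
    return code


def classify(entered: str, real: str) -> str:
    """Compare against the real code and its reverse in constant time."""
    if hmac.compare_digest(entered, real):
        return DISARM
    if hmac.compare_digest(entered, real[::-1]):
        return DURESS
    return REJECT


def keypad_event(entered: str, real: str) -> dict:
    """What the panel does for one entry: open or not, and alarm or not."""
    outcome = classify(entered, real)
    return {
        "outcome": outcome,
        "door_opens": outcome in (DISARM, DURESS),   # indistinguishable to an attacker
        "silent_alarm": outcome == DURESS,
    }


if __name__ == "__main__":
    code = enroll("1234")
    for attempt in ("1234", "4321", "1111"):
        print(attempt, keypad_event(attempt, code))
```

The same idea transfers to an ATM PIN only if the bank rejects palindromic PINs at selection time and the reversed PIN is not itself another valid PIN for the same card.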

  19. one-time PINs by stile · · Score: 2, Informative

    A one-time or limited-use PIN is a great idea, but unfortunately, it won't be so simple under the current system...

    Unfortunately, the way a PIN is generated is by hashing your bank account number with a special key that only the bank knows. The result is mapped to the digits 0-9 somehow, and that's your PIN.
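
A worked model of the derivation the comment sketches, as an added example that is not from the post or from any bank: in the classic natural-PIN method the account number is encrypted under a bank-held PIN generation key and the result is decimalized and truncated. This stand-in uses HMAC-SHA256 instead of the DES of the historical scheme so that it runs with the Python standard library alone; the key and account number are constructed sample values. It also shows the PIN offset, which is how a customer can pick a PIN without the bank changing its key, and why the resulting PIN is static.

```python
"""Natural PIN derivation and PIN offset (IBM 3624 style), modelled.

Added illustration, not from the post or any bank. HMAC-SHA256 stands in
for the DES encryption of the historical method; the key, decimalization
table and account number below are constructed sample values.
"""
import hashlib
import hmac

# Constructed sample PIN generation key; a real one never leaves an HSM.
PIN_GENERATION_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")
# Classic decimalization table: hex digit 0..f -> decimal digit.
DECIMALIZATION = "0123456789012345"
PIN_LENGTH = 4


def natural_pin(account_number: str, key: bytes = PIN_GENERATION_KEY) -> str:
    """Keyed function of the account number, decimalized, truncated to PIN_LENGTH."""
    mac = hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()
    digits = "".join(DECIMALIZATION[int(h, 16)] for h in mac)
    return digits[:PIN_LENGTH]


def pin_offset(account_number: str, chosen_pin: str) -> str:
    """Digit-wise (chosen - natural) mod 10; this, not the PIN, is stored."""
    nat = natural_pin(account_number)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def verify_pin(account_number: str, entered_pin: str, offset: str) -> bool:
    """Recompute natural PIN, apply offset, compare in constant time."""
    nat = natural_pin(account_number)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(entered_pin, expected)


def static_pin_demo(account_number: str = "4000123412341234") -> dict:
    """Same account number and key give the same PIN every time, so a PIN
    captured once stays valid until the stored offset (or key) changes."""
    offset = pin_offset(account_number, "7391")
    return {
        "same_pin_each_time": natural_pin(account_number) == natural_pin(account_number),
        "chosen_pin_verifies": verify_pin(account_number, "7391", offset),
        "wrong_pin_rejected": not verify_pin(account_number, "0000", offset),
    }


if __name__ == "__main__":
    print(static_pin_demo())
```

Verification needs only the account number, the key and the stored offset, so nothing in this flow changes per transaction; a one-time PIN would require per-transaction state at the issuer, which is the point the comment is making.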

  20. Re:Two tips by Jucius Maximus · · Score: 4, Informative

    Me: "If it's a 'white label' machine that's not operated by a bank, then it's an ABM."

    You: "Anti-Bank-Missile???"

    Quite the opposite. The White Label ABM business means that big banks make money. Here's How: Canada's biggest bank and one of the top 10 in North America, the RBC Financial group (formerly Royal Bank) co-owns one of the white-label ABM companies!

    So let's say I am a Royal Bank customer. (This was true up until a short time ago.) Royal Bank gets my money in their account and pays me less than a dollar in interest per year. And then I go to a white label machine, pay the $1.50 disloyalty fee which goes straight to RBC, pay the ABM fee to the white label company (which RBC co-owns) and then I don't use up the receipt paper, envelopes, cause wear and tear, etc. on Royal's own machines. It's a good deal for RBC and a bad deal for me.

    The bottom line is that my bank makes more money if I go to the white label machines! Even if I go to another bank's machines, I am paying Royal's disloyalty fee and making them extra money. (I pay no fee if I use Royal's own machines.)

    And a note for Canadians: If you are tired of stupid bank fees and low interest rates on your balances, consider President's Choice Financial. I am a satisfied customer and do not work for them. Sure, it's owned by CIBC but I've never paid a cent in fees, I get free internet banking, free phone banking, free chequebooks, free Interac at CIBC machines, the 'points' rewards are worthwhile and attainable, and the interest rates are decent. (There are some minor downsides like spotty support for ATMs outside Canada, and most deposits over $200 except auto-payroll are delayed for 5 days so they can make interest on it. I can live with it.)

  21. atm security is pathetic by Anonymous Coward · · Score: 5, Informative

    I should know, I worked with a company that provided them. All I can say is that after working there for a week, I was scared to put my card in one.

    This is one of those instances where security by obscurity is obviously working, at least somewhat... as most people don't have access to one to play around with.

    They use absolutely no encryption, as they are not required to until something like 2006. And even though it's there, it's not on (at least with Diebold machines). Many have a network cable running into the back of them, so you could plug in a hub and sniff the data. What will this get you? It will get you the IP of the authentication server it talks to and the format of the responses. This would allow you to forge your own authentication server and use some network trickery with a Linux box or two and a hub/switch to make any card run through the machine be accepted.

    The ones that don't have network cables usually have phone lines. A little known fact is that if you plug two modems together directly, you can still dial the other one and it will pick up and negotiate. You could certainly use this to stick a Linux box in between and sniff the data that goes over the network and perform something similar to the above.

    Probably the most secure ones are the ones that use GSM or GPRS to communicate as you'd need some expensive equipment to do anything with that, and they are typically inside the unit, so you'd have to break it open somehow so you can't get at the wires.

    There are methods in use right now that the ATM companies have absolutely no idea how they work. I'd see memos floating around all the time. They put machines under surveillance for months, and all of a sudden, everyone who had used the machine got ripped off. Yet, no one, as far as they could tell, ever physically did anything to the machine. Thieves are using some really sophisticated techniques right now, and about the only way to thwart this is to start using crypto, both for transit, and on your card.

    Oh, ever wonder why most machines have been retrofitted with a card swiper instead of an eater? It's because people were putting stuff inside of it so cards would jam, and then they would sit across the parking lot with a spotting scope and watch a person type their pin. When the person couldn't get their card out and left, they would come by with a little extraction tool, take the card, and go on an ATM spree.
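
What "crypto for transit" buys against the forged-authentication-server scenario above, as an added example that is not from the post, from Diebold or from any network operator: the terminal shares a key with the genuine host, sends a fresh random request id, and dispenses only on a response whose HMAC covers that id, the amount and the decision. An impostor on the wire can see and copy the message format, as the comment says, but cannot produce a valid MAC, and a captured approval cannot be replayed because the id is single-use. Keys and messages are constructed sample values and the JSON wire format is a simplified stand-in for any real terminal protocol.

```python
"""Authenticated authorization responses between terminal and host.

Added illustration, not from the post or any ATM vendor. TERMINAL_KEY is
a constructed sample; the message format is a simplified stand-in.
"""
import hashlib
import hmac
import json
import secrets

# Constructed per-terminal shared key; in practice held in a secure module.
TERMINAL_KEY = b"constructed-terminal-key-not-real"


def new_request(amount_cents: int) -> dict:
    """Terminal -> host: a fresh random id binds the answer to this withdrawal."""
    return {"req_id": secrets.token_hex(16), "amount": amount_cents}


def _mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the signed fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def host_respond(key: bytes, request: dict, approve: bool) -> dict:
    """Genuine host: echoes req_id and amount and authenticates the decision."""
    fields = {"req_id": request["req_id"], "amount": request["amount"],
              "decision": "APPROVED" if approve else "DECLINED"}
    return {**fields, "mac": _mac(key, fields)}


def unauthenticated_response(request: dict) -> dict:
    """What a party without the key can assemble from sniffed formats: the
    right fields, but no valid MAC (constructed placeholder value)."""
    fields = {"req_id": request["req_id"], "amount": request["amount"], "decision": "APPROVED"}
    return {**fields, "mac": "00" * 32}


def terminal_accepts(key: bytes, request: dict, response: dict, seen_ids: set) -> bool:
    """Terminal side: dispense only if the response answers THIS request, the
    amount is unchanged, the id has not been used, and the MAC verifies."""
    fields = {k: response.get(k) for k in ("req_id", "amount", "decision")}
    if fields["req_id"] != request["req_id"] or fields["amount"] != request["amount"]:
        return False
    if fields["req_id"] in seen_ids:
        return False                                  # replay of an earlier approval
    if not hmac.compare_digest(response.get("mac", ""), _mac(key, fields)):
        return False
    seen_ids.add(fields["req_id"])
    return fields["decision"] == "APPROVED"


def demo() -> dict:
    """Genuine approval honoured once; replay and unauthenticated forgery refused."""
    seen: set = set()
    req = new_request(4000)
    genuine = host_respond(TERMINAL_KEY, req, approve=True)
    first = terminal_accepts(TERMINAL_KEY, req, genuine, seen)
    replay = terminal_accepts(TERMINAL_KEY, req, genuine, seen)
    req2 = new_request(4000)
    forged = terminal_accepts(TERMINAL_KEY, req2, unauthenticated_response(req2), set())
    return {"genuine_accepted": first, "replay_rejected": not replay, "forgery_rejected": not forged}


if __name__ == "__main__":
    print(demo())
```

Note what the MAC does not do: the request and response are still readable on the wire, so card data in transit needs encryption as well, which is the other half of the comment's recommendation.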

  22. Be careful! ATM/MAC/Debit is *NOT* Insured! by cybrthng · · Score: 3, Informative

    If you lose money through the ATM/Debit network you will never see it! These networks are *NOT* insured.

    Only visit your local branch to get cash with your debit/ATM card and use a Visa/Mastercard "CheckCard" for other purchases.

    1. You will be insured.
    2. Visa/Mastercard provide fraud protection
    3. MAC/ATM/DEBIT is a bank fraud in itself. What is up with those FEES, especially since they don't guarantee or insure the transaction!

  23. Re:Aumm, so where am I safe? by anethema · · Score: 2, Informative

    Ohhh yeah, Paypal is REAL safe

    --

    It's easier to fight for one's principles than to live up to them.

  24. Re:Two tips by EinarH · · Score: 3, Informative

    Here is a picture of a security guy with the fake front in his right hand and the small camera in his left.

    Looks like an integrated part of the ATM unless you are familiar with that ATM.

    --

    Melius mori in libertate quam vivere in servitute.