Fake ATM Fraud Expose

← Back to Stories (view on slashdot.org)

Posted by michael on Saturday December 6, 2003 @01:24PM from the you-pays-your-money-and-you-takes-your-chances dept.

santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."

3 of 478 comments (clear)

Min score:

Reason:

Sort:

This is hardly new by Kirill+Lokshin · 2003-12-06 13:30 · Score: 5, Informative

ATM fraud like this has been reported at least since 1988. Ross Anderson presented this at a conference in 1993 Why Cryptosystems Fail mentioning that:

The fastest growing modus operandi is to use false terminals to collect customer card and PIN data. Attacks of this kind were first reported from the USA in 1988; there, crooks built a vending machine which would accept any card and PIN, and dispense a packet of cigarettes. They put their invention in a shopping mall, and harvested PINs and magnetic strip data by modem... in 1992, criminals set up a market stall in High Wycombe, England, and customers who wished to pay for goods by credit card were asked to swipe the card and enter the PIN at a terminal which was in fact hooked up to a PC.

This is really more of a problem with the lack of attention to such security issues on the part of banks than a new type of crime.
Old news... But still rampant! by node159 · 2003-12-06 13:34 · Score: 5, Informative

Here in New Zealand we have major bank monopoly which results in 4 banks owning the market, with very excessive charges. But as a result ATM fraud is virtualy non-existant. But internet banking fraud is at an all time high. Go figure.

On another note, this is old news and has been around for years but it suprising its still so rampant, I guess the banks must be putting most of the cost on the customers as is indicitave of their inaction.

--
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
atm security is pathetic by Anonymous Coward · 2003-12-06 16:56 · Score: 5, Informative

I should know, I worked with a company that provided them. All I can say is that after working there for a week, I was scared to put my card in one.

This is one of those instances where security by obscurity is obviously working, at least somewhat... as most people don't have access to one to play around with.

They use absolutely no encryption, as they are not required to until something like 2006. And even though it's there, it's not on (at least with Diebold machines). Many have a network cable running into the back of them, so you could plug in a hub and sniff the data. What will this get you? It will get you the ip of the authentication server it talks to and the format of the responses. This would allow you to forge your own authentication server and use some network trickery with a linux box or two and a hub/switch to make any card run through the machine be accepted.

The ones that don't have network cables usually have phone lines. A little known fact is that if you plug two modems together directly, you can still dial the other one and it will pick up and negotiate. You could certainly use this to stick a linux box in between and sniff the data that goes over the network and perform something similar to the above.

Probably the most secure ones are the ones that use GSM or GPRS to communicate as you'd need some expensive equipment to do anything with that, and they are typically inside the unit, so you'd have to break it open somehow so you can't get at the wires.

There are methods in use right now that the ATM companies have absolutely no idea how they work. I'd see memos floating around all the time. They put machines under surveillance for months, and all of a sudden, everyone who had used the machine got ripped off. Yet, no one, as far as they could tell, ever physically did anything to the machine. Theives are using some really sophisticated techniques right now, and about the only way to thwart this is to start using crypto, both for transit, and on your card.

Oh, ever wonder why most machines have been retrofitted with a card swiper instead of an eater? It's because people were putting stuff inside of it so cards would jam, and then they would sit across the parking lot with a spotting scope and watch a person type their pin. When the person couldn't get their card out and left, they would come by with a little extraction tool, take the card, and go on an ATM spree.