Slashdot Mirror


Fake ATM Fraud Expose

santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM-related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customer's PIN, which are later added to false cards and used to empty bank accounts at real ATMs. The 'ATM gang' profiled managed to purchase and set up 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The article has some handy tips for avoiding scams."

25 of 478 comments

  1. Two tips by tomstdenis · · Score: 5, Insightful

    Use banks you trust and use ATMs [or ABMs as they are called in Canada] at banks you know and trust. I'd never use a whitelabel ABM since not only do you get a surcharge but it's very easy for it to be a fake.

    This isn't foolproof but much safer than using random whitelabels you find in Apu's Mealbar.

    Tom

    --
    Someday, I'll have a real sig.
  2. I try to avoid them altogether. by Meat+Blaster · · Score: 4, Insightful
    There's very little about ATMs nowadays to inspire confidence. It used to be that you'd stop by a trusted location to use one (like the bank) but now they're virtually everywhere and aren't always set up by trustworthy entities.

    If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.

    1. Re:I try to avoid them altogether. by Ignis+Flatus · · Score: 5, Insightful

      If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried.

      What difference will biometrics make if some criminal has installed a modified machine to intercept and record your biometric data?

    2. Re:I try to avoid them altogether. by segmond · · Score: 2, Insightful

      That is even more worrisome, you can change your PIN, but good luck trying to change your fingerprint or retina scan data.

      --
      ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
    3. Re:I try to avoid them altogether. by Imperator · · Score: 2, Insightful

      Because it's easy to make a fake card and use a stolen 4-digit PIN, but it's hard to make a fake retina.

      --

      Gates' Law: Every 18 months, the speed of software halves.
    4. Re:I try to avoid them altogether. by Anonymous Coward · · Score: 2, Insightful

      To get money out of your account, they would need to be you for one. Secondly, when the crook shows up at an ATM, you can immediately identify that they are a crook and who the crook is.

      Look idiot, think a little. Using an ATM, they record your biometric data (retinal, fingerprint, whatever) and allow your transaction to go through and record the info. Later, they replay the transaction electronically and rob you.

      How do you think biometrics work? They scan you and convert the information into a long number or identifier. Then they compare that number with the number they have on file. If the two match (or are reasonably close) then the ATM thinks it is you. If you have an ATM (or can connect to the ATM system) you can enter the mag-stripe data, the PIN, and the biometric info directly. And as others have pointed out, you can be issued a new card & PIN, but biometric info is yours forever.

      The ATM problem is one of the platform. Originally, ATMs were only owned by responsible people who don't (normally) rob you, i.e. banks. But now, any idiot can have one. How can you trust the machine run by someone you don't know?

      If you check your hotmail account at a webcafe, your password is protected from sniffing by SSL, but how do you know the webcafe doesn't have a keylogger running? You don't. You can't trust the platform. Same thing with an ATM.

    5. Re:I try to avoid them altogether. by ericspinder · · Score: 3, Insightful
      These ATM scams work so well because they are able to use legit ATMs to collect the money. You could crack into a live ATM in order to upload your fake data, but while you got it open why not just grab the cash directly? There is the possibility of using some kind of device which interfaces with the machine on a directly physical level. Something that could send a fake stream to the scanner itself, but I haven't seen anything like that yet. However once you start to see biometric scanners, I'll bet that you'll start seeing upload devices.

      • Great security is keeping 2 steps ahead of the crooks
      • Good security is keeping 1 step ahead, and
      • Average security is sometimes a little ahead and sometimes a little behind.
      Most systems only have the budget for average security.
      --
      The grass is only greener, if you don't take care of your own lawn.
    6. Re:I try to avoid them altogether. by LocoSpitz · · Score: 2, Insightful

      Grab the raw data from the scanner and store it. Then when you're clearing out the account, just feed this raw data to the server. If someone is willing to purchase an ATM and mod it to grab PINs, forcing them to mod it to grab data from a retinal scanner instead is not going to stop them from running their scam.

    7. Re:I try to avoid them altogether. by wolfb · · Score: 5, Insightful

      Biometrics won't change the difficulty of electronic attacks, where the biometric signature is copied as easily as your PIN. Biometrics might make physical attacks more difficult, but still not impossible. Time and time again it is shown that biometric systems do not live up to hype. Sometimes they can be easily fooled, and sometimes the biometric signature can be used to reconstruct an acceptable fake. You can count on someone figuring out how to exploit any given system sooner or later. How will you restore your security then? Can you get new fingerprints, or new eyeballs?

  3. Yipes! by xeno_gearz · · Score: 5, Insightful
    Talk about the ultimate in social engineering! Perhaps the best piece of advice in the article was "Keep a watchful eye on your monthly statement, as well as your balance, and report any problems to your bank." This may seem obvious but with people buying legitimate ATMs and stealing your PIN while legitimately providing your money what else can you do?

    Perhaps I should just go to the barter system. "I'll give you this cow for that rack mounted server."

    --
    *
    troll blacklist. Please mo
  4. ATMs becoming less useful by doormat · · Score: 4, Insightful

    As fraud has increased, I've resorted to using only ATMs at the various branches of the bank I'm with, and I've switched (back) to using credit cards instead of debit cards for point-of-service purchases, so that if I get defrauded, I end up with a huge CC bill (relatively) instead of an empty bank account.

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  5. Re:Who needs ATMs anymore? by meta-monkey · · Score: 4, Insightful
    I don't think anybody's trying to screw you there, chief. Nobody puts a gun to your head and makes you use their ATM (well, they might...I didn't actually read the article, so I don't know how violent these gangs get :) ).
    • Your bank publishes the charges for using an ATM outside their network, and
    • an ATM you use will tell you the fee for using that ATM
    I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free? The machine costs money. The network costs money. Service costs money. TANSTAAFL. If you don't want to pay the fees, don't use an ATM. Like you said, there are plenty of other methods.
    --
    We don't have a state-run media we have a media-run state.
  6. ATM Vs. INTERAC by Malicious · · Score: 3, Insightful
    Personally, I fear no ATM. If I need cash, I simply go to the bank and get it from the official ATM there. That way I save myself $1.50 or whatever the FlybyNight ATM charges. I do this once, perhaps twice a month.

    The problem arises when people have created false Interac machines, or scam your bank card's information from it. I use Interac probably 3-4 times a day, and each time, do my best to ensure I can see the Interac terminal, which my card is being scanned through, to allow myself a *little* peace of mind.

    --
    01101001001000000110000101101101001000000110001001 10000101110100011011010110000101101110
  7. Non-biometrics solution by product+byproduct · · Score: 4, Insightful

    I would prefer to use an electronic key that when interfaced with an ATM will happily raise any given number to my secret exponent modulo my public key.

    For each transaction, my bank will send a random challenge to the ATM that only my electronic key can solve.

  8. Re:What an overelaborate scheme... by Q2Serpent · · Score: 2, Insightful

    But, when you lose your wallet, you are likely to report the card as missing/stolen a lot quicker. With magnetic stripe theft, most people won't notice money missing until their next statement.

  9. The interface would still be a problem by Anonymous Coward · · Score: 1, Insightful

    You can't copy a chipcard like you can a simple magnetic strip ... but as long as the interface is not on your own hardware, the card, they can still hijack the session and rip you off.

    They need to start using cards with their own crypto yes, but they also need to put an LCD on the card so you can see the amount you are transferring (with some basic safeguards to ensure that the amount shown has to have been shown for X seconds before you can confirm, so they can't just flash a new amount on there just as you press the button).

  10. Possible solution by cartman · · Score: 5, Insightful

    Clearly what's necessary is to have a small keypad on the card itself, as well as a small CPU, a private key that is encrypted by the user's PIN, and the public key of the bank. That way, all communication between the card and the bank can be encrypted, and no unencrypted information is ever sent through the ATM.

    Such a card would not be much larger than current ATM cards.

    The worst fraud that could then be perpetrated is to have a fake ATM that deducts $20 from your account but without dispensing the $20. But that scheme would be very quickly identified.

  11. Re:Who needs ATMs anymore? by ottffssent · · Score: 2, Insightful

    I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free?

    No, I think the HR fairy drops them off all over the place. She says "Here you go! Tons cheaper than a real person. Enjoy!" and wanders off to do another good deed.

  12. Re:Old news... But still rampant! by Qrlx · · Score: 2, Insightful

    Here in New Zealand we have major bank monopoly which results in 4 banks owning the market, with very excessive charges. But as a result ATM fraud is virtually non-existent.

    Sounds like the bank monopoly is ripping you off, though. Technically I suppose it's not fraud, but you're still getting scammed, right. It's just a scam that the law smiles upon :)

  13. And credit cards by RogerWilco · · Score: 2, Insightful

    As long as credit cards exist, I'm not going to complain about the insecurity of ATMs.

    --
    RogerWilco the Adventurous Janitor
  14. Re:PINs from far away? by haizi_23 · · Score: 2, Insightful

    I think that if they're set up to record the data on the magnetic stripe as well as your PIN, they can just reproduce your card -- there's no need to physically steal it. Reassuring, eh?

  15. Re:Who needs ATMs anymore? by dachshund · · Score: 5, Insightful
    I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free? The machine costs money. The network costs money.

    ATM machines are certainly not free, but they are a damned sight less expensive than the human-operated branches that banks used to provide for their customers (at no charge). In fact, cost-cutting is one of the reasons banks have consistently offered when replacing branches with ATMs. What any consumer with a brain should notice is that over the past decade or two, banks have continuously reduced their operating costs thanks to ATMs, and yet the amount of money customers tend to shell out for banking services has not decreased-- it has consistently risen. ATM fees are a big part of that.

    The existence of ATM fees is due to the lack of reciprocal agreements among different banks. If bank A has thousands of machines, and wishes to provide better service for its customers, it stands to reason that it would try to enter into an agreement with another large bank B, in order to guarantee that neither banks' customers have to pay fees at ATMs belonging to either bank.

    Unfortunately, experience has indicated that banks don't feel any desire to do this. In the real world, it is far more profitable for large banks to collude against their own customers through inaction-- by not creating reciprocal agreements, and collecting vast amounts of additional money through fees. This pads their bottom lines, and hey, what are customers going to do about it? There are only a few banks large enough to make such collaboration practical, and they don't seem too concerned about how much customers are paying (fees continue to rise, way ahead of inflation, despite the fact that the tech is getting cheaper.)

    A similar situation exists in the world of wireless communications, where international phone companies ruthlessly assess other companies' customers absurd international roaming fees, even when the caller is only a few hundred miles from his home country. The income these corporations derive from fleecing their customers is far greater than what they would make if they chose to collaborate; since only a few companies are large enough to make this sort of agreement, and those companies make too much money off of the current arrangement, customers have nowhere to go.

  16. A Per-Use fee is not the only way by Anonymous Coward · · Score: 1, Insightful
    I don't understand why some people accept some fees and not others.

    • When I go to a bookstore, there are armchairs there that I can use to sit down if I want to read a few pages of books I'm considering buying. Those armchairs cost money to buy and clean, but I don't have to pay a special armchair-surcharge if someone sees me sitting in one.
    • When I go to a supermarket, I get the free loan of a grocery cart to wheel my groceries around. These carts cost the supermarket money -- there's no grocery-cart-fairy dropping them all over -- but still I don't see a guy standing next to the cart-corral charging a quarter to use one.

    The point is there are many examples of business providing services for "free", usually because they think they'll get more customers as an indirect consequence, or they fear getting a bad reputation and losing customers if they don't provide a service that their competitors provide. Of course businesses must recover their costs, but a per-use fee is not the best or only way to do so.

    So just because someone suggests that ATM fees piss them off, this doesn't mean they're oblivious to the fact that ATMs cost money to buy and operate. Instead, they're suggesting that they'd like it better if businesses recovered their costs in some other way -- for example -- the same way that they recover the costs of using credit cards.

    This thread started with credit cards, and guess what -- it's not free for a business to accept credit cards either. They have to pay the credit card company every time someone makes a purchase. So when credit cards first came out, businesses would tack on a 5% fee if you wanted to pay with a card. Someone like you might have made a comment like yours defending this "credit-card-use" fee. "Nobody puts a gun to your head and makes you pay with a credit card. The credit card network and database cost money." Yada yada..

    But people did complain -- and today those fees are largely gone. If you go to a convenience store, the prices listed on the shelves are the same prices you pay whether you use cash or credit. Of course, this just means that stores have absorbed the costs of dealing with the credit-card companies into their prices, so today someone paying cash is paying "more than they should" to subsidize customers who pay with credit cards. Do you think this was a good change? Do you approve of this?

    Whether or not you do, there's no reason this can't or won't happen to ATMs. A convenience store owner might buy and install an ATM that charges no fee, just because he expects customers who come in to use the ATM might buy something on the way out -- or because all the other convenience stores around already have free ATMs and his store would get a bad reputation if he didn't have one too. In a world like this, the convenience store owner would just have to raise all his prices a little to compensate.

    If you approve of ATM fees, would you like to see credit-card-use fees come back too? How about fees for using the convenience-store bathroom? Is there such a thing as being "nickel-and-dimed" to death? Personally I like that credit-card fees have gone away, and I would like ATM fees to go too, even if prices rose overall a little to compensate.

    Just my opinion...
  17. Even smartcards are not a solution. by sonamchauhan · · Score: 3, Insightful

    Hmm.. The problem is that ATM cards can be so easily forged.

    Banks should switch to contactless cards with a tiny processor and display that (a) stays in control of the user at all times, and (b) allows the user to authorise *individual* cash/ATM transactions. It would be akin to a small palm-pilot with public-key cryptography and an IRDA link, but credit card sized, so it fits in your wallet... or is built into your wallet. The only way this could be defeated is by breaking the crypto, or by capturing the device itself and obtaining its password.

    Without an interface on a device in your control, even smart-cards can be defeated by the "false-front" ATMs mentioned in this article (you withdraw $20, the "false-front" ATM actually withdraws $1000, dispenses $20, and pockets the $980 difference).
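
The challenge-response key proposed in comment 7, with the transaction amount bound into the response as comments 9 and 17 ask, sketched as an added example (not code from the thread). It uses textbook RSA with a constructed toy key and hypothetical names (`Bank`, `key_approve`); a real design would use a standard signature scheme and full-size keys.

```python
import hashlib
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent, held only by the key


def digest(challenge: bytes, amount_cents: int) -> int:
    """Hash challenge and amount together so one response covers both."""
    data = challenge + amount_cents.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def key_approve(challenge: bytes, amount_cents: int) -> int:
    """Runs on the customer's key, for the amount shown on its own display."""
    return pow(digest(challenge, amount_cents), D, N)


class Bank:
    def __init__(self):
        self.pending = set()

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def authorize(self, challenge, amount_cents, response) -> bool:
        if challenge not in self.pending:   # never issued, or already used
            return False
        self.pending.discard(challenge)     # each challenge is single use
        return pow(response, E, N) == digest(challenge, amount_cents)


def honest_withdrawal() -> bool:
    bank = Bank()
    c = bank.new_challenge()
    return bank.authorize(c, 2000, key_approve(c, 2000))


def replayed_response() -> tuple:
    """A terminal keeps the transcript and presents it again later."""
    bank = Bank()
    c1 = bank.new_challenge()
    r1 = key_approve(c1, 2000)
    bank.authorize(c1, 2000, r1)                     # the genuine transaction
    same_challenge = bank.authorize(c1, 2000, r1)    # old challenge, old response
    fresh_challenge = bank.authorize(bank.new_challenge(), 2000, r1)
    return same_challenge, fresh_challenge


def altered_amount() -> bool:
    """Customer approves $20 on the key; the terminal submits $1000."""
    bank = Bank()
    c = bank.new_challenge()
    return bank.authorize(c, 100000, key_approve(c, 2000))
```

Unlike a recorded stripe and PIN, a recorded response is useless to the terminal: it verifies only against the one challenge and amount it was computed for.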

  18. Fingerprint-protected ATM cards won't work - ever by jetmarc · · Score: 2, Insightful

    > It takes less than a dollar worth of materials and a matter of
    > seconds to capture a fingerprint off of... pretty much anything.

    Yes! And I care to add for the sake of completeness, because this is
    just too often (deliberately?) ignored:

    1. fingerprint-protected ATM card gets stolen
    2. thief needs sample of owner's fingerprint to produce copy
    3. ?????????? ....... bing! thief takes sample from ATM card's surface.
    4. profit! (well, or go to jail immediately)