Slashdot Mirror


Fake ATM Fraud Expose

santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM-related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customer's PIN, which are later added to false cards and used to empty bank accounts at real ATMs. The 'ATM gang' profiled managed to purchase and set up 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The article has some handy tips for avoiding scams."

23 of 478 comments

  1. Two tips by tomstdenis · · Score: 5, Insightful

    Use banks you trust and use ATMs [or ABMs as they are called in Canada] at banks you know and trust. I'd never use a whitelabel ABM since not only do you get a surcharge but it's very easy for it to be a fake.

    This isn't foolproof but much safer than using random whitelabels you find in Apu's Mealbar.

    Tom

    --
    Someday, I'll have a real sig.
  2. I try to avoid them altogether. by Meat+Blaster · · Score: 4, Insightful
    There's very little about ATMs nowadays to inspire confidence. It used to be that you'd stop by a trusted location to use one (like the bank) but now they're virtually everywhere and aren't always set up by trustworthy entities.

    If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.

    1. Re:I try to avoid them altogether. by Ignis+Flatus · · Score: 5, Insightful

      If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried.

      What difference will biometrics make if some criminal has installed a modified machine to intercept and record your biometric data?

    2. Re:I try to avoid them altogether. by segmond · · Score: 2, Insightful

      That is even more worrisome, you can change your PIN, but good luck trying to change your fingerprint or retina scan data.

      --
      ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
    3. Re:I try to avoid them altogether. by Imperator · · Score: 2, Insightful

      Because it's easy to make a fake card and use a stolen 4-digit PIN, but it's hard to make a fake retina.

      --

      Gates' Law: Every 18 months, the speed of software halves.
    4. Re:I try to avoid them altogether. by Anonymous Coward · · Score: 2, Insightful

      To get money out of your account, they would need to be you for one. Secondly, when the crook shows up at an ATM, you can immediately identify that they are a crook and who the crook is.

      Look idiot, think a little. Using an ATM, they record your biometric data (retinal, fingerprint, whatever) and allow your transaction to go through and record the info. Later, they replay the transaction electronically and rob you.

      How do you think biometrics work? They scan you and convert the information into a long number or identifier. Then they compare that number with the number they have on file. If the two match (or are reasonably close) then the ATM thinks it is you. If you have an ATM (or can connect to the ATM system) you can enter the mag-stripe data, the PIN, and the biometric info directly. And as others have pointed out, you can be issued a new card & PIN, but biometric info is yours forever.

      The ATM problem is one of the platform. Originally, ATMs were only owned by responsible people who don't (normally) rob you, i.e. banks. But now, any idiot can have one. How can you trust the machine run by someone you don't know?

      If you check your hotmail account at a webcafe, your password is protected from sniffing by SSL, but how do you know the webcafe doesn't have a keylogger running? You don't. You can't trust the platform. Same thing with an ATM.

    5. Re:I try to avoid them altogether. by ericspinder · · Score: 3, Insightful
      These ATM scams work so well because they are able to use legit ATMs to collect the money. You could crack into a live ATM in order to upload your fake data, but while you got it open why not just grab the cash directly. There is the possibility of using some kind of device which interfaces with the machine on a directly physical level. Something that could send a fake stream to the scanner itself, but I haven't seen anything like that yet. However once you start to see biometric scanners, I'll bet that you'll start seeing upload devices.

      • Great security is keeping 2 steps ahead of the crooks
      • Good security is keeping 1 step ahead, and
      • Average security sometimes a little ahead and sometimes a little behind.
      Most systems only have the budget for average security.
      --
      The grass is only greener, if you don't take care of your own lawn.
    6. Re:I try to avoid them altogether. by LocoSpitz · · Score: 2, Insightful

      Grab the raw data from the scanner and store it. Then when you're clearing out the account, just feed this raw data to the server. If someone is willing to purchase an ATM and mod it to grab PINs, forcing them to mod it to grab data from a retinal scanner instead is not going to stop them from running their scam.

    7. Re:I try to avoid them altogether. by wolfb · · Score: 5, Insightful

      Biometrics won't change the difficulty of electronic attacks, where the biometric signature is copied as easily as your PIN number. Biometrics might make physical attacks more difficult, but still not impossible. Time and time again it is shown that biometric systems do not live up to hype. Sometimes they can be easily fooled, and sometimes the biometric signature can be used to reconstruct an acceptable fake. You can count on someone figuring out how to exploit any given system sooner or later. How will you restore your security then? Can you get new fingerprints, or new eyeballs?

  3. Yipes! by xeno_gearz · · Score: 5, Insightful
    Talk about the ultimate in social engineering! Perhaps the best piece of advice in the article was "Keep a watchful eye on your monthly statement, as well as your balance, and report any problems to your bank." This may seem obvious but with people buying legitimate ATMs and stealing your PIN while legitimately providing your money what much else can you do?

    Perhaps I should just go to the barter system. "I'll give you this cow for that rack mounted server."

    --
    *
    troll blacklist. Please mo
  4. ATMs becoming less useful by doormat · · Score: 4, Insightful

    As fraud has increased, I've resorted to using only ATMs at the various branches of the bank I'm with, and I've switched (back) to using credit cards instead of debit cards for point-of-service purchases, so that if I get defrauded, I end up with a huge CC bill (relatively) instead of an empty bank account.

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  5. Re:Who needs ATMs anymore? by meta-monkey · · Score: 4, Insightful
    I don't think anybody's trying to screw you there, chief. Nobody puts a gun to your head and makes you use their ATM (well, they might...I didn't actually read the article, so I don't know how violent these gangs get :) ).
    • Your bank publishes the charges for using an ATM outside their network, and
    • an ATM you use will tell you the fee for using that ATM
    I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free? The machine costs money. The network costs money. Service costs money. TANSTAAFL. If you don't want to pay the fees, don't use an ATM. Like you said, there are plenty of other methods.
    --
    We don't have a state-run media we have a media-run state.
  6. ATM Vs. INTERAC by Malicious · · Score: 3, Insightful
    Personally, I fear no ATM. If I need cash, I simply go to the bank and get it from the official ATM there. That way I save myself $1.50 or whatever the FlybyNight ATM charges. I do this once, perhaps twice a month.

    The problem arises when people have created false Interac machines, or scam your bank card's information from it. I use Interac probably 3-4 times a day, and each time, do my best to ensure I can see the Interac terminal, which my card is being scanned through, to allow myself a *little* peace of mind.

    --
    01101001001000000110000101101101001000000110001001 10000101110100011011010110000101101110
  7. Non-biometrics solution by product+byproduct · · Score: 4, Insightful

    I would prefer to use an electronic key that when interfaced with an ATM will happily raise any given number to my secret exponent modulo my public key.

    For each transaction, my bank will send a random challenge to the ATM that only my electronic key can solve.
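
Added example (not part of the original thread): the challenge-response scheme described in the comment above, sketched with a constructed toy RSA key, showing why a response recorded by a modified ATM is rejected on replay. The class and function names are hypothetical, the key is far too small for real use, and hashing the challenge before exponentiation is an assumption of this sketch rather than something the comment specifies.

```python
import hashlib
import secrets

# Constructed toy key built from two known Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public modulus and exponent, held by the bank
D = pow(E, -1, (P - 1) * (Q - 1))      # secret exponent, stored only inside the key

def digest(challenge: bytes) -> int:
    """Map a challenge to a number below N (hashing first is an assumption of this sketch)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

class ElectronicKey:
    """Hypothetical customer token: answers challenges, never reveals D."""
    def respond(self, challenge: bytes) -> int:
        return pow(digest(challenge), D, N)

class Bank:
    """Hypothetical bank side: issues single-use random challenges and checks responses."""
    def __init__(self):
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: int) -> bool:
        if challenge not in self.pending:
            return False                   # unknown or already used challenge
        self.pending.discard(challenge)    # each challenge is accepted once
        return pow(response, E, N) == digest(challenge)

def demo():
    bank, key = Bank(), ElectronicKey()
    c1 = bank.new_challenge()
    r1 = key.respond(c1)                   # a modified ATM in the path can record (c1, r1)
    genuine = bank.verify(c1, r1)
    replay_same = bank.verify(c1, r1)      # same pair again: challenge was consumed
    replay_fresh = bank.verify(bank.new_challenge(), r1)  # old response, new challenge
    return genuine, replay_same, replay_fresh

if __name__ == "__main__":
    print(demo())
```

The recorded pair is useless afterwards because the bank never accepts the same challenge twice and the old response does not match any fresh one.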

  8. Re:What an overelaborate scheme... by Q2Serpent · · Score: 2, Insightful

    But, when you lose your wallet, you are likely to report the card as missing/stolen a lot quicker. With magnetic stripe theft, most people won't notice money missing until their next statement.

  9. Possible solution by cartman · · Score: 5, Insightful

    Clearly what's necessary is to have a small keypad on the card itself, as well as a small CPU, a private key that is encrypted by the user's PIN, and the public key of the bank. That way, all communication between the card and the bank can be encrypted, and no unencrypted information is ever sent through the ATM.

    Such a card would not be much larger than current ATM cards.

    The worst fraud that could then be perpetrated is to have a fake ATM that deducts $20 from your account but without dispensing the $20. But that scheme would be very quickly identified.

  10. Re:Who needs ATMs anymore? by ottffssent · · Score: 2, Insightful

    I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free?

    No, I think the HR fairy drops them off all over the place. She says "Here you go! Tons cheaper than a real person. Enjoy!" and wanders off to do another good deed.

  11. Re:Old news... But still rampant! by Qrlx · · Score: 2, Insightful

    Here in New Zealand we have major bank monopoly which results in 4 banks owning the market, with very excessive charges. But as a result ATM fraud is virtually non-existent.

    Sounds like the bank monopoly is ripping you off, though. Technically I suppose it's not fraud, but you're still getting scammed, right. It's just a scam that the law smiles upon :)

  12. And credit cards by RogerWilco · · Score: 2, Insightful

    As long as credit cards exist, I'm not going to complain about the insecurity of ATMs.

    --
    RogerWilco the Adventurous Janitor
  13. Re:PINs from far away? by haizi_23 · · Score: 2, Insightful

    I think that if they're set up to record the data on the magnetic stripe as well as your PIN, they can just reproduce your card -- there's no need to physically steal it. Reassuring, eh?

  14. Re:Who needs ATMs anymore? by dachshund · · Score: 5, Insightful
    I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free? The machine costs money. The network costs money.

    ATM machines are certainly not free, but they are a damned sight less expensive than the human-operated branches that banks used to provide for their customers (at no charge). In fact, cost-cutting is one of the reasons banks have consistently offered when replacing branches with ATMs. What any consumer with a brain should notice is that over the past decade or two, banks have continuously reduced their operating costs thanks to ATMs, and yet the amount of money customers tend to shell out for banking services has not decreased-- it has consistently risen. ATM fees are a big part of that.

    The existence of ATM fees is due to the lack of reciprocal agreements among different banks. If bank A has thousands of machines, and wishes to provide better service for its customers, it stands to reason that it would try to enter into an agreement with another large bank B, in order to guarantee that neither bank's customers have to pay fees at ATMs belonging to either bank.

    Unfortunately, experience has indicated that banks don't feel any desire to do this. In the real world, it is far more profitable for large banks to collude against their own customers through inaction-- by not creating reciprocal agreements, and collecting vast amounts of additional money through fees. This pads their bottom lines, and hey, what are customers going to do about it? There are only a few banks large enough to make such collaboration practical, and they don't seem too concerned about how much customers are paying (fees continue to rise, way ahead of inflation, despite the fact that the tech is getting cheaper.)

    A similar situation exists in the world of wireless communications, where international phone companies ruthlessly assess other companies' customers absurd international roaming fees, even when the caller is only a few hundred miles from his home country. The income these corporations derive from fleecing their customers is far greater than what they would make if they chose to collaborate; since only a few companies are large enough to make this sort of agreement, and those companies make too much money off of the current arrangement, customers have nowhere to go.

  15. Even smartcards are not a solution. by sonamchauhan · · Score: 3, Insightful

    Hmm.. The problem is that ATM cards can be so easily forged.

    Banks should switch to contactless cards with a tiny processor and display that (a) stays in control of the user at all times, and (b) allows the user to authorise *individual* cash/ATM transactions. It would be akin to a small palm-pilot with public-key cryptography and an IRDA link, but credit card sized, so it fits in your wallet... or is built into your wallet. The only way this could be defeated is by breaking the crypto, or by capturing the device itself and obtaining its password.

    Without an interface on a device in your control, even smart-cards can be defeated by the "false-front" ATMs mentioned in this article (you withdraw $20, the "false-front" ATM actually withdraws $1000, dispenses $20, and pockets the $980 difference).

  16. Fingerprint-protected ATM cards won't work - ever by jetmarc · · Score: 2, Insightful

    > It takes less than a dollar worth of materials and a matter of
    > seconds to capture a fingerprint off of... pretty much anything.

    Yes! And I care to add for the sake of completeness, because this is
    just too often (deliberately?) ignored:

    1. fingerprint-protected ATM card gets stolen
    2. thief needs sample of owner's fingerprint to produce copy
    3. ?????????? ....... bing! thief takes sample from ATM card's surface.
    4. profit! (well, or go to jail immediately)