Fake ATM Fraud Expose

santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."

Two tips

[tomstdenis]

Use banks you trust and use ATMs [or ABMs as they are called in Canada] at banks you know and trust . I'd never use a whitelabel ABM since not only do you get a surcharge but it's very easy for it to be a fake.

This isn't foolproof but much safer than using random whitelabels you find in Apu's Mealbar.

Tom

Yipes!

[xeno_gearz]

Talk about the ultimate in social engineering! Perhaps the best piece of advice in the article was "Keep a watchful eye on your monthly statement, as well as your balance, and report any problems to your bank." This may seem obvious but with people buying legitimate ATM's and stealing your PIN while legitimately providing your money what much else can you do?

Perhaps I should just go to the barter system. "I'll give you this cow for that rack mounted server."

Re:I try to avoid them altogether.

[Ignis+Flatus]

If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried.

What difference will biometrics make if some criminal has installed a modified machine to intercept and record your biometric data?

Possible solution

[cartman]

Clearly what's necessary is to have a small keypad on the card itself, as well as a small CPU, a private key that is encrypted by the user's PIN, and the public key of the bank. That way, all communication between the card and the bank can be encrypted, and no unencrypted information is ever sent through the ATM.

Such a card would not be much larger than current ATM cards.

The worst fraud that could then be perpetrated is to have a fake ATM that deducts $20 from your account but without dispensing the $20. But that scheme would be very quickly identified.

Re:Who needs ATMs anymore?

[dachshund]

I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free? The machine costs money. The network costs money.

ATM machines are certainly not free, but they are a damned sight less expensive than the human-operated branches that banks used to provide for their customers (at no charge). In fact, cost-cutting is one of the reasons banks have consistently offered when replacing branches with ATMs. What any consumer with a brain should notice is that over the past decade or two, banks have continuously reduced their operating costs thanks to ATMs, and yet the amount of money customers tend to shell out for banking services has not decreased-- it has consistently risen. ATM fees are a big part of that.

The existence of ATM fees is due to the lack of reciprocal agreements among different banks. If bank A has thousands of machines, and wishes to provide better service for its customers, it stands to reason that it would try to enter into an agreement with another large bank B, in order to guarantee that neither banks' customers have to pay fees at ATMs belonging to either bank.

Unfortunately, experience has indicated that banks don't feel any desire to do this. In the real world, it is far more profitable for large banks to collude against their own customers through inaction-- by not creating reciprocal agreements, and collecting vast amounts of additional money through fees. This pads their bottom lines, and hey, what are customers going to do about it? There are only a few banks large enough to make such collaboration practical, and they don't seem too concerned about how much customers are paying (fees continue to rise, way ahead of inflation, despite the fact that the tech is getting cheaper.)

A similar situation exists in the world of wireless communications, where international phone companies ruthlessly assess other companies' customers absurd international roaming fees, even when the caller is only a few hundred miles from his home country. The income these corporations derive from fleecing their customers is far greater than what they would make if they chose to collaborate; since only a few companies are large enough to make this sort of agreement, and those companies make too much money off of the current arrangement, customers have nowhere to go.

Re:I try to avoid them altogether.

[wolfb]

Biometrics won't change the difficulty of electronic attacks, where the biometric signature is copied as easily as your pin number. Biometrics might make physical attacks more difficult, but still not impossible. Time and time again it is shown that biometric systems do not live up to hype. Sometimes they can be easily fooled, and sometimes the biometric signature can be used to reconstruct an acceptable fake. You can count on someone figuring out how to explit any given system sooner or later. How will you restore your security then? Can you get new fingerprints, or new eyeballs?