Slashdot Mirror
Fake ATM Fraud Expose
santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."
With every bank trying to screw you for using any ATMs other than theirs, and with the level of acceptance of credit cards nowadays, who needs ATMs anymore?
It used to be that when I travelled, I carried a fair amount of cash with me. Not anymore - I simply find that I don't need it - gas, food, lodging, all are put on the credit card.
Furthurmore, should I feel the need for cash, my local grocery store allows me to get cash back from a credit card purchase. I simply make a habit of getting $40 back when I buy groceries, and then keeping about $200 at the house. Thus, I rarely if ever need an ATM under normal conditions.
It is pretty stupid - I am sure running an ATM costs a bank far less than paying for a teller, but they seem bound and determined to drive us all away from using ATMs.
www.eFax.com are spammers
A couple of my troops have ran into these fake ATMs in Tijuana. The fake ATMs have been there at least a couple of years from hearsay. Nasty place.
This guy is way out there
A secret service agent demonstrated how to steal someones ATM card and PIN. She rigged an ATM machine that she bought from a website to not accept the pin entered and to not eject the ATM card. When the user was trying to re-enter his pin, she came over saying "This had happened to last week, I found that if you re-enter your PIN and hold down the enter key for 5 seconds it will work." Of course she watched the 4 digit PIN he entered, and when it didn't work he eventually just left. So she then took out the card with tweezers and now had his ATM card and PIN. The thing is... If she bought this ATM and had rigged it to not accept his PIN, why not just rig it to store his PIN and not eject the card? I mean is the secret service really that stupid to use such a dirty method? Anyway, it was very stupid.
A scam that recently was in the news here in Ontario is gangs that put false fronts on ATMs. The faux-fronts contain a camera over the keypad and a magnetic reader on the card reader. These were found on bank machines of the big 5 banks (BMO, TD, RBC, Scotia, and CIBC). So the moral of the story is that even if you stick to the "name-brand" bank machines, you still might get scammed. Personally I'm astounded at the intricacy involved in someone putting fake-fronts on big bank bank machines (don't these things have cameras and some sort of security? How did someone pull up and pull that off?), though I guess that's the extent that organized crime can go.
BTW: Most Canadians I know call them ATMs.
Seperate accounts.
I've done this for a while. I have an account in which I pull out money I'll use to write checks for bills, Paypal, and to pull money from the ATM. This account usually only has another $1000-1500 in it that what is necessary for the bills.
I have another account in which the money is meant to sit there unless there's an emergency. I can write checks with this account, but I never do (so if there's a check written from it on my statement, I'd call the bank ASAP). My ATM isn't tied to this account. Paypal will never it ever exists. And half of the money is always purposely tied up in fairly short-term CDs.
-----
Funny. There's a similar true story in the book Catch Me if You Can (yah, the one they made the movie out of): seems the hero bought a locking trunk, cut a slot out of the top and pasted a sign on it saying something like "deposit slot out of order, please place money in the slot in trunk". IIRC, he put trunk & sign below the deposit slot for a mall's rent collections.
/.ters who still believe in the basic intelligence of your average Joe-Sixpack: read this book.
For added realism he rented a cop outfit and stood all day near the trunk.
Worked like a charm.
Msg. for any
ATM's have long been such a target. Whne my bank back in NYC (Citibank) installed the old drum ATM's (try the code 1 1 2 3 5 :)), these rooms were vulnerable to people coming in right after you were done and hadn't signed out. Also the drum was weak, it would lose money around it's circumference and wasted your time for the end of day count to get your money back.
Of course the usual robberies occured in the rooms themselves, forcing individuals to "dip" and enter their pins. Or getting pin jacked.
Face it, we need these machines until the fabled cashless society kicks in. In the meanwhile, use your banks ATM (also avoids service charges). Avoid all other ATMs.
Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction. If you are uncertain of a particular ATM or get pin jacked, give over the one time PIN#. Later, visit their website to activate/deactivate that magic pin.
Hedley
If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.
Or a public/private key system. Say when you get your card there is some randomish value on some part of the strip that when it is decryped against the key that the ABM/ATM has they will report a value that the bank gave you when you got your card, say "BLUE" (easy enough to remember). Now when ever you use an ABM/ATM you can know it will be authentic because it will say BLUE, if an ABM says your card is RED then you call the bank to report the erroneous machine which may mean an untrustmorthy machine or the bank has changed the key. The key is changed if some crackers ever find it out then the banks will have to go to all the machines and put in a new key, they'll also have to tell everyone what their new colour is which will be a hassle but hopefully shouldn't happen with any kind of frequency if they choose a good key and have good security procedures.
I stole this Sig
There are other ways an ATM can make your life miserable...... read on..
Once, about two years ago, I was shopping for Valentines Day gifts in a local market. The store had an ATM (and banking center) inside so I thought nothing of using their ATM for cash. As it turned out, one of the $20's that came from the ATM was counterfeit and the store clerk flagged it. Okay, so now it gets weird.....
I went immediately back to the banking center inside the store and told them what happened thinking I would be able to trade out the bad $20 for a good one. WRONG, WRONG, WRONG !!! Not only did they NOT replace the bill, but they forced me to fill out 3 pages of documentation on what happened, which was sent to the treasury department and was told to expect a call form them in a few weeks. And remember, the counterfeit $20 came from their machine.
Luckily, I was never contacted by the treasury dept or the FBI, but I am still out $20. Chalk it up to experience ?? I'll say one thing, I will never deal with "Union Bank of California" again.
VISA branded debit cards (maybe MC ones too, I don't have experience with them) in an effort to be friendly and accepted everywhere act as a credit card unless you've specified to use the debit option.
One track of the card has the CC number linked to the primary account, another has a checking account number, and a third has a savings account number. I forget the order as I haven't had access to a magstripe reader/writer since I left my sysadmin job at college (used for the student IDs). It was nice to clone my debit card when the real one got trashed by a minimum wage counter-jockey who snapped it down the magstripe while swiping the card. BTW, the account info is plaintext on the card, if you know your account numbers, you can clone a card without actually having it available.
Next time you go to the gas pumps, select the credit option with your debit card. It won't prompt you for your PIN. It will, if you select the debit option.
I'm guessing its a legacy holdover, it would be nice if PIN usage was required on CC transactions. I think its sad that the local CompUSA here still uses the imprint machines to do CC transactions. Legacy always wins in business...
"Why do you consent to live in ignorance and fear?" - Bad Religion
Should work, but what do I know.
Sometime in the mid- to early-90s, I read the book "Catch me if you can" by con-artist-turned-security-consultant Frank Abagnale. You may have seen the recent Spielberg movie based on this. This was in the pre-ATM days, but if I recall correctly, one of his scams was similar. First he would go to a uniform store and get a security guard uniform. Then he would have a professional looking sign printed up saying something like: "Night deposit out of order -- Leave deposit with security guard."
Anyway, at night, he would put up the sign and station himself outside a bank's night deposit drop box with a big bin. He says people would actually come up and toss bags of cash into the bin, because they just had an innate trust of people in uniform.
When they first bought out ATMs, the program behaviour was to give out the cash first. Humans, being task based people, would go to the machines thinking "My goal is to withdraw cash." Then, they would be given the cash, and they'd say "I've achieved my goal", take their cash and leave, totally forgetting to take their card. (Which makes stealing it even easier).
The HCI researchers picked this one up, and they changed the behaviour to "give receipt, then card, before issuing cash."
Thinking about this got me riled up enough to pull out my banking records, it looks like my bank (Fleet) made quite a bit, by charging a huge 'exchange fee' and whoever sat at the Canadian-end of the deal took about $10 CAN as a "service charge".
It cost me $40 US, but my bank charged everything after $30 CAN.
I'm so pissed at Fleet, I've watched them switch around my transactions so they can charge overdraft fees. I sat and WATCHED online as my paycheck clearing time changed to AFTER the bills were paid so they could nail me with $75 in fees. I called them right after and told them that if I didn't get my $75 back I'd get a lawyer involved, they gave it right back. If my identity weren't stolen (long story) I'd open an account with Citizens Bank right now, I used to work there so I'd know who to call and yell at.
Whew. Don't drink, bank, and slashdot!
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
Weird. I used my US debit card quite extensively in Japan this spring and I never got charged all those fees you are talking about. Granted, I was mostly using government-run ATM machines while there that I believe do not charge fees even if you are not a customer. But my bank sure didn't charge me any "disloyalty" or any of those currency exchange fees you are talking about. I was getting a pretty competitive exchange rate too (I was monitoring the amount actually debited from my account using Internet banking).
Its possible not to pay any ATM fees, if you are with a bank that has agreements with other banks to use their ATMs for free. For example, customers of The National Bank have been able to use ASB Bank and TSB Bank ATMs for free for many years now. The customers of the TSB and ASB banks also have free access to National Bank's ATMs.
The ANZ Bank rectently purchased the National Bank from its British owner, Lloyds TSB, and now ANZ and National Bank customers can access both National/ANZ ATMs for free. This came into effect only a week ago -- December 1st.
Nowdays the only banks that chages a fee for using any other bank's ATM are Westpac, Bank of New Zealand and some other smaller banks. The ANZ/ASB/National/TSB banks all allow their customers to use at least one other bank's ATMs for free.
Can anyone tell us what is the case with the KiwiBank and SuperBank (the New World/4 Square/Pack'n'Save bank)? I read somewhere that the SuperBank charges $2.00 for every ATM transaction regardless of which bank you use. Apparenly the banks wouldn't let them use their ATMs for free or even a small charge!
What I want to see is something that reads neruoelectric signatures. For the initial version, you'd think about your favorite food while leaning your head against a sensor pad. Of course, that could be captured, but that's just phase 1.
Phase 2 is to look at am image shown on the screen. When you sign up for an account, they'd do this once and store the neural impulses generated. From then on, they would show you the image and send the neural signature to the bank. The bank would compare the results and authorize the transaction, and would send a new image to display. You would see the second image, and the neural impulses generated by this second image would be sent back to the bank to store for the next time you tried to make a transaction.
The key requirements are that each transaction could require confirming the neural signature generated by any one or several of the prior images and the images sent for generating new signatures must be taken from a large enough database to get a high degree of variation. Finally, there must be expiration for old images, as one would expect one's reaction to an image to drift over time. Thus, an account unused in 90 days would be frozen until in-person verification could take place.
In such a case, in the unlikely event that someone were able to steal access to someone's account by taking enough prior neural signatures, they would still have to generate a new neural signature for the new image, which would mean that either it would be completely fictitious (which could probably be detected), a copy of some prior signature (which would definitely be detected and an alarm would sound), or would be the signature generated by the criminal, which could then be used as positive identification once that person gets caught.
Sound like fun? :-)
120 character sigs suck. Make it 250.
"They began by using "Lebanese loops" - home-made devices which make the customer think the machine has swallowed the card, only for the crooks to nab them after the victim has walked off. But they have moved on to card skimmers - fake devices which are taped onto the doors of cash machine foyers - and card slot readers."
It used to be you had to press a button to get into the lobby out of hours. Then the homless started sleeping in the lobbys, so the banks replaced the button with a card reader. Now they're having to go back to buttons again.
I'm posting this AC because I don't want my friends/coworkers who surf slashdot to associate my nick with this post.
I work for the largest company in the USA that verifies the transaction between the bank and the cardholder. We are as you could put it, an ISP for ATM's. We are very large, and I've worked for them for quite a number of years.
We heard about these scams a few years ago, it's nothing new. There are a few things you can do to protect yourself.
1. Wait for a prompt before entering your pin number. I have never heard of a "cover" system so complex that they will respond correctly on the screen when a card is put in the slot. Rogue ATM's are another matter.
2. If a white box ATM eats your card, call your bank immediately to report the card stolen/eaten. This is because most of these systems are just a camera and a box to hold stolen cards and pin numbers. Unfortunately the days of getting your card back when it gets eaten are gone. With new regulations there's just no way, get a new one.
3. All ATM's in this country (usa) are required by law to have a phone number of the institution that is authorizing the transactions, and a notice of surcharge on it. If you don't see those, then there could be "something" covering them. They went to a lot of work to make that fake ATM cover, why would they want you alerting someone who would send out a repair technician?
Please don't go clamoring for more regulation. A lot of the regulation in place keeps us from properly helping people in distress, and does almost nothing to help secure them. Besides, most people only need securing from themselves.
Now if you were black with a Caddilac, you'd be pimpin ho's and poppin crack. That's racism.
The problem is that the information you give to authorize one transaction - your card number and PIN - is the same as needed to authorize _any_ transaction.
You could have a different PIN for small amounts and large amounts, being limited to one 'small' withdrawal per day, and that would slightly reduce the potential for fraud. But people would tend to forget the numbers. You could have a booklet printed with a list of one-use-only identification numbers; then someone would have to steal the booklet rather than just copy one number you typed in.
But with mobile phones being so common, can't we use those for security? You type into your phone the amount to withdraw and a PIN (which is held only in the phone itself), and it generates an authorization code signed with your private key (again held only in the phone). You type this code into the ATM, it checks the code using your public key and takes it as an authorization to withdraw *one* particular amount at *one* date and time. Rekeying the same authorization code later will not work since it includes the date and time (with say a five minute window between generating the number on your phone and it expiring), and as an additional safeguard the bank records previously-seen codes and won't accept them again.
Then even if you use a completely bogus ATM that records everything you type in, the worst that could happen is for someone to rush over to a real ATM and type in the same code to get the money - and it would be obvious something was wrong if the fake ATM didn't dispense exactly the same amount.
-- Ed Avis ed@membled.com
I'd never heard of this kind of fraud until about 2 months ago. In that time my flatmate had 500 taken withdrawn from her account, a good friend had 1500 pounds taken from a number of ATMs and a work mate has just been done for about 800 pounds. That's just the people I know personally!
I've also heard second hand of two other incidents, girlfriends cousin being one of them. According to the cops crooks are using "skimmers" on the card slots of ATMs and camera's or "shoulder surfing" to get the pins.
So watch out in London right now is the message I guess.
Who's with me?! I SAID... WHO'S WITH ME!!??
My credentials: I've worked in a bank's main Cash Vault, Research & Adjustments department, and now (finally and Praise Jesus!) IT.
You haven't received good advice all around. The thing you should have done immediately is see the bank manager of the nearest branch and Raise Hell {TM}. It would have been best to have refused to fill out any forms that forced you to admit to being the simple owner of a counterfeit bill, but even that's not so terrible as long as you are willing to do some further social engineering yourself.
1) You see, that ATM's bills came from a cash vault. That vault is responsible for catching counterfeits. In fact, its bill counters are SUPPOSED to catch each and every counterfeit bill fed through them. That's part of their design.
So, by losing $20, you have just allowed the bastards in the Vault (and its governing Operations section) to continue to use machines or procedures that allow counterfeits to pass through their hands, and thus into yours.
2) Social-engineering-wise, once a bill touches your hands, and you examine it and say "hey this is counterfeit", does that mean that the person who passed it to you can just fucking walk away scot free? Of course not. The same reasoning applies to ATMs.
Using these two lines of reasoning, go back to that goddamned bank and get your $20 back (i.e. issue you a $20 credit). If they still balk, follow up with the Secret Service itself about your individual counterfiet bill; this can serve to embarrass the bank to honor your credit.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
Wait a minute.
ATM' are required to be on the DES III standard by 2006. Meanwhile, they all encrypt using standard DES. Even then, the WAN wired ones re-encrypt on the banks private network on the way out to the switch (NYCE, SUM, VISA, etc.). There is NO current ATM network driver that currently accepts un-encrypted transmission. If they did, thieves wouldn't need to set up little card readers to scoop the data, they'd just crack the lines.
Very few WAN operated ATM's use IP. It's just too insecure. Most run serial cables to a FRAD or something similar inside the bank which then sends out a transmission using IP over private, encrypted lines. No one wants to have to address each ATM since the network provider tends to use their own proprietary scheme anyway (ATM Identifier, Poll Select, etc.).
Data leaving the ATM does NOT include a customers PIN. Authentication is done in the box and never sent out. Again, that's why the thieves need the camera and / or card.
Card swipers are cheaper to make and easier to fix. The real reason they are used instead of eaters is because far too many customers walk away from the ATM leaving their card hanging out of the slot. We get a few every day turned in by honest customers or dropped in the night drops of our branches. Card swipers solve that problem. They also won't eat a card that a customer accidently used...like their department store card instead of their ATM card. We get a lot of those too, especially around these holidays!
The transition is already being made, but the hold up is getting the machines upgraded/replaced.
Not to mention the $5/card. Is it really worth the additional expense? I doubt this type of ATM fraud is costing the industry $5 per ATM card.
The best thing you can do right now is go through the hassle of transferring money between accounts (only have an ATM card for one account on you at a time) and transfer money between them. That is unless you want to use a credit card, and just pay it via check every month instead... I don't think you can be held liable for fraud on CCs, or at least you won't if you get the right contract.
You're not liable for fraud on ATM cards either. I transfer money between accounts, but only because my account with the ATM card doesn't let me buy stock. If I could get an ATM card for my Ameritrade account, you better believe I would.