Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fake ATM Fraud Expose

Posted by michael on from the you-pays-your-money-and-you-takes-your-chances dept.

santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."

15 of 478 comments (clear)

  1. Who needs ATMs anymore? by wowbagger · · Score: 5, Interesting

    With every bank trying to screw you for using any ATMs other than theirs, and with the level of acceptance of credit cards nowadays, who needs ATMs anymore?

    It used to be that when I travelled, I carried a fair amount of cash with me. Not anymore - I simply find that I don't need it - gas, food, lodging, all are put on the credit card.

    Furthurmore, should I feel the need for cash, my local grocery store allows me to get cash back from a credit card purchase. I simply make a habit of getting $40 back when I buy groceries, and then keeping about $200 at the house. Thus, I rarely if ever need an ATM under normal conditions.

    It is pretty stupid - I am sure running an ATM costs a bank far less than paying for a teller, but they seem bound and determined to drive us all away from using ATMs.

    --
    www.eFax.com are spammers
  2. Tijuana by LittleLebowskiUrbanA · · Score: 5, Interesting

    A couple of my troops have ran into these fake ATMs in Tijuana. The fake ATMs have been there at least a couple of years from hearsay. Nasty place.

    --
    This guy is way out there
  3. I saw a show about this by YoungBonzi · · Score: 3, Interesting

    A secret service agent demonstrated how to steal someones ATM card and PIN. She rigged an ATM machine that she bought from a website to not accept the pin entered and to not eject the ATM card. When the user was trying to re-enter his pin, she came over saying "This had happened to last week, I found that if you re-enter your PIN and hold down the enter key for 5 seconds it will work." Of course she watched the 4 digit PIN he entered, and when it didn't work he eventually just left. So she then took out the card with tweezers and now had his ATM card and PIN. The thing is... If she bought this ATM and had rigged it to not accept his PIN, why not just rig it to store his PIN and not eject the card? I mean is the secret service really that stupid to use such a dirty method? Anyway, it was very stupid.

  4. Re:Two tips by ergo98 · · Score: 5, Interesting

    A scam that recently was in the news here in Ontario is gangs that put false fronts on ATMs. The faux-fronts contain a camera over the keypad and a magnetic reader on the card reader. These were found on bank machines of the big 5 banks (BMO, TD, RBC, Scotia, and CIBC). So the moral of the story is that even if you stick to the "name-brand" bank machines, you still might get scammed. Personally I'm astounded at the intricacy involved in someone putting fake-fronts on big bank bank machines (don't these things have cameras and some sort of security? How did someone pull up and pull that off?), though I guess that's the extent that organized crime can go.

    BTW: Most Canadians I know call them ATMs.

  5. Minor safeguard... by Magus311X · · Score: 4, Interesting

    Seperate accounts.

    I've done this for a while. I have an account in which I pull out money I'll use to write checks for bills, Paypal, and to pull money from the ATM. This account usually only has another $1000-1500 in it that what is necessary for the bills.

    I have another account in which the money is meant to sit there unless there's an emergency. I can write checks with this account, but I never do (so if there's a check written from it on my statement, I'd call the bank ASAP). My ATM isn't tied to this account. Paypal will never it ever exists. And half of the money is always purposely tied up in fairly short-term CDs.

    -----

  6. phishing expeditions by hedley · · Score: 4, Interesting

    ATM's have long been such a target. Whne my bank back in NYC (Citibank) installed the old drum ATM's (try the code 1 1 2 3 5 :)), these rooms were vulnerable to people coming in right after you were done and hadn't signed out. Also the drum was weak, it would lose money around it's circumference and wasted your time for the end of day count to get your money back.

    Of course the usual robberies occured in the rooms themselves, forcing individuals to "dip" and enter their pins. Or getting pin jacked.

    Face it, we need these machines until the fabled cashless society kicks in. In the meanwhile, use your banks ATM (also avoids service charges). Avoid all other ATMs.

    Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction. If you are uncertain of a particular ATM or get pin jacked, give over the one time PIN#. Later, visit their website to activate/deactivate that magic pin.

    Hedley

  7. Re:I try to avoid them altogether. by quantaman · · Score: 5, Interesting

    If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.

    Or a public/private key system. Say when you get your card there is some randomish value on some part of the strip that when it is decryped against the key that the ABM/ATM has they will report a value that the bank gave you when you got your card, say "BLUE" (easy enough to remember). Now when ever you use an ABM/ATM you can know it will be authentic because it will say BLUE, if an ABM says your card is RED then you call the bank to report the erroneous machine which may mean an untrustmorthy machine or the bank has changed the key. The key is changed if some crackers ever find it out then the banks will have to go to all the machines and put in a new key, they'll also have to tell everyone what their new colour is which will be a hassle but hopefully shouldn't happen with any kind of frequency if they choose a good key and have good security procedures.

    --
    I stole this Sig
  8. Re:I try to avoid them altogether. by sfm · · Score: 5, Interesting

    There are other ways an ATM can make your life miserable...... read on..

    Once, about two years ago, I was shopping for Valentines Day gifts in a local market. The store had an ATM (and banking center) inside so I thought nothing of using their ATM for cash. As it turned out, one of the $20's that came from the ATM was counterfeit and the store clerk flagged it. Okay, so now it gets weird.....

    I went immediately back to the banking center inside the store and told them what happened thinking I would be able to trade out the bad $20 for a good one. WRONG, WRONG, WRONG !!! Not only did they NOT replace the bill, but they forced me to fill out 3 pages of documentation on what happened, which was sent to the treasury department and was told to expect a call form them in a few weeks. And remember, the counterfeit $20 came from their machine.

    Luckily, I was never contacted by the treasury dept or the FBI, but I am still out $20. Chalk it up to experience ?? I'll say one thing, I will never deal with "Union Bank of California" again.

  9. Re:I try to avoid them altogether. by ffsnjb · · Score: 4, Interesting

    VISA branded debit cards (maybe MC ones too, I don't have experience with them) in an effort to be friendly and accepted everywhere act as a credit card unless you've specified to use the debit option.

    One track of the card has the CC number linked to the primary account, another has a checking account number, and a third has a savings account number. I forget the order as I haven't had access to a magstripe reader/writer since I left my sysadmin job at college (used for the student IDs). It was nice to clone my debit card when the real one got trashed by a minimum wage counter-jockey who snapped it down the magstripe while swiping the card. BTW, the account info is plaintext on the card, if you know your account numbers, you can clone a card without actually having it available.

    Next time you go to the gas pumps, select the credit option with your debit card. It won't prompt you for your PIN. It will, if you select the debit option.

    I'm guessing its a legacy holdover, it would be nice if PIN usage was required on CC transactions. I think its sad that the local CompUSA here still uses the imprint machines to do CC transactions. Legacy always wins in business...

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
  10. "Catch me if you can" anecdote by Alaska+Jack · · Score: 3, Interesting

    Sometime in the mid- to early-90s, I read the book "Catch me if you can" by con-artist-turned-security-consultant Frank Abagnale. You may have seen the recent Spielberg movie based on this. This was in the pre-ATM days, but if I recall correctly, one of his scams was similar. First he would go to a uniform store and get a security guard uniform. Then he would have a professional looking sign printed up saying something like: "Night deposit out of order -- Leave deposit with security guard."

    Anyway, at night, he would put up the sign and station himself outside a bank's night deposit drop box with a big bin. He says people would actually come up and toss bags of cash into the bin, because they just had an innate trust of people in uniform.

  11. Re:Attached documentary - Card Cleaner! by Plug · · Score: 3, Interesting

    When they first bought out ATMs, the program behaviour was to give out the cash first. Humans, being task based people, would go to the machines thinking "My goal is to withdraw cash." Then, they would be given the cash, and they'd say "I've achieved my goal", take their cash and leave, totally forgetting to take their card. (Which makes stealing it even easier).

    The HCI researchers picked this one up, and they changed the behaviour to "give receipt, then card, before issuing cash."

  12. Re:in Canada... by MarcQuadra · · Score: 5, Interesting

    Thinking about this got me riled up enough to pull out my banking records, it looks like my bank (Fleet) made quite a bit, by charging a huge 'exchange fee' and whoever sat at the Canadian-end of the deal took about $10 CAN as a "service charge".

    It cost me $40 US, but my bank charged everything after $30 CAN.

    I'm so pissed at Fleet, I've watched them switch around my transactions so they can charge overdraft fees. I sat and WATCHED online as my paycheck clearing time changed to AFTER the bills were paid so they could nail me with $75 in fees. I called them right after and told them that if I didn't get my $75 back I'd get a lawyer involved, they gave it right back. If my identity weren't stolen (long story) I'd open an account with Citizens Bank right now, I used to work there so I'd know who to call and yell at.

    Whew. Don't drink, bank, and slashdot!

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  13. Re:in Canada... by Mnemia · · Score: 5, Interesting

    Weird. I used my US debit card quite extensively in Japan this spring and I never got charged all those fees you are talking about. Granted, I was mostly using government-run ATM machines while there that I believe do not charge fees even if you are not a customer. But my bank sure didn't charge me any "disloyalty" or any of those currency exchange fees you are talking about. I was getting a pretty competitive exchange rate too (I was monitoring the amount actually debited from my account using Internet banking).

  14. Posting AC - Information you should know. by Anonymous Coward · · Score: 5, Interesting

    I'm posting this AC because I don't want my friends/coworkers who surf slashdot to associate my nick with this post.

    I work for the largest company in the USA that verifies the transaction between the bank and the cardholder. We are as you could put it, an ISP for ATM's. We are very large, and I've worked for them for quite a number of years.

    We heard about these scams a few years ago, it's nothing new. There are a few things you can do to protect yourself.

    1. Wait for a prompt before entering your pin number. I have never heard of a "cover" system so complex that they will respond correctly on the screen when a card is put in the slot. Rogue ATM's are another matter.

    2. If a white box ATM eats your card, call your bank immediately to report the card stolen/eaten. This is because most of these systems are just a camera and a box to hold stolen cards and pin numbers. Unfortunately the days of getting your card back when it gets eaten are gone. With new regulations there's just no way, get a new one.

    3. All ATM's in this country (usa) are required by law to have a phone number of the institution that is authorizing the transactions, and a notice of surcharge on it. If you don't see those, then there could be "something" covering them. They went to a lot of work to make that fake ATM cover, why would they want you alerting someone who would send out a repair technician?

    Please don't go clamoring for more regulation. A lot of the regulation in place keeps us from properly helping people in distress, and does almost nothing to help secure them. Besides, most people only need securing from themselves.

  15. Re:Two tips by Ed+Avis · · Score: 3, Interesting

    The problem is that the information you give to authorize one transaction - your card number and PIN - is the same as needed to authorize _any_ transaction.

    You could have a different PIN for small amounts and large amounts, being limited to one 'small' withdrawal per day, and that would slightly reduce the potential for fraud. But people would tend to forget the numbers. You could have a booklet printed with a list of one-use-only identification numbers; then someone would have to steal the booklet rather than just copy one number you typed in.

    But with mobile phones being so common, can't we use those for security? You type into your phone the amount to withdraw and a PIN (which is held only in the phone itself), and it generates an authorization code signed with your private key (again held only in the phone). You type this code into the ATM, it checks the code using your public key and takes it as an authorization to withdraw *one* particular amount at *one* date and time. Rekeying the same authorization code later will not work since it includes the date and time (with say a five minute window between generating the number on your phone and it expiring), and as an additional safeguard the bank records previously-seen codes and won't accept them again.

    Then even if you use a completely bogus ATM that records everything you type in, the worst that could happen is for someone to rush over to a real ATM and type in the same code to get the money - and it would be obvious something was wrong if the fake ATM didn't dispense exactly the same amount.

    --
    -- Ed Avis ed@membled.com