Slashdot Mirror
Fake ATM Fraud Expose
santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."
Use banks you trust and use ATMs [or ABMs as they are called in Canada] at banks you know and trust . I'd never use a whitelabel ABM since not only do you get a surcharge but it's very easy for it to be a fake.
This isn't foolproof but much safer than using random whitelabels you find in Apu's Mealbar.
Tom
Someday, I'll have a real sig.
Perhaps I should just go to the barter system. "I'll give you this cow for that rack mounted server."
*
troll blacklist. Please mo
ATM fraud like this has been reported at least since 1988. Ross Anderson presented this at a conference in 1993 Why Cryptosystems Fail mentioning that:
The fastest growing modus operandi is to use false terminals to collect customer card and PIN data. Attacks of this kind were first reported from the USA in 1988; there, crooks built a vending machine which would accept any card and PIN, and dispense a packet of cigarettes. They put their invention in a shopping mall, and harvested PINs and magnetic strip data by modem... in 1992, criminals set up a market stall in High Wycombe, England, and customers who wished to pay for goods by credit card were asked to swipe the card and enter the PIN at a terminal which was in fact hooked up to a PC.
This is really more of a problem with the lack of attention to such security issues on the part of banks than a new type of crime.
Best part in the entire article:
The U.S. Secret Service says the following people are wanted for questioning in connection with the $4 million ATM heist described in Dateline's story:
Bella Magary
Hungarian white male, blond hair, 5'6", with medium build, aka Bill Gates, personal ties to California.
If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried.
What difference will biometrics make if some criminal has installed a modified machine to intercept and record your biometric data?
With every bank trying to screw you for using any ATMs other than theirs, and with the level of acceptance of credit cards nowadays, who needs ATMs anymore?
It used to be that when I travelled, I carried a fair amount of cash with me. Not anymore - I simply find that I don't need it - gas, food, lodging, all are put on the credit card.
Furthurmore, should I feel the need for cash, my local grocery store allows me to get cash back from a credit card purchase. I simply make a habit of getting $40 back when I buy groceries, and then keeping about $200 at the house. Thus, I rarely if ever need an ATM under normal conditions.
It is pretty stupid - I am sure running an ATM costs a bank far less than paying for a teller, but they seem bound and determined to drive us all away from using ATMs.
www.eFax.com are spammers
A couple of my troops have ran into these fake ATMs in Tijuana. The fake ATMs have been there at least a couple of years from hearsay. Nasty place.
This guy is way out there
Here in New Zealand we have major bank monopoly which results in 4 banks owning the market, with very excessive charges. But as a result ATM fraud is virtualy non-existant. But internet banking fraud is at an all time high. Go figure.
On another note, this is old news and has been around for years but it suprising its still so rampant, I guess the banks must be putting most of the cost on the customers as is indicitave of their inaction.
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
WARNING:
ATM FRAUD
tcd004
If someone wants to obtain access to easy credit, the easiest way is to simply steal people's wallets, which filthy street urchins have been able to do since the beginnings of civilization. You don't need to spend time and money to construct an ATM, as a few 13-year old delinquients in a crowded area like a shopping mall can obtain credit cards much quicker than that.
A lot of times, bank cards can be used as credit cards, and only require a signature that is seldom ever checked against the one on the back of the card inside the US, though in the EU they actually do it. The PIN number is hardly ever needed, but all that is required to access it is a quick phone call to a bank. Just walk into Best Buy and go on a shopping spree and hit credit on the little number pad, and all they'll ever do is make you sign a receipt.
If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.
Or a public/private key system. Say when you get your card there is some randomish value on some part of the strip that when it is decryped against the key that the ABM/ATM has they will report a value that the bank gave you when you got your card, say "BLUE" (easy enough to remember). Now when ever you use an ABM/ATM you can know it will be authentic because it will say BLUE, if an ABM says your card is RED then you call the bank to report the erroneous machine which may mean an untrustmorthy machine or the bank has changed the key. The key is changed if some crackers ever find it out then the banks will have to go to all the machines and put in a new key, they'll also have to tell everyone what their new colour is which will be a hassle but hopefully shouldn't happen with any kind of frequency if they choose a good key and have good security procedures.
I stole this Sig
Clearly what's necessary is to have a small keypad on the card itself, as well as a small CPU, a private key that is encrypted by the user's PIN, and the public key of the bank. That way, all communication between the card and the bank can be encrypted, and no unencrypted information is ever sent through the ATM.
Such a card would not be much larger than current ATM cards.
The worst fraud that could then be perpetrated is to have a fake ATM that deducts $20 from your account but without dispensing the $20. But that scheme would be very quickly identified.
There are other ways an ATM can make your life miserable...... read on..
Once, about two years ago, I was shopping for Valentines Day gifts in a local market. The store had an ATM (and banking center) inside so I thought nothing of using their ATM for cash. As it turned out, one of the $20's that came from the ATM was counterfeit and the store clerk flagged it. Okay, so now it gets weird.....
I went immediately back to the banking center inside the store and told them what happened thinking I would be able to trade out the bad $20 for a good one. WRONG, WRONG, WRONG !!! Not only did they NOT replace the bill, but they forced me to fill out 3 pages of documentation on what happened, which was sent to the treasury department and was told to expect a call form them in a few weeks. And remember, the counterfeit $20 came from their machine.
Luckily, I was never contacted by the treasury dept or the FBI, but I am still out $20. Chalk it up to experience ?? I'll say one thing, I will never deal with "Union Bank of California" again.
Thinking about this got me riled up enough to pull out my banking records, it looks like my bank (Fleet) made quite a bit, by charging a huge 'exchange fee' and whoever sat at the Canadian-end of the deal took about $10 CAN as a "service charge".
It cost me $40 US, but my bank charged everything after $30 CAN.
I'm so pissed at Fleet, I've watched them switch around my transactions so they can charge overdraft fees. I sat and WATCHED online as my paycheck clearing time changed to AFTER the bills were paid so they could nail me with $75 in fees. I called them right after and told them that if I didn't get my $75 back I'd get a lawyer involved, they gave it right back. If my identity weren't stolen (long story) I'd open an account with Citizens Bank right now, I used to work there so I'd know who to call and yell at.
Whew. Don't drink, bank, and slashdot!
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
Weird. I used my US debit card quite extensively in Japan this spring and I never got charged all those fees you are talking about. Granted, I was mostly using government-run ATM machines while there that I believe do not charge fees even if you are not a customer. But my bank sure didn't charge me any "disloyalty" or any of those currency exchange fees you are talking about. I was getting a pretty competitive exchange rate too (I was monitoring the amount actually debited from my account using Internet banking).
I should know, I worked with a company that provided them. All I can say is that after working there for a week, I was scared to put my card in one.
This is one of those instances where security by obscurity is obviously working, at least somewhat... as most people don't have access to one to play around with.
They use absolutely no encryption, as they are not required to until something like 2006. And even though it's there, it's not on (at least with Diebold machines). Many have a network cable running into the back of them, so you could plug in a hub and sniff the data. What will this get you? It will get you the ip of the authentication server it talks to and the format of the responses. This would allow you to forge your own authentication server and use some network trickery with a linux box or two and a hub/switch to make any card run through the machine be accepted.
The ones that don't have network cables usually have phone lines. A little known fact is that if you plug two modems together directly, you can still dial the other one and it will pick up and negotiate. You could certainly use this to stick a linux box in between and sniff the data that goes over the network and perform something similar to the above.
Probably the most secure ones are the ones that use GSM or GPRS to communicate as you'd need some expensive equipment to do anything with that, and they are typically inside the unit, so you'd have to break it open somehow so you can't get at the wires.
There are methods in use right now that the ATM companies have absolutely no idea how they work. I'd see memos floating around all the time. They put machines under surveillance for months, and all of a sudden, everyone who had used the machine got ripped off. Yet, no one, as far as they could tell, ever physically did anything to the machine. Theives are using some really sophisticated techniques right now, and about the only way to thwart this is to start using crypto, both for transit, and on your card.
Oh, ever wonder why most machines have been retrofitted with a card swiper instead of an eater? It's because people were putting stuff inside of it so cards would jam, and then they would sit across the parking lot with a spotting scope and watch a person type their pin. When the person couldn't get their card out and left, they would come by with a little extraction tool, take the card, and go on an ATM spree.
Biometrics won't change the difficulty of electronic attacks, where the biometric signature is copied as easily as your pin number. Biometrics might make physical attacks more difficult, but still not impossible. Time and time again it is shown that biometric systems do not live up to hype. Sometimes they can be easily fooled, and sometimes the biometric signature can be used to reconstruct an acceptable fake. You can count on someone figuring out how to explit any given system sooner or later. How will you restore your security then? Can you get new fingerprints, or new eyeballs?
I'm posting this AC because I don't want my friends/coworkers who surf slashdot to associate my nick with this post.
I work for the largest company in the USA that verifies the transaction between the bank and the cardholder. We are as you could put it, an ISP for ATM's. We are very large, and I've worked for them for quite a number of years.
We heard about these scams a few years ago, it's nothing new. There are a few things you can do to protect yourself.
1. Wait for a prompt before entering your pin number. I have never heard of a "cover" system so complex that they will respond correctly on the screen when a card is put in the slot. Rogue ATM's are another matter.
2. If a white box ATM eats your card, call your bank immediately to report the card stolen/eaten. This is because most of these systems are just a camera and a box to hold stolen cards and pin numbers. Unfortunately the days of getting your card back when it gets eaten are gone. With new regulations there's just no way, get a new one.
3. All ATM's in this country (usa) are required by law to have a phone number of the institution that is authorizing the transactions, and a notice of surcharge on it. If you don't see those, then there could be "something" covering them. They went to a lot of work to make that fake ATM cover, why would they want you alerting someone who would send out a repair technician?
Please don't go clamoring for more regulation. A lot of the regulation in place keeps us from properly helping people in distress, and does almost nothing to help secure them. Besides, most people only need securing from themselves.