Slashdot Mirror
Scammer Plants a Fake ATM At Defcon 17
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
FTA, "Conference organizers notified local law enforcement who hauled away the machine on Thursday or Friday".... Wouldn't they have been better served monitoring the device to see who came and picked it up?
Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?
You stereotypers are all the same...
I wish I noticed it. I would have gotten a starbucks card and see if I could withdraw some cash...
Test your net with Netalyzr
I would think that the hardware would be considered a loss once placed.
---- Booth was a patriot ----
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
--
Far better if this were an "pentest" with the "we'll stand back and watch" cooperation of the bank whose name is on the ATM. Scenario: White hat hackers to to BigBank and the hotel and say "We want to do a demonstration. We have a fake ATM we want to put in the DefCon hotel. We want to rig it so people's ATM codes are stored in the machine, encrypted, for later retrieval. BUT you, the bank, get the decoding key. At the end of Defcon we'll announce the prank. We'll give a $100 gift card and a a plaque to the first attendee who spots that it's a fake."
Now that would be cool.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Being Canadian I usually call it a 'bank machine' rather than an ATM. That is the common term here, very few people call it an ATM. The funny thing is, when I lived in the U.S. I would have to remember to use the term ATM instead of bank machine. While some people knew what I meant when I would ask, "where's the closest bank machine," an unbelievable number would look at me with a blank stare and ask what I meant. Then I would remember and say, "the closest ATM." Then I would get a look of understanding and then the directions. In fact I would hazard that something like 60 or 70% of the people would respond like that. I can't give exact numbers, but absolutely for sure, most people didn't know what I meant by 'bank machine'. The same when I asked for the 'bathroom'. I would have to translate to 'rest room' (the WC for those overseas :) ). When I remembered to use the local term, they would ask why I call it a bathroom, there aren't any baths there. And I would reply, why do you call it a rest room, I can tell you for sure I won't be doing any resting... maybe a lot of grunting, but no resting. It's funny how English can be so different. That's my story and I'm sticking to it.
-- I ignore anonymous replies to my comments and postings.
Back in 1990, after the Loma Prieta Earthquake, there was certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.
I realized it was exactly the same kind of door that was used on MY banks night deposit box just a few blocks down the street, a bank that still did business.
I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.
Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.
Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...
There was even a parking garage across the street for spotters.
Alas, I have morals, so it shall remain a daydream.
A clever scammer would actually have the machine dispense a small amount of cash - say a maximum of $100 per transaction - to avert suspicion.
Load it with, say, $5000 and you can get a minimum of 50 PINs, which is probably worth more than the $5000. Have it say, "Due to high volume, this machine may only dispense $100 per transaction" or the like, which I've seen at various legit ATMs in high-traffic locations. To make it last even longer, have it every once in awhile simply give a message that it is unable to communicate with the network or whatever comments the type of machine you're spoofing usually gives.
If it fails to dispense cash, good samaritans may put "out of order" signs on it, or, if it doesn't dispense and still asks for your data, that makes people suspicious.
The $5000 is peanuts - and probably isn't even their money in the first place - and would almost certainly be less expensive in terms of avoiding detection & getting a LOT more accounts. Absolutely nobody would think that an ATM that dispensed cash is fake; lots of people might suspect one that takes your PIN and then fails to work.
Since I can't tell them apart, I treat all ACs as the same person.
You don't make purchases with a card, but instead with the bank account the card represents. There are two parts to every transaction: identification and authorization. When using an ATM, the physical card provides both identification and authorization. The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.) Because it's non-trivial to both learn an account number and manufacture a matching card, physical possession of the card is a pretty good proxy for control of the account.
Online purchases are different: the identification still comes from the number printed on the card, but the authorization is based on the notion that account numbers are hard to guess (which is terrible security), or on a secret shared by the bank and the holder of the card, the CSC number on the back (which is merely bad security).
If you wanted, you could make online purchases work the same way they do today, and just keep printing CSC numbers on the back of cards. The ATM authorization scheme and the online one don't have anything to do with each other.
But if you're going to issue new cards, you might as well improve online security too, and stop using CSC numbers. Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now, but because the password wouldn't be printed on the back of the card, stealing the physical card wouldn't give you the ability to make online purchases using that card.
Better still would be a way for the card to interact online with the bank, but that seems impractical to me.
The same when I asked for the 'bathroom'.
I, too, find American's aversion to referring to toilets by anything that vaguely resembles what one might do in them, damn strange. With that said, given their obsession with germs and hygiene is unsurpassed by pretty much no other culture (with the possible exception of the Japanese), I suppose it's not all that surprising.
I have an English friend who likes to tell the story of the first time he was in the US, trying to find a toilet in a shopping centre ("though they call it a 'mall'", he likes to chuckle about), and asked a security guard for directions.
First he asked "where's the loo". <blank stare>
Then he asked "where's the WC". <blank stare>
Then he asked "where's the bathroom". <blank stare>
Then he asked "where's the toilet". <blank stare>
Finally, someone standing nearby who had overheard, said "the rest room is over there".
He likes to reflect on how, of all the countries he's travelled to in the world (most of which do not have English as a local language), the one he had the hardest trouble finding a toilet in (due to comprehension problems) was America. This usually happens in the context of a "Great Britain and the USA, two countries separated by a common language" style discussion. :)
It's slightly more sophisticated than that. Note I say "slightly". Not "much".
You can't make a card with just the mag stripe and then use this card anywhere where they expect ATMs to read the chip. This is because the issuing bank will refuse to authorise a transaction which didn't involve the chip if it should have been possible to do so (they know full well that the card with number 1234 5678 9012 3456 was shipped with a chip, so if an ATM which can read chips tries a transaction with just the details on the stripe, it's dodgy).
So what the criminals do instead is read the stripe (either with a fake cash machine or a skimming device attached to a real cash machine), send the details to some country where ATMs that read chips aren't ubiquitous and make up a fake card for use there.
My guess is that Visa and Mastercard between them will, over time, put pressure on banks all over the world to replace their cash machines. But until that happens, this remains a security hole.