Slashdot Mirror
Scammer Plants a Fake ATM At Defcon 17
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
One wonders if it wasn't just bait to get security to tip their hand for a more thought out caper.
I Need someone to rebuild a Digitech Digital Delay pedal for me....for me...for me...for me.
I know we've been pulling out of Iraq, but going down to Defcon 17 just seems ridiculous.
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
FTA, "Conference organizers notified local law enforcement who hauled away the machine on Thursday or Friday".... Wouldn't they have been better served monitoring the device to see who came and picked it up?
Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?
You stereotypers are all the same...
They make it sound like this was done by criminals. Who's to say it wasn't really a job offer in disguise? ;) "First person here to notice this gets a job offer."
#fuckbeta #iamslashdot #dicemustdie
Even if they could monitor it wirelessly, they should have just carefully disabled the wireless transmission (aluminum foil?) and grabbed whoever came to check in on it.
I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees. Sort of like a guy having a heart attack at a cardiologists convention and the cops keeping everybody back until an ambulance can arrive and take him to a hospital.
I wish I noticed it. I would have gotten a starbucks card and see if I could withdraw some cash...
Test your net with Netalyzr
I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees.
The true FAIL was the Defcon attendees failing to spot and realize that the cops hauling the machines away were fake, and the ATM was real.
Tell your friends about xenu.net
It's been my understand that these machines would prompt the customer with "out of order, your transaction has been refunded" or some such message. They would walk away with a peace of mind while their account info has been recorded. But yes, I would have bitched at the front counter asking them when it would get fixed. That at least would have called some attention to it.
Life is not for the lazy.
Real ATM's say if they are out of cash before you put your card in.
What if Tetris was invented by Nazis?
Indeed... that is why the ones that you really have to watch for aren't complete fake machines, but little recording devices placed in front of the real machine. You put your card in, enter the code, get your cash... and 5 minutes later some criminal in Eastern Europe runs off a copy of your card and cleans out your account.
A nice example of such a skim job is this one. The page is in Dutch but the pics are interesting... the guy happened to notice the false front was just a tad too clean, and on closer inspection noticed a recording head just behind the card slot. He ripped the thing from the machine and made a few pictures of it before turning it in to the police. The guy might have been observant, but thousands of people already had put their card through the machine without a second glance. I probably would not have noticed this myself either.
These criminals are getting more sophisticated now that people watch for false fronts, and machines are being altered to make it impossible to add them. These days they simple break into stores, open up card readers at the checkout counters, and add devices that record PINs and magnetic strips. One week later they break in again to retrieve their devices... some even use WiFi to read the data remotely from a nearby van, reducing the chances of getting caught.
Thankfully the banks here refund any skimmed funds as a rule.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?
It could be referred as "Personal Identification Number" which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.
One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference to PIN number gets very small.
PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digits long digit based password. I could bet a lot of money that most of people don't convert the acronym to words when they read text.
Besides, the ATM machine is used what, once? Most of the time it uses just ATM.
With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There has been too many times I've seen some acronym, tried to google it, found a dozen different meanings and have had no idea of which it refers to.
So you think of it more like finding a bomb at an explosives convention. Fair enough -- the cops were probably worried about some guy in the back yelling whatever the ATM equivalent of, "Cut the BLUE wire!" is. ;)
They could have covertly had an undercover agent place an "out of order" sign on it; perhaps after trying to use a 'special' jailbait ATM card and PIN number, and the device failing to dispense $$$.
Just like a citizen might do as a service to others when they found the ATM didn't seem to be working..
The perps would probably send someone to investigate why they weren't getting any numbers. If investigators were recording with video surveillance, they could get leads that way.
I would think that the hardware would be considered a loss once placed.
---- Booth was a patriot ----
Do thieves actually come back for these? I'd definitely expect it to be wirelessly transmitting, or to be watching for a special card to be inserted to which it would download the skimmed information.
In order to do that, they would have had to leave it out in the open and allowed people to use it, so as not to make the criminal suspicious when he returns to retrieve it. You then have people making transactions of questionable legality (I didn't read to see if it actually dispensed money or just showed an error after getting the PIN), and increase the possible damage if it is transmitting in a way they didn't uncover or if the criminal manages to extricate the information while they're watching it.
They're better served by taking it away and studying it for clues as to the criminal.
They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them, Priest said. "It was literally right next to the hotel security entrance." So even the security officials don't like to be spied on.
Science will save us. The question is, will it destroy us first?
That's true but I have had ATM's fail to dispense after entering my info before.
All points of time and space are connected.
Sorry, Las Vegas casino Hotel. There are cameras in the toilets. They likly already know who they are.
Living in Chile
The fake-ATM problem is just a man in the middle attack. We've known how to deal with MITM attacks for decades: use public-key cryptography and a secure key exchange algorithm like Diffie-Hellman to create an authenticated, secure channel. That's how SSL works.
Credit and debit cards should contain a small microprocessor that communicates with bank, check its identity, and establish a secure channel. Even if an attacker could read and modify traffic between the card and the bank, he couldn't interfere with the transaction (other than by stopping it entirely).
Of course, this scheme doesn't allow offline credit card processing, but that's rare these days. If you still need to bother, just use an old-fashioned imprint machine.
The larger problem is just of backwards compatibility, which is why we'll never see the sensible scheme above implemented in our lifetimes.
There is a reason for following procedure during an investigation. If you have a piece of evidence in a criminal investigation, you don't let people touch it willy nilly because later in trial it could be thrown out on the grounds it was tampered with. The second reason is the criminal could have been watching in the crowd. Letting random invididuals get access to the machine could enable a criminal to erase the data by hitting a reset switch. The police had no idea who planted it there so they could not trust anyone other than law enforcement officials to go near it. This is in no way similar to your cardiologist/heart attack patient scenario.
Camping on quad since 1996.
Comment removed based on user account deletion
Can't speak for all ATM's but one possibility is to report some "unknown communication error" right after accepting the pin. I've gotten something like that a couple of times (yes, from ATM's I know are not fake).
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
--
Far better if this were an "pentest" with the "we'll stand back and watch" cooperation of the bank whose name is on the ATM. Scenario: White hat hackers to to BigBank and the hotel and say "We want to do a demonstration. We have a fake ATM we want to put in the DefCon hotel. We want to rig it so people's ATM codes are stored in the machine, encrypted, for later retrieval. BUT you, the bank, get the decoding key. At the end of Defcon we'll announce the prank. We'll give a $100 gift card and a a plaque to the first attendee who spots that it's a fake."
Now that would be cool.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You're taking this more seriously than I am, but OK.
Shouldn't the police assume that the victim at the cardiologists convention had been injected with KCl or adenosine+lidocaine by one of the attendees, and thus wait for independent medical professionals to arrive rather than allowing "random individuals" to act? After all, allowing others access to the guy might cloud any subsequent investigation.
That's certainly a win-win for the cops -- if they delay treatment and the guy dies, their investigation has gone from attempted murder to murder, a plus, and their evidence hasn't been tainted, another plus.
If this was a legit scam instead of a prank, then there's a saying that applies:
"Only the most foolish mouse hides behind the cat's ear, but only the cleverest cat thinks to look there."
There are some people that if they don't know, you can't tell 'em.
Yeah, like we are going to RTFA the farking article.
That's pretty redundant
No, it's redundant redundant. Pretty redundant is when someone reposts a picture to usenet.
That's certainly a win-win for the cops -- if they delay treatment and the guy dies, their investigation has gone from attempted murder to murder, a plus
I don't think most members of law enforcement would view that as a "plus"......
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Back in 1990, after the Loma Prieta Earthquake, there was certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.
I realized it was exactly the same kind of door that was used on MY banks night deposit box just a few blocks down the street, a bank that still did business.
I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.
Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.
Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...
There was even a parking garage across the street for spotters.
Alas, I have morals, so it shall remain a daydream.
No, the true FAIL was that none of the Defcon attendees took pictures of the people servicing the ATM. For security reasons that's the new rule, if you see an ATM being serviced -- you have to take your cell phone and take a picture of whomever is doing the servicing.
A clever scammer would actually have the machine dispense a small amount of cash - say a maximum of $100 per transaction - to avert suspicion.
Load it with, say, $5000 and you can get a minimum of 50 PINs, which is probably worth more than the $5000. Have it say, "Due to high volume, this machine may only dispense $100 per transaction" or the like, which I've seen at various legit ATMs in high-traffic locations. To make it last even longer, have it every once in awhile simply give a message that it is unable to communicate with the network or whatever comments the type of machine you're spoofing usually gives.
If it fails to dispense cash, good samaritans may put "out of order" signs on it, or, if it doesn't dispense and still asks for your data, that makes people suspicious.
The $5000 is peanuts - and probably isn't even their money in the first place - and would almost certainly be less expensive in terms of avoiding detection & getting a LOT more accounts. Absolutely nobody would think that an ATM that dispensed cash is fake; lots of people might suspect one that takes your PIN and then fails to work.
Since I can't tell them apart, I treat all ACs as the same person.
Yea, there is no way someone can enter a casino in vegas, hell go anywhere near the strip, without being caught on hundreds of cameras. so they have a blind spot in one corner of the floor, but there is likly hundreds of hours of video tape covering every step of the delivery.
People Bitch about all the cameras in London. They got nothing on the number of cameras in Vegas.
If the security cameras in Vegas where not the best in World, the cons would have cleaned out the casinos years ago and the customers would not feel safe walking in to and out of the casinos with large amounts of cash.
Living in Chile
For me the true FAIL of this incident was the idea of what could happen to the criminals once they're identities are made public after they seriously annoyed the attendees of a hacker convention. Can you imagine a group you'd less want to have seeing how they could make your life miserable (excluding the possibility of physical harm)? Good luck ever getting credit again, and that's just for starters...
If the customers are walking out with large amounts of cash, someone's head will roll.
Actually, the way the laws read in a lot of states, it goes something like this...
I learned this in law enforcement school. I was trained as a first responder. I could stabilize a patient until the paramedics arrived.
While on duty, I am protected by the department regardless of what happens. For example, if a person had a heart attack, and I gave CPR, they may sue for the bruising or cracked rib(s). If I fail to keep them alive, I'm still protected, because I tried to the best of my ability.
When OFF duty, I don't have any such protection, and may lose my ass in court. I was trained to perform those acts, but was not obliged. Pretty much, the lawyer for the victim, who is the person you saved, will tear you up when they say "So where did you go to medical school?" "Did the victim consent to you touching him?" "Being that you work in law enforcement, you thought it would be ok to attack the victim, and leave him with cracked ribs, causing him undue pain and suffering and weeks in the hospital?" As soon as you say "But he was having a heart attack", they'll come back with "But you're not a doctor, who were you to judge this?" You see where that goes. Lawyers are assholes, and some people will grab for money anywhere they can, including from the person who saved their life.
We were told, if you see someone having a heart attack on the street, and you aren't working, call 911. Don't get involved.
So, if someone had a heart attack at a conference of cardiovascular specialists, no, they may not get any treatment, but someone will (hopefully) call 911.
There are good people out there though. An ex-girlfriend was involved in a rather serious car accident. She was in the military, and a base surgeon witnessed it. He stopped, and began treating her to the best of his ability, even though he had no supplies. He called 911, then ensured she didn't move, and started to evaluate her for injuries. Other folks from the base secured the area, and guided traffic away from the scene. The scene was handed off to local law enforcement as they arrived. She was transported by ambulance to a civilian hospital (it happened off-base), where he road along. I was called from the hospital. By the time I got there, she was badly bruised and not terribly happy, but stable. And, no, it was a hit & run. There was a consistent description of the vehicle, but when they saw someone in uniform fall out of the drivers seat onto the ground, the focus was on her, not the other vehicle.
Myself, if I see someone in need, I help whenever possible. When professional help arrives, I'll walk away without giving any information. I care to help. I don't care for fame, fortune, or the lawsuit that may follow.
Serious? Seriousness is well above my pay grade.
Hehe... not exactly ;)
More like, by Law Enforcement taking the dummy ATM before the folks attending Defcon could "examine" it, they preserved the chain of evidence, thereby ensuring that what is uncovered during their forensics work will hold up in a court of law to successfully prosecute the perpetrators.
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
i work in a position with some authority in a major hotel chain, so i prefer to post this as AC.
get a job in a hotel where you can keep track of the billing information and credit/debit cards that people use.
daily, i physically handle dozens of cards with accurate names and contact information. with my company's online system, i can access huge numbers of customer data. at my particular property, i could scam so many people that it would be ridiculous.
you want scary? how about a small ring of organized hotel/restaurant/retail employees that keep track of the card numbers, security codes, and addresses (where applicable)? irregularly stagger the fraudulent charges in time and location to be difficult or impossible to follow, and you've got a fairly sustainable system of theft.
CT is one state that only has such a law for those certified in first aid, but for other states, all of those questions your hypothetical lawyer asked you would be irrelevant, as you'd be immune under such coverage - consent can be implied if unable to be given, only active refusal being an exclusion, cracked ribs during CPR is not uncommon (there are often exemptions for 'reasonable recklessness' - if a person is trapped in a car but there is no reasonable risk of fire, and you, against protest, extricate them from the vehicle causing or exacerbating a spinal injury), and so on.
"When professional help arrives, I'll walk away without giving any information" - isn't that more bad advice? "Material witness", "leaving the scene of an accident" could both be thrown at you, dependent on jurisdiction.
Ironically, often those who may have most to fear from the above are people who are professionally trained. I have begun training as a paramedic - first thing drilled into me is the same as medical students: "You are NOT a paramedic/doctor until and unless you hold the bit of paper that says you are." The next is that as you are professionally trained and expected to know what you are doing, there can be, dependent upon jurisdiction, less latitude in Good Samaritan laws for events that could reasonably be attributed to incompetence on the part of your response. "Don't carry a 'whacker bag'." - "whacker" is an EMS/LE phrase for someone who likes to hang around the fringes of such professions, a 'wannabe', etc. If you're off-duty, respond and help out how and if you believe you can, but carrying a bag full of medical equipment like you're on duty is just going to get you burnt, in more ways than one - at the very least, your fire dept/chief is most definitely not going to be proud of your efforts.
They could have covertly had an undercover agent place an "out of order" sign on it;
Really, I'd replace the computer inside the ATM with a Ninja.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Not if you were a pirate on a galleon. They'd understand where the black powder is stored, that you need room to wash ashore - and they very probably never heared about baths and rooms to place them in.
Because you linked to your personal blog which didn't cite your sources while the link on Slashdot's front page goes to an actual news article on the topic?
I'm sorry, it just seems like you're whining that Slashdot didn't plug your site.
TRHOnline - Staggering Towards Brilliance
A card plus PIN goes for couple of dollars. They're worth less than you think.
"Physics is to math as sex is to masturbation." -R. Feynman
My fave was the Yank pronounciation of 'solder' ("sodder"). To this Brit, it sounded like a cross between sodomize and bugger (which mean the same thing). I always cracked up when people asked if I could "sodder" a circuit board for them.
Squirrel!