Slashdot Mirror
Scammer Plants a Fake ATM At Defcon 17
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
One wonders if it wasn't just bait to get security to tip their hand for a more thought out caper.
I Need someone to rebuild a Digitech Digital Delay pedal for me....for me...for me...for me.
I know we've been pulling out of Iraq, but going down to Defcon 17 just seems ridiculous.
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
FTA, "Conference organizers notified local law enforcement who hauled away the machine on Thursday or Friday".... Wouldn't they have been better served monitoring the device to see who came and picked it up?
Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?
You stereotypers are all the same...
They make it sound like this was done by criminals. Who's to say it wasn't really a job offer in disguise? ;) "First person here to notice this gets a job offer."
#fuckbeta #iamslashdot #dicemustdie
Even if they could monitor it wirelessly, they should have just carefully disabled the wireless transmission (aluminum foil?) and grabbed whoever came to check in on it.
I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees. Sort of like a guy having a heart attack at a cardiologists convention and the cops keeping everybody back until an ambulance can arrive and take him to a hospital.
I wish I noticed it. I would have gotten a starbucks card and see if I could withdraw some cash...
Test your net with Netalyzr
I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees.
The true FAIL was the Defcon attendees failing to spot and realize that the cops hauling the machines away were fake, and the ATM was real.
Tell your friends about xenu.net
Real ATM's say if they are out of cash before you put your card in.
What if Tetris was invented by Nazis?
Indeed... that is why the ones that you really have to watch for aren't complete fake machines, but little recording devices placed in front of the real machine. You put your card in, enter the code, get your cash... and 5 minutes later some criminal in Eastern Europe runs off a copy of your card and cleans out your account.
A nice example of such a skim job is this one. The page is in Dutch but the pics are interesting... the guy happened to notice the false front was just a tad too clean, and on closer inspection noticed a recording head just behind the card slot. He ripped the thing from the machine and made a few pictures of it before turning it in to the police. The guy might have been observant, but thousands of people already had put their card through the machine without a second glance. I probably would not have noticed this myself either.
These criminals are getting more sophisticated now that people watch for false fronts, and machines are being altered to make it impossible to add them. These days they simple break into stores, open up card readers at the checkout counters, and add devices that record PINs and magnetic strips. One week later they break in again to retrieve their devices... some even use WiFi to read the data remotely from a nearby van, reducing the chances of getting caught.
Thankfully the banks here refund any skimmed funds as a rule.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?
It could be referred as "Personal Identification Number" which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.
One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference to PIN number gets very small.
PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digits long digit based password. I could bet a lot of money that most of people don't convert the acronym to words when they read text.
Besides, the ATM machine is used what, once? Most of the time it uses just ATM.
With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There has been too many times I've seen some acronym, tried to google it, found a dozen different meanings and have had no idea of which it refers to.
So you think of it more like finding a bomb at an explosives convention. Fair enough -- the cops were probably worried about some guy in the back yelling whatever the ATM equivalent of, "Cut the BLUE wire!" is. ;)
They could have covertly had an undercover agent place an "out of order" sign on it; perhaps after trying to use a 'special' jailbait ATM card and PIN number, and the device failing to dispense $$$.
Just like a citizen might do as a service to others when they found the ATM didn't seem to be working..
The perps would probably send someone to investigate why they weren't getting any numbers. If investigators were recording with video surveillance, they could get leads that way.
I would think that the hardware would be considered a loss once placed.
---- Booth was a patriot ----
They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them, Priest said. "It was literally right next to the hotel security entrance." So even the security officials don't like to be spied on.
Science will save us. The question is, will it destroy us first?
The fake-ATM problem is just a man in the middle attack. We've known how to deal with MITM attacks for decades: use public-key cryptography and a secure key exchange algorithm like Diffie-Hellman to create an authenticated, secure channel. That's how SSL works.
Credit and debit cards should contain a small microprocessor that communicates with bank, check its identity, and establish a secure channel. Even if an attacker could read and modify traffic between the card and the bank, he couldn't interfere with the transaction (other than by stopping it entirely).
Of course, this scheme doesn't allow offline credit card processing, but that's rare these days. If you still need to bother, just use an old-fashioned imprint machine.
The larger problem is just of backwards compatibility, which is why we'll never see the sensible scheme above implemented in our lifetimes.
FTFA:
They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them,
---
"I can't complain, but sometimes still do..." Joe Walsh
Can't speak for all ATM's but one possibility is to report some "unknown communication error" right after accepting the pin. I've gotten something like that a couple of times (yes, from ATM's I know are not fake).
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
--
Far better if this were an "pentest" with the "we'll stand back and watch" cooperation of the bank whose name is on the ATM. Scenario: White hat hackers to to BigBank and the hotel and say "We want to do a demonstration. We have a fake ATM we want to put in the DefCon hotel. We want to rig it so people's ATM codes are stored in the machine, encrypted, for later retrieval. BUT you, the bank, get the decoding key. At the end of Defcon we'll announce the prank. We'll give a $100 gift card and a a plaque to the first attendee who spots that it's a fake."
Now that would be cool.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If this was a legit scam instead of a prank, then there's a saying that applies:
"Only the most foolish mouse hides behind the cat's ear, but only the cleverest cat thinks to look there."
There are some people that if they don't know, you can't tell 'em.
Back in 1990, after the Loma Prieta Earthquake, there was certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.
I realized it was exactly the same kind of door that was used on MY banks night deposit box just a few blocks down the street, a bank that still did business.
I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.
Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.
Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...
There was even a parking garage across the street for spotters.
Alas, I have morals, so it shall remain a daydream.
A clever scammer would actually have the machine dispense a small amount of cash - say a maximum of $100 per transaction - to avert suspicion.
Load it with, say, $5000 and you can get a minimum of 50 PINs, which is probably worth more than the $5000. Have it say, "Due to high volume, this machine may only dispense $100 per transaction" or the like, which I've seen at various legit ATMs in high-traffic locations. To make it last even longer, have it every once in awhile simply give a message that it is unable to communicate with the network or whatever comments the type of machine you're spoofing usually gives.
If it fails to dispense cash, good samaritans may put "out of order" signs on it, or, if it doesn't dispense and still asks for your data, that makes people suspicious.
The $5000 is peanuts - and probably isn't even their money in the first place - and would almost certainly be less expensive in terms of avoiding detection & getting a LOT more accounts. Absolutely nobody would think that an ATM that dispensed cash is fake; lots of people might suspect one that takes your PIN and then fails to work.
Since I can't tell them apart, I treat all ACs as the same person.
If the customers are walking out with large amounts of cash, someone's head will roll.
Actually, the way the laws read in a lot of states, it goes something like this...
I learned this in law enforcement school. I was trained as a first responder. I could stabilize a patient until the paramedics arrived.
While on duty, I am protected by the department regardless of what happens. For example, if a person had a heart attack, and I gave CPR, they may sue for the bruising or cracked rib(s). If I fail to keep them alive, I'm still protected, because I tried to the best of my ability.
When OFF duty, I don't have any such protection, and may lose my ass in court. I was trained to perform those acts, but was not obliged. Pretty much, the lawyer for the victim, who is the person you saved, will tear you up when they say "So where did you go to medical school?" "Did the victim consent to you touching him?" "Being that you work in law enforcement, you thought it would be ok to attack the victim, and leave him with cracked ribs, causing him undue pain and suffering and weeks in the hospital?" As soon as you say "But he was having a heart attack", they'll come back with "But you're not a doctor, who were you to judge this?" You see where that goes. Lawyers are assholes, and some people will grab for money anywhere they can, including from the person who saved their life.
We were told, if you see someone having a heart attack on the street, and you aren't working, call 911. Don't get involved.
So, if someone had a heart attack at a conference of cardiovascular specialists, no, they may not get any treatment, but someone will (hopefully) call 911.
There are good people out there though. An ex-girlfriend was involved in a rather serious car accident. She was in the military, and a base surgeon witnessed it. He stopped, and began treating her to the best of his ability, even though he had no supplies. He called 911, then ensured she didn't move, and started to evaluate her for injuries. Other folks from the base secured the area, and guided traffic away from the scene. The scene was handed off to local law enforcement as they arrived. She was transported by ambulance to a civilian hospital (it happened off-base), where he road along. I was called from the hospital. By the time I got there, she was badly bruised and not terribly happy, but stable. And, no, it was a hit & run. There was a consistent description of the vehicle, but when they saw someone in uniform fall out of the drivers seat onto the ground, the focus was on her, not the other vehicle.
Myself, if I see someone in need, I help whenever possible. When professional help arrives, I'll walk away without giving any information. I care to help. I don't care for fame, fortune, or the lawsuit that may follow.
Serious? Seriousness is well above my pay grade.
They could have covertly had an undercover agent place an "out of order" sign on it;
Really, I'd replace the computer inside the ATM with a Ninja.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Because you linked to your personal blog which didn't cite your sources while the link on Slashdot's front page goes to an actual news article on the topic?
I'm sorry, it just seems like you're whining that Slashdot didn't plug your site.
TRHOnline - Staggering Towards Brilliance
My fave was the Yank pronounciation of 'solder' ("sodder"). To this Brit, it sounded like a cross between sodomize and bugger (which mean the same thing). I always cracked up when people asked if I could "sodder" a circuit board for them.
Squirrel!