Slashdot Mirror


Scammer Plants a Fake ATM At Defcon 17

Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."

37 of 394 comments

  1. Epic Fail by TornCityVenz · · Score: 4, Insightful

    One wonders if it wasn't just bait to get security to tip their hand for a more thought out caper.

    --
    I Need someone to rebuild a Digitech Digital Delay pedal for me....for me...for me...for me.
    1. Re:Epic Fail by EdIII · · Score: 4, Funny

      One wonders if it wasn't just bait to get security to tip their hand for a more thought out caper.

      Been watching Oceans Eleven have we?

    2. Re:Epic Fail by cyclomedia · · Score: 4, Informative

      Or Ronin, the "Would you take a picture of me and my wife?" scene

      --
      If you don't risk failure you don't risk success.
  2. Defcon 5 isn't peaceful enough by Anonymous Coward · · Score: 5, Funny

    I know we've been pulling out of Iraq, but going down to Defcon 17 just seems ridiculous.

  3. Pedant Warning! by ZackSchil · · Score: 5, Funny

    Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

    1. Re:Pedant Warning! by Anonymous Coward · · Score: 5, Funny

      Yeah, like we are going to RTFA the farking article.

    2. Re:Pedant Warning! by Mononoke · · Score: 5, Funny

      Read at your own risk.

      At whom else's risk would I read it?

      --
      NetInfo connection failed for server 127.0.0.1/local
    3. Re:Pedant Warning! by Minwee · · Score: 4, Funny

      Maybe it is referring to the other, NSFW definition of ATM. This is a hotel in Las Vegas, you know.

    4. Re:Pedant Warning! by MaskedSlacker · · Score: 5, Funny

      Asynchronous Transfer Mode? (Imagining that as a sexual euphemism gives me all kinds of degrading ideas)

    5. Re:Pedant Warning! by epine · · Score: 5, Insightful

      Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

      Languages are shaped by cognitive cost. This is what Steven Pinker seems not to get. There _is_ an innate language instinct, it's just not what he thinks it is. What we all share is the ability to introspect the cognitive cost of figuring out "WTH is this dude trying to convey?"

      One of the key insights on language is that Lempel-Ziv compression never transmits the compression dictionary. The dictionary is implied because the compression program and the decompression program share the same dictionary construction heuristic. This is a trick you can pull off only if the two sides of the channel share the same cognitive architecture. There is no shortage of examples out there of how fast communication breaks down when the parties begin with fundamentally different premises on how to structure the categories of thought.

      Here's another fundamental question: what portion of the brain's cognitive activity is devoted to power management? For one thing, glucose is a precious resource, and the brain is a chug-a-lug organ when it comes to glucose consumption. For another, the brain is costly to cool. From the real-time perspective (which governed 5.999 million years of human evolution), there's not much use firing up the abstract-noun chocolate factory when you need a survival response in under 100ms.

      There's another truism here: fool me once, shame on you, fool me twice, shame on me. (Or, if you've spent forty years fouling your spark plugs, "fool me once, shame on -- shame on you. Fool me -- you can't get fooled again.")

      When you get surprised by a lion, first you need to act, secondly, you need to record, to avert recurrence, after deferred reflection.

      However, the brain does not record broad-spectrum. There's just too much. It's easy to build a PVR these days with 1TB of storage. I still haven't seen one where the tuner is replaced by a DC-to-daylight recording mode.

      You can't defer deciding what to record for very long. So this is an obligatory cognitive function when your brain is already heavily loaded. At high enough stress levels, the recording function does shut down. Assessing and responding to cognitive burden is a mission-critical survival function. This is a key foundation for language learning.

      A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind went the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner. The underlying assumption that makes this work in practise is that the architectural model of the child's brain resembles that of the rest of the population. This is 99% satisfied by being a member of the same species, without any weird genetic Pinkerisms.

      As the language convention becomes more sophisticated, some parameters in the ambiguity resolution process become social constructs. Given a conflict between two heuristics, which takes priority? The important thing to realize about socially determined linguistic parameters is that they tend to vary across discourse settings. Experts have slightly different rules among themselves than apply in heterogeneous settings, where, e.g. half the people involved are ESL.

      There was a thread here the other day on the consequences of a non-specialist treating guilt and liability as vaguely synonymous in exactly the wrong forum (wrists cuffed to ankles by the minions of RIAA).

      A person incapable of pedanticism is not likely to succeed with either law or software. (This is one of the reasons why the IANAL meme on slashdot annoys the hell out of me: if the law is too complex to be successfully interpreted by a concentrated group of the weediest pedants on planet earth, just maybe perhaps the root c

    6. Re:Pedant Warning! by theshowmecanuck · · Score: 4, Interesting

      Being Canadian I usually call it a 'bank machine' rather than an ATM. That is the common term here, very few people call it an ATM. The funny thing is, when I lived in the U.S. I would have to remember to use the term ATM instead of bank machine. While some people knew what I meant when I would ask, "where's the closest bank machine," an unbelievable number would look at me with a blank stare and ask what I meant. Then I would remember and say, "the closest ATM." Then I would get a look of understanding and then the directions. In fact I would hazard that something like 60 or 70% of the people would respond like that. I can't give exact numbers, but absolutely for sure, most people didn't know what I meant by 'bank machine'. The same when I asked for the 'bathroom'. I would have to translate to 'rest room' (the WC for those overseas :) ). When I remembered to use the local term, they would ask why I call it a bathroom, there aren't any baths there. And I would reply, why do you call it a rest room, I can tell you for sure I won't be doing any resting... maybe a lot of grunting, but no resting. It's funny how English can be so different. That's my story and I'm sticking to it.

      --
      -- I ignore anonymous replies to my comments and postings.
    7. Re:Pedant Warning! by machine321 · · Score: 5, Funny

      So, in Canada, if you're going to steal a money-dispensing machine, you tell people you're going to take a BM?

    8. Re:Pedant Warning! by nacturation · · Score: 4, Funny

      Lastly he said "Please direct me to your nearest porcelain receptacle that I may initiate peristalsis and thus deposit my faeces therein."

      On a related note, there's those baby wipes called "Baby Faces" and I so wish I could photoshop those in real life and add an "e" to make it "Baby Faeces".

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    9. Re:Pedant Warning! by honkycat · · Score: 5, Insightful

      I suspect the failed communication was due to pronunciation rather than vocabulary. While "loo" and especially "WC" are very rare terms over here, "bathroom" is certainly the primary, standard term for almost everyone I know. Public bathrooms are typically called restrooms, but I'd be totally shocked to find someone who called their bathroom at home a restroom.

      However, I could completely imagine someone with a moderate or thick British accent having a lot of trouble communicating with someone in the US. There are a lot of regional US accents that bear little resemblance to some of the British speech patterns, and a lot of people don't get outside their region very often.

    10. Re:Pedant Warning! by ATMD · · Score: 5, Funny

      Of course, whether you get to do any is another matter.

      --
      Nobody else has this sig.
    11. Re:Pedant Warning! by jtownatpunk.net · · Score: 4, Funny

      Can I touch you for a fag?

  4. Complete FAIL for everyone, including law enforcement by Radtastic · · Score: 5, Interesting

    FTA, "Conference organizers notified local law enforcement who hauled away the machine on Thursday or Friday".... Wouldn't they have been better served monitoring the device to see who came and picked it up?

    Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?

    --
    You stereotypers are all the same...
  5. Fake ATMs by girlintraining · · Score: 4, Funny

    They make it sound like this was done by criminals. Who's to say it wasn't really a job offer in disguise? ;) "First person here to notice this gets a job offer."

    --
    #fuckbeta #iamslashdot #dicemustdie
  6. Re:Complete FAIL for everyone, including law enforc by ZackSchil · · Score: 4, Insightful

    Even if they could monitor it wirelessly, they should have just carefully disabled the wireless transmission (aluminum foil?) and grabbed whoever came to check in on it.

  7. Re:Complete FAIL for everyone, including law enforc by e9th · · Score: 5, Funny

    I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees. Sort of like a guy having a heart attack at a cardiologists convention and the cops keeping everybody back until an ambulance can arrive and take him to a hospital.

  8. Re:Complete FAIL for everyone, including law enforc by Xemu · · Score: 5, Funny

    I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees.

    The true FAIL was the Defcon attendees failing to spot and realize that the cops hauling the machines away were fake, and the ATM was real.

    --
    Tell your friends about xenu.net
  9. Re:No cash. by Oktober+Sunset · · Score: 4, Informative

    Real ATMs say if they are out of cash before you put your card in.

  10. Re:No cash. by JaredOfEuropa · · Score: 5, Informative

    But yes, I would have bitched at the front counter asking them when it would get fixed. That at least would have called some attention to it.

    Indeed... that is why the ones that you really have to watch for aren't complete fake machines, but little recording devices placed in front of the real machine. You put your card in, enter the code, get your cash... and 5 minutes later some criminal in Eastern Europe runs off a copy of your card and cleans out your account.

    A nice example of such a skim job is this one. The page is in Dutch but the pics are interesting... the guy happened to notice the false front was just a tad too clean, and on closer inspection noticed a recording head just behind the card slot. He ripped the thing from the machine and made a few pictures of it before turning it in to the police. The guy might have been observant, but thousands of people already had put their card through the machine without a second glance. I probably would not have noticed this myself either.

    These criminals are getting more sophisticated now that people watch for false fronts, and machines are being altered to make it impossible to add them. These days they simply break into stores, open up card readers at the checkout counters, and add devices that record PINs and magnetic strips. One week later they break in again to retrieve their devices... some even use WiFi to read the data remotely from a nearby van, reducing the chances of getting caught.

    Thankfully the banks here refund any skimmed funds as a rule.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  11. What's the alternative? by Anonymous Coward · · Score: 5, Insightful

    Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

    People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?

    It could be referred to as "Personal Identification Number" which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.

    One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference to PIN number gets very small.

    PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digits long, digit-based password. I could bet a lot of money that most people don't convert the acronym to words when they read text.

    Besides, the ATM machine is used what, once? Most of the time it uses just ATM.

    With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There have been too many times I've seen some acronym, tried to google it, found a dozen different meanings and have had no idea of which it refers to.

  12. Re:Complete FAIL for everyone, including law enforc by e9th · · Score: 4, Funny

    So you think of it more like finding a bomb at an explosives convention. Fair enough -- the cops were probably worried about some guy in the back yelling whatever the ATM equivalent of, "Cut the BLUE wire!" is. ;)

  13. Re:Complete FAIL for everyone, including law enforc by mysidia · · Score: 5, Insightful

    They could have covertly had an undercover agent place an "out of order" sign on it; perhaps after trying to use a 'special' jailbait ATM card and PIN number, and the device failing to dispense $$$.

    Just like a citizen might do as a service to others when they found the ATM didn't seem to be working.

    The perps would probably send someone to investigate why they weren't getting any numbers. If investigators were recording with video surveillance, they could get leads that way.

  14. Re:Complete FAIL for everyone, including law enforc by nurb432 · · Score: 4, Interesting

    I would think that the hardware would be considered a loss once placed.

    --
    ---- Booth was a patriot ----
  15. Re:Damn, I wish I noticed it... by Vectronic · · Score: 5, Funny

    Yeah? and I climb rainbows for a living... with our powers combined, we form Captain Planet.

  16. Security Office by Zerocool3001 · · Score: 4, Insightful

    They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them, Priest said. "It was literally right next to the hotel security entrance." So even the security officials don't like to be spied on.

    --
    Science will save us. The question is, will it destroy us first?
  17. Easy to avoid by QuoteMstr · · Score: 4, Insightful

    The fake-ATM problem is just a man-in-the-middle attack. We've known how to deal with MITM attacks for decades: use public-key cryptography and a secure key exchange algorithm like Diffie-Hellman to create an authenticated, secure channel. That's how SSL works.

    Credit and debit cards should contain a small microprocessor that communicates with the bank, checks its identity, and establishes a secure channel. Even if an attacker could read and modify traffic between the card and the bank, he couldn't interfere with the transaction (other than by stopping it entirely).

    Of course, this scheme doesn't allow offline credit card processing, but that's rare these days. If you still need to bother, just use an old-fashioned imprint machine.

    The larger problem is just one of backwards compatibility, which is why we'll never see the sensible scheme above implemented in our lifetimes.
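
    The authenticated-channel argument in this post, as an added example (not code from the post or from any card standard): a card and a bank run a Diffie-Hellman exchange whose public values are authenticated, then MAC the transaction under the resulting session key, while a relay in the card's path (the fake ATM) either forwards honestly, substitutes its own DH value, or alters the amount. Python's standard library has no public-key signature primitive, so the authentication step uses an HMAC under a long-term key shared by card and bank, standing in for the signatures the post describes; the DH group, card id and keys are constructed toy values.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for illustration: prime 2**255 - 19,
# generator 2. A real deployment would use a vetted group or elliptic curve.
P, G = 2**255 - 19, 2

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        part = part.to_bytes(32, "big") if isinstance(part, int) else part
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def session_key(priv, peer_pub, card_pub, bank_pub):
    """Bind the key to the DH secret and both authenticated public values."""
    return mac(b"kdf", pow(peer_pub, priv, P), card_pub, bank_pub)

class Card:
    def __init__(self, card_id, lt_key):
        self.card_id, self.lt_key = card_id, lt_key
    def hello(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        # MAC the DH value under the long-term key so a relay cannot swap in its own.
        return self.card_id, self.pub, mac(self.lt_key, b"card", self.card_id, self.pub)
    def finish(self, bank_pub, tag):
        if not hmac.compare_digest(tag, mac(self.lt_key, b"bank", self.pub, bank_pub)):
            return False
        self.key = session_key(self.priv, bank_pub, self.pub, bank_pub)
        return True
    def withdraw(self, amount):  # transaction authenticated under the session key
        msg = b"withdraw %d" % amount
        return msg, mac(self.key, b"txn", msg)

class Bank:
    def __init__(self, card_keys):
        self.card_keys = card_keys  # long-term key per card id
    def respond(self, card_id, card_pub, tag):
        lt_key = self.card_keys[card_id]
        if not hmac.compare_digest(tag, mac(lt_key, b"card", card_id, card_pub)):
            return None
        priv = secrets.randbelow(P - 2) + 1
        bank_pub = pow(G, priv, P)
        self.key = session_key(priv, card_pub, card_pub, bank_pub)
        return bank_pub, mac(lt_key, b"bank", card_pub, bank_pub)
    def process(self, msg, tag):
        return msg.decode() if hmac.compare_digest(tag, mac(self.key, b"txn", msg)) else None

def relay(mode, stage, msg):  # the ATM in the middle: forwards, or tampers
    if mode == "swap_dh" and stage == "hello":  # inject the relay's own DH value
        return msg[0], pow(G, 12345, P), msg[2]
    if mode == "alter" and stage == "txn":  # change the amount in flight
        return msg[0].replace(b"20", b"90"), msg[1]
    return msg

def run_session(mode="honest"):
    lt_key = b"\x11" * 32  # constructed long-term key for sample card 4242
    card, bank = Card(b"4242", lt_key), Bank({b"4242": lt_key})
    reply = bank.respond(*relay(mode, "hello", card.hello()))
    if reply is None:
        return "bank rejected card hello"
    if not card.finish(*relay(mode, "bank", reply)):
        return "card rejected bank reply"
    result = bank.process(*relay(mode, "txn", card.withdraw(20)))
    return result or "bank rejected altered transaction"

if __name__ == "__main__":
    print({m: run_session(m) for m in ("honest", "swap_dh", "alter")})
```

    The relay sees every message yet cannot compute the session key or a valid tag, so both tampering modes are refused while the honest run completes.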

  18. Re:Las Vegas Hotel, Everything is monitored by kent_eh · · Score: 4, Informative

    FTFA:
    They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them,

    --
    ---
    "I can't complain, but sometimes still do..." Joe Walsh
  19. A long time ago... by Anachragnome · · Score: 4, Interesting

    Back in 1990, after the Loma Prieta Earthquake, there was a certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.

    I realized it was exactly the same kind of door that was used on MY bank's night deposit box just a few blocks down the street, a bank that still did business.

    I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.

    Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.

    Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...

    There was even a parking garage across the street for spotters.

    Alas, I have morals, so it shall remain a daydream.

    1. Re:A long time ago... by Raptoer · · Score: 4, Interesting

      There is another version of this scam, one or two people with guard uniforms and a strong deposit box sit out front of a bank. They've placed an 'out of order' sign on the normal deposit box and tell anybody who asks that the normal box is broken and they are there to guard a temporary box. Once one or two people have put their deposits in, they take down the sign and walk away with the money.

    2. Re:A long time ago... by unfasten · · Score: 4, Informative

      It's also something Frank Abagnale did, as noted in his book The Art of the Steal. Link goes to an excerpt from the book, start at the last paragraph on page 118.

  20. Re:Complete FAIL for everyone, including law enforc by JWSmythe · · Score: 4, Informative

    Actually, the way the laws read in a lot of states, it goes something like this...

    I learned this in law enforcement school. I was trained as a first responder. I could stabilize a patient until the paramedics arrived.

    While on duty, I am protected by the department regardless of what happens. For example, if a person had a heart attack, and I gave CPR, they may sue for the bruising or cracked rib(s). If I fail to keep them alive, I'm still protected, because I tried to the best of my ability.

    When OFF duty, I don't have any such protection, and may lose my ass in court. I was trained to perform those acts, but was not obliged. Pretty much, the lawyer for the victim, who is the person you saved, will tear you up when they say "So where did you go to medical school?" "Did the victim consent to you touching him?" "Being that you work in law enforcement, you thought it would be ok to attack the victim, and leave him with cracked ribs, causing him undue pain and suffering and weeks in the hospital?" As soon as you say "But he was having a heart attack", they'll come back with "But you're not a doctor, who were you to judge this?" You see where that goes. Lawyers are assholes, and some people will grab for money anywhere they can, including from the person who saved their life.

    We were told, if you see someone having a heart attack on the street, and you aren't working, call 911. Don't get involved.

    So, if someone had a heart attack at a conference of cardiovascular specialists, no, they may not get any treatment, but someone will (hopefully) call 911.

    There are good people out there though. An ex-girlfriend was involved in a rather serious car accident. She was in the military, and a base surgeon witnessed it. He stopped, and began treating her to the best of his ability, even though he had no supplies. He called 911, then ensured she didn't move, and started to evaluate her for injuries. Other folks from the base secured the area, and guided traffic away from the scene. The scene was handed off to local law enforcement as they arrived. She was transported by ambulance to a civilian hospital (it happened off-base), where he rode along. I was called from the hospital. By the time I got there, she was badly bruised and not terribly happy, but stable. And, no, it was a hit & run. There was a consistent description of the vehicle, but when they saw someone in uniform fall out of the driver's seat onto the ground, the focus was on her, not the other vehicle.

    Myself, if I see someone in need, I help whenever possible. When professional help arrives, I'll walk away without giving any information. I care to help. I don't care for fame, fortune, or the lawsuit that may follow.

    --
    Serious? Seriousness is well above my pay grade.
  21. Re:Complete FAIL for everyone, including law enforc by Dan541 · · Score: 4, Funny

    They could have covertly had an undercover agent place an "out of order" sign on it;

    Really, I'd replace the computer inside the ATM with a Ninja.

    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  22. Re:This is really curious by Traegorn · · Score: 4, Insightful

    Because you linked to your personal blog which didn't cite your sources while the link on Slashdot's front page goes to an actual news article on the topic?

    I'm sorry, it just seems like you're whining that Slashdot didn't plug your site.