Scammer Plants a Fake ATM At Defcon 17

Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."

Defcon 5 isn't peaceful enough

I know we've been pulling out of Iraq, but going down to Defcon 17 just seems ridiculous.

Pedant Warning!

[ZackSchil]

Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

Re:Pedant Warning!

Yeah, like we are going to RTFA the farking article.

Re:Pedant Warning!

[Mononoke]

Read at your own risk.

At whom else's risk would I read it?

Re:Pedant Warning!

[MaskedSlacker]

Asynchronous Transfer Mode? (Imagining that as a sexual euphemism gives me all kinds of degrading ideas)

Re:Pedant Warning!

[epine]

Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

Languages are shaped by cognitive cost. This is what Steven Pinker seems not to get. There _is_ an innate language instinct, it's just not what he thinks it is. What we all share is the ability to introspect the cognitive cost of figuring out "WTH is this dude trying to convey?"

One of the key insights on language is that Lempel-Ziv compression never transmits the compression dictionary. The dictionary is implied because the compression program and the decompression program share the same dictionary construction heuristic. This is a trick you can pull off only if the two sides of the channel share the same cognitive architecture. There are no shortage of examples out there of how fast communication breaks down when the parties begin with fundamentally different premises on how to structure the categories of thought.

Here's another fundamental question: what portion of the brain's cognitive activity is devoted to power management? For one thing, glucose is precious resource, and the brain is a chug-a-lug organ where it comes to glucose consumption. For another, the brain is costly to cool. From the real-time perspective (which governed 5.999 million years of human evolution), there's not much use firing up the abstract-noun chocolate factory when you need a survival response in under 100ms.

There's another truism here: fool me once, shame on you, fool me twice, shame on me. (Or, if you've spent forty years fouling your spark plugs, "fool me once, shame on -- shame on you. Fool me -- you can't get fooled again.")

When you get surprised by a lion, first you need to act, secondly, you need to record, to avert recurrence, after deferred reflection.

However, the brain does not record broad-spectrum. There's just too much. It's easy to build a PVR these days with 1TB of storage. I still haven't seen one where the tuner is replaced by a DC-to-daylight recording mode.

You can't defer deciding what to record for very long. So this is an obligatory cognitive function when your brain is already heavily loaded. At high enough stress levels, the recording function does shut down. Assessing and responding to cognitive burden is a mission-critical survival function. This is a key foundation for language learning.

A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind when the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner. The underlying assumption that makes this work in practise is that the architectural model of the child's brain resembles that of the rest of the population. This is 99% satisfied by being a member of the same species, without any weird genetic Pinkerisms.

As the language convention becomes more sophisticated, some parameters in the ambiguity resolution process become social constructs. Given a conflict between two heuristics, which takes priority? The important thing to realize about socially determined linguistic parameters is that they tend to vary across discourse settings. Experts have slightly different rules among themselves than apply in heterogeneous settings, where, e.g. half the people involved are ESL.

There was a thread here the other day on the consequences of a non-specialist treating guilt and liability as vaguely synonymous in exactly the wrong forum (wrists cuffed to ankles by the minions of RIAA).

A person incapable of pedanticism is not likely to succeed with either law or software. (This is one of the reasons why the IANAL meme on slashdot annoys the hell out of me: if the law is too complex to be successfully interpreted by a concentrated group of the weediest pedants on planet earth, just maybe perhaps the root c

Re:Pedant Warning!

[machine321]

So, in Canada, if you're going to steal a money-dispensing machine, you tell people you're going to take a BM?

Re:Pedant Warning!

[honkycat]

I suspect the failed communication was due to pronunciation rather than vocabulary. While "loo" and especially "WC" are very rare terms over here, "bathroom" is certainly the primary, standard term for almost everyone I know. Public bathrooms are typically called restrooms, but I'd be totally shocked to find someone who called their bathroom at home a restroom.

However, I could completely imagine someone with a moderate or thick British accent having a lot of trouble communicating with someone in the US. There are a lot of regional US accents that bear little resemblance to some of the British speech patterns, and a lot of people don't get outside their region very often.

Re:Pedant Warning!

[ATMD]

Of course, whether you get to do any is another matter.

Complete FAIL for eveyone, including law enforcemt

[Radtastic]

FTA, "Conference organizers notified local law enforcement who hauled away the machine on Thursday or Friday".... Wouldn't they have been better served monitoring the device to see who came and picked it up?

Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?

Re:Complete FAIL for eveyone, including law enforc

[e9th]

I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees. Sort of like a guy having a heart attack at a cardiologists convention and the cops keeping everybody back until an ambulance can arrive and take him to a hospital.

Re:Complete FAIL for eveyone, including law enforc

[Xemu]

I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees.

The true FAIL was the Defcon attendees failing to spot and realize that the cops hauling the machines away were fake, and the ATM was real.

Re:No cash.

[JaredOfEuropa]

But yes, I would have bitched at the front counter asking them when it would get fixed. That at least would have called some attention to it.

Indeed... that is why the ones that you really have to watch for aren't complete fake machines, but little recording devices placed in front of the real machine. You put your card in, enter the code, get your cash... and 5 minutes later some criminal in Eastern Europe runs off a copy of your card and cleans out your account.

A nice example of such a skim job is this one. The page is in Dutch but the pics are interesting... the guy happened to notice the false front was just a tad too clean, and on closer inspection noticed a recording head just behind the card slot. He ripped the thing from the machine and made a few pictures of it before turning it in to the police. The guy might have been observant, but thousands of people already had put their card through the machine without a second glance. I probably would not have noticed this myself either.

These criminals are getting more sophisticated now that people watch for false fronts, and machines are being altered to make it impossible to add them. These days they simple break into stores, open up card readers at the checkout counters, and add devices that record PINs and magnetic strips. One week later they break in again to retrieve their devices... some even use WiFi to read the data remotely from a nearby van, reducing the chances of getting caught.

Thankfully the banks here refund any skimmed funds as a rule.

What's the alternative?

Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?

It could be referred as "Personal Identification Number" which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.

One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference to PIN number gets very small.

PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digits long digit based password. I could bet a lot of money that most of people don't convert the acronym to words when they read text.

Besides, the ATM machine is used what, once? Most of the time it uses just ATM.

With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There has been too many times I've seen some acronym, tried to google it, found a dozen different meanings and have had no idea of which it refers to.

Re:Complete FAIL for eveyone, including law enforc

[mysidia]

They could have covertly had an undercover agent place an "out of order" sign on it; perhaps after trying to use a 'special' jailbait ATM card and PIN number, and the device failing to dispense $$$.

Just like a citizen might do as a service to others when they found the ATM didn't seem to be working..

The perps would probably send someone to investigate why they weren't getting any numbers. If investigators were recording with video surveillance, they could get leads that way.

Re:Damn, I wish I noticed it...

[Vectronic]

Yeah? and I climb rainbows for a living... with our powers combined, we form Captain Planet.