
Scammer Plants a Fake ATM At Defcon 17

Posted by kdawson
from the not-the-brightest-LED-in-the-flashlight dept.
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."

  • Re:No cash. (Score:5, Informative)

    by Oktober Sunset (838224) <sdpage103@NospAM.yahoo.co.uk> on Sunday August 02, 2009 @07:10PM (#28920823)
    Real ATMs say if they are out of cash before you put your card in.
  • Re:No cash. (Score:5, Informative)

    by JaredOfEuropa (526365) on Sunday August 02, 2009 @07:16PM (#28920847) Journal

    But yes, I would have bitched at the front counter asking them when it would get fixed. That at least would have called some attention to it.

    Indeed... that is why the ones that you really have to watch for aren't complete fake machines, but little recording devices placed in front of the real machine. You put your card in, enter the code, get your cash... and 5 minutes later some criminal in Eastern Europe runs off a copy of your card and cleans out your account.

    A nice example of such a skim job is this one [nl.net]. The page is in Dutch but the pics are interesting... the guy happened to notice the false front was just a tad too clean, and on closer inspection noticed a recording head just behind the card slot. He ripped the thing from the machine and made a few pictures of it before turning it in to the police. The guy might have been observant, but thousands of people already had put their card through the machine without a second glance. I probably would not have noticed this myself either.

    These criminals are getting more sophisticated now that people watch for false fronts, and machines are being altered to make it impossible to add them. These days they simply break into stores, open up card readers at the checkout counters, and add devices that record PINs and magnetic strips. One week later they break in again to retrieve their devices... some even use WiFi to read the data remotely from a nearby van, reducing the chances of getting caught.

    Thankfully the banks here refund any skimmed funds as a rule.

  • Re:Pedant Warning! (Score:2, Informative)

    by Anonymous Coward on Sunday August 02, 2009 @07:27PM (#28920903)
    I can't tell if you're joking or if you're actually that stupid. I'm pretty sure the perfected way would just be ATM and PIN, without the redundancy.
  • Re:No cash. (Score:3, Informative)

    by sleigher (961421) on Sunday August 02, 2009 @08:05PM (#28921095)
    That's true but I have had ATMs fail to dispense after entering my info before.
  • by kent_eh (543303) on Sunday August 02, 2009 @08:24PM (#28921219)
    FTFA:
    They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them,
  • by Shakrai (717556) on Sunday August 02, 2009 @09:17PM (#28921593) Journal

    That's certainly a win-win for the cops -- if they delay treatment and the guy dies, their investigation has gone from attempted murder to murder, a plus

    I don't think most members of law enforcement would view that as a "plus"......

  • Re:Easy to avoid (Score:4, Informative)

    by TheSunborn (68004) <tiller@d[ ]i.au.dk ['aim' in gap]> on Sunday August 02, 2009 @09:55PM (#28921863)

    Well, unless you plan to invent a time machine and die in the past, the odds of you living when this scheme gets implemented are pretty good, because it has already been implemented here in Denmark, where all current Danish cards do have a chip. And the solution to backward compatibility is quite simple. All cards and card-readers include both the old and new solution.

    But the banks have issued new cards to all users, and required all ATMs to be able to read the chip. So the backward compatibility is currently only used with foreign cards.

  • Re:Easy to avoid (Score:3, Informative)

    by PCM2 (4486) on Sunday August 02, 2009 @10:25PM (#28922033) Homepage

    Either I don't get what you're saying or you don't get what the GP was saying.

    The reason the chip-based authentication method was invented is because the old-style authentication was insecure. BUT the old-style authentication method still works, even on cards that have the chip. Danish ATMs need to be able to read cards issued from places other than Denmark, and Danes need to be able to use foreign ATMs. So anyone who wants to attack a card just needs to ignore the chip-based authentication, hack the cards the same as they do anywhere else, and they're fine.

  • Re:Easy to avoid (Score:3, Informative)

    by unfasten (1335957) on Sunday August 02, 2009 @11:44PM (#28922607)

    Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now,

    Visa and Mastercard have already implemented this option. The only problem is the store has to be capable of handling it, and not all of them are, unfortunately.

    https://usa.visa.com/personal/security/vbv/index.html?ep=v_sym_verified [visa.com]
    http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html [mastercard.com]

    The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.)

    This is wrong. PINs haven't been stored on the card for a long time (I'm not even certain they ever were for all cards). You can easily check this yourself with a relatively cheap reader [magtek.com], or you can build [archive.org] one [instructables.com] yourself.

  • Re:Pedant Warning! (Score:3, Informative)

    by PachmanP (881352) on Sunday August 02, 2009 @11:47PM (#28922643)

    I, too, find Americans' aversion to referring to toilets by anything that vaguely resembles what one might do in them, damn strange.

    Nah, we just don't like to refer to it as the shitter or the pisser in polite company.

  • by Anonymous Coward on Sunday August 02, 2009 @11:55PM (#28922705)

    A book, American Gods (I think) covered this exact scam in some detail.

  •     Actually, the way the laws read in a lot of states, it goes something like this...

        I learned this in law enforcement school. I was trained as a first responder. I could stabilize a patient until the paramedics arrived.

        While on duty, I am protected by the department regardless of what happens. For example, if a person had a heart attack, and I gave CPR, they may sue for the bruising or cracked rib(s). If I fail to keep them alive, I'm still protected, because I tried to the best of my ability.

        When OFF duty, I don't have any such protection, and may lose my ass in court. I was trained to perform those acts, but was not obliged. Pretty much, the lawyer for the victim, who is the person you saved, will tear you up when they say "So where did you go to medical school?" "Did the victim consent to you touching him?" "Being that you work in law enforcement, you thought it would be ok to attack the victim, and leave him with cracked ribs, causing him undue pain and suffering and weeks in the hospital?" As soon as you say "But he was having a heart attack", they'll come back with "But you're not a doctor, who were you to judge this?" You see where that goes. Lawyers are assholes, and some people will grab for money anywhere they can, including from the person who saved their life.

        We were told, if you see someone having a heart attack on the street, and you aren't working, call 911. Don't get involved.

        So, if someone had a heart attack at a conference of cardiovascular specialists, no, they may not get any treatment, but someone will (hopefully) call 911.

        There are good people out there though. An ex-girlfriend was involved in a rather serious car accident. She was in the military, and a base surgeon witnessed it. He stopped, and began treating her to the best of his ability, even though he had no supplies. He called 911, then ensured she didn't move, and started to evaluate her for injuries. Other folks from the base secured the area, and guided traffic away from the scene. The scene was handed off to local law enforcement as they arrived. She was transported by ambulance to a civilian hospital (it happened off-base), where he rode along. I was called from the hospital. By the time I got there, she was badly bruised and not terribly happy, but stable. And, no, it was a hit & run. There was a consistent description of the vehicle, but when they saw someone in uniform fall out of the driver's seat onto the ground, the focus was on her, not the other vehicle.

        Myself, if I see someone in need, I help whenever possible. When professional help arrives, I'll walk away without giving any information. I care to help. I don't care for fame, fortune, or the lawsuit that may follow.

  • by unfasten (1335957) on Monday August 03, 2009 @12:49AM (#28923079)
    It's also something Frank Abagnale did, as noted in his book The Art of the Steal [google.com] . Link goes to an excerpt from the book, start at the last paragraph on page 118.
  • Re:Pedant Warning! (Score:1, Informative)

    by Anonymous Coward on Monday August 03, 2009 @02:08AM (#28923511)
    <Pedant>To prevent future pretentious misuse of language...

    whom=him
    who=he

    At whom else's risk? Him's risk. :-(

    At who else's risk? His risk. ;-)

    </Pedant>
  • Re:Easy to avoid (Score:3, Informative)

    by discomike (1291084) on Monday August 03, 2009 @04:02AM (#28924111)
    At least here in Sweden, the issuing bank transmits data on if the card has a chip or not, and the ATM or terminal requires chip usage if the card is supposed to have a chip. On older store terminals without a chip reader, the mag stripe works, but those are getting replaced as time goes by, and yeah, just using the card in another country is still the safest bet. Though I have noticed being required to use the chip in some other countries now as well.
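
The terminal-side rule discussed in this subthread (mag-stripe fallback stays available unless the terminal insists on the chip for chip cards), sketched as an added example that is not part of any comment above. It assumes the chip flag is read from the ISO/IEC 7813 Track 2 service code rather than sent by the issuer; the function names, decision labels and sample swipes are constructed for illustration.

```python
# Added example: terminal-side magstripe fallback policy (not from the thread).
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")

# First service-code digit 2 or 6 marks an integrated circuit (chip) card.
CHIP_DIGITS = {"2", "6"}


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_expected(self) -> bool:
        return self.service_code[0] in CHIP_DIGITS


def parse_track2(raw: str) -> Track2:
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(*m.groups())


def fallback_decision(raw: str, terminal_has_chip_reader: bool) -> str:
    """Return 'accept', 'require_chip' or 'flag_fallback' for a swiped card."""
    card = parse_track2(raw)
    if not card.chip_expected:
        return "accept"          # stripe-only card, e.g. from a foreign issuer
    if terminal_has_chip_reader:
        return "require_chip"    # refuse the swipe and prompt for chip insert
    return "flag_fallback"       # older terminal: allow, but mark for risk scoring


# Constructed sample swipes (test PAN, made-up discretionary data).
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_CARD = ";4111111111111111=30121010000000000?"  # service code 101
```

The service code is only what the stripe itself claims, so the issuer-side record of whether a card has a chip remains the authoritative check at authorization time.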
  • Re:Epic Fail (Score:5, Informative)

    by cyclomedia (882859) on Monday August 03, 2009 @05:04AM (#28924367) Homepage Journal
    Or Ronin, the "Would you take a picture of me and my wife?" scene
  • Re:Easy to avoid (Score:2, Informative)

    by kghougaard (315693) <slashdot@oer s t e d h o u g a a rd.dk> on Monday August 03, 2009 @05:49AM (#28924647) Homepage

    The problem is that now - for obvious reasons - the card now has to stay in the reader during the transaction. This means that stupid idiots like me constantly forget their cards in the reader.

  • Re:Pedant Warning! (Score:2, Informative)

    by Internalist (928097) <fred.mailhotNO@SPAMgmail.com> on Tuesday August 04, 2009 @02:43AM (#28937167) Homepage

    Languages are shaped by cognitive cost.

    What are you talking about? Languages are shaped by a lot of things...social conventions, acquisition/induction in the face of noisy data, possible predispositions/biases towards particular analyses of novel data...but not cognitive cost. Unless you're using those words to mean something non-obvious.

    This is what Steven Pinker seems not to get. There _is_ an innate language instinct, it's just not what he thinks it is. What we all share is the ability to introspect the cognitive cost of figuring out "WTH is this dude trying to convey?"

    I'm no Pinker apologist (Jackendoff is better, for my money), but I'm pretty sure that there's not much that Pinker "doesn't get" about language...other than in the obvious sense that we're all on this voyage of knowledge and there are tonnes of things that we collectively don't know about language. The view of the "language instinct" espoused by Pinker has undergone a lot of revision, including by him (maybe try reading something post-1994. I recommend Words and Rules.) Also, the things that we're able to introspect about our language production ("how do I say X?") or comprehension ("what does Y mean when that person says it?") is a relatively small corner of the cognitive edifice that undergirds our linguistic knowledge. Moreover, it's rare that we have to explicitly reason through to an interpretation...most of the time there's no introspection involved at all.

    One of the key insights on language is that Lempel-Ziv compression never transmits the compression dictionary.

    Really? That's funny, because not a single one of the textbooks I've opened in 9 years of studying linguistics has mentioned gzip as representing one of the key insights of language.

    The dictionary is implied because the compression program and the decompression program share the same dictionary construction heuristic. This is a trick you can pull off only if the two sides of the channel share the same cognitive architecture. There are no shortage of examples out there of how fast communication breaks down when the parties begin with fundamentally different premises on how to structure the categories of thought.

    You don't need to have different cognitive category-structures for communication to break down. Moreover, there aren't any concepts that aren't expressible in some human language. Sure there may not be an English word that means zeitgeist (to trot out a hackneyed example), but that doesn't mean I can't use some longer construction to express the same meaning (look in your Deutsch-English dict for some hints).

    Here's another fundamental question: what portion of the brain's cognitive activity is devoted to power management? For one thing, glucose is precious resource, and the brain is a chug-a-lug organ where it comes to glucose consumption. For another, the brain is costly to cool. From the real-time perspective (which governed 5.999 million years of human evolution), there's not much use firing up the abstract-noun chocolate factory when you need a survival response in under 100ms.

    I'm not clear what this has to do with anything else, so I'll mostly gloss over it. BUT, I'm pretty sure it doesn't cost THAT much to cool one's head, since a lot of our heat escapes that way anyhow (lots of blood vessels really close to the surface, hence the propensity for head injuries to bleed like the dickens).

    [...]

    You can't defer deciding what to record for very long. So this is an obligatory cognitive function when your brain is already heavily loaded. At high enough stress levels, the recording function does shut down. Assessing and responding to cognitive burden is a mission-critical survival function. This is a key foundation for language learning.

    First language acquisition happens in the absence of explicit tutoring, and
