Scammer Plants a Fake ATM At Defcon 17
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
Re:Epic Fail (Score:3, Insightful)
It would be like telling some dumb fool to try to set up fake slot machines in the lobby of some Vegas casino for a laugh and watching the tit go ahead and do it...
Re:Complete FAIL for everyone, including law enforc (Score:5, Insightful)
Even if they could monitor it wirelessly, they should have just carefully disabled the wireless transmission (aluminum foil?) and grabbed whoever came to check in on it.
What's the alternative? (Score:5, Insightful)
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?
It could be referred to as "Personal Identification Number", which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.
One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference from "PIN number" gets very small.
PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digit long, digit-based password. I could bet a lot of money that most people don't convert the acronym to words when they read text.
Besides, the ATM machine is used what, once? Most of the time it uses just ATM.
With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There have been too many times I've seen some acronym, tried to google it, found a dozen different meanings and had no idea which it refers to.
Re:Complete FAIL for everyone, including law enforc (Score:5, Insightful)
They could have covertly had an undercover agent place an "out of order" sign on it; perhaps after trying to use a 'special' jailbait ATM card and PIN number, and the device failing to dispense $$$.
Just like a citizen might do as a service to others when they found the ATM didn't seem to be working.
The perps would probably send someone to investigate why they weren't getting any numbers. If investigators were recording with video surveillance, they could get leads that way.
Re:Complete FAIL for everyone, including law enforc (Score:3, Insightful)
Do thieves actually come back for these? I'd definitely expect it to be wirelessly transmitting, or to be watching for a special card to be inserted to which it would download the skimmed information.
Re:Complete FAIL for everyone, including law enforc (Score:3, Insightful)
In order to do that, they would have had to leave it out in the open and allowed people to use it, so as not to make the criminal suspicious when he returns to retrieve it. You then have people making transactions of questionable legality (I didn't read to see if it actually dispensed money or just showed an error after getting the PIN), and increase the possible damage if it is transmitting in a way they didn't uncover or if the criminal manages to extricate the information while they're watching it.
They're better served by taking it away and studying it for clues as to the criminal.
Easy to avoid (Score:5, Insightful)
The fake-ATM problem is just a man in the middle attack. We've known how to deal with MITM attacks for decades: use public-key cryptography and a secure key exchange algorithm like Diffie-Hellman to create an authenticated, secure channel. That's how SSL works.
Credit and debit cards should contain a small microprocessor that communicates with the bank, checks its identity, and establishes a secure channel. Even if an attacker could read and modify traffic between the card and the bank, he couldn't interfere with the transaction (other than by stopping it entirely).
Of course, this scheme doesn't allow offline credit card processing, but that's rare these days. If you still need to bother, just use an old-fashioned imprint machine.
The larger problem is just of backwards compatibility, which is why we'll never see the sensible scheme above implemented in our lifetimes.
Re:Pedant Warning! (Score:5, Insightful)
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
Languages are shaped by cognitive cost. This is what Steven Pinker seems not to get. There _is_ an innate language instinct, it's just not what he thinks it is. What we all share is the ability to introspect the cognitive cost of figuring out "WTH is this dude trying to convey?"
One of the key insights on language is that Lempel-Ziv compression never transmits the compression dictionary. The dictionary is implied because the compression program and the decompression program share the same dictionary construction heuristic. This is a trick you can pull off only if the two sides of the channel share the same cognitive architecture. There is no shortage of examples out there of how fast communication breaks down when the parties begin with fundamentally different premises on how to structure the categories of thought.
Here's another fundamental question: what portion of the brain's cognitive activity is devoted to power management? For one thing, glucose is a precious resource, and the brain is a chug-a-lug organ when it comes to glucose consumption. For another, the brain is costly to cool. From the real-time perspective (which governed 5.999 million years of human evolution), there's not much use firing up the abstract-noun chocolate factory when you need a survival response in under 100ms.
There's another truism here: fool me once, shame on you, fool me twice, shame on me. (Or, if you've spent forty years fouling your spark plugs, "fool me once, shame on -- shame on you. Fool me -- you can't get fooled again.")
When you get surprised by a lion, first you need to act, secondly, you need to record, to avert recurrence, after deferred reflection.
However, the brain does not record broad-spectrum. There's just too much. It's easy to build a PVR these days with 1TB of storage. I still haven't seen one where the tuner is replaced by a DC-to-daylight recording mode.
You can't defer deciding what to record for very long. So this is an obligatory cognitive function when your brain is already heavily loaded. At high enough stress levels, the recording function does shut down. Assessing and responding to cognitive burden is a mission-critical survival function. This is a key foundation for language learning.
A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind went the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner. The underlying assumption that makes this work in practice is that the architectural model of the child's brain resembles that of the rest of the population. This is 99% satisfied by being a member of the same species, without any weird genetic Pinkerisms.
As the language convention becomes more sophisticated, some parameters in the ambiguity resolution process become social constructs. Given a conflict between two heuristics, which takes priority? The important thing to realize about socially determined linguistic parameters is that they tend to vary across discourse settings. Experts have slightly different rules among themselves than apply in heterogeneous settings, where, e.g. half the people involved are ESL.
There was a thread here the other day on the consequences of a non-specialist treating guilt and liability as vaguely synonymous in exactly the wrong forum (wrists cuffed to ankles by the minions of RIAA).
A person incapable of pedanticism is not likely to succeed with either law or software. (This is one of the reasons why the IANAL meme on slashdot annoys the hell out of me: if the law is too complex to be successfully interpreted by a concentrated group of the weediest pedants on planet earth, just maybe perhaps the root c
If it was a legit scam.... (Score:4, Insightful)
If this was a legit scam instead of a prank, then there's a saying that applies:
"Only the most foolish mouse hides behind the cat's ear, but only the cleverest cat thinks to look there."
Re:Pedant Warning! (Score:2, Insightful)
Back at you.
Re:Pedant Warning! (Score:2, Insightful)
By your logic, "r u going 2 da store" is properly formed English.
Grammatically it is a properly formed English sentence. Although the orthography is non-traditional, it's readable to most English readers. Moreover, it could be an appropriate way to communicate a message in a medium requiring parsimony, as for instance when sending text messages on mobile (cell) phones.
This example does not seem to impugn OP's logic, his aesthetics perhaps ...
Re:Easy to avoid (Score:3, Insightful)
It's all right for ATMs to be able to read old-style static tokens, but if new cards include both the token and the chip, then a compromised ATM can simply use the old-style authentication token to perform a fraudulent transaction. After all, aren't both schemes just as good from the banks point of view?
Now, if you guys have managed to phase out cards with offline, static tokens and rely solely on the chip, then kudos to you.
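An added example, not code from the thread: a toy version of the card-to-bank challenge-response that the "Easy to avoid" comment argues for, together with the fallback problem raised in the reply above, where an ATM that has copied the static track can skip the chip entirely. The PAN, key and amounts are constructed. The cryptogram is a symmetric HMAC over a per-card secret shared with the issuer rather than the public-key channel the comment describes; that keeps the example to the standard library while preserving the property that matters, namely that the ATM relays the exchange but cannot sign for the card. The ATM is modelled only by what it submits to the bank.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: one hypothetical card and its per-card secret.
# The issuer and the chip hold this key; the ATM never does.
CARD_KEYS = {
    "4000000000000002": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}
CHIP_CAPABLE = set(CARD_KEYS)  # cards that carry a chip, not only a static track


def _cryptogram(key: bytes, pan: str, amount_cents: int, nonce: str) -> str:
    # MAC over everything the bank must be able to trust: who, how much, which session.
    msg = f"{pan}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Card:
    """The chip: signs exactly the amount and nonce it was shown."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key = pan, key

    def authorize(self, amount_cents: int, nonce: str) -> str:
        return _cryptogram(self._key, self.pan, amount_cents, nonce)


class Bank:
    """The issuer: hands out one-time nonces and verifies what comes back."""

    def __init__(self, refuse_fallback: bool):
        self.refuse_fallback = refuse_fallback
        self._open = set()   # nonces issued, not yet consumed
        self._used = set()   # nonces already spent

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def authorize_chip(self, pan: str, amount_cents: int, nonce: str, cryptogram: str):
        if nonce in self._used:
            return False, "replayed nonce"
        if nonce not in self._open:
            return False, "unknown nonce"
        # Consume the nonce before checking, so a wrong guess cannot be retried.
        self._open.discard(nonce)
        self._used.add(nonce)
        expected = _cryptogram(CARD_KEYS[pan], pan, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "cryptogram does not match amount/nonce"
        return True, "approved"

    def authorize_magstripe(self, pan: str, track_data: str):
        # Static track data proves nothing about who is presenting it; a skimmer
        # that copied it once can replay it forever. The only defence is policy.
        if self.refuse_fallback and pan in CHIP_CAPABLE:
            return False, "static-token fallback refused for chip-capable card"
        return True, "approved on static track data"


def run_scenarios() -> dict:
    card = Card("4000000000000002", CARD_KEYS["4000000000000002"])
    bank = Bank(refuse_fallback=False)
    results = {}

    # 1. Honest ATM relays the bank's nonce and the card's cryptogram unchanged.
    nonce = bank.challenge()
    results["honest"] = bank.authorize_chip(card.pan, 2000, nonce, card.authorize(2000, nonce))

    # 2. Fake ATM lets the card sign $20, then asks the bank for $500.
    nonce = bank.challenge()
    results["tampered_amount"] = bank.authorize_chip(card.pan, 50000, nonce, card.authorize(2000, nonce))

    # 3. Fake ATM recorded a valid exchange and submits it a second time.
    nonce = bank.challenge()
    cg = card.authorize(2000, nonce)
    bank.authorize_chip(card.pan, 2000, nonce, cg)
    results["replay"] = bank.authorize_chip(card.pan, 2000, nonce, cg)

    # 4. Fake ATM ignores the chip and plays back the static track it copied.
    track = f"{card.pan}=2512101"  # constructed track-2 style data, not a real card
    results["fallback_allowed"] = bank.authorize_magstripe(card.pan, track)
    results["fallback_refused"] = Bank(refuse_fallback=True).authorize_magstripe(card.pan, track)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18} {'OK ' if ok else 'NO '} {why}")
```

Scenarios 2 and 3 are the point of the "Easy to avoid" comment: a machine sitting between card and bank can only relay or abort. Scenario 4 is the point of the reply: none of that helps while the bank still honours the static token for a card it knows has a chip, so the fallback has to be refused on the issuer side, not merely discouraged at the terminal.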
Re: Everything is monitored ... except this ATM (Score:3, Insightful)
Yeah, there is no way someone can enter a casino in Vegas, hell, go anywhere near the Strip, without being caught on hundreds of cameras. So they have a blind spot in one corner of the floor, but there are likely hundreds of hours of video tape covering every step of the delivery.
People Bitch about all the cameras in London. They got nothing on the number of cameras in Vegas.
If the security cameras in Vegas were not the best in the world, the cons would have cleaned out the casinos years ago and the customers would not feel safe walking into and out of the casinos with large amounts of cash.
Re:Epic Fail (Score:3, Insightful)
That was my thought too. I'd suspect if it was a prank, the PC will have a note taped to it saying "Welcome to DefCon" or something like that, hopefully with a description of the prank and the root/Administrator password to the machine so they can inspect it.
Of course, no forensics person (hopefully) would just log in with the given password, as if it was real, it could trip a cleanup routine. Providing the password would simply be a show of good faith to it being a prank.
It could have been a fraud, and the folks doing it had no clue that Defcon was about to happen, and/or they had no clue what Defcon is.
Can you imagine a crowd you'd want to annoy LESS? (Score:3, Insightful)
For me the true FAIL of this incident was the idea of what could happen to the criminals once their identities are made public after they seriously annoyed the attendees of a hacker convention. Can you imagine a group you'd less want to have seeing how they could make your life miserable (excluding the possibility of physical harm)? Good luck ever getting credit again, and that's just for starters...
Re: Everything is monitored ... except this ATM (Score:4, Insightful)
If the customers are walking out with large amounts of cash, someone's head will roll.
Re:Pedant Warning! (Score:5, Insightful)
I suspect the failed communication was due to pronunciation rather than vocabulary. While "loo" and especially "WC" are very rare terms over here, "bathroom" is certainly the primary, standard term for almost everyone I know. Public bathrooms are typically called restrooms, but I'd be totally shocked to find someone who called their bathroom at home a restroom.
However, I could completely imagine someone with a moderate or thick British accent having a lot of trouble communicating with someone in the US. There are a lot of regional US accents that bear little resemblance to some of the British speech patterns, and a lot of people don't get outside their region very often.
Re:Complete FAIL for everyone, including law enforc (Score:2, Insightful)
More like, by Law Enforcement taking the dummy ATM before the folks attending Defcon could "examine" it, they preserved the chain of evidence, thereby ensuring that what is uncovered during their forensics work will hold up in a court of law to successfully prosecute the perpetrators.
Re:Complete FAIL for everyone, including law enforc (Score:3, Insightful)
CT is one state that only has such a law for those certified in first aid, but for other states, all of those questions your hypothetical lawyer asked you would be irrelevant, as you'd be immune under such coverage - consent can be implied if unable to be given, only active refusal being an exclusion, cracked ribs during CPR is not uncommon (there are often exemptions for 'reasonable recklessness' - if a person is trapped in a car but there is no reasonable risk of fire, and you, against protest, extricate them from the vehicle causing or exacerbating a spinal injury), and so on.
"When professional help arrives, I'll walk away without giving any information" - isn't that more bad advice? "Material witness", "leaving the scene of an accident" could both be thrown at you, dependent on jurisdiction.
Ironically, often those who may have most to fear from the above are people who are professionally trained. I have begun training as a paramedic - first thing drilled into me is the same as medical students: "You are NOT a paramedic/doctor until and unless you hold the bit of paper that says you are." The next is that as you are professionally trained and expected to know what you are doing, there can be, dependent upon jurisdiction, less latitude in Good Samaritan laws for events that could reasonably be attributed to incompetence on the part of your response. "Don't carry a 'whacker bag'." - "whacker" is an EMS/LE phrase for someone who likes to hang around the fringes of such professions, a 'wannabe', etc. If you're off-duty, respond and help out how and if you believe you can, but carrying a bag full of medical equipment like you're on duty is just going to get you burnt, in more ways than one - at the very least, your fire dept/chief is most definitely not going to be proud of your efforts.
Re:Complete FAIL for everyone, including law enforc (Score:1, Insightful)
Loss of a machine is factored in. These things can't be that expensive to make. Any failure will be assumed to be a sting.
Re:This is really curious (Score:4, Insightful)
I'm sorry, it just seems like you're whining that Slashdot didn't plug your site.
Re:What's the alternative? (Score:3, Insightful)
They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very
Why not simply rephrase the sentence? For example: "It would scan the card and record the PIN."
It's not very difficult. One would think that the basics of writing should be important qualities in a job that primarily consists of writing.
Re:Pedant Warning! (Score:1, Insightful)
Being an American I can tell you that 90% of us are dumb morons...
And this is something I am not proud of.
-sid216