Scammer Plants a Fake ATM At Defcon 17 394
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
Complete FAIL for eveyone, including law enforcemt (Score:5, Interesting)
Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?
Damn, I wish I noticed it... (Score:4, Interesting)
I wish I noticed it. I would have gotten a starbucks card and see if I could withdraw some cash...
Comment removed (Score:3, Interesting)
Re:Damn, I wish I noticed it... (Score:1, Interesting)
I carry a variety of cards with 'valid' CC and expiration dates. Swipe one and enter a any old pin and see if it gives money. Then do it again with the other cards if it spits out any money. Then go make more cards.
Re:Complete FAIL for eveyone, including law enforc (Score:5, Interesting)
I would think that the hardware would be considered a loss once placed.
Las Vegas Hotel, Everything is monitored (Score:3, Interesting)
Sorry, Las Vegas casino Hotel. There are cameras in the toilets. They likly already know who they are.
Comment removed (Score:2, Interesting)
Going for broke (Score:3, Interesting)
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
--
Far better if this were an "pentest" with the "we'll stand back and watch" cooperation of the bank whose name is on the ATM. Scenario: White hat hackers to to BigBank and the hotel and say "We want to do a demonstration. We have a fake ATM we want to put in the DefCon hotel. We want to rig it so people's ATM codes are stored in the machine, encrypted, for later retrieval. BUT you, the bank, get the decoding key. At the end of Defcon we'll announce the prank. We'll give a $100 gift card and a a plaque to the first attendee who spots that it's a fake."
Now that would be cool.
Re:Pedant Warning! (Score:5, Interesting)
A long time ago... (Score:5, Interesting)
Back in 1990, after the Loma Prieta Earthquake, there was certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.
I realized it was exactly the same kind of door that was used on MY banks night deposit box just a few blocks down the street, a bank that still did business.
I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.
Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.
Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...
There was even a parking garage across the street for spotters.
Alas, I have morals, so it shall remain a daydream.
Re:No cash. (Score:4, Interesting)
A clever scammer would actually have the machine dispense a small amount of cash - say a maximum of $100 per transaction - to avert suspicion.
Load it with, say, $5000 and you can get a minimum of 50 PINs, which is probably worth more than the $5000. Have it say, "Due to high volume, this machine may only dispense $100 per transaction" or the like, which I've seen at various legit ATMs in high-traffic locations. To make it last even longer, have it every once in awhile simply give a message that it is unable to communicate with the network or whatever comments the type of machine you're spoofing usually gives.
If it fails to dispense cash, good samaritans may put "out of order" signs on it, or, if it doesn't dispense and still asks for your data, that makes people suspicious.
The $5000 is peanuts - and probably isn't even their money in the first place - and would almost certainly be less expensive in terms of avoiding detection & getting a LOT more accounts. Absolutely nobody would think that an ATM that dispensed cash is fake; lots of people might suspect one that takes your PIN and then fails to work.
Re:Easy to avoid (Score:4, Interesting)
You don't make purchases with a card, but instead with the bank account the card represents. There are two parts to every transaction: identification and authorization. When using an ATM, the physical card provides both identification and authorization. The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.) Because it's non-trivial to both learn an account number and manufacture a matching card, physical possession of the card is a pretty good proxy for control of the account.
Online purchases are different: the identification still comes from the number printed on the card, but the authorization is based on the notion that account numbers are hard to guess (which is terrible security), or on a secret shared by the bank and the holder of the card, the CSC number on the back (which is merely bad security).
If you wanted, you could make online purchases work the same way they do today, and just keep printing CSC numbers on the back of cards. The ATM authorization scheme and the online one don't have anything to do with each other.
But if you're going to issue new cards, you might as well improve online security too, and stop using CSC numbers. Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now, but because the password wouldn't be printed on the back of the card, stealing the physical card wouldn't give you the ability to make online purchases using that card.
Better still would be a way for the card to interact online with the bank, but that seems impractical to me.
Re:A long time ago... (Score:5, Interesting)
There is another version of this scam, one or two people with guard uniforms and a strong deposit box sit out front of a bank. They've placed an 'out of order' sign on the normal deposit box and tell anybody who asks that the normal box is broken and they are there to guard a temporary box. Once one or two people have put their deposits in, they take down the sign and walk away with the money.
Re:Going for broke (Score:3, Interesting)
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
I can't imagine they hit that specific conference on purpose. They had bad luck. There are conferences in the hotels in Vegas every day. The thieves probably only knew "hotel booked" and "conference" and acted on that. Had it been a conference of commercial real estate managers or occupational therapists it probably would have gathered a good batch of account numbers and PINs.
Re:Pedant Warning! (Score:4, Interesting)
The same when I asked for the 'bathroom'.
I, too, find American's aversion to referring to toilets by anything that vaguely resembles what one might do in them, damn strange. With that said, given their obsession with germs and hygiene is unsurpassed by pretty much no other culture (with the possible exception of the Japanese), I suppose it's not all that surprising.
I have an English friend who likes to tell the story of the first time he was in the US, trying to find a toilet in a shopping centre ("though they call it a 'mall'", he likes to chuckle about), and asked a security guard for directions.
First he asked "where's the loo". <blank stare>
Then he asked "where's the WC". <blank stare>
Then he asked "where's the bathroom". <blank stare>
Then he asked "where's the toilet". <blank stare>
Finally, someone standing nearby who had overheard, said "the rest room is over there".
He likes to reflect on how, of all the countries he's travelled to in the world (most of which do not have English as a local language), the one he had the hardest trouble finding a toilet in (due to comprehension problems) was America. This usually happens in the context of a "Great Britain and the USA, two countries separated by a common language" style discussion. :)
why stop there? (Score:2, Interesting)
i work in a position with some authority in a major hotel chain, so i prefer to post this as AC.
get a job in a hotel where you can keep track of the billing information and credit/debit cards that people use.
daily, i physically handle dozens of cards with accurate names and contact information. with my company's online system, i can access huge numbers of customer data. at my particular property, i could scam so many people that it would be ridiculous.
you want scary? how about a small ring of organized hotel/restaurant/retail employees that keep track of the card numbers, security codes, and addresses (where applicable)? irregularly stagger the fraudulent charges in time and location to be difficult or impossible to follow, and you've got a fairly sustainable system of theft.
Re:Pedant Warning! (Score:3, Interesting)
"A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind when the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner."
Oh how I wish that were true. I have seen too many people complain about something someone did, only to do it themselfes and not realizing it. Most people lack the sort of self reflection that allows them to see the error in their ways.
This is really curious (Score:1, Interesting)
What makes me really wonder about this post is why KDawson took my original submission here:
http://it.slashdot.org/firehose.pl?id=5416205&op=view [slashdot.org]
and edited ONLY the link. It originally pointed to my site here:
http://it.slashdot.org/firehose.pl?id=5416205&op=view [slashdot.org]
So, Mr Dawson took the time to leave everything else intact, but go out of his way to hunt down another link to a large corporate site. Hmmmm. He didn't pick the chronologically first one, which mine wasn't, and I can't see any real difference between the articles posted on the topic. The briefing Priest gave wasn't all that long or in depth, so we pretty much all got the same story.
Normally I am not a conspiracy theorist, but I did just spend the better part of a week at Defcon.
Mr. Dawson, can you explain?
-Charlie
Re:Pedant Warning! (Score:2, Interesting)
Re:Easy to avoid (Score:4, Interesting)
It's slightly more sophisticated than that. Note I say "slightly". Not "much".
You can't make a card with just the mag stripe and then use this card anywhere where they expect ATMs to read the chip. This is because the issuing bank will refuse to authorise a transaction which didn't involve the chip if it should have been possible to do so (they know full well that the card with number 1234 5678 9012 3456 was shipped with a chip, so if an ATM which can read chips tries a transaction with just the details on the stripe, it's dodgy).
So what the criminals do instead is read the stripe (either with a fake cash machine or a skimming device attached to a real cash machine), send the details to some country where ATMs that read chips aren't ubiquitous and make up a fake card for use there.
My guess is that Visa and Mastercard between them will, over time, put pressure on banks all over the world to replace their cash machines. But until that happens, this remains a security hole.
Re:A long time ago... (Score:3, Interesting)
Re:Complete FAIL for eveyone, including law enforc (Score:2, Interesting)
No no no...
You have use your iPhone, since the almighty iPhone is obviously the only phone sufficiently advanced to contain a camera, making it "A hotbed for amateur photography".
iPhone, iPhone, iPhone! Just let me strangle whoever wrote that article, please?
Re:No cash. (Score:3, Interesting)
A card plus PIN goes for couple of dollars. They're worth less than you think.
Re:Pedant Warning! (Score:3, Interesting)
Re:Pedant Warning! (Score:3, Interesting)
Barclays (I think) have actually TRADEMARKED the term Hole In The Wall and label their machines with it now. Somebody else has claimed Cashpoint as their own. Doesn't seem right to me, what with decades of prior art having put those terms well and truly in the public domain, but I don't make the rules.
Re:Going for broke (Score:3, Interesting)
I don't have any real information, but it seems a plausible scenario to me.