Fake ATM Fraud Expose 478
santos_douglas writes "Forget ATMs coming under attack by worms, MSNBC has this article about Dateline NBC's investigative report into fake ATMs and other ATM related scams. ATM frauds are a clever combination of social engineering and hardware hacking. The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash to avoid suspicion, but are altered to save both the card's magnetic signature and the customers PIN, which are later added to false cards and used to empty bank accounts at real ATMS. The 'ATM gang' profiled managed to purchase and setup 50+ machines and steal over $4 million from over 21,000 customers. The machines can be purchased legitimately and hooked into the banking network with no more than a regular bank account. Less sophisticated attacks include building and attaching false fronts to existing ATMs to collect info, and using covert cameras to collect PINs from afar. The articles has some handy tips for avoiding scams."
Two tips (Score:5, Insightful)
This isn't foolproof but much safer than using random whitelabels you find in Apu's Mealbar.
Tom
Re:Two tips (Score:5, Interesting)
BTW: Most Canadians I know call them ATMs.
Re:Two tips (Score:4, Informative)
Looks like an integrated part of the ATM unless you are familiar with that ATM.
Re:Two tips (Score:2)
Re:Two tips (Score:4, Funny)
1. An ATM is commonly referred to as an ATM machine
and
2. A PIN is commonly referred to as a PIN number
So we have to enter out personal identification number number into the automatic teller machine machine.
Re:Two tips (Score:4, Funny)
Re:Two tips (Score:3, Funny)
While the tired old ad is indeed redundant, the signal-checking procedure it portrays is certainly not. Note also that they are careful to have him say "good" after each query--otherwise his repetition and movment would indicate that the Spr
in Canada... (Score:2)
And this was all legal, no recourse was possible. I wonder who made off with the 'big money' though, my bank, the ATM company, or the chinese food joint.
Re:in Canada... (Score:2, Informative)
Re:in Canada... (Score:3, Informative)
Re:in Canada... (Score:5, Informative)
The 'white label' ones (called ABMs) are operated privately and whatever restaurant or convenience store owns them can charge whatever service fees they want. I live in Canada and I never ever use the white label machines. The cost is insane. You were hit with the 'disloyalty fee' from your bank for not using their machine (not that there was one,) a PLUS/Cirrus fee for international transactions, a currency change fee from your bank, whatever normal fee is levied by the ABM's owner, and maybe a currency exhange fee levied by the ABM's owner.
If you had gone to a machine that was actually run by a bank (an ATM) then the service charges would have been much lower. Banks generally have lower surcharges than white label machines.
Re:in Canada... (Score:5, Interesting)
It cost me $40 US, but my bank charged everything after $30 CAN.
I'm so pissed at Fleet, I've watched them switch around my transactions so they can charge overdraft fees. I sat and WATCHED online as my paycheck clearing time changed to AFTER the bills were paid so they could nail me with $75 in fees. I called them right after and told them that if I didn't get my $75 back I'd get a lawyer involved, they gave it right back. If my identity weren't stolen (long story) I'd open an account with Citizens Bank right now, I used to work there so I'd know who to call and yell at.
Whew. Don't drink, bank, and slashdot!
Re:in Canada... (Score:5, Interesting)
Weird. I used my US debit card quite extensively in Japan this spring and I never got charged all those fees you are talking about. Granted, I was mostly using government-run ATM machines while there that I believe do not charge fees even if you are not a customer. But my bank sure didn't charge me any "disloyalty" or any of those currency exchange fees you are talking about. I was getting a pretty competitive exchange rate too (I was monitoring the amount actually debited from my account using Internet banking).
Re:Two tips (Score:5, Funny)
Also, most of the chartered banks now charge a surcharge in addition to the interac fee if you don't have a card from that bank.
Re:Two tips (Score:4, Interesting)
You could have a different PIN for small amounts and large amounts, being limited to one 'small' withdrawal per day, and that would slightly reduce the potential for fraud. But people would tend to forget the numbers. You could have a booklet printed with a list of one-use-only identification numbers; then someone would have to steal the booklet rather than just copy one number you typed in.
But with mobile phones being so common, can't we use those for security? You type into your phone the amount to withdraw and a PIN (which is held only in the phone itself), and it generates an authorization code signed with your private key (again held only in the phone). You type this code into the ATM, it checks the code using your public key and takes it as an authorization to withdraw *one* particular amount at *one* date and time. Rekeying the same authorization code later will not work since it includes the date and time (with say a five minute window between generating the number on your phone and it expiring), and as an additional safeguard the bank records previously-seen codes and won't accept them again.
Then even if you use a completely bogus ATM that records everything you type in, the worst that could happen is for someone to rush over to a real ATM and type in the same code to get the money - and it would be obvious something was wrong if the fake ATM didn't dispense exactly the same amount.
Re:Two tips (Score:3, Interesting)
The transition is already being made, but the hold up is getting the machines upgraded/replaced.
Not to mention the $5/card. Is it really worth the additional expense? I doubt this type of ATM fraud is costing the industry $5 per ATM card.
The best thing you can do right now is go through the hassle of transferring money between accounts (only have an ATM card for one account on you at a time) and transfer money between them. That is unless you want to use a credit card, and just pay it via check every
Re:Two tips (Score:5, Informative)
You: "Anti-Bank-Missile???"
Quite the opposite. The White Label ABM business means that big banks make money. Here's How: Canada's biggest bank and one of the top 10 in North America, the RBC Financial group (formerly Royal Bank) co-owns one of the white-label ABM companies [www.cbc.ca]!
So let's say I am a Royal Bank customer. (This was true up until a short time ago.) Royal bank gets my money in their account and pays me less than a dollar in interest per year. And then I go to a white label machine, pay the $1.50 disloyalty fee which goes straight to RBC, pay the ABM fee to the white label company (which RBC co-owns) and then I don't use up the receipt-paper, evelopes, cause wear and tear, etc. on Royal's own machines. It's a good deal for RBC and a bad deal for me.
The bottom line is that my bank makes more money if I go to the white label machines! Even if I go to another bank's machines, I am paying Royal's disloyalty fee and making them extra money. (I pay no fee if I use Royal's own machines.)
And a note for Canadians: If you are tired of stupid bank fees and low interest rates on your balances, consider President's Choice Financial [pcfinancial.ca]. I am a satisfied customer and do not work for them. Sure, it's owned by CIBC but I've never paid a cent in fees, I get free internet banking, free phone banking, free chequebooks, free Interac at CIBC machines, the 'points' rewards are worthwhile and attainable, and the interest rates are decent. (There are some minor downsides like spotty support for ATMs outside Canada, and most depoits over $200 except auto-payroll are delayed for 5 days so they can make interest on it. I can live with it.)
I try to avoid them altogether. (Score:5, Insightful)
If they integrated some other forms of identification that couldn't be forged, such as biometrics or retinal scans, perhaps I'd be a bit less worried. But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.
Re:I try to avoid them altogether. (Score:5, Insightful)
What difference will biometrics make if some criminal has installed a modified machine to intercept and record your biometric data?
Re:I try to avoid them altogether. (Score:3, Insightful)
Re:I try to avoid them altogether. (Score:3, Interesting)
What I want to see is something that reads neruoelectric signatures. For the initial version, you'd think about your favorite food while leaning
Fingerprint-protected ATM cards won't work - ever (Score:3, Insightful)
> seconds to capture a fingerprint off of... pretty much anything.
Yes! And I care to add for the sake of completeness, because this is
just too often (deliberately?) ignored:
1. fingerprint-protected ATM card gets stolen
2. thief needs sample of owners' fingerprint to produce copy
3. ??????????
4. profit! (well, or go to jail immediately)
Re:I try to avoid them altogether. (Score:2)
To get money out of your account, they would need to be you for one. Secondly, when the crook shows up at an ATM, you can immediatly identify that they are a crook and who the crook is.
Sounds good to me.
Re:I try to avoid them altogether. (Score:2, Insightful)
Look idiot, think a little. Using a ATM, they record your biometric data (retinal, fingerprint, whatever) and allow your transaction to go through and record the info. Later, they replay the transaction electronically and rob you.
How do you think biometrics work? They scan you and convert the information into a long numbe
Re:I try to avoid them altogether. (Score:2, Insightful)
Re:I try to avoid them altogether. (Score:3, Funny)
Re:I try to avoid them altogether. (Score:5, Insightful)
Re:I try to avoid them altogether. (Score:3, Funny)
all you have to do is put your eye against the glass of a copy machine ....
Re:I try to avoid them altogether. (Score:2)
Re:I try to avoid them altogether. (Score:2)
Re:I try to avoid them altogether. (Score:4, Insightful)
- Great security is keeping 2 steps ahead of the crooks
- Good security is keeping 1 step ahead, and
- Average security sometimes a little ahead and sometimes a little behind.
Most systems only have the budget for average security.Re:I try to avoid them altogether. (Score:2)
When you start seeing biometrics like facial recognition, voice pattern matching, and retnal scanning, then someone having your card would be useless. In fact, at that point, just drop the card. Use your face as the card and your voice as the PIN.
Re:I try to avoid them altogether. (Score:2, Informative)
You could disconnect the camera and plug it into your recording
You might as well just break into the ATM itself at that point.
or (possibly, I'm not sure) put a printed copy in front of the camera.
I'm not sure it's *that* easy, but the current technology does make fake retinas possible. Eventually (and maybe even now with the most expensive technology), this won't be possible, though (short of building a clone, anyway).
A much cheaper solution that's available today is to have some processing power b
Re:I try to avoid them altogether. (Score:2)
But as things stand now credit cards are a better way to go if you're worried about recovering losses from fraud.
That's just not true. Either way you are not responsible for losses from fraud unless you are negligent (or in cahoots with the fraudster). The people who had their pins stolen this way didn't lose a penny out of their own pockets. It's the banks that are taking the hit.
Re:I try to avoid them altogether. (Score:5, Interesting)
Or a public/private key system. Say when you get your card there is some randomish value on some part of the strip that when it is decryped against the key that the ABM/ATM has they will report a value that the bank gave you when you got your card, say "BLUE" (easy enough to remember). Now when ever you use an ABM/ATM you can know it will be authentic because it will say BLUE, if an ABM says your card is RED then you call the bank to report the erroneous machine which may mean an untrustmorthy machine or the bank has changed the key. The key is changed if some crackers ever find it out then the banks will have to go to all the machines and put in a new key, they'll also have to tell everyone what their new colour is which will be a hassle but hopefully shouldn't happen with any kind of frequency if they choose a good key and have good security procedures.
Non-biometrics solution (Score:5, Insightful)
For each transaction, my bank will send a random challenge to the ATM that only my electronic key can solve.
Re:I try to avoid them altogether. (Score:2)
Re:I try to avoid them altogether. (Score:5, Interesting)
One track of the card has the CC number linked to the primary account, another has a checking account number, and a third has a savings account number. I forget the order as I haven't had access to a magstripe reader/writer since I left my sysadmin job at college (used for the student IDs). It was nice to clone my debit card when the real one got trashed by a minimum wage counter-jockey who snapped it down the magstripe while swiping the card. BTW, the account info is plaintext on the card, if you know your account numbers, you can clone a card without actually having it available.
Next time you go to the gas pumps, select the credit option with your debit card. It won't prompt you for your PIN. It will, if you select the debit option.
I'm guessing its a legacy holdover, it would be nice if PIN usage was required on CC transactions. I think its sad that the local CompUSA here still uses the imprint machines to do CC transactions. Legacy always wins in business...
Re:I try to avoid them altogether. (Score:5, Interesting)
Once, about two years ago, I was shopping for Valentines Day gifts in a local market. The store had an ATM (and banking center) inside so I thought nothing of using their ATM for cash. As it turned out, one of the $20's that came from the ATM was counterfeit and the store clerk flagged it. Okay, so now it gets weird.....
I went immediately back to the banking center inside the store and told them what happened thinking I would be able to trade out the bad $20 for a good one. WRONG, WRONG, WRONG !!! Not only did they NOT replace the bill, but they forced me to fill out 3 pages of documentation on what happened, which was sent to the treasury department and was told to expect a call form them in a few weeks. And remember, the counterfeit $20 came from their machine.
Luckily, I was never contacted by the treasury dept or the FBI, but I am still out $20. Chalk it up to experience ?? I'll say one thing, I will never deal with "Union Bank of California" again.
Good Advice For Once (Score:3, Interesting)
You haven't received good advice all around. The thing you should have done immediately is see the bank manager of the nearest branch and Raise Hell {TM}. It would have been best to have refused to fill out any forms that forced you to admit to being the simple owner of a counterfeit bill, but even that's not so terrible as long as you are willing to do some further so
Yipes! (Score:5, Insightful)
Perhaps I should just go to the barter system. "I'll give you this cow for that rack mounted server."
Re:Yipes! (Score:3, Funny)
Throw in a pig and your daughter and you have a deal!
Aumm, so where am I safe? (Score:5, Funny)
I guess I could start using paypal. I mean, they're safe? They probably don't have evil workers at paypal enjoying a quick id. theft, I hope? Maybe, I could just start using cash again, but where I live I'll get mugged. Shoot, if I carry cash, I've even got the possiblity of washing my pants with my money in it. That's worse than having my idenitiy stolen. Seriously
Screw it. I'll be a hermit.
Re:Aumm, so where am I safe? (Score:2, Funny)
Theres an idea for a scam.. Setup a fake ATM machine that will take your card, and ask you to enter the pin three times. After the client enters the same pin number three times (the legit code of course), then it eats the card. No need to make a duplicate when you can use the origional.
Re:Aumm, so where am I safe? (Score:3, Interesting)
"They began by using "Lebanese loops" - home-made devices which make the customer think the machine has swallowed the card, only for the crooks to nab them after the victim has walked off. But they have moved on to card skimmers - fake devices which are taped onto the doors of cash machine foyers - and card slot readers."
It used to be you had to press a button to get into the lobby
Re:Aumm, so where am I safe? (Score:3, Informative)
This is hardly new (Score:5, Informative)
The fastest growing modus operandi is to use false terminals to collect customer card and PIN data. Attacks of this kind were first reported from the USA in 1988; there, crooks built a vending machine which would accept any card and PIN, and dispense a packet of cigarettes. They put their invention in a shopping mall, and harvested PINs and magnetic strip data by modem... in 1992, criminals set up a market stall in High Wycombe, England, and customers who wished to pay for goods by credit card were asked to swipe the card and enter the PIN at a terminal which was in fact hooked up to a PC.
This is really more of a problem with the lack of attention to such security issues on the part of banks than a new type of crime.
Uhh.. Yeah (Score:2)
The most sophisticated thefts involve the purchase and setup of real ATMs that actually do dispense cash...
Ok, tell me again where the Fake ATM is?
Actually, I have always wondered about these little ATMs that I see in random places. Just walking by the machines makes me nervous!
Article Highlight (Score:5, Funny)
The U.S. Secret Service says the following people are wanted for questioning in connection with the $4 million ATM heist described in Dateline's story:
Bella Magary
Hungarian white male, blond hair, 5'6", with medium build, aka Bill Gates, personal ties to California.
ATMs becoming less useful (Score:5, Insightful)
Who needs ATMs anymore? (Score:5, Interesting)
It used to be that when I travelled, I carried a fair amount of cash with me. Not anymore - I simply find that I don't need it - gas, food, lodging, all are put on the credit card.
Furthurmore, should I feel the need for cash, my local grocery store allows me to get cash back from a credit card purchase. I simply make a habit of getting $40 back when I buy groceries, and then keeping about $200 at the house. Thus, I rarely if ever need an ATM under normal conditions.
It is pretty stupid - I am sure running an ATM costs a bank far less than paying for a teller, but they seem bound and determined to drive us all away from using ATMs.
Re:Who needs ATMs anymore? (Score:5, Insightful)
- Your bank publishes the charges for using an ATM outside their network, and
- an ATM you use will tell you the fee for using that ATM
I don't know why people are so pissed off about ATM fees. What, do you think the ATM fairy just drops them off all over the place for free? The machine costs money. The network costs money. Service costs money. TANSTAAFL. If you don't want to pay the fees, don't use an ATM. Like you said, there are plenty of other methods.TANSTAAFL (Score:3, Informative)
Why ATM fees piss off people (Score:3, Informative)
Big shock, they lied.
Re:Who needs ATMs anymore? (Score:3, Insightful)
No, I think the HR fairy drops them off all over the place. She says "Here you go! Tons cheaper than a real person. Enjoy!" and wanders off to do another good deed.
Re:Who needs ATMs anymore? (Score:5, Insightful)
ATM machines are certainly not free, but they are a damned sight less expensive than the human-operated branches that banks used to provide for their customers (at no charge). In fact, cost-cutting is one of the reasons banks have consistently offered when replacing branches with ATMs. What any consumer with a brain should notice is that over the past decade or two, banks have continuously reduced their operating costs thanks to ATMs, and yet the amount of money customers tend to shell out for banking services has not decreased-- it has consistently risen. ATM fees are a big part of that.
The existence of ATM fees is due to the lack of reciprocal agreements among different banks. If bank A has thousands of machines, and wishes to provide better service for its customers, it stands to reason that it would try to enter into an agreement with another large bank B, in order to guarantee that neither banks' customers have to pay fees at ATMs belonging to either bank.
Unfortunately, experience has indicated that banks don't feel any desire to do this. In the real world, it is far more profitable for large banks to collude against their own customers through inaction-- by not creating reciprocal agreements, and collecting vast amounts of additional money through fees. This pads their bottom lines, and hey, what are customers going to do about it? There are only a few banks large enough to make such collaboration practical, and they don't seem too concerned about how much customers are paying (fees continue to rise, way ahead of inflation, despite the fact that the tech is getting cheaper.)
A similar situation exists in the world of wireless communications, where international phone companies ruthlessly assess other companies' customers absurd international roaming fees, even when the caller is only a few hundred miles from his home country. The income these corporations derive from fleecing their customers is far greater than what they would make if they chose to collaborate; since only a few companies are large enough to make this sort of agreement, and those companies make too much money off of the current arrangement, customers have nowhere to go.
Know what you mean (Score:2)
Yes, everything you buy on a credit card could go into some giant big-brother database... but you also get a nicely printed statement at the end of the month. I find this makes it infinitely easier to see where your money goes. Some programs, like Quicken (Evil Intuit... Evil!) will even automatically put that data into a ledger for you.
Honestly, credit cards make it easy, and there's fraud protection
Quicken et al (Score:2)
One of the tips I was sure they'd include would be to change Keep a watchful eye on your monthly statement, as well as your balance, and report any problems to your bank. to recommend that people sign up for electronic access (Quicken or web access) so they see the crooks' transactions within a day or two.
As the article mentioned, some people
By way of explanation (Score:2)
Intuit's missteps have been discussed to death in this forum, and while I dislike the hassles I was subjected to by their copyright paranoia, I appreciate a useful piece of software.
So to clarify: I like the program... I dislike the DRM (though they have forsaken that path, thankfully)
Tijuana (Score:5, Interesting)
Re:Tijuana (Score:4, Funny)
-B
Old news... But still rampant! (Score:5, Informative)
On another note, this is old news and has been around for years but it suprising its still so rampant, I guess the banks must be putting most of the cost on the customers as is indicitave of their inaction.
Re:Old news... But still rampant! (Score:3, Insightful)
Sounds like the bank monopoly is ripping you off, though. Technically I suppose it's not fraud, but you're still getting scammed, right. It's just a scam that the law smiles upon
Yeah (Score:5, Informative)
You see credit card fraud hyped up in the media all the time, but with almost every credit card you're liable for no more than $50, whereas ATM card fraud is always mentioned as a footnote when it can really screw up peoples' finances!
Attached documentary - Card Cleaner! (Score:5, Informative)
Out of the 12 ATM vendors, only 1 wanted to do a background check - one vendor even offered to sell it to him without a social security number.
Then, even more disturbing... he setup a sign next to the ATM that had a card swiper that said FREE! FREE! Card cleaner!!
note: The video requires an MSN Passport account (free)
Re:Attached documentary - Card Cleaner! (Score:5, Funny)
There's something ominous about requiring a swipe of my e-wallet info to view a video of a scam for people's p-wallet info.
Re:Attached documentary - Card Cleaner! (Score:4, Interesting)
The HCI researchers picked this one up, and they changed the behaviour to "give receipt, then card, before issuing cash."
I saw a show about this (Score:3, Interesting)
Re:I saw a show about this (Score:2)
Low-tech ATM user victimization (Score:4, Informative)
Many office alarm systems have a feature where entering the disarm code backwards (1234 becomes 4321) will work like the real code, while also triggering a silent alarm, summoning the police.
Since colleges nearly always have an on-campus 24-hour security staff, it should be possible for help to arrive in time to catch the attacker, or at least to rush the victim to the hospital before she bleeds out.
Dear /. User (Score:4, Funny)
In efforts to do so please email fraud@infiltrated.net and include your full name, social security number, all known credit card numbers, and let us do the rest.
We promise to give you the experience of a lifetime. At Politrix we don't just secure we test your account against the strictest policies. Using our patented SHAFT -- Securely Handling All Farking Technologies -- Politrix will order $10,000 worth of products. If we suceed we know you arent secure.
Call 1877TRIXSTA for more details choperators are standing by... A payphone in Times Square
card cleaner! (Score:4, Funny)
they missed this brilliant fraud: (Score:5, Funny)
ATM FRAUD [lostbrain.com]
tcd004
What an overelaborate scheme... (Score:5, Funny)
If someone wants to obtain access to easy credit, the easiest way is to simply steal people's wallets, which filthy street urchins have been able to do since the beginnings of civilization. You don't need to spend time and money to construct an ATM, as a few 13-year old delinquients in a crowded area like a shopping mall can obtain credit cards much quicker than that.
A lot of times, bank cards can be used as credit cards, and only require a signature that is seldom ever checked against the one on the back of the card inside the US, though in the EU they actually do it. The PIN number is hardly ever needed, but all that is required to access it is a quick phone call to a bank. Just walk into Best Buy and go on a shopping spree and hit credit on the little number pad, and all they'll ever do is make you sign a receipt.
Re:What an overelaborate scheme... (Score:2, Insightful)
Re:What an overelaborate scheme... (Score:2)
Minor safeguard... (Score:5, Interesting)
I've done this for a while. I have an account in which I pull out money I'll use to write checks for bills, Paypal, and to pull money from the ATM. This account usually only has another $1000-1500 in it that what is necessary for the bills.
I have another account in which the money is meant to sit there unless there's an emergency. I can write checks with this account, but I never do (so if there's a check written from it on my statement, I'd call the bank ASAP). My ATM isn't tied to this account. Paypal will never it ever exists. And half of the money is always purposely tied up in fairly short-term CDs.
-----
Thanks for the tips, but (Score:5, Funny)
That's nice, but what we really need are tips on how to set these scams up.
I'm unemployed.
A solution... for the semi-paranoid (Score:4, Informative)
1 primary card for your paycheck needs, used only at trusted locations, like your physical bank, card stored at home preferably in a safe.
1 secondary card which can be termed a petty cash card, where you may transfer funds to it on an as needed basis, for mail order items for example.
I'm not saying that this system is perfect, but offers some minimal protection, and can be implemented by going down to your bank and opening up a second account. If lost or stolen, well you loose you may loose your petty cash, but hey could be worse, far far worse.
Looks like the problem... (Score:5, Funny)
Four million, though? Damn, you deserve to get caught.
OK, but please don't regulate (Score:2)
I would not be supprised at all if this were intentional fear mongering designed to get particular policitians elected. What we really need is an attitude of - buyer beware and to let the market teach them a lession if they become too lax about financial security.
ATM Vs. INTERAC (Score:4, Insightful)
The problem arises when people have created false Interac machines, or scam your bank cards information from it. I use Interac probably 3-4 times a day, and each time, do my best to ensue I can see the interac terminal, which my card is being scanned through, to allow my self a *little* piece of mind.
THERES MY TUTITION! (Score:3, Funny)
Can't trust anyone (Score:2, Funny)
phishing expeditions (Score:5, Interesting)
Of course the usual robberies occured in the rooms themselves, forcing individuals to "dip" and enter their pins. Or getting pin jacked.
Face it, we need these machines until the fabled cashless society kicks in. In the meanwhile, use your banks ATM (also avoids service charges). Avoid all other ATMs.
Thinking about it, in the context of those "virtual credit card numbers", imagine a special PIN that is good for one transaction. If you are uncertain of a particular ATM or get pin jacked, give over the one time PIN#. Later, visit their website to activate/deactivate that magic pin.
Hedley
Virtual account numbers (Score:3, Informative)
The CitiBank virtual credit card account number feature actually doesn't work like you'd expect -- instead of being a "one-time" number, it's actually a "30-day" number. They set the expiration date to the end of the upcoming month to limit the time it's valid. I'm disappointed in the way it works, but the positives still outweigh the negatives so I still plan on using it unt
Re:Virtual account numbers (Score:3, Informative)
The CitiBank virtual credit card account number feature actually doesn't work like you'd expect -- instead of being a "one-time" number, it's actually a "30-day" number. They set the expiration date to the end of the upcoming month to limit the time it's valid. I'm disappointed in the way it works, but the positives still outweigh the negatives so I still plan on using it unti
Outsourcing woes, again (Score:2)
The sheer number of independent non-bank ATM operators make it all but impossible for the public to know whether he is using a legitimate ATM or not.
Eventually, if the banks do nothing to address this problem, their credibility will be so eroded that no one will trust ATMs any more.
Best one... (Score:4, Funny)
Guy stands next to machine in a fake uniform and collects the dough
Possible solution (Score:5, Insightful)
Clearly what's necessary is to have a small keypad on the card itself, as well as a small CPU, a private key that is encrypted by the user's PIN, and the public key of the bank. That way, all communication between the card and the bank can be encrypted, and no unencrypted information is ever sent through the ATM.
Such a card would not be much larger than current ATM cards.
The worst fraud that could then be perpetrated is to have a fake ATM that deducts $20 from your account but without dispensing the $20. But that scheme would be very quickly identified.
Murphys waiting for them too! (Score:3, Funny)
Thieves, hotwire a backhoe, drive it a couple of miles and use it to liberate an ATM from wherever, drop it into a truck and get the hell outa Dodge.
Imagine the disappointment when they get it home... if one of these fake ATM's gets selected for a backhoe style type smash and grab theft. Plus, imagine the disappointment for the original ATM fakers.... Delicious.
Murphys law says its gotta happen sometime!
Organized crime?, Nah!, for my money, its not really all that well organized....
atms on ebay (Score:4, Informative)
Re:atms on ebay (Score:3, Funny)
"Catch me if you can" anecdote (Score:3, Interesting)
Anyway, at night, he would put up the sign and station himself outside a bank's night deposit drop box with a big bin. He says people would actually come up and toss bags of cash into the bin, because they just had an innate trust of people in uniform.
I don't have to worry about ATM fraud. (Score:3, Funny)
Best Way? (Score:4, Funny)
That is, until someone builds a false Wal-Mart to get your account information.
Even smartcards are not a solution. (Score:4, Insightful)
Banks should switch to contactless cards with a tiny processor and display that (a) stays in control of the user at all times, and (b) allows the user to authorise *individual* cash/ATM transactions. It would be akin to a small palm-pilot with public-key cryotography and an IRDA link, but credit card sized, so it fit in your wallet... or is built into your wallet. The only way this could be defeated is by breaking the crypto, or by capturing the device itself and obtaining it's password.
Without an interface on a device in your control, even smart-cards can be defeated by the "false-front" ATMs mentioned in this article (you withdraw $20, the "false-front" ATM actually withdraws $1000, dispenses $20, and pockets the $980 difference).
atm security is pathetic (Score:5, Informative)
This is one of those instances where security by obscurity is obviously working, at least somewhat... as most people don't have access to one to play around with.
They use absolutely no encryption, as they are not required to until something like 2006. And even though it's there, it's not on (at least with Diebold machines). Many have a network cable running into the back of them, so you could plug in a hub and sniff the data. What will this get you? It will get you the ip of the authentication server it talks to and the format of the responses. This would allow you to forge your own authentication server and use some network trickery with a linux box or two and a hub/switch to make any card run through the machine be accepted.
The ones that don't have network cables usually have phone lines. A little known fact is that if you plug two modems together directly, you can still dial the other one and it will pick up and negotiate. You could certainly use this to stick a linux box in between and sniff the data that goes over the network and perform something similar to the above.
Probably the most secure ones are the ones that use GSM or GPRS to communicate as you'd need some expensive equipment to do anything with that, and they are typically inside the unit, so you'd have to break it open somehow so you can't get at the wires.
There are methods in use right now that the ATM companies have absolutely no idea how they work. I'd see memos floating around all the time. They put machines under surveillance for months, and all of a sudden, everyone who had used the machine got ripped off. Yet, no one, as far as they could tell, ever physically did anything to the machine. Theives are using some really sophisticated techniques right now, and about the only way to thwart this is to start using crypto, both for transit, and on your card.
Oh, ever wonder why most machines have been retrofitted with a card swiper instead of an eater? It's because people were putting stuff inside of it so cards would jam, and then they would sit across the parking lot with a spotting scope and watch a person type their pin. When the person couldn't get their card out and left, they would come by with a little extraction tool, take the card, and go on an ATM spree.
Be careful! ATM/MAC/Debit is *NOT* Insured! (Score:4, Informative)
Only visit your local branch to get cash with your debit/ATM card and use a Visa/Mastercard "CheckCard" for other purchases.
1. You will be insured.
2. Visa/Mastercard provier fraud protection
3. MAC/ATM/DEBIT is a bank fraud in itself. What is up with those FEES, especially since they don't guarantee or insure the transaction!
Posting AC - Information you should know. (Score:5, Interesting)
I work for the largest company in the USA that verifies the transaction between the bank and the cardholder. We are as you could put it, an ISP for ATM's. We are very large, and I've worked for them for quite a number of years.
We heard about these scams a few years ago, it's nothing new. There are a few things you can do to protect yourself.
1. Wait for a prompt before entering your pin number. I have never heard of a "cover" system so complex that they will respond correctly on the screen when a card is put in the slot. Rogue ATM's are another matter.
2. If a white box ATM eats your card, call your bank immediately to report the card stolen/eaten. This is because most of these systems are just a camera and a box to hold stolen cards and pin numbers. Unfortunately the days of getting your card back when it gets eaten are gone. With new regulations there's just no way, get a new one.
3. All ATM's in this country (usa) are required by law to have a phone number of the institution that is authorizing the transactions, and a notice of surcharge on it. If you don't see those, then there could be "something" covering them. They went to a lot of work to make that fake ATM cover, why would they want you alerting someone who would send out a repair technician?
Please don't go clamoring for more regulation. A lot of the regulation in place keeps us from properly helping people in distress, and does almost nothing to help secure them. Besides, most people only need securing from themselves.