Scammer Plants a Fake ATM At Defcon 17 394
Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
Epic Fail (Score:5, Insightful)
Re: (Score:3, Insightful)
It would be like telling some dumb fool to try to set up fake slot machines in the lobby of some Vegas casino for a laugh and watching the tit go ahead and do it...
Re: (Score:3, Insightful)
That was my thought too. I'd suspect if it was a prank, the PC will have a note taped to it saying "Welcome to DefCon" or something like that, hopefully with a description of the prank and the root/Administrator password to the machine so they can inspect it.
Of course, no forensics person (hopefully) would just log in with the given password, as if it was real, it could trip a cleanup routine. Providing the password would simply be a show of good faith to it being a prank.
Re: (Score:3, Insightful)
Re:Epic Fail (Score:5, Funny)
Been watching Oceans Eleven have we?
Re:Epic Fail (Score:5, Informative)
Defcon 5 isn't peaceful enough (Score:5, Funny)
I know we've been pulling out of Iraq, but going down to Defcon 17 just seems ridiculous.
Re:Defcon 5 isn't peaceful enough (Score:4, Funny)
I would put world peace at around 8.
10 would be a massive party with excessive amounts of alcohol.
12 would have half of them die of various overdoses.
Pedant Warning! (Score:5, Funny)
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
Re:Pedant Warning! (Score:5, Funny)
Yeah, like we are going to RTFA the farking article.
Re: (Score:2, Funny)
***WOOOOOOOOSSSSSHHHHH***
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Modded redundant! One can almost taste the poetic justice.
Re: (Score:3, Funny)
like a redundant reuse of similar duplicate terms that mean the same thing?
Re:Pedant Warning! (Score:5, Funny)
Of course, whether you get to do any is another matter.
Re:Pedant Warning! (Score:5, Funny)
At whom else's risk would I read it?
Re:Pedant Warning! (Score:5, Funny)
Re:Pedant Warning! (Score:5, Funny)
Asynchronous Transfer Mode? (Imagining that as a sexual euphemism gives me all kinds of degrading ideas)
Re:Pedant Warning! (Score:4, Funny)
The real one is worse.
http://www.all-acronyms.com/cat/9/ATM [all-acronyms.com]
"Abbreviatiated text messaging" *shudder*
Re:Pedant Warning! (Score:4, Funny)
Re: (Score:2, Funny)
Would you really prefer "AT Machine" and "PI Number"?
Re: (Score:2, Informative)
Re:Pedant Warning! (Score:5, Interesting)
Re:Pedant Warning! (Score:5, Funny)
So, in Canada, if you're going to steal a money-dispensing machine, you tell people you're going to take a BM?
Re:Pedant Warning! (Score:4, Funny)
You just need to learn more aboot the language before you visit.
Re:Pedant Warning! (Score:4, Funny)
I'm baffled by this...
Where were you in the US that people didn't know what a bathroom was? I mean that seriously - I've never in my life met someone who spoke English with at least medium facility who didn't know the terms "bathroom" "toilet" "restroom" "powder room" or "washroom," or any number of other more slangy terms for it. "WC" is a little less common in the US, but still generally understood.
And "Bank Machine" isn't a common term over here, but where were you that people weren't able to figure it out? If they were also completely flummoxed by "bath room" I'm going to guess it was an area where lead paint chips were a regional delicacy? Or was this so long ago that the devices were unknown to many? I did go on a trip to Oklahoma some years back where kids would actually ask if they could watch me use "the magic money machine," but those were children in a VERY small town, the machines were a novelty in many larger areas, and the kids in question were about 6-8 years old.
I absolutely don't mean to come off as hostile - I'm honestly amazed and curious.
Re: (Score:3, Funny)
Pirates (Score:3, Funny)
Re:Pedant Warning! (Score:4, Interesting)
The same when I asked for the 'bathroom'.
I, too, find American's aversion to referring to toilets by anything that vaguely resembles what one might do in them, damn strange. With that said, given their obsession with germs and hygiene is unsurpassed by pretty much no other culture (with the possible exception of the Japanese), I suppose it's not all that surprising.
I have an English friend who likes to tell the story of the first time he was in the US, trying to find a toilet in a shopping centre ("though they call it a 'mall'", he likes to chuckle about), and asked a security guard for directions.
First he asked "where's the loo". <blank stare>
Then he asked "where's the WC". <blank stare>
Then he asked "where's the bathroom". <blank stare>
Then he asked "where's the toilet". <blank stare>
Finally, someone standing nearby who had overheard, said "the rest room is over there".
He likes to reflect on how, of all the countries he's travelled to in the world (most of which do not have English as a local language), the one he had the hardest trouble finding a toilet in (due to comprehension problems) was America. This usually happens in the context of a "Great Britain and the USA, two countries separated by a common language" style discussion. :)
Re: (Score:3, Informative)
I, too, find American's aversion to referring to toilets by anything that vaguely resembles what one might do in them, damn strange.
Nah, we just don't like to refer to it as the shitter or the pisser in polite company.
Re:Pedant Warning! (Score:5, Funny)
Lastly he said "Please direct me to your nearest porcelain receptacle that I may initiate peristalsis and thus deposit my faeces therein."
On a related note, there's those baby wipes called "Baby Faces" and I so which I could photoshop those in real life and add an "e" to make it "Baby Faeces".
Re:Pedant Warning! (Score:4, Funny)
Don't even start me on the portable toilets called "Honey Bucket"...
Re:Pedant Warning! (Score:4, Funny)
Re:Pedant Warning! (Score:5, Insightful)
I suspect the failed communication was due to pronunciation rather than vocabulary. While "loo" and especially "WC" are very rare terms over here, "bathroom" is certainly the primary, standard term for almost everyone I know. Public bathrooms are typically called restrooms, but I'd be totally shocked to find someone who called their bathroom at home a restroom.
However, I could completely imagine someone with a moderate or thick British accent having a lot of trouble communicating with someone in the US. There are a lot of regional US accents that bear little resemblance to some of the British speech patterns, and a lot of people don't get outside their region very often.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
NYC?
Re:Pedant Warning! (Score:4, Funny)
VORLICH:[In his best Scottish Grammar School English] "and can I have four AA batteries, please?"
SALESGUY: "Y'Wot?"
VORLICH: [speaking slower and pointing directly to them] "Four AA Batteries, please."
SALESGUY: "Y'Wot?"
VORLICH: "Four AA badderees, please."
SALESGUY: "Aw, why'd y'not say that?
Sodder me sideways (Score:4, Funny)
My fave was the Yank pronounciation of 'solder' ("sodder"). To this Brit, it sounded like a cross between sodomize and bugger (which mean the same thing). I always cracked up when people asked if I could "sodder" a circuit board for them.
Re: (Score:3, Interesting)
Re:Pedant Warning! (Score:5, Funny)
Can I touch you for a fag?
Re: (Score:3, Funny)
Re:Pedant Warning! (Score:4, Funny)
That's the 'warsh room' to you buddy. ;-)
Yes, if you're retarded or from the Maritimes, but I repeat myself.
<Groundskeeper Willie voice>Auch! No doot aboot it, lad!</Groundskeeper Willie voice>
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Barclays (I think) have actually TRADEMARKED the term Hole In The Wall and label their machines with it now. Somebody else has claimed Cashpoint as their own. Doesn't seem right to me, what with decades of prior art having put those terms well and truly in the public domain, but I don't make the rules.
Re: (Score:3, Funny)
I can just imagine the conversations...
"Honey, I'm at the at machine, but I forgot my pi number."
"Daniel [wikipedia.org] babe, its 3141 you should know this by now."
Re: (Score:3, Funny)
But I *want* an Automatic ATM Machine and a Personal PIN Number!
What's the alternative? (Score:5, Insightful)
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?
It could be referred as "Personal Identification Number" which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.
One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference to PIN number gets very small.
PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digits long digit based password. I could bet a lot of money that most of people don't convert the acronym to words when they read text.
Besides, the ATM machine is used what, once? Most of the time it uses just ATM.
With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There has been too many times I've seen some acronym, tried to google it, found a dozen different meanings and have had no idea of which it refers to.
Re: (Score:3, Insightful)
They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very
Why not simply rephrase the sentence? For example: "It would scan the card and record the PIN."
It's not very difficult. One would think that the basics of writing should be important qualities in a job that primarily consists of writing.
Re: (Score:3, Funny)
Tom's Law:
Any word, acronym, or expression you don't understand, is about sex.
Corollary:
Your company's web filter WILL block it.
Re:Pedant Warning! (Score:5, Insightful)
Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.
Languages are shaped by cognitive cost. This is what Steven Pinker seems not to get. There _is_ an innate language instinct, it's just not what he thinks it is. What we all share is the ability to introspect the cognitive cost of figuring out "WTH is this dude trying to convey?"
One of the key insights on language is that Lempel-Ziv compression never transmits the compression dictionary. The dictionary is implied because the compression program and the decompression program share the same dictionary construction heuristic. This is a trick you can pull off only if the two sides of the channel share the same cognitive architecture. There are no shortage of examples out there of how fast communication breaks down when the parties begin with fundamentally different premises on how to structure the categories of thought.
Here's another fundamental question: what portion of the brain's cognitive activity is devoted to power management? For one thing, glucose is precious resource, and the brain is a chug-a-lug organ where it comes to glucose consumption. For another, the brain is costly to cool. From the real-time perspective (which governed 5.999 million years of human evolution), there's not much use firing up the abstract-noun chocolate factory when you need a survival response in under 100ms.
There's another truism here: fool me once, shame on you, fool me twice, shame on me. (Or, if you've spent forty years fouling your spark plugs, "fool me once, shame on -- shame on you. Fool me -- you can't get fooled again.")
When you get surprised by a lion, first you need to act, secondly, you need to record, to avert recurrence, after deferred reflection.
However, the brain does not record broad-spectrum. There's just too much. It's easy to build a PVR these days with 1TB of storage. I still haven't seen one where the tuner is replaced by a DC-to-daylight recording mode.
You can't defer deciding what to record for very long. So this is an obligatory cognitive function when your brain is already heavily loaded. At high enough stress levels, the recording function does shut down. Assessing and responding to cognitive burden is a mission-critical survival function. This is a key foundation for language learning.
A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind when the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner. The underlying assumption that makes this work in practise is that the architectural model of the child's brain resembles that of the rest of the population. This is 99% satisfied by being a member of the same species, without any weird genetic Pinkerisms.
As the language convention becomes more sophisticated, some parameters in the ambiguity resolution process become social constructs. Given a conflict between two heuristics, which takes priority? The important thing to realize about socially determined linguistic parameters is that they tend to vary across discourse settings. Experts have slightly different rules among themselves than apply in heterogeneous settings, where, e.g. half the people involved are ESL.
There was a thread here the other day on the consequences of a non-specialist treating guilt and liability as vaguely synonymous in exactly the wrong forum (wrists cuffed to ankles by the minions of RIAA).
A person incapable of pedanticism is not likely to succeed with either law or software. (This is one of the reasons why the IANAL meme on slashdot annoys the hell out of me: if the law is too complex to be successfully interpreted by a concentrated group of the weediest pedants on planet earth, just maybe perhaps the root c
Re: (Score:3, Interesting)
"A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind when the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner."
Oh how I wish that were true. I have seen too many people complain about something someone did, only to do it t
Complete FAIL for eveyone, including law enforcemt (Score:5, Interesting)
Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?
Re:Complete FAIL for eveyone, including law enforc (Score:5, Insightful)
Even if they could monitor it wirelessly, they should have just carefully disabled the wireless transmission (aluminum foil?) and grabbed whoever came to check in on it.
Re:Complete FAIL for eveyone, including law enforc (Score:5, Funny)
Re:Complete FAIL for eveyone, including law enforc (Score:5, Funny)
I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees.
The true FAIL was the Defcon attendees failing to spot and realize that the cops hauling the machines away were fake, and the ATM was real.
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
That's certainly a win-win for the cops -- if they delay treatment and the guy dies, their investigation has gone from attempted murder to murder, a plus
I don't think most members of law enforcement would view that as a "plus"......
Re:Complete FAIL for eveyone, including law enforc (Score:5, Informative)
Actually, the way the laws read in a lot of states, it goes something like this...
I learned this in law enforcement school. I was trained as a first responder. I could stabilize a patient until the paramedics arrived.
While on duty, I am protected by the department regardless of what happens. For example, if a person had a heart attack, and I gave CPR, they may sue for the bruising or cracked rib(s). If I fail to keep them alive, I'm still protected, because I tried to the best of my ability.
When OFF duty, I don't have any such protection, and may lose my ass in court. I was trained to perform those acts, but was not obliged. Pretty much, the lawyer for the victim, who is the person you saved, will tear you up when they say "So where did you go to medical school?" "Did the victim consent to you touching him?" "Being that you work in law enforcement, you thought it would be ok to attack the victim, and leave him with cracked ribs, causing him undue pain and suffering and weeks in the hospital?" As soon as you say "But he was having a heart attack", they'll come back with "But you're not a doctor, who were you to judge this?" You see where that goes. Lawyers are assholes, and some people will grab for money anywhere they can, including from the person who saved their life.
We were told, if you see someone having a heart attack on the street, and you aren't working, call 911. Don't get involved.
So, if someone had a heart attack at a conference of cardiovascular specialists, no, they may not get any treatment, but someone will (hopefully) call 911.
There are good people out there though. An ex-girlfriend was involved in a rather serious car accident. She was in the military, and a base surgeon witnessed it. He stopped, and began treating her to the best of his ability, even though he had no supplies. He called 911, then ensured she didn't move, and started to evaluate her for injuries. Other folks from the base secured the area, and guided traffic away from the scene. The scene was handed off to local law enforcement as they arrived. She was transported by ambulance to a civilian hospital (it happened off-base), where he road along. I was called from the hospital. By the time I got there, she was badly bruised and not terribly happy, but stable. And, no, it was a hit & run. There was a consistent description of the vehicle, but when they saw someone in uniform fall out of the drivers seat onto the ground, the focus was on her, not the other vehicle.
Myself, if I see someone in need, I help whenever possible. When professional help arrives, I'll walk away without giving any information. I care to help. I don't care for fame, fortune, or the lawsuit that may follow.
Re: (Score:3, Insightful)
CT is one state that only has such a law for those certified in first aid, but for other states, all of those questions your hypothetical lawyer asked you would be irrelevant, as you'd be immune under such coverage - consent can be impli
Re:Complete FAIL for eveyone, including law enforc (Score:4, Funny)
Re:Complete FAIL for eveyone, including law enforc (Score:5, Interesting)
I would think that the hardware would be considered a loss once placed.
Re: (Score:3, Insightful)
Do thieves actually come back for these? I'd definitely expect it to be wirelessly transmitting, or to be watching for a special card to be inserted to which it would download the skimmed information.
Re: (Score:3, Insightful)
In order to do that, they would have had to leave it out in the open and allowed people to use it, so as not to make the criminal suspicious when he returns to retrieve it. You then have people making transactions of questionable legality (I didn't read to see if it actually dispensed money or just showed an error after getting the PIN), and increase the possible damage if it is transmitting in a way they didn't uncover or if the criminal manages to extricate the information while they're watching it.
They'r
Las Vegas Hotel, Everything is monitored (Score:3, Interesting)
Sorry, Las Vegas casino Hotel. There are cameras in the toilets. They likly already know who they are.
Re:Las Vegas Hotel, Everything is monitored (Score:5, Informative)
They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them,
Re: (Score:3, Insightful)
Yea, there is no way someone can enter a casino in vegas, hell go anywhere near the strip, without being caught on hundreds of cameras. so they have a blind spot in one corner of the floor, but there is likly hundreds of hours of video tape covering every step of the delivery.
People Bitch about all the cameras in London. They got nothing on the number of cameras in Vegas.
If the security cameras in Vegas where not the best in World, the cons would have cleaned out the casinos years ago and the customers woul
Re: Everything is monitored ... except this ATM (Score:4, Insightful)
If the customers are walking out with large amounts of cash, someone's head will roll.
Re:Complete FAIL for eveyone, including law enforc (Score:5, Insightful)
They could have covertly had an undercover agent place an "out of order" sign on it; perhaps after trying to use a 'special' jailbait ATM card and PIN number, and the device failing to dispense $$$.
Just like a citizen might do as a service to others when they found the ATM didn't seem to be working..
The perps would probably send someone to investigate why they weren't getting any numbers. If investigators were recording with video surveillance, they could get leads that way.
Re:Complete FAIL for eveyone, including law enforc (Score:5, Funny)
They could have covertly had an undercover agent place an "out of order" sign on it;
Really, I'd replace the computer inside the ATM with a Ninja.
Fake ATMs (Score:5, Funny)
They make it sound like this was done by criminals. Who's to say it wasn't really a job offer in disguise? ;) "First person here to notice this gets a job offer."
Damn, I wish I noticed it... (Score:4, Interesting)
I wish I noticed it. I would have gotten a starbucks card and see if I could withdraw some cash...
Re:Damn, I wish I noticed it... (Score:5, Funny)
Yeah? and I climb rainbows for a living... with our powers combined, we form Captain Planet.
Security Office (Score:4, Insightful)
Easy to avoid (Score:5, Insightful)
The fake-ATM problem is just a man in the middle attack. We've known how to deal with MITM attacks for decades: use public-key cryptography and a secure key exchange algorithm like Diffie-Hellman to create an authenticated, secure channel. That's how SSL works.
Credit and debit cards should contain a small microprocessor that communicates with bank, check its identity, and establish a secure channel. Even if an attacker could read and modify traffic between the card and the bank, he couldn't interfere with the transaction (other than by stopping it entirely).
Of course, this scheme doesn't allow offline credit card processing, but that's rare these days. If you still need to bother, just use an old-fashioned imprint machine.
The larger problem is just of backwards compatibility, which is why we'll never see the sensible scheme above implemented in our lifetimes.
Re:Easy to avoid (Score:4, Informative)
Well, unless you plan to invent a time machine and die in the past, the odds of you living when this scheme gets implemented are pretty good, because it have already been implemented here in Danmark, where all current danish cards does have a chip. And the solution to backward compability is quite simple. All cards and card-readers include both the old and new solution.
But the banks have issued new cards to all users, and required all atms to be able to read the chip. So the backward compability is currently only used with foreign cards.
Re: (Score:3, Insightful)
It's all right for ATMs to be able to read old-style static tokens, but if new cards include both the token and the chip, then a compromised ATM can simply use the old-style authentication token to perform a fraudulent transaction. After all, aren't both schemes just as good from the banks point of view?
Now, if you guys have managed to phase out cards with offline, static tokens and rely solely on the chip, then kudos to you.
Re: (Score:3, Informative)
Either I don't get what you're saying or you don't get what the GP was saying.
The reason the chip-based authentication method was invented is because the old-style authentication was insecure. BUT the old-style authentication method still works, even on cards that have the chip. Danish ATMs need to be able to read cards issued from places other than Denmark, and Danes need to be able to use foreign ATMs. So anyone who wants to attack a card just needs to ignore the chip-based authentication, hack the cards
Re: (Score:3, Informative)
Re:Easy to avoid (Score:4, Interesting)
It's slightly more sophisticated than that. Note I say "slightly". Not "much".
You can't make a card with just the mag stripe and then use this card anywhere where they expect ATMs to read the chip. This is because the issuing bank will refuse to authorise a transaction which didn't involve the chip if it should have been possible to do so (they know full well that the card with number 1234 5678 9012 3456 was shipped with a chip, so if an ATM which can read chips tries a transaction with just the details on the stripe, it's dodgy).
So what the criminals do instead is read the stripe (either with a fake cash machine or a skimming device attached to a real cash machine), send the details to some country where ATMs that read chips aren't ubiquitous and make up a fake card for use there.
My guess is that Visa and Mastercard between them will, over time, put pressure on banks all over the world to replace their cash machines. But until that happens, this remains a security hole.
Re:Easy to avoid (Score:4, Interesting)
You don't make purchases with a card, but instead with the bank account the card represents. There are two parts to every transaction: identification and authorization. When using an ATM, the physical card provides both identification and authorization. The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.) Because it's non-trivial to both learn an account number and manufacture a matching card, physical possession of the card is a pretty good proxy for control of the account.
Online purchases are different: the identification still comes from the number printed on the card, but the authorization is based on the notion that account numbers are hard to guess (which is terrible security), or on a secret shared by the bank and the holder of the card, the CSC number on the back (which is merely bad security).
If you wanted, you could make online purchases work the same way they do today, and just keep printing CSC numbers on the back of cards. The ATM authorization scheme and the online one don't have anything to do with each other.
But if you're going to issue new cards, you might as well improve online security too, and stop using CSC numbers. Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now, but because the password wouldn't be printed on the back of the card, stealing the physical card wouldn't give you the ability to make online purchases using that card.
Better still would be a way for the card to interact online with the bank, but that seems impractical to me.
Re: (Score:3, Informative)
Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now,
Visa and Mastercard have already implemented this option. The only problem is the store has to be capable of handling it, and not all of them are, unfortunately.
https://usa.visa.com/personal/security/vbv/index.html?ep=v_sym_verified [visa.com]
http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html [mastercard.com]
The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.)
This is wrong. PINs haven't been stored on the card for a long time (I'm not even certain they ever were for all cards). You can easily check this yourself with a relatively cheap reader [magtek.com], or you
Going for broke (Score:3, Interesting)
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
--
Far better if this were an "pentest" with the "we'll stand back and watch" cooperation of the bank whose name is on the ATM. Scenario: White hat hackers to to BigBank and the hotel and say "We want to do a demonstration. We have a fake ATM we want to put in the DefCon hotel. We want to rig it so people's ATM codes are stored in the machine, encrypted, for later retrieval. BUT you, the bank, get the decoding key. At the end of Defcon we'll announce the prank. We'll give a $100 gift card and a a plaque to the first attendee who spots that it's a fake."
Now that would be cool.
Re: (Score:3, Interesting)
Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."
If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.
I can't imagine they hit that specific conference on purpose. They had bad luck. There are conferences in the hotels in Vegas every day. The thieves probably only knew "hotel booked" and "conference" and acted on that. Had it been a conference of commercial real estate managers or occupational therapists it probably would have gathered a good batch of account numbers and PINs.
Re: (Score:3, Interesting)
I don't have any re
If it was a legit scam.... (Score:4, Insightful)
If this was a legit scam instead of a prank, then there's a saying that applies:
"Only the most foolish mouse hides behind the cat's ear, but only the cleverest cat thinks to look there."
A long time ago... (Score:5, Interesting)
Back in 1990, after the Loma Prieta Earthquake, there was certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.
I realized it was exactly the same kind of door that was used on MY banks night deposit box just a few blocks down the street, a bank that still did business.
I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.
Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.
Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...
There was even a parking garage across the street for spotters.
Alas, I have morals, so it shall remain a daydream.
Re:A long time ago... (Score:5, Interesting)
There is another version of this scam, one or two people with guard uniforms and a strong deposit box sit out front of a bank. They've placed an 'out of order' sign on the normal deposit box and tell anybody who asks that the normal box is broken and they are there to guard a temporary box. Once one or two people have put their deposits in, they take down the sign and walk away with the money.
Re: (Score:3, Interesting)
Re:A long time ago... (Score:5, Informative)
Can you imagine a crowd you'd want to annoy LESS? (Score:3, Insightful)
For me the true FAIL of this incident was the idea of what could happen to the criminals once they're identities are made public after they seriously annoyed the attendees of a hacker convention. Can you imagine a group you'd less want to have seeing how they could make your life miserable (excluding the possibility of physical harm)? Good luck ever getting credit again, and that's just for starters...
Re: (Score:3, Interesting)
Re:No cash. (Score:5, Informative)
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Re:No cash. (Score:4, Interesting)
A clever scammer would actually have the machine dispense a small amount of cash - say a maximum of $100 per transaction - to avert suspicion.
Load it with, say, $5000 and you can get a minimum of 50 PINs, which is probably worth more than the $5000. Have it say, "Due to high volume, this machine may only dispense $100 per transaction" or the like, which I've seen at various legit ATMs in high-traffic locations. To make it last even longer, have it every once in awhile simply give a message that it is unable to communicate with the network or whatever comments the type of machine you're spoofing usually gives.
If it fails to dispense cash, good samaritans may put "out of order" signs on it, or, if it doesn't dispense and still asks for your data, that makes people suspicious.
The $5000 is peanuts - and probably isn't even their money in the first place - and would almost certainly be less expensive in terms of avoiding detection & getting a LOT more accounts. Absolutely nobody would think that an ATM that dispensed cash is fake; lots of people might suspect one that takes your PIN and then fails to work.
Re: (Score:3, Interesting)
A card plus PIN goes for couple of dollars. They're worth less than you think.
Re:No cash. (Score:5, Informative)
Indeed... that is why the ones that you really have to watch for aren't complete fake machines, but little recording devices placed in front of the real machine. You put your card in, enter the code, get your cash... and 5 minutes later some criminal in Eastern Europe runs off a copy of your card and cleans out your account.
A nice example of such a skim job is this one [nl.net]. The page is in Dutch but the pics are interesting... the guy happened to notice the false front was just a tad too clean, and on closer inspection noticed a recording head just behind the card slot. He ripped the thing from the machine and made a few pictures of it before turning it in to the police. The guy might have been observant, but thousands of people already had put their card through the machine without a second glance. I probably would not have noticed this myself either.
These criminals are getting more sophisticated now that people watch for false fronts, and machines are being altered to make it impossible to add them. These days they simple break into stores, open up card readers at the checkout counters, and add devices that record PINs and magnetic strips. One week later they break in again to retrieve their devices... some even use WiFi to read the data remotely from a nearby van, reducing the chances of getting caught.
Thankfully the banks here refund any skimmed funds as a rule.
Re: (Score:2)
Re:This is really curious (Score:4, Insightful)
I'm sorry, it just seems like you're whining that Slashdot didn't plug your site.