
Scammer Plants a Fake ATM At Defcon 17

Groo Wanderer writes "Normally, a well-crafted fake ATM would skim a lot of card information before it was noticed, if it was ever noticed at all. Because it is safer for the criminals and harder to prosecute, financial crimes like this are spreading fast. If you are smart, you don't try to pull one off in the middle of a computer security convention where the attendees are very good at spotting such scams. That said, some not-so-bright criminal tried to plant a fake ATM at Defcon. He now has one less fake ATM and a whole lot of investigators on his tail."
  • Epic Fail (Score:5, Insightful)

    by TornCityVenz ( 1123185 ) on Sunday August 02, 2009 @06:26PM (#28920493) Homepage Journal
    One wonders if it wasn't just bait to get security to tip their hand for a more thought out caper.
    • Re: (Score:3, Insightful)

      by Fluffeh ( 1273756 )
      I would doubt that. If anything, maybe someone suggested it as a location for a joke and some dumb bewb fell for it.

      It would be like telling some dumb fool to try to set up fake slot machines in the lobby of some Vegas casino for a laugh and watching the tit go ahead and do it...
      • Re: (Score:3, Insightful)

        by JWSmythe ( 446288 )

        That was my thought too. I'd suspect if it was a prank, the PC will have a note taped to it saying "Welcome to DefCon" or something like that, hopefully with a description of the prank and the root/Administrator password to the machine so they can inspect it.

        Of course, no forensics person (hopefully) would just log in with the given password, as if it was real, it could trip a cleanup routine. Providing the password would simply be a show of good faith to it being a prank.

        • Re: (Score:3, Insightful)

          by TiberSeptm ( 889423 )
          A better show of good faith would be if the card-reader were not actually connected internally with a sticky note inside saying that was done intentionally. At least that's what I'd do if I wanted to pull a prank like that and not face 5+ years in prison.
    • by EdIII ( 1114411 ) * on Sunday August 02, 2009 @06:56PM (#28920757)

      One wonders if it wasn't just bait to get security to tip their hand for a more thought out caper.

      Been watching Oceans Eleven have we?

  • by Anonymous Coward on Sunday August 02, 2009 @06:28PM (#28920517)

    I know we've been pulling out of Iraq, but going down to Defcon 17 just seems ridiculous.

  • by ZackSchil ( 560462 ) on Sunday August 02, 2009 @06:28PM (#28920525)

    Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

    • by Anonymous Coward on Sunday August 02, 2009 @06:33PM (#28920547)

      Yeah, like we are going to RTFA the farking article.

    • by Mononoke ( 88668 ) on Sunday August 02, 2009 @06:43PM (#28920633) Homepage Journal

      Read at your own risk.

      At whom else's risk would I read it?

    • by Minwee ( 522556 ) <dcr@neverwhen.org> on Sunday August 02, 2009 @06:43PM (#28920639) Homepage
      Maybe it is referring to the other, NSFW definition of ATM. This is a hotel in Las Vegas, you know.
    • Re: (Score:2, Funny)

      by rlseaman ( 1420667 )

      Would you really prefer "AT Machine" and "PI Number"?

      • Re: (Score:2, Informative)

        by Anonymous Coward
        I can't tell if you're joking or if you're actually that stupid. I'm pretty sure the perfected way would just be ATM and PIN, without the redundancy.
        • Re:Pedant Warning! (Score:5, Interesting)

          by theshowmecanuck ( 703852 ) on Sunday August 02, 2009 @08:54PM (#28921401) Journal
          Being Canadian I usually call it a 'bank machine' rather than an ATM. That is the common term here, very few people call it an ATM. The funny thing is, when I lived in the U.S. I would have to remember to use the term ATM instead of bank machine. While some people knew what I meant when I would ask, "where's the closest bank machine," an unbelievable number would look at me with a blank stare and ask what I meant. Then I would remember and say, "the closest ATM." Then I would get a look of understanding and then the directions. In fact I would hazard that something like 60 or 70% of the people would respond like that. I can't give exact numbers, but absolutely for sure, most people didn't know what I meant by 'bank machine'. The same when I asked for the 'bathroom'. I would have to translate to 'rest room' (the WC for those overseas :) ). When I remembered to use the local term, they would ask why I call it a bathroom, there aren't any baths there. And I would reply, why do you call it a rest room, I can tell you for sure I won't be doing any resting... maybe a lot of grunting, but no resting. It's funny how English can be so different. That's my story and I'm sticking to it.
          • by machine321 ( 458769 ) on Sunday August 02, 2009 @08:58PM (#28921423)

            So, in Canada, if you're going to steal a money-dispensing machine, you tell people you're going to take a BM?

          • by v1 ( 525388 ) on Sunday August 02, 2009 @09:05PM (#28921485) Homepage Journal

            You just need to learn more aboot the language before you visit.

          • by thesandtiger ( 819476 ) on Sunday August 02, 2009 @09:53PM (#28921849)

            I'm baffled by this...

            Where were you in the US that people didn't know what a bathroom was? I mean that seriously - I've never in my life met someone who spoke English with at least medium facility who didn't know the terms "bathroom" "toilet" "restroom" "powder room" or "washroom," or any number of other more slangy terms for it. "WC" is a little less common in the US, but still generally understood.

            And "Bank Machine" isn't a common term over here, but where were you that people weren't able to figure it out? If they were also completely flummoxed by "bath room" I'm going to guess it was an area where lead paint chips were a regional delicacy? Or was this so long ago that the devices were unknown to many? I did go on a trip to Oklahoma some years back where kids would actually ask if they could watch me use "the magic money machine," but those were children in a VERY small town, the machines were a novelty in many larger areas, and the kids in question were about 6-8 years old.

            I absolutely don't mean to come off as hostile - I'm honestly amazed and curious.

            • Re: (Score:3, Funny)

              by Tubal-Cain ( 1289912 )
              "powder room" and "washroom" would confuse me (the terms are never used 'round here) but not understanding "bathroom" must have required very special medical treatment [wikipedia.org].
              • Not if you were a pirate on a galleon. They'd understand where the black powder is stored, that you need room to wash ashore - and they very probably never heard about baths and rooms to place them in.
          • Re:Pedant Warning! (Score:4, Interesting)

            by drsmithy ( 35869 ) <drsmithy @ g m a il.com> on Sunday August 02, 2009 @11:02PM (#28922243)

            The same when I asked for the 'bathroom'.

            I, too, find Americans' aversion to referring to toilets by anything that vaguely resembles what one might do in them damn strange. With that said, given that their obsession with germs and hygiene is unsurpassed by pretty much any other culture (with the possible exception of the Japanese), I suppose it's not all that surprising.

            I have an English friend who likes to tell the story of the first time he was in the US, trying to find a toilet in a shopping centre ("though they call it a 'mall'", he likes to chuckle about), and asked a security guard for directions.

            First he asked "where's the loo". <blank stare>
            Then he asked "where's the WC". <blank stare>
            Then he asked "where's the bathroom". <blank stare>
            Then he asked "where's the toilet". <blank stare>

            Finally, someone standing nearby who had overheard, said "the rest room is over there".

            He likes to reflect on how, of all the countries he's travelled to in the world (most of which do not have English as a local language), the one he had the hardest trouble finding a toilet in (due to comprehension problems) was America. This usually happens in the context of a "Great Britain and the USA, two countries separated by a common language" style discussion. :)

          • by vorlich ( 972710 ) on Monday August 03, 2009 @04:53AM (#28924309) Homepage Journal
            In Miami City, when I lived there, I went down to the deli/supermarket/minimarket that sells everything and had the following conversation:

            VORLICH:[In his best Scottish Grammar School English] "and can I have four AA batteries, please?"
            SALESGUY: "Y'Wot?"
            VORLICH: [speaking slower and pointing directly to them] "Four AA Batteries, please."
            SALESGUY: "Y'Wot?"
            VORLICH: "Four AA badderees, please."
            SALESGUY: "Aw, why'd y'not say that?"
          • Re: (Score:3, Interesting)

            by BrentH ( 1154987 )
            Here in the Netherlands everyone calls it either 'to PIN some money' (because everyone refers to their debit cards as PIN cards) or 'to get some money from the wall'. Can't get used to 'ATM' either. Although I think I just read it in the comments just now, I can't remember what ATM stands for.
          • by jtownatpunk.net ( 245670 ) on Monday August 03, 2009 @12:24PM (#28928963)

            Can I touch you for a fag?

      • Re: (Score:3, Funny)

        by johncadengo ( 940343 )

        I can just imagine the conversations...

        "Honey, I'm at the at machine, but I forgot my pi number."
        "Daniel [wikipedia.org] babe, its 3141 you should know this by now."

    • by Anonymous Coward on Sunday August 02, 2009 @07:17PM (#28920851)

      Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

      People - and by this I mean people on Slashdot, I've not seen anyone complain about it elsewhere - always complain about that. But what's the alternative?

      It could be referred to as "Personal Identification Number", which is just overly long and besides, everybody just knows it as PIN. They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very good. I know the capitalization makes the necessary difference between "pins" and "PINs" here but honestly, that version still looks a bit out of place to me.

      One could say "PIN code". It is the version usually used here in Finland ("PIN-koodi") but the difference to PIN number gets very small.

      PIN isn't just an acronym for Personal Identification Number. It is, in itself, a name for a short, usually 4 to 8 digit long, digit-based password. I could bet a lot of money that most people don't convert the acronym to words when they read text.

      Besides, the ATM machine is used what, once? Most of the time it uses just ATM.

      With the massive amount of acronyms we have, especially short ones, a lot of them have multiple meanings. While it is relatively easy to understand these ones in this context, I fully support people adding an additional word to tell which meaning of some acronym is meant in a given situation. At least once in an article. There have been too many times I've seen some acronym, tried to google it, found a dozen different meanings and had no idea which one it refers to.

      • Re: (Score:3, Insightful)

        by dangitman ( 862676 )

        They could just say "it would scan their card information and record the PINs they entered" but I don't think it is very

        Why not simply rephrase the sentence? For example: "It would scan the card and record the PIN."

        It's not very difficult. One would think that the basics of writing should be important qualities in a job that primarily consists of writing.

      • Re: (Score:3, Funny)

        by sorak ( 246725 )

        Tom's Law:
        Any word, acronym, or expression you don't understand, is about sex.

        Your company's web filter WILL block it.

    • Re:Pedant Warning! (Score:5, Insightful)

      by epine ( 68316 ) on Sunday August 02, 2009 @08:27PM (#28921233)

      Article contains the terms "ATM Machine" and "PIN Number". Read at your own risk.

      Languages are shaped by cognitive cost. This is what Steven Pinker seems not to get. There _is_ an innate language instinct, it's just not what he thinks it is. What we all share is the ability to introspect the cognitive cost of figuring out "WTH is this dude trying to convey?"

      One of the key insights on language is that Lempel-Ziv compression never transmits the compression dictionary. The dictionary is implied because the compression program and the decompression program share the same dictionary construction heuristic. This is a trick you can pull off only if the two sides of the channel share the same cognitive architecture. There is no shortage of examples out there of how fast communication breaks down when the parties begin with fundamentally different premises on how to structure the categories of thought.

      Here's another fundamental question: what portion of the brain's cognitive activity is devoted to power management? For one thing, glucose is a precious resource, and the brain is a chug-a-lug organ when it comes to glucose consumption. For another, the brain is costly to cool. From the real-time perspective (which governed 5.999 million years of human evolution), there's not much use firing up the abstract-noun chocolate factory when you need a survival response in under 100ms.

      There's another truism here: fool me once, shame on you, fool me twice, shame on me. (Or, if you've spent forty years fouling your spark plugs, "fool me once, shame on -- shame on you. Fool me -- you can't get fooled again.")

      When you get surprised by a lion, first you need to act, secondly, you need to record, to avert recurrence, after deferred reflection.

      However, the brain does not record broad-spectrum. There's just too much. It's easy to build a PVR these days with 1TB of storage. I still haven't seen one where the tuner is replaced by a DC-to-daylight recording mode.

      You can't defer deciding what to record for very long. So this is an obligatory cognitive function when your brain is already heavily loaded. At high enough stress levels, the recording function does shut down. Assessing and responding to cognitive burden is a mission-critical survival function. This is a key foundation for language learning.

      A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind went the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner. The underlying assumption that makes this work in practice is that the architectural model of the child's brain resembles that of the rest of the population. This is 99% satisfied by being a member of the same species, without any weird genetic Pinkerisms.

      As the language convention becomes more sophisticated, some parameters in the ambiguity resolution process become social constructs. Given a conflict between two heuristics, which takes priority? The important thing to realize about socially determined linguistic parameters is that they tend to vary across discourse settings. Experts have slightly different rules among themselves than apply in heterogeneous settings, where, e.g. half the people involved are ESL.

      There was a thread here the other day on the consequences of a non-specialist treating guilt and liability as vaguely synonymous in exactly the wrong forum (wrists cuffed to ankles by the minions of RIAA).

      A person incapable of pedanticism is not likely to succeed with either law or software. (This is one of the reasons why the IANAL meme on slashdot annoys the hell out of me: if the law is too complex to be successfully interpreted by a concentrated group of the weediest pedants on planet earth, just maybe perhaps the root c

      • Re: (Score:3, Interesting)

        by quadrox ( 1174915 )

        "A child doesn't need a special gene to discover the linguistic consequences of garden path sentence structures. "Oh damn, my mind when the wrong direction, and I wasted cognitive effort". Thus a child can self-infer a constraint on viable grammatical form, even if, in the manner of an LZW dictionary, the constraint is never explicitly conveyed from the language proficient to the language learner."

        Oh how I wish that were true. I have seen too many people complain about something someone did, only to do it t

  • by Radtastic ( 671622 ) on Sunday August 02, 2009 @06:29PM (#28920529)
    FTA, "Conference organizers notified local law enforcement who hauled away the machine on Thursday or Friday".... Wouldn't they have been better served monitoring the device to see who came and picked it up?

    Sorry, I'm no expert here. Is there a way to monitor if the device was broadcasting wirelessly, preventing the need of a physical retrieval?
    • by ZackSchil ( 560462 ) on Sunday August 02, 2009 @06:33PM (#28920553)

      Even if they could monitor it wirelessly, they should have just carefully disabled the wireless transmission (aluminum foil?) and grabbed whoever came to check in on it.

    • by e9th ( 652576 ) <e9th.tupodex@com> on Sunday August 02, 2009 @06:39PM (#28920603)
      I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees. Sort of like a guy having a heart attack at a cardiologists convention and the cops keeping everybody back until an ambulance can arrive and take him to a hospital.
      • by Xemu ( 50595 ) on Sunday August 02, 2009 @06:51PM (#28920711) Homepage

        I think the real fail was the cops hauling the machine away without asking for help from the Defcon attendees.

        The true FAIL was the Defcon attendees failing to spot and realize that the cops hauling the machines away were fake, and the ATM was real.

        • Re: (Score:3, Funny)

          by stephanruby ( 542433 )
          No, the true FAIL was that none of the Defcon attendees took pictures of the people servicing the ATM. For security reasons that's the new rule, if you see an ATM being serviced -- you have to take your cell phone and take a picture of whomever is doing the servicing [pulse2.com].
      • Re: (Score:3, Insightful)

        by lena_10326 ( 1100441 )
        There is a reason for following procedure during an investigation. If you have a piece of evidence in a criminal investigation, you don't let people touch it willy-nilly because later in trial it could be thrown out on the grounds it was tampered with. The second reason is the criminal could have been watching in the crowd. Letting random individuals get access to the machine could enable a criminal to erase the data by hitting a reset switch. The police had no idea who planted it there so they could not tr
    • by nurb432 ( 527695 ) on Sunday August 02, 2009 @07:31PM (#28920931) Homepage Journal

      I would think that the hardware would be considered a loss once placed.

    • Re: (Score:3, Insightful)

      by Sancho ( 17056 )

      Do thieves actually come back for these? I'd definitely expect it to be wirelessly transmitting, or to be watching for a special card to be inserted to which it would download the skimmed information.

    • Re: (Score:3, Insightful)

      by FroBugg ( 24957 )

      In order to do that, they would have had to leave it out in the open and allowed people to use it, so as not to make the criminal suspicious when he returns to retrieve it. You then have people making transactions of questionable legality (I didn't read to see if it actually dispensed money or just showed an error after getting the PIN), and increase the possible damage if it is transmitting in a way they didn't uncover or if the criminal manages to extricate the information while they're watching it.


    • Sorry, Las Vegas casino hotel. There are cameras in the toilets. They likely already know who they are.

      • by kent_eh ( 543303 ) on Sunday August 02, 2009 @08:24PM (#28921219)
        They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them,
  • Fake ATMs (Score:5, Funny)

    by girlintraining ( 1395911 ) on Sunday August 02, 2009 @06:32PM (#28920545)

    They make it sound like this was done by criminals. Who's to say it wasn't really a job offer in disguise? ;) "First person here to notice this gets a job offer."

  • by nweaver ( 113078 ) on Sunday August 02, 2009 @06:48PM (#28920681) Homepage

    I wish I noticed it. I would have gotten a starbucks card and see if I could withdraw some cash...

  • Security Office (Score:4, Insightful)

    by Zerocool3001 ( 664976 ) <tfall@wBALDWINitsend.com minus author> on Sunday August 02, 2009 @08:03PM (#28921087) Homepage Journal
    They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them, Priest said. "It was literally right next to the hotel security entrance." So even the security officials don't like to be spied on.
  • Easy to avoid (Score:5, Insightful)

    by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Sunday August 02, 2009 @08:16PM (#28921167)

    The fake-ATM problem is just a man in the middle attack. We've known how to deal with MITM attacks for decades: use public-key cryptography and a secure key exchange algorithm like Diffie-Hellman to create an authenticated, secure channel. That's how SSL works.

    Credit and debit cards should contain a small microprocessor that communicates with the bank, checks its identity, and establishes a secure channel. Even if an attacker could read and modify traffic between the card and the bank, he couldn't interfere with the transaction (other than by stopping it entirely).

    Of course, this scheme doesn't allow offline credit card processing, but that's rare these days. If you still need to bother, just use an old-fashioned imprint machine.

    The larger problem is just of backwards compatibility, which is why we'll never see the sensible scheme above implemented in our lifetimes.

    • Re:Easy to avoid (Score:4, Informative)

      by TheSunborn ( 68004 ) <.tiller. .at. .daimi.au.dk.> on Sunday August 02, 2009 @09:55PM (#28921863)

      Well, unless you plan to invent a time machine and die in the past, the odds of you living when this scheme gets implemented are pretty good, because it has already been implemented here in Denmark, where all current Danish cards do have a chip. And the solution to backward compatibility is quite simple. All cards and card readers include both the old and new solution.

      But the banks have issued new cards to all users, and required all ATMs to be able to read the chip. So the backward compatibility is currently only used with foreign cards.

      • Re: (Score:3, Insightful)

        by QuoteMstr ( 55051 )

        All cards and card-readers include both the old and new solution.

        It's all right for ATMs to be able to read old-style static tokens, but if new cards include both the token and the chip, then a compromised ATM can simply use the old-style authentication token to perform a fraudulent transaction. After all, aren't both schemes just as good from the bank's point of view?

        Now, if you guys have managed to phase out cards with offline, static tokens and rely solely on the chip, then kudos to you.
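A toy model of the two points made above: the parent's argument that an authenticated card-to-bank channel makes a fake ATM a harmless man in the middle, and the reply's objection that a card which still carries a static token can simply be downgraded. This is an added example written for this page, not code from the thread or from any bank; it uses a symmetric MAC keyed by a per-card secret (which is also how EMV's online cryptogram works) rather than the public-key exchange the parent sketches, because that is enough to show the property. The issuer, card, PAN and PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets


class Card:
    """Chip card as modelled here: a per-card key shared only with the issuer
    (never exported), plus legacy magstripe track data any reader can copy."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key            # stays inside the chip
        self.track_data = pan      # static, copied by any skimmer

    def sign_transaction(self, nonce: bytes, amount_cents: int) -> bytes:
        # The MAC binds the issuer's one-time nonce, the amount and the PAN,
        # so none of them can be altered or replayed without the card's key.
        msg = nonce + amount_cents.to_bytes(8, "big") + self.pan.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Hypothetical issuer back end; not any real bank's protocol."""

    def __init__(self, accept_magstripe_fallback: bool) -> None:
        self.keys: dict[str, bytes] = {}
        self.pins: dict[str, str] = {}
        self.pending_nonces: set[bytes] = set()
        self.accept_magstripe_fallback = accept_magstripe_fallback

    def enroll(self, pan: str, pin: str) -> Card:
        key = secrets.token_bytes(32)
        self.keys[pan] = key
        self.pins[pan] = pin
        return Card(pan, key)

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending_nonces.add(nonce)
        return nonce

    def authorize_chip(self, pan: str, nonce: bytes,
                       amount_cents: int, mac: bytes) -> bool:
        if nonce not in self.pending_nonces:
            return False           # unknown or already consumed: a replay
        self.pending_nonces.discard(nonce)
        key = self.keys.get(pan)
        if key is None:
            return False
        msg = nonce + amount_cents.to_bytes(8, "big") + pan.encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)

    def authorize_magstripe(self, pan: str, pin: str, amount_cents: int) -> bool:
        # Legacy path: everything it checks is static and can be copied.
        if not self.accept_magstripe_fallback:
            return False
        return self.pins.get(pan) == pin


def fake_atm_scenarios(accept_fallback: bool) -> dict[str, bool]:
    """Run one honest withdrawal through a skimming ATM that records the
    exchange, then try the three things the skimmer can do with what it saw."""
    issuer = Issuer(accept_magstripe_fallback=accept_fallback)
    card = issuer.enroll("4000123412341234", "1234")   # constructed test card

    # Honest 20.00 withdrawal; the fake ATM forwards it but keeps a copy.
    nonce = issuer.new_challenge()
    mac = card.sign_transaction(nonce, 2000)
    seen = {"track": card.track_data, "nonce": nonce, "mac": mac, "pin": "1234"}
    honest = issuer.authorize_chip(card.pan, nonce, 2000, mac)

    # Attack 1: MITM changes the amount while relaying a live transaction.
    nonce2 = issuer.new_challenge()
    mac2 = card.sign_transaction(nonce2, 2000)
    tampered = issuer.authorize_chip(card.pan, nonce2, 50000, mac2)

    # Attack 2: replay the recorded chip exchange after the card is gone.
    replayed = issuer.authorize_chip(seen["track"], seen["nonce"], 2000, seen["mac"])

    # Attack 3: downgrade to the legacy path with copied track data and the
    # PIN observed on the keypad.
    downgraded = issuer.authorize_magstripe(seen["track"], seen["pin"], 50000)

    return {"honest": honest, "tampered": tampered,
            "replayed": replayed, "downgraded": downgraded}


if __name__ == "__main__":
    print(fake_atm_scenarios(accept_fallback=True))
    print(fake_atm_scenarios(accept_fallback=False))
```

With the chip path, the skimmer gets a PAN and a MAC that is useless outside the one transaction it was computed for: changing the amount or replaying the exchange both fail at the issuer. The only thing that still works is the downgrade, and it works exactly as long as the issuer's `accept_magstripe_fallback` switch is on; a deployment that refuses magstripe authorizations for chip-enrolled cards, as the Danish reply describes, corresponds to turning it off.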

  • Going for broke (Score:3, Interesting)

    by davidwr ( 791652 ) on Sunday August 02, 2009 @08:47PM (#28921371) Homepage Journal

    Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."

    If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.


    Far better if this were a "pentest" with the "we'll stand back and watch" cooperation of the bank whose name is on the ATM. Scenario: White hat hackers go to BigBank and the hotel and say "We want to do a demonstration. We have a fake ATM we want to put in the DefCon hotel. We want to rig it so people's ATM codes are stored in the machine, encrypted, for later retrieval. BUT you, the bank, get the decoding key. At the end of Defcon we'll announce the prank. We'll give a $100 gift card and a plaque to the first attendee who spots that it's a fake."

    Now that would be cool.

    • Re: (Score:3, Interesting)

      Just imagine the headlines if they had succeeded: "Security experts lose bank accounts to scammers."

      If you have the cojones to put your fake ATM in a security conference at least have the brains to do it right.

      I can't imagine they hit that specific conference on purpose. They had bad luck. There are conferences in the hotels in Vegas every day. The thieves probably only knew "hotel booked" and "conference" and acted on that. Had it been a conference of commercial real estate managers or occupational therapists it probably would have gathered a good batch of account numbers and PINs.

  • by Darth_brooks ( 180756 ) * <clipper377@noSpaM.gmail.com> on Sunday August 02, 2009 @09:03PM (#28921471) Homepage

    If this was a legit scam instead of a prank, then there's a saying that applies:

    "Only the most foolish mouse hides behind the cat's ear, but only the cleverest cat thinks to look there."

  • A long time ago... (Score:5, Interesting)

    by Anachragnome ( 1008495 ) on Sunday August 02, 2009 @10:13PM (#28921953)

    Back in 1990, after the Loma Prieta Earthquake, there was a certain bank (damaged by the quake) that was demolished right downtown in Santa Cruz, California. One day I was walking past and noticed in the debris/rubble pile the night deposit box, bread-box style door hanging open, still mounted in a fair portion of the wall it was attached to.

    I realized it was exactly the same kind of door that was used on MY bank's night deposit box just a few blocks down the street, a bank that still did business.

    I had a very boring job at the time and had lots of time to daydream. It is here that I devised my plan.

    Late in the night, head down with a pickup and load up the night deposit box from the rubble pile. Take it home. Reproduce the wall the other one, the one at my bank, is mounted in. As it turns out, the night deposit box there was located in a sort of wall "extension" that one could reproduce, lay the fake right over the top (quickly unloaded from the back of a pickup) and as long as it looked right would appear no different. Simply leave it in place with the lock modified so ANY key will open it.

    Set it up late Sunday night, around 11pm, and wait for the night deposits from all the businesses that cater to the tourist industry in Santa Cruz every weekend. Head back around 5 am, swing the false wall out of the way, pick up all the deposits, and walk away...

    There was even a parking garage across the street for spotters.

    Alas, I have morals, so it shall remain a daydream.

    • by Raptoer ( 984438 ) on Sunday August 02, 2009 @10:33PM (#28922065)

      There is another version of this scam, one or two people with guard uniforms and a strong deposit box sit out front of a bank. They've placed an 'out of order' sign on the normal deposit box and tell anybody who asks that the normal box is broken and they are there to guard a temporary box. Once one or two people have put their deposits in, they take down the sign and walk away with the money.

  • by sprior ( 249994 ) on Sunday August 02, 2009 @11:14PM (#28922339) Homepage

    For me the true FAIL of this incident was the idea of what could happen to the criminals once their identities are made public after they seriously annoyed the attendees of a hacker convention. Can you imagine a group you'd less want to have seeing how they could make your life miserable (excluding the possibility of physical harm)? Good luck ever getting credit again, and that's just for starters...
