back to article Fake ATM scam rumbled by Defcon hackers

White hat hackers attending the DefCon conference in Vegas last week uncovered the presence of a fake ATM in the show's venue. Fraudsters placed a fake ATM kiosk in the Riviera Hotel Casino at an unknown time prior to the conference. The scam was uncovered after eagle-eyed hackers noticed something wrong with the machine. " …

COMMENTS

This topic is closed for new posts.
  1. Greg Tiernan

    .(untitled)

    Surely it doesn't take a hacker to figure out that they didn't receive the money, or did the machine try to fake some sort of error to throw people off? And are not most ATMs just PCs running some software on top of XP?

  2. Shane 8
    Thumb Up

    GG

    "takes one to catch one"....gg

  3. ChrisC Silver badge

    @Greg Tiernan

    There are a growing number of ATMs in the UK that no longer print a "no cash available" message on the welcome screen, but only let you know they're unable to dish out the folding after you've inserted your card and PIN. If this operating illogic has also started making its way into US ATMs, you wouldn't need to fake anything - you'd just make the fake ATM behave *exactly* the same way as a genuine ATM in a no cash situation...

  4. Anonymous Coward
    Anonymous Coward

    A forensic thought

    Have Defcon or Blackhat ever featured in an episode of CSI? And if not, why not?

  5. Lottie
    Joke

    @David Harley

    Because none of them can solve crimes by simply removing their shades and then putting them back on again.

  6. Anonymous Coward
    Pint

    Hmmm

    I don't think I would wanna piss-off the DefCon Geeks.

    The person or persons that planted that fake ATM, haven't got the police to worry about

    The delegates at DefCon 2009 can look after themselves, I bet they mirrored the hard disk

    if they got access to it, well before informing the police.

    They have lock picking as a funny sideline, then they would just plug in a network cable

    to their VERY HOSTILE network and let the hackers find the perps.

    I'd be really scared, if someone I knew put that machine there.

    I'll have a beer later to toast the DefCon geeks, Loved the 2007 one

    great fun

  7. Stef 4

    Why so soon?

    Wouldn't it have made more sense to wait for the scammers to return and pick up the PC, rather than try to examine the machine? That way they could have actually caught someone.

  8. Brett Leach
    Big Brother

    Re: Why so soon.

    Good chance that the thing was wi-fi enabled or otherwise networked. I certainly would have done that to maximise my 'take' of card details, regardless of whether or not my little toy was rumbled.

  9. Stu
    Black Helicopters

    Anyone stop to think...

    ...that perhaps some DefCon guys were the ones that put the machine in place!? And that some OTHER DefCon guys not in on it discovered the machine and called the feds?

    Like a stunt that went out of control.

    They'd have planned to go on stage talking about ATM theft and controversially demonstrate in exuberant style that they actually recorded real CC numbers and PINs from the security savvy attendants of the conference, whilst of course greying out or pixellating the CC numbers - because they are legit of course, yes, legit.

    Its not like its unprecedented - Wasn't there a quite controversial demo one of the previous conference years where attendees systems were compromised, or personal information stolen, or something? Cant remember - too many El-Reg articles to go back thru!

    .

    Jeez I cant be the only person to think this surely!?

  10. Anonymous Coward
    Anonymous Coward

    @Lottie

    I think that only works in Miami.

  11. call me scruffy
    Stop

    Standalone ATMs are laughable.

    The traditional, bank style ATM is a serious bit of kit, counter intrusion systems, dye packs, mechanised card handling, and robust approaches to cash being retracted into the machine, and account integrity.

    Plug and play ATMs, such as the ones in pubs are total jokes by comparison, remember that case in 2006 when someone was recording the phone line chatter and recovering the card details?

  12. Disco-Legend-Zeke
    Paris Hilton

    Unt the US... beware card slots in gas (er, petrol) pumps.

    Apparently the security on gasoline pumps is rather sparse; i heard on TV that one key opens every pump in las vegas.

    Thus adding a skimmer becomes rather trivial. You are a bit safer paying inside. Safer yet getting cash at your bank ATM and using it to pay for yourl fuel.

    Paris cause she just got a kitty that looks like my last cat.

  13. John Smith 19 Gold badge
    FAIL

    They have to be kidding.

    Putting a dummy ATM near the site of a major conference on computer security?

    Fail written all over it.

  14. Henry Wertz 1 Gold badge

    And even then...

    "There are a growing number of ATMs in the UK that no longer print a "no cash available" message on the welcome screen, but only let you know they're unable to dish out the folding after you've inserted your card and PIN."

    And even then, some are just cheap.. I had one just a few weeks ago short me $20. It ran out of cash, but instead of debiting for the $180 it *could* dispense it took out the full $200. It whirred like crazy to try to get that last $20 too so it "knew" it was out. I'm sure the old "fortress" style ATMs handled this properly -- man what sloppy programming. I had to call the bank, and they credited it back on (and I assume got it back from the owner of the ATM.)

  15. Anonymous Coward
    Linux

    Fishy.....

    It was a little bit too dark, so someone shined a flashlight in there and there was a PC."

    That is what an ATM is. A PC loaded with windows and ATM software. I thought you guys where "smart"?

    But a bodged up ATM wouldnt be able to debit banks accounts. I think this was just a broken real ATM

  16. Dana W
    Happy

    Smart.

    This is about as smart as the guy who robbed the gun store, and walked around a squad car on the way in.............

    "And yes it did happen"

  17. Anonymous Coward
    Grenade

    @zerofool2005

    I believe, Mr. Fool, that the point is that there was *no camera between the window and the PC*, not that there *was* a PC.

    Also, saying "I thought you guys where "smart"" on a forum is really cruising for a bruising.

  18. Rich Davies
    Linux

    RE: Fishy

    I'm sure a room full of hackers can tell the difference between a computerised ATM, and a Personal Computer.

    Like maybe the fact that the 'PC' had a Dell sticker on the front.....

  19. Chris C

    Idiots and more idiots

    First off, there seem to be a number of idiots commenting on this, smugly pointing out that an ATM technically is a PC. Well, duh. The point is that the location where the camera should be was empty. In other words, there was no camera. Tell me -- of the ATMs you use, how many of them are missing the camera and have the PC visible?

    Second, the people who put the ATM at a DefCon conference are idiots.

    Third, the people who used an ATM at a DefCon conference are idiots. What's next, using an ATM at Black Hat? I have no doubt that both of these conferences attract their share of white, grey, and black hats, so trust nothing (and no one). Why ask for trouble?

    Fourth, the hotel/casino staff (especially security) who failed to notice the ATM are idiots.

    Fifth, the hotel/casino owners and management are idiots for not placing (and pointing) cameras at the hotel security entrance. In a hotel/casino, every entrance and exit should have full video coverage (with audio, if possible), and every entrance and exit to/from the security room(s) should have full coverage.

    @zerofool2005 -- "But a bodged up ATM wouldnt be able to debit banks accounts. I think this was just a broken real ATM." -- If it was an ATM without a camera, then no, it's not legitimate. Not to mention the fact that if it was legitimate, the casino management would know it. Your statement only makes sense if you mean "broken" in the sense of "stolen, modified by scammers, and installed at a different location". As for debiting people's bank accounts, most ATM cards are now MC or VISA debit cards. Use the ATM to capture the card data, retrieve that data (either physically or via wireless), and use a separate system to issue capture transactions against the cards.

  20. Simon B
    Grenade

    Why are the powers that be so thick?

    Dumb dumb dumb dumb dumb dumb dumb! Here's a novel idea, leave said machine in place, arrest who collects it, ta daaaaaaa! one criminal caught, not fking difficult is it. So instead the powers that be collect it and nobody has a bloody clue who the criminal is, marvelous policing!

  21. Chris Lewis

    Re: "Why so soon." and "Why are the powers that be so thick?"

    Well, pretty clearly there's no need for them to return if they can send the information they need home.

    I read an interesting comment on a Wired article on this subject from an attendee who suggested there was a legitimate machine directly adjacent that was reporting a network fault. He suspected that the dodgy ATM might have been ferrying back the details over a network connection stolen from the other machine, which seems perfectly reasonable.

  22. Anonymous Coward
    Linux

    Confusing

    This article is damn confusing......

    [quote]The suspected fraud came to light after conference presenter Chris Paget unsuccessfully attempted to withdraw $200 from an ATM at the Rio All-Suite Hotel and Casino last weekend, PC World reports. The ATM "whirred and chugged," according to Paget, but failed to dispense any money. Subsequent checks online revealed that Paget's account had been debited.[/quote]

    This shows that the ATM tried at least to simulate trying to recover money from the cases. And that the ATM actually did a debit upon the account.

    Even if the card info was sent wirelessly to another card. The fraudster is still required to write the data to the magstripe. And go to the atm with the data obtained. And if they are not within 10 yards of the real owner where he tried the card. The anti-fraud systems will flag. They measure timing and distance as protection.

    "Where the camera would be"

    Im guessing hes trying to say a camera on a skimmed ATM?

    @David W

    "I believe, Mr. Fool, that the point is that there was *no camera between the window and the PC*, not that there *was* a PC."

    The article does state that they shone a light in there and saw a PC. But im confused as to how there would be a camera in there?

  23. Anonymous Coward
    Boffin

    @Stef4 - Why so soon? #

    why would they ever go back to the scene of a crime?

    There are ways to access machines using this new stuff called wireless - let me sell you a can sometime.

    either they 'driveby' and collect or it is already online via a nearby access point.

This topic is closed for new posts.