Second-hand ATM trade opens up fraud risk Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craiglist, according to an investigation by a US-based security consultant. Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, was able to buy an ATM machine through Craigslist for …
Given the number of ATMs installed in private venues, and the tendency of such machines to be considered part of the 'furniture' when a venue goes bust, I wonder how easy it would be to:
1] Buy an ATM at the Official Receiver's auction. For low values of silly-money.
2] Install it at a new, high-traffic venue [think shopping-mall or gas-station]
3] Repurpose it to accept-and-record a mark's card-and-PIN details but then say something innocuous like "Can't service your request - I am out of £20 and £20 notes - please try another ATM"
The rest should be obvious to even room-temperature-IQ types.....
If one 'owns' (in both senses of the word) the entire ATM, then one doesn't need to fit a card skimmer and pin code capture camera . The victim provides both the card margnetic stripe, and the pin code. One only needs to intercept these signals internally - the magnetic stripe data in its raw form, and the associated pin code read from the keypad. This data can be stored on removeable media, or transmitted to a safe location.
When you interact with an ATM, you're providing both your magnetic stripe data and pin code. You have to trust the machine. ATMs that are embedded into the wall of a large and impressive bank building are probably safe. Those that are in the back of a pub could be 'owned' by anyone.
Modern ATMs do NOT, I repeat *NOT* store the full ATM number. They haven't for at least 2 years now, specifically to avoid this kind of thing.
Further, to register on a network the machine would have to have new DES keys entered. If the gentleman could do that with "just a few faxes and phone calls" then VISA would be very interested in talking to the people he contacted--and putting them out of business.
VISA has Views on such matters, you see. Views with hobnailed boots, extreme prejudice and lawyers who can extract hundreds of thousands in fines *per violation*.
One of my responsibilities at work is to be the head key custodian for our DES keys. Trust me, setting up an ATM on a network involves a huge number of checks and balances. Dual control safes, no one person ever sees both halves of the DES Keys, dual control at installation time, three witnesses to the DES key once the convelope has been opened--it's a pain in the butt.
Anyone caught not doing it that way is out of business--and that's just the beginning of their pain. So by all means let the gentleman contact VISA.
We'd all be better off!
While raising awareness is a good thing, Seciliano’s argument that a “self-regulation scheme” is needed is a non-starter. In the USA the backend processors of payment cards can be counted on one hand and they have the clout to enforce standards to those downlevel to them – whereas with ATM’s you have THOUSANDS of banks.
Even at that, the strictest requirements that any self-regulation could put in place would do absolutely nothing to stop criminals from applying their trade. They are already committing federal crimes, why would they have even the slightest concern about following some trade organization’s guidelines?
While the government _COULD_ put in some regulations on ATM’s that have some teeth, previous attempts in congress have been shot down because the lawmakers misunderstand WHY there are so many independent ATMs out there – the answer to which is actually simple: People want convenience and they are more than willing to pay extra for the service, even while they complain about it.
When it comes to independent ATMs you take your chances – I certainly don’t use them.
Attempts to regulate them will drive up the costs, which will be directly passed on to the consumer causing even more grief. When the costs get too high and people stop using them, the independent operators will exit the business and the proliferation of ATM’s across the small stores, gas stations, bars, etc. will cease and people will have to actually go to the bank to transact their banking business again. I don’t see that as a bad thing, but now that many banks even charge “teller fees” if you go to a teller window people are still going to complain about the added costs and inconvenience.
Quick google search ("own your own ATM"):
http://www.mobilemoney.net/makingmoney.htm
I'm sure there's some background checks required and such, but still...
People are making money on placing ATMs they rent themselves in public places, and share a percentage of the ATM fees they charge users because it's an ATM not in their own bank's network...
So i'm sure it's possible to own your own ATM, mess with it, and indeed display a simple message like the one displayed in one of the earlier postings.
I'm making it a point not to get any money using these machines, that's for sure...
I appreciate that you appear to be more familiar with this process, but at the level this guy's talking, I don't think it needs to be that complicated. His could get the full PIN number just by using a hardware key logger on the keypad itself, regardless of what the ATM software does. I don't think he would go through the hassle of trying to connect it to the network either - as someone else pointed out, an innocous error message would do the trick. So card is inserted, pin number entered, then an error displayed that a connection to the cardholders bank systems could not be established. Card is returned and user walks away. Meanwhile, all details have been recorded for nefarious use.
That should be, Rogue ATMS which *are* skimmers. ATMs operated by organised crime.
I worked this risk out very many years ago, and never use an ATM that's not installed in the wall of a bank. Who knows what modifications have been made to the innards of the ones in service stations and clubs?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
