9/28/2011 11:44 AM ET
Crooks can buy ATMs on eBay
Beware the stand-alone ATM, which criminals can purchase online and set up in a public spot for stealing people's account information. Even bank ATMs can be made unsafe.
The more I talk to data-security experts, the less technology I want to use. The latest convenience I've given up? Stand-alone ATMs.
If you want to know why, just hop on over to eBay and Craigslist and type in "ATM." Availability varies, but often you can find machines for sale that cost just a few hundred bucks.
Bad guys can buy these, get a computer programmer to rewrite the code and set them up just about anywhere to collect people's card information and PINs. Sometimes the machines actually dispense some cash, but often they're set up just to display an error message -- after stealing your data.
This has been going on for a while now, but a bad economy seems to mean more ATMs are available as more businesses that own them go belly-up. Hence, more opportunities for crooks.
"It's easier to get the ATMs . . . and it doesn't require tremendous programming skills" to set them up, said Avivah Litan, a security expert at consulting firm Gartner Research. "The hardest part is finding the right location."
They might just park it on a sidewalk. Some bolder thieves have tried placing phony ATMs outside bank branches, but they risk getting caught on the bank's video surveillance. Often it's easier to co-opt a store employee or manager.
"At a gas station, for example, the employee or the manager can get a cut for allowing the ATM to be placed there," Litan said. "Collusion tends to be part of this."
The ATM doesn't even need to be real to fool people. When security expert Jim Stickley wanted to test how easy it would be to scam people's account information a few years ago, he decided used ATMs cost too much.
"Real machines were really expensive, over $1,000, so I decided to make my own," said Stickley, the author of "The Truth About Identity Theft" and the chief technology officer of TraceSecurity, a risk management firm. He assembled his machines from 7-foot kiosks he bought used from a college and card readers he bought online for about $20 each.
Stickley deposited two of the machines on Sixth Street in Austin, Texas. The machines were used 42 times by 27 people over five hours, according to the "Today" show, which recorded the experiment. People used the machines even though they could have seen on closer inspection that the machines didn't have a realistic-looking cash dispenser.
"It was basically just a slit," Stickley said. "It wasn't anything close to what could dispense money."
Instead of getting money, people would get an error message. That prompted several people to try repeatedly to get the fake ATMs to spit out cash.
"They would try two or three times . . . so that made sure we had the right code," Stickley said.
Such tales of fake ATMs have me convinced: There's too much risk. That's what Litan decided a while back, too.
"I never use my card anywhere except banks," Litan said.
That's not to say bank ATMs can't be compromised -- far from it. Crooks can put skimmers over the card readers to suck up your data and record your PIN with miniature cameras. Some bad guys don't bother with the ATMs at all, instead putting the skimmer on the key card lock of the door that leads into an ATM.
But security procedures and video surveillance at banks usually mean these skimmers are detected fairly quickly. Still, you'd be smart to practice good ATM hygiene wherever you go. That means you should:
- Be suspicious of any stand-alone ATM. Yes, there are plenty of legitimate ones, but it can be tough for a layperson to tell which ones feed information to thieves rather than cash to you. You'll definitely want to avoid any ATM that isn't bolted to the side of a building or secured inside a facility. Real ATMs are heavy and have money safes, so they're not going to be easy to move. Also beware of stand-alone ATMs that advertise "no fees," as Stickley's did, since legitimate owners of stand-alone ATMs have to charge fees to make money.
- Avoid bank ATMs if the access door is broken. If you normally have to use your ATM card to unlock a door to get to the ATM and the lock is broken or the door is propped open, don't go in. Someone could have forced open the door to install a skimmer.
- Beware of "out of service" signs. If there are two ATMs and one has an "out of service" sign, it could be legit -- or it could be trying to get you to use the other ATM, which has been compromised.
- Give the card slot a good yank. Put your hand on the slot where your card goes in and give it a push. A real one won't give way, while a skimmer often does. If the card slot looks strange at all, find another ATM.
- Report "malfunctions" immediately. If you get an error message instead of money, contact your bank right away. You're at much greater risk of fraud, Stickley said.
- Monitor your transaction activity. It doesn't matter how busy you are. You can still take a few minutes every week to log on to your accounts and look over your transactions. You'll want to report bogus transactions right away, since your liability for fraud is waived only if you spot the problems within a couple of months.
Liz Weston is the Web's most-read personal-finance writer. She is the author of several books, most recently "The 10 Commandments of Money: Survive and Thrive in the New Economy." Weston's award-winning columns appear every Monday and Thursday, exclusively on MSN Money. Join the conversation and send in your financial questions on Liz Weston's Facebook fan page.
Also in terms of security, there are two parts to the system. The first is the security of the card, and the second is the security of the transaction from the ATM to the bank.
There is absolutely no security on a mag stripe. It is merely the data on the card that can be read and re-written to another card with great ease.
The second part is a real ATM making a request of a bank's computer. This is where the security is actually implemented, but it does not need to happen in a fake ATM. There is no need for the fake ATM to even go anywhere to "ask" if it is OK to dispense the cash.
Therefore a fake ATM could read the card, accept a PIN and dispense the requested amount of cash without any security needs at all. All that needs to be done is read the card data, and PIN. Log that data, and dispense the cash. Later on, the scammer takes the captured data, and makes new cards with the data from the real card, and uses it in a real ATM to withdraw cash.
It is very easy to get someone's card info from the card. There are three tracks on a mag card, and the card readers are less than $20 to be able to read that info. Once you have that info, and the PIN code, you can make a card with that info and take money out of an account without issue.
I have a card writer that I purchased for a project years ago, and did a test. I took one of my current debit cards, and read the mag stripe data from it. I then wrote that mag stripe data to a hotel room key that I had. It took me less than 10 seconds to do this. I then put the newly written card into an ATM at my bank, and withdrew cash without incident from my own account. There is no security on a mag stripe. It is merely the account info.
In the case of a "fake" ATM, I can see stupid people using the machine, and the machine accepting a PIN code and logging that info. Then you take that info, and write a new blank card and withdraw cash without issue.
What the USA needs is what Europe has moved to, which is smart cards. The cards have a proximity reader with data on it which cannot be written at all. There is no way someone can produce a copy of a smart card since it cannot be written.
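The comments above describe magnetic-stripe data as plain, readable account data. As an added example (not part of the article or the reader comments), the Python below puts that fact to defensive use: because Track 2 has a fixed layout, a scanner can find stripe data that was wrongly stored in a log and mask it. The log lines, field names and the card number (a widely published test number) are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines):
    """Return one finding per Luhn-valid Track 2 record, never the full PAN."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2.finditer(line):
            pan, expiry, service, _ = m.groups()
            if luhn_ok(pan):
                findings.append({
                    "line": lineno,
                    "pan": mask(pan),
                    "expiry_yymm": expiry,
                    # Service codes starting with 2 or 6 mark a card that also has a chip.
                    "chip_card": service[0] in "26",
                })
    return findings

def redact(line):
    """Replace stored stripe data with a masked marker so the log stays usable."""
    def repl(m):
        return f";{mask(m.group(1))}=[REDACTED]?" if luhn_ok(m.group(1)) else m.group(0)
    return TRACK2.sub(repl, line)

# Constructed sample: a terminal debug log that wrongly captured raw reader output.
SAMPLE_LOG = [
    "2011-09-28 11:02:10 terminal=07 event=card_inserted",
    "2011-09-28 11:02:17 terminal=07 reader_raw=;4111111111111111=1512201000000? status=ERR",
    "2011-09-28 11:02:40 terminal=07 ref=;1234567890123456=99991230? note=not_a_card",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(redact(SAMPLE_LOG[1]))
```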
- More fear mongering....... keep the propaganda going there is a whole lot of people that will swallow such crap!!
SCIENCE IS SELF-DESTRUCTING----AND IT WILL TAKE US ALL WITH IT.
The best way to handle a hacker is a 10 inch hat pin stuck in their left ear till
it comes out their right ear, or thereabouts.
And what the hell is our lazy assed law system doing about this??? I think they are getting
a cut of the take......happened in the 30's. The idea a fake ATM can be bought thru
the monster or the computer, is beyond reason----where can I buy an AK-47 for $50
by the way Mr Allen, I will name my price. It will be far more than monetary for what you did. Just for what you did to my children using teachers at their schools.
For the rest of eternity your name is going to be remembered for what you are...
I am sure tho you will be able to get a judge to help you out...But make sure you use the lawyers in level 1 363 king street won't you...after all you THINK you are the king of Australia, would you like me to list all your queens....no I better not. After all a rich man such as yourself, I mean what's a woman like me against someone like you and your whores.
History will tell what sort of a man you were mr allen, along with your whores.
I put a small white sticker over the three digit number on the back of my card, it still works in the card reader at the store but nobody can read the number unless they peel off the sticker and I'd know they did it. Also I use a pre-paid card if I make purchases on the internet also when I'm out of town because it's easier to keep track of by phone and it only has enough cash to cover my immediate expenses.
I think we need to do away with the cards and go back to good old fashion cash. Credit and Debit cards have been a pain in a lot of people's asses since they were created.
Yeah that sounds great on paper, so to speak, doesn't it? Well think about it...
1) You are not nearly as consumer protected when you buy something with cash as you are with a credit card. And how are you going to buy something online with cash? Really?
2) Do you really want to deal with carrying pennies, nickels, dimes, quarters, and bills every where you go? Do you want to stand in grocery store lines and retail store lines having to wait for everyone in front of you dealing with fumbling around for cash and breaking out coins to round up the dollar or spend time writing a check and going through that hassle? And would you rather have a credit/debit card stolen from you during a robbery that you can immediately call and cancel or have cash stolen that you'll never see again? Really?
3) This relates to #2: I don't have excess coins laying around from cash transactions at stores cluttering up my drawers from cash transactions that are better used in an interest bearing checking/debit card account. I know people that have hundreds of dollars in pennies, nickels, dimes, and quarters in jars and boxes because they just allowed them to accumulate and never bothered with the hassle to roll them and deposit them throughout the years.
4) Most of the "pain" from people using credit cards and debit cards (more so credit cards here) is that they were too incompetent and not disciplined enough to handle the responsibility of them. It wasn't INSTANT cash out of their pockets, so they didn't feel the pain...until the monthly statement showed up.
Yeah, I'll take my debit card for everyday transactions like the grocery store and a credit card for larger retail transactions over $100 or so, thanks.
On eBay I just saw a few ATMs that cost only $500! The very first one at the top of the list is one of them!
awesome, now let's tell all the scammers out there even more ways to fraud people out of their money ..... b/c I'm sure the guy whose credit card was used, with my email address ... sent to another person in a different state will be happy when he gets an $1,100 credit card bill for the computer he didn't purchase from O ..... glad to be an American!
Sadly, those who would be up to no good (as well as the computer security guys), would already know more than the average consumer does, about how to scam people. And along those lines, things can be observed to a greater degree than many people know.
For instance, if one's sitting at work, and they're using a network which happens to go through hubs (though more are becoming switched networks these days, and yet even that has workarounds), someone sitting in the office down the hall can be running an IP sniffer on their computer, which puts their network card into promiscuous mode. And filtering through the data packets sent to/from another computer, where people were still using plain text protocols like telnet and ftp, they could assemble what the computer user was typing into these programs, and reconstruct the activity log, words sent, etc.
I'm serious when I say that when I was taking network topologies in college, one of the test questions was:
Get out IP sniffer. Capture a telnet password. Show me you can do this for credit.
I couldn't help but laugh when I read the test question. The teacher said he just wanted to make sure the class could use IP sniffer. Now needless to say, I've used SSH ever since, to hell with telnet, if I can capture the passwords.... Now encryption (and it's a good thing banks use encryption), there's a level of protection against this, they'd intercept the thing in code. But if someone could crack it, while someone is logging into online banking.... Keyloggers are also a concern people should have, which is a good reason people should have good AV software, not all do.
It gets worse than even that however, because network cables are unshielded. And one thing the CIA among others is well aware of, this thing they call tempest. It's possible with the right equipment, to detect the electro-magnetic emanations that are radiated off an unshielded cable, and decipher it at a distance, to detect the stream of data going over the cable. Someone sitting out in a truck could do it, if they have the right skills, equipment, and know-how. Which is of course how such possibilities enter into the consideration of people at the CIA, the NSA, etc. It might be sad however, but is also true, that those who can be up to no good however, can already be more aware, and more savvy than the typical user of technology. No one for instance had to inform the creators of the Conficker worm, that such possibilities exist. Actually it was many of the security people who had to do the research to piece together what was going on, and try to combat it. On the upside though, there are also ways that a network card going into promiscuous mode can be detected, so in a secure environment, when one loads an IP sniffer, it isn't necessarily non-detectable.