9/28/2011 11:44 AM ET|
Crooks can buy ATMs on eBay
Beware the stand-alone ATM, which criminals can purchase online and set up in a public spot for stealing people's account information. Even bank ATMs can be made unsafe.
The more I talk to data-security experts, the less technology I want to use. The latest convenience I've given up? Stand-alone ATMs.
If you want to know why, just hop on over to eBay and Craigslist and type in "ATM." Availability varies, but often you can find machines for sale that cost just a few hundred bucks.
Bad guys can buy these, get a computer programmer to rewrite the code and set them up just about anywhere to collect people's card information and PINs. Sometimes the machines actually dispense some cash, but often they're set up just to display an error message -- after stealing your data.
This has been going on for a while now, but a bad economy seems to mean more ATMs are available as more businesses that own them go belly-up. Hence, more opportunities for crooks.
"It's easier to get the ATMs . . . and it doesn't require tremendous programming skills" to set them up, said Avivah Litan, a security expert at consulting firm Gartner Research. "The hardest part is finding the right location."
They might just park it on a sidewalk. Some bolder thieves have tried placing phony ATMs outside bank branches, but they risk getting caught on the bank's video surveillance. Often it's easier to co-opt a store employee or manager.
"At a gas station, for example, the employee or the manager can get a cut for allowing the ATM to be placed there," Litan said. "Collusion tends to be part of this."
The ATM doesn't even need to be real to fool people. When security expert Jim Stickley wanted to test how easy it would be to scam people's account information a few years ago, he decided used ATMs cost too much.
"Real machines were really expensive, over $1,000, so I decided to make my own," said Stickley, the author of "The Truth About Identity Theft" and the chief technology officer of TraceSecurity, a risk management firm. He assembled his machines from 7-foot kiosks he bought used from a college and card readers he bought online for about $20 each.
Stickley deposited two of the machines on Sixth Street in Austin, Texas. The machines were used 42 times by 27 people over five hours, according to the "Today" show, which recorded the experiment. People used the machines even though they could have seen on closer inspection that the machines didn't have a realistic-looking cash dispenser.
"It was basically just a slit," Stickley said. "It wasn't anything close to what could dispense money."
Instead of getting money, people would get an error message. That prompted several people to try repeatedly to get the fake ATMs to spit out cash.
"They would try two or three times . . . so that made sure we had the right code," Stickley said.
Such tales of fake ATMs have me convinced: There's too much risk. That's what Litan decided a while back, too.
"I never use my card anywhere except banks," Litan said.
That's not to say bank ATMs can't be compromised -- far from it. Crooks can put skimmers over the card readers to suck up your data and record your PIN with miniature cameras. Some bad guys don't bother with the ATMs at all, instead putting the skimmer on the key card lock of the door that leads into an ATM.
But security procedures and video surveillance at banks usually mean these skimmers are detected fairly quickly. Still, you'd be smart to practice good ATM hygiene where you go. That means you should:
- Be suspicious of any stand-alone ATM. Yes, there are plenty of legitimate ones, but it can be tough for a layperson to tell which ones feed information to thieves rather than cash to you. You'll definitely want to avoid any ATM that isn't bolted to the side of a building or secured inside a facility. Real ATMs are heavy and have money safes, so they're not going to be easy to move. Also beware of stand-alone ATMs that advertise "no fees," as Stickley's did, since legitimate owners of stand-alone ATMs have to charge fees to make money.
- Avoid bank ATMs if the access door is broken. If you normally have to use your ATM card to unlock a door to get to the ATM and the lock is broken or the door is propped open, don't go in. Someone could have forced open the door to install a skimmer.
- Beware of "out of service" signs. If there are two ATMs and one has an "out of service" sign, it could be legit -- or it could be trying to get you to use the other ATM, which has been compromised.
- Give the card slot a good yank. Put your hand on the slot where your card goes in and give it a push. A real one won't give way, while a skimmer often does. If the card slot looks strange at all, find another ATM.
- Report "malfunctions" immediately. If you get an error message instead of money, contact your bank right away. You're at much greater risk of fraud, Stickley said.
- Monitor your transaction activity. It doesn't matter how busy you are. You can still take a few minutes every week to log on to your accounts and look over your transactions. You'll want to report bogus transactions right away, since your liability for fraud is waived only if you spot the problems within a couple of months.
Liz Weston is the Web's most-read personal-finance writer. She is the author of several books, most recently "The 10 Commandments of Money: Survive and Thrive in the New Economy" (find it on Bing). Weston's award-winning columns appear every Monday and Thursday, exclusively on MSN Money. Join the conversation and send in your financial questions on Liz Weston's Facebook fan page.
VIDEO ON MSN MONEY
Any ATM connected to a processor and bank must be encrypted with special security and in order to have a working ATM, the owner of the ATM must be approved by the bank doing the transaction.
Anyone who would put a card into a non-working ATM sitting on a sidewalk somewhere deserves to be ripped off.
Reread the story, It specifically states that in many cases the crooks partner with clerks or business owners to place the bogus ATM in businesses to appear legit. Or will place them next to real Bank machines and label the Banks "out of order".
But you are correct, if you are that inattentive, you deserve what you get. I only use ATM's at my bank's branches and it isn't BofA, Citi or one of the other MMBs.
Well, now I know why I don't use ATMs, except @ the drive-thru @ my bank every now & then....
Always wondered about those machines that don't belong to a bank....
E-Bay does Not care about it as long as they are getting there money
Just like the Coin Section with all the Fakes from overseas that get sold on there
Dave @ His & Hers Coins
credit you better off you credit only?
Don't give anymore the false information!
Do you think that all of us, we are stupids?
If it don't look right, don't use it.
Copyright © 2013 Microsoft. All rights reserved.
Quotes are real-time for NASDAQ, NYSE and AMEX. See delay times for other exchanges.
Fundamental company data and historical chart data provided by Thomson Reuters (click for restrictions). Real-time quotes provided by BATS Exchange. Real-time index quotes and delayed quotes supplied by Interactive Data Real-Time Services. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by SIX Financial Information.