Feeds

Second-hand ATM trade opens up fraud risk

Craigslist cash machine contains 1,000 card numbers

SANS - Survey on application security programs

Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craiglist, according to an investigation by a US-based security consultant.

Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, was able to buy an ATM machine through Craigslist for $750 from a bar in Boston. The previous owners hadn’t taken the trouble to clear out the data stored by the machines, making it possible for Siciliano to easily extract a log of hundreds of credit and debit card account numbers and transaction details.

There are no regulations in the US on who can own or operate an ATM, so Siciliano was able to make the purchase without any checks. He even managed to knock $250 off the asking price of $1,000. The bar selling the ATM was going through liquidation and also selling pool tables and neon Budweiser signs.

A manual supplied with the machine gave clear instructions on how to access the sensitive data it stored.

Although the names and expiration dates of cards were not included in the logged data, there was still enough information to constitute a serious breach involving more than a thousand records. "Fraudsters might be able to fudge the name and expiration date and create counterfeit cards that could be used at self-service terminals," Siciliano explained.

Most ATM machine operators are affiliated with reputable banks. However, there's very little to stop crooks from purchasing machines and setting them up with skimmers and cameras designed to capture PINs associated with particular cards.

To carry out skimming fraud, crooks use hardware attached to the face of an ATM to record user card information and PIN codes - and that skimming hardware is easily purchased online. Alternatively, a card reader in a purchased cash machine might be blocked off and replaced with hardware that records data without allowing a transaction.

Miscreants might also want to buy machines in order to develop ideas for more sophisticated hacking or malware-based scams.

Siciliano argues that a self-regulation scheme for the cash dispenser machine business was needed. "The payment-processing card industry has PCI which, while imperfect, regulates who can trade as an online merchant. The ATM industry in the US has nothing. Anyone has purchase a cash machine," Siciliano told El Reg.

Pubs or convenience store owners in the US sell hundreds of second-hand cash machines through eBay and Craiglist, according to Siciliano, who reports he had little trouble finding a seller close to home without having the inconvenience of shipping the machine across the US.

Siciliano obtained a license to handle transactions via his machine after sending off a few faxes and making some phone calls. Crooks could still carry out crimes without going through this process by using a purchased machine (powered off a car battery and transformer or an electrical outlet) simply to record bank cards and PINs without processing transactions. Such rogue machines could be placed in a high-traffic location.

The security consultant wants to encourage greater public awareness of the dangers posed by rogue ATM machines fitted with skimmers and how to recognise possible scams. As part of this campaign, Siciliano contacted a local Fox News crew whose report (below) illustrates the risk.

Siciliano got the idea to purchase the ATM, which he bought in late September, after hearing how a machine fitted with a skimmer was placed in the lobby of a hotel hosting the Defcon hacker convention in Vegas. He intends to keep the cash machine as a prop for presentations on the dangers of identity theft. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.