Feeds

Second-hand ATM trade opens up fraud risk

Craigslist cash machine contains 1,000 card numbers

The Essential Guide to IT Transformation

Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craiglist, according to an investigation by a US-based security consultant.

Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, was able to buy an ATM machine through Craigslist for $750 from a bar in Boston. The previous owners hadn’t taken the trouble to clear out the data stored by the machines, making it possible for Siciliano to easily extract a log of hundreds of credit and debit card account numbers and transaction details.

There are no regulations in the US on who can own or operate an ATM, so Siciliano was able to make the purchase without any checks. He even managed to knock $250 off the asking price of $1,000. The bar selling the ATM was going through liquidation and also selling pool tables and neon Budweiser signs.

A manual supplied with the machine gave clear instructions on how to access the sensitive data it stored.

Although the names and expiration dates of cards were not included in the logged data, there was still enough information to constitute a serious breach involving more than a thousand records. "Fraudsters might be able to fudge the name and expiration date and create counterfeit cards that could be used at self-service terminals," Siciliano explained.

Most ATM machine operators are affiliated with reputable banks. However, there's very little to stop crooks from purchasing machines and setting them up with skimmers and cameras designed to capture PINs associated with particular cards.

To carry out skimming fraud, crooks use hardware attached to the face of an ATM to record user card information and PIN codes - and that skimming hardware is easily purchased online. Alternatively, a card reader in a purchased cash machine might be blocked off and replaced with hardware that records data without allowing a transaction.

Miscreants might also want to buy machines in order to develop ideas for more sophisticated hacking or malware-based scams.

Siciliano argues that a self-regulation scheme for the cash dispenser machine business was needed. "The payment-processing card industry has PCI which, while imperfect, regulates who can trade as an online merchant. The ATM industry in the US has nothing. Anyone has purchase a cash machine," Siciliano told El Reg.

Pubs or convenience store owners in the US sell hundreds of second-hand cash machines through eBay and Craiglist, according to Siciliano, who reports he had little trouble finding a seller close to home without having the inconvenience of shipping the machine across the US.

Siciliano obtained a license to handle transactions via his machine after sending off a few faxes and making some phone calls. Crooks could still carry out crimes without going through this process by using a purchased machine (powered off a car battery and transformer or an electrical outlet) simply to record bank cards and PINs without processing transactions. Such rogue machines could be placed in a high-traffic location.

The security consultant wants to encourage greater public awareness of the dangers posed by rogue ATM machines fitted with skimmers and how to recognise possible scams. As part of this campaign, Siciliano contacted a local Fox News crew whose report (below) illustrates the risk.

Siciliano got the idea to purchase the ATM, which he bought in late September, after hearing how a machine fitted with a skimmer was placed in the lobby of a hotel hosting the Defcon hacker convention in Vegas. He intends to keep the cash machine as a prop for presentations on the dangers of identity theft. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.