Feeds

Second-hand ATM trade opens up fraud risk

Craigslist cash machine contains 1,000 card numbers

SANS - Survey on application security programs

Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craiglist, according to an investigation by a US-based security consultant.

Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, was able to buy an ATM machine through Craigslist for $750 from a bar in Boston. The previous owners hadn’t taken the trouble to clear out the data stored by the machines, making it possible for Siciliano to easily extract a log of hundreds of credit and debit card account numbers and transaction details.

There are no regulations in the US on who can own or operate an ATM, so Siciliano was able to make the purchase without any checks. He even managed to knock $250 off the asking price of $1,000. The bar selling the ATM was going through liquidation and also selling pool tables and neon Budweiser signs.

A manual supplied with the machine gave clear instructions on how to access the sensitive data it stored.

Although the names and expiration dates of cards were not included in the logged data, there was still enough information to constitute a serious breach involving more than a thousand records. "Fraudsters might be able to fudge the name and expiration date and create counterfeit cards that could be used at self-service terminals," Siciliano explained.

Most ATM machine operators are affiliated with reputable banks. However, there's very little to stop crooks from purchasing machines and setting them up with skimmers and cameras designed to capture PINs associated with particular cards.

To carry out skimming fraud, crooks use hardware attached to the face of an ATM to record user card information and PIN codes - and that skimming hardware is easily purchased online. Alternatively, a card reader in a purchased cash machine might be blocked off and replaced with hardware that records data without allowing a transaction.

Miscreants might also want to buy machines in order to develop ideas for more sophisticated hacking or malware-based scams.

Siciliano argues that a self-regulation scheme for the cash dispenser machine business was needed. "The payment-processing card industry has PCI which, while imperfect, regulates who can trade as an online merchant. The ATM industry in the US has nothing. Anyone has purchase a cash machine," Siciliano told El Reg.

Pubs or convenience store owners in the US sell hundreds of second-hand cash machines through eBay and Craiglist, according to Siciliano, who reports he had little trouble finding a seller close to home without having the inconvenience of shipping the machine across the US.

Siciliano obtained a license to handle transactions via his machine after sending off a few faxes and making some phone calls. Crooks could still carry out crimes without going through this process by using a purchased machine (powered off a car battery and transformer or an electrical outlet) simply to record bank cards and PINs without processing transactions. Such rogue machines could be placed in a high-traffic location.

The security consultant wants to encourage greater public awareness of the dangers posed by rogue ATM machines fitted with skimmers and how to recognise possible scams. As part of this campaign, Siciliano contacted a local Fox News crew whose report (below) illustrates the risk.

Siciliano got the idea to purchase the ATM, which he bought in late September, after hearing how a machine fitted with a skimmer was placed in the lobby of a hotel hosting the Defcon hacker convention in Vegas. He intends to keep the cash machine as a prop for presentations on the dangers of identity theft. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.