Feeds

Second-hand ATM trade opens up fraud risk

Craigslist cash machine contains 1,000 card numbers

Using blade systems to cut costs and sharpen efficiencies

Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craiglist, according to an investigation by a US-based security consultant.

Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, was able to buy an ATM machine through Craigslist for $750 from a bar in Boston. The previous owners hadn’t taken the trouble to clear out the data stored by the machines, making it possible for Siciliano to easily extract a log of hundreds of credit and debit card account numbers and transaction details.

There are no regulations in the US on who can own or operate an ATM, so Siciliano was able to make the purchase without any checks. He even managed to knock $250 off the asking price of $1,000. The bar selling the ATM was going through liquidation and also selling pool tables and neon Budweiser signs.

A manual supplied with the machine gave clear instructions on how to access the sensitive data it stored.

Although the names and expiration dates of cards were not included in the logged data, there was still enough information to constitute a serious breach involving more than a thousand records. "Fraudsters might be able to fudge the name and expiration date and create counterfeit cards that could be used at self-service terminals," Siciliano explained.

Most ATM machine operators are affiliated with reputable banks. However, there's very little to stop crooks from purchasing machines and setting them up with skimmers and cameras designed to capture PINs associated with particular cards.

To carry out skimming fraud, crooks use hardware attached to the face of an ATM to record user card information and PIN codes - and that skimming hardware is easily purchased online. Alternatively, a card reader in a purchased cash machine might be blocked off and replaced with hardware that records data without allowing a transaction.

Miscreants might also want to buy machines in order to develop ideas for more sophisticated hacking or malware-based scams.

Siciliano argues that a self-regulation scheme for the cash dispenser machine business was needed. "The payment-processing card industry has PCI which, while imperfect, regulates who can trade as an online merchant. The ATM industry in the US has nothing. Anyone has purchase a cash machine," Siciliano told El Reg.

Pubs or convenience store owners in the US sell hundreds of second-hand cash machines through eBay and Craiglist, according to Siciliano, who reports he had little trouble finding a seller close to home without having the inconvenience of shipping the machine across the US.

Siciliano obtained a license to handle transactions via his machine after sending off a few faxes and making some phone calls. Crooks could still carry out crimes without going through this process by using a purchased machine (powered off a car battery and transformer or an electrical outlet) simply to record bank cards and PINs without processing transactions. Such rogue machines could be placed in a high-traffic location.

The security consultant wants to encourage greater public awareness of the dangers posed by rogue ATM machines fitted with skimmers and how to recognise possible scams. As part of this campaign, Siciliano contacted a local Fox News crew whose report (below) illustrates the risk.

Siciliano got the idea to purchase the ATM, which he bought in late September, after hearing how a machine fitted with a skimmer was placed in the lobby of a hotel hosting the Defcon hacker convention in Vegas. He intends to keep the cash machine as a prop for presentations on the dangers of identity theft. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.