If You’re Going to Scam, Try Doing It Somewhere Not Overrun by Security Experts

This is a rather funny but also scary story. An unknown criminal entity set up a fake ATM at a hotel. The fake ATM was meant to steal credit card numbers and provide them to the controlling entity. Well, the people who set it up probably didn’t realize that Defcon, an event focusing on security, was going to be in town.

Needless to say, a place flooded with security experts meant somebody took note that the ATM didn’t look quite right. After a short investigation they discovered the machine was in fact fraudulent and contacted the police, who took it away.

The scary part here is realizing how sophisticated criminals are becoming. Who would suspect a fake ATM? But all that is needed is to create a casing that looks like an ATM and slap a computer with a card scanner in it, and you have an instant way of harvesting credit card numbers. For bonus points you can put in a cellular data card tied to a stolen account and have the computer inside the machine transfer the credit card numbers to a compromised computer, which in turn will transmit them to the controlling entity.

Of course, creating a fully functional fake ATM isn’t necessary. A simple card reading device can be overlaid on an authentic ATM. When you insert your card, the overlay will read the card number and then feed the card into the ATM. At that point you have no idea your credit card number was recorded by an entity besides the ATM. After a period of time the thief can retrieve the overlay and obtain the recorded credit card numbers. Furthermore, to avoid having to physically retrieve the overlay, the thief could set up some kind of wireless transmitter inside the overlay, which would allow the numbers to be retrieved from a distance.

People trust ATMs because they don’t realize people can make imitations which look real. This seems like a job that would be too expensive and sophisticated for a generic criminal, and hence nobody worries about it. This story should remind everybody that being paranoid isn’t necessarily a bad thing.

Further Research

A Diebold white paper on ATM fraud and security. (PDF)