Entries Tagged "ATMs"

Page 2 of 4

Really Clever Bank Card Fraud

This is a really clever social engineering attack against a bank-card holder:

It all started, according to the police, on the Saturday night where one of this gang will have watched me take money from the cash point. That’s the details of my last transaction taken care of. Sinister enough, the thought of being spied on while you’re trying to enjoy yourself at a garage night at the Buffalo Bar, but not the worst of it.

The police then believe I was followed home, which is how they got my address.

As for the call: well, credit where it’s due, it’s pretty clever. If you call a landline it’s up to you to end the call. If the other person, the person who receives the call, puts down the receiver, it doesn’t hang up, meaning that when I attempted to hang up to go and find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call “the bank”. As I did this, he played a dial tone down the line, and then a ring tone, making me think it was a normal call.

I thought this phone trick doesn’t work any more. It doesn’t work at my house — I just tried it. Maybe it still works in much of the UK.

Posted on July 30, 2013 at 7:33 AMView Comments

Advances in Attacking ATMs

Cash traps and card traps are the new thing:

[Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.

“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country ­ despite warning messages that appear on the ATM screen or are displayed on the ATM fascia ­ customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale transactions.”

More descriptions, and photos of the devices, in the article.

Posted on November 29, 2012 at 4:36 PMView Comments

Another ATM Theft Tactic

This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint.

It’s hardly a technology-related attack. But from what I know about ATMs, the security of the money safe inside the machine is separate from the security of the rest of the machine. So it seems that the repair technicians might be given access to only the machine but not the safe inside.

Posted on October 31, 2011 at 8:18 AMView Comments

A Professional ATM Theft

Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year:

KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period.

Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

This reminds me of the RBS WorldPay theft from a couple of years ago.

Posted on September 2, 2011 at 6:38 AMView Comments

Stealing ATM PINs with a Thermal Camera

It’s easy:

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn’t work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that’s a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.

Paper here. More articles.

Posted on August 24, 2011 at 7:13 AMView Comments

Organized Crime in Ireland Evolves As Security Increases

The whole article is interesting, but here’s just one bit:

The favoured quick-fix money-making exercise of the average Irish organised crime gang had, for decades, been bank robberies. But a massive investment by banks in branch security has made the traditional armed hold-up raids increasingly difficult.

The presence of CCTV cameras in most banks means any raider would need to be masked to avoid being identified. But security measures at the entrances to many branches, where customers are admitted by staff operating a buzzer, say, means masked men can now not even get through the door.

By the middle of the last decade, cash-in-transit vans delivering money to ATMs were identified by gangs as the weak link in the banks’ operations. This gave rise to a huge number of armed hold-ups on the vans.

However, in recent years the cash-in-transit companies have followed the example of the banks and invested heavily in security technology. Most vans carrying money are now heavily protected by timing devices on safes in the back of the vans, with staff having access to only limited amounts of cash at specific times to facilitate their deliveries.

These security measures have led to a steady decline in robberies on such vans in the past five years.

But having turned from bank robberies to armed hold-ups on cash vans, organised crime gangs have once again changed tack and are now engaging in robberies with hostage-taking.

Known as “tiger raids”, the robberies involve an organised crime gang kidnapping a family member or loved one of a person who has access to cash because of their work in a bank or post office.

Family members are normally taken away at gunpoint, threatened with being shot and or held until the bank or post-office worker goes to their work place, takes a ransom sum and leaves it for the gang at a prearranged drop-off point.

The Garda has worked closely with the main banks in agreeing protocols for such incidents. The main element of that agreement is that banks will not let money leave a branch, no matter how serious the hostage situation, until gardaí have been notified. A reaction operation can then be put in place to try and catch the gang as they collect the ransom.

These protocols have been relatively successful and seem to be deterring tiger raids targeting bank workers.

However, gangs are now increasingly targeting post offices in the belief that security protocols and equipment such as safes are not as robust as in the banking sector.

Most of the tiger raids now occurring are targeting post-office staff, usually in rural areas.

The latest raid occurred just last week, when more than €100,000 was taken from a post office in Newcastle West, Co Limerick, when the post mistress’s adult son was kidnapped at gunpoint and released unharmed when the ransom was paid.

Posted on July 8, 2011 at 6:19 AMView Comments

Hacking ATM Users by Gluing Down Keys

Clever hack:

The thieves glue down the “enter,” “cancel” and “clear” buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account.

The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use the ATM touchscreen to finish their transaction, or become nervous when the keypad isn’t working and react by leaving the ATM unattended….

Posted on March 17, 2011 at 6:50 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.