Entries Tagged "ATMs"

Page 4 of 4

Programming ATMs to Believe $20 Bills Are $5 Bills

Clever attack:

Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.

He then made off with an undisclosed amount of cash.

No one noticed until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.

Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.

The man then punched a series of numbers on the machine’s keypad, breaking the security code. The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.

The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.

What’s weird is that it seems that this is easy. The ATM is a Tranax Mini Bank 1500. And you can buy the manuals from the Tranax website. And they’re useful for this sort of thing:

I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:

  • Instructions on how to enter the diagnostic mode
  • Default passwords

  • Default Combinations For the Safe

Do not ask me for them. If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately.

This is from an eWeek article:

“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said.

Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company’s Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

So, as long as you can use an account that’s not traceable back to you, and you disguise yourself for the ATM cameras, this is a pretty easy crime.

eWeek claims you can get a copy of the manual simply by Googling for it. (Here’s one on eBay.

And Tranax is promising a fix that will force operators to change the default passwords. But honestly, what’s the liklihood that someone who can’t be bothered to change the default password will take the time to install a software patch?

EDITED TO ADD (9/22): Here’s the manual.

Posted on September 22, 2006 at 7:04 AMView Comments

Interview with a Debit Card Scammer

Podcast:

We discuss credit card data centers getting hacked; why banks getting hacked doesn’t make mainstream media; reissuing bank cards; how much he makes cashing out bank cards; how banks cover money stolen from credit cards; why companies are not cracking down on credit card crimes; how to prevent credit card theft; ATM scams; being “legit” in the criminal world; how he gets cash out gigs; getting PINs and encoding blank credit cards; how much money he can pull in a day; e-gold; his chances of getting caught; the best day to hit the ATMs; encrypting ICQ messages.

Posted on June 5, 2006 at 6:23 AMView Comments

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the register: “Your purchase free if you don’t get a receipt”? You almost certainly didn’t see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.

If you’re a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner — who was presumably elsewhere in the store — that an employee was handling money.

The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it’s impossible to insert or delete transactions. It’s an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register. Any discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of course. But that’s not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn’t care one way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up a sign saying “Your purchase free if you don’t get a receipt,” the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

“When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks’ agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn’t care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses–most of the fraud actually was not the cardholder’s fault–while in the UK, the banks did nothing.”

The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn’t until the UK courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don’t have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They’ll align interest with capability, and they’ll improve software security.

One last story… In Italy, tax fraud used to be a national hobby. (It may still be; I don’t know.) The government was tired of retail stores not reporting sales and paying taxes, so they passed a law regulating the customers. Any customer having just purchased an item and stopped within a certain distance of a retail store, has to produce a receipt or they would be fined. Just as in the “Your purchase free if you don’t get a receipt” story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn’t work very well. Customers, especially tourists, didn’t like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn’t guard merchants wasn’t as effective an enticement as offering people a reward if they didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful how you generate interest.

This essay originally appeared on Wired.com.

Posted on June 1, 2006 at 6:27 AMView Comments

Triple-DES Upgrade Adding Insecurities?

It’s a provocative headline: “Triple DES Upgrades May Introduce New ATM Vulnerabilities.” Basically, at the same time they’re upgrading their encryption to triple-DES, they’re also moving the communications links from dedicated lines to the Internet. And while the protocol encrypts PINs, it doesn’t encrypt any of the other information, such as card numbers and expiration dates.

So it’s the move from dedicated lines to the Internet that’s adding the insecurities.

Posted on April 17, 2006 at 6:48 AMView Comments

Blowing Up ATMs

In the Netherlands, criminals are stealing money from ATMs by blowing them up (article in Dutch). First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas — from a safe distance — and clean up the money that flies all over the place after the ATM explodes.

Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.

Posted on March 10, 2006 at 12:26 PMView Comments

More on the ATM-Card Class Break

A few days ago, I wrote about the class break of Citibank ATM cards in Canada, the UK, and Russia. This is new news:

With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.

Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.

The central question surrounding the new wave of crime is this: How did the thieves managed to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.

Read the whole article. Details are emerging slowly, but there’s still a lot we don’t know.

EDITED TO ADD (3/11): More info in these four articles.

Posted on March 9, 2006 at 3:51 PMView Comments

Class Break of Citibank ATM Cards

There seems to be some massive class break against Citibank ATM cards in Canada, the UK, and Russia. I don’t know any details, but the story is interesting. More info here.

EDITED TO ADD (3/6): More info here, here, here, and here.

EDITED TO ADD (3/7): Another news article.

From Jake Appelbaum: “The one unanswered question in all of this seems to be: Why is the new card going to have any issues in any of the affected countries? No one from Citibank was able to provide me with a promise my new card wouldn’t be locked yet again. Pretty amazing. I guess when I get my new card, I’ll find out.

EDITED TO ADD (3/8): Some more news.

Posted on March 6, 2006 at 2:44 PMView Comments

ATM Fraud and British Banks

An absolutely great story about phantom ATM withdrawals and British banking from the early 90s. (The story is from the early 90s; it has just become public now.) Read how a very brittle security system, coupled with banks using the legal system to avoid fixing the problem, resulted in lots of innocent people losing money to phantom withdrawals. Read how lucky everyone was that the catastrophic security problem was never discovered by criminals. It’s an amazing story.

See also Ross Anderson’s page on phantom withdrawals.

Oh, and Alistair Kelman assures me that he did not charge 1,750 pounds per hour, only 450 pounds per hour.

Posted on October 24, 2005 at 7:16 AMView Comments

Identity Theft out of Golf Lockers

When someone goes golfing in Japan, he’s given a locker in which to store his valuables. Generally, and at the golf course in question, these are electronic combination locks. The user selects a code himself and locks his valuables. Of course, there’s a back door — a literal one — to the lockers, in case someone forgets his unlock code. Furthermore, the back door allows the administrator of these lockers to read all the codes to all the lockers.

Here’s the scam: A group of thieves worked in conjunction with the locker administrator to open the lockers, copy the golfers’ debit cards, and replace them in their wallets and in their lockers before they were done golfing. In many cases, the golfers used the same code to lock their locker as their bank card PIN, so the thieves got those as well. Then the thieves stole a lot of money from multiple ATMs.

Several factors make this scam even worse. One, unlike the U.S., ATM cards in Japan have no limit. You can literally withdraw everything out of the account. Two, the victims don’t know anything until they find out they have no money when they use their card somewhere. Three, the victims, since they play golf at these expensive courses, are
usually very rich. And four, unlike the United States, Japanese banks do not guarantee loss due to theft.

Posted on March 1, 2005 at 9:20 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.