Sister CISA CISSP:

Automatic Theft Machines

Jun 19 2009   2:05PM GMT

ATMs that just spit out money - Nice!



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, ATM Security

As you may know, one of my favorite posting topics has to do with ATMs. I call them Automatic Theft Machines because there are way too many stories of equipment being hacked, and/or swiping hardware being installed, or people just driving away with them.

Well, along comes a story about the progression of this issue: In Eastern Europe, the bad guys have perfected the art of getting the machine to spit out all its money on demand.

According to the article (linked above), authorities say there must be some sort of inside access to allow software to be installed. The article claims that after unlocking the security, the inside equipment is quite vulnerable.

Hmmm, hard on the outside, yummy and soft on the inside….where have we heard that before? And something else interesting to note: many of the ATMs appear to be Diebolds; the same company that makes voting machines for us……and was implicated in another attack earlier this year, also in Eastern Europe.

The ATMs utilize a scaled down version of Windows XP, which actually doesn’t make me feel any better at all.

Apr 15 2009   7:01PM GMT

The Beginning of the End for PIN Codes



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, PCI DSS, Security Devices

Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: hackers were able to cash in on stolen debit cards because they had a way to crack PINs.

This “minor detail” was buried in an affidavit last year, but Wired has put it together with some other information afloat on the NET, and the article is a really good read on what happens to your PIN from your debit card as it transits various networks to receive approval. Your PIN gets decrypted and re-encrypted by a Hardware Security Module (HSM) each time it transits a network. Lots of opportunities for capture with the help of an insider or some sniffing malware.

“While statistically not a large percentage…in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” says the report. “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.”

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

Ouch.

Clearly, PIN-based authentication has been cracked, and will be cracked more and more. Leave your debit card at home and Pay Cash Instead.


Mar 9 2009   11:59PM GMT

ATM Heists Grow in 2007 and 2008



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, PCI DSS

A story on Wired came out recently about a $9 million ripoff of RBS WorldPay. Further reading on Wired led me to articles about, variously, a cracking of an ATM network in 7-Eleven stores that linked to Citibank, iWire cash payment cards, and Direct Cash management cards.

It seems that the bad folks are cracking ATMs and cash/debit/gift cards MUCH faster than the banks and financial services people can keep up. They have gotten adept at being able to clone cards, crack PINs and break account limits in order to drain accounts quickly with a host of people making fast runs on the system. Profits range from $750,000 to, so far, $9 million.

Banks and businesses are being ever more cagey about announcing such breaches, pointing fingers at various processors and claiming they can’t talk due to “ongoing criminal investigations.” This is the claim for the heist of $9 million that happened last November. Frankly, that excuse is getting harder and harder to swallow.

As my last post noted, we are starting to see a pattern of “repeat-offenders”: companies that are broken into more than once, and don’t seem to be able (or willing) to make changes so that break-ins stop happening. Monster.com comes to mind.

Of course, as consumers, we don’t see an impact until our cards get canceled, or God forbid, our accounts get drained. But for people being issued cash cards as a form of payroll, this can have devastating consequences. If you’re living from paycard to paycard, and one paycard gets hacked, what will you do for food, gas, and other necessary things that week? It might take the card company a week or two to straighten things out - maybe more. What happens until then?

The rising cost of these data losses is being well documented. For now, banks and financial companies are eating the cost out of their profits, and collecting damages from each other. It’s not a pretty picture, and ATMs are a growing part of the mess.

This is liable to get worse before it gets better. Companies tend to be unwilling to spend money on securing data in the best of times; but in these worst of times, securing data is just not happening.

PCI - Pay Cash Instead.


Feb 20 2009   3:06PM GMT

Must READ: A Great Article on ATM Card Skimming



Posted by: Arian Eigen Heald
Automatic Theft Machines, credit card crime, Data Breaches

If you want to know what to look for in the growing cybercrime market of ATM card skimming, read the article and check out the pictures.

Knowing what to look for is half the battle. And kudos to the author, James Heary, a Cisco Security Expert. He’s just gotten added to my Blog Roll!


Dec 11 2008   5:27PM GMT

More on ATMs - The Daily Store Owner Log



Posted by: Arian Eigen Heald
Identity theft, DataManagement, Security Devices, Hardware & InfoSec, Stupid Technology, Automatic Theft Machines

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the Bank name, last four numbers of the account, the customer name, and the transaction.

So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.

The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc, is all there on the log.

I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.

Where does this report get stored? Who has access to the reports? The manager? The clerks?

Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)

Why does a store owner need that much information? I’ll try and find out.


Oct 21 2008   1:58PM GMT

ATMs with Bugs - At the Grocery Store



Posted by: Arian Eigen Heald
Wireless, Security, Data Breaches, Hardware & InfoSec, Automatic Theft Machines

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think it has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could only collect information from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it ONLY can dial home (and not to Lahore to deliver its payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 and 100 million dollars.
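One way to do the "log and report" half of that idea, as an added example (not code from the article or any ATM vendor): check each dial-out record against an allowlist and flag everything else. The log format, terminal names and phone numbers are all constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the one number this terminal is allowed to dial (its processor).
ALLOWED = {"+12075550100"}

# Constructed call records in a hypothetical "timestamp terminal dialed" format.
# The +999 destination is a placeholder, not a real number.
SAMPLE_CALL_LOG = """\
2008-10-18T09:14:02 TERM-07 1-207-555-0100
2008-10-18T23:58:40 TERM-07 011 999 555 0199
2008-10-19T09:13:55 TERM-07 (207) 555-0100
2008-10-19T10:02:11 TERM-12 207-555-0100
2008-10-19T23:58:41 TERM-07 011-999-555-0199
"""

def normalize(dialed):
    """Reduce a dialed string to +countrycode form so formatting can't dodge the check."""
    digits = re.sub(r"\D", "", dialed)
    if digits.startswith("011"):                     # North American international prefix
        return "+" + digits[3:]
    if len(digits) == 10:                            # national number, no leading 1
        return "+1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return "?" + digits                              # unknown shape: never matches the allowlist

def find_violations(log_text, allowed=ALLOWED):
    """Return (timestamp, terminal, number) for every call to a non-allowlisted number."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, terminal, dialed = line.split(maxsplit=2)
        number = normalize(dialed)
        if number not in allowed:
            violations.append((timestamp, terminal, number))
    return violations

def repeat_offenders(violations):
    """Count violations per (terminal, number); a repeat suggests a scheduled upload."""
    return Counter((terminal, number) for _, terminal, number in violations)

if __name__ == "__main__":
    hits = find_violations(SAMPLE_CALL_LOG)
    for ts, term, num in hits:
        print(f"ALERT {ts} {term} dialed {num}")
    print(dict(repeat_offenders(hits)))
```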

Just who has had access to the inside of those machines, that were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.

Thieves keep getting smarter.


Oct 10 2008   2:12PM GMT

ATMs Redux - Why I Don’t Use My Debit Card



Posted by: Arian Eigen Heald
Security, Data Breaches, PCI DSS, Hardware & InfoSec, Automatic Theft Machines

In a previous post about Automatic Theft Machines I commented on the worrisome rise in skimming with these machines.

Now, to add to our pain, we should be concerned about gas station pumps, according to NBC. Take a look at the picture of the device - makes me wonder how they set it up without inside help.

The article goes on to discuss the rising crime rate from debit card theft. Once these folks pluck your card number and PIN, they can clean out your bank account in no time flat. Unlike credit card fraud, where the bank removes your liability after $50, people are reporting a struggle to get their bank accounts credited after all the cash has been extracted.

So, let’s see, ATMs, airline check-in machines, and now gas pumps.

I’d decided after the Hannaford breach that we would no longer use our debit card unless standing inside the bank. And even that is not risk free from skimming.


Aug 5 2008   4:46PM GMT

ATMs - Automated Theft Machines



Posted by: Arian Eigen Heald
Security, Identity theft, Security Devices, Hardware & InfoSec, Eigen's Rules of Thum, Automatic Theft Machines

It’s absolutely fascinating (in a nerve-wracking sort of way) to read about how many different ways there are to use ATMs to capture (and steal) accounts and PIN numbers. From there, it takes very little time to create a fraudulent card and spend what you can before the bank catches up. It’s a triumph of hardware over software. Thieves simply work around the software controls to capture the information they want.

For example, the concept of “skimming.” Typically, thieves attach a device to the outside of the ATM that records the magnetic stripe information as you insert it. They also need a camera of some sort to capture the PIN as you type it in. For a classic example, with pictures you can see that the card skimmer fits in front of the regular card slot. For PINs, the clever placement of a pinhole wireless camera makes it all way too easy.

Thieves tend to get endlessly creative: One fellow bought his own ATM equipment and kept moving it around from place to place in order to capture information. He was good enough at it to collect at least $4 million, and is still at large.

More losses come from retail ATMs (those found in supermarkets, convenience stores, gas stations, or other non-banking environments) where there are less stringent controls and only casual observers. In May of this year, the ATM at one gas station was rigged, with at least 80 victims. When the thief was finally apprehended, he had stolen more than $185,000. Ouch.

There are about 360,000 ATMs in the United States, according to Bankrate.com. Only half of them are at a bank.

The ATM designers are moving to internal card readers and other techniques to eliminate external skimming devices, but when you can buy your own ATM and move it around, controls on sales of such machines must be tightened.

Rule of Thumb: If I don’t go to the bank for gas, I won’t go to the gas station for money.


Jul 31 2008   8:33PM GMT

Losing Your Credit Card Number at the Airline Check-in Kiosk



Posted by: Arian Eigen Heald
Security, Identity theft, Data Breaches, PCI DSS, Travel, TCM (Truly Clueless Management), Automatic Theft Machines

According to an article on MSNBC.com, there has been a data breach at the Toronto, Canada airport that may have been through the check-in kiosks. Similar to my blog on instant photo machines, the ability of machines to take more information than they need is certainly something that manufacturers should address, and quickly.

One airline at the airport has already suspended using credit-card information to check in, so even though a “full report” has yet to come out detailing HOW, we can draw some conclusions based on that action, and this statement:

“But Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.”

That is a logical conclusion if skimmers were not attached, given that the skimmers would have to be inside the machines in order not to be really obvious (if you travel a lot, like I do, you know what they look like).

But what is the most disturbing is how the airlines and kiosk makers are taking turns not commenting. There are over 70,000 self-serve kiosks in American airports that actually capture and send ALL the mag stripe data during the course of check-in to the airline. What do the airlines do with that data? How is it transmitted?

What do you want to bet that a technique similar to Hannaford’s data breach is in play?

Is this covered under the PCI DSS credit card regulations? Probably NOT, because no charges were made. And it’s an internal network, so encryption would not be required.

Why were they capturing ALL the stripe data? Because they can. Because it’s easier to program than eliminating “some data.” Because no one thought about the security of the data the machines were handling.
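To show how little programming "eliminating some data" actually takes, here is an added example (not code from any kiosk maker or airline) that parses a Track 1 swipe and passes along only a few fields. It assumes a booking lookup needs just the cardholder name and the last four digits; the swipe is constructed around a well-known test card number.

```python
import re

# ISO/IEC 7813 Track 1, format B:
# %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service>\d{3})(?P<discretionary>[^?]*)\?$"
)

# Constructed swipe using a test card number, not real cardholder data.
SAMPLE_SWIPE = "%B4111111111111111^DOE/JANE Q^25121010000000000000123?"

def forward_everything(raw_track):
    """The 'because they can' version: the whole stripe goes to the back end."""
    return {"track1": raw_track}

def checkin_fields(raw_track):
    """Keep only what a booking lookup needs (assumed: name plus last four digits)."""
    match = TRACK1.match(raw_track.strip())
    if match is None:
        raise ValueError("not a Track 1 format B swipe")
    surname, _, given = match.group("name").partition("/")
    return {
        "surname": surname.strip(),
        "given": given.strip(),
        "last4": match.group("pan")[-4:],
    }

def leaks_card_data(record, raw_track):
    """True if the outgoing record still carries the full PAN or discretionary data."""
    match = TRACK1.match(raw_track.strip())
    if match is None:
        raise ValueError("not a Track 1 format B swipe")
    flat = " ".join(str(value) for value in record.values())
    discretionary = match.group("discretionary")
    return match.group("pan") in flat or (bool(discretionary) and discretionary in flat)

if __name__ == "__main__":
    for build in (forward_everything, checkin_fields):
        record = build(SAMPLE_SWIPE)
        print(build.__name__, record, "leaks:", leaks_card_data(record, SAMPLE_SWIPE))
```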

Keep your credit card in your pocket when you check in. That’s where mine will be.