August 04, 2009

ATM Machines - Fake ATMs and Malware Infested

The Defcon in Vegas had fakes ATMs and non-dispensing ATMs spice up the event this year. Hard to believe but a fully fake ATM being placed in hotel (next to security office). Or machines that take your card and then just make sounds but never dispense money.

Fake ATMs

Back in April we told you about a global ATM skimming ring that was traced back to Romania. This week another ATM scam popped up in Las Vegas – at the DEFCON security conference, no less.

The no-armed bandit showed up in one of the cleverest, or most unlikely, spots in the Riviera Hotel Casino, depending on how you look at it. Why the dichotomy? It was positioned in a rare location not watched by a security camera. The flipside? It was right outside the casino’s security office.

Aries Security CEO Brian Markus spotted the machine and pointed it out to hotel security, according to Wired.

Markus said it was clear to him the ATM was fake when he looked at the smoked glass on the front of the machine and noticed something funny about it. When he beamed a flashlight through the glass, instead of seeing a camera behind it, he saw the PC that was set up to siphon card data.

Las Vegas may not be the area with the highest concentration of ATMs – that designation goes to Harvard Square in Cambridge, Mass., which has over 50 in just a two-block vicinity – but the machines are certainly ubiquitous in a town known for a need for quick cash.

The illicit Riviera ATM wasn’t the only one found in Vegas this week. PC World reports that the Secret Service is investigating reports of hacked ATMs across the city. At the Rio All-Suites Hotel and Casino DEFCON presenter Chris Paget reported trying unsuccessfully to withdraw cash from one, but still having his account debited.

He wasn’t the only one. Paget spoke with an Israeli man who had tried to withdraw $1,000, as well as a woman who tried to take out $400. At least a half dozen people experienced the same problem at various machines in the hotel, Paget said.

Channel Web reports that, “In an ironic twist, a scheduled presentation titled “Jackpotting Automated Teller Machines” at the conference by Juniper Networks researcher Barnaby Jack was scrapped because of an unnamed ATM vendor, who cited security reasons, according to SC Magazine.”


ATMs with Malware

Security Analyst: Las Vegas ATMs May Have Malware
Jeremy Kirk, IDG News Service
Vegas ATM Malware Demonstrates Banking Security Woes - Business Center
Is Your Linksys or Netgear Router Open to Attack?
Juniper Nixes ATM Security Talk
Google Billboard Ads Gun for Microsoft and Promote Google Apps
Google's Schmidt Resigns From Apple's Board
Web Surfers Forced to Choose Security or Anonymity - Business Center


Monday, August 03, 2009 4:30 AM PDT
The U.S. Secret Service said on Monday it is investigating a group of ATM machines in Las Vegas that are debiting people's accounts but not dispensing cash.

The case came to light after Defcon hacker conference presenter Chris Paget tried to withdraw $200 on Sunday from his account at the Rio All-Suite Hotel and Casino. He wanted buy a metallic copy of the Bill of Rights, a joke gift designed to set off airport metal detectors from the magicians Penn and Teller.

The ATM "whirred and chugged," Paget said, "but no money came out." His account, however, was debited.

He wasn't the only one. Paget spoke with an Israeli man who had tried to withdraw $1,000, as well as a woman who tried to take out $400. At least a half dozen people experienced the same problem at various machines in the hotel, Paget said.

Paget, who has expertise in credit-card security and runs a hardware security consulting company, notified the hotel staff, who didn't take action to shut down the machines.

"The best they would do was put a sign on the ATM saying 'Out of order,'" Paget said. "We were standing by the ATMs warning people."

Paget considered unplugging the machines, but the hotel's security told him he would potentially be prosecuted for vandalism.

Paget's experience points to the increasing frequency with which criminals are targeting ATMs. One scam is to attach a device to the ATM known as a skimmer that can record details stored on a card's magnetic stripe. A person's PIN (Personal Identification Number) can be captured with an overlay on the keypad or a video camera. Then, the card can be cloned.

Security experts have also seen samples of malicious software designed for ATMs that can record card details. Earlier this year, analysts at Trustwave's SpiderLabs research group said the malware came from a financial institution that had been affected in Eastern Europe.

In Paget's case, a Rio hotel representative said on Monday that she was unaware of the problem and advised calling the hotel's accounting office later. A Secret Service officer in the Las Vegas area confirmed the agency was looking into the issue along with the Las Vegas Metropolitan Police Department. Paget said he left a voicemail with the Federal Bureau of Investigation.

Paget also contacted Global Cash Access, a company that specializes in managing cash machines for the casino industry. The company told Paget they had no record of the withdrawal, although it showed up when he checked his online banking statement.

Paget said it is possible that the machines have been infected with malware. The program could be directing the machines not to dispense cash, which then is picked up by an insider in on the scam, he said. But it's too early to tell.

If the problem is not simply malfunctioning machines, it would be at least the second incident of something funny going on with ATMs around Defcon.

Earlier in the week, conference attendees at the Riviera Hotel noticed what was on inspection a bogus ATM machine positioned in the lobby. They shined a light into its screen, which revealed a PC behind it. Law enforcement later confiscated it.

Ironically, one of the talks planned for this year's Black Hat and Defcon conferences dealing with ATMs was cancelled. A researcher with Juniper Networks, Barnaby Jack, was supposed to detail a vulnerability affecting a popular line of new ATMs. But Juniper barred Barnaby from giving his presentation after the unnamed ATM vendor threatened legal action.

Posted by staff at August 4, 2009 09:14 AM