
posted by janrinok on Saturday November 15 2014, @09:51PM   Printer-friendly
from the a-short-career-comes-to-an-end dept.

Kiosk ATMs installed at convenience stores have long been a favorite of hackers; ingenious online and on-premises exploits of machines made by Tranax Technologies and Trident were demonstrated by Barnaby Jack at the 2010 Black Hat conference. But no high-tech wizardry was needed for several waves of ATM thefts pulled off by small-time crooks across the country; all that was needed was for someone to guess the six-digit operator passcode and enter it on the ATM keypad, forcing the machine into a special "operator mode".

Until 2006, "guessing" was easy because many merchants never bothered to change the manufacturer's default passcode (Triton's was "123456"). Tranax and Trident subsequently changed their software to force operators to change the default passcode, but some machines in the field were never upgraded, and (this is speculation on my part, not in the Wired story) it could be that middlemen service companies standardized on their own default passcodes.

Wired has a story of a Tennessee crook named Fattah who drew $400,000 from ATMs around Nashville over the course of 18 months by reprogramming them to think that their cash trays held $1 bills instead of $20 bills, so each $20 withdrawal netted Fattah $19. In a previous job, Fattah had worked for a company that operated ATMs, so he knew both the vulnerability and the default passcode. But Fattah made amateur mistakes; one was using a debit card under his own name instead of a prepaid card. After being busted by the Secret Service, Fattah and an accomplice are now facing 30 counts of fraud and conspiracy.
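The control that catches this kind of fraud is back-office reconciliation: the bank already knows, from the cash-replenishment slip, what denomination was physically loaded into each cassette, so the cash that actually left the machine can be compared with what was debited from the cardholder's account. The following Python is an added example, not code from Wired, SoylentNews or any ATM vendor; the data model (AtmConfig, Dispense, the cassette and field names, and the sample records) is constructed for illustration, and the only real value in it is the "123456" default named in the story.

```python
from dataclasses import dataclass

# Default operator passcode named in the story; a real deployment would keep a
# vendor-specific list here rather than this single constructed entry.
KNOWN_DEFAULT_PASSCODES = {"123456"}


@dataclass(frozen=True)
class AtmConfig:
    """Hypothetical per-machine record (field names are this example's, not a vendor's)."""
    atm_id: str
    operator_passcode: str
    configured_denom: dict   # cassette id -> denomination the ATM firmware is set to
    loaded_denom: dict       # cassette id -> denomination on the cash-replenishment slip


@dataclass(frozen=True)
class Dispense:
    """Hypothetical journal entry for one withdrawal."""
    atm_id: str
    txn_id: str
    account_debit: int       # whole dollars debited to the cardholder's account
    notes: dict              # cassette id -> number of notes the dispenser pulled


def config_findings(cfg: AtmConfig) -> list:
    """Static checks: a vendor-default passcode still set, or a cassette whose
    configured denomination disagrees with what was physically loaded."""
    findings = []
    if cfg.operator_passcode in KNOWN_DEFAULT_PASSCODES:
        findings.append(f"{cfg.atm_id}: operator passcode is a known vendor default")
    for cassette, loaded in cfg.loaded_denom.items():
        configured = cfg.configured_denom.get(cassette)
        if configured != loaded:
            findings.append(
                f"{cfg.atm_id}: cassette {cassette} configured as ${configured} "
                f"but replenishment slip says ${loaded}"
            )
    return findings


def dispensed_value(cfg: AtmConfig, d: Dispense) -> int:
    """Cash that physically left the machine, priced at the *loaded* denomination."""
    return sum(count * cfg.loaded_denom[cassette] for cassette, count in d.notes.items())


def overpayment(cfg: AtmConfig, d: Dispense) -> int:
    """Positive when more cash left the machine than was debited from the account."""
    return dispensed_value(cfg, d) - d.account_debit


def reconcile(configs: dict, dispenses: list) -> dict:
    """Per-ATM report: static findings, total over-dispensed dollars, suspect transactions."""
    report = {
        atm_id: {"findings": config_findings(cfg), "overpaid": 0, "suspect_txns": []}
        for atm_id, cfg in configs.items()
    }
    for d in dispenses:
        over = overpayment(configs[d.atm_id], d)
        if over > 0:
            report[d.atm_id]["overpaid"] += over
            report[d.atm_id]["suspect_txns"].append(d.txn_id)
    return report


# Constructed sample data: ATM-A has been told its $20 cassette holds $1 bills
# and still uses the default passcode; ATM-B is configured correctly.
SAMPLE_CONFIGS = {
    "ATM-A": AtmConfig("ATM-A", "123456", {"c1": 1}, {"c1": 20}),
    "ATM-B": AtmConfig("ATM-B", "804213", {"c1": 20}, {"c1": 20}),
}
SAMPLE_DISPENSES = [
    Dispense("ATM-A", "t1", account_debit=1, notes={"c1": 1}),   # $1 debited, one $20 note out
    Dispense("ATM-A", "t2", account_debit=5, notes={"c1": 5}),   # $5 debited, five $20 notes out
    Dispense("ATM-B", "t3", account_debit=40, notes={"c1": 2}),  # healthy: $40 debited, two $20s
]

if __name__ == "__main__":
    for atm_id, entry in reconcile(SAMPLE_CONFIGS, SAMPLE_DISPENSES).items():
        print(atm_id, entry)
```

Two things are worth noting about the design. The reconciliation prices notes at the loaded denomination rather than the configured one, because the configured value is exactly what an operator-mode attacker controls; trusting it would make the check blind to the fraud. And the static check on the configuration record flags the mismatch on the day the cassette is reprogrammed, before any withdrawal happens, which is the point at which a merchant or service company would want an alert.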

  • (Score: 1, Informative) by Anonymous Coward on Saturday November 15 2014, @10:13PM

    by Anonymous Coward on Saturday November 15 2014, @10:13PM (#116265)

    The correct link to the default passcode story mentioned in the second paragraph is here [wired.com], not to the Kaspersky blog. My bad.

    - AC submitter

  • (Score: 1) by esperto123 on Saturday November 15 2014, @11:28PM

    by esperto123 (4303) on Saturday November 15 2014, @11:28PM (#116277)

    Shouldn't it be $380 for every $20 withdrawal?

    • (Score: 1) by dlb on Saturday November 15 2014, @11:41PM

      by dlb (4790) on Saturday November 15 2014, @11:41PM (#116279)

      Or scare quotes should have been used:

      so each "$20" withdrawal netted Fattah $19

    • (Score: 0) by Anonymous Coward on Sunday November 16 2014, @12:32AM

      by Anonymous Coward on Sunday November 16 2014, @12:32AM (#116287)

      The $19 makes no sense at all. Withdrawing $20 in $1 bills is a $400 sum. Even after subtracting the $20 he was charged from his account, that's $380 for every $20.

      • (Score: 2) by tibman on Sunday November 16 2014, @07:49AM

        by tibman (134) Subscriber Badge on Sunday November 16 2014, @07:49AM (#116336)

        If he withdrew $1 from his account it would give him a $20 bill. So he gained $19 from the transaction.

        --
        SN won't survive on lurkers alone. Write comments.
        • (Score: 0) by Anonymous Coward on Sunday November 16 2014, @10:28AM

          by Anonymous Coward on Sunday November 16 2014, @10:28AM (#116354)

          That kinda explains the error then. "For each $1 he got $19" got spliced together with "For each $20 he got $380" into one mess.

  • (Score: 2) by mendax on Saturday November 15 2014, @11:30PM

    by mendax (2840) on Saturday November 15 2014, @11:30PM (#116278)

    Sometimes when reading these silly stories about easily prevented security breaches, I think that some people just ask to be robbed. Perhaps that statement is just as asinine as those made by people who say that women who walk around in public scantily clad are asking to be raped. I know that some banks tolerate some kinds of credit card and EFT fraud because the cost of making the system more secure is higher than what they lose in fraud and in business due to the ensuing chaos.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
    • (Score: 2) by VLM on Sunday November 16 2014, @12:37PM

      by VLM (445) on Sunday November 16 2014, @12:37PM (#116378)

      A better analogy would be going home with some dude and saying "yes" and doing the deed, and a month later while balancing his checkbook pressing charges because she found out for every claimed $20 of salary income he actually only had $1 of income.

      I'm sitting here trying to pierce the veil of "e-commerce" BS, and obviously from common sense he's a crook, but in practice I'm having trouble thinking of what exactly he did that's illegal. The UI for the ATM sucks but that's not his fault. The bank didn't give him permission to reprogram the ATM but they didn't give him permission to do anything including just plain old use it. The ATM I use lets me change its default language to illegal or english, which is not exactly at the level of this crook but it's interesting, the bank certainly never gave me permission to do that. I'm guessing the closest traditional analogy is this dude walked up to an unsecured "give a penny take a penny" tray at the deli cash register and said "F it I'm not give/take one penny, I'm taking twenty pennies". Which is not illegal, but is being a jerk.

      "Hey look, here, unsecured, laying on the ground, is a great big pile of money. There's no law against it, but we're all agreeing not to pick up the money. If you pick it up, we're busting you on all kinds of ridiculous charges that have nothing to do with picking up money laying on the ground free for the taking. You know, just because. P.S. the money is all owned by banks, the biggest financial crooks in the world, so no ethical / moral concerns there, if you're stealing, you're stealing from the lowest thieves on the planet."

    • (Score: 2) by urza9814 on Monday November 17 2014, @09:02PM

      by urza9814 (3954) on Monday November 17 2014, @09:02PM (#116946) Journal

      Good analogy...and it leads to a few interesting questions that might be worth exploring...

      So, as a regular citizen, if you leave something laying around your front yard, can you call the police if it gets stolen? Sure. Or someone grabs your bike from a public bike rack? Even if it's not locked, I think most people would still call that theft. But if you leave the bike sitting there for a week or two, then maybe the situation looks different. If the bike has been there so long it's starting to rust to the rack, I don't think anyone would call it theft if you take it home and fix it up for yourself. At some point it becomes abandoned property, right?

      If a construction crew leaves a backhoe sitting in the middle of a parking lot all weekend, is it theft if someone comes in and drives off with it? Yeah, that seems reasonable. If they leave it there for a month...?

      If a bank leaves a pile of money sitting in the parking lot and you pick up a stack, is THAT theft? Well....that one I'm not so sure about. But fundamentally it's no different than the situation above. Except...it's a bit less clear whose money that is. If another customer left it, then you can't really call it theft because they weren't in possession of it. We're back to abandoned property there. But if a bank employee left it, it's still on their property. Yet the person picking it up can't tell the difference, can they?

      Either way, by this chain of logic it seems obvious that stealing from an ATM -- no matter how insecure -- is theft. You know damn well whose money that is.

      But that brings a whole mess of other problems. Is it fair to make the public pay for crappy security of a private company? Why should banks even have locked vaults, if the public police forces will pick up the slack for them? That's pretty absurd too. They ought to face SOME repercussions for lax security.

      So yes, maybe at a certain point corporate property should become public property if it is insufficiently secured. Where do we draw the line? Is a password prompt enough? Even if the password is 1234? Even if it's trivial to bypass? Does it matter if the insecure ATM was installed yesterday or has been that way since last year? I don't think there's any obvious answer, or any clear place to draw the line...

      Perhaps a comparison to an actual bank teller would help? If they accidentally give you a 50 instead of a 5, very few people would consider that theft. "Bank error in your favor" as it says in the Life board game. If you intentionally trick them into giving you too much though, I think most people *would* call that theft. That seems about equivalent to hacking the ATM. Then again, if they hire a teller with an IQ of 50, and you tell them they owe you 50 (not running some elaborate con, just directly lying to them) and they believe you...is THAT theft? I'm inclined to say no -- it's not your job to train their employees. Maybe that's similar to using a crappy password?

      • (Score: 0) by Anonymous Coward on Wednesday November 19 2014, @11:23PM

        by Anonymous Coward on Wednesday November 19 2014, @11:23PM (#117897)

        Perhaps a comparison to an actual bank teller would help? If they accidentally give you a 50 instead of a 5, very few people would consider that theft.

        Any business dealing with seriously large amounts of money will have cameras everywhere -- you are being watched and will NOT get away with it if the amount involved is large enough. Just do the right thing and tell them of the mistake and allow them to fix the error. The employee gets to keep their job without any problems or 'wage garnishment' to replace the lost funds and you stay out of police custody (and jail) for perpetrating fraud whether you knew you were doing it or not!

        Cameras are everywhere inside real storefronts inside buildings run by business people willing to invest in camera surveillance, so scams like these are HISTORY!

        [Two scams against cashiers 're-created' in PAPER MOON (1973) ]
        http://www.youtube.com/watch?v=6xHlU7si5ws [youtube.com]
        http://www.youtube.com/watch?v=CKJJbZe4TWM [youtube.com]