Fooling with hackers is generally a very bad idea, but the scammers responsible for an apparent ATM grift in Las Vegas may not have been aware of that particular rule of thumb.
The ATM scam happened during the Black Hat and Defcon security conferences last week, during which time the Las Vegas Strip was heavily populated with hackers well-versed in the many methods cyberthieves employ to rip off victims.
The hackers who noticed the suspicious-looking ATMs called in the authorities, and both the Las Vegas Police Department and the Secret Service are now reportedly involved in hunting down the attackers.
Fraudsters have been using ATM machines to steal money from users for a long time, but they’re getting more sophisticated in their attacks.
Ironically, a scheduled talk on a new ATM security hole was reportedly canceled because of pressure from the researcher’s employer, Juniper Networks.
Tricking the Tricksters
Last week, fraudsters apparently set up a fake ATM kiosk in the Riviera Hotel Casino. However, it was quickly spotted by sharp-eyed hackers who noted it looked a little different from the usual ATM.
This machine was reportedly designed to log the card data and PIN numbers of anyone using it; that information could be used to make counterfeit cards.
Defcon organizers called in law enforcement, which removed the machine.
Separately, the U.S. Secret Service and the Las Vegas Police Department are reported to be investigating complaints about ATM machines that debited users’ accounts without giving them any money.
Attendee Chris Paget alerted law enforcement after unsuccessfully trying to withdraw money from an ATM machine in the Rio All-Suite Hotel and Casino and finding that his account had been debited.
“There were two incidents,” attendee Dave Marcus, directory of security research at security vendor McAfee, told TechNewsWorld.
The Las Vegas Police Department did not respond to requests for comment by press time.
Looping the Lebanese Loop
ATM frauds have been around for a long time, and one of the simplest and most widely used goes by the colorful name of “The Lebanese Loop.”
Essentially, criminals put a strip or sleeve of metal or plastic into an ATM machine’s card slot. This prevents the machine from drawing in cards that consumers insert into the slot and sets things up for the next stage of the scam.
Criminals then learn the victim’s PIN number by watching the victim key it in repeatedly. When the victim leaves without the card, which is still in the ATM machine, the criminal retrieves the card and attacks the victim’s account.
In some variants of the Lebanese Loop, the criminals attach a small camera to the ATM to record victims entering their PIN numbers; in others, the criminals attach a fake keypad over the real one, thus capturing victims’ PIN numbers.
“Crooks can copy every single detail of a real ATM,” Randy Abrams, director of technical education at ESET, told TechNewsWorld. “You have to pay attention and be alert at an ATM machine.”
Hackers Know Computers Too
Those relatively low-tech attacks are being replaced by more sophisticated ones that leverage computer technology.
“I remember a recent story of ATMs leaving the factory with Trojans preinstalled,” McAfee’s Marcus said. “You could set them up to capture data.”
Security vendor Trustwave’s SpiderLabs recently found malware installed on compromised ATMs in Eastern Europe. The malware captures magnetic strip data and PIN codes from ATMs running Windows XP.
The malware lets attackers fully control compromised ATMs.
Most ATMs run embedded versions of a very specific version of Windows, and McAfee has supported these for some time, Marcus said.
Hole-y ATM Security, Batman!
As a rule, ATM vendors prefer not to discuss security issues. In fact, one reportedly pressured Juniper Networks to call off a talk on a security hole in its latest devices.
Barnaby Jack, a staff security researcher, was scheduled to give the talk “Jackpotting Automated Teller Machines,” at Black Hat and Defcon.
“As word spread that Jack would be disclosing vulnerabilities using a real ATM during his demonstration, one unnamed ATM vendor got nervous,” wrote Javelin Research’s Robert Varnoski in his blog.
Juniper Networks did not respond to requests for comment by press time.