View Full Version : Latest ATM scam. Beware!


Noah Zark.
30th Apr 2009, 08:28
Hello all.
I've just received this, from a credible source. Apparently, when using a cash machine, several people have had the following happen to them, by a "team" of up to three people.
Once at the machine, one of them stands behind the person making the withdrawal or at an alternative machine if two are situated together and waits for them to put their card into the machine and enter their pin number.

Once they have seen the pin number, they are somehow turning the screen off on the cash point. Police have no idea how they are doing this and the banks are also baffled. The machine then appears to the customer as having crashed.

The customer is then entering the bank to report that the machine has crashed and taken their card. As soon as this happens, one of the males is turning the machine screen back on and taking the card. They are then going to the nearest bank and carrying out the maximum withdrawal available.

Please be aware of this and report anyone acting suspiciously around the cash points. If you use a machine and it goes blank, DO NOT LEAVE THE MACHINE. Explain what has happened to someone passing and ask them to enter the bank and explain the situation.

The Police have visited all the banks and a major investigation is underway with their fraud investigators.

Jofm5
30th Apr 2009, 08:53
Noah,

Not sure who your credible source is - but I cannot see how this is possible. It used to be possible to disrupt the screens with magnets when they were of the old CRT type (as some still are) but that would only result in image distortion - most are now LCD which are not susceptible to magnetic interference.

To actually interrupt and power cycle a cashpoint (ATM) would result in it going through its start-up cycle, which includes binning any cards/cash in its peripherals as part of this process - this would require huge electromagnets and a lot of power. It is not possible to freeze the machine in mid cycle to resume later as this would corrupt the memory in the process (it requires the memory controller to refresh the memory hundreds of times a second for the contents of the memory not to be lost).

To me it sounds like you're being wound up - but if you have more info I would be interested to evaluate.

Noah Zark.
30th Apr 2009, 09:02
Not knowing a thing about them, I don't know how it is possible either, but I thought it was worth a heads-up just in case.

tony draper
30th Apr 2009, 09:32
The scallywags have been known to fit a whole dummy ATM on the front of the real one, possibly a thin LCD polarising screen of some kind stuck on top of the real display, current on screen transparent, current off screen blanks out the display behind.
That's how I would do it anyway. :rolleyes:

SpringHeeledJack
30th Apr 2009, 09:40
Blimmin Geordies, it's in their DNA I tells ya :}


Regards


SHJ

Jofm5
30th Apr 2009, 09:41
More often than not it used to be a mag stripe reader inserted into the front of the card insert and someone observing the pin - but that was to clone the card not to steal the card in the first place.

Trying to clone the whole machine is not unheard of but is impractical - the only times I have known this to be done is someone inserting one into a disused store where there was never one before.

Torque Tonight
30th Apr 2009, 09:51
I was nearly done by the Lebanese Loop trick in Covent Garden a few years ago. I put my card into the cash machine, the thing went out of order and shut down keeping my card. Not being one to give up too easily, I fiddled around to see if I could recover my card - it came out, complete with the home made but convincing loop device. A beggar positioned near the machine then quietly pointed out a couple of irate looking blokes whose plan I'd rumbled. I found a couple of police standing around nearby, showed them the device, told them I could point out the culprits and suggested they come down and nick the scumbags concerned. Their disinterest was spectacular and they did nothing.

tony draper
30th Apr 2009, 09:51
Well for a while I went round fitting small CCTV cameras inside ATMs looking out, I did not think it a great success, all we seemed to get was hours of tape looking up punters' nostrils but the Bank security bods seemed impressed with the result, dunno if they still do that, seems to me it would discourage miscreants tampering with the machines if they were informed by a sign that said they could be identified by their noses, honest punters might not like the idea though, so I want you all to forget you read this.
:)

Jofm5
30th Apr 2009, 09:55
Our bobbies in their usual glory - you should have yelled that they called you a black gay illegal immigrant - they would be down for ten years by now.

Jofm5
30th Apr 2009, 11:03
But it was a fun conversation whilst it lasted :D

Storminnorm
30th Apr 2009, 11:35
CCTV cameras looking up peoples' noses?
Could be useful for spotting those with Swine Flu???

tony draper
30th Apr 2009, 12:10
Didn't some famous American entertainer get nicked for fitting a CCTV camera that looked up ladies' skirts? Never been asked to do that yet, was once asked to move a Cam into a ladies' trying on room in a clothes store, "they's pinching me frocks" he claimed, told him to **** orf or I would have the law on him.
Not only them Lawyers that have ethics yer know. :rolleyes:

Storminnorm
30th Apr 2009, 12:17
I thought Lawyers came from Essex, not Ethics.
Or have you thprung a Lithp?

Low Flier
30th Apr 2009, 12:50
I don't know how it is possible

Quite simple, really.

The top box of an ATM contains all the computery bits. Unlike the money-holding safe beneath, it is unarmoured and not at all secure. A single key fits every NCR ATM top box in the world. There are quite literally millions of those latchkeys in circulation in almost every country around the world. Opening the box does not, in most cases, trigger an alarm or even an event log.

The "core" of the top box is a bog-standard IBM-clone PC. The 9-pin D-type connector in the video cable is absolutely standard. It is trivially simple to disconnect that connector and insert a miscreant's device, such as a simple remote-controlled switch, in the video screen line. Similarly, inserting a switch inline for the card reader is simply a matter of disconnecting a ribbon connector and inserting the device inline.

Total time to insert two such devices would be about ten seconds for a practiced person.

The hardware required is easily available for about 20. It's just the sort of radio controlled gear in the cheapest toy cars/boats/planes.

Roger Sofarover
30th Apr 2009, 16:18
Well I never! This happened to me two days ago. I was stood at the machine card in started the process and the machine went blank. S**t thinks I, no money away from home, only cashcard, wifey looks impatient from the car I beckon her out (we had parked near the machine), I did the standard pilot thing of just press lots of buttons and thump it when nothing else works another 10 seconds and it comes back on, I press some more buttons now I can see the options, get my card out and walk. Maybe the crims thought with 2 of us there one would stay while I went inside to the bank, so turned it back on to get rid of us.

Standard Noise
30th Apr 2009, 18:02
I did the standard pilot thing of just press lots of buttons and thump it when nothing else works

Ah yes, the good old 'thrash the fecker' approach.

Crepello
30th Apr 2009, 18:20
Low Flier, interesting idea but sounds a little too easy. Wouldn't you at least need access to the ATM's internals before opening the system unit?

I'd struggle to see manufacturer design panels signing off on what you describe, otherwise a competent person could simply insert dataloggers between the PC and the cardreader and keypad, possibly drawing system power and communicating wirelessly with a nearby device.

Lebanese Loop: Yup, also seen that one, in Amsterdam about eight years ago. The sounds and messages didn't seem quite right and behold - an easily removed gadget that made a nice souvenir. But just as Torque Tonight experienced, the local plod could not have cared less. :rolleyes:

Low Flier
30th Apr 2009, 19:41
Wouldn't you at least need access to the ATM's internals before opening the system unit?


Yes, but in many banks the back of the ATM is in plain view and easily accessed by customers. Of course an accomplice or three needs to stand strategically between the back of the machine and the usual security cameras, but most bank cameras are quite openly visible.

a competent person could simply insert dataloggers between the PC and the cardreader and keypad,

Inserting a datalogger between the keypad and the core would tell you exactly nothing. The pad is a solid state affair which encrypts the keystrokes in realtime. It's an extremely tough code to break, triple DES if I recall correctly. The core of the ATM hasn't a clue what your PIN is. It simply relays the encrypted version to the bank's server, reencrypted for further security. Even the server doesn't know your PIN. Nobody in your bank knows your PIN and nobody has any way of finding out what it is, even if they have full access to all the bank's computer systems.

The way all these ATM ripoff schemes work is by having someone peer over your shoulder as you type in your PIN.

The Lebanese Loop, by the way, was easily defeated by retrofitting ATMs with a slightly modified card entry bezel. The vulnerable ones were the old flush-mounted bezels, the dark coloured ones. The light coloured ones, almost transparent with the sloping rain deflector at the top, cannot catch and hold the folded 35mm film which was the "Loop", no matter how carefully the edge perforations in the film are cut and folded back.

tony draper
30th Apr 2009, 19:56
Of course there is no need to employ these sneaky Eastern European tricks or go to puter college for four years, use the Anglo Saxon method, steal a JCB and just rip buggah out of the wall.
:rolleyes:

TerminalTrotter
30th Apr 2009, 23:48
I don't know about that Mr D. I was in the cellar of a local Building Society once, and there was a dirty big lump of concrete connected to what looked like a loop of ship's anchor chain, going up into the ceiling, which I was told was connected to the ATM. That ATM was NOT going anywhere with anything as puny as a JCB, that's for sure.

TT

JEMAVION
1st May 2009, 07:29
I had an experience a couple of years ago in Thailand with an ATM machine. Everything looked normal until I was waiting for the money; the screen went blank for a few seconds then I got a 'Transaction Cancelled' message. When I tried my card at another machine belonging to a different bank I was told I had no credit. This was on a Sunday so had to wait till the next day to complain. When later I checked my account on the internet, I found the maximum amount had been withdrawn. My bank - ABN - assured me I would get my money back which I did about 3 weeks later. Scam? I still don't know but I'm much more careful now.

Low Flier
1st May 2009, 08:16
A well spec'ed ATM has an "earthquake alarm" which is designed to detect a JCB type attack. It will emit a 30 second long loud wail, so that a false alarm can be dealt with, and then it will trigger the release of a permanent dye into the cash cassettes.

Of course the bad guys know exactly how to disable the dye system. It's operated by a very high pressure gas cylinder which looks a bit like a Sparklets soda syphon CO2 cartridge. The neds know exactly where it is located and they know exactly where to drill in order to disrupt the little gas bottle. To counteract this there is now an electrical pad on the inside of the safe wall which will set off the dye system if a drill bit penetrates the pad.

The two easiest ways to loot an ATM do not involve such brute force.

One way is simply to open the safe and access unprotected cash cassettes. There are between two and four cassettes in each ATM, each of which holds up to 2,500 banknotes. Incredibly, up to 25% of non-bank ATMs still have the factory default combination number set on the combination lock. For the rotary type it's 55-55-55, starting with a left-hand rotation. For the electronic type combination locks it's a more complicated 4-digit number which I will not show here.

The other way is the insiders way. Using the ubiquitous latchkey to open the top box, switch off the core computer. Before restarting the 'puter, insert a 'keydisc' floppy which is of the type used by the factory to functiontest new ATMs. Look at the menu on the control pad and you will see "looptest". Choose looptest to dispense any number of banknotes from each of the cassettes. Be ready for an avalanche of banknotes into the spray tray at the front end of the machine. If it's a bunch type dispenser, it will present the notes and then retract them, sending them into an unsecured bin within the now-opened safe. You'll be surprised how long it takes to empty a machine of 10,000 banknotes, so it's not something to be done with a High Street machine, but it's an easy way to empty the cash dispenser module's cash cassettes without risking the dye system being detonated.

Tercarley
1st May 2009, 08:27
When I lived in Singapore I sent my son down to the HSBC in Orchard Road to get some cash from the ATM there and he duly put my card into the machine for a few hundred dollars and out came about $3000!

Fortunately he knew all about the draconian punishments that Singapore authorities deal out for any offence and also noticed all the CCTV cameras trained onto the machine as well. He took the money into the bank and gave it back to them. He would have done so anyway!

Roger Sofarover
1st May 2009, 08:49
Low Flier

I am impressed

Tercarley

Did the bank give your son a reward?? They should have done. I bet the miserable sods didn't eh?

M.Mouse
1st May 2009, 09:59
The core of the ATM hasn't a clue what your PIN is. It simply relays the encrypted version to the bank's server, reencrypted for further security.

I thought the PIN number was coded onto the card? If that is the case why would the PIN number be relayed to the bank's server?

The starter of this thread refers to his 'credible source'. That always makes me laugh. It usually starts a post where someone wants to be believed. How do you categorise a 'credible source'?

Roger Sofarover
1st May 2009, 10:15
The starter of this thread refers to his 'credible source'. That always makes me laugh. It usually starts a post where someone wants to be believed. How do you categorise a 'credible source'?

Well would you prefer him to write his name and address on here?

How do you categorise a 'credible source'?

I am sure that you know whether those around you are credible or not don't you?

It usually starts a post where someone wants to be believed

As I posted earlier, it has happened to me recently.

419
1st May 2009, 10:18
I thought the PIN number was coded onto the card? If that is the case why would the PIN number be relayed to the bank's server?

It is.

That is how the small hand held card readers that some banks require you to use for internet and telephone banking work.
You insert the card, and you have 3 attempts to enter your pin.
Get it wrong and it locks the card.

Roger Sofarover
1st May 2009, 11:19
The Pin number is not on the card. There is an encryption code that must match the code on the data base held by your bank. It is not possible, even if you know the key, to read a pin from a card, otherwise the crims would have no problems when they nick your cards.

henry crun
1st May 2009, 12:06
The personal identification number number is not on the card, is that right ?

419
1st May 2009, 12:22
The PIN is definitely stored on the card.

The card readers I mentioned are battery powered, and not connected to either your PC or the bank computers in any way.

You put in your card, and you are prompted to enter your PIN. The reader will confirm if this has been entered correctly, and then generate another code that you have to give to the bank.
One card reader can be used for as many different cards as you like.

How does my Card-Reader work?
Your Card-Reader is powered by batteries and works independently of your computer. The Card-Reader uses the chip on your card and your normal card PIN. It then creates a unique eight digit code that you are asked to enter to verify some of your online banking transactions.

Roger Sofarover
1st May 2009, 13:10
HowStuffWorks "Credit Card Stripe" (http://money.howstuffworks.com/personal-finance/debt-management/credit-card2.htm)

How the mag strip on a card works.

Portable credit card readers use wireless technology just like any other modern computer or mobile phone.

419
1st May 2009, 13:16
Roger,

That info is for the old style card that had a magnetic strip.
All current cards issued in the UK are "chip and pin", and don't have this strip.
All the info is stored on the chip, and this includes the PIN details.

I've stuck on a photo showing how the PIN can be read and confirmed by a simple card reader, and the following bit also explains how it works.

To solve this, banks and retailers are replacing traditional magnetic stripe equipment with smartcard technology, where credit/debit cards contain an embedded microchip and are authenticated automatically using a PIN. When a customer wishes to pay for goods using this system, the card is placed into a "PIN pad" terminal (often by the customer themselves) or a modified swipe-card reader, which accesses the chip on the card. Once the card has been verified as authentic, the customer enters a 4-digit PIN, which is checked against the PIN stored on the card; if the two match, the transaction completes.

http://i666.photobucket.com/albums/vv28/primehelicopters01/card.jpg

Roger Sofarover
1st May 2009, 13:26
419

Thanks:ok:

419
1st May 2009, 13:36
No Problem.

The biggest worry with the chip and pin cards is that they were introduced to try and prevent fraud, but they seem to have had the opposite effect.

A simple "google" brings up loads of instances of large scale chip and pin fraud.

- Google Search (http://www.google.co.uk/search?hl=en&ie=ISO-8859-1&as_q=fraud+&as_epq=chip+and+pin+&as_oq=&as_eq=&num=10&lr=&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=&as_occt=any&cr=&as_nlo=&as_nhi=&safe=images)

RatherBeFlying
1st May 2009, 13:55
Some banks allow you to choose and change your PIN at will:ok:

You can use more than four digits, but may have problems going abroad if the local POS terminals and ATMs can only handle 4 or 6 digits:ugh:

Others simply issue you a 4-digit PIN which can be encoded, hopefully encrypted, on the card, whether strip or chip:eek:

A bank that allows you to choose your PIN has to store the encryption of your PIN on their server.

Back in the '80s when ATMs became popular and I was working at a bank, I predicted that it was only a matter of time before cards would be cloned.

Once pinhole video cameras hit the scene, several banks got hit. I notice that about that time, my bank removed the card readers from the ATM lobby entrance doors as the bad guys were splicing into the wires:=

Low Flier
1st May 2009, 14:09
The PIN is definitely stored on the card.


Not quite true.

An encrypted version of the PIN is, though.

Here's how it works:

When the bank issues your first PIN, it does so based on your account number. That PIN is simply the first four decimal digits of the derived hexadecimal number which is encrypted from your account number.

Here's an example:

Say your account number is:
4556 2385 7753 2239

First the a/c number is encrypted into hexadecimal using a very simple DES algorithm:
3F7C 2201 00CA 8AB3

Then a simple Hex-Dec look up table:
0123456789ABCDEF
0123456789012345
takes the first four numerals, 3F7C, and produces a simple decimal equivalent, 3572.

This is added to a four digit Public Key, such as 4344, to produce a sum of 7816 which is the PIN which will be issued initially to the customer with that account number.

If you decide to change your PIN, all that happens is that the difference is added (modulo) to the original PIN and the difference is recorded with the account file.

You might think that your PIN has 10,000 different permutations and that therefore a crude guessing attack is extremely unlikely to come up with your PIN. Not so. Because of the Hex-Dec transfer there are considerably less than 10,000 valid PINs and the sequence of numbers within the 4-digits is not statistically even.

So, your card does *not* carry your PIN, but it does show your account number on the front and from that your PIN can be guessed in an average of just 15 (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-560.pdf) attempts and 24 at most. Now you can see why a crooked and money-driven banker (if you can imagine such a creature!) needs only half a dozen cards and account numbers to be able to empty an account with just three attempts per card, on average.
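
The decimalisation and offset steps from the post above, as an added Python example (not part of the original thread). It starts from the post's own hex value instead of running DES, and assumes digit-wise addition modulo 10 with no carry, which is what makes the post's 3572 + 4344 come out as 7816; all function names are illustrative.

```python
from fractions import Fraction

# Decimalisation table exactly as quoted in the post: hex digit -> decimal digit.
HEX_DIGITS = "0123456789ABCDEF"
DEC_TABLE = "0123456789012345"


def decimalise(hex_digits: str) -> str:
    """Map each hex digit to a decimal digit through the table."""
    return "".join(DEC_TABLE[HEX_DIGITS.index(h)] for h in hex_digits.upper())


def add_digits(a: str, b: str) -> str:
    """Digit-wise addition modulo 10, no carry between positions (assumption)."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_digits(a: str, b: str) -> str:
    """Digit-wise subtraction modulo 10, the inverse of add_digits."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def natural_pin(cipher_hex: str, length: int = 4) -> str:
    """Decimalise the first `length` hex digits of the encrypted account number."""
    return decimalise(cipher_hex.replace(" ", "")[:length])


def issued_pin(cipher_hex: str, offset: str) -> str:
    """PIN the customer receives: natural PIN plus the stored offset."""
    return add_digits(natural_pin(cipher_hex, len(offset)), offset)


def offset_for_chosen_pin(cipher_hex: str, chosen_pin: str) -> str:
    """Offset the bank would record so that the customer's chosen PIN verifies."""
    return sub_digits(chosen_pin, natural_pin(cipher_hex, len(chosen_pin)))


def digit_probabilities() -> dict:
    """Chance of each decimal digit, assuming every hex digit is equally likely."""
    return {d: Fraction(DEC_TABLE.count(d), len(DEC_TABLE)) for d in "0123456789"}


def natural_pin_probability(pin: str) -> Fraction:
    """Probability that decimalisation yields exactly this natural PIN."""
    probs = digit_probabilities()
    result = Fraction(1)
    for digit in pin:
        result *= probs[digit]
    return result


if __name__ == "__main__":
    cipher = "3F7C 2201 00CA 8AB3"  # hex value given in the post
    print("natural PIN :", natural_pin(cipher))
    print("issued PIN  :", issued_pin(cipher, "4344"))  # offset from the post
    # "1234" is a constructed customer-chosen PIN for the change-of-PIN case.
    print("new offset  :", offset_for_chosen_pin(cipher, "1234"))
    for digit, p in digit_probabilities().items():
        print(f"digit {digit}: {p}")
    # Digits 0-5 each appear twice in the table, 6-9 once, so natural PINs
    # are unevenly distributed even though every digit remains reachable.
    print("P(0000) =", natural_pin_probability("0000"))
    print("P(9999) =", natural_pin_probability("9999"))
```

The skew applies to the natural PIN before the offset is added; the distribution figures rest on the assumption that the encrypted hex digits are uniformly distributed.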

Tercarley
1st May 2009, 23:57
No, they didn't give a reward! In Singapore - in those days at least, mid 80's - any wrongdoing by anyone and especially expats or their families and you would have been out of the country and your company in 48 hours. Therefore you and your family had to toe the line. It was a benevolent dictatorship. But ultra safe!

Funnily enough my 17 yr old daughter went to school there and in spite of the harsh punishments meted out for drug use, she says that at teenage parties other kids were always offering you drugs.

Any expats out there now - what's it like now from that point of view?

Low Flier
2nd May 2009, 11:39
Having done a bit of research, this 'scam' appears to be emailed BS of the highest order.

Your "research" wasn't much good, GobonaStick!

South Yorkshire Police (http://www.thestar.co.uk/news/Cashpoint-scam-alert.5229531.jp) are investigating at least 13 of these thefts.

Noah Zark.
2nd May 2009, 17:31
The starter of this thread refers to his 'credible source'. That always makes me laugh. It usually starts a post where someone wants to be believed. How do you categorise a 'credible source'?

South Yorkshire Police are investigating at least 13 of these thefts
M.Mouse.
Still laughing?
Jofm5 & Gobonastick, along with M.Mouse and his haughty attitude, I don't give a toot about your "know-it-all" attitude. My "credible source" is a very close rellie who works with S.Y.P. and that's credible enough for me. The intention of my original post was to alert everyone to this scam, for their own good, nothing else.
Fortunately, most of our fellow Prooners have taken it for what it is, a warning. Good enough.

lomapaseo
2nd May 2009, 18:05
Noah Zark

Fortunately, most of our fellow Prooners have taken it for what it is, a warning. Good enough

Now how would you know that unless you had attached a poll to this thread :confused:

I treat all warnings on Pprune as alerts to read my mail from trusted credible sources (like my bank or my Anti-virus software provider)

All else are treated the same as Vice Pres. Biden Flu warnings

419
2nd May 2009, 18:32
Well I had never heard of it, and I've not seen anything from the banks about it.
If I was using a cashpoint and the screen went blank, I'm pretty sure that I would have done as most victims did, and go into the branch to ask for assistance.

If posting the advice on here only stops the scammers from catching a few people out, IMO, that's a good enough reason to put it on the boards.

simon brown
6th May 2009, 09:11
you are more likely to have your credit card details sold on by someone at play.com and the first you know about it is confirmation of 6 dvds delivered to someone called James, of 63,sutton road, Barking essex. IG11 7XS

It's happened to several people I know and looking at various fora on the internet this is commonplace

Barking Polis don't want to know unless you've lost your money.

I have yet to exact my revenge...suggestions anyone