Writing for Computerworld under the headline “Security analyst: Las Vegas ATMs may have malware: The U.S. Secret Service is looking into the situation,” Jeremy Kirk reports a story that I bet will become more and more common in the near future. Cash-dispensing banking machines can be equipped so that they divert money from one’s account in multiple ways.
The good news in this situation was that the person who used a malfunctioning automatic teller was someone who’s savvy about computers. Chris Paget, a principal in H4RDW4RE (a computer security firm), was attending a conference for people who study hacking, cracking, malware, and such. Mr. Paget recognized the problem—he didn’t get his $$!—and did something about it.
The U.S. Secret Service said on Monday it is investigating a group of ATM machines in Las Vegas that are debiting people’s accounts but not dispensing cash.
The case came to light after Defcon hacker conference presenter Chris Paget tried to withdraw $200 on Sunday from his account at the Rio All-Suite Hotel and Casino. He wanted to buy a metallic copy of the Bill of Rights, a joke gift designed to set off airport metal detectors from the magicians Penn and Teller.
The ATM “whirred and chugged,” Paget said, “but no money came out.” His account, however, was debited.
As Mr. Kirk related, there was another incident earlier at DEFCON, but these are not the first. Indeed, the history of scams goes back at least to 2004. These scams use (a) devices that fit over the card reader in an ATM, permitting crooks to skim the data from the magnetic stripe when one inserts her card in a legitimate machine, and (b) hidden cameras that permit the crooks to record the presses on the keypad, thus snagging one’s PIN.
Update 4 Aug 2007: I see Hack a Day has an image of the fake ATM found earlier this week at DEFCON.