Identity Theft Attempt at Defcon

Identity Theft Expert Robert Siciliano

Hackers hacked hackers at the annual Defcon conference in Las Vegas this past weekend. Defcon is a conference for hackers of all breeds. There are good guys, bad guys, those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology decend on Las Vegas to learn, explore, and hack.

At this year’s Defcon, someone planted a real, rigged, malicious ATM right outside the security office of the Riviera Hotel and Casino. For some reason, the area outside the security office doesn’t have any security cameras, which made it an easy place to attempt a scam. Scams like this are common in Las Vegas, due to the city’s transient nature and frantic pace. Everyone is looking for a quick buck, and what better place to pull of an ATM scam than Vegas?

ATM skimming comes in two flavors. In the first scenario, a device called a “skimmer” is placed on the face of an operational ATM. When a card is swiped, the skimmer records the data on the card, and a hidden camera generally records the PIN. Usually, money is dispensed. In the second scenario, a used ATM is rigged to record data, and placed in a public area. These ATMs are only semi-operational, and do not dispense cash. This is the type of ATM that was found in Las Vegas.

A conference attendee uncovered the scam when he attempted to use the machine and recieved an error message. Upon further investigation, a computer was discovered where the security camera should have been. The computer was recording all the victims’ details. That’s when the alarm was sounded and the area became a crime scene.

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. (Of course, just outside the security office isn’t exactly the middle of nowhere, so always be alert.) Use strong PINs, with both upper and lowercase letters, as well as numbers. And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano Identity Theft Speaker discussing ATM skimming on Fox News

Debit Cards at Risk for Identity Theft

Robert Siciliano Identity Theft Expert

There are 437,000,000 debit cards in circulation, and their use is on the rise. Criminal hackers are paying attention. Credit cards offer some measure of protection, but when a debit card is compromised, the stolen money is taken directly from the victim’s bank account.

Federal laws limit cardholder liability to $50.00 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days in order to maintain this $50.00 limit. After that, the maximum liability jumps to $500.00. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

There are a few known scams that can make you vulnerable to debit card fraud.

There’s the bait and switch. When making a purchase online, you may be prompted to make an additional purchase that appears to be a one time fee, but is actually an ongoing monthly debit that is nearly impossible to cancel. That’s when canceling your card is the only way out. While this isn’t technically criminal hacking, it is very slimy marketing. The best way to protect yourself from this one is to always read the fine print before making an online purchase. Just be smart.

Unless you have been living in a cave, you’ve probably received a phishing email at some point. Criminal hackers, assisted by teams of psychologists and sociologists, are designing and selling phishing kits to one another. They know what makes you tick and they know what will convince you to click on a link. These people are professionals. There used to be a day when phish emails contained obvious misspellings and but now they are organized and sophisticated. And as more people go paperless and get their bank statements online, it is becoming more common for criminals to take advantage of that process, sending emails that appear to be statement notifications. If you think an email might be phishing, delete it immediately. And don’t click on links in emails. Either manually type the link into the address bar, or use your bookmarks menu.

According the the Secret Service, Skimming is one of the financial industry’s fastest growing crimes. The ATM Industry Association reports over one billion dollars in annual global losses from credit card fraud and electronic crime associated with ATMs. A skimmer is a hardware device that a thief places on the face of an ATM, which matches the machine itself. It’s almost impossible for a civilian to notice the difference unless the skimmer is of poor quality, or the civilian has a unique eye for security. Often, the thieves will mount a small pinhole camera somewhere near the ATM, perhaps in a brochure holder, to record the victim’s PIN. Gas pumps are equally vulnerable to this scam. Pay very close attention during ATM and gas pump transactions. If something seems wrong, it is wrong. Look for double stick tape, removable features on the face of the ATM, a card sticking inside the reader, or additional mirrors or brochure holders that could contain a small camera.

1. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing ATM skimming on Fox News Here and credit card fraud on CNBC Here

XX

ATM Fraud Increases Identity Theft Risk

Robert Siciliano Identity Theft Expert

A spate of recent news reports highlight growing ATM fraud. Law enforcement in New York City reported a gang had stolen $500,000 from bank accounts via ATM skimming. They installed cameras and skimming devices on the machines, and recorded the magnetic strips and the PIN numbers.

A recent survey points towards ATM fraud rising 5-9 percent. Seventy percent of those poled experienced a jump between 2007 and 2008. Many of the large data breaches that have occurred over the past few years may have contributed to the fraud.

It’s simple enough to hack into a database and compromise cards and pins. It’s even easier to affix hardware to the face of an ATM machine and do the same. Once the data is compromised the identity thieves clone cards and turn the data into cash as quickly.

Bankinfosecurity.com recently published “7 Growing Threats to Financial Institutions”. This post is a play on that; “7 Growing Threats to You”

#1 Skimming; Hardware readily available online that is attached to the face of an ATM records user card information and pin codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read data. The machine might be powered by car batteries or plugged in the nearest outlet.

#4 Ram Raids; ATMs built into a wall or stand alone are being rammed by a truck and/or wrapped with chain and pulled out then loaded onto a truck. Once removed the thieves blow torch the machine taking the cash. This is a hot topic in Mexican banks, buy certainly happens everywhere. A bank would be smart to install battery backed GPS in any machine.

#5 PIN ID’s; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with a hacking software that plugs in various well known PINs. These PINs might be consecutive numbers, peoples names, pets names, birthdates, or other various simple pass phrases people use. When it finds a match it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the banks telephone banking system to change the customers PIN. They may try to change the customers ANI (Automatic Number Identification) is a system utilized by telephone companies to identify the DN (Directory Number) of a caller. This might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder such as name, card account number and last four digits of the social security number to “verify” them as the banks customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a bank on their smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine logging card numbers and pins.

How to protect yourself;

First and foremost; Pay attention to your statements every two weeks. Refute unauthorized transactions within a 30-60 day time frame.

1. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place. If your card sticks, odd looking configurations on the ATM, wires, two sided tape.
2. Use strong PINs, uppercase lower case, alpha and numeric online and when possible at an ATM and for telephone banking.
3. Don’t reply to phishing or phexting emails. Just hit delete.
4. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere.
5. Make sure your McAfee anti-virus is up to date.
6. Invest in Intelius identity theft protection and prevention. Because when all else fails its good to have someone watching your back.

Robert Siciliano Identity Theft Speaker discussing ATM skimming

ATM Skimmer Defeated By Customer

Identity Theft Expert Robert Siciliano

Its not often that I get to report on the victim becoming the victor. It’s nice to see the good guys win one.

I met a charismatic gent on FOX and Friends named Sean Seibel. Sean has a unique job title at Microsoft: User Experience Evangelist. Sean’s job is to be on top of what’s new and what’s next in technology, in the next 5-7 years. He’s a futurist. He and I spoke in the green room of the show before we appeared together on a segment regarding ATM skimming.

ATM skimming often results in forms of identity theft, credit card fraud or bank fraud.

To be a User Experience Evangelist requires a certain vision, insight and the ability to go beyond what’s current or obvious. Sean proved his ability to see “more” by trumping a gang of identity thieves who set out to steal millions from ATMs but “only” got away with $500,000.

Sean stopped at an ATM to get some cash to pay his barber. When he inserted his ATM card in the machine, he noticed a bit of resistance. Most people wouldn’t think twice about this. But Sean doesn’t think like most people. Then the screen said the machine was unable to read his card so he tried again. The second time, the machine gave him an error message. Before he tried again, he thought about a report he had heard about devices that fraudsters attach to the outside of card readers on ATM machines and wondered if that was the source of his problem.

He says, “I’m looking at the thing and thinking, this can’t be. No way. There are all these stories and myths about it, but I actually found one in the wild.”

Sean was face to face with an ATM skimmer, one that he had just swiped his card through. His heart started pounding. Adrenalin was rushing through his body. He was concerned, not just that he might be scammed, but that criminals might be very close by, maybe even behind him or watching him. However, that did not deter him.

Sean says, “I tried to pull on the green plastic surrounding the card slot and found that it peeled right off.” This plastic ATM skimmer had an SD card built into it to store all the stolen data. Sean went into the bank and notified the branch manager, who had never seen an ATM skimmer and didn’t know what to do. She took the skimmer and thanked Sean.

Then Sean remembered, from numerous reports about ATM skimming, that there are usually 2 parts to the ATM skimmer. One is the skimming device itself, the second is a micro-camera placed somewhere on the machine, where it 1arecords the user’s PIN. The camera is often installed in a false brochure holder that taped to the ATM. In this case, it was behind a small mirror that alerts the ATM user to beware of “shoulder surfers.”

Sean went back to the still operational ATM, where people were waiting in line for their cash, and noticed a tiny video camera behind an extra mirror attached to the machine, positioned right over the key pad where it could record user’s PINs. Not being a bank employee and not wanting to alarm any of the people iwaiting, he actually got in line, waited his turn (knowing that the skimmer was gone and nobody was in danger) and pulled the camera off the ATM.

He brought the camera to the bank manager, who replied by saying, “Maybe we should shut 2b*that machine down, huh?” Sean said, “I think that’s a good idea.” The bank manager contacted bank security, shut down the machine and alerted other area banks. The identity thieves netted $500,000 from their scam, rather than the millions they might have stolen had Sean Seibel not foiled their operation.

Bank branch manager…ZERO
Identity Thieves……….$500,000
Sean Seibel foiling their operation and becoming a hero to many….Priceless.

Some great tips from Marite Ferrero, of CardSwitch Technology:

  • Skimming has been and will continue to be the most common type of ATM-related fraud.
  • Criminals attach skimming devices over card slots on ATMs to steal data as the machine reads the card’s magnetic strip.
  • Hidden cameras record victims typing in their PIN codes.
  • More sophisticated criminals use wireless keypad overlays, which transmit PINs to a nearby laptop, instead 3bof cameras.
  • The U.S. Secret Service estimates that annual losses from ATM skimming total about $1 billion each year, or $350,000 a day.
  • Bank ATMs are more vulnerable than standalone ATMs.
  • Standalone ATMs in grocery stores or on the street use technology that encrypts the PIN pad, making them more difficult for criminals to hack.
  • Standalone ATMs are often positioned near the watchful eye of cashiers or store owners, so it’s harder to install skimmers without being caught.
  • Bank ATMs are also more highly trafficked, which means a bigger potential payoff for the criminals.

Also, invest in identity theft protection and make to update your PC’s McAfee internet security software.

Identity theft expert Robert Siciliano discusses ATM skimming.