ATM Security Threats Increase

ATM skimming alone is responsible for $350,000 of fraud daily, exceeding a billion dollars in losses annually.

A recent news report of a skimming scam in Long Island, N.Y., netted thieves more than $200,000 from ATMs at five branches.

Skimming today is far more sophisticated than in the past. Skimmers can include Bluetooth and texting technology that sends the data to the criminal anywhere. Keypads can be compromised by devices that overlay the existing pad and transfer the data remotely.

ATM scams and fraud go beyond skimming, ranging from very physical crimes such as ram raiding to remote malicious software hacks.

During the Black Hat conference a hacker demonstrated how he forced three ATMs to dispense funds by exploiting weaknesses in the computers that operate the machines. He purchased machines online and discovered that the physical keys were the same for all ATMs of that type made by that manufacturer. He used the keys to unlock a compartment of the ATM that had standard USB slots. He then inserted a program he wrote for one of the machines, commanding it to dispense all of its vault cash.

Bankinfosecurity.com published “7 Growing Threats to Financial Institutions”.

#1 Skimming; Hardware readily available online is attached to the face of an ATM and records user card information and PIN codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose: read data. The machine might be powered by car batteries or plugged into the nearest outlet.

#4 Ram Raids; ATMs built into a wall or standing alone are rammed by a truck and/or wrapped with chain, pulled out, then loaded onto a truck. Once removed, the thieves blowtorch the machine and take the cash. This is a hot topic in Mexican banks, but certainly happens everywhere. A bank would be smart to install battery-backed GPS in any machine.

#5 PIN IDs; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with hacking software that plugs in various well-known PINs. These PINs might be consecutive numbers, people’s names, pet names, birthdates, or other simple passphrases people use. When it finds a match, it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the bank’s telephone banking system to change the customer’s PIN. They may try to change the customer’s ANI (Automatic Number Identification), the system telephone companies use to identify a caller’s DN (Directory Number); this might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder, such as name, card account number and the last four digits of the Social Security number, to “verify” themselves as the bank’s customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a “bank” on their smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine, logging card numbers and PINs.

To help combat ATM skimming, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models.

ADT’s Anti-Skim Solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader.

How to protect yourself from ATM skimming;

  1. First and foremost; Pay attention to your statements every two weeks. Dispute unauthorized transactions within a 30-60 day time frame.
  2. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place: your card sticks, odd-looking configurations on the ATM, wires, two-sided tape.
  3. Use strong PINs and passwords: uppercase, lowercase, alpha and numeric online, and when possible at an ATM and for telephone banking.
  4. Don’t reply to phishing or phexting emails. Just hit delete.
  5. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere. Do not drop your guard if the ATM is at a bank branch.

Robert Siciliano personal security expert to Home Security Source discussing ATM skimming on Fox Boston. Disclosures.

Scams Happen to Smart People Who Do Stupid Things

Robert Siciliano Identity Theft Expert

Most people are too smart to fall for a Nigerian 419 scam. But plenty of smart people fell for Bernie Madoff’s investment scams. Madoff was far more subtle than your average scammer. But in this day and age, people ought to be more alert to potential scams than ever before. And yet this wolf in sheep’s clothing was able to bilk so many investors. So it looks like we aren’t as savvy as we should be.

The root of the problem is the sheer number of scams. There are investment seminars, smoke and mirror charities, phishing emails and even text messages. I got a “phext” (phishing text message) from “r.yahoo.com” that said, “changed secret question, log in to update, or text HELP or to end STOP.” Naturally, this raised my suspicions, so I did an online search which led me to a forum discussion of this particular scam. Apparently, any response to this text message would have allowed hackers to access plenty of proprietary data.

A prominent security and privacy researcher emailed me to describe an attempted Craigslist scam:

“Robert, so, I registered on Craigslist and posted our above ground pool for sale. Within minutes got a reply from someone asking some basic questions (most of which could have been answered if they had read the advert). Their reply to my answers raised an immediate red flag. This individual claimed to be from Miami and was willing to write me a check for the full amount, plus shipping charges for their shipping company that would pick up the pool. In other words, I deposit a check (in context it seemed to be either a business or personal check, either way I would have had to wait for it to clear) and when it clears, I keep my asking price and give the difference to the shipping company when they arrive to pick up the pool.

I’ve ceased communication with this individual, but this just stinks to high heaven. First, if it is their own shipping company, why should I have to pay them? Second, no way I’m going to deposit this check into my account and risk having my bank info show up on their statement. Third, why would someone in Miami (above ground pools aren’t all that popular down there, it seems to me) want to pay to have a used above ground pool shipped all the way from New England? Fourth, I’m just nervous about stuff like that anyway.

Ever heard of/encountered that kind of situation before?”

This is an advance fee scam! Now, since I am obsessively screaming about this stuff all day, I can see this coming from a mile away, as did my friend. But those who are less tuned in to the variety of potential scams might easily fall victim to this type of crime.

Financial troubles are forcing people to seek out new opportunities. When we are searching for jobs or attempting to sell our belongings online, or simply spending more time using social networking sites, we become more susceptible to the latest scams. But the biggest danger is our own egos and our complacency, as we foolishly believe that we are all too smart to become victims.

According to The Wall Street Journal, many scam victims are pretty smart. Three recent studies showed that victims of investment fraud tend to be better educated and have higher incomes than nonvictims, and that most have been investing for a decade or more. Because they are so confident in their own judgment, they fail to seek out professional advice.

Years ago, the Better Business Bureau conducted a test in which they planted a man dressed in normal street clothes outside a store during the holiday season. They gave the man a plastic pumpkin and a bell to ring. He spent twenty minutes ringing the bell, and during that time, people kept dropping money into the pumpkin. When the people were questioned, most believed that they had just donated to the Salvation Army, simply because the man was ringing a bell. Like Pavlov’s dogs, they opened their wallets.

Criminals aren’t any smarter than we are, but they know how to capitalize on our stupidity. You need to take steps to protect your own identity, because while you are smart enough to inform yourself about these issues, you can’t prevent some company from stupidly compromising your sensitive personal data. Prevent new account fraud by getting a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. And invest in Intelius Identity Theft Protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses various scams on TBS’s Movie and a Makeover.

ATM Fraud Increases Identity Theft Risk

Robert Siciliano Identity Theft Expert

A spate of recent news reports highlight growing ATM fraud. Law enforcement in New York City reported a gang had stolen $500,000 from bank accounts via ATM skimming. They installed cameras and skimming devices on the machines, and recorded the magnetic strips and the PINs.

A recent survey points towards ATM fraud rising 5-9 percent. Seventy percent of those polled experienced a jump between 2007 and 2008. Many of the large data breaches that have occurred over the past few years may have contributed to the fraud.

It’s simple enough to hack into a database and compromise cards and PINs. It’s even easier to affix hardware to the face of an ATM and do the same. Once the data is compromised, the identity thieves clone cards and turn the data into cash quickly.

Bankinfosecurity.com recently published “7 Growing Threats to Financial Institutions”. This post is a play on that; “7 Growing Threats to You”

#1 Skimming; Hardware readily available online is attached to the face of an ATM and records user card information and PIN codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose: read data. The machine might be powered by car batteries or plugged into the nearest outlet.

#4 Ram Raids; ATMs built into a wall or standing alone are rammed by a truck and/or wrapped with chain, pulled out, then loaded onto a truck. Once removed, the thieves blowtorch the machine and take the cash. This is a hot topic in Mexican banks, but certainly happens everywhere. A bank would be smart to install battery-backed GPS in any machine.

#5 PIN IDs; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with hacking software that plugs in various well-known PINs. These PINs might be consecutive numbers, people’s names, pets’ names, birthdates, or other simple passphrases people use. When it finds a match, it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the bank’s telephone banking system to change the customer’s PIN. They may try to change the customer’s ANI (Automatic Number Identification), the system telephone companies use to identify a caller’s DN (Directory Number); this might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder, such as name, card account number and the last four digits of the Social Security number, to “verify” themselves as the bank’s customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a “bank” on their smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine, logging card numbers and PINs.
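The “PIN IDs” threat above (and the same item in the earlier list) works only because the guessed PINs are predictable and because nothing stops a script from trying one after another. The following is an added example, not code from the original post or from any bank: a small Python PIN-policy check that rejects consecutive runs, repeated digits or pairs, a short constructed blocklist of commonly chosen PINs, and any PIN derived from the cardholder’s date of birth, plus a per-account attempt limiter that locks the account after a few failures. The blocklist contents, the 4-to-6-digit rule and the lockout threshold are assumptions chosen for the example.

```python
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed blocklist of PINs widely reported as common choices.
# Hypothetical short list for the example; a real deployment would use a fuller one.
COMMON_PINS: Set[str] = {"1234", "1111", "0000", "1212", "7777",
                         "1004", "2000", "4444", "2222", "6969"}


def _is_sequence(pin: str) -> bool:
    """True for a straight ascending or descending run such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _is_repeated(pin: str) -> bool:
    """True for a single repeated digit (1111) or a repeated pair (1212, 2323)."""
    if len(set(pin)) == 1:
        return True
    return len(pin) % 2 == 0 and pin == pin[:2] * (len(pin) // 2)


def _date_patterns(birthdate: date) -> Set[str]:
    """PINs a cardholder is likely to derive from a date of birth (DDMM, MMDD, YYYY, ...)."""
    d = f"{birthdate.day:02d}"
    m = f"{birthdate.month:02d}"
    y = f"{birthdate.year:04d}"
    yy = y[2:]
    return {d + m, m + d, y, yy + m, m + yy, d + yy, yy + d, d + m + yy, m + d + yy}


def check_pin(pin: str, birthdate: Optional[date] = None) -> List[str]:
    """Return the policy violations for a candidate PIN; an empty list means it passes."""
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        return ["must be 4 to 6 digits"]
    problems: List[str] = []
    if pin in COMMON_PINS:
        problems.append("is on the common-PIN blocklist")
    if _is_sequence(pin):
        problems.append("is a consecutive run of digits")
    if _is_repeated(pin):
        problems.append("is a repeated digit or pair")
    if birthdate is not None and pin in _date_patterns(birthdate):
        problems.append("is derived from the cardholder's date of birth")
    return problems


class AttemptLimiter:
    """Counts consecutive failed PIN attempts per account and locks the account after
    `limit` failures, so a script cannot simply cycle through a list of common PINs."""

    def __init__(self, limit: int = 3) -> None:
        self.limit = limit
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt and return True if the account is locked afterwards."""
        if account in self._locked:
            return True
        if success:
            self._failures.pop(account, None)  # a good PIN resets the counter
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.limit:
            self._locked.add(account)
        return account in self._locked

    def is_locked(self, account: str) -> bool:
        return account in self._locked


if __name__ == "__main__":
    holder_dob = date(1970, 3, 7)  # constructed sample cardholder
    for candidate in ("1234", "2583", "0703"):
        print(candidate, check_pin(candidate, holder_dob) or "ok")
```

Both controls belong together: the policy check shrinks the set of PINs a guessing script would find, and the limiter makes even a weak PIN expensive to guess. In practice the blocklist and the lockout state would live in the core banking system, and a locked account would also raise an alert.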

How to protect yourself;

First and foremost; Pay attention to your statements every two weeks. Dispute unauthorized transactions within a 30-60 day time frame.

1. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place: your card sticks, odd-looking configurations on the ATM, wires, two-sided tape.
2. Use strong PINs and passwords: uppercase, lowercase, alpha and numeric online, and when possible at an ATM and for telephone banking.
3. Don’t reply to phishing or phexting emails. Just hit delete.
4. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere.
5. Make sure your McAfee anti-virus is up to date.
6. Invest in Intelius identity theft protection and prevention. Because when all else fails, it’s good to have someone watching your back.

Robert Siciliano Identity Theft Speaker discussing ATM skimming

Identity Theft Expert; Organized Webmobs Focused on Cyber Crime

Identity Theft Expert Robert Siciliano

New reports confirm what we have been seeing in the news; organized criminals have upped the ante. Global web mobs are tearing up financial institutions’ networks.

We’ve known for some time that the long-haired, lowly, pot-smoking, havoc-wreaking hacker, sitting alone in his mom’s basement, hacking for fun and fame is no more. He cut his hair and has now graduated into a full time professional criminal hacker, hacking for government secrets and financial gain.

His contacts are global, many from Russia and Eastern Europe, and they include brilliant teens, 20-somethings, all the way up to clinical psychologists who are organized, international cyber criminals.

We are in the middle of a cold cyber crime war.

Their sole motivation is money and information, and they either find their way inside networks through flaws in the applications, or they work on their victims psychologically and trick them into entering usernames and passwords, or clicking links.

According to a new Verizon report, a staggering 285 million records were compromised in 2008, which exceeds total losses for 2004-2007 combined. As many as 93% of the breaches were targeted hacks occurring at financial institutions.

Hackers made $10 million by hacking RBS Worldpay’s system, then loading up blank dummy cards and gift cards, and sending mules to use them at ATMs. The entire scheme took less than one day to pull off.

Many of these hacks occur due to flaws in the design of web applications. The criminals send out “sniffers,” which seek out those flaws. Once they are found, the attack begins. Malware is generally implanted on the network to extract usernames and passwords. Once the criminals have full access, they use the breached system as their own, storing the stolen data and eventually turning it into cash.

Meanwhile, criminal hackers have created approximately 1.6 million security threats, according to Symantec’s Internet Security Threat Report. 90% of these attacks were designed to steal personal information including names, addresses and credit card details. Almost every single American has had their data compromised in some way.

Unsuspecting computer users who do not update their PC’s basic security, including Windows updates, critical security patches or anti-virus definitions often become infected as part of a botnet. Botnets are used to execute many of the attacks on unprotected networks.

The same study shows computer users were hit by 349 billion spam and phishing messages. Many were tricked into giving up personal information. It is common sense not to plug data into an email that appears to be from your bank, asking to update your account. Attacks directed towards mobile phones are also rising. “Phexting” is when a text message phishes for personal data. Just hit delete.

Much of the data stolen is out of your hands. So invest in identity theft protection, and keep your McAfee Internet security software updated.

Robert Siciliano, identity theft speaker, discusses criminal hackers who got caught.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Phishing Attacks Rise Dramatically in 2008

Robert Siciliano Identity Theft Expert – Speaker

Stupid people get hooked by phishers. You have to be a complete idiot to get sucked into a scam email full of typos making requests that are geared toward naïve, simple-minded, pea-brained fools. Right? Yes? No? So why have phishing attacks risen dramatically in 2008? That’s 66% higher than in 2007.

Have we gotten dumber or are the attackers getting smarter?

RSA concluded that phishing attacks rose to an unprecedented 15,002 in April of 2008, with millions of people in mainly English-speaking nations receiving ruse after ruse. 68% of US bank brands were attacked, while fewer than 7% of UK brands were.

However, the UK takes the title for the most exploits as the most phished country in the world, accounting for 40% of the 135,426 cases detected by RSA.

This seems to be due to the UK’s system allowing fraudulent transfers fast enough (“real-time”) to avoid detection. Criminals like real-time fast cash.

Much of the success of phishers is that they are in fact getting smarter, using “fast flux” attacks. Fast flux is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. (Thank you, Wikipedia.)
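From the defender’s side, the fast flux described above leaves a signature in DNS: a phishing hostname that resolves to many different addresses, spread across unrelated networks, with very short TTLs so the answer keeps changing. The following is an added example, not code from the original post or from RSA: a Python heuristic that groups resolver observations per hostname and flags the combination of many distinct A records, many distinct /24s and a short median TTL. The log is constructed from documentation addresses and reserved example names, and the thresholds (6 addresses, 3 subnets, 300-second TTL) are assumptions chosen for the example. The third host shows the usual caveat: a content delivery network also rotates through many addresses with short TTLs, which is why the subnet spread is part of the score.

```python
import statistics
from collections import defaultdict
from typing import Dict, Set

# Constructed resolver log, one observation per line:
#   <epoch> <hostname> <ttl_seconds> <comma-separated A records>
# Documentation addresses (RFC 5737) and example names only; not real observations.
SAMPLE_LOG = """\
1230000000 secure-update.example.net 180 203.0.113.10,198.51.100.7
1230000200 secure-update.example.net 180 192.0.2.44,203.0.113.200
1230000400 secure-update.example.net 120 198.51.100.91,192.0.2.9
1230000600 secure-update.example.net 180 203.0.113.77,198.51.100.130
1230000000 www.example.com 3600 192.0.2.1
1230000400 www.example.com 3600 192.0.2.1
1230000800 www.example.com 3600 192.0.2.2
1230000000 cdn.example.org 60 192.0.2.100,192.0.2.101
1230000300 cdn.example.org 60 192.0.2.102,192.0.2.103
1230000600 cdn.example.org 60 192.0.2.104,192.0.2.105
"""


def parse_log(text: str) -> Dict[str, dict]:
    """Group observations per hostname: the set of A records seen and every TTL."""
    records: Dict[str, dict] = defaultdict(lambda: {"ips": set(), "ttls": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, ttl, ips = line.split()
        records[host]["ttls"].append(int(ttl))
        records[host]["ips"].update(ips.split(","))
    return dict(records)


def _subnet24(ip: str) -> str:
    """The /24 an IPv4 address belongs to; a cheap stand-in for 'a different network'."""
    return ".".join(ip.split(".")[:3])


def flux_report(records: Dict[str, dict], min_ips: int = 6,
                min_subnets: int = 3, max_ttl: int = 300) -> Dict[str, dict]:
    """Score each hostname on the three fast-flux traits and flag those showing all three."""
    report: Dict[str, dict] = {}
    for host, rec in records.items():
        ips: Set[str] = rec["ips"]
        subnets = {_subnet24(ip) for ip in ips}
        median_ttl = statistics.median(rec["ttls"])
        report[host] = {
            "distinct_ips": len(ips),
            "distinct_subnets": len(subnets),
            "median_ttl": median_ttl,
            "suspected_fast_flux": (len(ips) >= min_ips
                                    and len(subnets) >= min_subnets
                                    and median_ttl <= max_ttl),
        }
    return report


if __name__ == "__main__":
    for host, score in flux_report(parse_log(SAMPLE_LOG)).items():
        flag = "FAST-FLUX?" if score["suspected_fast_flux"] else "ok"
        print(f"{host:28} ips={score['distinct_ips']} /24s={score['distinct_subnets']} "
              f"ttl={score['median_ttl']:.0f} {flag}")
```

Run against a real passive-DNS feed, the same three counters are worth keeping per hostname over a sliding window; production detectors replace the /24 proxy with autonomous-system lookups, which separate a CDN’s own address blocks from a botnet’s scattered residential hosts far more reliably.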

Tonight I spent 2 hours on the phone in a webinar with a startup reviewing a fully functional toolbar that makes 54 checks to determine the validity of a website, checking for phishing, pharming etc. All any bank needs to do is adopt the technology and require their clients to adopt it in the sign-in process. In most cases, problem solved.

And do you know what we labored over in this call? How to get all the bank’s clients to install a simple toolbar that would protect them and the bank.

Why is this so difficult?

Robert Siciliano Identity Theft Expert discussing Scambaiter in video Here