66% or better

Malicious ATM found at Defcon 17

atm

A fake ATM machine, set to capture ATM information was found at Defcon 17 in vegas this year.  Its design has a tinted plastic window at the top which attendees noticed had a computer in it. It was quickly removed by the police. Is this an amazing coincidence? We doubt it. Someone probably knew exactly who was going to be there and either wanted to scam some hackers or just wanted to have some fun.

Comments

  1. charlie says:

    I believe i saw some lolcats in teh celings around the atm, instead of cameras.

  2. Thomas says:

    Um… Has it ever occurred to anyone that it takes a computer to run an ATM?

    Unless their were other signs of malicious intent like a removable card reader, camera aimed at the number pad, etc, then what evidence did they have that it was a crooked ATM? Sheesh… What do you expect when a bunch of paranoid “security professionals” gather together in one place… Conspiracy theories start falling from the sky.

    Maybe the ATM was malicious, but maybe it was just a cheaply put together machine that wasn’t “secure” enough for the plaintiff.

    A little more detail would be nice before “world-wide” news is spread about something like this.

  3. Liquid says:

    Hmm… Doesn’t really completely surprise me that one would see something like that this a “hacker” (twisted media definition) convention. You would think that if they really wanted to get away with some unsuspecting victims CC info they would have completed the illusion of it being an actual ATM. Also the thing is right in the middle of the floor most ATM’s are placed near a wall LMAO. All in all thats just too funny.

  4. Caleb Kraft says:

    @thomas,
    Surely there was an obvious telltale sign. These are savvy people that reported it.

    @liquid,
    I don’t think that photo is accurate. It was the only one on the article.

  5. Agent420 says:

    “this atm incurs a transaction fee of $1,000,000.00 – press yes to continue or no to cancel”

  6. Darcshado says:

    It is not known if it was tied to defcon or anyone that attended defcon.

    Quote from CNN

    “chris paget, a security expert who works at google, reported on twitter that he lost $200 from a compromised atm at the rio hotel over the weekend. there are multiple diebold atms with the skimmers inside at the rio casino, he tweeted, later adding: “secret service just called back. they’re taking it seriously, reading between the lines it seem(s) like there’s more going on here.”

    there is no evidence that the fake riviera atm was planted by anyone at defcon, and in all likelihood the hacked rio atm was not associated with the hacker show.”

    http://www.cnn.com/2009/tech/biztech/08/04/cnet.defcon.hackers.security/index.html

  7. maus says:

    “Um… Has it ever occurred to anyone that it takes a computer to run an ATM?

    Unless their were other signs of malicious intent like a removable card reader, camera aimed at the number pad, etc, then what evidence did they have that it was a crooked ATM? Sheesh… What do you expect when a bunch of paranoid “security professionals” gather together in one place… Conspiracy theories start falling from the sky.

    Maybe the ATM was malicious, but maybe it was just a cheaply put together machine that wasn’t “secure” enough for the plaintiff.

    A little more detail would be nice before “world-wide” news is spread about something like this.”

    These people are a mix of professionals and students trained in security matters. The police agreed that the ATM was fraudulent. You should probably read more about Defcon before you comment on these matters.

  8. Agent420 says:

    ^ security expert street cred diminished ;-)

  9. Agent420 says:

    wait… no build plans? did they use an arduino?

  10. rememberwhen says:

    remember when we called them MAC machines?

    btw – agent420, genius comment.

  11. farthead says:

    wow what an amateur attempt.

    buy a real ATM, rewrite the software to read the card, capture the pin and respond with “cant communicate come back later”

    That was a really REALLY amateur attempt.

  12. Stephen says:

    An interesting development. I also love the comment by agent420, maybe it was an aduino after all, possibly just atiny? LOL. I’d be more concerned about the diebold machines being compromised.

  13. Agent420 says:

    @farthead
    most people don’t even verify their billing statements, let alone pay attention to things like that. add in the social engineering factor that it’s an atm right in front of a security office and you can bet the majority of the population, perhaps even yourself, wouldn’t take notice. Social engineering beats technology every time.

    it’s funny to pick on the poor security expert dood that got taken, but you’ve got to think that if it got him it was good enough to get others. And though it may or may not be coincidence, i think if defcon had not been going on that atm might well still be in action.

  14. piku says:

    Surely watching the security cameras for the place would reveal who brought it in? You know, cash machines are quite large and I bet there’s cameras on the doorway looking at everyone who enters.

  15. daenris says:

    @rememberwhen
    I don’t think that was ever a widespread thing. MAC was one brand of ATM. It was the dominant brand where I lived, so I called them MAC machines for a long time, but outside of that area people just looked at me like I was crazy.

  16. Agent420 says:

    ^ yeah, i’m sure they’ll get video of who brought it in. if they were clever these fake atms would be wireless and disposable so they would never have to physically go back.

    the more i read between the lines, the more it seems like this was indeed a decent fake, and the only thing that gave it away was really the lack of a camera behind the tinted plastic… if they had a fake camera prop in there they may have gotten away even longer, though i doubt the defcon crowd would not be suspicsious.

    http://www.computerworld.com/s/article/9136179/Fake_ATM_doesn_t_last_long_at_hacker_meet

  17. xrazorwirex says:

    I agree with the sentiment that ‘security professionals’ (and all the ‘expert’ feddies there too) should probably be on their toes at the worlds foremost black-hat convention…. profession fail.

  18. Wolf says:

    I can’t help but think there must been some other motive for placing this thing at defcon. I’d bet that anywhere else a fake atm that just gave an error code after copying the victims data would last weeks or months. I suppose if it was disposable the convention use volume could have made it worth it though.

  19. Hiroe says:

    yes there are computers inside of atm’s but they tend to be old, very old. I heard they use the commodore 64 chipset but that information is old and suspect. what they don’t look like is a crappy laptop. everybody seems to really dislike the people at defcon. why? from “security professionals in quotes. also for those interested they put it in the one spot without a camera, right beside the security entrance I believe. why the security didn’t notice a surprise atm I don’t know.

  20. Bil Keane says:

    Real ATMs have pcs in them, i used to work for a bank.

  21. Agent420 says:

    ^ one just need google ‘atm blue screen’ to know that is a fact.

  22. vikki says:

    i can’t think of a better way to weed out the posers. to get hacked at a convention in such a way would be way too embarrassing.

  23. LordDominoTwain says:

    although i have no relevant experience building anything like this, i won’t let that stop me from assuring you i would have done it better. using my trusty wii-mote, i would have crafted it from the guts of an old drum machine, used a spinning array of green leds for a pov based display and used twitter to relay all of the data. oh, and it would be linux based, so it would in no way fail. that, my friends, is how a real hacker builds his n00b pwning atm. as you were.

  24. anon says:

    has anyone considered that this might be the same “testing” routine done by counterfeiters? after printing their paper, counterfeiters test their goods by paying someone to deposit a few bills at a federal bank. if it isn’t rejected, it’s good to spend everywhere (more or less). what if the guy with the ATM was doing the same thing? what’s a better test for a scamming ATM that a security convention?

  25. doug says:

    I never read any metion in the article that the ATM contained a computer, but I read the following;

    “An attendee grew suspicious of the tinted plastic front and shone a light through it, where he saw a PC instead of the expected security camera”

    Long before PC was short hand for Personal Coumpter, PC was short hand for Printed Circuit. Most likely the person sounding the alarm knew what they should see, and knew what they saw. Most likely those who read computer are young and untrained, or trained but growing older, and ausceptsble to oldtimers, along with the SRS deseas that comes with it. ;)

  26. barry99705 says:

    You can buy real ATM’s off fleabay. everybody that I talked to at the con wouldn’t use any atm but the one beside the cash cage at the riv. There are no cameras where the fake one was sitting. that part of the hotel wasn’t considered “secure”. it is also right in front of the security office….

  27. smilr says:

    I’ve read that the fake atm was placed against a wall, next to a door reserved for building security – right where there was no camera coverage.

  28. deathwombat says:

    I used to work in a pizza store that had an ATM built into the side so anyone wanting access to the cash cartridges or technical parts had to go through our store. The ATM even had an LCD screen on the back that showed that it ran a custom version of Windows XP, so naturally it broke down all the time and one time while I saw them working on it I saw that there was indeed just a regular pc inside. Ah Diebold, you crack me up.

  29. argus says:

    I can tell you guys that the picture is indeed of the suspicious ATM. I was looking for an ATM at DefCon and walked right up to it. I noticed it looked smaller than a regular ATM and the screen was dark. I walked past it and used an ATM on the casino floor instead (I’d been keeping an eye out for card skimmers). The ATM was probably about 15 feet away from the security office door in the hall near the buffet. It was actually placed against a column in the middle of the hall. As a casino surveillance professional, I can tell you that the area was not well covered by cameras. In fact there is little coverage in the convention areas. I was tempted to jump up and pull the plug on a still camera that was mounted on the ceiling in a hallway. Both the power and signal cables were just sticking out.

  30. Detective Bruno says:

    Anybody notice how the carpet pattern doesnt match on both sides of the ATM (not to mention the contrast)? Im fuckin wasted right now, and I still noticed that. I know Vegas is all about distracting people with a busy atmosphere so they dont notice their empty wallets… but I was there, and they definitely dont screw up stuff like that. HA… minus the Arduino stuff, this sites quality control comes into question.

  31. argus says:

    Check the original pic on Wired. It shows the whole picture and the crappy mismatched carpet the Riv has.

  32. amk says:

    has anyone bothered to check whether this false atm was communicating to an outside source or storing cc data locally? engineering a false atm would require a lot of work, and investment, after all the thing would have to dispense real cash to avoid suspicion. if it’s a criminal job, there will be some mechanism for retrieving stolen data.

  33. ferdie says:

    i have the operator info of 7 models of ATM machiens thear not fake bud the real deal you
    can do al you wand to do whit the ATM you have not to break the atm open or break the atm
    i will gif the info away for free
    tis you one risk to use it
    you can mail to feri35@hotmail.
    i send you the info in pdf format

  34. ferdie says:

    sorry mail add
    feri354@hotmail.

  35. Robo says:

    This ATM machine provided by the Department of Redundancy Department

  36. agent58 says:

    No freakin way, I thought that only happened in the movies.

  37. killerabbit says:

    @robo

    would you like to enter your pin number into that atm machine? ha

  38. TJHooker says:

    I’ve been behind the scenes at one of the conferences, if an ATM machine made it out into the public there the staff knew about it’s origins.

    It’s 30-100 Lbs and very visible…you can’t sneak it pass security and mounds of electronic surveillance under your clothing…

    the great thing about lulz is it’s careless stupid people making other careless stupid people look stupid-er..

    Also there’s something worth noting about that building’s construction and rf transmission..

  39. tubes says:

    I know a few banks use PCs as ATMs that use internet explorer as the UI.

  40. LarrySDonald says:

    The two semi portable ones close to here (yes, I use them) run DOS on what looks like a 386. I’ve seen them stuck trying to reboot or successfully rebooting a few times when something went wrong. I see nothing wrong with this per se – the physical security of the money is the cruncher not what hardware does the rather trivial “read card, crypto, check with bank, trigger actuator to dispense cash”. There isn’t really anything you could do in hardware to assure the user this is a real ATM rather then a home built looks-like-an-ATM that just logs card numbers and PINs anyway. Even real ATMs sometimes say “Oh, I can’t connect to the bank. Sorry bro” once in a while.

  41. shortwave says:

    looks like a Diebold Aptiva ATM. The new card readers are swipe they no longer pull your card in.
    The ATM’s now look cheaply made. I’m sure if someone had a little extra cash they can make a mock ATM and stick any old P4 based machine with a few ATM amenity’s anyone can make a machine. but they usually level and bolt down the box of the machine to the floor with 1 inch lag bolts. If they hand trucked this thing out then it was a fake.

  42. TJHooker says:

    headlines: defcon hacker conference get lulzed all up, and with the help of the federal government is unable to unlulz the case.

  43. TJHooker says:

    oh never mind my last comment..how many security firm ceos does it take to catch a malicious atm planter XD

    high security environment+small army of security professionals+a big atm that did light pwnage before being found and played down by the uber leetzors=epic lulz

  44. creepykrawler says:

    hahahah…I remember seeing this machine…nice one!

  45. leej says:

    “this atm incurs a transaction fee of $1,000,000.00 – press yes to continue or no to continue”

  46. Tripifaps says:

    Illilipordify
    apeg
    fapeQueesehex
    rdbg

  47. ken says:

    Am an expert with ATM machines for the past 15years in several countries. I design this programmes and now am always under constant police surveillance. i have all the secrets. Seek my help at your own risk and never mention me. Just email me at:

  48. ken says:

    Am an expert with ATM machines for the past 15years in several countries. I design this programmes and now am always under constant police surveillance. i have all the secrets. Seek my help at your own risk and never mention me. Just email me at:aluebhose@yahoo.com

  49. Slanesch says:

    If your under complete surveillance, then why would they allow you to say this on hack a day?Furthermore: anyone who mailed you would be nailed by the fuzz for asking you about this stuff. Anyone who mails you is stupid.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s