Malicious ATM Found At Defcon 17

atm

A fake ATM machine, set to capture ATM information was found at Defcon 17 in vegas this year.  Its design has a tinted plastic window at the top which attendees noticed had a computer in it. It was quickly removed by the police. Is this an amazing coincidence? We doubt it. Someone probably knew exactly who was going to be there and either wanted to scam some hackers or just wanted to have some fun.

49 thoughts on “Malicious ATM Found At Defcon 17

  1. Um… Has it ever occurred to anyone that it takes a computer to run an ATM?

    Unless their were other signs of malicious intent like a removable card reader, camera aimed at the number pad, etc, then what evidence did they have that it was a crooked ATM? Sheesh… What do you expect when a bunch of paranoid “security professionals” gather together in one place… Conspiracy theories start falling from the sky.

    Maybe the ATM was malicious, but maybe it was just a cheaply put together machine that wasn’t “secure” enough for the plaintiff.

    A little more detail would be nice before “world-wide” news is spread about something like this.

  2. Hmm… Doesn’t really completely surprise me that one would see something like that this a “hacker” (twisted media definition) convention. You would think that if they really wanted to get away with some unsuspecting victims CC info they would have completed the illusion of it being an actual ATM. Also the thing is right in the middle of the floor most ATM’s are placed near a wall LMAO. All in all thats just too funny.

  3. It is not known if it was tied to defcon or anyone that attended defcon.

    Quote from CNN

    “chris paget, a security expert who works at google, reported on twitter that he lost $200 from a compromised atm at the rio hotel over the weekend. there are multiple diebold atms with the skimmers inside at the rio casino, he tweeted, later adding: “secret service just called back. they’re taking it seriously, reading between the lines it seem(s) like there’s more going on here.”

    there is no evidence that the fake riviera atm was planted by anyone at defcon, and in all likelihood the hacked rio atm was not associated with the hacker show.”

    http://www.cnn.com/2009/tech/biztech/08/04/cnet.defcon.hackers.security/index.html

  4. “Um… Has it ever occurred to anyone that it takes a computer to run an ATM?

    Unless their were other signs of malicious intent like a removable card reader, camera aimed at the number pad, etc, then what evidence did they have that it was a crooked ATM? Sheesh… What do you expect when a bunch of paranoid “security professionals” gather together in one place… Conspiracy theories start falling from the sky.

    Maybe the ATM was malicious, but maybe it was just a cheaply put together machine that wasn’t “secure” enough for the plaintiff.

    A little more detail would be nice before “world-wide” news is spread about something like this.”

    These people are a mix of professionals and students trained in security matters. The police agreed that the ATM was fraudulent. You should probably read more about Defcon before you comment on these matters.

  5. wow what an amateur attempt.

    buy a real ATM, rewrite the software to read the card, capture the pin and respond with “cant communicate come back later”

    That was a really REALLY amateur attempt.

  6. An interesting development. I also love the comment by agent420, maybe it was an aduino after all, possibly just atiny? LOL. I’d be more concerned about the diebold machines being compromised.

  7. @farthead
    most people don’t even verify their billing statements, let alone pay attention to things like that. add in the social engineering factor that it’s an atm right in front of a security office and you can bet the majority of the population, perhaps even yourself, wouldn’t take notice. Social engineering beats technology every time.

    it’s funny to pick on the poor security expert dood that got taken, but you’ve got to think that if it got him it was good enough to get others. And though it may or may not be coincidence, i think if defcon had not been going on that atm might well still be in action.

  8. Surely watching the security cameras for the place would reveal who brought it in? You know, cash machines are quite large and I bet there’s cameras on the doorway looking at everyone who enters.

  9. @rememberwhen
    I don’t think that was ever a widespread thing. MAC was one brand of ATM. It was the dominant brand where I lived, so I called them MAC machines for a long time, but outside of that area people just looked at me like I was crazy.

  10. ^ yeah, i’m sure they’ll get video of who brought it in. if they were clever these fake atms would be wireless and disposable so they would never have to physically go back.

    the more i read between the lines, the more it seems like this was indeed a decent fake, and the only thing that gave it away was really the lack of a camera behind the tinted plastic… if they had a fake camera prop in there they may have gotten away even longer, though i doubt the defcon crowd would not be suspicsious.

    http://www.computerworld.com/s/article/9136179/Fake_ATM_doesn_t_last_long_at_hacker_meet

  11. I agree with the sentiment that ‘security professionals’ (and all the ‘expert’ feddies there too) should probably be on their toes at the worlds foremost black-hat convention…. profession fail.

  12. I can’t help but think there must been some other motive for placing this thing at defcon. I’d bet that anywhere else a fake atm that just gave an error code after copying the victims data would last weeks or months. I suppose if it was disposable the convention use volume could have made it worth it though.

  13. yes there are computers inside of atm’s but they tend to be old, very old. I heard they use the commodore 64 chipset but that information is old and suspect. what they don’t look like is a crappy laptop. everybody seems to really dislike the people at defcon. why? from “security professionals in quotes. also for those interested they put it in the one spot without a camera, right beside the security entrance I believe. why the security didn’t notice a surprise atm I don’t know.

  14. although i have no relevant experience building anything like this, i won’t let that stop me from assuring you i would have done it better. using my trusty wii-mote, i would have crafted it from the guts of an old drum machine, used a spinning array of green leds for a pov based display and used twitter to relay all of the data. oh, and it would be linux based, so it would in no way fail. that, my friends, is how a real hacker builds his n00b pwning atm. as you were.

  15. has anyone considered that this might be the same “testing” routine done by counterfeiters? after printing their paper, counterfeiters test their goods by paying someone to deposit a few bills at a federal bank. if it isn’t rejected, it’s good to spend everywhere (more or less). what if the guy with the ATM was doing the same thing? what’s a better test for a scamming ATM that a security convention?

  16. I never read any metion in the article that the ATM contained a computer, but I read the following;

    “An attendee grew suspicious of the tinted plastic front and shone a light through it, where he saw a PC instead of the expected security camera”

    Long before PC was short hand for Personal Coumpter, PC was short hand for Printed Circuit. Most likely the person sounding the alarm knew what they should see, and knew what they saw. Most likely those who read computer are young and untrained, or trained but growing older, and ausceptsble to oldtimers, along with the SRS deseas that comes with it. ;)

  17. You can buy real ATM’s off fleabay. everybody that I talked to at the con wouldn’t use any atm but the one beside the cash cage at the riv. There are no cameras where the fake one was sitting. that part of the hotel wasn’t considered “secure”. it is also right in front of the security office….

  18. I used to work in a pizza store that had an ATM built into the side so anyone wanting access to the cash cartridges or technical parts had to go through our store. The ATM even had an LCD screen on the back that showed that it ran a custom version of Windows XP, so naturally it broke down all the time and one time while I saw them working on it I saw that there was indeed just a regular pc inside. Ah Diebold, you crack me up.

  19. I can tell you guys that the picture is indeed of the suspicious ATM. I was looking for an ATM at DefCon and walked right up to it. I noticed it looked smaller than a regular ATM and the screen was dark. I walked past it and used an ATM on the casino floor instead (I’d been keeping an eye out for card skimmers). The ATM was probably about 15 feet away from the security office door in the hall near the buffet. It was actually placed against a column in the middle of the hall. As a casino surveillance professional, I can tell you that the area was not well covered by cameras. In fact there is little coverage in the convention areas. I was tempted to jump up and pull the plug on a still camera that was mounted on the ceiling in a hallway. Both the power and signal cables were just sticking out.

  20. Anybody notice how the carpet pattern doesnt match on both sides of the ATM (not to mention the contrast)? Im fuckin wasted right now, and I still noticed that. I know Vegas is all about distracting people with a busy atmosphere so they dont notice their empty wallets… but I was there, and they definitely dont screw up stuff like that. HA… minus the Arduino stuff, this sites quality control comes into question.

  21. has anyone bothered to check whether this false atm was communicating to an outside source or storing cc data locally? engineering a false atm would require a lot of work, and investment, after all the thing would have to dispense real cash to avoid suspicion. if it’s a criminal job, there will be some mechanism for retrieving stolen data.

  22. i have the operator info of 7 models of ATM machiens thear not fake bud the real deal you
    can do al you wand to do whit the ATM you have not to break the atm open or break the atm
    i will gif the info away for free
    tis you one risk to use it
    you can mail to feri35@hotmail.
    i send you the info in pdf format

  23. I’ve been behind the scenes at one of the conferences, if an ATM machine made it out into the public there the staff knew about it’s origins.

    It’s 30-100 Lbs and very visible…you can’t sneak it pass security and mounds of electronic surveillance under your clothing…

    the great thing about lulz is it’s careless stupid people making other careless stupid people look stupid-er..

    Also there’s something worth noting about that building’s construction and rf transmission..

  24. The two semi portable ones close to here (yes, I use them) run DOS on what looks like a 386. I’ve seen them stuck trying to reboot or successfully rebooting a few times when something went wrong. I see nothing wrong with this per se – the physical security of the money is the cruncher not what hardware does the rather trivial “read card, crypto, check with bank, trigger actuator to dispense cash”. There isn’t really anything you could do in hardware to assure the user this is a real ATM rather then a home built looks-like-an-ATM that just logs card numbers and PINs anyway. Even real ATMs sometimes say “Oh, I can’t connect to the bank. Sorry bro” once in a while.

  25. looks like a Diebold Aptiva ATM. The new card readers are swipe they no longer pull your card in.
    The ATM’s now look cheaply made. I’m sure if someone had a little extra cash they can make a mock ATM and stick any old P4 based machine with a few ATM amenity’s anyone can make a machine. but they usually level and bolt down the box of the machine to the floor with 1 inch lag bolts. If they hand trucked this thing out then it was a fake.

  26. oh never mind my last comment..how many security firm ceos does it take to catch a malicious atm planter XD

    high security environment+small army of security professionals+a big atm that did light pwnage before being found and played down by the uber leetzors=epic lulz

  27. Am an expert with ATM machines for the past 15years in several countries. I design this programmes and now am always under constant police surveillance. i have all the secrets. Seek my help at your own risk and never mention me. Just email me at:

  28. Am an expert with ATM machines for the past 15years in several countries. I design this programmes and now am always under constant police surveillance. i have all the secrets. Seek my help at your own risk and never mention me. Just email me at:aluebhose@yahoo.com

  29. If your under complete surveillance, then why would they allow you to say this on hack a day?Furthermore: anyone who mailed you would be nailed by the fuzz for asking you about this stuff. Anyone who mails you is stupid.

Leave a Reply to daenrisCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.