Scamming ATM Cards for Fun and Profit

It’s a lot easier than you might think for the Ruskies to start vacuuming funds from your account after they steal the account number and PIN codes from Office Max.

All you need is a $100 reader and a $1500-$2000 encoder. You can buy a reader and the necessary software at Staples. The encoders can be had on eBay.

The Red Tape Chronicles writes,
For demonstration purposes, the Deignan brothers took my debit card, dropped it in an encoder, copied the data from the back, and handed the card back to me. Then they took a piece of white plastic, a second card, inserted that into the encoder, and essentially pasted my ATM information onto the second card. The process took less than 15 seconds.

Within moments, he was able to withdraw $100 from his bank account using one of these manufactured white cards.

We just changed our PIN code this weekend. The Washington Mutual bank officer asked if our new ATM card had arrived yet. We said no, we hadn’t requested a new card. Peering a little skeptically, the officer asked why we wanted to change our PIN. We said, “I just want to.”

A few moments later at the bank’s encoder and we were locked and loaded. Unfortunately the bank was closing, otherwise we would’ve stuck around and quizzed them on what they knew about the debit card hacks and what they were going to do about it.

We’ve also been using our debit card as a credit card in order to avoid punching our PIN code in and having it possibly get stolen. Sometimes it takes a few extra steps. Often the clerks automatically set it up to enter the PIN and we’ve just had to ask, can you please ring this up as a credit card? It’s worth the hassle. If you haven’t changed your PIN yet, do so now.

Because, as Digg member incognegro wrote,
In Soviet Russia, the debit card scams you!

Previously: ATM Scam UPDATE: Crooks Caught!

Comments

  1. Danilo says:

    Here’s a tip on forcing credit behavior for debit cards:

    When the merchant’s terminal dumps you forcibly into a PIN Number entry screen, hit the button that says either Cancel, Credit or Cancel/Credit. You’ll get a “You wanna cancel or you wanna do this as credit card?” screen. Then you can proceed as normal. You’ll have to sign a piece of paper or sign the screen. (This is easier than trying to explain to a 16-year-old the horrors of debit theft, as the whole process takes a few seconds.)

    The reason, of course, the terminals force you into a PIN entry screen is because debit transaction fees are significantly lower than credit transaction fees. Stores would prefer you save them some cash on your purchases when you can. At the BBY I worked at, someone in leadership was neurotic enough to exhort the cashiers to encourage debit usage where possible.

    Pity, then, that a mishandling of data will end up costing these clowns several million over the course of the year, assuming more people become hip to the insecurity of these merchant systems.

  2. Nick says:

    This has, of course, been possible for a long time – as long as encoders have been available. In theory, you’re protected because the fraudster doesn’t have your PIN, but we’ve seen just how successful that is.

    Of course, technologies such as smart cards, which can prevent card duplication, have been around for a long time, and affordable for quite a while, but banks have no incentive to employ them, because they’ve successfully foisted the costs of fraud onto consumers and retailers. Why spend the money required to fix their systems when the fraud isn’t costing them anything?

    As far as signing instead of using your PIN goes, don’t forget that there’s nothing stopping a fraudster duplicating your card, then using it in exactly the same manner.

  3. PanicRoom says:

    “It’s a lot easier than you might think for the Ruskies to start vacuuming funds from your account after they steal the account number and PIN codes from Office Max.”

    The first line of the CNET article (http://news.com.com/2100-1029_3-6049290.html) you linked to here (http://www.consumerist.com/consumer/the-russian-connection/atm-scam-update-crooks-caught-160475.php) says: “The suspects [are] all U.S. citizens”.

    Obviously it’s not just Bushies and us Mac cultists who have a reality distortion field. Let’s stop playing cold war good-guys / bad-guys here.

    I love the Consumerist — but sometimes you’re just so 1982.