You Can Buy Used ATMs On Craigslist

Even if you always look for skimmers and hidden cameras when you use an ATM, you still might be a victim of identity theft if the ATM is later sold on eBay or Craigslist.

A data security expert in Boston demonstrated this vulnerability. After searching Craigslist for a seller, he found a bar owner looking to liquidate assets. He paid $750 for the ATM, and after a hacker friend looked over the accompanying manual, he was able to get 1,000 account numbers to print out. Video is available here.

His local Fox affiliate is running a series on the story, along with some tips for avoiding skimmers and cameras. There’s not much you can do if you used an ATM that is later sold, although you can try to use only bank-branded ATMs in bank offices, and avoid obviously sketchy or out-of-place machines whenever possible. This assumes that the bank will securely wipe their ATMs before disposing of them.

Comments

  1. Eldritch says:

    ATMs strike me as one of those things that just shouldn’t be resold…. I’m amazed that isn’t illegal, to be honest.

  2. doctor_cos wants you to remain calm says:

    Bank ATMs. Never, ever, ever, one of the 7-11/Racetrac/Circle K/etc. etc.
    And wouldn’t whoever sold this be culpable in this matter?

    • PølάrβǽЯ says:

      Culpable for what? Selling a device he no longer uses?

      • ubermex says:

        Selling a device containing personal information. If I sold a bunch of file folders that contained medical records, I would be held liable should anything happen. If I sell an ATM which contains credit card numbers, I should be similarly held.

      • Smashville says:

        Culpable for giving out personal financial information. It’s essentially a data breach, which makes people very litigious…and generally victorious.

  3. Smashville says:

    Aren’t ATMs generally sold with a contract and loads of stipulations? And aren’t they usually rented out by a larger company/bank?

    It would seem that any ATM for sale would not be legally obtained.

    • PølάrβǽЯ says:

      You don’t think that a business owner who has gone out of business would want to sell an ATM he no longer needs?

  4. DangerMouth says:

    I make my own ATM’s at home

  5. indiegeek says:

    Good to know, but I’d have a little more respect for the “security expert” if he wasn’t shilling for scam-meisters Intelius (http://www.techcrunch.com/2008/05/29/naveen-jains-intelius-prepares-to-go-public-how-much-of-their-revenue-is-a-scam/) in half of the articles on the site.

  6. macoan says:

    Am I the only one in America who has never used an ATM.

    If I need money, I go to my bank and get it from the teller.

    Simple as that. No ATM fees, and I usually get a smile from the teller.

    • GuyGuidoEyesSteveDave™ says:

      Wow, I’d love to go to your bank. Any chance they have a branch for when I need money on Christmas Eve at 21:30?

    • It's A Secret To Everybody says:

      You’ve never used an ATM? You might indeed be the only one. In any event, some of us don’t have the “luxury” of availing ourselves of a local branch and a friendly teller. Besides, unless they’re giving me some REALLY good lollipops, I’ll be bypassing the line and…using the ATM.

    • Smashville says:

      I’m going to say that you may be one of the few non-Amish/Mennonite to do so.

      Most banks won’t let you get petty cash from the teller without serious fees attached.

    • DangerMouth says:

      My mother has never, ever used an ATM.

      She’s also never bounced a check, and has never paid interest on her cc charges.

    • nsv says:

      My last bank had a $10 fee for a transaction with a teller. I think they’d waive the fee if you were doing something that you couldn’t do at the ATM, but I really had to work to convince them to do that.

  7. nrich239 says:

    Unfortunately, some of us don’t have bank branded ATM’s due to the bank not having branches (ING Direct)

    The closest one to me is inside Target so I try to only use that one but sometimes have no choice but to use the one in 7-11.

    • Tim says:

      7-11 ATMs are branded … Citibank. Maybe that’s just around here though? Then again, by virtue of it being in a 7-11, it’s still a bit sketch.

    • Kogenta says:

      I think you misunderstand “bank branded” ATMs. They don’t mean just your bank, you can use any bank’s ATM and it’s “bank branded”. What you want to do is avoid those white ATMs that just have a big sign that says “CASH$$$” on top of it.

  8. That's Consumer007 to you says:

    On another slant on this, there was a news story a few years ago how people were finding used ATM hard drives from major national banks NOT wiped for sale dirt cheap at swap meets. I called my bank and they couldn’t wouldn’t tell me what their policies were on destroying / protecting my account numbers when upgrading ATMs…so we’re all screwed anyway, because if idiot jackhole IT peeps at banks don’t care / don’t wipe them, the bank ain’t going to tell you about it, whether you ask or not. Have a nice day.

  9. Alvis says:

    A security “expert” who redundantly calls an ATM an “ATM machine”? Dubious.

  10. Lprd says:

    In regards to skimmers, around me U.S. Bank was installing anti-skimmers on all their ATMs. They are little optical sensors that detect tampering with the card reader slot, and shut down the ATM (and probably trigger the ATM’s alarm system). Apparently Diebold (USB’s FLM vendor in the area) makes anti-skimmer sensors, in addition to NCR (the other major ATM player). There are also 3rd party systems (I believe the system I saw being installed was a 3rd party one) that can be retrofitted into basically any ATM system. So it’s not really a problem of there being no good tools to fight skimmers, it’s a problem of banks willing to see skimming losses as a big enough punch in the pocketbook to roll out a countermeasure. So far I have only seen it at that one bank’s ATM.

    Also the data stored on an ATM’s electronic journal system is for the most part useless, and doesn’t even require a “hacker” to access it. The type of ATM pictured in the article can have its electronic journal printed out without having any physical access to the interior of the machine, which is kind of scary considering many of the crap ATM manufacturers (I’m looking at you Triton) have the administrative password set to a few commonly used defaults. How lame is that.

  11. CuriousGeorge113 says:

    Why would it be illegal? All it takes is installing a sort of “kill switch” command that would wipe the device out. In fact, I would be surprised if that wasn’t already included in some machines.

    And besides the hassle (which can be great), you are financially limited to the amount of loss you can incur if your card is used fraudulently.

  12. holytrainwreck says:

    Or you could just go steal an ATM and throw it in the back of a pickup truck…

  13. elj812 says:

    Why are these numbers being stored on the machine, anyway? Seems like the account number should be erased after the transaction is complete. Maybe keep the bank name and last three digits, for record verification, but there’s really no reason to keep these things lying around in the ATM’s memory.

  14. Keep talking...I'm listening says:

    Didn’t Neiman-Marcus or FAO Schwarz offer an ATM in their catalog a few years ago?

  15. twophrasebark says:

    It doesn’t appear the machine gave them the pin numbers, though.

  16. tbax929 says:

    This is a really terrible idea.

  17. Taed says:

    $750?!?! Here’s one that’s in my town (Sunnyvale, CA) for FREE: http://sfbay.craigslist.org/sby/bfs/1478071395.html

    I never used that one, so if you’re stalking me and out to get my “identity”, you’ll have to look elsewhere. But if you want a geek project or are out to do bad, you can’t go wrong!

  18. Bloader says:

    Card numbers are never stored as raw data. Transaction history is stored in flash memory in which card numbers are masked. Typically only the first and last four digits are visible. The only time raw data is processed by an ATM is when the card reader. I have extensive experience with the model shown by “security expert” and I can attest that these machines do not store raw card data. The info printed out is used for verifying transaction disputes.

  19. KD2009 says:

    I am an independent ATM operator. This story is completely false. All ATM operators must adhere to the same set of regulations whether they are bank owned or independently owned. No account numbers are recorded at the ATM. The only numbers that are available to anyone are the last 4 digits of the account number. All ATMs must comply with Triple DES, which encrypts all info as it is being typed. This is a complete fabrication. If a used ATM was purchased, there would be no way to extract account numbers…That is why crooks use skimmers.
    Kudos to all the Consumerist readers who can pick out a fake security expert…

  20. consumerd says:

    I am not sure if I can put my finger on it, but why not buy an ATM with the camera on the pinpad and just have the machine (non hacked) give you the pin numbers from the keypad, and have it tell the user “Sorry this machine is currently unable to service this transaction” All you would have to do is make sure no one put on a “out of order” tag on it and that would be the end of it. No hardware modification just internal software modification only.

  21. brianguyy says:

    The closest one to me is inside Target so I try to only use that one but sometimes have no choice but to use the one in 7-11.

    I used to use exclusively online banking before I got tired of it. My advice for you is to go to a credit union ATM or whatever commercial bank around you charges the lowest amount of fees to get to your cash.

  22. bonham16 says:

    Wrong, Wrong, wrong. Consumerist is being taken for a ride on this one….

    Prior comments are correct with regard to the records stored on ATMs. Only the last 4 digits of customer accounts are retained. No customer identifiable data is retained. This is solely to resolve customer disputes.

    Consumerist would be wise to check with manufacturer or an ATM expert. Try Tranax.com, Tritonatm.com or other manufacturers to verify with a reputable source.

  23. bonham16 says:

    Also, I see that the “security expert” is recommending people purchase a certain type of identity theft protection.

    >>> Very interesting

  24. unfuckwithable says:

    @AlexChasick: I’m SO getting you and the missus one of these for your wedding.

  25. bbqtom1400 says:

    I own a few ATM’s and use them in my business. The older models do not use a hard drive at all. They use floppy disks. The program loads into ram and then boots. Older ATM’s have to be refitted with the newer encryption. I think it is 128 bit and is very expensive ($750). Anyone selling an older machine on Craig’s List probably knows this. The YouTube video is correct that you can rig one to steal card numbers and use video to catch the pin number. It is not true that anyone can operate an ATM legally or become certified. The printouts or journals the news video show are actually of little use to anybody…even the owner of the ATM. A tempest in a teapot for sure.