Even if you always look for skimmers and hidden cameras when you use an ATM, you still might be a victim of identity theft if the ATM is later sold on eBay or Craigslist.
A data security expert in Boston demonstrated this vulnerability. After searching Craigslist for a seller, he found a bar owner looking to liquidate assets. He paid $750 for the ATM, and after a hacker friend looked over the accompanying manual, he was able to get 1,000 account numbers to print out. Video is available here.
His local Fox affiliate is running a series on the story, along with some tips for avoiding skimmers and cameras. There’s not much you can do if you used an ATM that is later sold, although you can try to use only bank-branded ATMs in bank offices, and avoid obviously sketchy or out-of-place machines whenever possible. This assumes that the bank will securely wipe their ATMs before disposing of them.

ATMs strike me as one of those things that just shouldn’t be resold…. I’m amazed that isn’t illegal, to be honest.
Bank ATMs. Never, ever, ever, one of the 7-11/Racetrac/Circle K/etc. etc.
And wouldn’t whoever sold this be culpable in this matter?
Culpable for what? Selling a device he no longer uses?
Selling a device containing personal information. If I sold a bunch of file folders that contained medical records, I would be held liable should anything happen. If I sell an ATM which contains credit card numbers, I should be similarly held.
Culpable for giving out personal financial information. It’s essentially a data breach, which makes people very litigious…and generally victorious.
Aren’t ATMs generally sold with a contract and loads of stipulations? And aren’t they usually rented out by a larger company/bank?
It would seem that any ATM for sale would not be legally obtained.
You don’t think that a business owner who has gone out of business would want to sell an ATM he no longer needs?
That’s not what he’s saying. He’s saying that since ATMs are either leased or sold with contracts, it may not have been HIS to sell in the first place.
Exactly. I know most places can’t go around selling their Coke machines and the like.
I’ve honestly never seen an ATM that was not branded with either a leasing company or bank name on it.
There was that own your own ATM a while ago
but I think they went tits up
where you convinced the store owner to let you put one in the store
the store stocked the money and you split the fees with them
this is the device I’m thinking of
http://en.wikipedia.org/wiki/Scrip_cash_dispenser
I make my own ATMs at home
I knew I’ve seen you around.
Blew my cover, damn you! *shakes fist*
Good to know, but I’d have a little more respect for the “security expert” if he wasn’t shilling for scam-meisters Intelius (http://www.techcrunch.com/2008/05/29/naveen-jains-intelius-prepares-to-go-public-how-much-of-their-revenue-is-a-scam/) in half of the articles on the site.
Am I the only one in America who has never used an ATM?
If I need money, I go to my bank and get it from the teller.
Simple as that. No ATM fees, and I usually get a smile from the teller.
Wow, I’d love to go to your bank. Any chance they have a branch for when I need money on Christmas Eve at 21:30?
You’re never used an ATM? You might indeed be the only one. In any event, some of us don’t have the “luxury” of availing ourselves a local branch and a friendly teller. Besides, unless they’re giving me some REALLY good lollipops, I’ll be bypassing the line and…using the ATM.
You’ve.
I’m going to say that you may be one of the few non-Amish/Mennonite to do so.
Most banks won’t let you get petty cash from the teller without serious fees attached.
My mother has never, ever used an ATM.
She’s also never bounced a check, and has never paid interest on her cc charges.
My last bank had a $10 fee for a transaction with a teller. I think they’d waive the fee if you were doing something that you couldn’t do at the ATM, but I really had to work to convince them to do that.
Unfortunately, some of us don’t have bank branded ATMs due to the bank not having branches (ING Direct).
The closest one to me is inside Target so I try to only use that one but sometimes have no choice but to use the one in 7-11.
7-11 ATMs are branded … Citibank. Maybe that’s just around here though? Then again, by virtue of it being in a 7-11, it’s still a bit sketch.
I think you misunderstand “bank branded” ATMs. They don’t mean just your bank, you can use any bank’s ATM and it’s “bank branded”. What you want to do is avoid those white ATMs that just have a big sign that says “CASH$$$” on top of it.
On another slant on this, there was a news story a few years ago how people were finding used ATM hard drives from major national banks NOT wiped for sale dirt cheap at swap meets. I called my bank and they couldn’t wouldn’t tell me what their policies were on destroying / protecting my account numbers when upgrading ATMs…so we’re all screwed anyway, because if idiot jackhole IT peeps at banks don’t care / don’t wipe them, the bank ain’t going to tell you about it, whether you ask or not. Have a nice day.
A security “expert” who redundantly calls an ATM an “ATM machine”? Dubious.
Yeah that bothered me too, especially when the reporter kept calling it by its proper name and he didn’t get the hint.
Them there be signs of ass-hattery.
Them there be signs of ass-hattery.^H^H^H^H^H^H^H^H^H^H^H^H literacy.
Fixed that for ya.
In regards to skimmers, around me U.S. Bank was installing anti-skimmers on all their ATMs. They are little optical sensors that detect tampering with the card reader slot, and shut down the ATM (and probably trigger the ATM’s alarm system). Apparently Diebold (USB’s FLM vendor in the area) makes anti-skimmer sensors, in addition to NCR (the other major ATM player). There are also 3rd party systems (I believe the system I saw being installed was a 3rd party one) that can be retrofitted into basically any ATM system. So it’s not really a problem of there being no good tools to fight skimmers, it’s a problem of banks willing to see skimming losses as a big enough punch in the pocketbook to roll out a countermeasure. So far I have only seen it on that one bank’s ATMs.
Also the data stored on an ATM’s electronic journal system is for the most part useless, and doesn’t even require a “hacker” to access it. The type of ATM pictured in the article can have its electronic journal printed out without having any physical access to the interior of the machine, which is kind of scary considering many of the crap ATM manufacturers (I’m looking at you Triton) have the administrative password set to a few commonly used defaults. How lame is that.
Why would it be illegal? All it takes is installing a sort of “kill switch” command that would wipe the device out. In fact, I would be surprised if that wasn’t already included in some machines.
And besides the hassle (which can be great), you are financially limited to the amount of loss you can incur if your card is used fraudulently.
Or you could just go steal an ATM and throw it in the back of a pickup truck…
Why are these numbers being stored on the machine, anyway? Seems like the account number should be erased after the transaction is complete. Maybe keep the bank name and last three digits, for record verification, but there’s really no reason to keep these things lying around in the ATM’s memory.
Didn’t Neiman-Marcus or FAO Schwarz offer an ATM in their catalog a few years ago?
It doesn’t appear the machine gave them the pin numbers, though.
This is a really terrible idea.
$750?!?! Here’s one that’s in my town (Sunnyvale, CA) for FREE: http://sfbay.craigslist.org/sby/bfs/1478071395.html
I never used that one, so if you’re stalking me and out to get my “identity”, you’ll have to look elsewhere. But if you want a geek project or are out to do bad, you can’t go wrong!
That’s not an ATM, it’s a debit card point-of-sale processor.
Card numbers are never stored as raw data. Transaction history is stored in flash memory in which card numbers are masked. Typically only the first and last four digits are visible. The only time raw data is processed by an ATM is when the card reader. I have extensive experience with the model shown by “security expert” and I can attest that these machines do not store raw card data. The info printed out is used for verifying transaction disputes.
I am an independent ATM operator. This story is completely false. All ATM operators must adhere to the same set of regulations whether they are bank owned or independently owned. No account numbers are recorded at the ATM. The only numbers that are available to anyone are the last 4 digits of the account number. All ATMs must comply with Triple DES, which encrypts all info as it is being typed. This is a complete fabrication. If a used ATM was purchased, there would be no way to extract account numbers…That is why crooks use skimmers.
Kudos to all the Consumerist readers who can pick out a fake security expert…
I am not sure if I can put my finger on it, but why not buy an ATM with the camera on the pinpad and just have the machine (non hacked) give you the pin numbers from the keypad, and have it tell the user “Sorry this machine is currently unable to service this transaction”? All you would have to do is make sure no one put on an “out of order” tag on it and that would be the end of it. No hardware modification just internal software modification only.
The closest one to me is inside Target so I try to only use that one but sometimes have no choice but to use the one in 7-11.
–
I used to use exclusively online banking before I got tired of it. My advice for you is to go to a credit union ATM or whatever commercial bank around you charges the lowest amount of fees to get to your cash.
Wrong, Wrong, wrong. Consumerist is being taken for a ride on this one….
Prior comments are correct with regard to the records stored on ATMs. Only the last 4 digits of customer accounts are retained. No customer identifiable data is retained. This is solely to resolve customer disputes.
Consumerist would be wise to check with manufacturer or an ATM expert. Try Tranax.com, Tritonatm.com or other manufacturers to verify with a reputable source.
Also, I see that the “security expert” is recommending people purchase a certain type of identity theft protection.
>>> Very interesting
@AlexChasick: I’m SO getting you and the missus one of these for your wedding.
I own a few ATMs and use them in my business. The older models do not use a hard drive at all. They use floppy disks. The program loads into RAM and then boots. Older ATMs have to be refitted with the newer encryption. I think it is 128 bit and is very expensive ($750). Anyone selling an older machine on Craigslist probably knows this. The YouTube video is correct that you can rig one to steal card numbers and use video to catch the pin number. It is not true that anyone can operate an ATM legally or become certified. The printouts or journals the news video shows are actually of little use to anybody…even the owner of the ATM. A tempest in a teapot for sure.