I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that
I bought a used ATM on Craigslist, which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that the ATM couldn’t have contained 16-digit credit and debit card numbers on it, it did.
The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked
what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!
ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can’t buy an ATM. And according to Mike Lee, the chief executive of the
ATM Industry Association, “while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold.”
Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both
Craigslist have prohibited certain items. Why can’t I buy
an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can’t buy a “traffic signal control device” off eBay either. Because
someone recognized in the wrong hands, the device can wreak havoc.
James Phillips, director of North American sales for ATMGurus, a Triton company, says that “an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts,” but that my experiment
still “has the potential to be so damaging to the industry’s reputation.” First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in
a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you’re right, this is damaging. So please, fix it, and don’t allow lame excuses. And my machine is a Triton 9100. She’s a beauty by the way. Works nice off
a 12-volt car battery, too.
Wendy Amaral, an account manager at Nationwide Money Services, says that while it’s possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions
are firm about the rules, and that audits are unlikely but possible. I think “possible audits” sounds like another cop out. For those of us who use ATMs, the idea that we are protected by “possible audits” is a slap in the face.
George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he’s skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven’t revealed the processors who agreed
to set up my ATM because they seemed to be small shops, and I don’t intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry’s regulations. But the first processor set me up over the phone, and all I had to do was fill
out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.
McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where
does the data go? I’ll tell you. On Craigslist, and then to the criminals.
There have been tons of reports on my story:
Robert Siciliano, identity theft speaker,
rolls an ATM around on Fox.