24 April 2018
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


Craigslist ATM I bought Causes Industry Stir

22 December 2009

Apparently I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that I bought a used ATM on Craigslist, which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that the ATM couldn’t have contained 16-digit credit and debit card numbers on it, it did.

The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!

According to ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can’t buy an ATM. And according to Mike Lee, the chief executive of the ATM Industry Association, “while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold.”

Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both eBay and Craigslist have prohibited certain items. Why can’t I buy an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can’t buy a “traffic signal control device” off eBay either. Because someone recognized that, in the wrong hands, the device can wreak havoc.

James Phillips, director of North American sales for ATMGurus, a Triton company, says that “an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts,” but that my experiment still “has the potential to be so damaging to the industry’s reputation.” First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you’re right, this is damaging. So please, fix it, and don’t allow lame excuses. And my machine is a Triton 9100. She’s a beauty by the way. Works nice off a 12-volt car battery, too.

Wendy Amaral, an account manager at Nationwide Money Services, says that while it’s possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions are firm about the rules, and that audits are unlikely but possible. I think “possible audits” sounds like another cop-out. For those of us who use ATMs, the idea that we are protected by “possible audits” is a slap in the face.

George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he’s skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven’t revealed the processors who agreed to set up my ATM because they seemed to be small shops, and I don’t intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry’s regulations. But the first processor set me up over the phone, and all I had to do was fill out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.

McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where does the data go? I’ll tell you. On Craigslist, and then to the criminals.

There have been tons of reports on my story:

 

Robert Siciliano, identity theft speaker, rolls an ATM around on Fox.


Comments: (1)

Nick Green - ISD Consultants - Northampton | 31 December, 2009, 15:50

Robert,

There is the point that you haven't mentioned "he yelled for the women who were already using my ATM to stop" - people were prepared to use the ATM and to a fraudster it would have been worth parting with a few dispensed dollars to get not just the card numbers but the PIN numbers as well.

There have been cases in Europe of vacant stores next to Banks being fitted with an "ATM" then after the Bank has closed the fraudsters cover the real ATM with an Out of Order sign and direct customers to the fake ATM.

With a real ATM the options are endless; you could even fit a camera inside to read the Card Security Code off the signature strip.
