Monday, December 23

Warning: Crooks Can Buy ATMs on eBay

Beware the stand-alone ATM, which criminals can purchase online and set up in a public spot for stealing people’s account information. Even bank ATMs can be made unsafe.

The more I talk to data-security experts, the less technology I want to use. The latest convenience I’ve given up? Stand-alone ATMs.

If you want to know why, just hop on over to eBay and Craigslist and type in “ATM.” Availability varies, but often you can find machines for sale that cost just a few hundred bucks.

Bad guys can buy these, get a computer programmer to rewrite the code and set them up just about anywhere to collect people’s card information and PINs. Sometimes the machines actually dispense some cash, but often they’re set up just to display an error message — after stealing your data.

This has been going on for a while now, but a bad economy seems to mean more ATMs are available as more businesses that own them go belly-up. Hence, more opportunities for crooks.

“It’s easier to get the ATMs . . . and it doesn’t require tremendous programming skills” to set them up, said Avivah Litan, a security expert at consulting firm Gartner Research. “The hardest part is finding the right location.

They might just park it on a sidewalk. Some bolder thieves have tried placing phony ATMs outside bank branches, but they risk getting caught on the bank’s video surveillance. Often it’s easier to co-opt a store employee or manager.

“At a gas station, for example, the employee or the manager can get a cut for allowing the ATM to be placed there,” Litan said. “Collusion tends to be part of this.”

The ATM doesn’t even need to be real to fool people. When security expert Jim Stickley wanted to test how easy it would be to scam people’s account information a few years ago, he decided used ATMs cost too much.

“Real machines were really expensive, over $1,000, so I decided to make my own,” said Stickley, the author of “The Truth About Identity Theft” and the chief technology officer of TraceSecurity, a risk management firm. He assembled his machines from 7-foot kiosks he bought used from a college and card readers he bought online for about $20 each.

Stickley deposited two of the machines on Sixth Street in Austin, Texas. The machines were used 42 times by 27 people over five hours, according to the “Today” show, which recorded the experiment. People used the machines even though they could have seen on closer inspection that the machines didn’t have a realistic-looking cash dispenser.

“It was basically just a slit,” Stickley said. “It wasn’t anything close to what could dispense money.”

Instead of getting money, people would get an error message. That prompted several people to try repeatedly to get the fake ATMs to spit out cash.

“They would try two or three times . . . so that made sure we had the right code,” Stickley said.

Such tales of fake ATMs have me convinced: There’s too much risk. That’s what Litan decided a while back, too.

“I never use my card anywhere except banks,” Litan said.

That’s not to say bank ATMs can’t be compromised — far from it. Crooks can put skimmers over the card readers to suck up your data and record your PIN with miniature cameras. Some bad guys don’t bother with the ATMs at all, instead putting the skimmer on the key card lock of the door that leads into an ATM.

But security procedures and video surveillance at banks usually mean these skimmers are detected fairly quickly. Still, you’d be smart to practice good ATM hygiene where you go. That means you should:

•Be suspicious of any stand-alone ATM. Yes, there are plenty of legitimate ones, but it can be tough for a layperson to tell which ones feed information to thieves rather than cash to you. You’ll definitely want to avoid any ATM that isn’t bolted to the side of a building or secured inside a facility. Real ATMs are heavy and have money safes, so they’re not going to be easy to move. Also beware of stand-alone ATMs that advertise “no fees,” as Stickley’s did, since legitimate owners of stand-alone ATMs have to charge fees to make money.

•Avoid bank ATMs if the access door is broken. If you normally have to use your ATM card to unlock a door to get to the ATM and the lock is broken or the door is propped open, don’t go in. Someone could have forced open the door to install a skimmer.

•Beware of “out of service” signs. If there are two ATMs and one has an “out of service” sign, it could be legit — or it could be trying to get you to use the other ATM, which has been compromised.

•Give the card slot a good yank. Put your hand on the slot where your card goes in and give it a push. A real one won’t give way, while a skimmer often does. If the card slot looks strange at all, find another ATM.

•Report “malfunctions” immediately. If you get an error message instead of money, contact your bank right away. You’re at much greater risk of fraud, Stickley said.

•Monitor your transaction activity. It doesn’t matter how busy you are. You can still take a few minutes every week to log on to your accounts and look over your transactions. You’ll want to report bogus transactions right away, since your liability for fraud is waived only if you spot the problems within a couple of months.

Courtesy MSN Money

Leave a Reply

Your email address will not be published. Required fields are marked *