Robert Siciliano Identity Theft Expert
Apparently I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that I bought a used ATM on Craigslist, which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that the ATM couldn’t have contained 16-digit credit and debit card numbers on it, it did.
The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!
According to ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can’t buy an ATM. And according to Mike Lee, the chief executive of the ATM Industry Association, “while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold.”
Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both eBay and Craigslist have prohibited certain items. Why can’t I buy an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can’t buy a “traffic signal control device” off eBay either, because someone recognized that, in the wrong hands, the device can wreak havoc.
James Phillips, director of North American sales for ATMGurus, a Triton company, says that “an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts,” but that my experiment still “has the potential to be so damaging to the industry’s reputation.” First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you’re right, this is damaging. So please, fix it, and don’t allow lame excuses. And my machine is a Triton 9100. She’s a beauty by the way. Works nice off a 12-volt car battery, too.
Wendy Amaral, an account manager at Nationwide Money Services, says that while it’s possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions are firm about the rules, and that audits are unlikely but possible. I think “possible audits” sounds like another cop out. For those of us who use ATMs, the idea that we are protected by “possible audits” is a slap in the face.
George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he’s skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven’t revealed the processors who agreed to set up my ATM because they seemed to be small shops, and I don’t intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry’s regulations. But the first processor set me up over the phone, and all I had to do was fill out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.
McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where does the data go? I’ll tell you. On Craigslist, and then to the criminals.
There have been tons of reports on my story:
- Fox Boston video
- Extra TV video
- Boston Globe article
- The Register article
- SC Magazine article
- NBC Boston video
- Dvorak Uncensored
- The Consumerist
- Digital Journal
- Tom’s Guide
You can protect yourself from these types of scams by paying attention to your statements and refuting unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the machine’s appearance, such as wires, double-sided tape, error messages, a missing security camera, or if the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Cover your PIN!
And invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, rolls an ATM around on Fox.
3 users commented in "Craigslist ATM I bought Causes Industry Stir"
Dear Mr. Siciliano,
As an ATMIA member who is active in several security and best practices committees, I think that your allegations are only partially correct. Skimming of track two card data has been around as long as magnetic striped cards and as an industry association, ATMIA has been very active in working with the card associations, law enforcement, manufacturers and ATM operators to find solutions to what is a complex and difficult to solve problem. Although the theft of cardholder data and PINs poses a serious threat to the public and the global banking system, the fact remains that ATMs account for a relatively small percentage of cardholder data compromises worldwide. I would also like to point out that the industry addressed the issue of storing card numbers on receipts and journal tapes a number of years ago.
Since you are a self-proclaimed “Identity Theft Expert” perhaps you can enlighten us on how you would propose eliminating card skimming and cardholder data theft. I am also curious to know if you think that only banks should be allowed to own and operate ATMs, and if so, do you think that the hundreds of thousands of ATMs that are owned by legitimate operators should be rounded up and confiscated? If you are in fact an expert on anything, shouldn’t you at least try to get your facts straight before you pursue a strategy of fear mongering, grandstanding and shameless self promotion? You are not serving anyone’s interest but your own.
Kind regards,
ATM Security Expert
ATM Security Expert who hides in anonymity, if you are what represents the industry with your non-nonsensical accusatory throw-up of a comment, then you have affirmed my points entirely.
Mr ATM Expert,
I must admit I find it to be truly amusing that you are calling Mr. Siciliano’s efforts “self serving” and that he “isn’t helping anyone”. Let’s see, you are “supposedly” someone representing the ATMIA so WE the GENERAL public are supposed to take YOUR word that the shortcomings of YOUR industry are not as you say. Interesting to say the least. Have you even bothered to verify your statements with some back up or research? Let me quote you kind sir... and I quote “Since you are a self proclaimed “Identity Theft Expert” end quote. You must suffer from some mild mental disorder because if you have done any research on Mr. Siciliano you would very quickly come to realize that he is a sought-out speaker regarding his forte (identity theft). You sir are exhibiting 2 very typical negative attributes to your own people. 1. You are clearly looking after your own interests and NOT the general public’s (which is a shame) and 2. You are trying to undermine a person that has nothing to prove, a person that has been selected to be the keynote speaker at the 12th annual Orbograph conference. A person that has been invited to TV shows, radio shows, the major newspapers in America and so on. So in short let me get this straight, he is trying to cause, how did you put it?.. ah yes and I quote “fear mongering, grandstanding and shameless self promotion”. You truly are a joke. People like you are the cause of disbelief in decency. There will always be an element of corruption from within a society, I just wonder if you sleep well at night trying to insult honest people that are trying to open the eyes of the public. It truly is a shame when someone goes to the trouble of showing the public (with proof) that there is a real problem and people like YOU sir, try and pull the wool over their eyes. I bet you don’t think telemarketing is a problem either? And if you do I bet it’s because you do not turn a profit from it.
Part of me would love to sit down face to face and have a duel of wits, but I do not believe in duels when the other party is unarmed. And if you didn’t understand that, I’m quite simply calling you a moron. Keep drinking from the cesspool of corruption, see where it will get you.
Signed, V for Vendetta