Security Analyst: Las Vegas ATMs May have Malware
The U.S. Secret Service said on Monday it is investigating a group of ATM machines in Las Vegas that are debiting people's accounts but not dispensing cash.
Mon, August 03, 2009
IDG News Service — The U.S. Secret Service said on Monday it is investigating a group of ATM machines in Las Vegas that are debiting people's accounts but not dispensing cash.
A Layman's Glossary of Malware Terms
Slideshow: 11 Security Companies to Watch
The case came to light after Defcon hacker conference presenter Chris Paget tried to withdraw $200 on Sunday from his account at the Rio All-Suite Hotel and Casino. He wanted buy a metallic copy of the Bill of Rights, a joke gift designed to set off airport metal detectors from the magicians Penn and Teller.
The ATM "whirred and chugged," Paget said, "but no money came out." His account, however, was debited.
He wasn't the only one. Paget spoke with an Israeli man who had tried to withdraw $1,000, as well as a woman who tried to take out $400. At least a half dozen people experienced the same problem at various machines in the hotel, Paget said.
Paget, who has expertise in credit-card security and runs a hardware security consulting company, notified the hotel staff, who didn't take action to shut down the machines.
"The best they would do was put a sign on the ATM saying 'Out of order,'" Paget said. "We were standing by the ATMs warning people."
Paget considered unplugging the machines, but the hotel's security told him he would potentially be prosecuted for vandalism.
Paget's experience points to the increasing frequency with which criminals are targeting ATMs. One scam is to attach a device to the ATM known as a skimmer that can record details stored on a card's magnetic stripe. A person's PIN (Personal Identification Number) can be captured with an overlay on the keypad or a video camera. Then, the card can be cloned.
Security experts have also seen samples of malicious software designed for ATMs that can record card details. Earlier this year, analysts at Trustwave's SpiderLabs research group said the malware came from a financial institution that had been affected in Eastern Europe.
In Paget's case, a Rio hotel representative said on Monday that she was unaware of the problem and advised calling the hotel's accounting office later. A Secret Service officer in the Las Vegas area confirmed the agency was looking into the issue along with the Las Vegas Metropolitan Police Department. Paget said he left a voicemail with the Federal Bureau of Investigation.
Paget also contacted Global Cash Access, a company that specializes in managing cash machines for the casino industry. The company told Paget they had no record of the withdrawal, although it showed up when he checked his online banking statement.
