Last night I put out a post on Twitter informing people that the Shmoocon ATM had been compromised, and that everyone who had used it should cancel & reissue their cards. This of course got retweeted a bunch, and then FINALLY some security people started commenting that we should have some evidence before they take action.
So some may have seen the ATMs in the hotel were “tagged” with this prank and thought that THIS was the compromise I was referring to.
This was funny, and I have a pretty good idea who put it there. (And really, if it was “them” I would think twice about touching that ATM anyways.) But it was not a compromise.
@surbo and I were running late to the airport, and the taxi driver wouldn't take a card. Having spent all our cash the night before, we ran over to the ATM located in the main hallway of the Marriott (across from the hotel convenience store) and I tried the ATM. It was acting very odd: it was taking about 5 minutes to change screens, it was NOT TAKING MY PIN on my card, and it occasionally told me that it could not read the card. I got a very bad feeling, but I was in a hurry, so I tried another card. Same story — acting weird, not taking my PIN. I asked Surbo to give it a go, and this time it took his PIN, but it was still acting weird.
Surbo then did something that made us both say “F&^K”. He pulled the face panel down off the ATM, exposing the internal computer and authentication “dialer”. Someone had either picked the lock or left the panel unlocked (the safe panel ($$$$) remained locked). The electronics that control the authorization of funds were easily accessed. You can imagine how a person of “low moral standards” could have benefited from this situation.
Right about the time that Surbo pulled the front panel down, Mouse came strolling by and said “Boys! What are you doing!?” It didn't look good, and since we had already had some run-ins with hotel police we immediately put it back and made sure it was reported. We didn't take any pictures because we didn't want to be any more involved than we already were. I am sure you can understand that although we pull some harmless pranks here or there, ATM fraud is not up our alley.

So, do I have evidence that if you used that ATM your card numbers & PIN were exposed and/or recorded? No. In fact, I did not see any suspicious-looking equipment inside that would indicate that they had. However, the security of the ATM was compromised and the potential was definitely there. Don’t risk it: if you used this ATM, please call your bank and get your card reissued.
Update: I have now learned that the ATMs were using the default admin password. (Crap; see comments below.)