Guests at the Rio Hotel in Las Vegas may have had their financial information stolen by ATMs infected with malware. The possible breach was first discovered by a conference presenter at the Defcon hacker conference.
He used one of the hotel’s ATMs to make an attempted withdrawal of $200. The machine accepted his card and his bank promptly deducted the amount from his balance, but the machine did not present him with any cash. Further investigation revealed that several other guests had the same thing happen to them when using the hotel’s ATMs, including a man who had tried to withdraw $1000.
At first, the hotel did little about the complaints. When notified, they refused to shut down the machines, but did put “Out of Order” signs on them. Chris Paget, the Defcon attendee who happens to have expertise in credit card and hardware security, refused to accept the hotel’s lame response to the issue and as a result both the Las Vegas Metro PD and the U.S. Secret Service are investigating.
Usually if an ATM fails to deliver the requested cash it is simply empty and needs to be refilled (a common occurrence, especially in casinos) or has malfunctioned. However a completely fake ATM was discovered at the nearby Riviera hotel earlier in the week, making the situation at the Rio suspicious. Las Vegas would be a very desirable place for hackers to compromise ATMs as large withdrawals would be very commonplace.
Paget contacted the company that owns the ATMs, Global Cash Access and found that despite the fact the money was taken from his account, they had no record of the transaction, further deepening the suspicion that malware is to blame.
Since there were no outward signs of a skimmer (a device that records the information in a credit or debit card’s magnetic stripe) the machines may have been infected with a Trojan called Trojan.Skimmer.A. It is a virtual skimmer that does the same thing as the old mechanical devices.
The matter is still under investigation, but stay tuned to Gadgetell and Shields Up! for the latest developments. In the meantime how can you protect yourself? Here are a few tips.
- Avoid using generic or unfamiliar ATMs. Stick to ones branded with with the name of your bank or other well known financial institutions whenever possible.
- Take the time to give the machine a quick once over before using it. If anything looks suspicious don’t use it and notify the financial institution it belongs to.
- If you don’t already do so get in the habit of checking your bank and credit card accounts often so you will catch any fraudulent charges quickly. If you spot any inconsistencies notify your bank or credit card company as soon as possible.
- If you use an ATM and it doesn’t give you any cash, notify your bank and the ATM owner right away.
- Be careful when using an ATM when there are other people around. Those in line behind you should be several steps back as a courtesy. If anyone is standing close to you and refuses to move back when asked politely, don’t use the ATM as they could be waiting to read your PIN over your shoulder (hardware skimmers don’t capture them). Leave the area and call the police.
That’s all for this week. If you’ve experienced fraudulent charges due to a compromised ATM please leave a comment and share your experience!
What's a nice comments.