Craigslist ATM causes industry stir
When security tester Robert Siciliano told news outlets how easy it was to buy a retail ATM online, ISOs and ATMIA braced themselves for the negative reactions.
December 8, 2009 by
An experiment that tested the ease of buying and deploying a retail ATM by one Boston-based security expert has raised a few eyebrows in the ATM industry.
Last month, news reports hit the Internet about Robert Siciliano — an identity theft-protection expert at Intelius who claimed he was able to buy, program and deploy a retail ATM he bought on Craigslist.org without any red tape or paperwork registration.
Reports of security concerns and Siciliano's access to information retained on the ATM began turning up on the Web, and the ATM industry braced itself for the backlash.
But the industry says there is little it can do about controlling how ATMs are sold, and a quick surf of the Web proves that point.
With a few strokes on the keyboard, I was able to quickly find retail ATMs, namely Triton and Tranax models, on both eBay and Craigslist. One ATM on Craigslist was listed for less than $2,000, with an addendum stressing the need for the retail owner to sell the machine quickly.
Siciliano's test: In his interview with Extra, Siciliano shows how he was able to print out transaction journal entries, revealing full account numbers for cards used at the ATM before he purchased it.
Mike Lee, chief executive of the ATM Industry Association, says that while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold. That kind of control would have to be mandated legislatively, he says.
But, Lee says, ATMIA takes the irresponsible sale of ATMs very seriously.
"If an organization sells an ATM in an irresponsible manner, where the ATM has not been properly decommissioned (with stored card information or outdated software removed), we would consider a range of options in response, including possible blacklisting in the industry," he said.
Though an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts, the ATM industry is striving to exceed security mandates. That's why Siciliano's experiment has the potential to be so damaging to the industry's reputation, says James Phillips, director of North American sales for Memphis, Tenn.-based ATMGurus, a Triton company.
The ability to print off a log of card numbers is possible, Phillips says, but it could only occur on an older terminal. And even at that, the numbers would be useless unless accompanied by corresponding PINs.
"Visa and MasterCard require that those logs be masked," Phillips said. "Up until a few years ago, that was not the case. So it is possible that the PANs (personal account numbers) could be printed."
In May 2008, Visa and MasterCard changed their rules, requiring that all ATM manufacturers ensure the software they install on all new terminals shield the PANs from view, Phillips said.
"Up until then, everything had 16-digit account numbers on it; it was not just the ATM, but the POS, too. So it's not surprising that (Siciliano) was able to buy an old ATM and print out 16-digit account numbers. It is a reminder to the industry that older terminals need to be upgraded with software that masks the PANs. But it's also important to keep in mind that a 16-digit account number does you no good without the Track 2 information from the card, the name and expiration date. And in order to create a fake card and withdraw cash, you have to have a PIN."
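The two points Phillips and Lee make above, that journal printouts must show masked PANs and that a terminal should not be resold until stored card data is removed, can be illustrated with a small defensive check. The following is an added example, not code from any ATM vendor, processor or card network: it assumes a plain-text transaction journal (the sample lines are constructed, and the card numbers are synthetic Luhn-valid test values), masks every PAN down to its last four digits, and reports any unmasked PAN that remains, which is the kind of scan an ISO would run against a terminal's journal before decommissioning it.

```python
import re

# Constructed sample journal (not from any real terminal). Lines 1 and 2
# carry full synthetic PANs; line 3 is already masked; line 4 carries a
# long digit run that is not a card number (it fails the Luhn check).
SAMPLE_JOURNAL = """\
2009-11-20 14:02:11 WDL  4111111111111111 AMT 60.00 SEQ 001234 APPROVED
2009-11-20 14:05:43 BAL  5555555555554444 SEQ 001235 APPROVED
2009-11-20 14:09:02 WDL  ************1111 AMT 20.00 SEQ 001236 APPROVED
2009-11-20 14:12:55 NOTE terminal id 123456789012345 settlement batch
"""

# Candidate PAN: an isolated run of 13 to 19 digits, which covers the
# 16-digit account numbers the article describes as well as other issuers.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Sequence numbers and terminal IDs are long digit runs too, so the
    Luhn check is used as a heuristic to cut false positives.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with asterisks."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def mask_journal_line(line: str) -> str:
    """Mask every Luhn-valid PAN candidate found in one journal line."""
    def _sub(match):
        token = match.group(0)
        return mask_pan(token) if luhn_valid(token) else token
    return PAN_CANDIDATE.sub(_sub, line)


def mask_journal(text: str) -> str:
    """Mask PANs in a whole journal; this is what an upgraded terminal
    should print instead of full account numbers."""
    return "\n".join(mask_journal_line(line) for line in text.splitlines())


def find_unmasked_pans(text: str) -> list:
    """Decommissioning check: list (line_no, masked_pan) for every
    unmasked, Luhn-valid PAN still present in the journal text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            if luhn_valid(match.group(0)):
                hits.append((line_no, mask_pan(match.group(0))))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_JOURNAL):
        print(f"line {line_no}: unmasked PAN ending in {masked[-4:]}")
    print(mask_journal(SAMPLE_JOURNAL))
```

Run against the sample, the check flags lines 1 and 2 and leaves the already-masked line and the terminal ID alone; after `mask_journal` the same check returns nothing, which is the state a terminal's journal should be in before it changes hands. Real journals are proprietary binary or printer-formatted records rather than the flat text assumed here, so the parser would need adapting to the terminal model, but the masking and scanning logic is the same.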
A slap in the face of retail?
Because consumers are so aware of identity theft and security breaches, they often assume retail ATMs are unsafe when they hear stories like Siciliano's. But he admits that retail ATMs are no less secure than FI-owned ATMs, though he says the industry overall needs to address some of its lingering security gaps.
"I am aware that bank ATMs are more likely to be hit by a skimmer; and I also know that many bankers are not aware of security issues," Siciliano said. "In fact, they are generally the least informed. This example focused on my ability to buy a retail ATM. But the industry across the board needs to look at where the holes in the system are and address them. Should a guy from a bar be able to sell an ATM on Craigslist? I don't think so."
Siciliano says his real concern relates to the relative ease with which he was able to hook his Craigslist ATM up for processing. He says he was able to buy the ATM and hook it up for transactions without undergoing a background check or completing any paperwork. And though none of the would-be customers who approached his retail ATM on the street actually withdrew cash, Siciliano insists the machine was capable of completing a transaction.
"What I found out right off the bat was that there were no restrictions on who could buy the ATM," he said. "And setting up the processing was easy. I just made a phone call to a processor I found online, and no one did any background check or asked me any questions. They wanted bank account information and that was it."
George McQuain, the chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, is skeptical of that claim. Siciliano would not reveal the names of the two transaction processors he says agreed to hook him up for processing.
"Our sponsoring bank (American State Bank) requires that we have all of the backgrounds completed, first, and I assume that's the way most sponsoring banks operate," McQuain said.
Wendy Amaral, an account manager at Nationwide Money Services, says sponsoring financial institutions, as well as the Visa and MasterCard networks, are firm about these rules. And though audits are not likely, they are possible. Still, she says it is possible that some companies are providing processing without collecting the proper background information about the ATM owner first.
"I don't know of anyone specifically that doesn't follow the rules," she said. "But we do get complaints from some merchants who say that they don't want to give us all that information, and they tell us that other companies out there do not require so much."
And as far as outdated software that reveals PANs is concerned, McQuain says ISOs are removing and replacing ATMs in retail locations all the time, and therefore are constantly checking to ensure that software is up-to-date.
"It would be rare today to find an ATM that would allow someone to print all of that information out," he said.