The U.S. Secret Service said on Monday it is investigating a group of ATMs in Las Vegas that are debiting people's accounts but not dispensing cash.
The case came to light after Defcon hacker conference presenter Chris Paget tried to withdraw $200 on Sunday from his account at the Rio All-Suite Hotel and Casino. He wanted to buy a metallic copy of the Bill of Rights, a joke gift designed to set off airport metal detectors from the magicians Penn and Teller.
[ At Black Hat last week, security researchers showed how to hack a parking meter. | Meanwhile, the Defense Department came to Defcon looking for new recruits. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
The ATM "whirred and chugged," Paget said, "but no money came out." His account, however, was debited.
He wasn't the only one. Paget spoke with an Israeli man who had tried to withdraw $1,000, as well as a woman who tried to take out $400. At least a half-dozen people experienced the same problem at various machines in the hotel, Paget said.
Paget, who has expertise in credit-card security and runs a hardware security consulting company, notified the hotel staff, who didn't take action to shut down the machines.
"The best they would do was put a sign on the ATM saying 'Out of order,'" Paget said. "We were standing by the ATMs warning people."
Paget considered unplugging the machines, but the hotel's security told him he would potentially be prosecuted for vandalism.
Paget's experience points to the increasing frequency with which criminals are targeting ATMs. One scam is to attach a device to the ATM known as a skimmer that can record details stored on a card's magnetic stripe. A person's PIN (Personal Identification Number) can be captured with an overlay on the keypad or a video camera. Then, the card can be cloned.
Security experts have also seen samples of malicious software designed for ATMs that can record card details. Earlier this year, analysts at Trustwave's SpiderLabs research group said the malware came from a financial institution that had been affected in Eastern Europe.
In Paget's case, a Rio hotel representative said on Monday that she was unaware of the problem and advised calling the hotel's accounting office later. A Secret Service officer in the Las Vegas area confirmed the agency was looking into the issue along with the Las Vegas Metropolitan Police Department. Paget said he left a voice mail with the Federal Bureau of Investigation.
Paget also contacted Global Cash Access, a company that specializes in managing cash machines for the casino industry. The company told Paget they had no record of the withdrawal, although it showed up when he checked his online banking statement.
Paget said it is possible that the machines have been infected with malware. The program could be directing the machines not to dispense cash, which then is picked up by an insider in on the scam, he said. But it's too early to tell.
If the problem is not simply malfunctioning machines, it would be at least the second incident of something funny going on with ATMs around Defcon.
Earlier in the week, conference attendees at the Riviera Hotel noticed what was on inspection a bogus ATM positioned in the lobby. They shined a light into its screen, which revealed a PC behind it. Law enforcement later confiscated it.
Ironically, one of the talks planned for this year's Black Hat and Defcon conferences dealing with ATMs was cancelled. A researcher with Juniper Networks, Barnaby Jack, was supposed to detail a vulnerability affecting a popular line of new ATMs. But Juniper barred Barnaby from giving his presentation after the unnamed ATM vendor threatened legal action.