ATM Ripoff
$1 million bogus bank deposit
Cheating of automatic teller machines
Sometimes things go right

----------------------------------------------------------------------

Date: Thu, 6 Mar 86 08:59:55 EST
From: davy@purdue-ecn.ARPA (Dave Curry)
To: risks@sri-csl.arpa
Subject: ATM Ripoff

   WASHINGTON (UPI) - A computer glitch enabled a man to get away with
$140,000 in $10- and $20-bills in a weekend run on 16 automatic teller
machines in the nation's capital and its Virginia suburbs, the Secret
Service said Wednesday.
   Michael Caputo, 31, of Fairfax Station, Va., admitted in federal
court Tuesday to using a stolen VISA credit card to make more than 400
withdrawals from the money machines last October.
   The withdrawals represent the largest fraud committed agains VISA
with an automatic teller machine, officials said.
   "Why didn't someone else in line notice it?" asked John Magaw, a
Secret Service agent.  "It's very bizarre.  All of a sudden this guy
realized how good he had it.  His pockets just weren't big enough.
The machines just weren't programmed to stop."
   Caputo was photographed by monitors at the 16 mechanized tellers
receiving $300 during each transaction - at times smiling while other
times holding bags of money.
   "Normally, you can't take more than $200 at a time, and (most
machines) will not allow you on nights and weekends to go beyond a
certain limit," Magaw said.  "Somehow, the safeguards broke down to
allow for that to happen."
   Magaw said that Caputo apparently used the VISA card at two banking
institutions.  He said that the two computers did not "blend together,"
and allowed him to take large amounts of money without being detected.
   "It's like having a Chevrolet and a Buick and putting a carburetor
from one on the other," Magaw explained.  "You may get it to work, but
it just doesn't quite go together.  There's glitches that have to be
worked out."

------------------------------

I'm don't know a lot about blending computers together or combustion
engines, but this isn't the first problem I've ever heard of with
ATMs.  Several years ago (on the old $25 clip dispenser type machines)
a friend of mine discovered he could empty the machine by pushing the
clip back into the slot.  The machine assumed the clip didn't fall
out, and so it sent *another* one.

He emptied the machine of several thousand dollars, put it all into a
paper bag, and left.  The next day he went to the main office of the
bank, saw the manager, and said, "Your teller machines can be robbed."
The manager of course said this was impossible, at which point my
friend dumped the bag of money on his desk and said, "You won't be
wanting this back, then."  The machines were down for the next several
days...

Anybody have some stats on these things?  I seem to recall seeing
something that the banks are still losing money on them, but it didn't
show any figures.  Anyone have any data on this?  I'm sure that given
a few hours most people on this list could come up with at least one
way to rob the machine down on the corner.... (let's not discuss the
methods in detail though; I'm sure the banks have enough problems
without us advertising ways to steal from them).

--Dave Curry

   [I have various inside stories about the extent of fraud, but the
    victimized institutions seem to keep pretty quiet.  They don't want to
    lose customer confidence and customers.  Besides which, they can simply
    up the rates to amortize the losses.  Who cares, especially if the
    customers don't even know?  (OK.  I care.)  PGN]
----------------------------------------------------------------------
----------------------------------------------------------------------

Date: Fri, 22 Aug 86 21:47:58 EDT
From: hal@gvax.cs.cornell.edu (Hal Perkins)
To: risks@csl.sri.com
Subject: $1 million bogus bank deposit

From the Chicago Tribune, Friday, Aug. 15, 1986.  sec. 3, p. 3:

Bank machine is no match for schoolboy with a lollipop

  AUCKLAND, New Zealand [UPI] -- A schoolboy outsmarted an automatic
bank machine by using the cardboard from a lollipop packet to
transfer $1 million New Zealand dollars into his account, bank
spokesmen said Thursday.

  Tony Kunowski, corporate affairs manager of the United Building
Society savings and loans institution, said the 14-year-old student
slipped the cardboard into an envelope and inserted it into the machine
while punching in a deposit of $1 million, the U.S. equivalent of
$650,000.

  "We are not amused, but we don't think this is the tip of an
iceberg," he said of the incident of three weeks ago.

  Kunowski said that when the boy, identified only as Simon, checked
his account a few days later, he was amazed to discover the money had
been credited.  He withdrew $10.

  When no alarm bells rang and no police appeared, he withdrew another
$500.  But his nerve failed and he redeposited the money.

  On Tuesday, Simon withdrew $1,500, Kunowski said.

  But his nerve failed again Wednesday, and he told one of his teachers
at Selwyn College, Kunowski said.  The school's headmaster, Bob Ford,
took Simon to talk with United Building Society executives.

  Ford said Simon had not been considered one of his brightest pupils,
"at least until now."

  It was unknown if Simon would be disciplined.

  Kunowski told reporters that Simon succeeded because of delays in
reconciling transactions in automatic tellers around the country with
United's central computer system.

  "The delay in toting up the figures would normally be four weeks and
that was how a schoolboy could keep a fake million dollars in his
account without anyone batting an eyelid," he said.

  "We are now looking very closely at our internal systems.  Human
error may also be involved," Kunowski said.

----------------------------------------------------------------------
----------------------------------------------------------------------

Date:        21 Aug 86 02:45 +0200
From:        Jacob_Palme_QZ%QZCOM.MAILNET@MIT-MULTICS.ARPA
To:          "RISKS FORUM" <RISKS@CSL.SRI.COM>
Subject:     Cheating of automatic teller machines

Several young people have cheated automatic teller machines from
one of the largest Swedish bank chains in a rather funny way.

You use the machines by inserting your plastic card in a slot, then punching
the amount you want and your password, and then the card comes out of one
slot, and the money out of another slot.

The cheaters took a badge belonging to a large guard company, which looked
very reassuring, and fastened it with double-sticky tape in front of the
slot through which money comes out. They then faded into the background and
waited until someone came to get money from the machine. The person who
wanted to use the machine put in his card, punched his code and amount, and
the machine started to push out the money through the slot. When the money
could not get out, because of the obstruction, the machine noted this, and
gave a "technical error" message to the customer, who went away. Up came the
youngsters, who took away the badge, fetched the money behind it, and put up
the badge again for the next customer.

The cheatings described above have been going on for several months, but the
bank has tried to keep this secret, claiming that if more people knew about,
more would try to cheat them.  Since the money is debited on the account of
the customers, this means that those customers who did not complain lost the
money. The bank has now been criticised for keeping this secret, and has
been forced to promise that they will find all customers cheated (this is
possible because the temporary failure in getting the money out of the slot
was noted automatically by the machine) and refund the money lost.

The bank chain will now have to rebuild 700 automatic dispensing machines.
Most other banks in Sweden, except this chain, have a joint company
operating another kind of dispensing machines, from which you can take out
money from your account in any of these banks. Their dispensing machines
cannot be cheated in this way, because they have a steel door in front of
the machine which does not open until you insert a valid plastic card.

----------------------------------------------------------------------
----------------------------------------------------------------------

From: Matt Bishop <mab@riacs.ARPA>
To: risks@csl.sri.com
Subject: Sometimes things go right
Date: Mon, 25 Aug 86 08:19:14 -0700

All these letters about ATM's being outsmarted reminds me of an incident
where someone gambled on the inability of a bank to change the programming
for managing ATM's, and lost.  This incident is described in Donn Parker's
book on computer crime, which I seem to have left at home (so I can't give a
reference), and it's interesting because it shows the risks in assuming
things can't be done quickly.

In Japan, someone kidnapped a little girl, and told her father to open an
account at a bank which had ATM's throughout Tokyo, and put the ransom in
that account.  He was then to indicate the account number and password (in
the newspaper via what Sherlock Holmes would call the agony column, I
guess). The kidnapper would then withdraw the money from one of the ATMs.
He figured there weren't enough police to watch all the ATMs and even if
there were, they would have no way of distinguishing him from any of the
other patrons who made legitimate withdrawals.

Unfortunately for him, when the bank heard about this, they got
several programmers together and working all night they changed the
program controlling the ATMs to trap any transactions for that
particular account, and immediately notify the operators at which ATM
the withdrawal was taking place.  They then put police at as many ATMs
as they could.  The father made the deposit, the kidnapper withdrew
the money, and before he could get out of the ATM booth the police
grabbed him.  The girl was recovered safely.  The programmers got a
medal.  The kidnapper went to jail.

Kind of nice to know that sometimes things do go wrong for the better!

Matt Bishop

----------------------------------------------------------------------