It's particularly galling because the fake ATM was put right outside the security entrance. I'd almost be willing to bet that any account number/PIN tuples gained from this (if they were collected before the unit was discovered) won't be used. This was someone making a point, and they did an excellent job of it.
I seriously doubt the "criminals" who did this didn't know Defcon was taking place. They most likely were attendees pulling a prank to make a point.
There are other similar shenanigans at Defcon, like the Wall of Sheep, which sniffs network traffic for unencrypted logins and displays them (with most of the password obscured) on a projector screen.
How do the property managers not realize that someone has dropped off an ATM that isn't supposed to be there? Is it just me or does it seem like the properties are partially responsible if someone gets ripped off by this?
Organizations beyond a certain size are such that no single person can know everything that is going on. Where that threshold lies is a function of the general competence with which the organization is managed. To get a sense of the level of competence of the Las Vegas Riviera, consider this anecdote:
They're probably just as naive as I was (before reading the article) about the existence of fake ATMs set up by scammers. I don't think it's common knowledge that this happens, is it?
If someone set up a Coke machine that stole people's dollars, do you think they'd notice? This doesn't have anything to do with the scam, but simply being completely oblivious as to what's going on in your place of business.
I don't think the people at the front desk are aware of which contracts for vending machines or ATMs. They could have had 4 guys bring it in and make up a slick story about how they had a work order to install the machine and the front desk would probably not have the authority to act in any direction other than send the info up the chain.
Unfortunately, it now appears that there were other fake ATMs around, these at the Rio. These were not removed promptly. A friend of mine is out $200 and some of his friends are out more. Worse, no one can seem to figure out which law enforcement agency is responsible. See @chrispaget on Twitter, e.g.
http://twitter.com/ChrisPaget/status/3100154939
When you walk into Defcon you'd better be prepared at every turn; that includes any equipment you interact with.
Imagine the scoop if they had gotten away with it cleanly. Everybody is concentrating on the latest wifi snooping hack; meanwhile, some joker walks off with the account info / PIN numbers of half the attendees.
If the attendees of a security conference can be scammed like this it is really no surprise that it happens to the general public on a daily basis. I don't use any ATMs that are not 'wall mounted', always check the slot if it is securely attached and doesn't have extra reader heads.
And in spite of all that I still had a card cloned in a restaurant in Toronto... the bank was pretty good about it but it was still surprising to be so careful and still get cloned.
Pretty stupid of the person cloning the card to use it the same evening, that narrowed it down quite a bit.