When you make machines that are computers but don't look like desktop boxes an accepted part of routine transactions, it's awe-inspiring how easy it is to rip people off. For example, take ATMs and electronic voting machines. I don't think much about the former, and have pretty much exhausted my outrage over the defects of the latter. But today, John Benton reported this "elegant and malevolent" ATM scam at U Texas that reminded me of both.
The equipment used to capture your ATM card number and PIN is cleverly disguised to look like normal ATM equipment. A "skimmer" is mounted to the front of the normal ATM card slot that reads the ATM card number and transmits it to the criminals sitting in a nearby car.
At the same time, a wireless camera is disguised to look like a leaflet holder and is mounted in a position to view ATM PIN entries.
The prop leaflet container (which, if you know how to look for it, has a big ol' hole for the camera lens) reminds me of the potential exploits discovered (PDF linked here) by a team of security experts hired by Maryland to analyze the Diebold voting machines last month. Lots of ink and pixels have been expended on the potential electoral disasters discovered, but my favorite scenarios were less about scripts and more about picks. Apparently, it took an inexpert member of the team about three minutes and a cheap set of lock picks to access the box inside.
Those kinds of voting machine defects exist because Diebold employees were naive about physical data security in the face of criminal ingenuity. Just because a box is locked doesn't mean it stays closed. In the same way, just having a secret PIN doesn't mean there aren't ways to track where you put your fingers on the keypad. We tend to trust banks and, well, we used to trust the electoral system. It's disconcerting but ultimately safer to remember that neither can ever guarantee our safety from other people's malevolence.
