Take Me Out to the Reverse ATM

by heyczerny

In the world of OPSEC, anonymous payment methods are an important part of protecting one's privacy when interacting with merchants.

In the physical world, one common tool is the prepaid debit card.  This is basically a gift card which can be purchased with cash without providing ID.  I have been a fan of Vanilla Visa cards and over the years they have served me well.  Recently, however, I have noticed a steep increase in "draining attacks" with these cards, including an alarming trend of cards hitting store shelves with the security code already scratched off and/or mag-stripe already demagnetized.

These attacks are a stark departure from one seen in years past, where criminals steal an unactivated card from a store and create a sticker matching its loading/activation barcode.  In this attack they then return to the store and place this sticker over the same barcode of unsold cards still on the shelf.  When a victim pays for and activates a card that contains this fraudulent barcode sticker, the money is instead deposited on the original stolen card.  Checking for this by inspecting the packaging and looking for stickers is simple enough, but newer attacks involve stealing the card numbers and then scratching them off, and then demagnetizing the card so that the person who actually buys it is unable to use it.

Sometimes, incredibly, the packaging is still pristine, with no sign of tampering.  At one store last year, I explained the situation and asked a manager if he would let me open up the packaging at the register before deciding whether to load it with cash.  I brought up a perfectly sealed Vanilla Visa card and we opened it at the register to discover the security code was scratched off.  He couldn't believe it.  I walked out without a card.  Too risky.

Apparently I am not alone.  In the last year, at least two separate lawsuits against various companies involved in the sale of Vanilla Visa cards have been filed.  It was time to look for a better solution.

In a seemingly unrelated story, I have watched with much sadness over the years as the ability to anonymously attend a staple of American culture, the Major League Baseball game, has all but disappeared.  Not long ago, you could pay cash for a physical ticket at the box office.  But as ticket fraud rose and China COVID-19 made businesses reevaluate technical solutions, the MLB has locked tickets down hard.  Today, to get past the gates and into the ballpark near me, the MLB App is required, and its ticket is both animated and incorporates a rolling code.  No more print-at-home.  No more screenshots.  And once you're inside, it's 100 percent cashless.  But if you were to look closely at the amenities, you might notice another new addition to game day: the Reverse ATM.

It works exactly as it sounds.  To quote one article, "You insert cash into the machine and it uploads the amount onto a prepaid Mastercard...  If you do not use all of the funds during your time at the stadium, the card can be used at your local gas station or anywhere Mastercard is accepted."

This sounded perfect.  But I had questions.  Was some sort of account required?  Would I be asked to scan an ID?  To answer these questions and hopefully end up with such a card that suited my purposes, I would need to embark on a mission: Go to an MLB game anonymously and find the Reverse ATM.

Creating an MLB account was easier than I expected.  I provided a masked email address for this specific task, and a password.  A birthday was also asked for.  I gave the birthday of a famous retired MLB player.  Interestingly, a name was not asked for.  This sign-up was done in a privacy-hardened browser over a public VPN.  So far so good.

At this point, it was time to find a ticket.  Unfortunately, the stadium seat picker would not load in the browser.  Maybe it was the VPN, maybe my extensions or settings, who knows?  But I would need to move to the MLB app earlier than expected.

I have an old Pixel 3a with GrapheneOS for these sorts of things.  It has an anonymous Mint Mobile SIM, and Wi-Fi and Bluetooth are always off.  Because it is so old, it no longer receives any updates.  I was worried this might cause an issue, but luckily it did not.  I installed the MLB Ballpark App and logged in.  Browsing for tickets worked fine on the app.  I picked a game for the middle of the day in the middle of the week.  This way I expected there to be fewer attendees and thus I could fuzz my actual seating a bit.  There's good plausible deniability here - a seat is located by three distinct numbers!  Maybe I just got confused.

Paying with a virtual masked credit card and using the stadium as the billing address was accepted, and I had my ticket.  It was only viewable in the app, and contained an animation to defeat screenshots as well as a barcode which changes every few seconds.  This phone was coming with me to the game.

On game day I put on the team colors to blend in, grabbed my Pixel 3a and hat and sunglasses, and headed out.  I noticed a "Will Call" window near the gate which caught my attention since its existence suggested the ability to purchase a ticket app-free.  But I was told that while they could maybe assist with a purchase, any ticket would eventually need to be sent to the app.  Next it was time to head inside.  I was a bit worried that my fake famous MLB'er birthday might come back to haunt me as I passed through security, but it was completely uneventful.  I was in, the Pixel 3a got turned off, and I grabbed a seat.  I decided I would wait until after the first inning to find the Reverse ATM, and during that time I learned a few interesting privacy-related things.

The first is that at a game there is a very slim chance you win one of the random prizes selected for various seats and rows throughout the stadium.  I saw free seat upgrades, free food, etc. handed out to various lucky fans as the camera zoomed in on them on the JumboTron.  The second is that if you happen to catch a ball at your seat, security might come have a chat with you.  This is almost certainly a congratulatory thing, but they might also want some of your information in exchange for that ball.  Luckily, I was unlucky in both of these scenarios.

After the first inning, I went and found the Reverse ATM.  Interestingly, despite this being a cashless stadium, it was directly next to a regular ATM.  The Reverse ATM dispensed Visa debit cards, and loading a new card was as simple as pressing a few buttons on the touch screen, none of which required any data or ID scans.  When prompted, you simply insert cash bills up to a limit of $500.  I decided to put $60 on the card, which I thought should cover a beer and a couple of hot dogs.  Unlike Vanilla Visa, there was no activation fee.  This appears to go against some documentation I found on this card's website, which states potential activation fees up to $6.00.  Perhaps they have a special deal with this ballpark.  There is, however, a dormancy fee.  The card was printed immediately, and dispensed.  I was able to choose a paper receipt as well.  I was surprised to see that the card had an expiration date of only nine months from now.  I'm not sure if this is by design, but it is something to keep in mind.

Immediately after the card was dispensed, I took it to go purchase a $20 beer (I wasn't kidding) and it was accepted without issue.  Back in some new seat, I decided to also test it with one of the vendors walking up and down the aisles selling hot dogs.  It was accepted there too with no issue after being swiped on his mobile point-of-sale system.

This was mission accomplished.  I had come to this game with an anonymous ticket and was now enjoying a beer and a hot dog, courtesy of this new prepaid debit card with no activation fee.  I stayed for more of the game, and then headed home.  But there were still a few more tests to run.

You may recall that this card is supposed to work both inside and outside the ballpark.  So the next day, I made a small purchase at a convenience store and it worked fine.  It did, however, ring up as a credit card transaction, which was interesting (but a welcome sign in that it was accepted) and which cost me 38 cents.  I think this charge came from the convenience store end and not Visa but I'm not sure.

The final test was an online purchase.  Again, using a hardened browser and a public VPN, I am happy to report that the remaining funds on the card were able to be charged successfully in a donation to the EFF.

Some final notes: Like Vanilla Visa, there is a free website which lets you check the balance of the card at any time.  Unlike Vanilla Visa, this website is much friendlier to VPNs.  Be aware of short expiration time-frames and any dormancy fees.  Also, your experience on activation fees may vary if this was a special agreement between the ballpark and the Reverse ATM company.

Finally, be aware that the Reverse ATM does have a front-facing camera similar to that on an Amazon Locker kiosk.  However, it is high enough that a hat brim could likely shield your face.

Hopefully these Reverse ATMs show up in more locations over time.  I would certainly use them again.  They appear to be a nice alternative to other prepaid debit cards and potentially cheaper as well.

Finally, like other privacy tools that grant some level of anonymity, use them responsibly or we all run the risk of them either disappearing or being made ineffective through future identity verification requirements.
