Slashdot Mirror


Researcher Discovers ATM Hack, Gets Silenced

Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."

5 of 229 comments

  1. Re:Ridiculous by Anonymous Coward · Score: 5, Interesting

    No, they don't... but it depends on the hack.

    If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

    If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

  2. Never fear, BH presentation likely by 2gravey · Score: 5, Interesting

    For those of you who aren't aware, the Black Hat tradition for vulnerability presentations which have been similarly blocked due to court orders, etc. is to offer BH a replacement safe/bland presentation and then deliver the banned exploit demonstration regardless. This action typically results in a large lawsuit against the researcher's employer, subsequent termination of the researcher, and a short-lived rock star notoriety for the researcher making the aforementioned termination totally worth it.

  3. Re:Ridiculous by compro01 · Score: 4, Interesting

    Being as the exploit is already in the fucking wild and being actively exploited, preventing the information from being presented is completely and totally pointless.

    --
    upon the advice of my lawyer, i have no sig at this time

  4. Re:Ridiculous by Talderas · Score: 4, Interesting

    Not really. Despite the exploit being out there, there are likely only a few malicious people who know about it. If the hack requires physical access to the machine, this means the number of machines that are exploited is smaller. As other people have mentioned, once the exploit is significantly more public, that will increase the number of malicious people who know about it and increase the number of exploited machines.

    There's a lot of people who can apply exploits. There aren't as many that can discover them.

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork

  5. How it works. by mbarkhau · Score: 4, Interesting

    I only read this on another forum so take with a grain of salt.

    The hack is based on the assumption that if you make a withdrawal from an ATM and don't take the money, you forgot to take it, so the machine takes the money back and refunds the amount to your account.

    The thing is that the machine doesn't have a way to count how many bills it takes back, so you can just take the bills from the middle and you will get a full refund.

    Supposedly this also works if you take the money right before the ATM pulls back in the money.