Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATM Hack Gives Cash On Demand

Posted by samzenpus on from the one-card-bandit dept.

angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."

10 of 193 comments (clear)

  1. The tip of the iceberg by tedgyz · · Score: 3, Insightful

    Wait until they can hack payment-enabled smartphones.

    All your cash are belong to us

    --
    "No matter where you go, there you are." -- Buckaroo Banzai
  2. Really? by TwiztidK · · Score: 3, Insightful

    "After experimenting with two machines he purchased"

    Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats.

    --
    Sent from my iPhone 5
    1. Re:Really? by fuzzyfuzzyfungus · · Score: 2, Insightful

      True enough. I suspect that that has to do with their use for sinful, wicked, dirty gambling, which tends to draw legislative fire.

      Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.

    2. Re:Really? by alexo · · Score: 2, Insightful

      There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free.

      Yet another example of a bad law.

  3. no wonder by Anonymous Coward · · Score: 2, Insightful

    Note the manufacturers. The big 3 of ATMs are Wincor, Diebold, and NCR. Check the ATM for pretty much any financial institution and you'll see one of those logos somewhere. When one of them gets hacked it's a big deal. When a white-label gets hacked it's just another day.

  4. Re:Interesting Hacks... by fuzzyfuzzyfungus · · Score: 3, Insightful

    TFA isn't exactly heavy on the details(PCWorld, detail light? Shocking.); but the class of vulnerability being described, a vulnerable remote management program listening to a modem(if the number isn't in the phone book, it is super-secret, right?), seems pretty OS agnostic. Same with the ghastly corner-cutting on making keys not unique per-device.

    It is conceivable that fewer corners were cut back in the day, or that a substantially greater percentage of ATMs were on bank premises, not being connected over public phone lines; but it would be surprising if OS/2 alone would save you from those design mistakes.

  5. Patchless ATM "hack" by mcgrew · · Score: 3, Insightful

    There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.

    This procedure was used on me. Education can be expensive.

    Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.

    When I was victimized, the theif also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has you PIN, no matter how they get it, they are authorized to use the card!

    I no longer use a debit card. Nowdays I use cash whenever possible.

    --
    Free Martian Whores!
    1. Re:Patchless ATM "hack" by rtaylor · · Score: 3, Insightful

      They stole your card so they can probably steal your cash which will also not get refunded by the bank.

      Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.

      Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).

      --
      Rod Taylor
  6. Inside Man by Itninja · · Score: 2, Insightful

    From TFA: "A single, standard key can open many different types of machines, he said, presenting another serious security problem."

    Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the banks' worries.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  7. Re:Interesting Hacks... by Anonymous Coward · · Score: 1, Insightful

    You're right on all accounts except for (3). Just because an anti-virus says that something is infected doesn't mean it's the case. I have to deal with false positives on a daily basis. Please don't fall for the myth that anti-virus companies are infallible. There was a story recently about one anti-virus that had "mistakenly" classified a competitor's product as infected.