ATM Hack Gives Cash On Demand
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
Originally delayed to let the companies patch. Interested to see if he can live up to his claims to be able to find similar issues in other brand ATMs as well.
I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.
I presume they're just very expensive. Even more so if you have to secure them and connect them up to a banking network. Anything can be bought with enough money... like the bank itself.
I assume that large purchasers, like banks, can easily enough commission "private label" versions of ATMs (based more or less closely on a manufacturer's available models; doing mechanical engineering much beyond the 'paste on a logo and some colored trim' level probably isn't cost effective, but running firmware tailored to them and their systems) that are for their exclusive order; but the generic ones you see in crummy convenience stores and the like are just appliances.
Because (like commercial scales and gas pumps) they are appliances used in commerce, there may well be one or more state or local authorities who want to take a look and put their sticker on it before it goes into use; but if some guy wants to buy a used one, I see no reason why that would be uncommon or controlled. If they are used for fraud or theft, that is just as illegal as any other flavor of the same; but there are loads of common and wholly legal tools that have potential in that area.
There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.
Tequila: It's not just for breakfast anymore!
I know of a couple of restaurants that have their own ATMs with a "cash only" policy for acceptable payments. Anyone without cash is directed to the ATM they own. Instead of it costing them a percentage to accept cards, they make money off the ATM.
Zing!
he should have called it robin hood
right subject matter (wealth redistribution), wrong direction (down to the lower classes: robin hood, not up to the higher classes: scrooge)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Reliable my ass. I keep seeing BSOD-ed or out-of-memory ATMs around these parts, running what seems to be Windows XP (Embedded? At least, I hope it's XP and not Windows ME); even better are those with the "you may be a victim of software piracy" WGA notice. Closed my account at that bank after seeing that ("in what other areas do they habitually and epically fail?")
The types of ATMs being talked about are the non-bank machines that you see in many smaller stores in New York City. They're installed and sold by third party vendors to connect to the main banking networks.
A salesman goes into a store and tells the owner that if they had an ATM in their store, their sales will go up because people will stop in to get cash. The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owner's manual. A manual you can buy online.
There have been several incidents of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messy hacking necessary.
Debit and credit cards are OK so long as you are a bit careful about where you use them and about not letting them out of your sight (so they can't be skimmed), and check your accounts reasonably frequently. They are certainly better than cheques.
Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks since.
At least with credit cards, there is always the option of a chargeback.
That's a big selling point when I go to place a machine. Instead of the location paying $2,500+ monthly to their credit card processor, they can just charge a $0.25 transaction fee, and make some money. One of my customers realized a net monthly gain of about $4,000. It's been really popular with liquor stores and bars.
Consumers are no more liable for debit/check card fraud than they are credit card fraud. This is a very common fallacy.
In the early 90's, I had a 10-digit PIN with Wells Fargo. It was great for security, but it was a pain when all of the POS terminals didn't expect it. They only allowed for 4-digit input.
Also, my current bank (name withheld) offers the two account approach. One account has card access and the other has the money. You transfer periodically to cover the other. If your card is ever compromised, you stop the transfers and limit the losses. Of course, you still also get the protection you would normally get with your card.
You should inform the FTC, it seems they aren't aware of that fact. http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm If you are slow to report it you are responsible with a debit card more than you are with a credit card.
Xavier Rabourdin for president 2012