ATM Hack Gives Cash On Demand 193
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
Re:Really? (Score:2, Informative)
I imagine the heavy duty ones that banks use are a little more tricky to get hold of.
Yup, they can. (Score:4, Informative)
ATMs are sold 'over the counter'.
They aren't even that expensive, it's possible to get a new ATM for about $2000 (though realistically a good ATM costs about $5000).
Re:Really? (Score:3, Informative)
Well... Bank of America may be a bit angry if you have one of their ATMs in your living room, but getting one of the mass produced brands that companies set up at street events or in convenience stores isn't very difficult.
The regulation isn't so much on who can have one as on the manufacturers to keep the data of the people using it secure, and even they aren't required to do much.
Re:Pretension (Score:2, Informative)
Re:Really? (Score:4, Informative)
Here's one of the machines in question [flextouch.ca]
They can be configured for either phone or ip network, and they're not that expensive, especially if you buy it used at a bar or restaurant bankruptcy.
Re:Really? (Score:3, Informative)
video from the talk (Score:2, Informative)
Security Week posted has some videos of the presentation [securityweek.com] that they uploaded to youtube.
Not most states, about 7 of them (Score:3, Informative)
There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.
I'm not so sure about them being illegal in "most states".
The list of states banning slot machine ownership I found is: Alabama, Connecticut, Hawaii, Indiana, Nebraska, South Carolina, and Tennessee.
I have a slot machine. It accepts quarters or tokens, and I can adjust the payout ratio.
I paid $160 for it at the flea market, at the county fairgrounds one county over. There were Sheriff's deputies everywhere and they didn't give the slot machines a second look.
Number 4 (Score:2, Informative)
4) It had a virus ALREADY INSTALLED as per the message you saw, so malign in fact that even F-Secure could recognize it (which goes back to point #2).
Re:Interesting Hacks... (Score:5, Informative)
Re:Why go through all that trouble of hacking? (Score:5, Informative)
The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owners manual. A manual you can buy on line.
Well, I guess if I'm going to criticize, I'll start here. No PCI-compliant machines allow you to go through the configuration process without inputting 3 different levels of new password. The attack you describe above might have worked 2 years ago. No longer. Sorry. And you don't have to buy the manual, they're (mostly) available for free.
There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messing hacking necessary.
No there haven't. The only exploit that could be executed in person was the following:
1. Thief buys prepaid $200 visa card with PIN.
2. Thief accesses the service menu of the machine (using default or socially engineered password).
3. Thief changes the machine's internal systems to think it's holding $5 bills instead of $20 bills.
4. Thief exits service menus.
5. Thief puts in card and withdraws $200. Since the machine thinks it's holding $5's, it dispenses 40 total $20 bills ($800). The thief makes off with a net of $600.
However, this exploit is no longer possible, as the master keys that allow an ATM to communicate with the processor are now erased when you change the denomination of bills the ATM dispenses.
The process you describe has never worked. There is an option in a service menu called "test dispense," but it kicks the bill into the reject bin, not into the cash pickup.
Please try again.
Re:T2 (Score:1, Informative)