ATM Hack Gives Cash On Demand 193
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
The tip of the iceberg (Score:4, Insightful)
Wait until they can hack payment-enabled smartphones.
All your cash are belong to us
Really? (Score:4, Insightful)
"After experimenting with two machines he purchased"
Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com].
no wonder (Score:2, Insightful)
Note the manufacturers. The big 3 of ATMs are Wincor, Diebold, and NCR. Check the ATM for pretty much any financial institution and you'll see one of those logos somewhere. When one of them gets hacked it's a big deal. When a white-label gets hacked it's just another day.
Re:Interesting Hacks... (Score:4, Insightful)
It is conceivable that fewer corners were cut back in the day, or that a substantially greater percentage of ATMs were on bank premises, not being connected over public phone lines; but it would be surprising if OS/2 alone would save you from those design mistakes.
Re:Really? (Score:3, Insightful)
Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.
Patchless ATM "hack" (Score:4, Insightful)
There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.
This procedure was used on me. Education can be expensive.
Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.
When I was victimized, the theif also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has you PIN, no matter how they get it, they are authorized to use the card!
I no longer use a debit card. Nowdays I use cash whenever possible.
Re:Patchless ATM "hack" (Score:4, Insightful)
They stole your card so they can probably steal your cash which will also not get refunded by the bank.
Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.
Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).
Re:Really? (Score:3, Insightful)
Yet another example of a bad law.
Inside Man (Score:3, Insightful)
Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the banks' worries.
Re:Interesting Hacks... (Score:1, Insightful)
You're right on all accounts except for (3). Just because an anti-virus says that something is infected doesn't mean it's the case. I have to deal with false positives on a daily basis. Please don't fall for the myth that anti-virus companies are infallible. There was a story recently about one anti-virus that had "mistakenly" classified a competitor's product as infected.