
ATM Hack Gives Cash On Demand

angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
  • by tedgyz ( 515156 ) * on Thursday July 29, 2010 @08:00AM (#33067180) Homepage

    Wait until they can hack payment-enabled smartphones.

    All your cash are belong to us

  • Really? (Score:4, Insightful)

    by TwiztidK ( 1723954 ) on Thursday July 29, 2010 @08:01AM (#33067182)

    "After experimenting with two machines he purchased"

    Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com].

  • no wonder (Score:2, Insightful)

    by Anonymous Coward on Thursday July 29, 2010 @08:21AM (#33067380)

    Note the manufacturers. The big 3 of ATMs are Wincor, Diebold, and NCR. Check the ATM for pretty much any financial institution and you'll see one of those logos somewhere. When one of them gets hacked it's a big deal. When a white-label gets hacked it's just another day.

  • by fuzzyfuzzyfungus ( 1223518 ) on Thursday July 29, 2010 @08:26AM (#33067418) Journal
    TFA isn't exactly heavy on the details (PCWorld, detail light? Shocking.); but the class of vulnerability being described, a vulnerable remote management program listening to a modem (if the number isn't in the phone book, it is super-secret, right?), seems pretty OS agnostic. Same with the ghastly corner-cutting on making keys not unique per-device.

    It is conceivable that fewer corners were cut back in the day, or that a substantially greater percentage of ATMs were on bank premises, not being connected over public phone lines; but it would be surprising if OS/2 alone would save you from those design mistakes.
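The story summary and the comment above both turn on one design point: a dial-in management port that authenticates every unit the same way. The block below is an added example, not code from the article, from Barnaby Jack's research, or from any ATM vendor, and it is not the protocol the machines in the talk actually used. It contrasts a single service password baked into every unit (the "not unique per-device" corner-cut) with a per-device secret, nonce challenge and HMAC response, and shows why a credential recovered from one unit or captured off the line is useless against a second unit under the second design. All names (`ManagementPort`, `derive_device_secret`, `compute_response`, the constructed password and master key) are assumptions made for the illustration.

```python
"""Illustrative contrast between a shared static dial-in password and
per-device challenge-response for a remote management port.
Constructed example; not any vendor's real protocol."""
import hashlib
import hmac
import secrets

# --- Anti-pattern: one service password baked into every unit -----------------
SHARED_PASSWORD = b"SERVICE1234"  # constructed value; assumed identical on every unit


def weak_login(presented: bytes) -> bool:
    """Every unit accepts the same secret, so one recovered password opens the
    fleet, and a login captured on the line replays unchanged."""
    return hmac.compare_digest(presented, SHARED_PASSWORD)


# --- Hardened: per-device secret, single-use nonce, HMAC response -------------
def derive_device_secret(master_key: bytes, device_id: str) -> bytes:
    """Operator-side derivation; the master key stays at the operator and is
    never stored on a unit, only the derived per-device secret is."""
    return hmac.new(master_key, b"mgmt-auth|" + device_id.encode(), hashlib.sha256).digest()


def compute_response(device_secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """What a legitimate operator console returns for a challenge. Binding the
    device id into the MAC means a response for unit A is never valid for B."""
    return hmac.new(device_secret, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class ManagementPort:
    """Device side: holds only its own secret and the challenges it has issued."""

    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self._secret = device_secret
        self._open_challenges = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_challenges.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._open_challenges:
            return False  # unknown or already-consumed nonce: forged or replayed
        self._open_challenges.discard(nonce)  # each challenge is answered once
        expected = compute_response(self._secret, self.device_id, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walks through the four cases a reviewer would want to see."""
    master = secrets.token_bytes(32)  # constructed operator master key
    unit_a = ManagementPort("ATM-A", derive_device_secret(master, "ATM-A"))
    unit_b = ManagementPort("ATM-B", derive_device_secret(master, "ATM-B"))

    # 1. Legitimate operator login to unit A.
    n1 = unit_a.challenge()
    r1 = compute_response(derive_device_secret(master, "ATM-A"), "ATM-A", n1)
    legit = unit_a.verify(n1, r1)

    # 2. The same (nonce, response) pair captured on the line and replayed.
    replay = unit_a.verify(n1, r1)

    # 3. Attacker who pulled unit A's stored secret tries it against unit B.
    stolen_a = derive_device_secret(master, "ATM-A")
    n2 = unit_b.challenge()
    cross_device = unit_b.verify(n2, compute_response(stolen_a, "ATM-B", n2))

    # 4. Under the shared-password design that same stolen credential opens any unit.
    shared_any_unit = weak_login(SHARED_PASSWORD)

    return {
        "legit": legit,
        "replay": replay,
        "cross_device": cross_device,
        "shared_password_any_unit": shared_any_unit,
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: per-device secrets only help if the unit's own secret cannot be read back by whoever is on the phone line before authenticating, and if the master key used for derivation really stays off the devices. Neither design above says anything about the physical cabinet key that TFA also flags; that is a separate control.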
  • Re:Really? (Score:3, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Thursday July 29, 2010 @08:31AM (#33067480) Journal
    True enough. I suspect that that has to do with their use for sinful, wicked, dirty gambling, which tends to draw legislative fire.

    Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.
  • by mcgrew ( 92797 ) * on Thursday July 29, 2010 @08:40AM (#33067540) Homepage Journal

    There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.

    This procedure was used on me. Education can be expensive.

    Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.

    When I was victimized, the thief also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has your PIN, no matter how they get it, they are authorized to use the card!

    I no longer use a debit card. Nowadays I use cash whenever possible.

  • by rtaylor ( 70602 ) on Thursday July 29, 2010 @09:02AM (#33067744) Homepage

    They stole your card so they can probably steal your cash which will also not get refunded by the bank.

    Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.

    Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).

  • Re:Really? (Score:3, Insightful)

    by alexo ( 9335 ) on Thursday July 29, 2010 @10:16AM (#33068636) Journal

    There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free.

    Yet another example of a bad law.

  • Inside Man (Score:3, Insightful)

    by Itninja ( 937614 ) on Thursday July 29, 2010 @10:59AM (#33069270) Homepage
    From TFA: "A single, standard key can open many different types of machines, he said, presenting another serious security problem."

    Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the bank's worries.
  • by Anonymous Coward on Thursday July 29, 2010 @11:37AM (#33069806)

    You're right on all accounts except for (3). Just because an anti-virus says that something is infected doesn't mean it's the case. I have to deal with false positives on a daily basis. Please don't fall for the myth that anti-virus companies are infallible. There was a story recently about one anti-virus that had "mistakenly" classified a competitor's product as infected.
