Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

Comments: 193 + -   ATM Hack Gives Cash On Demand on Thursday July 29, @07:57AM

Posted by samzenpus on Thursday July 29, @07:57AM
from the one-card-bandit dept.
security
it
technology
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
story

Related Stories

Submission: ATM hack gives cash on demand by angry tapir (1463043)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

ATM Hack Gives Cash On Demand 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Interesting Hacks... (Score:5, Interesting)

    by nosferatu1001 (264446) on Thursday July 29, @07:58AM (#33067160)

    Originally delayed to let the companies patch. Interested to see if he can live up to his claims to be able to find similar issues in other brand ATMs as well.

    • Re: (Score:3, Interesting)

      by fuzzyfuzzyfungus (1223518)
      Unless he chose the two he purchased purely based on underground buzz about their weakness(possible; but you'd hope that a security researcher would go for novelty.), going 2 for 2 suggests that overall industry standards might not be that high...

    • Patchless ATM "hack" (Score:4, Insightful)

      by mcgrew (92797) * on Thursday July 29, @08:40AM (#33067540) Journal

      There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.

      This procedure was used on me. Education can be expensive.

      Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.

      When I was victimized, the theif also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has you PIN, no matter how they get it, they are authorized to use the card!

      I no longer use a debit card. Nowdays I use cash whenever possible.

      • Re:Patchless ATM "hack" (Score:4, Insightful)

        by rtaylor (70602) on Thursday July 29, @09:02AM (#33067744) Homepage

        They stole your card so they can probably steal your cash which will also not get refunded by the bank.

        Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.

        Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).

        • Re:Patchless ATM "hack" (Score:4, Interesting)

          by BrokenHalo (565198) on Thursday July 29, @11:15AM (#33069478)
          Debit and credit cards are OK so long as you are a bit careful about not where you use them and not letting them out of your sight (in order to to skim them), and check your accounts reasonably frequently. They are certainly better than cheques.

          Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks since.

          At least with credit cards, there is always the option of a chargeback.

        • Re: (Score:3, Interesting)

          by CaseM (746707)

          Consumers are no more liable for debit/check card fraud than they are credit card fraud. This is a very common fallacy.

          • Re:Patchless ATM "hack" (Score:4, Interesting)

            by SQLGuru (980662) on Thursday July 29, @12:59PM (#33071382)

            In the early 90's, I had a 10 digit pin with Wells Fargo. It was great for security, but it was a pain when all of the POS terminals didn't expect it. They only allowed for 4 digit input.

            Also, my current bank (name withheld) offers the two account approach. One account has card access and the other has the money. You transfer periodically to cover the other. If your card is ever compromised, you stop the transfers and limit the losses. Of course, you still also get the protection you would normally get with your card.

      • Re:Interesting Hacks... (Score:4, Insightful)

        by fuzzyfuzzyfungus (1223518) on Thursday July 29, @08:26AM (#33067418) Journal
        TFA isn't exactly heavy on the details(PCWorld, detail light? Shocking.); but the class of vulnerability being described, a vulnerable remote management program listening to a modem(if the number isn't in the phone book, it is super-secret, right?), seems pretty OS agnostic. Same with the ghastly corner-cutting on making keys not unique per-device.

        It is conceivable that fewer corners were cut back in the day, or that a substantially greater percentage of ATMs were on bank premises, not being connected over public phone lines; but it would be surprising if OS/2 alone would save you from those design mistakes.

        • Re:Interesting Hacks... (Score:5, Informative)

          by blisteringsilence (1290138) on Thursday July 29, @11:57AM (#33070172)
          Disclaimer: I own about 30 of these machines, and work as a repair tech for a statewide area. It's a nice side income. Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago. My first comment is that the remote management software that is being exploited isn't turned on in the vast majority of the machines that are out there. Whether it's triton connect, or tranax's remote access, all of the processors that I've encountered require that it be disabled for the machine to work. This software was important 4 or 5 years ago from a machine management standpoint, but with realtime internet tracking of machine status, there's just no reason for it to be enabled. Now, as to the comment about keys not being unique per device: A key on an ATM opens two areas: the "computer" module on top of the safe, and the bit of plastic that obscures the safe dial. A service technician (like me) is most of the time a freelancer who's in this for some side cash. When I go to a customer's location, my goal is to fix the problem and get out. As I almost never need to get to the vault of the machine, I have a keyring that has the standard sized keys for all of the machines I work on. An access password or vault combination can be obtained by a call to the owner of the machine. A unique key, however, cannot. Moreover, as many older machines require access to the processing unit in order to fill the machine (you have to hit a physical button to get into that menu), you have to make it easy for your armored service to access the top as well as the vault. It's unreasonable to expect a vaulting company to haul around 60 or 70 keys to fill the machines that they have on their list for that day.

          • Re: (Score:3, Interesting)

            by green1 (322787)

            Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago.

            But does that really help matters any? wouldn't being connected to the internet be even MORE risky? surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

            Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connect

            • Re:Interesting Hacks... (Score:4, Interesting)

              by blisteringsilence (1290138) on Thursday July 29, @01:43PM (#33072366)

              But does that really help matters any? wouldn't being connected to the internet be even MORE risky? surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

              Maybe yes, maybe no. The first part of this answer is that when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

              So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine, and the data is encrypted 19 ways from Sunday. To start with, you have the master keys that allow the machine to communicate with the processor. After they are input, they're encrypted and stored in epoxy buried chips in the keypad, and any interruption of electrical power to those chips (which runs through fry wires from a battery also stored within the epoxy matrix) kills the keys.

              So your communication starts with the machine opening a connection with a dedicated IP server on one of 3 possible ports. During handshake and authentication a unique time-based one time key is transmitted back to the machine. This super-encrypts the keys, which are then sent, followed by the transaction information, and the transmission is closed out. These machines are also usually programmed to auto-connect every 15 or 30 minutes with a machine status update (thereby eliminating the need to dial in remotely).

              Now, as all this information is going out over the general internet, it's possible to intercept the packets, but I don't know what good they'd do for you, as there's no way to get to the original master keys assuming you could get past the super encryption, thereby securing the first level.

              Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connection back to the bank that kept their data away from the internet? wouldn't this make more sense? (from the stand point of a telco tech, these machines do not connect to our usual DHCP servers, and I believe their entire logical connection is separate, though what the end point is I don't know as I don't handle that end of the connection)

              The machines that are located at gas stations and bars and whatnot use a standard internet connection. The only requirement is that the location has to have a static IP. You have to remember, these machines only cost $2K - $5K, and the owner only makes $100 - $500 per month on the machine. Not to mention, they're not doing that many transactions.

              Would the solution you propose make more sense? Absolutely. But it's cost prohibitive, and beyond the scope of 99% of the owners, and 75% of the service techs. If these proposals were to be codified, you'd see fees go through the roof to make up the difference.

              Also:

              ...and the ATM machines I've worked with...

              Pet peeve.

              • Re: (Score:3, Interesting)

                by green1 (322787)

                when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

                and that's the problem, on a modem only one machine can attack you at a time, on the internet millions can have a go at once. the flexibility argument also cuts both ways...

                So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine,

                So, what you're saying is that dialup connected machines have the facility to receive calls, but internet connected machines only do outgoing connections? that seems odd. It would be just as easy to secure a dialup machine by simply telling it not to answer the phone. I have to believe that if the dialup machine is set to answer phone ca

        • Re:Interesting Hacks... (Score:5, Interesting)

          by silentcoder (1241496) on Thursday July 29, @09:47AM (#33068258) Homepage

          That reminds me. A couple of Christmas's ago I was visiting my sister in a small rural town where she lived at the time. Wanted to go draw cash at one point so walked down the main road to the town's only ATM - run by local bank ABSA (yeah - not afraid to mention it). My own bank not having an ATM in town this was the only choice available.

          As I stepped up to it... the interface was obscured by a warning message:
          F-Secure Anti-Virus for Windows has detected a virus in file ...

          Floating around.

          Being aware that
          1) This bank's ATM's run windows
          2) They use F-Secure for virus protection
          3) It obviously is connected in such a way that it can still GET infections

          I turned around, bummed cash of my sister and paid her bank online - there was just no way I was going to stick my card in that ATM. I am also really glad I'm not a customer of that bank - and despite the nearest ATM to my house being run by them - never use their ATM's - I would rather spend the bit of extra fuel and drive to my own bank (which may not be better - but at least I haven't seen with my own eyes that it's THAT bad). Besides the service charge saving I suspect outweighs what I spend on fuel so it's worth it either way.

  • I see what you did there... (Score:4, Funny)

    by fuzzyfuzzyfungus (1223518) on Thursday July 29, @08:00AM (#33067172) Journal
    This is clearly just a slashvertisement for Microsoft's expansion of their "Cashback" promotion from Bing to WinCE "The Product that Needs it More Than Bing"...

    Editorial standards these days... I ask you...

  • The tip of the iceberg (Score:4, Insightful)

    by tedgyz (515156) * on Thursday July 29, @08:00AM (#33067180) Homepage

    Wait until they can hack payment-enabled smartphones.

    All your cash are belong to us

  • Really? (Score:4, Insightful)

    by TwiztidK (1723954) on Thursday July 29, @08:01AM (#33067182)

    "After experimenting with two machines he purchased"

    Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com].

    • Re: (Score:2, Interesting)

      by Netshroud (1856624)
      I presume they're just very expensive. Even more so if you have to secure them and connect them up to a banking network. Anything can be bought with enough money... like the bank itself.

      • Re:Really? (Score:4, Informative)

        by tomhudson (43916) <hudson@vid[ ]ron.ca ['eot' in gap]> on Thursday July 29, @08:32AM (#33067488) Homepage Journal
        They're not that expensive. Look at the "white label" ATMs you'll see in restaurants and bars.

        Here's one of the machines in question [flextouch.ca]

        esigned and assembled with pride in the USA, the RL1600's innovative configuration--including an embedded PC-based platform, Microsoft® Windows® CE 5.0 operating system with Triton's X2 technology--makes it as powerful as it is affordable and reliable. It has a large storage capacity for journaling, and is expandable to meet future compliance and application needs.

        They can be configured for either phone or ip network, and they're not that expensive, especially if you buy it used at a bar or restaurant bankruptcy.

    • Re: (Score:3, Interesting)

      by fuzzyfuzzyfungus (1223518)
      I assume that large purchasers, like banks, can easily enough commission "private label" versions of ATMs(based more or less closely on a manufacturer's available models, doing mechanical engineering much beyond the 'paste on a logo and some colored trim' level probably isn't cost effective; but running firmware tailored to them and their systems) that are for their exclusive order; but the generic ones you see in crummy convenience stores and the like are just appliances.

      Because(like commercial scales,

      • Re:Really? (Score:5, Interesting)

        by Pharmboy (216950) on Thursday July 29, @08:15AM (#33067322) Journal

        There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

        • Re: (Score:3, Insightful)

          by fuzzyfuzzyfungus (1223518)
          True enough. I suspect that that has to do with their use for sinful, wicked, dirty gambling, which tends to draw legislative fire.

          Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.

        • Re: (Score:3, Insightful)

          by alexo (9335)

          There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free.

          Yet another example of a bad law.

        • There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

          I'm not so sure about them being illegal in "most states".

          The list of states banning slot machine ownership I found is: Alabama, Connecticut, Hawaii, Indiana, Nebraska, South Carolina, and Tennessee.

          I have a slot machine. It accepts quarters or tokens, and I can adjust the payout ratio.

          I paid $160 for it at the flea market, at the county fairgrounds one county over. There were Sheriff's deputies everywhere and they didn't give the slot machines a second look.

      • Re: (Score:3, Informative)

        by skgrey (1412883)
        You would be absolutely correct. I used to work for one of the largest ATM manufacturers, and I'm still very close with the people that designed most of the ATM's you see in banks and convenience stores. It's really just a branding thing, and even then there isn't much they do besides slapping a plastic faceplate on the ATM. You have to be one of the larger banks and have a very large exclusivity contract before they'll even start considering a design specific for your bank - I only saw one in five years of

    • Re: (Score:2, Informative)

      by 91degrees (207121)
      The sort you find in convenience stores can be purchased without too much difficulty. They're just automated machines that put a charge on your card and dispense money, so they're not that different from a till and card reader.

      I imagine the heavy duty ones that banks use are a little more tricky to get hold of.

    • Yup, they can. (Score:4, Informative)

      by Cyberax (705495) on Thursday July 29, @08:12AM (#33067288)

      ATMs are sold 'over the counter'.

      They aren't even that expensive, it's possible to get a new ATM for about $2000 (though realistically a good ATM costs about $5000).

    • Re: (Score:3, Informative)

      by KarrdeSW (996917)

      Well... Bank of America may be a bit angry if you have one of their ATMs in your living room, but getting one of the mass produced brands that companies set up at street events or in convenience stores isn't very difficult.

      The regulation isn't so much on who can have one as on the manufacturers to keep the data of the people using it secure, and even they aren't required to do much.

    • Re:Really? (Score:4, Interesting)

      by zigziggityzoo (915650) on Thursday July 29, @08:27AM (#33067432)
      I know of a couple of restaurants that have their own ATMs with a "cash only" policy for acceptable payments. Anyone without cash is directed to the ATM they own. Instead of it costing them a percentage to accept cards, they make money off the ATM.

      • Re: (Score:3, Interesting)

        by blisteringsilence (1290138)
        That's a big selling point when I go to place a machine. Instead of the location paying $2,500+ monthly to their credit card processor, they can just charge a $0.25 transaction fee, and make some money. One of my customers realized a net monthly gain of about $4,000. It's been really popular with liquor stores and bars.

  • BoA (Score:2, Interesting)

    by Anonymous Coward
    I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.

  • Pretension (Score:5, Funny)

    by aliddell (1716018) on Thursday July 29, @08:09AM (#33067250)

    Exploiting bugs in two different ATM machines

    'ATM machines'? Really?

    • Re:Pretension (Score:5, Funny)

      by Spad (470073) <`slashdot' `at' `spad.co.uk'> on Thursday July 29, @08:19AM (#33067352) Homepage

      And he didn't even need a PIN Number

      • Re:Pretension (Score:5, Funny)

        by RulerOf (975607) on Thursday July 29, @10:10AM (#33068550)
        Rumor has it that if the hacker can find the MAC controller address for the NIC card in the ATM machine, he can use specially crafted TCP/IP protocol and also expose your SSN number.

        • Re:Pretension (Score:4, Funny)

          by need4mospd (1146215) on Thursday July 29, @11:07AM (#33069384)
          But only ATM machines with specific UPC codes and LCD displays will do this. And you should make sure your PC computer has enough RAM memory and is setup to run on AC current using only RF frequencies to communicate. Always back up these transactions to a DAT tape or CD disks. If you do this right, you should be able to avoid any VAT taxes so you can afford more KFC chicken.

    • Re: (Score:3, Funny)

      by Darth_brooks (180756) *

      Yeah, ATM Machines. Those things that you put your PIN Number into.

    • It's a machine that operates the ATM for you. It also goes by the name Automated ATM.

        • Re: (Score:3, Funny)

          by davidbrit2 (775091)
          I think that would be the machine operating the machine that's operating the ATM. It brings the level of automation to where you only have to subconsciously think of money, or anything that rhymes with money in order to make a withdrawal.

  • You passed Go, please collect $ from bank, where $ = Amount Input.

  • scrooge? (Score:3, Interesting)

    by circletimessquare (444983) <circletimessquar ... m ['gma' in gap]> on Thursday July 29, @08:27AM (#33067438) Homepage

    he should have called it robin hood

    right subject matter (wealth redistribution), wrong direction (down to the lower classes: robin hood, not up to the higher classes: scrooge)

  • Why go through all that trouble of hacking? (Score:3, Interesting)

    by qazwart (261667) on Thursday July 29, @09:24AM (#33067956) Homepage

    The types of ATMs being talked about are the non-bank machines that you see in many smaller stores in New York City. They're installed and sold by third party vendors to connect to the main banking networks.

    A salesman goes into a store, and tells the owner that if they had an ATM in their store, their sales will go up because people will stop in to get cash. The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owners manual. A manual you can buy on line.

    There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messing hacking necessary.

    • Re:Why go through all that trouble of hacking? (Score:5, Informative)

      by blisteringsilence (1290138) on Thursday July 29, @12:15PM (#33070542)

      The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owners manual. A manual you can buy on line.

      Well, I guess if I'm going to criticize, I'll start here. No PCI-compliant machines allow you to go through the configuration process without inputting 3 different levels of new password. The attack you describe above might have worked 2 years ago. No longer. Sorry. And you don't have to buy the manual, they're (mostly) available for free.

      There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messing hacking necessary.

      No there haven't. The only exploit that could be executed in person was the following:
      1. Thief buys prepaid $200 visa card with PIN.
      2. Thief accesses the service menu of the machine (using default or socially engineered password).
      3. Thief changes the machine's internal systems to think it's holding $5 bills instead of $20 bills.
      4. Thief exits service menus.
      5. Thief puts in card and withdraws $200. Since the machine thinks it's holding $5's, it dispenses 40 total $20 bills ($800). The thief makes off with a net of $600.

      However, this exploit is no longer possible, as the master keys that allow an ATM to communicate with the processor are now erased when you change the denomination of bills the ATM dispenses.

      The process you describe has never worked. There is an option in a service menu called "test dispense," but it kicks the bill into the reject bin, not into the cash pickup.

      Please try again.

  • 'M' is for Machine (Score:3, Funny)

    by ricosalomar (630386) on Thursday July 29, @09:52AM (#33068338)

    The summary refers to 'ATM machines.'

    I haven't read TFA article, but I wonder if you need a PIN number, or if the exploit uses a VM machine?

    Has someone notified the federal FBI bureau?

  • Inside Man (Score:3, Insightful)

    by Itninja (937614) on Thursday July 29, @10:59AM (#33069270) Homepage
    From TFA: "A single, standard key can open many different types of machines, he said, presenting another serious security problem."

    Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the banks' worries.
Search
If only you had a personality instead of an attitude.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.