Forgot your password?
typodupeerror
Security IT Technology

ATM Hack Gives Cash On Demand 193

Posted by samzenpus
from the one-card-bandit dept.
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
This discussion has been archived. No new comments can be posted.

ATM Hack Gives Cash On Demand

Comments Filter:
  • Interesting Hacks... (Score:5, Interesting)

    by nosferatu1001 (264446) on Thursday July 29, 2010 @07:58AM (#33067160)

    Originally delayed to let the companies patch. Interested to see if he can live up to his claims to be able to find similar issues in other brand ATMs as well.

    • Re: (Score:3, Interesting)

      Unless he chose the two he purchased purely based on underground buzz about their weakness(possible; but you'd hope that a security researcher would go for novelty.), going 2 for 2 suggests that overall industry standards might not be that high...
    • by mcgrew (92797) * on Thursday July 29, 2010 @08:40AM (#33067540) Homepage Journal

      There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.

      This procedure was used on me. Education can be expensive.

      Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.

      When I was victimized, the theif also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has you PIN, no matter how they get it, they are authorized to use the card!

      I no longer use a debit card. Nowdays I use cash whenever possible.

      • by rtaylor (70602) on Thursday July 29, 2010 @09:02AM (#33067744) Homepage

        They stole your card so they can probably steal your cash which will also not get refunded by the bank.

        Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.

        Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).

        • Use a credit card for larger purchases and only keep small sums of cash with you. Credit cards are technically not cash, and the consumer protections are generally stronger in cases of fraud. A charge back for fraud on a credit card results in no money leaving your bank account compared to a debit card.
        • by BrokenHalo (565198) on Thursday July 29, 2010 @11:15AM (#33069478)
          Debit and credit cards are OK so long as you are a bit careful about not where you use them and not letting them out of your sight (in order to to skim them), and check your accounts reasonably frequently. They are certainly better than cheques.

          Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks since.

          At least with credit cards, there is always the option of a chargeback.
          • by tlhIngan (30335)

            Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks s

            • by socz (1057222)

              Actually, the signature is nothing more than an approval to a contract, not for comparison purposes. The signature panel on the back of your credit card signifies that you agreed to the cardholder agreement. The signature on the slip signifies that you are agreeing to pay the amount specified as a valid debt. The signature on the cheque indicates that you're agreeing to pay the amount specified on the note. A cheque can be written on anything as long as it contains the payee details (name), payer details (name, account number), the amount to be paid, the date and a signature indicating approval of the transaction. You could write this all on a piece of paper and it would be valid - it's how banks give you generic cheques where you have to fill in all the details yourself while your customized ones arrive later.

              What bank is this? (So I know to avoid business with them.)


              Having worked in a bank opening new accounts (not by choice!) I can verify that at least that banks policy was not just for contractual agreements, but for verifying the signer. For example:

              ) Someone walks in with a check. They wish to cash it. It's $60.
              ) The teller pays it because its $60.

              ) Someone later that day returns with a check for $260. The teller says hang on a sec while I verify the funds.
              ) The teller gets up, and if local, obt

        • Re: (Score:3, Interesting)

          by CaseM (746707)

          Consumers are no more liable for debit/check card fraud than they are credit card fraud. This is a very common fallacy.

      • What the heck is wrong with most banking regulation? If someone who isn't me makes debit transactions on my account, no matter what the amount, even if they use my card and my PIN, the fraud department at my bank (TD Canada Trust) is happy to reimburse me (especially if I'm fairly confident about the location and amount of my last transaction). And they have, even if someone is making small purchases over a period of time, which happened once (over a period of two months, someone had made a copy of my card,
        • What the heck is wrong with most banking regulation? If someone who isn't me makes debit transactions on my account, no matter what the amount, even if they use my card and my PIN...

          How the hell are they to know it isn't you? Just because you say so? You know that there are people who would lie to defraud them. I don't see why the bank should be responsible for your loss of control of your card and PIN any more than they are for your loss of control of your cash.

          • How the hell are they to know it isn't you? Because it is not you who is on the video tape(s) made by the ATM and in the room where the ATM is installed. Often as well you can prove you where elsewhere during that particular time.

            angel'o'sphere

      • by iserlohn (49556)

        For 4 digit PINs, there is a 0.3% chance of an attacker randomly entering the PIN and succeeding. So is a 0.3% chance of losing all your money in your debit card account acceptable (which can be partially mitigated using EMV smartships on debit cards)?

        • by iserlohn (49556)

          Sorry.. I meant 0.03%

          • The chance of losing all your money in your debit card account is not .03%. It is .03% times the probability of a thief acquiring possession of your card and using it before you discover that it is gone and cancel it.

          • by mcgrew (92797) *

            If they watch you enter the PIN they don't have to guess.

  • by fuzzyfuzzyfungus (1223518) on Thursday July 29, 2010 @08:00AM (#33067172) Journal
    This is clearly just a slashvertisement for Microsoft's expansion of their "Cashback" promotion from Bing to WinCE "The Product that Needs it More Than Bing"...

    Editorial standards these days... I ask you...
  • by tedgyz (515156) * on Thursday July 29, 2010 @08:00AM (#33067180) Homepage

    Wait until they can hack payment-enabled smartphones.

    All your cash are belong to us

    • by necro81 (917438)

      All your cash are belong to us

      Worse than that, since the smartphones don't actually have any physical cash.

      All your bits-that-provide-access-and-represent-money-in-an-account-that-is-itself-just-a-representation-of-cash-you-could-have-in-your-hand are belong to us. Much more fungible than cash.

    • by rickb928 (945187)

      It has begun [hackaday.com].

  • Really? (Score:4, Insightful)

    by TwiztidK (1723954) on Thursday July 29, 2010 @08:01AM (#33067182)

    "After experimenting with two machines he purchased"

    Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com].

    • Re: (Score:2, Interesting)

      by Netshroud (1856624)
      I presume they're just very expensive. Even more so if you have to secure them and connect them up to a banking network. Anything can be bought with enough money... like the bank itself.
      • Re:Really? (Score:4, Informative)

        by tomhudson (43916) <.barbara.hudson. ... bara-hudson.com.> on Thursday July 29, 2010 @08:32AM (#33067488) Journal
        They're not that expensive. Look at the "white label" ATMs you'll see in restaurants and bars.

        Here's one of the machines in question [flextouch.ca]

        esigned and assembled with pride in the USA, the RL1600's innovative configuration--including an embedded PC-based platform, Microsoft® Windows® CE 5.0 operating system with Triton's X2 technology--makes it as powerful as it is affordable and reliable. It has a large storage capacity for journaling, and is expandable to meet future compliance and application needs.

        They can be configured for either phone or ip network, and they're not that expensive, especially if you buy it used at a bar or restaurant bankruptcy.

    • Re: (Score:3, Interesting)

      I assume that large purchasers, like banks, can easily enough commission "private label" versions of ATMs(based more or less closely on a manufacturer's available models, doing mechanical engineering much beyond the 'paste on a logo and some colored trim' level probably isn't cost effective; but running firmware tailored to them and their systems) that are for their exclusive order; but the generic ones you see in crummy convenience stores and the like are just appliances.

      Because(like commercial scales,
      • Re:Really? (Score:5, Interesting)

        by Pharmboy (216950) on Thursday July 29, 2010 @08:15AM (#33067322) Journal

        There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

        • Re: (Score:3, Insightful)

          True enough. I suspect that that has to do with their use for sinful, wicked, dirty gambling, which tends to draw legislative fire.

          Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.
        • Re: (Score:3, Insightful)

          by alexo (9335)

          There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free.

          Yet another example of a bad law.

        • There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

          I'm not so sure about them being illegal in "most states".

          The list of states banning slot machine ownership I found is: Alabama, Connecticut, Hawaii, Indiana, Nebraska, South Carolina, and Tennessee.

          I have a slot machine. It accepts quarters or tokens, and I can adjust the payout ratio.

          I paid $160 for it at the flea market, at the county fairgrounds one county over. There were Sheriff's deputies everywhere and they didn't give the slot machines a second look.

        • > There is at least one precedent for making owning machines illegal.

          There many precedents for loony laws making owning all sorts of things illegal. So what?

      • Re: (Score:3, Informative)

        by skgrey (1412883)
        You would be absolutely correct. I used to work for one of the largest ATM manufacturers, and I'm still very close with the people that designed most of the ATM's you see in banks and convenience stores. It's really just a branding thing, and even then there isn't much they do besides slapping a plastic faceplate on the ATM. You have to be one of the larger banks and have a very large exclusivity contract before they'll even start considering a design specific for your bank - I only saw one in five years of
    • Re: (Score:2, Informative)

      by 91degrees (207121)
      The sort you find in convenience stores can be purchased without too much difficulty. They're just automated machines that put a charge on your card and dispense money, so they're not that different from a till and card reader.

      I imagine the heavy duty ones that banks use are a little more tricky to get hold of.
    • Yup, they can. (Score:4, Informative)

      by Cyberax (705495) on Thursday July 29, 2010 @08:12AM (#33067288)

      ATMs are sold 'over the counter'.

      They aren't even that expensive, it's possible to get a new ATM for about $2000 (though realistically a good ATM costs about $5000).

    • Re: (Score:3, Informative)

      by KarrdeSW (996917)

      Well... Bank of America may be a bit angry if you have one of their ATMs in your living room, but getting one of the mass produced brands that companies set up at street events or in convenience stores isn't very difficult.

      The regulation isn't so much on who can have one as on the manufacturers to keep the data of the people using it secure, and even they aren't required to do much.

      • by skgrey (1412883)
        It's not a matter of having a "Bank of America" or "FirstMerit" ATM in your living room, they don't make the ATM's. Banks buy ATM's to interface with their own network. If you would buy an ATM you'd need a banking entity, so you'd typically set up the account with the ATM manufacturer or a partner. For example, Triton sells those dinky little ATM's you see at gas stations. The gas station has an account with Triton, where Triton is the "banking entity" which is allowed to reach out into your bank's account,
    • Re:Really? (Score:4, Interesting)

      by zigziggityzoo (915650) on Thursday July 29, 2010 @08:27AM (#33067432)
      I know of a couple of restaurants that have their own ATMs with a "cash only" policy for acceptable payments. Anyone without cash is directed to the ATM they own. Instead of it costing them a percentage to accept cards, they make money off the ATM.
      • Re: (Score:3, Interesting)

        That's a big selling point when I go to place a machine. Instead of the location paying $2,500+ monthly to their credit card processor, they can just charge a $0.25 transaction fee, and make some money. One of my customers realized a net monthly gain of about $4,000. It's been really popular with liquor stores and bars.
      • There's only one restaurant I visit with any regularity that does this... however their fee is $0.50, which probably covers their costs... if it's more than that, they're probably making a fair profit on the ATM itself. Just the same, if it works out, awesome. I've also seen cash only restaurants set their pricing so that with tax, the pricing is at even dollar amounts.
    • by harl (84412)

      Why would they be restricted?

  • BoA (Score:2, Interesting)

    by Anonymous Coward
    I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.
    • by westlake (615356)

      I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.

      Would you feel more confident with an ATM that didn't post an error dialog?

  • Pretension (Score:5, Funny)

    by aliddell (1716018) on Thursday July 29, 2010 @08:09AM (#33067250)

    Exploiting bugs in two different ATM machines

    'ATM machines'? Really?

  • You passed Go, please collect $ from bank, where $ = Amount Input.

  • no wonder (Score:2, Insightful)

    by Anonymous Coward

    Note the manufacturers. The big 3 of ATMs are Wincor, Diebold, and NCR. Check the ATM for pretty much any financial institution and you'll see one of those logos somewhere. When one of them gets hacked it's a big deal. When a white-label gets hacked it's just another day.

  • scrooge? (Score:3, Interesting)

    by circletimessquare (444983) <circletimessquare&gmail,com> on Thursday July 29, 2010 @08:27AM (#33067438) Homepage Journal

    he should have called it robin hood

    right subject matter (wealth redistribution), wrong direction (down to the lower classes: robin hood, not up to the higher classes: scrooge)

  • Quote from TFA: "Criminals could find vulnerable ATMs by using open-source 'war-dialling' software"

    Nice. Because closed source software could never be used for criminal activity, right?

    • by Lumpy (12016)

      Nope. all the closed source war dialing apps have a list of all phone numbers to all the ATM's and refuse to dial them. They also have regular popups that ask you to confirm that you are not wardialing to do illegal activities...

      Microsoft Bob was re purposed for this use. Microsoft BobDialer 6 is the most popular in the in crowd of casual wardialing.... Ohh BRB Mine has found a fax machine for me to listen to!

    • by Spad (470073)

      It's something that seems to be getting more and more common in a subset of security-related articles. With my less cynical hat on I'm tempted to believe that they're trying to imply that the software is free and freely available and thus has a low barrier to entry for people who want to try and replicate the exploit, however, my less cynical hat doesn't fit me very well.

  • video from the talk (Score:2, Informative)

    by AmElder (1385909)

    Security Week posted has some videos of the presentation [securityweek.com] that they uploaded to youtube.

  • by qazwart (261667) on Thursday July 29, 2010 @09:24AM (#33067956) Homepage

    The types of ATMs being talked about are the non-bank machines that you see in many smaller stores in New York City. They're installed and sold by third party vendors to connect to the main banking networks.

    A salesman goes into a store, and tells the owner that if they had an ATM in their store, their sales will go up because people will stop in to get cash. The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owners manual. A manual you can buy on line.

    There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messing hacking necessary.

    • by blisteringsilence (1290138) on Thursday July 29, 2010 @12:15PM (#33070542)

      The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owners manual. A manual you can buy on line.

      Well, I guess if I'm going to criticize, I'll start here. No PCI-compliant machines allow you to go through the configuration process without inputting 3 different levels of new password. The attack you describe above might have worked 2 years ago. No longer. Sorry. And you don't have to buy the manual, they're (mostly) available for free.

      There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messing hacking necessary.

      No there haven't. The only exploit that could be executed in person was the following:
      1. Thief buys prepaid $200 visa card with PIN.
      2. Thief accesses the service menu of the machine (using default or socially engineered password).
      3. Thief changes the machine's internal systems to think it's holding $5 bills instead of $20 bills.
      4. Thief exits service menus.
      5. Thief puts in card and withdraws $200. Since the machine thinks it's holding $5's, it dispenses 40 total $20 bills ($800). The thief makes off with a net of $600.

      However, this exploit is no longer possible, as the master keys that allow an ATM to communicate with the processor are now erased when you change the denomination of bills the ATM dispenses.

      The process you describe has never worked. There is an option in a service menu called "test dispense," but it kicks the bill into the reject bin, not into the cash pickup.

      Please try again.

  • by ricosalomar (630386) on Thursday July 29, 2010 @09:52AM (#33068338)

    The summary refers to 'ATM machines.'

    I haven't read TFA article, but I wonder if you need a PIN number, or if the exploit uses a VM machine?

    Has someone notified the federal FBI bureau?

  • Inside Man (Score:3, Insightful)

    by Itninja (937614) on Thursday July 29, 2010 @10:59AM (#33069270) Homepage
    From TFA: "A single, standard key can open many different types of machines, he said, presenting another serious security problem."

    Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the banks' worries.
    • Does not one need to be inside the bank to use said key?

      Many ATMs are not inside, nor even on the premises of, a bank.

      • by Itninja (937614)
        I was thinking about that too. I think many, if not all, of those are in very public places like Shopping Malls or 24-hour gas stations... not sure if I've seen one i a secluded area... Of course if the thief wore an official-looking uniform and name tag, I bet they could still get away with it.
    • by jimicus (737525)

      Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the banks' worries.

      So don't interfere with one at a bank. Show up in a uniform with an armoured van to a convenience store.

  • Windows CE-based ATMs

    I wonder who had that brilliant idea...

The relative importance of files depends on their cost in terms of the human effort needed to regenerate them. -- T.A. Dolotta

Working...