Hack attack hits ATM jackpots

Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.

The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.

"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."

Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the United States but said the flaw likely exists in machines at banks.

Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.

He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.

He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."

Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.

"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."

He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.

"I might get my butt in hot water if I released the code," said the IOActive software security researcher, who did the ATM hack "as a hobby."

"I was careful not to release the keys to the kingdom."

Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.

"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."
