Hack attack hits ATM jackpots

Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.

The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.

"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."

Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the United States but said the flaw likely exists in machines at banks.

Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.

He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.

He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."

Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.

"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."

He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.

"I might get my butt in hot water if I released the code," said the IOActive software security researcher who did the ATM hack 'as a hobby.'

"I was careful not to release the keys to the kingdom."

Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.

"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."
