Hack attack hits ATM jackpots
Monday 02 August 2010
Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.
The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.
"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."
Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the United States but said the flaw likely exists in machines at banks.
Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.
He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.
He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.
"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.
"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."
Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.
"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."
He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.
"I might get my butt in hot water if I released the code," said the IOActive software security researcher, who did the ATM hack "as a hobby."
"I was careful not to release the keys to the kingdom."
Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.
"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."