Hack attack hits ATM jackpots

Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.

The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.

"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."

Jack demonstrated his findings on two models of ATM typically found in corner stores, bars or other "stand-alone" venues in the United States, but said the flaw likely exists in machines at banks as well.

Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.

He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.

He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."

Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.

"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."

He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.

"I might get my butt in hot water if I released the code," said the IO Active software security researcher who did the ATM hack 'as a hobby.'

"I was careful not to release the keys to the kingdom."

Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.

"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."
