Hacker shows how to fool cash machines

A hacker has discovered how to force cash machines to dispense money by hijacking the computers inside them.

Barnaby Jack spent two years tinkering with machines he bought online, they were standalone dispensers, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of them by exploiting weaknesses in the computers that run the machines.

He showed off his results today in Las Vegas at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

His attacks have wide implications because they affect multiple types of machines and exploit weaknesses in software and security measures that are used throughout the industry.

His talk was one of the conference’s most widely anticipated, as it had been scrapped a year ago over concerns that fixes for the machines would not be in place in time. He used the extra year to craft more dangerous attacks.

Jack, who works as director of security research for Seattle-based IOActive, showed in a theatrical demonstration two ways he can get machines to spit out money:

-- He found that the physical keys that came with his machines were the same for all machines of that type made by that manufacturer. He figured this out by ordering three machines from different manufacturers for a few thousand dollars each. Then he compared the keys he got to pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

-- Jack also hacked into machines by exploiting weaknesses in the way ATM makers communicate with the machines over the internet. Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn’t go into much more detail because he said the goal of his talk “isn’t to teach everybody how to hack machines. It’s to raise the issue and have ATM manufacturers be proactive about implementing fixes.”

The remote style of attack is more dangerous because an attacker does not need to open up the machines.

It allows an attacker to gain full control of the machines. Besides ordering it to spit out money, attackers can silently harvest account data from anyone who uses the machines. It also affects more than just the standalone machines vulnerable to the physical attack; the method could potentially be used against the kinds of machines used by mainstream banks.

More in this Section

British bosses increasingly worried by climate change – surveyBritish bosses increasingly worried by climate change – survey

Apple CEO Tim Cook backs OECD multinational tax reform plansApple CEO Tim Cook backs OECD multinational tax reform plans

Kerry Airport increases passenger numbers despite BrexitKerry Airport increases passenger numbers despite Brexit

Boeing urged to drop ''Max'' brand name from grounded 737Boeing urged to drop ''Max'' brand name from grounded 737


Lifestyle

SECOND Captains is one of the long-running success stories in Irish podcasting. Ostensibly a sports show led by Eoin McDevitt, Ken Early, and Ciarán Murphy, the former Off The Ball team from Newstalk launched the podcast in mid-2013. two Monday shows are offered for free, with Tuesday-Friday behind a Patreon subscriber model and dubbed ‘The World Service’. It has more than 11,500 subscribers.Podcast Corner: First-class podcasts from Second Captains

The incredible life of Ireland’s first celebrity chef has been turned into a play, writes Colette SheridanHow Maura Laverty cooked up a storm

Their paths first crossed on the top floor of the library at University College Cork in October 2010 when both were students there so Amy Coleman and Steven Robinson were delighted to retrace their footsteps on their big day.Wedding of the Week: College sweethearts open new chapter

Peter Dowdall reveals why all roads will lead to Tullow in County Carlow on February 1Snowdrop patrol: Why all roads will lead to County Carlow

More From The Irish Examiner