Hacker Makes ATMs Puke Money, Shows How

During the annual Black Hat conference in Las Vegas, computer hacker Barnaby Jack demonstrated how a hacker could trick an ATM machine into coughing up its full load of money.

Apparently the technique took two full years to perfect, and mainly works on stand-alone ATM machines found at convenience stores. Jack chose to go public with his findings so that ATM manufacturers would take notice of the exploit and plug the holes.

Although criminals have long known that ATM machines aren't tamper-proof, previously they gained access by installing fake card readers to steal card numbers, installing tiny cameras to capture PIN numbers and other methods.

However Jack's method takes a different approach by attacking the computer within the machine. What makes this somewhat easy is that--through his discovery of purchasing ATM machines online--manufacturers tend to use the same key across all models. He was able to gain access to the computers and download his program via standard USB slots.

But the demonstration didn't stop there. He also showed a second, more dangerous form of attack--hacking by remote. Based on the procedure, a hacker wouldn't need to break into the ATM cabinet.

"He hacked into the machines by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet," the Associated Press reported from the event. "Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs."

The remote hack allowed him to gain full control of the ATM--including the ability to harvest card data from anyone using the machine. It also wasn't limited to stand-alone convenience store machines as seen with his previous demonstration, opening the door to hacks against various ATMs used by mainstream banks.

"Every ATM I've looked at, I've been able to find a flaw in," he said. "It's a scary thing."

To read more, head here.

Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then, he’s loved all things PC-related and cool gadgets ranging from the New Nintendo 3DS to Android tablets. He is currently a contributor at Digital Trends, writing about everything from computers to how-to content on Windows and Macs to reviews of the latest laptops from HP, Dell, Lenovo, and more. 

  • jonpaul37
    Job Security for some, not so much for others...
  • ecnovaec
    this is why I always wear my foil hat when I use the ATM :)
  • cbrownx88
    Can we be friends?
  • joebob2000
    Isn't this obvious, like saying "there is no such thing as a safecracker-proof vault"? As ATMs become more computerized they are naturally going to be more bug-prone and finding those weaknesses is only a matter of time. The only thing stopping the banks from losing all their money is the deterrents they put in place like locks, security cameras, network monitors, etc. to make it hard to steal and get away with it.

    Stealing will always be possible, though. There is no getting around it.
  • Strider-Hiryu_79
    They make debit cards more secure and difficult to copy by combining MICR technology with chip/circuit technology. Yet the backdoor is left wide open. :(
  • enzo matrix
    He was able to gain access to the computers and download his program via standard USB slots.
    You mean upload, right?:P
  • Nightsilver
    People use ATMs?
  • Assmar
    One more reason to go to your bank's ATMs, on top of saving fifty cents.

    It's not so much a duh moment, of course stealing will always be possible, but that doesn't mean these people should be so lazy about security that they facilitate such theft.
  • rambo117
    Can't they just encrypt the damned data? Doesn't seem too difficult to protect such data, geez.
  • Andriko_08
    Uhh, no, he meant make the atm WANT to download his program, cause an atm would never want it if it's being uploaded, it takes the program and downloads it by itself using some method I don't know of, basically, it tricks the atm into downloading the program, if you try to upload it it's like forcefeeding a toddler broccoli