
Hacker Makes ATMs Puke Money, Shows How

During the annual Black Hat conference in Las Vegas, computer hacker Barnaby Jack demonstrated how a hacker could trick an ATM machine into coughing up its full load of money.

Apparently the technique took two full years to perfect, and mainly works on stand-alone ATM machines found at convenience stores. Jack chose to go public with his findings so that ATM manufacturers would take notice of the exploit and plug the holes.

Although criminals have long known that ATM machines aren't tamper-proof, previously they gained access through methods such as installing fake card readers to steal card numbers and installing tiny cameras to capture PIN numbers.

However, Jack's method takes a different approach by attacking the computer within the machine. What makes this somewhat easy is that, as he discovered after purchasing ATM machines online, manufacturers tend to use the same key across all models. He was able to gain access to the computers and load his program via standard USB slots.

But the demonstration didn't stop there. He also showed a second, more dangerous form of attack: remote hacking. With this procedure, a hacker wouldn't need to break into the ATM cabinet.

"He hacked into the machines by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet," the Associated Press reported from the event. "Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk 'isn't to teach everybody how to hack ATMs.'"

The remote hack allowed him to gain full control of the ATM--including the ability to harvest card data from anyone using the machine. It also wasn't limited to stand-alone convenience store machines as seen with his previous demonstration, opening the door to hacks against various ATMs used by mainstream banks.

"Every ATM I've looked at, I've been able to find a flaw in," he said. "It's a scary thing."
