Friday, July 30, 2010

A HACKER has stolen the show at a security conference by forcing ATMs to spit out cash.

Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online.

They were standalone machines, the type seen in convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

Yesterday at the Black Hat conference - an annual gathering devoted to exposing the latest computer-security vulnerabilities - he made three ATMs disgorge thousands of dollars onto the floor.

Upping the cool stakes, Mr Jack also forced the machines to display the word "Jackpot" while it was haemorrhaging cash.

His talk was one of the conference's most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs wouldn't be in place in time.

He used the extra year to craft more dangerous attacks.

He said the attacks could potentially be used against the ATMs operated by mainstream banks.

But how did he do it?

Mr Jack found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer.

He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each.

Then he compared the keys he got to pictures of other keys, found on the internet.

He used his key to unlock a compartment in the ATM that had standard USB slots.

He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

Mr Jack also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the internet.

He said the problem was that outsiders were permitted to bypass the need for a password.

He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs".

"It's to raise the issue and have ATM manufacturers be proactive about implementing fixes," he said.

The remote style of attack is more dangerous because an attacker doesn't need to open up the ATMs, allowing them to gain full control of the machine.

Besides ordering it to spit out money, attackers can silently harvest account data from anyone who uses the machines.

Mr Jack said he didn't think he'd be able to break the ATMs when he first started probing them.

"My reaction was, 'this is the game-over vulnerability right here'," he said of the remote hack.

"Every ATM I've looked at, I've been able to find a flaw in. It's a scary thing."

Mr Jack wouldn't identify the ATM makers. He put stickers over the ATM makers' names on the two machines used in his demonstration.

But the audience, which burst into applause when he made the machines spit out money, could see from the screen prompts on the ATM that one of the machines was made by US firm Tranax Technologies.

Tranax did not immediately respond to email messages from The Associated Press.

Another US firm, Triton Systems, confirmed that one of its ATMs was used in the demonstration.

It said Mr Jack alerted the company to the problems and that Triton now has a software update in place that prevents unauthorised software from running on its ATMs.



Read more: http://www.news.com.au/technology/hacker-jacks-black-hat-cash-jackpot-gobsmack/story-e6frfro0-1225898907039#ixzz0v9LpbxPZ


Comments:
This is a very interesting twist to cyber crime. Organizing an event to gather the most talented yet somewhat dangerous hackers to display their gifted skills in exploiting security weakspots. In some sense, I believe this is a very beautiful way of killing two birds with one stone. Hackers get to do what they do best without harming others and their talent is recognized. Security companies also get to know the loopholes in their systems.
However, it goes to show that the world is very vulnerable and we're constantly exposed to dangers whether virtual or not. We need to constantly be proactive such as organizing such an event which helps unearth the concealed risks and problems that we rarely know about :)

1 comments:

ys said...

i have to admit this article and comment is great. :)