[Owasp-delhi] Hacker shows off remote ATM exploit

Tue Aug 3 01:07:39 EDT 2010

Hacker shows off remote ATM exploit
Posted Sun Aug 1, 2010 10:06am AEST
A computer hacker has demonstrated a technique to remotely make an ATM spit out cash using the internet.
New Zealand researcher Barnaby Jack publicly showed off the "ATM jackpotting" technique at the DefCon hackers conference in Las Vegas, in the United States.
Mr Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the US, but said the flaw likely exists in machines at well-known banks.
"You don't have to go to the ATM at all," Mr Jack said.
"You can do it from the comfort of your own bedroom."
Mr Jack says banks use remote management software to monitor and control their ATMs.
He says he used a weakness in that software to take control of machines over the internet.
He says his method bypasses the need to submit passwords and serial numbers to access ATMs remotely.
Once in the machines, he says he can command them to spit out cash or transfer funds.
He says he could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.
"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Mr Jack said.
"This is the first time anyone has taken the approach of trying to attack the underlying software.
"It is time to find software defences rather than hardware defences."
Mr Jack did not reveal specifics of the attack to hackers at the conference, but did tell ATM makers about the flaw so they could bolster machine defences.
"I might get my butt in hot water if I released the code," he said.
"I was careful not to release the keys to the kingdom."
Mr Jack says he has grown wary of ATMs since discovering the remote exploit.
"I just keep my cash under the bed now," he said.

