ATM Hijack Hijinks

A staple of shows such as World’s Dumbest and Most Shocking are scenes of lamebrain crooks trying to tow ATMs from convenience stores.

That’s a pretty stupid crime from the git-go. When I worked for a manufacturer of security hardware and software, I got to know a lot of folks who work for security retailers, big and small, including retailers that also installed and maintained ATMs. If you can get away with one without leaving your bumper (and license tag) in the convenience store parking lot, you have a box with a computer on top and a safe with two-inch-thick steel and concrete walls in the bottom. Joe Yokel is not getting into that safe.

Getting into the computer may be another thing. The San Jose Mercury-News reports that a security researcher has discovered several flaws in the security of stand-alone ATMs (the story specifically states that the researcher’s findings do not apply to the networked ATMs you see in the walls of banks).

  • (Barnaby) Jack found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got with pictures of other keys, found on the Internet.

    He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

  • Jack also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet. Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn’t go into much more detail because he said the goal of his talk “isn’t to teach everybody how to hack ATMs. It’s to raise the issue and have ATM manufacturers be proactive about implementing fixes.”

    The remote style of attack is more dangerous because an attacker doesn’t need to open up the ATMs.

Ten years ago, according to the techs I knew, most ATMs ran on OS/2. OS/2 is pretty much dead insofar as innovation is concerned; I suspect that most of them now run on Windows, though I do not know that.

I do know that I have walked up to an ATM I used frequently and seen the Windows NT/2000/2003 BSOD (not the bank shown in this picture). This inspired confidence to bloom within me.

