Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear

Not so long ago, enterprising thieves who wanted to steal the entire contents of an ATM had to blow it up. Today, a more discreet sort of cash-machine burglar can walk away with an ATM’s stash and leave behind only a tell-tale three-inch hole in its front panel.

Researchers from the Russian security firm Kaspersky on Monday detailed a new ATM-emptying attack, one that mixes digital savvy with a very precise form of physical penetration. Kaspersky’s team has even reverse engineered and demonstrated the attack, using only a portable power drill and a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. And though they won’t name the ATM manufacturer or the banks affected, they warn that thieves have already used the drill attack across Russia and Europe, and that the technique could still leave ATMs around the world vulnerable to having their cash safes disemboweled in a matter of minutes.

“We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it,” says Kaspersky researcher Igor Soumenkov, who presented the research at the company’s annual Kaspersky Analyst Summit. “The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.”

Drill, Baby, Drill

For Kaspersky, the mystery of the drilled ATMs began last fall, when a bank client showed them an emptied cash machine whose only evidence of tampering was a golf-ball sized hole next to its PIN pad. To hide their tidy surgery, the thieves had even covered the entry point with a sticker. Eventually, the researchers learned of close to a dozen similar ATM heists. And when police arrested a suspect in one of the cases, they found a laptop, along with a cable he’d apparently snaked into the PIN pad hole. “Just a laptop, some wiring, and a hole in the ATM, that’s it,” says Soumenkov.

Kaspersky’s researchers already had the same model of ATM in their test lab, one that’s been in wide use since the 1990s. They removed its front panel to find a serial port that would have been accessible from the thieves’ hole. It connected to a wire that ran through the ATM’s entire internal bus of components, from the computer that controlled its user interface to the cash dispenser. Then the researchers spent five solid weeks with an oscilloscope and logic analyzer, decoding the protocol of the ATM’s internal communications from raw electric signals. They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules.

In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM’s own trusted computer.

Eventually, the researchers were able to build their own device capable of sending cash-ejecting commands through just that exposed port. Their compact gadget, far smaller than even the arrested suspect’s laptop, consisted of only a breadboard, an Atmega microcontroller of the kind commonly found in Arduino microcomputers, some capacitors, an adapter, and a 9 volt battery. All told, it took less than $15 worth of equipment.

In their tests, the researchers found their finished tool could trigger the cash dispenser within seconds of connecting, and then spew as many bills as they wanted. The only limit to the attack’s speed came when the ATM’s computer “noticed” the dispenser acting independently and rebooted. But the researchers say that they could extract thousands of dollars before the reboot kicked in, and afterward they could simply repeat their attack, pulling more cash out of the machine until it was empty.

Easy Marks

Kaspersky says it’s alerted the vulnerable ATM manufacturer to the technique, but there’s no easy patch for the problem: The units’ software can’t be updated remotely. A fix, Kaspersky researchers say, will require replacing hardware in the ATMs to add more authentication measures—or failing that, adding physical security measures, like access controls and surveillance cameras, that might prevent thieves from daring an in-person raid on the machines. WIRED reached out to the ATM Industry Association for comment, but the trade group didn’t respond by the time of publication.
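Added example, not from the article or from Kaspersky's research: a sketch of the design gap described above and of the kind of authentication measure the fix calls for. The frame layout, key handling and all names are assumptions. XOR obfuscation decodes modified bytes without complaint, while an HMAC tag plus a strictly increasing counter lets a receiving module reject forged, altered and replayed frames.

```python
import hashlib
import hmac
import struct
TAG_LEN = 32  # HMAC-SHA256 output size
XOR_KEY = b"\x5a\xa5"  # constructed sample key

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame = 8-byte counter || command || HMAC-SHA256(counter || command)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiving module: checks the tag, then requires a strictly newer counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified frame
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None  # replay of an old frame
        self.last_counter = counter
        return body[8:]

def demo() -> dict:
    # Constructed sample values; a benign status query stands in for any command.
    wire = xor_obfuscate(b"STATUS?", XOR_KEY)
    flipped = bytes([wire[0] ^ 0x01]) + wire[1:]  # changed without the key
    key = b"constructed-per-device-key"
    rx = Receiver(key)
    frame = seal(key, 1, b"STATUS?")
    bad = bytearray(seal(key, 2, b"STATUS?"))
    bad[8] ^= 0x01  # alter one command byte after sealing
    return {
        "xor_decodes_tampered": xor_obfuscate(flipped, XOR_KEY),
        "hmac_valid": rx.accept(frame),
        "hmac_replay": rx.accept(frame),
        "hmac_tampered": rx.accept(bytes(bad)),
        "hmac_wrong_key": rx.accept(seal(b"guess", 3, b"STATUS?")),
    }
```

The authenticated scheme is only as strong as the protection of the per-device key inside each module, which is why the article's fix involves hardware replacement.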

ATMs are a frequent hacker target. Lately, attacks from Thailand and Taiwan to Russia have infected banks’ own networks with malware that’s been used to trigger ATM cashouts. In tightly coordinated operations, money-mules retrieve the stacks of bills in person from the victim bank’s cash machines. In their conference talk Monday, Kaspersky researchers also revealed a new form of ATM malware they’ve found, which they say had been planted through stealthy fileless infections of banks in Russia and Kazakhstan. And other physical access attacks have planted malware on machines by opening their cases—either picking or breaking the panels’ locks—or used that physical access to a machine’s internals to connect a hacking tool directly to the cash dispenser.

But the Kaspersky researchers say the drill technique represents a simpler and stealthier path to an ATM’s innards. Breaching a bank’s back-end network requires far more sophisticated network intrusion skills, while opening the machine’s panel to plant malware or to connect a tool directly to the cash dispenser triggers an alarm. Drilling a gaping hole in the front of the machine, in this case, doesn’t set off that same warning.

Physical attacks on ATMs are, in some sense, an unsolvable problem. Computer security experts have long warned that no computer should be considered secure if an attacker takes physical control of it. But weak encryption and a lack of authentication between components leave ATMs particularly vulnerable to physical attacks—access to any part of the insecure machine Kaspersky describes means access to its most sensitive core. And for computers that are left standing unprotected on a dark street in the middle of the night, stuffed full of money, a little more thought to digital security might be a worthwhile investment.

Henry Sapiecha

POSTING SELFIE ON FACEBOOK RESULTS IN STOLEN $900 FROM BARCODE

A woman who posted a selfie of her winning Melbourne Cup ticket – including its barcode – has been fleeced for her $825 winnings.

“Winner winner chicken dinner”, read the caption on the photograph of an elated Chantelle holding her winning ticket.

The Perth woman – whose last name has been suppressed – backed the 100-to-1 shot Prince of Penzance and jockey Michelle Payne in Tuesday’s Melbourne Cup.

But someone else dined out on her winnings after they used the barcode on the clearly displayed receipt to withdraw the cash from an automated machine.

“When we found out we naturally took a bit of a selfie to show my friends,” Chantelle told Merrick Watts on Triple M.

Just 15 minutes later she took her winning ticket to the TAB only to be told it had already been claimed.

The barcode was used by an unknown person to withdraw the $900 winnings from an automated machine. Photo: Facebook

“Someone had a pretty good game at filtering my picture and cutting out my barcode and putting it into an automated machine,” Chantelle said.

The theft was made all the worse after Chantelle realised the culprit must be one of her Facebook friends.

“To the low life who is obviously my friend on Facebook and used my photo to claim our winnings. You’re a massive dick. You ruined my day,” she later posted to Facebook.

“I might need a bit of a Facebook cull now,” she said.

Police were able to track down the machine that was used to withdraw the money and were confident they would be able to identify the person or people involved, Chantelle told Triple M.

The incident served as a warning to social media users posting seemingly innocuous images that may contain sensitive information.

Facebook users were sympathetic and scathing in equal measure once the radio station posted the story online.

“Wow what a scumbag,” wrote one user.

“Wow !!! Who need enemies with a ‘friend’ like that? [sic]” posted another.

Then came: “Stupidity at its worst. Moron.”

“Bahahahaha serves her right,” read another comment.

Henry Sapiecha