The presentation “Jackpotting Automated Teller Machines” was originally on the schedule at Black Hat USA 2009 but the talk was pulled at the last minute. This year Barnaby Jack was shown demonstrating both local and remote attacks and a multi-platform ATM rootkit.

“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” he said. One vulnerability he demonstrated even allows a hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to disgorge its entire supply of cash. He bought two ATM (Tranax and Triton) via the internet and spent years to investigate the code. He used the vulnerabilities he found to create his own ‘ATM jackpot’ code. “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine,” Jack said. “I’ve looked at four ATMs. I’m four for four.” (He said he has not evaluated built-in ATMs like those used by banks and credit unions.). As a responsible hacker, he informed the ATM manufacturers of the flaws. Both Tranax and Triton allegedly patched their ATM software.

CNET: ‘ Many (ATM’s) run Windows CE with an ARM processor and an Internet connection or a dialup modem, all of which controls access to the armored safe through a serial port connection. Jack said he used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, giving him access to the file system and allowing him to copy off the files for analysis. In the case of Tranax, a Hayward, Calif.-based company, Jack said he found a remote access vulnerability that allows full access to an unpatched machine without a password needed. He wrote two pieces of software to exploit that programming error: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery. Scrooge “hides itself from the process list, hides itself from the operating system,” Jack said. “There’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.” Triton’s ATMs didn’t have an obvious remote access vulnerability. And the built-in vaults were well-armored. But the PC motherboard that dispenses cash from the vault was protected only by a standard (not unique) key that could be purchased over the Internet for about $10. So Jack did, and found he could force the machine to accept his backdoor-enabled software as a legitimate update.’

The leaves the question whether Jack was the first hacker to pull this off…. He probably was the first to report it anyway.

http://news.cnet.com/8301-1009_3-20012019-83.html

http://www.securityweek.com/atm-hacking-video-barnaby-jack-demonstrates-atm-hacking-black-hat-usa-2010

By the way: hackers seems to be a bit more alert on fake ATM’s. They quickly discovered a fake ATM setup while having their annual hackers meeting. Who still falls for the fake ATM scam? More people than you would think…

http://www.bloggernews.net/122944

http://www.theregister.co.uk/2009/08/03/fake_atm_scam_busted_at_defcom/

http://www.collisiondetection.net/mt/archives/2005/03/_next_time_you.php

http://www.actimize.com/index.aspx?page=news223

Even ATM’s get enough at some moment. How can they take revenge on nasty skimmers? We can help them by arming them… with pepperspray or mace. This is what happened in South Africa. Next question; how can we train an ATM how to recognize a skimmer and distinguish skimmers from clients or maintenance staff? Ooops.

The technology uses cameras to detect people tampering with the card slots. Another machine then ejects pepper spray to stun the culprit while police response teams race to the scene. But the mechanism backfired in one incident last week when pepper spray was inadvertently inhaled by three technicians who required treatment from paramedics. Patrick Wadula, spokesman for the Absa bank, which is piloting the scheme, told the Mail & Guardian Online: “During a routine maintenance check at an Absa ATM in Fish Hoek, the pepper spray device was accidentally activated. “At the time there were no customers using the ATM. However, the spray spread into the shopping centre where the ATMs are situated.”

Believe us; there are much more intelligent (and more elegant) solutions to the skimming problem.

http://www.bankinfosecurity.com/articles.php?art_id=1523&opg=1

http://news.bbc.co.uk/2/hi/africa/8147315.stm

http://www.mg.co.za/article/2009-07-09-absas-atm-pepperspray-plan-backfires

A review of some Florida court cases show how much (or: how little) the actual skimmer receives for the magstripe information. Obviously, we are talking about the individual waiter or clerk that as a solo initiative starts to copy magstripes from clients as ourselves and subsequently sells the info to fraudsters.

Wired provided some skimming info from Florida courtcases:

“Lan Pan Asian Café, Miami $7.50

Too many middlemen depressed the price for Daniel Argueta, who, until February, was a server at this Asian restaurant in a Miami mall. At the top level, a buyer named “Warijo” was paying a decent $20 for skimmed cards. But there were two more layers of crooks between Argueta and Warijo, and by the time they all took their piece, the waiter was making less than the menu price of a Tuna Tataki. Meanwhile, the fruits of Argueta’s labor were used to ring up $30,000 in bogus charges on 43 cloned cards — or about $700 a piece.

Popeyes, Louisiana Kitchen, Miami $10

Last month an alert customer at one of the chicken chain’s Miami stores spotted a worker skimming his card behind the counter. When the cops arrived, the sticky fingered employee initially claimed he was innocent, then cracked like a poultry egg when the Secret Service appeared with their crisp suits and a few more questions. After turning over his Mini-123 magstripe reader, the worker told the agents that he’d been offered $10 per credit card by a guy from the neighborhood, who was quickly rounded up and thrown in the pen.

Burger King, West Palm Beach $10

Hold the pickles, hold the lettuce, but don’t let Alex Joel Garcia hold your credit card. In March, Garcia admitted to the feds that he’d supplemented his fast food income to the tune of $7,000 by selling credit card data he skimmed from drive-through patrons. He’d been recruited by a customer — “want to make some extra money?” — and was earning only $10 per card, but evidently made it up in volume.

Latin Café 2000, Miami $20

Now we’re getting into some real money. Waiter Evolio Mechado got his skimmer from a contact he knew as “Chispa,” who slipped him a Jackson for every swipe. Last April the Secret Service, following up an informant’s tip, nailed Mechado, turned him, busted Chispa, turned Chispa, then set up the alleged mastermind of the ring, one Ivan Banguela. On the drive to jail, Banguela complained to the agents that he’d been having trouble finding a real job.

McDonalds, Miami $30

We’re surprised to see fried patties beat out flame broiled Whoppers and quality Latin fare, but there you have it. Hernandez Gonzalez was given a beefy $30 per card for skimming at the drive-through lane at a Miami McDonalds last month. He was caught after a customer noticed his visit to the golden arches was immediately followed by a fraudulent charge on his card, prompting the manager to go through the restaurant’s surveillance tapes. Gonzalez told the feds he was being paid by someone named “Arturo,” but we want to know if the Hamburglar has an alibi.”

Skimming is actually easier done than said; getting more money for magstripe information than the financial damage to victims is indeed easier said than done. Now you know where not to loose sight of your credit card. Take care.

http://www.wired.com/threatlevel/2009/10/florida_skimming/

EAST (the European ATM Security Team) has reported a 149% rise in ATM related fraud attacks during 2008 in 22 European countries (total of 357,241 ATM’s). This reverses a previous trend and is primarily led by the 129% increase in card skimming incidents, with a total of 10,302 reported. Despite this significant increase in incidents, fraud related losses increased by just 11% with a total loss of €485 million reported. This smaller increase in losses, relative to the significant rise in reported incidents, is indicative that that deployed counter-measures, such as anti-skimming devices, are increasingly effective, as are fraud monitoring and detection capabilities.

Although the actual loss per skimming may be on the decline in Europe, the problem has not been solved globally. Skimming seems to be a trend that is travelling from East to West, with the US seeing an increase? Let’s wait for the trending in the US.

http://allpaynews.com/content/payments-fraud-australia

http://www.apacs.org.uk/09_03_19.htm

http://www.newswiretoday.com/news/49218/