“ATM Jackpotting” Exposed – It’s Not Just The Fed That Spits Out Free Money

While the central banks of the world have yet to directly unleash the helicopter drop of free money to the end-consumer, preferring instead to seek financial asset inflation (and all its unintended consequences), it appears there is another way to get 'free money' direct to the average Joe… "ATM Jackpotting." According to Wired, using a special button sequence and some insider knowledge, it is possible to reconfigure ATMs to believe they are dispensing one dollar bills, instead of the twenties actually loaded into the cash trays. Though industry sources claim this to be rare, they note that "independent operators and financial institutions are very tight lipped about this sort of thing."

As Wired reports, "Two Dudes Prove How Easy It Is to Hack ATMs for Free Cash"

When a small-time Tennessee restaurateur named Khaled Abdel Fattah was running short of cash he went to an ATM machine. Actually, according to federal prosecutors, he went to a lot of them. Over 18 months, he visited a slew of small kiosk ATMs around Nashville and withdrew a total of more than $400,000 in 20-dollar bills. The only problem: It wasn’t his money.

Now Fattah and an associate named Chris Folad are facing 30 counts of computer fraud and conspiracy, after a Secret Service investigation uncovered evidence that the men had essentially robbed the cash machines using nothing more than the keypad. Using a special button sequence and some insider knowledge, they allegedly reconfigured the ATMs to believe they were dispensing one dollar bills, instead of the twenties actually loaded into the cash trays, according to a federal indictment issued in the case late last month. A withdrawal of $20 thus caused the machine to spit out $400 in cash, for a profit of $380.

The first $20 came out of one of their own bank accounts. That’s right: They were using their own ATM cards.

"ATM Jackpotting" was first discussed in public at 2010's Las Vegas Black Hat Conference:

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that made them spew out dozens of crisp bills.

The audience greeted the demonstration with hoots and applause.

In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, but he hasn’t yet examined them.

To demonstrate, Jack punched keys on the keypad to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.

To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

But at the street level, criminals have exploited a simpler vulnerability that requires no hacking software or gear:

Unlike the machines deployed at brick-and-mortar bank locations, kiosk ATMs could be placed into a privileged “operator mode” simply by pressing a special sequence of buttons on the ATM keypad.

From that mode, you could manipulate a number of variables—one of which sets the denomination of the bills loaded into the machine’s currency cartridges.

A supposedly secret six-digit numeric password protects the Operator Mode, but in the Nashville case, one of the defendants, Fattah, was a former employee of the company that operated the machines, says the Secret Service’s Mays, so he knew the code.

Currency switching capers appear to be rare now, says David Tente, executive director of the ATM Industry Association, though hard data is difficult to come by.

“Nobody likes talking about fraud, especially when it’s against them,” Tente says. “Independent operators and financial institutions are very tight lipped about this sort of thing.”

But there’s some evidence that operator passcodes are still an issue, he notes. Last June, two 14-year-old boys in Winnipeg followed internet instructions to gain operator access to a Bank of Montreal ATM at a grocery store, successfully guessing the six-digit master passcode. The boys immediately notified the bank, which changed the code.

Who knows how many ATM hackers have been less scrupulous?
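For an operator, the denomination switch described above shows up as a gap between what the host authorized and what the cassette physically held. The following is an added example, not code from Wired, Zero Hedge or any ATM vendor: it reconciles a constructed journal against the last replenishment record, and the event names, field names and ticket id are assumptions.

```python
# Added example: reconcile host-authorized amounts against the cash a kiosk
# ATM physically held. Journal format and field names are constructed.

# Constructed sample journal for one ATM, in time order.
JOURNAL = [
    {"t": "09:00", "event": "REPLENISH", "cassette": 1, "denom": 20, "ticket": "SVC-1001"},
    {"t": "10:15", "event": "WITHDRAWAL", "cassette": 1, "authorized": 40, "notes": 2},
    {"t": "23:41", "event": "DENOM_CHANGE", "cassette": 1, "denom": 1, "ticket": None},
    {"t": "23:43", "event": "WITHDRAWAL", "cassette": 1, "authorized": 20, "notes": 20},
    {"t": "23:55", "event": "WITHDRAWAL", "cassette": 2, "authorized": 20, "notes": 1},
]


def reconcile(journal):
    """Return (time, alert, loss_in_dollars) tuples for suspicious events."""
    loaded = {}  # cassette -> denomination recorded at the last physical load
    alerts = []
    for e in journal:
        cassette = e.get("cassette")
        if e["event"] == "REPLENISH":
            loaded[cassette] = e["denom"]
        elif e["event"] == "DENOM_CHANGE":
            # Denomination should only change when cash is physically swapped,
            # so a keypad change without a service ticket, or one that
            # disagrees with the load record, is worth an alert by itself.
            if not e.get("ticket") or loaded.get(cassette) != e["denom"]:
                alerts.append((e["t"], "DENOM_CHANGE_UNVERIFIED", 0))
        elif e["event"] == "WITHDRAWAL":
            if cassette not in loaded:
                alerts.append((e["t"], "NO_LOAD_RECORD", 0))
                continue
            # Value the notes at what was loaded, not at what the ATM believes.
            paid = e["notes"] * loaded[cassette]
            if paid != e["authorized"]:
                alerts.append((e["t"], "DISPENSE_MISMATCH", paid - e["authorized"]))
    return alerts


def total_loss(alerts):
    """Sum the dollar difference across all mismatch alerts."""
    return sum(loss for _, _, loss in alerts)


if __name__ == "__main__":
    for alert in reconcile(JOURNAL):
        print(alert)
    print("total loss:", total_loss(reconcile(JOURNAL)))
```

The 23:43 entry reproduces the article's arithmetic: 20 notes valued at the loaded $20 denomination is $400 against a $20 authorization.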

via Zero Hedge http://ift.tt/1A4FYYO Tyler Durden
