
"ATM Jackpotting" Exposed - It's Not Just The Fed That Spits Out Free Money

Tyler Durden's picture




 

While the central banks of the world have yet to directly unleash the helicopter drop of free money to the end-consumer, preferring instead to seek financial asset inflation (and all its unintended consequences), it appears there is another way to get 'free money' direct to the average Joe... "ATM Jackpotting." According to Wired, using a special button sequence and some insider knowledge, it is possible to reconfigure ATMs to believe they are dispensing one dollar bills, instead of the twenties actually loaded into the cash trays. Though industry sources claim this to be rare, they note that "independent operators and financial institutions are very tight lipped about this sort of thing."

 

As Wired reports, "Two Dudes Prove How Easy It Is to Hack ATMs for Free Cash"

When a small-time Tennessee restaurateur named Khaled Abdel Fattah was running short of cash he went to an ATM machine. Actually, according to federal prosecutors, he went to a lot of them. Over 18 months, he visited a slew of small kiosk ATMs around Nashville and withdrew a total of more than $400,000 in 20-dollar bills. The only problem: It wasn’t his money.

 

Now Fattah and an associate named Chris Folad are facing 30 counts of computer fraud and conspiracy, after a Secret Service investigation uncovered evidence that the men had essentially robbed the cash machines using nothing more than the keypad. Using a special button sequence and some insider knowledge, they allegedly reconfigured the ATMs to believe they were dispensing one dollar bills, instead of the twenties actually loaded into the cash trays, according to a federal indictment issued in the case late last month. A withdrawal of $20 thus caused the machine to spit out $400 in cash, for a profit of $380.

 

The first $20 came out of one of their own bank accounts. That’s right: They were using their own ATM cards.

"ATM Jackpotting" was first discussed in public at 2010's Las Vegas Black Hat Conference...

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that made them spew out dozens of crisp bills.

 

The audience greeted the demonstration with hoots and applause.

 

 

In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

 

Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, but he hasn’t yet examined them.

 

To demonstrate, Jack punched keys on the keypad to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.

 

...

 

To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

But at the street level, criminals have exploited a simpler vulnerability that requires no hacking software or gear...

Unlike the machines deployed at brick-and-mortar bank locations, kiosk ATMs could be placed into a privileged “operator mode” simply by pressing a special sequence of buttons on the ATM keypad.

 

From that mode, you could manipulate a number of variables—one of which sets the denomination of the bills loaded into the machine’s currency cartridges.

 

A supposedly secret six-digit numeric password protects the Operator Mode, but in the Nashville case, one of the defendants, Fattah, was a former employee of the company that operated the machines, says the Secret Service’s Mays, so he knew the code.

Currency switching capers appear to be rare now, says David Tente, executive director of the ATM Industry Association, though hard data is difficult to come by.

“Nobody likes talking about fraud, especially when it’s against them,” Tente says. “Independent operators and financial institutions are very tight lipped about this sort of thing.”

 

But there’s some evidence that operator passcodes are still an issue, he notes. Last June, two 14-year-old boys in Winnipeg followed internet instructions to gain operator access to a Bank of Montreal ATM at a grocery store, successfully guessing the six digit master passcode. The boys immediately notified the bank, which changed the code.

Who knows how many ATM hackers have been less scrupulous?

Read more here...
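
An added example, not from Wired, the original post or any ATM vendor: a reconciliation an operator could run to surface the currency switching described above, by comparing each journal event against the denomination recorded on the cash-load manifest. The journal field names, event types and terminal ID are constructed assumptions; the $20 withdrawal that pays out $400 uses the article's own figures.

```python
# Constructed sample data; the field names and event types are assumptions
# made for this example, not any vendor's journal format.
LOADED = {("ATM-17", "A"): 20}  # (terminal, cassette) -> denomination on the cash-load manifest

EVENTS = [
    {"t": 100, "atm": "ATM-17", "type": "withdrawal", "cassette": "A", "authorized": 20, "notes": 1},
    {"t": 200, "atm": "ATM-17", "type": "operator_mode"},
    {"t": 210, "atm": "ATM-17", "type": "denomination_set", "cassette": "A", "value": 1},
    {"t": 300, "atm": "ATM-17", "type": "withdrawal", "cassette": "A", "authorized": 20, "notes": 20},
    {"t": 400, "atm": "ATM-17", "type": "denomination_set", "cassette": "A", "value": 20},
    {"t": 500, "atm": "ATM-17", "type": "withdrawal", "cassette": "A", "authorized": 40, "notes": 2},
]


def audit(events, loaded):
    """Compare journal events with the cash-load manifest and return findings."""
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        truth = loaded.get((e["atm"], e.get("cassette")))
        if truth is None:
            continue  # not a cassette event, or no manifest entry to compare against
        if e["type"] == "denomination_set" and e["value"] != truth:
            # The configured denomination no longer matches what was physically loaded.
            findings.append({"t": e["t"], "atm": e["atm"], "kind": "config_mismatch",
                             "configured": e["value"], "loaded": truth})
        elif e["type"] == "withdrawal":
            paid = e["notes"] * truth  # value of the notes that actually left the cassette
            if paid != e["authorized"]:
                findings.append({"t": e["t"], "atm": e["atm"], "kind": "dispense_mismatch",
                                 "authorized": e["authorized"], "paid": paid,
                                 "loss": paid - e["authorized"]})
    return findings


def total_loss(findings):
    """Sum the cash paid out beyond what the host authorized."""
    return sum(f.get("loss", 0) for f in findings)


if __name__ == "__main__":
    for finding in audit(EVENTS, LOADED):
        print(finding)
```

Because the check relies on the manifest rather than the terminal's own settings, restoring the denomination afterwards (the event at t=400) does not hide the earlier mismatch.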

 

Sun, 11/16/2014 - 19:27 | 5455361 Bunga Bunga

95% of ATMs run on Windows XP. It's like securing your bicycle with a rubber string.

Sun, 11/16/2014 - 19:44 | 5455422 stacking12321

simply by pressing a special sequence of buttons on the ATM keypad.

ok ZHers, here's the code:

Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start

Sun, 11/16/2014 - 19:58 | 5455450 pitboots

Damn, I tried that and it started playing a Contra game. No Money ??? You beat me to the draw!

Sun, 11/16/2014 - 21:18 | 5455670 ACP

Finish him!

Fatality!
Mon, 11/17/2014 - 10:18 | 5456910 Arius

Bring bitcoin or digital money ... no problems

Sun, 11/16/2014 - 20:10 | 5455480 HedgeHammer

Actually I played the shit outta Contra and the code is

Up, Down, Up, Down, Left, Right, Left, Right, A,B,A,B Start.

But hey I played way too much of that game back in the day.  Thanks for the smile and the memories.

Sun, 11/16/2014 - 20:34 | 5455557 HedgeHammer

Sorry it's select start lol

Sun, 11/16/2014 - 22:58 | 5455970 Heavy

yep

Sun, 11/16/2014 - 20:50 | 5455602 Cthonic

Congratulations on defeating the vile red falcon and saving the universe.  Rapid repeat spread for the win.

Sun, 11/16/2014 - 21:46 | 5455761 Kirk2NCC1701

You should know that modern ATM machines, especially at banks, have a video camera that's recording everything.

Facial recognition SW from the SS will let them find you in a jiffy. Unless you take countermeasures.

Note that in one episode of Breaking Bad, the ATM camera had a wide Field of View (WFOV) and captured the image of Jesse's RV in the background.

Sun, 11/16/2014 - 22:50 | 5455952 willwork4food

So you don't park your RV next to the ATM. You do not wear the same face you do elsewhere. You do not leave fingerprints. Fuck the banks. Kudos to the dudes.

If I found a $1000 in a wallet at a gas station..with an ID in it, I would give it back to the owner.

If I found $100,250.00 wrapped up in a misplaced Bank of America bag I would laugh all the way to the mattress.

Sun, 11/16/2014 - 19:54 | 5455439 Skateboarder

Blue Screen of Debt?

Sun, 11/16/2014 - 19:26 | 5455362 Seasmoke

That's armed robbery. (Well your fingers are on your arm)

Sun, 11/16/2014 - 19:32 | 5455385 kaiserhoff

Yeah, seems like nothing more than creative channel surfing;)

Sun, 11/16/2014 - 20:08 | 5455477 ziggy59

Banks hate competition...
Isn't it interesting the secret service gets involved with money fraud and where the hell are they when the public is defrauded?

Sun, 11/16/2014 - 21:43 | 5455753 VAD

Who do you think the secret service works for?*

 

*Today's rhetorical question has been brought to you by VAD.

Sun, 11/16/2014 - 23:03 | 5455981 willwork4food

They work for the same people that we are paying taxes to..that are robbing our country of wealth.

FORWARD REVOLUTION 2.0

fuck DC

Sun, 11/16/2014 - 21:54 | 5455774 Kirk2NCC1701

You should know that the original mission of the SS was to track competitive counterfeiting.

Their mission to protect the POTUS was a later addition. That way they decide which would-be assassin gets a viable chance at taking a shot. All they have to do, is to slip up on their coverage and maintain plausible deniability. E.g. Daley Plaza.

To this day the SS is still on the payroll of the Fed.

Sun, 11/16/2014 - 21:03 | 5455637 JohnG

 

 

Here's a more direct method:

(Just use a forklift..)

http://www.gwinnettdailypost.com/news/2007/jun/30/thieves-use-forklift-t...

 

Sun, 11/16/2014 - 19:43 | 5455417 LawsofPhysics

Awesome, finally, we know the location of some uncrowded Starbucks...  ...winning.

Sun, 11/16/2014 - 20:13 | 5455486 negative rates

Everybody check your hands, and do the safety dance.

Sun, 11/16/2014 - 21:26 | 5455698 Divine Wind

 

 

I hate Starbucks as their coffee tastes burnt.

Sun, 11/16/2014 - 23:37 | 5456062 ThisIsBob

Starbucks is to good coffee as McDonalds is to good beef.

Sun, 11/16/2014 - 20:28 | 5455510 stacking12321

glad to see monsanto being defeated.

however, more laws are not the answer. forcing food makers to keep track of whether GMO are used at any point in the process and to report it, just puts another burden on small companies. if people want to know, let them use their free market power to pressure the companies they buy from to provide info.

instead, they are going and crying to the man, saying make a new law and take care of me big brother! but we know the system is corrupt, and will be twisted and used against the public by those with money and power.

as tacitus put it, the more numerous the laws, the more corrupt the society.

better solution, is repeal all laws, and don't support crooks and violent people, especially the state.

don't feed the monster.

 

Sun, 11/16/2014 - 19:29 | 5455367 The_Prisoner

Barnaby Jack was suicided for exposing the pacemaker and insulin pump hacking.

Note that Dick Cheney got a special pacemaker with no remote access capabilities.

Sun, 11/16/2014 - 20:17 | 5455498 DollarMenu

Still, Cheney will die thanks to God and the way he arranged things.

But, Cheney will be buried in an undisclosed location to avoid urine erosion of the gravesite.

Sun, 11/16/2014 - 20:22 | 5455519 stacking12321

no, cheney will outlive us all.

his power of spite is far greater than you can imagine.

Sun, 11/16/2014 - 21:58 | 5455791 Kirk2NCC1701

FYI... ALL electronic devices are susceptible to electronic warfare devices.
E.g. RF generators of the right frequency, or a small EMP that's strong enough with a 100 m radius. Just saying.

Sun, 11/16/2014 - 22:10 | 5455830 The_Prisoner

Sure, mate. But what Barnaby demonstrated is that targeted attacks are possible. Only the powerful were supposed to have known this.

Like Prometheus, Barnaby Jack tried to give the light to the common man.

Mon, 11/17/2014 - 00:04 | 5456139 Bananamerican

"Note that Dick Cheney got a special pacemaker with no remote access capabilities"

actually there is ONE remote access point and code number to go along with it.... #666

Sun, 11/16/2014 - 19:30 | 5455375 yogibear

It's OK. The Federal Reserve has it covered. The Fed can just print trillions more.

It's better than money growing on trees. That takes too long. All the Fed has to do is enter it on a keyboard in our financial fantasy-land.

Sun, 11/16/2014 - 19:34 | 5455393 cocoablini

This is great. Plus they are in dialup! Can you imagine how these ATMS are going to get slammed now? You should probably have to have an operator ATM card that is the first key. Unfucking believable how stupid that is.

Sun, 11/16/2014 - 20:05 | 5455470 Bangalore Equit...
Bangalore Equity Trader's picture

Listen.

Barnaby introduced us to this in 2009, but DC18 was in 8/2010....

Jack was found dead in a San Francisco apartment on 25 July 2013 by his girlfriend. He was aged 35.

Sun, 11/16/2014 - 21:29 | 5455708 fishwharf
Sun, 11/16/2014 - 20:15 | 5455495 logicalman

The banks only give a shit about numbers with 9 or more zeros.

Everything else is small change.

They do have to keep up appearances, however.

 

Sun, 11/16/2014 - 21:33 | 5455724 Urban Redneck

The Wired article makes this sound like Triton had "just discovered" this vulnerability back in 2005 when Windows XP SP2 was trendy.

Actually, it has been known in the industry since before everyone realized Y2K was a dud.

I thought hackers were supposed to be hip and up with the times... Forget one upping the big bad bankstas (when in reality they are ripping off small business owners), this "news" reeks of revenge of the computer nerds being a decade and half slower than the local Slurpee® schlepper who can't even speak discernible English.

Sun, 11/16/2014 - 19:36 | 5455398 kowalli

He should fine 10% or less like banksters do.

Sun, 11/16/2014 - 19:41 | 5455412 LawsofPhysics

This is simply the natural outcome when you start allowing counterfeiting to increase exponentially.  As stupid as people are, I am surprised more counterfeiting rings haven't been exposed.

Sun, 11/16/2014 - 19:41 | 5455414 Hulk

The joke is on the Jackpotters, those twenties aren't even worth a buck anymore !!!

Sun, 11/16/2014 - 19:42 | 5455416 Karaio

In Brazil and Russia, the thing is a lot less subtle.

When you do not have magnetic card uses a stick of dynamite:

Russia:

http://englishrussia.com/2014/11/12/over-twenty-bank-atms-were-lately-bl...

Brazil:

https://www.google.com.br/search?q=explos%C3%A3o+caixa+eletr%C3%B4nico&b...

hehe.

Sun, 11/16/2014 - 19:46 | 5455427 stacking12321

yes, but brazil is a 3rd-world country, they don't know how to use computers there.

what's russia's excuse?

Sun, 11/16/2014 - 20:00 | 5455455 Karaio

stacking12321:

Careful with that statement that "they do not know how to use computers there."

Maybe the thing is so hard to dodge that with only a stick of dynamite to get money.

I have two bank accounts, one private and one state-owned bank, both need my finger to do any transaction.

hehe.

Sun, 11/16/2014 - 20:25 | 5455528 stacking12321

state owned bank?

damned communists!

i'll give them a finger, all right!

Sun, 11/16/2014 - 20:07 | 5455475 himaroid

Reminds me of some local "Dixie Mafia" dudes from the early '70's. They would tape a plastic bag inside the overnight deposit box at the different banks in this region. They were doing real well with it, but, like the banks they stole from, they did not know when to stop. I don't know if those guys ever got out of prison. Banks do not like competition.

Sun, 11/16/2014 - 20:10 | 5455482 Big Corked Boots

Lemme guess. The password is 123456.

Sun, 11/16/2014 - 20:16 | 5455494 Hulk

Close, it was 00000000 !!! AND WE GOT A  LAUNCH !!!

Sun, 11/16/2014 - 20:25 | 5455527 logicalman

Humans don't deserve to survive!

Sun, 11/16/2014 - 22:03 | 5455806 Kirk2NCC1701

Most don't and won't, for what's coming.

Darwinism rules. Note that it applies to groups and corporations just as well. Changing the environment to favor your group is part of Darwinism. Get over it, deal with it, or perish.

Sun, 11/16/2014 - 22:29 | 5455884 logicalman

It's not the strongest that survive, it's the most able to adapt.

Sun, 11/16/2014 - 20:30 | 5455529 medium giraffe

That's the stupidest combination I've ever heard in my life!  That's the kind of thing an idiot would have on his luggage!

Sun, 11/16/2014 - 20:17 | 5455504 DeusHedge

just another way to get dirty rich. haha, zh, GOT YA!!!

Sun, 11/16/2014 - 20:18 | 5455505 A Lunatic

I suppose the fat finger defense is useless in such situations..........?

Sun, 11/16/2014 - 20:29 | 5455534 DeusHedge

i'll shove you a f***ing fat finger for some more of those rubber bands.

Sun, 11/16/2014 - 20:50 | 5455598 Super Hans

I was in the middle of an ATM cash deposit outside the bank and the fucking ATM crashed and turned off. I had to go into the bank and file a claim. It took about a half hour!

 

Sun, 11/16/2014 - 20:51 | 5455605 kchrisc

Imagine that you knew how to do that, and did it.

Imagine that they somehow figured out who you are.

Imagine that they would send a gun and badge thug SWAT team to take, and cage you.

Now imagine you are Jon Corzine, Steven Cohen, Bernanke, Dimon, Greenspan, Yellen..."printing" and stealing trillions.

No SWAT assault on you.

An American, not US subject.

 

Guillotines are justice.

Sun, 11/16/2014 - 21:01 | 5455628 Sokhmate

This is merely a feature for high end clients that need, in a jiffy, to circumvent the 500/day limit when the situation arises for cash transactions, such as paying for big end hookers

Sun, 11/16/2014 - 22:00 | 5455798 jmcadg

'I don't like the transaction fees'. Lol.

Sun, 11/16/2014 - 23:42 | 5456075 ThisIsBob

"Costs?"

 

Don'tcha think that there are cadres of well supported hackers around the world with instructions to fuck-up anything in the US that they can get into?

 

Economic war is hell.

Mon, 11/17/2014 - 01:30 | 5456261 22winmag

Steal thousands, go to jail.

 

Steal millions, pay a fine and go to Wall Street.

 

Steal billions, go to Washington.

Mon, 11/17/2014 - 12:39 | 5457423 Emergency Ward

Doesn't Diebold manufacture those things?  I mean, they gotta be secure, right?
