"ATM Jackpotting" Exposed - It's Not Just The Fed That Spits Out Free Money
While the central banks of the world have yet to directly unleash the helicopter drop of free money to the end-consumer, preferring instead to seek financial asset inflation (and all its unintended consequences), it appears there is another way to get 'free money' direct to the average Joe... "ATM Jackpotting." According to Wired, using a special button sequence and some insider knowledge, it is possible to reconfigure ATMs to believe they are dispensing one dollar bills, instead of the twenties actually loaded into the cash trays. Though industry sources claim this to be rare, they note that "independent operators and financial institutions are very tight lipped about this sort of thing."
As Wired reports, "Two Dudes Prove How Easy It Is to Hack ATMs for Free Cash"
When a small-time Tennessee restaurateur named Khaled Abdel Fattah was running short of cash he went to an ATM machine. Actually, according to federal prosecutors, he went to a lot of them. Over 18 months, he visited a slew of small kiosk ATMs around Nashville and withdrew a total of more than $400,000 in 20-dollar bills. The only problem: It wasn’t his money.
Now Fattah and an associate named Chris Folad are facing 30 counts of computer fraud and conspiracy, after a Secret Service investigation uncovered evidence that the men had essentially robbed the cash machines using nothing more than the keypad. Using a special button sequence and some insider knowledge, they allegedly reconfigured the ATMs to believe they were dispensing one dollar bills, instead of the twenties actually loaded into the cash trays, according to a federal indictment issued in the case late last month. A withdrawal of $20 thus caused the machine to spit out $400 in cash, for a profit of $380.
The first $20 came out of one of their own bank accounts. That’s right: They were using their own ATM cards.
"ATM Jackpotting" was first discussed in public at 2010's Las Vegas Black Hat Conference...
In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that made them spew out dozens of crisp bills.
The audience greeted the demonstration with hoots and applause.
In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.
Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, but he hasn’t yet examined them.
To demonstrate, Jack punched keys on the keypad to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.
...
To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.
But at the street level, criminals have exploited a simpler vulnerability that requires no hacking software or gear...
Unlike the machines deployed at brick-and-mortar bank locations, kiosk ATMs could be placed into a privileged “operator mode” simply by pressing a special sequence of buttons on the ATM keypad.
From that mode, you could manipulate a number of variables—one of which sets the denomination of the bills loaded into the machine’s currency cartridges.
A supposedly secret six-digit numeric password protects the Operator Mode, but in the Nashville case, one of the defendants, Fattah, was a former employee of the company that operated the machines, says the Secret Service’s Mays, so he knew the code.
Currency switching capers appear to be rare now, says David Tente, executive director of the ATM Industry Association, though hard data is difficult to come by.
“Nobody likes talking about fraud, especially when it’s against them,” Tente says. “Independent operators and financial institutions are very tight lipped about this sort of thing.”
But there’s some evidence that operator passcodes are still an issue, he notes. Last June, two 14-year-old boys in Winnipeg followed internet instructions to gain operator access to a Bank of Montreal ATM at a grocery store, successfully guessing the six digit master passcode. The boys immediately notified the bank, which changed the code.
Who knows how many ATM hackers have been less scrupulous?
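For operators, the currency switch described above leaves a trace in reconciliation: the account is debited $20 while the dispenser counts out 20 notes from a cassette that was loaded with twenties. The following is an added example, not code from the Wired article or from any ATM vendor; the record layout, terminal names and sample journal are constructed, and it assumes each dispense draws from a single cassette.

```python
from dataclasses import dataclass

# Constructed inventory: denomination physically loaded per (terminal, cassette),
# as a replenishment crew might record it (hypothetical format).
LOADED = {("KIOSK-01", 1): 20, ("KIOSK-02", 1): 20}

@dataclass
class Dispense:
    terminal: str
    cassette: int
    amount: int   # dollars debited from the cardholder's account
    notes: int    # bills physically counted out by the dispenser

# Constructed journal records (not from a real ATM).
JOURNAL = [
    Dispense("KIOSK-01", 1, 40, 2),    # normal: 2 x $20
    Dispense("KIOSK-02", 1, 20, 20),   # machine believes the cassette holds $1 bills
    Dispense("KIOSK-02", 1, 20, 20),
    Dispense("KIOSK-01", 1, 100, 5),   # normal: 5 x $20
]

def find_denomination_mismatches(journal, loaded):
    """Return (record, implied_denomination, loss) for every dispense whose
    implied per-note value disagrees with the denomination actually loaded."""
    findings = []
    for rec in journal:
        actual = loaded.get((rec.terminal, rec.cassette))
        if actual is None or rec.notes == 0:
            continue  # no inventory record or nothing dispensed: cannot reconcile
        implied = rec.amount / rec.notes
        if implied != actual:
            # Cash that left the machine minus what the account was charged.
            loss = rec.notes * actual - rec.amount
            findings.append((rec, implied, loss))
    return findings

def loss_by_terminal(findings):
    """Sum the unreconciled cash per terminal so the worst machines surface first."""
    totals = {}
    for rec, _implied, loss in findings:
        totals[rec.terminal] = totals.get(rec.terminal, 0) + loss
    return totals

if __name__ == "__main__":
    hits = find_denomination_mismatches(JOURNAL, LOADED)
    for rec, implied, loss in hits:
        print(f"{rec.terminal} cassette {rec.cassette}: debited ${rec.amount}, "
              f"{rec.notes} notes out, implied ${implied:g}/note, loss ${loss}")
    print(loss_by_terminal(hits))
```

Run against each day's journal, a check like this surfaces a switched cassette at the next reconciliation instead of at the next cash count.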


95% of ATMs run on Windows XP. It's like securing your bicycle with a rubber string.
simply by pressing a special sequence of buttons on the ATM keypad.
ok ZHers, here's the code:
Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start
Damn, I tried that and it started playing a Contra game. No Money ??? You beat me to the draw!
Finish him!
Fatality!
Bring bitcoin or digital money ... no problems
Actually I played the shit outta Contra and the code is
Up, Down, Up, Down, Left, Right, Left, Right, A,B,A,B Start.
But hey I played way too much of that game back in the day. Thanks for the smile and the memories.
Sorry it's select start lol
yep
Congratulations on defeating the vile red falcon and saving the universe. Rapid repeat spread for the win.
You should know that modern ATM machines, especially at banks, have a video camera that's recording everything.
Facial recognition SW from the SS will let them find you in a jiffy. Unless you take countermeasures.
Note that in one episode of Breaking Bad, the ATM camera had a wide Field of View (WFOV) and captured the image of Jesse's RV in the background.
So you don't park your RV next to the ATM. You do not wear the same face you do elsewhere. You do not leave fingerprints. Fuck the banks. Kudos to the dudes.
If I found a $1000 in a wallet at a gas station..with an ID in it, I would give it back to the owner.
If I found $100,250.00 wrapped up in a misplaced Bank of America bag I would laugh all the way to the mattress.
Blue Screen of Debt?
That's armed robbery. (Well your fingers are on your arm)
Yeah, seems like nothing more than creative channel surfing;)
Banks hate competition...
Isn't it interesting the secret service gets involved with money fraud and where the hell are they when the public is defrauded?
Who do you think the secret service works for?*
*Today's rhetorical question has been brought to you by VAD.
They work for the same people that we are paying taxes to..that are robbing our country of wealth.
FORWARD REVOLUTION 2.0
fuck DC
You should know that the original mission of the SS was to track competitive counterfeiting.
Their mission to protect the POTUS was a later addition. That way they decide which would-be assassin gets a viable chance at taking a shot. All they have to do, is to slip up on their coverage and maintain plausible deniability. E.g. Daley Plaza.
To this day the SS is still on the payroll of the Fed.
Here's a more direct method:
(Just use a forklift..)
http://www.gwinnettdailypost.com/news/2007/jun/30/thieves-use-forklift-t...
Singer Neil Young boycotts Starbucks over Vermont GMO label lawsuit, over 300,000 sign petition
Awesome, finally, we know the location of some uncrowded Starbucks... ...winning.
Everybody check your hands, and do the safety dance.
I hate Starbucks as their coffee tastes burnt.
Starbucks is to good coffee as McDonalds is to good beef.
glad to see monsanto being defeated.
however, more laws are not the answer. forcing food makers to keep track of whether GMO are used at any point in the process and to report it, just puts another burden on small companies. if people want to know, let them use their free market power to pressure the companies they buy from to provide info.
instead, they are going and crying to the man, saying make a new law and take care of me big brother! but we know the system is corrupt, and will be twisted and used against the public by those with money and power.
as tacitus put it, the more numerous the laws, the more corrupt the society.
better solution, is repeal all laws, and don't support crooks and violent people, especially the state.
don't feed the monster.
Barnaby Jack was suicided for exposing the pacemaker and insulin pump hacking.
Note that Dick Cheney got a special pacemaker with no remote access capabilities.
Still, Cheney will die thanks to God and the way he arranged things.
But, Cheney will be buried in an undisclosed location to avoid urine erosion of the gravesite.
no, cheney will outlive us all.
his power of spite is far greater than you can imagine.
FYI... ALL electronic devices are susceptible to electronic warfare devices.
E.g. RF generators of the right frequency, or a small EMP that's strong enough with a 100 m radius. Just saying.
Sure, mate. But what Barnaby demonstrated is that targeted attacks are possible. Only the powerful were supposed to have known this.
Like Prometheus, Barnaby Jack tried to give the light to the common man.
"Note that Dick Cheney got a special pacemaker with no remote access capabilities"
actually there is ONE remote access point and code number to go along with it.... #666
It's OK. The Federal Reserve has it covered. The Fed can just print trillions more.
It's better than money growing on trees. That takes too long. All the Fed has to do is enter it on a keyboard in our financial fantasy-land.
This is great. Plus they are in dialup! Can you imagine how these ATMS are going to get slammed now? You should probably have to have an operator ATM card that is the first key. Unfucking believable how stupid that is.
Listen.
Barnaby introduced us to this in 2009, but DC18 was in 8/2010....
Jack was found dead in a San Francisco apartment on 25 July 2013 by his girlfriend. He was aged 35.
http://en.wikipedia.org/wiki/Barnaby_Jack
Rest in Peace brother.
The banks only give a shit about numbers with 9 or more zeros.
Everything else is small change.
They do have to keep up appearances, however.
The Wired article makes this sound like Triton had "just discovered" this vulnerability back in 2005 when Windows XP SP2 was trendy.
Actually, it has been known in the industry since before everyone realized Y2K was a dud.
I thought hackers were supposed to be hip and up with the times... Forget one upping the big bad bankstas (when in reality they are ripping off small business owners), this "news" reeks of revenge of the computer nerds being a decade and half slower than the local Slurpee® schlepper who can't even speak discernible English.
He should fine 10% or less like banksters do.
This is simply the natural outcome when you start allowing counterfeiting to increase exponentially. As stupid as people are, I am surprised more counterfeiting rings haven't been exposed.
The joke is on the Jackpotters, those twenties aren't even worth a buck anymore !!!
In Brazil and Russia, the thing is a lot less subtle.
When you do not have magnetic card uses a stick of dynamite:
Russia:
http://englishrussia.com/2014/11/12/over-twenty-bank-atms-were-lately-bl...
Brazil:
https://www.google.com.br/search?q=explos%C3%A3o+caixa+eletr%C3%B4nico&b...
hehe.
yes, but brazil is a 3rd-world country, they don't know how to use computers there.
what's russia's excuse?
stacking12321:
Careful with that statement that "they do not know how to use computers there."
Maybe the thing is so hard to dodge that with only a stick of dynamite to get money.
I have two bank accounts, one private and one state-owned bank, both need my finger to do any transaction.
hehe.
state owned bank?
damned communists!
i'll give them a finger, all right!
Reminds me of some local "Dixie Mafia" dudes from the early '70's. They would tape a plastic bag inside the overnight deposit box at the different banks in this region. They were doing real well with it, but, like the banks they stole from, they did not know when to stop. I don't know if those guys ever got out of prison. Banks do not like competition.
Lemme guess. The password is 123456.
Close, it was 00000000 !!! AND WE GOT A LAUNCH !!!
Humans don't deserve to survive!
Most don't and won't, for what's coming.
Darwinism rules. Note that it applies to groups and corporations just as well. Changing the environment to favor your group is part of Darwinism. Get over it, deal with it, or perish.
It's not the strongest that survive, it's the most able to adapt.
That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
just another way to get dirty rich. haha, zh, GOT YA!!!
I suppose the fat finger defense is useless in such situations..........?
i'll shove you a f***ing fat finger for some more of those rubber bands.
I was in the middle of an ATM cash deposit outside the bank and the fucking ATM crashed and turned off. I had to go into the bank and file a claim. It took about a half hour!
Imagine that you knew how to do that, and did it.
Imagine that they some how figured out who you are.
Imagine that they would send a gun and badge thug SWAT team to take, and cage you.
Now imagine you are Jon Corzine, Steven Cohen, Bernanke, Dimon, Greenspan, Yellen..."printing" and stealing trillions.
No SWAT assault on you.
An American, not US subject.
Guillotines are justice.
This is merely a feature for high end clients that need, in a jiffy, to circumvent the 500/day limit when the situation arises for cash transactions, such as paying for big end hookers
'I don't like the transaction fees'. Lol.
"Costs?"
Don'tcha think that there are cadres of well supported hackers around the world with instructions to fuck-up anything in the US that they can get into?
Economic war is hell.
Steal thousands, go to jail.
Steal millions, pay a fine and go to Wall Street.
Steal billions, go to Washington.
Doesn't Diebold manufacture those things? I mean, they gotta be secure, right?