ATMs use computers. Computers have weaknesses. Hackers exploit weaknesses. See where this is going? A hacker developed software that can force an ATM’s computer to give free cash. Luckily for banks, he showed off his technique at the Black Hat conference.
How did hacker Barnaby Jack, director of security research for IOActive Inc., manage to trick ATMs into giving him all they have? Rather simply, actually. One manufacturer’s ATMs all used the same physical key to access their computers. Once one was opened, he loaded his software and forced the ATM to make it rain:
He figured [that all ATMs have the same key] by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got with pictures of other keys, found on the Internet. He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.
The computers in the ATMs were all running Windows CE, and there are actually even more ways to commandeer them. Barnaby’s particular method was shown off at the Black Hat conference – where hackers show vulnerabilities to companies – so don’t think you can just go email Barnaby for the how-to. [SFGate]