Wednesday, August 11, 2010


I saw this interesting article from Wired, regarding the ATM reprogramming hacking. Its apparent how tempting are these cash machines for under world people hackers. Story is
A North Carolina grocery worker is being held without bail in Houston on attempted computer hacking charges after inadvertently partnering with an undercover FBI agent in an alleged citywide ATM-reprogramming caper. Thor Alexander Morris, 19, was arrested at a Houston flea market last month after trying a default administrative passcode on a Tranax Mini-Bank ATM there, according to the FBI. Morris, who was wearing a wig to disguise his appearance, allegedly hoped to reprogram the machine to think it was loaded with $1 bills instead of $20 bills. That would let him pull $8,000 in cash with $400 in withdrawals from a prepaid debit card.
Cash-machine–reprogramming scams were first noticed in the financial industry in 2005, and surfaced publicly in 2006 when a cyber thief was caught on video looting an ATM at a Virginia gas station. Threat Level later confirmed that default administrative passcodes for retail ATMs manufactured by Tranax and Triton were printed in owner’s manuals easily found online.
On the drive to his first cash machine, Morris bragged to the undercover agent that he’d already conducted ATM hacking trips to Tennessee, Florida, South Carolina and Virginia, and hit machines in his home town of Jacksonville. He also boasted about other supposed exploits as a “hacker”, claiming he’d stolen credit card information from  the Food Lion where he worked, and had targeted the Navy Federal Credit Union and Walmart in a manner unspecified in the criminal complaint.
When he was through gabbing, Morris donned a long, black curly hair hairpiece he called his “Rick James” wig and walked with the agent to an ATM at the Mercado 6 flea market, where managers had previously agreed to cooperate in the investigation. The agent watched as Morris entered the key sequence that brings up the “Enter Password” screen, and then keyed in the default passcode for the Tranax Mini-Bank.
The code, though, had been changed on this machine, and Morris was thwarted. He allegedly tried two more times, then tried a completely different code before the FBI agents surveilling the scene got impatient and arrested him.
ATM hacking being a interesting topic, i did further research and astonished to find out the some facts on how easy is to hack the ATM and make it dispense more money than it ideally should. Please read it for information purpose and do not try to hack ATM if this vulnerability still exist/left unpatched.
Its unlikely common ATM tricks uses various high tech devices to capture identity of your ATM card and Pin number. Hackers are first trying to identify the ATM maker and model from the video like one on news about ATM reprogramming scam fraud at at a gas station on Lynnhaven Parkway in Virginia Beach.
ATM brand  model number Tranax Mini Bank 1500 series is uncovered to be of serious issues with possibilities of hacking. Hackers managed to find the default pass code and back door sequence for that particular machine and tried reprogramming the machine to dispense more money with the help of  Tranax Mini Bank 1500 Series (MB1500) operator manual or installation manual, which contains a lot of security sensitive information includes:
  • Instructions on how to enter the diagnostic mode or operator function menu.
  • Default Master, Service or Operator passwords.
  • Default Combinations For the Safe.
Inside the Tranax Mini-Bank 1500 user guide manual, you can also learn how to set the denomination of the type of bill (the value of the cash notes i.e $1, $5, $10, $20, $50 or $100) that the ATM’s cassettes will be dispensing. That’s all you probably need to trick the ATM to think that the $20 bills it dispensed are actually of the $5 or $1 bill, possibly earning you a hefty profit. So, the only thing left now if you trying your luck to find an ATM cash machine that haven’t been changed its factory default passcodes and passwords. Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around US, where majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist, according to eWeek.
The ATM scammer in Virginia Beach case successfully to re-program and trick the Tranax MB1500 series ATM to act as if it had $5 bills in its dispensing tray instead of $20 bills, and the withdraw cash using a pre-paid debit card with a 300% profit. However, he forgot to reprogram back the ATM to correct denomination, and the ATM was left misprogrammed for next 9 days before somebody reported the misconfiguration, and hence revealed the fraud.
ATM hacking becomes common in all places including checking gas station pumps,  food world, supermarkets, hotels. Any unattended card reader, not just feral ATMs. But skimmers are pocket-sized or smaller, so even attended readers are at risk. Another card trick, detected at a fast food joint, had the cashier dip the card beneath the counter, just for an instant, where it was skimmed before coming back up and run through the real card reader.
Further reading:
Kerbs on Security blog had more information on previous ATM attacks and worth reading. click here