A North Carolina man's scheme to steal as much as $350,000 during an automatic teller machine hacking spree was thwarted by an ex-convict, who turned the man in to authorities, federal prosecutors allege. Thor Alexander Morris approached the Texas-based ex-con looking for help identifying the locations of specific models of …
LEO is an acronym for...
LEO is an acronym for
Wait, not relevant to anything? Oh well...that's my coat...
No, LEO is...
Just the astrological sign represented by a lion, or the titular constellation.
Anne McCaffrey's book _Pegasus in Space_ has a scene with confusion over which meaning when the Law Enforcement and Order commissioner walks into the Space Authority's office.
Mine's the one with the plans to terraform Mars in the pocket.
screw the banks
I found a way to beat the ATM as well.
I did it once just to test and it worked. I called the bank and made them aware of it.
Did I get a thank you, or any kind of reward?
No, I got the $50 withdrawn from my account immediately and then a few months later my accounts all closed.
I never did it more than once to test it.
They didn't even take a moment to investigate my claim, they immediately took the money that I told them I got.
Screw 'em, they would rob you if they could. Just look at return check fees and overdrafts.
Most of them charge you overdrafts even if your account isn't overdrawn.
Banks = Thieves and Liars.
You do realise that you could have just called them up and told them about the problem? Whereas what you have written reads along the lines of: I robbed a bunch of money from a bank, then told them that I had done so. They closed my accounts.
You are lucky they didn't press charges.
Oh and it's an overdraft facility that you pay for, if you don't use it, that's your fault, not the bank's.
Re: "could have just called them"
Uh... he did. And your blasé restatement of the events acknowledges that you understood that he did.
Now, whether you are saying that a bank would take the time to actually do a thorough investigation of its ATM infrastructure if one lowly "member" makes a point to call his bank security liaison (Tier 1-2 Customer Service Rep - phone jockey) that one or more of the machines "might" have a security issue (that OF COURSE is listed as a support feature from the manufacturer)... yeah - guess that would have gotten something done, eh?
This is the age-old quandary of exploit disclosure (IT angle!) although the person admittedly has not openly disclosed how he did it; only that *something* is amiss and that he properly notified the proper service provider.
And, like all researchers, he was ignored, derided, and summarily punished, although more directly than most. Plus ça change...
He told them that he'd found a security flaw in their ATM network AFTER he'd taken money using the flaw, he may well have had the best intentions, but it wasn't an especially sensible thing to do. I can easily see how a bank, who clearly had notification methods - he states that he called them up and told them about the flaw - would be mighty pissed off. Indeed there are many cases of people "helpfully" hacking systems to show that there is a fault which ended up in the helpful people being prosecuted.
Defrauding companies of money or hacking them, best intentions or not, is not a good idea. Call them up, let them know of the problem, tell them that you'll publicise if they don't do anything and leave it at that. Don't break the law to be helpful.
well if you were playing with a bank machine and discovered a flaw, obviously some money would have to be transferred, or else how would you know there was a flaw at all? you wouldn't know there was a 'problem' unless some money was transferred; that _is_ the problem.
so i think what you are saying doesn't hold water.
and he mentioned that it was $50 dollars - which hardly constitutes defrauding a bank.
Serious design flaw
The user-level interface should not have this much access. If the machine's case had to be opened to make administrative changes (as is the case with many models), this attack would never have been possible.
An even better design would scan the top bill in each stack to determine its denomination, rather than trust a user to enter the correct settings.
Re: Better Design
Agreed. However, banks (like most businesses) will not voluntarily upgrade or buy new equipment if they don't have to. Ignoring the issue is much easier in the short term, and any long term ramifications can be either (a) diverted to the manufacturer or insurance, or (b) reported as losses to insurance and calls for more authoritarian control and "enforcement".
What better way to get the shareholders to finance the latest planned binge than to wrap it up in (necessarily *secret*) security procedures development, training, and equipment procurement to prevent fraud.
That's called ensuring shareholder value. Phfffttt...
Sorry, just couldn't get that out with a straight face.
As Safe As A Bank
"The targeted ATMs contain a backdoor that gives unfettered administrative access to anyone who enters a simple series of keystrokes."
It is always very reassuring to see how competent the financial security people are. "Why should we change the default password ? Normal people don't read our manuals, anyway..."
I recently read a pamphlet from someone working for a major financial institution, who believed that "compressing this data structure will make it practically undecipherable". These "professionals" don't even waste time to read up on cryptology before they write "technical documents". I could go on writing about the financial IT failures I experienced as a developer and the reaction (or non-reaction) of management to that. Have a look at my Reg Posting history if you are interested.
Low earth orbit
Anyway - ATMs have a backdoor? How dumb is that?
It's not a backdoor per se,
It's the default password for the Engineers Menu
He also put Morris in touch with a purported ATM thief named Leo, who in reality was an undercover FBI agent.
Great choice of name there. How much more of a hint did he need?
Mind you, BBC used Sue Windle and Rob Marks and people didn't get it, did they.
fail icon, well
> The targeted ATMs contain a backdoor that gives unfettered administrative access to anyone who enters a simple series of keystrokes.
So the cash machines were made so that someone could gain administrative privilege from the customer facing keypad?! I'm thinking the people responsible for this should be facing a judge instead...
Fail by design
What kind of idiot would design an ATM that you could reconfigure using the public terminal?
A bit like..
the old "dial 4231" on coke machines trick... but more valuable!
It's not a backdoor, it's an administrative ID that didn't have the account password changed at the time the machine was installed.
It may not be a particularly brilliant idea for the machines to be administered when the back door isn't open (ie: the owner/operator of the machine isn't there) but suggesting that someone has put a back door into an ATM is wrong.
He should have gone for Rick Astley not Rick James. Never gonna give you up.
@dr_forrester (and others)
I'm happily surprised that there are more Anne McCaffrey readers here.
P.S. Thought the very last book in the series was a bit of a let down.
Now, what was the topic, Wunch of Bankers, I believe. Oh no, just one this time.
Well glad to see the financial services industry leave the "operations manual for idiots" open again.
When will manufacturers learn "hey let's put in an admin password which can only be accessed by a single keypad!!!" leads to serious problems.
Paris because? She loved a good backdoor!