Four teenage Saudis have been arrested over a technically implausible ATM scam said to have netted US$533,000 (two million Saudi Riyals) over two years. The unnamed youngsters from the Taif area of Western Saudi Arabia apparently discovered game cards from the local mall allowed them to withdraw the same amount of money as the …
Sounds somewhat unlikely
Actually, sounds like bollocks to me. Unless these were homebrew ATM's based on a Casio calculator circa 1988, this sounds like nonsense.
How they cuff repeat offenders who don't have any hands?
Lost in the translation
If you read 'Cuff' right to left, like Arabic, I think you will understand what they do with repeat offenders.
Either that or leg irons. Or both. At the same time. Ever seen Midnight Express?
Most ATM's in this region use magnetic cards
I used to work as an ATM repair technician, really old Diebold ATMs (as in 20 years old) are easy to dupe, besides, the ATM techs use nothing more than normal magnetic cards with bogus details. The only way this could have been pulled off is if there is a major flaw in the security settings of the software in the ATM and if they ATMs are still using the old fashioned cash pocket style dispensers that drop the money into a box and a door opens and you pick up your cash from there. All modern ATMs poke out the money on rollers or belts and you have to pull it of them.
Any bank still using an ATM machine that is using cash pockets should be abandoned by all its customers and should be penalized by the central bank.
Are those the ATMs where you put in your cash card and it fixes the election result so Bush wins?
i wonder if my oyster card works...TFL certainly owe me some cash that's for sure.
Obvious reasons this worked
If the kids had a card that specifically spit out the same amount as the previous transaction. It simply was not a "service card" as a service card would provide additional diagnostics and almost certainly would require additional intervention such as a switch to be flipped behind the locked door before actually giving out money.
There may be a bug in the ATM software which triggers from a buffer overflow judging the transaction was incomplete. Then the cards the kids got were just dumb luck. But, the chances of this are very slim since the readers usually transmit the numbers, not the pulses to the main system.
Of course, the bank would have probably thought the cash delivery guy was to blame if no extra transactions were showing up, but there was money regularly missing. Either he was pocketing it, or he was installing it in a way where bills were sticking together.
Now, on the other hand. If they look deeper, it's very likely they're find some code in their system specifically responsible for making this happen. Then it's a matter of finding out who wrote it. It's extremely likely that someone was in fact tampering with the system internally. The kids either found out about it through leaked information or through luck.
As a former programmer at a banking warehouse (when I was young and couldn't get a real job), I found that if you were the guy working on something like ATMs and you needed some way to test code, it was much easier to use an old $1 prepaid phone card than it was to go through the bureaucracy involved with battling with the overpaid secretary who was responsible for issuing cards to get a test card. So, just swipe the prepaid card, link it to your test code and there you go. Now the programmer can test repeating the last transaction by using the calling card he used for calling his mom from college.
It might not have been intentional. It might be that there's a programmer somewhere living in a palace. Either way, it's almost certainly in the code.
P.S. - I even know banking programmers these days... I've seen at least one of them leave his car door unlocked with his wallet on their dashboard while going into the gas station to take a leak and buy a hot dog in a city. If that's how he treats his own money... do you really think he cares if the bank he works for which deals with 50 types of electronic theft a week loses a few bucks from an ATM?
Ah! The good old days.
Back in the '90's, I worked for a university as system and network admin. It was my job, being the junior admin, to set up the registration center for every semesters new student registration. We had 5 payment lines, each with a terminal, card read reader and card writer (for student IDs). After registration one evening, just for kicks, I read all of my cards, bank, gas, id, visa, mc, etc) into a text file, then wrote them back onto a different card. I then proceeded to the gas station and paid at the pump with my student id (which has my gas card info written onto it). Worked like a champ...and if it hadn't, I'd have had to pay cash inside...
Not so unlikely after all.
I remember as a kid finding out that daddy's car would lock fine with a key from a wildly different brand... but not open. That seems impossible, but nonetheless, that's how it was.
The thing is that these systems are more tested positively than negatively. That is, every change you make you check that nothing breaks. But do you also test, at every change, that everything that shouldn't work, doesn't? Probably not.
I've tinkered with state machines and such to *really* have input validation done correctly, including rejecting all invalid input next to accepting all valid input, and oftentimes getting every last corner case right took quite a bit of effort. And that was when I was out to get it right. Most programmers don't even try. "It compiles, ship it."
Not entirely unrelatedly, I wouldn't be surprised if this was an unauthorised testing back door as surmised elsewhere in the comments, or something to that tune. If people start to circumvent bureaucracy then that undermines your security. So best not be too bureaucratic, eh.
For the kids to have found out, well, that is probably sheer dumb luck. But it wouldn't be reality if there were no outlandish surprises.
Still think it is to do with old hardware in combination with dodgy software
As stated in another post, magnetic bank cards are easy to copy. The game cards could be used as blanks, since they are easier and cheeper to obtain than actually purchassing blank magnetic cards (say from and RS catalog for example). You do not need to have a back door in the software do dupe old ATMs, good thing that most banks have learned and updated their software. Old ATMs assumed you had taken the money out of the machine if it detected the cash pocket was empty. If the bank was stupid enough, they would program the ATM to deposit the money back into the account if it was not collected. A smart theif would replace the money with a piece of paper to dupe the optical sensor into thinking the money was not collected. The cash pocket closes and the software deposits the money back into the account. This in combination with a copy of a stollen card along with a valid pin code and bob's your uncle. Nowadays, most banks are smart enough to retire stupidly old ATM machines and they also change the software so that the money is not rediposited in the bank account unless somebody physically checks it first. Most banks also install hidden cameras on ATM machines to photograph every person who performs a transaction (so it is best not pick your nose while using the machine) Along with the usual obvious camera's set up somewhere visible as a deterant.
If your bank is not willing to invest in new hardware, you really should not trust it. So many things can go wrong with ancient hardware. As you can see, all you need is bad security procedures, not necessarily a hidden back door.
Reacently a chinese gang was caught here in Oman with very sofisticated equipment, they had thin keypads that were overlayed ontop of the ATM keypads. These were so thin as to be hard to notice, they also installed ultra thin magnetic strip readers on the card entry slot of the machine. Every customer to come to the ATM would have his card copied and his pin code stored! The gang was caught by chance when a bank employee was out for a spin at night and saw them installing the kit. Now all ATM machines have been modified so as to make it impossible to fit a card reader on the lip of the card slot.
Offcoure, the most brilliant one of them all used a buldozer to rip the ATM from the building. They caught him the next day when he tried to hire somebody to cut the safe open (you would have throught that with access to a buldozer he whould have had some suitable heavy duty cutting equipment)!
- Leaked screenshots show next Windows kernel to be a perfect 10
- Product round-up Coming clean: Ten cordless vacuum cleaners
- Something for the Weekend, Sir? I need a password to BRAKE? What? No! STOP! Aaaargh!
- Episode 13 BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
- Vulture at the Wheel Ford's B-Max: Fiesta-based runaround that goes THUNK