ATM hacking spree foiled by tip from ex-con

A North Carolina man's scheme to steal as much as $350,000 during an automatic teller machine hacking spree was thwarted by an ex-convict, who turned the man in to authorities, federal prosecutors allege. Thor Alexander Morris approached the Texas-based ex-con looking for help identifying the locations of specific models of …

COMMENTS

This topic is closed for new posts.
  1. Chris 244
    FAIL

    LEO is an acronym for...

    Law

    Enforcement

    Officer

    1. Trevor Pott o_O Gold badge
      Coat

      LEO is an acronym for

      Low

      Earth

      Orbit

      Wait, not relevant to anything? Oh well...that's my coat...

    2. dr_forrester
      Coat

      No, LEO is...

      Just the astrological sign represented by a lion, or the titular constellation.

      Anne McCaffrey's book _Pegasus in Space_ has a scene with confusion over which meaning when the Law Enforcement and Order commissioner walks into the Space Authority's office.

      Mine's the one with the plans to terraform Mars in the pocket.

  2. James Woods

    screw the banks

    I found a way to beat the ATM as well.

    I did it once just to test and it worked. I called the bank and made them aware of it.

    Did I get a thank you, or any kind of reward?

    No, I got the $50 withdrawn from my account immediately and then a few months later my accounts all closed.

    I never did it more than once to test it.

    They didn't even take a moment to investigate my claim, they immediately took the money that I told them I got.

    Screw em, they would rob you if they could, just look at return check fees and overdrafts.

    Most of them charge you overdrafts even if your account isn't overdrawn.

    Banks = Thieves and Liars.

    1. Anonymous Coward
      Anonymous Coward

      Err...

      You do realise that you could have just called them up and told them about the problem? Whereas what you have written reads along the lines of: I robbed a bunch of money from a bank, then told them that I had done so. They closed my accounts.

      You are lucky they didn't press charges.

      Oh and it's an overdraft facility that you pay for, if you don't use it, that's your fault, not the bank's.

      1. I didn't do IT.
        Boffin

        Re: "could have just called them"

        Uh... he did. And your blasé restatement of the events acknowledges that you understood that he did.

        Now, whether you are saying that a bank would take the time to actually do a thorough investigation of its ATM infrastructure if one lowly "member" makes a point to call his bank security liaison (Tier 1-2 Customer Service Rep - phone jockey) that one or more of the machines "might" have a security issue (that OF COURSE is listed as a support feature from the manufacturer)... yeah - guess that would have gotten something done, eh?

        This is the age-old quandary of exploit disclosure (IT angle!) although the person admittedly has not openly disclosed how he did it; only that *something* is amiss and that he properly notified the proper service provider.

        And, like all researchers, he was ignored, derided, and summarily punished, although more directly than most. Plus ça change...

        1. Anonymous Coward
          Anonymous Coward

          Ok...

          He told them that he'd found a security flaw in their ATM network AFTER he'd taken money using the flaw, he may well have had the best intentions, but it wasn't an especially sensible thing to do. I can easily see how a bank, who clearly had notification methods - he states that he called them up and told them about the flaw - would be mighty pissed off. Indeed there are many cases of people "helpfully" hacking systems to show that there is a fault which ended up in the helpful people being prosecuted.

          Defrauding companies of money or hacking them, best intentions or not, is not a good idea. Call them up, let them know of the problem, tell them that you'll publicise if they don't do anything and leave it at that. Don't break the law to be helpful.

          1. Anonymous Coward
            Anonymous Coward

            re: (untitled)

            well if you were playing with a bank machine and discovered a flaw, obviously some money would have to be transferred, or else how would you know there was a flaw at all? you wouldn't know there was a 'problem' unless some money was transferred; that _is_ the problem.

            so i think what you are saying doesn't hold water.

            and he mentioned that it was $50 dollars - which hardly constitutes defrauding a bank.

  3. Kanhef
    FAIL

    Serious design flaw

    The user-level interface should not have this much access. If the machine's case had to be opened to make administrative changes (as is the case with many models), this attack would never have been possible.

    An even better design would scan the top bill in each stack to determine its denomination, rather than trust a user to enter the correct settings.

    1. I didn't do IT.
      Pirate

      Re: Better Design

      Agreed. However, banks (like most businesses) will not voluntarily upgrade or buy new equipment if they don't have to. Ignoring the issue is much easier in the short term, and any long term ramifications can be either (a) diverted to the manufacturer or insurance, or (b) reported as losses to insurance and calls for more authoritarian control and "enforcement".

      What better way to get the shareholders to finance the latest planned binge than to wrap it up in (necessarily *secret*) security procedures development, training, and equipment procurement to prevent fraud.

      That's called ensuring shareholder value. Phfffttt...

      Sorry, just couldn't get that out with a straight face.

  4. Anonymous Coward
    FAIL

    As Safe As A Bank

    "The targeted ATMs contain a backdoor that gives unfettered administrative access to anyone who enters a simple series of keystrokes."

    It is always very reassuring to see how competent the financial security people are. "Why should we change the default password? Normal people don't read our manuals, anyway..."

    I recently read a pamphlet from someone working for a major financial institution, who believed that "compressing this data structure will make it practically undecipherable". These "professionals" don't even waste time to read up on cryptology before they write "technical documents". I could go on writing about the financial IT failures I experienced as a developer and the reaction (or non-reaction) of management to that. Have a look at my Reg Posting history if you are interested.

  5. James Hughes 1

    Low earth orbit

    Surely?

    Anyway - ATMs have a backdoor? How dumb is that?

    1. Anonymous Coward
      Linux

      Backdoor

      It's not a backdoor per se,

      It's the default password for the Engineers Menu

  6. Martyn 4
    FAIL

    obvious

    He also put Morris in touch with a purported ATM thief named Leo, who in reality was an undercover FBI agent.

    Great choice of name there. How much more of a hint did he need?

    Mind you, BBC used sue windle and rob marks and people didn't get it, did they.

    fail icon, well

  7. Anonymous Coward
    Anonymous Coward

    Wait...

    > The targeted ATMs contain a backdoor that gives unfettered administrative access to anyone who enters a simple series of keystrokes.

    So the cash machines were made so that someone could gain administrative privilege from the customer facing keypad?! I'm thinking the people responsible for this should be facing a judge instead...

  8. Barry Tabrah
    FAIL

    Fail by design

    What kind of idiot would design an ATM that you could reconfigure using the public terminal?

  9. Anonymous Coward
    Anonymous Coward

    A bit like..

    the old "dial 4231" on coke machines trick... but more valuable!

  10. Anonymous Coward
    Anonymous Coward

    Err...

    It's not a backdoor, it's an administrative ID that didn't have the account password changed at the time the machine was installed.

    It may not be a particularly brilliant idea for the machines to be administered when the back door isn't open (ie: the owner/operator of the machine isn't there) but suggesting that someone has put a back door into an ATM is wrong.

  11. Anonymous Coward
    Anonymous Coward

    Rick roll

    He should have gone for Rick Astley not Rick James. Never gonna give you up.

  12. Will Godfrey Silver badge
    Happy

    @dr_forrester (and others)

    I'm happily surprised that there are more Anne McCaffrey readers here.

    P.S. Thought the very last book in the series was a bit of a let down.

    Now, what was the topic, Wunch of Bankers, I believe. Oh no, just one this time.

  13. Chaosechoz
    Paris Hilton

    Ah clarity

    Well glad to see the financial services industry leave the "operations manual for idiots" open again.

    When will manufacturers learn "hey lets put in an admin password which can only be accessed by a single keypad!!!" leads to serious problems.

    Paris because? She loved a good backdoor!
