Saudi cops cuff four for mad bank card scam

Four teenage Saudis have been arrested over a technically implausible ATM scam said to have netted US$533,000 (two million Saudi Riyals) over two years. The unnamed youngsters from the Taif area of Western Saudi Arabia apparently discovered game cards from the local mall allowed them to withdraw the same amount of money as the …

COMMENTS

This topic is closed for new posts.
  1. Cliff

    Sounds somewhat unlikely

    Actually, sounds like bollocks to me. Unless these were homebrew ATMs based on a Casio calculator circa 1988, this sounds like nonsense.

    1. This post has been deleted by its author

  2. JP19

    I wonder

    How they cuff repeat offenders who don't have any hands?

    1. Silent but Deadly
      Thumb Up

      Lost in the translation

      If you read 'Cuff' right to left, like Arabic, I think you will understand what they do with repeat offenders.

      Either that or leg irons. Or both. At the same time. Ever seen Midnight Express?

  3. Hilmi Al-kindy

    Most ATMs in this region use magnetic cards

    I used to work as an ATM repair technician. Really old Diebold ATMs (as in 20 years old) are easy to dupe; besides, the ATM techs use nothing more than normal magnetic cards with bogus details. The only way this could have been pulled off is if there is a major flaw in the security settings of the software in the ATM and if the ATMs are still using the old fashioned cash pocket style dispensers that drop the money into a box and a door opens and you pick up your cash from there. All modern ATMs poke out the money on rollers or belts and you have to pull it off them.

    Any bank still using an ATM machine that is using cash pockets should be abandoned by all its customers and should be penalized by the central bank.

    1. Anonymous Coward
      Joke

      Diebold?

      Are those the ATMs where you put in your cash card and it fixes the election result so Bush wins?

  4. envmod

    hmmmm

    I wonder if my Oyster card works...TFL certainly owe me some cash, that's for sure.

  5. CheesyTheClown
    Flame

    Obvious reasons this worked

    If the kids had a card that specifically spit out the same amount as the previous transaction, it simply was not a "service card", as a service card would provide additional diagnostics and almost certainly would require additional intervention such as a switch to be flipped behind the locked door before actually giving out money.

    There may be a bug in the ATM software which triggers from a buffer overflow judging the transaction was incomplete. Then the cards the kids got were just dumb luck. But, the chances of this are very slim since the readers usually transmit the numbers, not the pulses to the main system.

    Of course, the bank would have probably thought the cash delivery guy was to blame if no extra transactions were showing up, but there was money regularly missing. Either he was pocketing it, or he was installing it in a way where bills were sticking together.

    Now, on the other hand, if they look deeper, it's very likely they'll find some code in their system specifically responsible for making this happen. Then it's a matter of finding out who wrote it. It's extremely likely that someone was in fact tampering with the system internally. The kids either found out about it through leaked information or through luck.

    As a former programmer at a banking warehouse (when I was young and couldn't get a real job), I found that if you were the guy working on something like ATMs and you needed some way to test code, it was much easier to use an old $1 prepaid phone card than it was to go through the bureaucracy involved with battling with the overpaid secretary who was responsible for issuing cards to get a test card. So, just swipe the prepaid card, link it to your test code and there you go. Now the programmer can test repeating the last transaction by using the calling card he used for calling his mom from college.

    It might not have been intentional. It might be that there's a programmer somewhere living in a palace. Either way, it's almost certainly in the code.

    P.S. - I even know banking programmers these days... I've seen at least one of them leave his car door unlocked with his wallet on their dashboard while going into the gas station to take a leak and buy a hot dog in a city. If that's how he treats his own money... do you really think he cares if the bank he works for which deals with 50 types of electronic theft a week loses a few bucks from an ATM?

    1. Anonymous Coward

      Ah! The good old days.

      Back in the '90s, I worked for a university as system and network admin. It was my job, being the junior admin, to set up the registration center for every semester's new student registration. We had 5 payment lines, each with a terminal, card reader and card writer (for student IDs). After registration one evening, just for kicks, I read all of my cards (bank, gas, id, visa, mc, etc) into a text file, then wrote them back onto a different card. I then proceeded to the gas station and paid at the pump with my student id (which has my gas card info written onto it). Worked like a champ...and if it hadn't, I'd have had to pay cash inside...

  6. Anonymous Coward

    Not so unlikely after all.

    I remember as a kid finding out that daddy's car would lock fine with a key from a wildly different brand... but not open. That seems impossible, but nonetheless, that's how it was.

    The thing is that these systems are more tested positively than negatively. That is, every change you make you check that nothing breaks. But do you also test, at every change, that everything that shouldn't work, doesn't? Probably not.

    I've tinkered with state machines and such to *really* have input validation done correctly, including rejecting all invalid input next to accepting all valid input, and oftentimes getting every last corner case right took quite a bit of effort. And that was when I was out to get it right. Most programmers don't even try. "It compiles, ship it."

    Not entirely unrelatedly, I wouldn't be surprised if this was an unauthorised testing back door as surmised elsewhere in the comments, or something to that tune. If people start to circumvent bureaucracy then that undermines your security. So best not be too bureaucratic, eh.

    For the kids to have found out, well, that is probably sheer dumb luck. But it wouldn't be reality if there were no outlandish surprises.
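The point above about checking that everything that shouldn't work, doesn't, as an added example (not part of the original comment and not any ATM vendor's code): a strict parser for decoded magnetic-stripe Track 2 data, exercised by a table of constructed negative cases. The issuer prefix, the 12-19 digit PAN range and every card value are assumptions made for this sketch.

```python
import re

# Decoded Track 2 (ISO/IEC 7813): ;PAN=YYMM, service code, discretionary data, ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
KNOWN_PREFIXES = ("400000",)      # hypothetical issuer allowlist

def luhn_ok(pan: str) -> bool:
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def parse_track2(raw: str) -> dict:
    # Returns the parsed fields, or raises ValueError naming the failed check.
    if len(raw) > 39:             # 40-character track limit minus the LRC,
        raise ValueError("too long")   # assumed verified and stripped by the reader
    m = TRACK2.fullmatch(raw)     # fullmatch: no trailing or leading junk
    if m is None:
        raise ValueError("bad layout")
    pan, yy, mm, service, _disc = m.groups()
    if not 1 <= int(mm) <= 12:
        raise ValueError("bad expiry month")
    if not luhn_ok(pan):
        raise ValueError("bad check digit")
    if not pan.startswith(KNOWN_PREFIXES):
        raise ValueError("unknown issuer")
    return {"pan": pan, "expiry": yy + mm, "service_code": service}

VALID = ";4000000000000002=30121010000?"   # constructed test value
# Constructed negative cases: input -> the check expected to reject it.
NEGATIVE = {
    ";4000000000000002=3012101": "bad layout",            # no end sentinel
    ";4000000000000002=30121010000?;1=1?": "bad layout",  # trailing data
    ";4000000000000002=30131010000?": "bad expiry month",
    ";4000000000000003=30121010000?": "bad check digit",
    ";9999999999999995=30121010000?": "unknown issuer",   # well-formed, not ours
    ";" + "4" * 19 + "=3012101" + "0" * 20 + "?": "too long",
}

def wrongly_handled() -> list:
    """Inputs that were accepted, or rejected for a different reason."""
    failures = []
    for raw, expected in NEGATIVE.items():
        try:
            parse_track2(raw)
            outcome = "accepted"
        except ValueError as exc:
            outcome = str(exc)
        if outcome != expected:
            failures.append((raw, outcome))
    return failures
```

Running `wrongly_handled()` on every change is the negative half of the regression suite: an empty list means each malformed or foreign card was refused for the reason intended.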

  7. Hilmi Al-kindy

    Still think it is to do with old hardware in combination with dodgy software

    As stated in another post, magnetic bank cards are easy to copy. The game cards could be used as blanks, since they are easier and cheaper to obtain than actually purchasing blank magnetic cards (say from an RS catalog for example). You do not need to have a back door in the software to dupe old ATMs; good thing that most banks have learned and updated their software. Old ATMs assumed you had taken the money out of the machine if it detected the cash pocket was empty. If the bank was stupid enough, they would program the ATM to deposit the money back into the account if it was not collected. A smart thief would replace the money with a piece of paper to dupe the optical sensor into thinking the money was not collected. The cash pocket closes and the software deposits the money back into the account. This in combination with a copy of a stolen card along with a valid pin code and bob's your uncle. Nowadays, most banks are smart enough to retire stupidly old ATM machines and they also change the software so that the money is not redeposited in the bank account unless somebody physically checks it first. Most banks also install hidden cameras on ATM machines to photograph every person who performs a transaction (so it is best not to pick your nose while using the machine), along with the usual obvious cameras set up somewhere visible as a deterrent.

    If your bank is not willing to invest in new hardware, you really should not trust it. So many things can go wrong with ancient hardware. As you can see, all you need is bad security procedures, not necessarily a hidden back door.

    Recently a Chinese gang was caught here in Oman with very sophisticated equipment; they had thin keypads that were overlaid on top of the ATM keypads. These were so thin as to be hard to notice; they also installed ultra thin magnetic strip readers on the card entry slot of the machine. Every customer to come to the ATM would have his card copied and his pin code stored! The gang was caught by chance when a bank employee was out for a spin at night and saw them installing the kit. Now all ATM machines have been modified so as to make it impossible to fit a card reader on the lip of the card slot.

    Of course, the most brilliant one of them all used a bulldozer to rip the ATM from the building. They caught him the next day when he tried to hire somebody to cut the safe open (you would have thought that with access to a bulldozer he would have had some suitable heavy duty cutting equipment)!
