Two researchers speaking at the Chaos Communication Congress in Hamburg, Germany have revealed an elaborate caper carried out by a gang of hackers that saw ATMs emptied of their cash in an undisclosed European country.
At some point in 2013, the hackers came up with an elaborate scheme that gave them complete control of ATMs belonging to an unnamed bank in Europe. The plan involved cutting a hole in the machine's housing to reach a USB port and then inserting a thumb drive loaded with malware. After entering a 12-digit code, a custom user interface would pop up that gave them control of the machine. Among the tools at their disposal was a readout of exactly how much cash the ATM's safe held, broken down by denomination, along with controls to dispense specific amounts of each bank note.
When the thieves were done, they would remove the drive and cover up the hole, and the machine would return to normal operation.
The plot was uncovered in July, when the bank noticed that its ATM safes were empty. Additional surveillance was set up around the machines in question, which finally revealed what was happening. The thieves had kept returning to the same machines, since doing so spared them from having to cut new holes.
Proving that there is no honor among criminals, analysis of the infected files after they were discovered showed that no one could pull this job off alone. Once the drive was inserted into the port, a series of numbers would be displayed on the screen. The operator then had to call another member of the gang to be told the correct numeric response to those numbers before the interface would activate. Apparently there was a fear that someone in the group would take the drive assigned to them and go rogue.
The two researchers, both of whom declined to be named, said that the hack showed the criminals had “profound knowledge” of the target ATMs. And while there was a lot of security on the hackers' side, including the fact that the malware was extremely hard to deconstruct, the same care did not extend to the file names. The main file involved in the hack was revealed to be named “hack.bat.”
We’re all left to wonder whether all of the affected ATMs have been repaired by now, but we’re sure there are developers working on far more extensive security software at this point.