Mon 9 Feb 2009
Last night I put out a post on Twitter informing that the Shmoocon ATM had been compromised, and everyone who had used it should cancel & reissue their cards. This of course got retweeted a bunch, and then FINALLY some security people started commenting that we should have some evidence before they take action.
So some may have seen the ATMs in the hotel were “tagged” with this prank and thought that THIS was the compromise I was referring to.
This was funny, and I have a pretty good idea who put it there. (and really if it was “them” I would think twice of touching that ATM anyways) But it was not a compromise.
@surbo and I were running late to the airport, and the taxi driver wouldn’t take a card. Having spent all our cash the night before, we ran over to the ATM located in the main hallway of the Marriott (across from the hotel convenience store) and I tried the ATM. It was acting very odd: it was taking about 5 minutes to change screens, and it was NOT TAKING MY PIN on my card, and occasionally told me that it could not read the card. I got a very bad feeling, but I was in a hurry, so I tried another card. Same story — acting weird, not taking my PIN. I asked Surbo to give it a go, and this time it took his PIN, but it was still acting weird.
Surbo then did something that made us both say “F&^K”. He pulled the facepanel down off the ATM, exposing the internal computer and authentication “dialer”; someone had either picked or left the panel unlocked (the safe panel ($$$$) remained locked). The electronics that control the authorization of funds were easily accessed. You can imagine how a person of “low moral standards” could have benefited from this situation.
Right about the time that Surbo pulled the front panel down, Mouse came strolling by and said “Boys! What are you doing!?” It didn’t look good, and since we had already had some run-ins with hotel police we immediately put it back and made sure it was reported. We didn’t take any pictures because we didn’t want to be any more involved than we already were. I am sure you can understand that although we pull some harmless pranks here or there, ATM fraud is not up our alley.

So, do I have evidence that if you used that ATM your card numbers & PIN were exposed and/or recorded? No; in fact I did not see any suspicious-looking equipment inside that would indicate that it had. However, the security of the ATM was compromised and the potential was definitely there. Don’t risk it: if you used this ATM, please call your bank and get your card reissued.
Update: I have now learned that the ATMs were using the default admin password. (crap see comments below)
11 Responses to “A little about the Shmoocon ATM”

February 9th, 2009 at 11:23 am
I-Ball was able to put this ATM into admin mode too, and play around with the settings. Same with the other ATM in the hotel. Both were using the default passwords and both were extremely laggy in a way that I’ve never seen an ATM act before.
Glad you liked my sticker.
February 9th, 2009 at 12:15 pm
rbcp, you and your crew have a reputation of pushing the boundaries of what would be considered responsible or mature or even common sense. Didn’t we discuss this in the third floor elevator area Saturday night? Let’s look back to phreaknic a few years ago when you and murdoc conned the hotel telco provider into forwarding all of the hotel’s calls to your cell phone(s). You yourself admitted that you two took credit card numbers from the people calling in, although you claim that you didn’t do anything with them.
For someone that has kids to support, you don’t seem to exercise good judgement. While the PN telephone jack was clever, and truth be told, very inventive, when you took CC info, you crossed a boundary that could put you and your cohorts in jail.
Time will tell if you wise up, or become someone’s prison bitch. You seem to be an intelligent guy, but you need to channel that power into something constructive and leave the pranks to the minors who won’t end up doing hard time.
February 9th, 2009 at 12:43 pm
A few things. I can’t get to your site to see the comments but I can get to it via RSS so here are my thoughts from what I know:
1) The PIN PAD is encrypted ON THE KEYPAD before it goes to the ATM.
2) The upper panel with the electronics is usually pretty insecure. See my “Inside an ATM” article on HiR. The reason I had an ATM to play with is that its keypad could not be updated to an encrypted model (see #1 above) and this couldn’t be activated. It was useless.
3) Assuming the attacker can access the administrative part of the ATM, he/she might be able to tell it to dial another number.
4) I don’t know what the protocol is, or what data (aside from PIN) is encrypted on the line that would make #3 exploitable. I have only dealt with ATM HARDWARE.
February 9th, 2009 at 12:45 pm
haha copy/paste fail. I obviously got access to your site.
February 9th, 2009 at 12:48 pm
Hard to believe anyone with even a passing knowledge of the security issues revolving around standalone ATM kiosks would trust one. The inconvenience of possibly having cash unavailable at all followed by canceling and getting cards reissued is generally greater than the convenience of immediate access. Better to carry backup cash about yourself for short-of-cash situations.
February 10th, 2009 at 1:40 am
skydog - what did I do wrong here? I put a funny sticker on an ATM machine. Is this illegal? I’m not the one who put the ATM into admin mode; that was I-ball. And he just did it to see if he could. He didn’t magically reprogram it and steal everyone’s money. Why are you being all pissy with me for no reason? Why not yell at hevnsnt for opening the thing?
February 10th, 2009 at 8:51 am
[...] As I’ve said before, don’t use ATMs at Hacker Conventions. [...]
February 10th, 2009 at 10:59 am
RBCP and Skydog you guys need your own show for real - lol good stuff!
For the record I was just waiting for my cash and I thought to myself “I hope this thing has not been hacked” as I tugged a little on the top of the machine. The case fell forward and I could see the network ports and the card reader and a bunch of stuff that hackers would love to play with. My cash still came out but I quickly thought to myself - well, time to cancel my credit card. =)
February 10th, 2009 at 1:33 pm
Was there a CD-ROM drive in there? On the admin screen, there was an option to update the graphics on the machine via CD.
February 10th, 2009 at 2:47 pm
I recall a Defcon where the graphics got “updated” on the ATM machine. I didn’t see a CDROM inside — but I didn’t get a lot of time to look in there before Mouse came around.
February 11th, 2009 at 9:57 am
[...] Hevnsnt and Surbo later discovered that the entire cover of the ATM could be opened up, which they wrote about here. And where you can see a picture of our sticker, available for download from [...]