Comments on: A little about the Shmoocon ATM

By: Brad Carter’s Homepage » ShmooCon 2009

Brad Carter’s Homepage » ShmooCon 2009 — Wed, 11 Feb 2009 15:57:58 +0000

[...] Hevnsnt and Surbo later discovered that the entire cover of the ATM could be opened up, which they wrote about here. And where you can see a picture of our sticker, available for download from [...]

By: hevnsnt

hevnsnt — Tue, 10 Feb 2009 20:47:58 +0000

I recall a Defcon where the graphics got “updated” on the ATM machine. I didnt see a CDROM inside — But I didnt get a lot of time to look in there before Mouse came around

By: rbcp

rbcp — Tue, 10 Feb 2009 19:33:28 +0000

Was there a CD-ROM drive in there? On the admin screen, there was an option to update the graphics on the machine via CD.

By: surbo

surbo — Tue, 10 Feb 2009 16:59:39 +0000

RBCP and Skydog you guys need your own show for real – lol good stuff!
For the record I was just waiting for my cash and I thought to myself “I hope this thing has not been hacked” as I tugged a little on the top of the machine. The case fell forward and I could see the network ports and the card reader and bunch of stuff that hackers would love to play with. My cash still came out but I quickly thought to myself – well time to cancel my credit card. =)

By: Liquidmatrix Security Digest » Shmoocon 2009 In Review

Liquidmatrix Security Digest » Shmoocon 2009 In Review — Tue, 10 Feb 2009 14:51:18 +0000

[...] As I’ve said before, don’t use ATMs at Hacker Conventions. [...]

By: rbcp

rbcp — Tue, 10 Feb 2009 07:40:16 +0000

skydog – what did I do wrong here? I put a funny sticker on an ATM machine. Is this illegal? I’m not the one who put the ATM into admin mode; that was I-ball. And he just did it to see if he could. He didn’t magically reprogram it and steal everyone’s money. Why are you being all pissy with me for no reason? Why not yell at hevnsnt for opening the thing?

By: danphilpott

danphilpott — Mon, 09 Feb 2009 18:48:21 +0000

Hard to believe anyone with even a passing knowledge of the security issues revolving around standalone ATM kiosks would trust one. The inconvenience of possibly having cash unavailable at all followed by canceling and getting cards reissued is generally greater than the convenience of immediate access. Better to carry backup cash about yourself for short-of-cash situations.

By: ax0n

ax0n — Mon, 09 Feb 2009 18:45:30 +0000

haha copy/paste fail. I obviously got access to your site.

By: ax0n

ax0n — Mon, 09 Feb 2009 18:43:49 +0000

A few things. I can’t get to your site to see the comments but I can get to it via RSS so here are my thoughts from what I know:

1) The PIN PAD is encrypted ON THE KEYPAD before it goes to the ATM.

2) The upper panel with the electronics is usually pretty insecure. See my “Inside an ATM” article on HiR. The reason I had an ATM to play with is that its keypad could not be updated to an encrypted model (see #1 above) and this couldn’t be activated. It was useless.

3) Assuming the attacker can access the administrative part of the ATM, he/she might be able to tell it to dial another number.

4) I don’t know what the protocol is, or what data (aside from PIN) is encrypted on the line that would make #3 exploitable. I have only dealt with ATM HARDWARE.

By: skydog

skydog — Mon, 09 Feb 2009 18:15:21 +0000

rbcp, you and your crew have a reputation of pushing the boundaries of what would be considered responsible or mature or even common sense. Didn’t we discuss this in the third floor elevator area Saturday night? Let’s look back to phreaknic a few years ago when you and murdoc conned the hotel telco provider into forwarding all of the hotel’s calls to your cell phone(s). You yourself admitted that you two took credit card numbers from the people calling in, although you claim that you didn’t do anything with them.

For someone that has kids to support, you don’t seem to exercise good judgement. While the PN telephone jack was clever, and truth be told, very inventive, when you took CC info, you crossed a boundary that could put you and your cohorts in jail.

Time will tell if you wise up, or become someone’s prison bitch. You seem to be an intelligent guy, but you need to channel that power into something constructive and leave the pranks to the minors who won’t end up doing hard time.