A couple of crafty 14-year-old kids from Winnipeg figured out how to get past the security on a Bank of Montreal ATM. Crazy as it might sound, the 'hack' didn't require any advanced computer hacking at all—these kids just looked up the ATM manual on the internet.
The Edmonton Journal reports that Matthew Hewlett and Caleb Turon went online to look up the operator's manual for the BMO ATM sitting at their local grocery store, and were able to switch the cash machine over to administrator mode by simply entering one of the default system passwords.
Luckily for the bank, the teens weren't trying to rob the ATM or install malicious card skimming software. Instead they reported the compromised ATM to employees at a local BMO branch. The extent of the damage they did was changing the ATM's welcome screen to read 'Go away. This ATM has been hacked.' According to the Edmonton Journal, Hewlett and Turon cooperated with the bank, but BMO hasn't responded more broadly to inquiries about security.
The conclusion of this story makes it more amusing than terrifying, but it could have easily ended in lots of people getting ripped off. This kind of passcode idiocy persists not just in ATMs but for security systems of all kinds. If you're using a default password anywhere, you're basically asking for a rough time down the line. [Edmonton Journal]
Thieves are sneaking malware dubbed Tyupkin into ATMs to force them to cough millions of dollars, we're told.
The crims don't need to use stolen or cloned cards. Instead, fraudsters infect the ATM's on-board PC, and later type a special combination of digits on the PIN keypad to drain the machine of banknotes – that's according to researchers at Kaspersky Lab.
Scams of this type were first recorded in Mexico, but they have since expanded in scope across the world – though mainly in Asia and Russia. Kaspersky Lab is calling on banks to double-check the physical security of their money machines to stamp out the thefts.
Experts at the Russian security firm were hired by a financial institution to investigate the disappearance of cash from its ATMs around the world. During this probe, the researchers discovered a piece of malware installed on the machines that allowed criminals to loot the devices. Some 50 infected ATMs were found in eastern Europe. Policing agency Interpol is now involved.
A video showing this attack, which has apparently netted 'millions of dollars', is embedded below.
First, the crims must gain physical access to the inside of the 32-bit Windows-powered ATM, and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected cash machine is under their control.
![Hack Hack](http://securityaffairs.co/wordpress/wp-content/uploads/2014/10/Tyupkin-malware-2.jpg)
The malware runs unseen in the background while awaiting instructions. Tyupkin only accepts commands at specific times on Sunday and Monday nights.
When a command to wake up the malware is typed at the keypad, a random number is shown. To proceed, the thief must type into the keypad a valid key value derived from the random number.
If the thief doesn't know how to calculate the unlock key from the random seed, he or she can phone a crime boss who knows the algorithm and does the maths: this ensures the boss's money-collecting mules are unable to carry out the scam alone – they need help in converting the random numbers into unlock keys.
When the required key is entered correctly, the ATM displays how much money is available in each cash cassette, inviting the crim to choose which cassette to rob. After this is selected, the ATM dispenses 40 banknotes at a time from the chosen cassette.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab’s global research and analysis team.
“Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly.
“This is done by infecting ATMs themselves or launching direct Advanced Persistent Threat (APT)-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”
Banks need to review the physical security of their ATMs and network infrastructure, Diaz recommends – the malware disables its local network when dishing out dosh to thieves, which should be a telltale sign something is up.
Banks should replace all locks and master keys on the upper hood of their ATM machines and ditch the default settings provided by the manufacturer, it's suggested. The use of security alarms can also help.
The masterminds behind Tyupkin only infected ATMs that had no security alarms. Changing the default BIOS access and boot passwords, and ensuring cash machines have up-to-date antivirus protection, are other sensible precautions.
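One way a monitoring team could act on the telltale sign mentioned above, as an added example that is not from the article or from Kaspersky Lab: flag any cash dispense that happens while the ATM's network link is down or without a preceding card authorisation. The log format, event names and ATM ids are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events: "timestamp atm_id EVENT [detail]". The format and
# event names are assumptions for this example, not a real ATM log schema.
SAMPLE_LOG = """\
2014-10-05T14:02:11 ATM-017 CARD_AUTH ok
2014-10-05T14:02:30 ATM-017 DISPENSE notes=5
2014-10-05T23:40:02 ATM-017 LINK_DOWN
2014-10-05T23:40:09 ATM-017 DISPENSE notes=40
2014-10-05T23:40:21 ATM-017 DISPENSE notes=40
2014-10-05T23:41:00 ATM-017 LINK_UP
2014-10-06T09:15:44 ATM-022 LINK_DOWN
2014-10-06T09:17:10 ATM-022 LINK_UP
2014-10-06T09:20:03 ATM-022 CARD_AUTH ok
2014-10-06T09:20:19 ATM-022 DISPENSE notes=3
"""

def suspicious_dispenses(log_text):
    """Flag dispenses made while the link is down or with no card authorisation."""
    link_down, card_ok, alerts = {}, {}, []
    for line in log_text.splitlines():   # events are assumed to be in time order
        if not line.strip():
            continue
        ts, atm, event, *detail = line.split()
        if event == "LINK_DOWN":
            link_down[atm] = True
        elif event == "LINK_UP":
            link_down[atm] = False
        elif event == "CARD_AUTH":
            card_ok[atm] = detail == ["ok"]
        elif event == "DISPENSE":
            reasons = []
            if link_down.get(atm):
                reasons.append("link_down")
            if not card_ok.pop(atm, False):   # one authorisation covers one dispense
                reasons.append("no_card_auth")
            if reasons:
                notes = int(detail[0].split("=", 1)[1])
                alerts.append((atm, datetime.fromisoformat(ts), notes, reasons))
    return alerts

def notes_by_atm(alerts):
    """Total flagged banknotes per ATM, to prioritise which machine to inspect."""
    totals = {}
    for atm, _ts, notes, _reasons in alerts:
        totals[atm] = totals.get(atm, 0) + notes
    return totals

if __name__ == "__main__":
    for atm, ts, notes, reasons in suspicious_dispenses(SAMPLE_LOG):
        print(f"ALERT {atm} {ts} notes={notes} reasons={','.join(reasons)}")
```

An ordinary outage followed by a normal card withdrawal (ATM-022 in the sample) raises no alert; only the dispenses inside the link-down window do.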
Kaspersky Lab and cops hope highlighting the threat will encourage banks to take action against the fraudsters.
Sanjay Virmani, director of Interpol's digital crime centre, explained: “Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi.” ®