When a small-time Tennessee restaurateur named Khaled Abdel Fattah was running short of cash he went to an ATM machine. Actually, according to federal prosecutors, he went to a lot of them. Over 18 months, he visited a slew of small kiosk ATMs around Nashville and withdrew a total of more than $400,000 in 20-dollar bills. The only problem: It wasn’t his money.
Now Fattah and an associate named Chris Folad are facing 30 counts of computer fraud and conspiracy, after a Secret Service investigation uncovered evidence that the men had essentially robbed the cash machines using nothing more than the keypad. Using a special button sequence and some insider knowledge, they allegedly reconfigured the ATMs to believe they were dispensing one dollar bills, instead of the twenties actually loaded into the cash trays, according to a federal indictment issued in the case late last month. A withdrawal of $20 thus caused the machine to spit out $400 in cash, for a profit of a $380.
The first $20 came out of one of their own bank accounts. That’s right: They were using their own ATM cards.
“They were little kiosk ATMs, like you would find in a business or a convenience store,” says Greg Mays, assistant special agent in charge of the US Secret Service’s Nashville office. “I believe the businesses noticed there was a problem when the machine was running out of money.”
As charged, the caper is an unusually successful example of a low-tech ATM hack that’s been used for minor pilfering in the past, and a reminder of the security weaknesses that have troubled kiosk ATMs. Vulnerabilities in the most popular machines made by Tranax Technologies and Trident were showcased in a now-legendary “ATM jackpotting” demonstration delivered by security researcher Barnaby Jack at the Black Hat conference in 2010. Jack (who died last year) showed that the Tranax machines could be hacked into and reprogrammed remotely over dial-up, and the Trident ATMs could be physically opened and then reprogrammed through a USB port. The companies responded to Jacks’ research by closing those holes.
But at the street level, criminals have exploited a simpler vulnerability that requires no hacking software or gear: Unlike the machines deployed at brick-and-mortar bank locations, kiosk ATMs could be placed into a privileged “operator mode” simply by pressing a special sequence of buttons on the ATM keypad.
From that mode, you could manipulate a number of variables—one of which sets the denomination of the bills loaded into the machine’s currency cartridges.
A supposedly secret six-digit numeric password protects the Operator Mode, but in the Nashville case, one of the defendants, Fattah, was a former employee of the company that operated the machines, says the Secret Service’s Mays, so he knew the code.
Fattah allegedly recruited his friend Folad into the scheme, and in January 2009 they began visiting the cash machines. First they’d use the code to change the denomination register on the machine, then they’d make their withdrawals, and finally change the configuration back. Repeating the scam all over town, by March 2010 they’d pulled down $400,000 between them—money the government is now hoping to seize.
Contacted by WIRED, Folad referred inquiries to his attorney. “Unfortunately, I am not in a position to discuss anything at the moment,” Folad said in an e-mail. His lawyer also declined to comment. Fattah, who now owns a well-reviewed restaurant in Nashville, didn’t return phone calls about the October 22 indictment.
The government says the men made a few mistakes in the thefts, including being captured on surveillance video while making withdrawals, and, of course, using debit cards issued under their real names.
The amount of money taken in Nashville—$400,000—is unusually high, but plenty of other thieves have pulled the same currency-switching scam with more modest returns, and without Fattah’s inside knowledge. Most don’t make the mistake of using their own debit cards, opting instead to buy a prepaid debit card, the kind anyone can pick up at a Walgreens.
Around 2005, crooks discovered that the default factory-set master passcodes for the Tranax and Trident ATMs were printed right in the service manuals, which were readily available online. Triton’s master passcode was “123456.”
The manuals urged machine owners to immediately change the passcodes from the defaults, but many of the small business owners who favor the inexpensive, pedestal-sized machines never made the change. That led to an uncommon phenomenon in the world of cyber crime: hacking as a street crime. After spreading quietly for at least 18 months, the scheme went viral in 2006 when a man was caught on a surveillance tape looting an ATM at a Virginia gas station. CNN ran the video, and the truth of the default passcodes surfaced.
Both Tranax and Triton promptly tweaked the programming for new ATMs to force operators to change the default passcodes on first use. Machines already deployed, though, were still vulnerable, and reports of more incidents followed. In 2007, a Derry, Pennsylvania, convenience store called Mastrorocco’s Market was hit for $1,540 by an unidentified man in flip flops and shorts. In 2008, two 21-year-old men hit Lobo’s City Mex in Lincoln, Nebraska, for $1,400 in three separate visits–on the fourth, the son of the store owner pulled a gun on them and called the police. In 2010, a North Carolina grocery worker plotted to hit 30 different ATMs while wearing a wig, but his plan was thwarted when an associate turned him in to the FBI. He was sentenced to 37 months.
Currency switching capers appear to be rare now, says David Tente, executive director of the ATM Industry Association, though hard data is difficult to come by. “Nobody likes talking about fraud, especially when it’s against them,” Tente says. “Independent operators and financial institutions are very tight lipped about this sort of thing.”
But there’s some evidence that operator passcodes are still an issue, he notes. Last June, two 14-year-old boys in Winnipeg followed internet instructions to gain operator access to a Bank of Montreal ATM at a grocery store, successfully guessing the six digit master passcode. The boys immediately notified the bank, which changed the code.
Who knows how many ATM hackers have been less scrupulous?
No comments:
Post a Comment