Triton issues dramatic ATM security warning

Triton has issued a dramatic security alert to its customers after an ethical hacker figured out a way to get Triton ATMs to dispense all of their vault cash.

Triton’s notification includes a photo of a pistol that asks the question, “Are you playing Russian Roulette with your ATM?” The warning then goes on to say, “With thieves getting more creative about finding ways to get at other people’s money, ATM owners must be vigilant in keeping up to date with all of the available methods to protect against fraud attempts.”

The notification then uses seven bullet points — literal images of bullets — to further get customers’ attention. Three of the bullet points ask if customers have installed all recommended security patches, changed all default passwords and installed high-security locks on all of their ATMs.

Triton issued the warning after Barnaby Jack, director of security at IOActive Inc., a Seattle-based security firm, demonstrated during the Black Hat conference in Las Vegas how he forced three ATMs, including one made by Triton, to dispense all of the funds stored in their safes. In the case of Triton, Jack inserted a disk that took control of the computer that operated the machine.

Triton's security warning

After Jack’s demonstration, Mike Lee, CEO of the ATMIA, said, "This type of research conducted by professionals like Jack should be leveraged by our industry to improve ATMs. Even though we have produced a whole set of ATM guidelines, we are always looking to raise awareness to continuously improve security of the ATM channel in a global environment that is faced with an evolving risk of fraud.”

Jack purchased the ATMs online. After his effective demonstration, Triton and Hantle, formerly Tranax Technologies Inc., issued security warnings concerning “Jackpotting ATMs,” which occurs when a hacker gets an ATM to dispense all of its vault cash. 

Triton’s security warning applied to any ATM with the X2 platform purchased before Nov. 15, 2009 and any Triton with the X Scale platform, which is no longer in production. The security alert also applied to the Hantle 1700W, Hantle C4000 and Hantle 4000T.


Triton, which is based in Long Beach, Miss., last fall released a software update for ATM models built on the X2 platform. “The update employs digital signatures to prevent loading of unauthorized software onto Triton’s ATMs,” executives of the manufacturer said. Bob Douglas, Triton’s vice president of engineering and product development, said Jack purchased the ATMs on the Internet, and Triton’s security patch was not installed.

Although Triton’s initial warning was strong, its latest one is far more forceful.
“I wanted to get their [customers’] attention,” said Douglas, who came up with the idea. “If customers support the security system as a whole, the network is more secure.” But clients often ignore some parts, he said.

He explained that MACing (Message Authentication Code), the second bullet point, has received very little reaction from industry officials. MACing prevents the hijacking of transactions between the host and the ATM, he said. “We sent out a bulletin in April 2009 about MACing and got very little response,” Douglas said.
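The following is an added illustration of what MACing a host-to-ATM transaction buys the ATM owner; it is not Triton’s protocol, whose MAC scheme the article does not describe. It assumes HMAC-SHA256 with a pre-shared key and a per-transaction sequence number, and the message fields are constructed for the example.

```python
import hashlib
import hmac

# Pre-shared key between the host and the ATM (constructed for this example only).
SHARED_KEY = b"example-host-atm-key-do-not-reuse"


def mac_message(key: bytes, fields: dict) -> str:
    """Compute an HMAC-SHA256 over a canonical serialisation of the message fields.

    Sorting the keys makes the serialisation deterministic on both sides, so the
    ATM recomputes exactly the bytes the host authenticated.
    """
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_host_response(key: bytes, seq: int, amount_cents: int, approved: bool) -> dict:
    """Host side: authorise (or decline) a withdrawal and attach the MAC."""
    msg = {"seq": seq, "amount_cents": amount_cents, "approved": int(approved)}
    msg["mac"] = mac_message(key, msg)
    return msg


def atm_verify(key: bytes, msg: dict, expected_seq: int) -> bool:
    """ATM side: accept the response only if the MAC matches and it is not a replay.

    Returns False for a message with no MAC, an altered field (e.g. the amount),
    a MAC computed under a different key, or a stale sequence number.
    """
    received = msg.get("mac", "")
    fields = {k: v for k, v in msg.items() if k != "mac"}
    if fields.get("seq") != expected_seq:
        return False  # replayed or out-of-order response
    expected = mac_message(key, fields)
    # Constant-time comparison so a forger cannot time the byte-by-byte check.
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    genuine = build_host_response(SHARED_KEY, seq=7, amount_cents=2000, approved=True)
    print("genuine accepted:", atm_verify(SHARED_KEY, genuine, expected_seq=7))
    tampered = dict(genuine, amount_cents=999900)
    print("tampered rejected:", not atm_verify(SHARED_KEY, tampered, expected_seq=7))
```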

Reader Comments
  • Timothy Hoyle
    about 18 months ago
    While I appreciate the information and presentation prepared by Mr. Jack, it mirrors what IT security folks have said for years. A couple of points come to mind:

    1. How did he get access to a network?
    2. Where did the money come from - wasn't this just a demo? Yes - if he was doing this with a real ATM in a real environment, it would be real money but I am pretty certain he would not be able to walk in to the location, plug in a disk, flash drive, etc and just start taking money out of the ATM. I am sure there are scenarios where the demo might be viable but off the top of my head, I cannot think of any.
    3. As with computer systems, which ATMs are now these days, you must secure access to them. In the case of ATMs, that means don't let just anyone open your ATMs, and certainly change the locks on the entrances to the computer driving the ATM to ensure the standard lock won't let you in.
    4. ATM techs may keep extra "hood" keys to get into an ATM but wouldn't someone notice? Also, if the tech was there to work on the ATM - why would they be unloading cash and then leaving? There has to be some common sense in operating ATMs.

    Any computer system can be compromised if unauthorized persons are allowed to access the interior or the computer operating system itself. Let's not forget - ATMs are computers with specialized peripherals. If Mr. Jack can do this in a live site, I will be much more concerned. The fact that he had access to the software, had unlimited time to develop software to do the demo and was not constrained by being arrested for theft doesn't say to me that in the real world this is as big a problem as noted. Do we need to secure our systems - NO DOUBT. Was this demo a reflection of the real world - I don't believe so. There are many ways to prevent Mr. Jack from ever doing this - too numerous to mention here - but simple computer security and access security would always stop him from doing what he did.
  • Thomas McFrederick
    about 18 months ago
    This seems pretty standard though. I suppose if I purchased an ATM online...set it up in a public place and then walked away this demo would be of great concern to me. I just don't think this happens often though.

    Like the first comment says, there are too many reasons involved and missing facts: location security, ATM security and network protocol that can be mentioned here. Now, demonstrate 'jackpotting' in a live atmosphere via remote unauthorized access and you'll really have my undivided attention.
  • Jason Trapp
    about 18 months ago
    Not sure you understand what Jack was able to accomplish. This is a serious issue; basically he can make any ATM at a live site spit out cash. Watch the video from Black Hat. The people at IOActive are willing to help organizations fix the issues, from my understanding; however, we all know that comes with a price.