ATM Hacking and Cracking to Steal Money with ATM Backdoor Default Master Password

You probably know what an Automated Teller Machine (also called an Automatic Teller Machine or cash machine, and commonly known as an ATM) is. An ATM is used to access a bank account in order to make cash withdrawals or credit card cash advances: after you key in your PIN, the machine dispenses cash notes to you. You should also know that when you withdraw, say, 100 dollars, the ATM should dispense five 20-dollar notes. But what if the ATM instead dispenses twenty 20-dollar bills? That happens not because the cassettes were stocked with the wrong denomination, but because somebody reprogrammed the machine, which is possible on any ATM whose backdoor has been left open by never changing the factory-default administrative passwords and the default combination for the safe.

So what do you have to do to hack the ATM so that the cash machine gives you more money than it is supposed to? Unlike common ATM trickery or fraud scams that use various high-tech skimming devices to capture your card data and PIN, this attack works through the machine's own operator menu. First, identify the ATM maker and model, for example from the news video about the ATM reprogramming scam at a gas station on Lynnhaven Parkway in Virginia Beach.

Unable to identify which model of ATM it is? Matasano has revealed the brand and model of that ATM to be the Tranax Mini Bank 1500 series, so this type of cash machine is one that can be hacked this way. 27B Stroke 6 reported that Triton's ATM manuals also contain the factory-default passcode and the backdoor key sequence, although no successful fraud has been reported on Triton machines. Matasano also details the steps needed to hack into the ATM for reprogramming. The first is to get hold of a copy of the Tranax Mini Bank 1500 Series (MB1500) operator manual or installation manual, which contains a lot of security-sensitive information, including:

  • Instructions on how to enter the diagnostic mode or operator function menu.
  • Default master, service and operator passwords.
  • Default combinations for the safe.

The manual that was found on the web, Tranax_MB_Operator_Manual.pdf, has since been taken down; however, Google's cache may still have it. From the Tranax Mini-Bank 1500 operator manual you can also learn how to set the denomination (the value of the notes, i.e. $1, $5, $10, $20, $50 or $100) that each of the ATM's cassettes is configured to dispense. That is all you need to trick the ATM into treating the $20 bills it dispenses as $5 or $1 bills, which could earn a hefty profit. The only thing left, if you are trying your luck, is to find an ATM whose factory-default passcodes and passwords have never been changed. According to eWeek, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks across the US, and the majority of those are the flagship Mini-Bank 1500, the machine that was rigged in the Virginia Beach heist.

The scammer in the Virginia Beach case successfully reprogrammed the Tranax MB1500 ATM to act as if it had $5 bills in its dispensing cassette instead of $20 bills, then withdrew cash using a prepaid debit card at a 300% profit (four dollars dispensed for every dollar debited). However, he did not reprogram the ATM back to the correct denomination, and the machine was left misprogrammed for the next nine days before somebody reported the misconfiguration, which revealed the fraud.
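To make the arithmetic of the scam and the missing control concrete, here is a small Python model added to this article (it is not Tranax software and not code from the Matasano write-up; the function names, the cassette figures and the reconciliation rule are constructed for illustration). The dispenser counts out notes at the denomination it has been configured with, so a cassette configured as $5 but loaded with $20 notes pays out four times the debited amount. An end-of-day reconciliation that values the missing notes at the denomination recorded when the cassette was loaded, rather than at the terminal's own setting, flags the discrepancy on the first day instead of the ninth.

```python
"""Model of a cassette-denomination misconfiguration on an ATM and the
reconciliation check that catches it.  Added example: the figures, names
and the reconciliation rule are constructed for illustration and are not
taken from any vendor's ATM software."""


def notes_to_dispense(amount: int, configured_denom: int) -> int:
    """Notes the dispenser counts out for one withdrawal.

    The dispenser only knows the denomination the operator menu *told* it
    the cassette holds; it never looks at the paper.
    """
    if amount <= 0 or amount % configured_denom:
        raise ValueError("amount must be a positive multiple of the note value")
    return amount // configured_denom


def cash_paid_out(amount: int, configured_denom: int, loaded_denom: int) -> int:
    """Cash that physically leaves the machine for one withdrawal."""
    return notes_to_dispense(amount, configured_denom) * loaded_denom


def attacker_profit_pct(amount: int, configured_denom: int, loaded_denom: int) -> int:
    """Percentage gain over the amount actually debited from the card."""
    paid = cash_paid_out(amount, configured_denom, loaded_denom)
    return (paid - amount) * 100 // amount


def simulate_day(withdrawals, configured_denom, loaded_denom, loaded_notes):
    """Run a day's withdrawals; return (ledger_total, notes_left_in_cassette).

    The ledger records what the host debited (the requested amounts); the
    cassette count is what a technician finds when opening the safe.
    """
    ledger_total = 0
    notes_left = loaded_notes
    for amount in withdrawals:
        n = notes_to_dispense(amount, configured_denom)
        if n > notes_left:
            break  # cassette empty: the machine stops dispensing
        notes_left -= n
        ledger_total += amount
    return ledger_total, notes_left


def reconcile(loaded_notes, loaded_denom, notes_left, ledger_total):
    """End-of-day check.

    Values the notes that left the cassette at the denomination on the
    *replenishment record*, which is independent of the terminal's possibly
    tampered configuration.  Returns (ok, cash_removed).
    """
    cash_removed = (loaded_notes - notes_left) * loaded_denom
    return cash_removed == ledger_total, cash_removed


if __name__ == "__main__":
    # Constructed scenario: cassette loaded with 500 x $20 but configured as $5.
    ledger, left = simulate_day([100, 100, 100], configured_denom=5,
                                loaded_denom=20, loaded_notes=500)
    ok, removed = reconcile(500, 20, left, ledger)
    print(f"ledger says ${ledger} paid out, cassette is missing ${removed}, ok={ok}")
```

The point of `reconcile` is where the denomination comes from: if the check trusted the terminal's configured value, the tampered $5 setting would make the books balance and the fraud would stay hidden, exactly as it did for nine days.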

Disclaimer: This article is not an instruction.

NCR ATM API Documentation Available on Baidu
Posted by FSLabs @ 14:28 GMT

A recent ATM breach in Malaysia has caused havoc for several local banks. According to reports, approximately 3 million Malaysian Ringgit (almost 1 million USD) was stolen from 18 ATMs. There is no detailed information on how the attack was performed by the criminals, but according to one local news report, police said the criminals installed malware, and a file named "ulssm.exe" was found on the compromised ATMs. Based on the file name, the malware in question appears to be the one first discovered by Symantec and known as "PadPin". The basic technical information on this malware can be found here. We have no confirmation that PadPin is the same malware used in the Malaysian ATM hacks. But even so, we have discovered something interesting by doing our own analysis of PadPin's code.

We searched through our backend sample collection system and quickly located a few samples related to the aforementioned file name. Our automated sample analysis system did not determine the samples to be malicious because the sample will not work on a typical Windows computer; it requires a DLL library which appears to be available only on machines such as ATMs or self-service terminals running a Windows Embedded operating system. The DLL library implements the Extension for Financial Services (XFS) interface:

Image: the malware imports the Extension for Financial Services library (MSXFS.dll).

When we took a look at the code, we saw some unfamiliar API functions which are imported via MSXFS.dll, the XFS manager DLL, as shown in the image above. Unfortunately Microsoft does not provide official documentation for these APIs, which makes understanding the malware code more difficult. The questions piled up until we came across a part of the malware code in which the malware attempts to establish a communication channel with the ATM's PIN pad device via one of these APIs. Basically, its purpose is to listen for the keys entered on the PIN pad by the criminals in order to carry out the different tasks described in Symantec's write-up. In other words, the commands supported by the malware are limited to the keys available on the PIN pad. For instance, when the criminal enters "0" on the PIN pad, the malware starts dispensing money from the ATM. Analyzing the code, we started wondering how the malware author knew which PIN pad service name to pass to the API so that the program could interact with the PIN pad device. It is a valid question, because the PIN pad service name used in the code is quite specific and it is very unlikely that one could figure it out without documentation.

Therefore, we did some web searches for the API documentation using the API name and the PIN pad service name. And the result? We easily found the documentation on a dedicated ebooks website hosted on Baidu; it appears to be the NCR programmer's reference manual.

Image: WOSA/XFS Programmer's Reference Manual

After skimming through the documentation, we concluded that writing a program that interacts with the ATM becomes easy even for someone without any prior knowledge of how to write software that talks to these ATM devices. The documentation is helpful enough to give programmers some sample code as well. Coincidentally, we also found that the alleged malware targeting Malaysian banks' ATMs attempts to remove the "AptraDebug.lnk" shortcut file from the Windows startup folder as well as the "AptraDebug" launch-point registry key on the infected machine. Its purpose is presumably to disable the default ATM software running on the machine and replace it with the malware when the machine is rebooted. The file and registry key appear to refer to NCR APTRA XFS software, so it is safe to assume that the malware targets only machines running this self-service platform software.
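As an added example (not F-Secure's tooling and not code from this post), the Python script below automates the two observations above for sample triage: it parses a PE file's import table by hand, without a third-party library, and reports anything imported from MSXFS.dll, the reason the sample was inert in a sandbox on ordinary Windows; and it searches the file for the "AptraDebug" string the malware uses to locate the NCR APTRA launch points, in both ASCII and UTF-16. The sample PE it builds is constructed in memory for the demonstration and is not the ulssm.exe binary; the XFS function names it contains (WFSOpen, WFSExecute, WFSRegister) are standard CEN/XFS manager entry points, not names taken from the post.

```python
"""Triage helper for suspected ATM malware: parse a PE import table by hand
and look for the XFS manager DLL plus the APTRA launch-point string.
Added example, not F-Secure tooling; the sample PE below is constructed."""
import struct

XFS_DLLS = {"msxfs.dll"}           # CEN/XFS manager on Windows ATM platforms
IOC_STRINGS = ["AptraDebug"]       # launch point the malware removes


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def pe_imports(data: bytes) -> dict:
    """Return {dll_name_lowercase: [imported function names]} for a PE32/PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory 1 is the import table (offset 96 in PE32, 112 in PE32+).
    import_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsections):
        base = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, base + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    result = {}
    if import_rva == 0:
        return result
    desc = _rva_to_offset(import_rva, sections)
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:            # null descriptor terminates the table
            break
        funcs = []
        thunk = _rva_to_offset(oft or ft, sections)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"ordinal_{entry & 0xFFFF}")
            else:  # hint/name entry: WORD hint followed by the ASCII name
                funcs.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += thunk_len
        result[_cstring(data, _rva_to_offset(name_rva, sections)).lower()] = funcs
        desc += 20
    return result


def triage(data: bytes) -> dict:
    """Flag a sample that imports the XFS manager or carries the APTRA IOC string."""
    xfs = {d: f for d, f in pe_imports(data).items() if d in XFS_DLLS}
    iocs = [s for s in IOC_STRINGS
            if s.encode("ascii") in data or s.encode("utf-16-le") in data]
    return {"xfs_imports": xfs, "ioc_strings": iocs, "suspicious": bool(xfs or iocs)}


def build_sample_pe(xfs: bool = True) -> bytes:
    """Constructed minimal PE32 with one .idata section (demo input only)."""
    sec_rva, sec_raw = 0x1000, 0x200
    imports = {b"kernel32.dll": [b"CreateFileA"]}
    if xfs:
        imports[b"msxfs.dll"] = [b"WFSOpen", b"WFSExecute", b"WFSRegister"]
    body = bytearray(20 * (len(imports) + 1))      # descriptors, filled below
    descs = []
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(body)
        body += dll + b"\0"
        thunks = []
        for fn in funcs:
            body += b"\0" * (len(body) % 2)          # hint/name entries are WORD aligned
            thunks.append(sec_rva + len(body))
            body += b"\0\0" + fn + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunk_rva = sec_rva + len(body)
        body += b"".join(struct.pack("<I", t) for t in thunks) + b"\0\0\0\0"
        descs.append((thunk_rva, name_rva))
    for i, (thunk_rva, name_rva) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    if xfs:
        body += b"AptraDebug\0"
    body += b"\0" * (-len(body) % 0x200)
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, sec_rva, 20 * (len(imports) + 1))
    sec = opt + 224
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_rva, len(body), sec_raw)
    return bytes(hdr) + bytes(body)
```

Run `triage(open(path, "rb").read())` over a sample set; a binary that imports msxfs.dll is worth a manual look regardless of what a sandbox says, because the sandbox never had the XFS manager to load in the first place.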

In conclusion, it is possible this documentation was leaked and uploaded by somebody other than PadPin's authors. And we should not rule out that the malware could have been written by experienced programmers who are or were bank employees.

It is practically impossible to stop somebody from viewing or downloading the documentation once it is available on the Internet, but there are countermeasures banks can use to prevent such breaches from happening again. One of the most straightforward mitigations is to prevent the ATM from running files from USB or CD-ROM at all.

Post by — Wayne

Stolen Millions Expose Middle East Banks’ Vulnerability to Cyber Thieves

The men smiled at the smartphone camera, holding up wads of cash. They were members of a cybercriminal gang, eager to show off the spoils of targeting two banks in the Middle East: The National Bank of Ras al-Khaimah (Rakbank) in the United Arab Emirates, and the Bank of Muscat in Oman. In two different attacks, spanning just 10 hours, United States prosecutors said the gang of eight managed to steal US$45 million by hacking into a database of prepaid credit cards belonging to the banks, and then using fake swipe cards to withdraw money from ATMs in 27 countries.

Their gleeful spree would be cut short. Announcing the arrests of the gang members, the U.S. Attorney for the Eastern District of New York Loretta Lynch called it “a massive 21st-century bank heist,” adding, “In the place of guns and masks, this cyber crime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City.”

The arrests in the U.S. revealed the coordinated sophistication of the gang, and the ease with which they looted the banks. Experts say financial institutions in the Middle East are tempting targets for such heists, and they are partly to blame. They argue that institutions need better Internet security protocols, particularly when outsourcing information services, as regional companies regularly come under attack from politically motivated hackers as well.

“It’s a question of enforcement of regulatory controls, which are broken and sketchy in the Middle East, so obviously you’re going to have a higher number of cyber crimes in that particular context,” said Gurpreet Dhillon, professor of information technology at Virginia Commonwealth University. “There’s also an immaturity aspect with a lot of these organizations, in dealing with cyber crimes. There’s all sorts of capabilities that go into cybercrime management, and I believe many organizations are premature in that sense.”

Weak Links

The gang members were actually strangers who came together via Internet forums where illicit information is traded and people are recruited for cyber crimes. Jason Weinstein, a lawyer who once oversaw the U.S. Justice Department's computer crime unit, told Reuters, "It's sort of like Craigslist for cyber criminals."

The gang planted computer viruses inside the financial institutions' networks. Once they had gathered enough information, they produced fake ATM cards, coding the stolen data onto magnetic swipe strips. The cards were distributed to "cashers" whose sole role was to drain funds, and the money was passed on to mules who moved it either in cash bundles or by buying luxury items.

The gang stole US$5 million from RakBank on Dec. 21, and the remaining millions from the Bank of Muscat on Feb. 19. The weak links exploited by the gang were two card payment processing centers in India. The gang hacked them, raised the balance and withdrawal limits on the compromised accounts, and then sent out teams to make withdrawals.
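Neither bank's statements describe how the withdrawals were eventually detected, so as an added example (not code from the article or from either bank) the Python below shows two checks an issuer could run over its own authorization stream. The first pairs a processor-side limit raise with the withdrawals that follow it; the second flags a card withdrawn in several countries within a short window from the authorization data alone, which matters because the processor that holds the limit-change log was the system the gang had compromised. The card records are constructed for the demonstration and the thresholds are assumptions, not figures from the article.

```python
"""Two issuer-side checks for the cash-out pattern described above: a prepaid
card's limit is raised, then the card is drained at ATMs in many countries
within hours.  Added example; the records below are constructed and the
thresholds are assumptions, not figures from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (card, ISO timestamp, old limit, new limit).
LIMIT_CHANGES = [
    ("4000-0001", "2013-02-19T00:05:00", 500, 1_000_000),   # raised 2000x
    ("4000-0002", "2013-02-19T09:00:00", 500, 1_000),       # routine increase
]
# Constructed sample data (card, ISO timestamp, ATM country, amount).
WITHDRAWALS = [
    ("4000-0001", "2013-02-19T01:10:00", "US", 2000),
    ("4000-0001", "2013-02-19T01:12:00", "US", 2000),
    ("4000-0001", "2013-02-19T02:30:00", "JP", 2000),
    ("4000-0001", "2013-02-19T03:05:00", "DE", 2000),
    ("4000-0001", "2013-02-19T04:40:00", "CA", 2000),
    ("4000-0002", "2013-02-19T09:30:00", "AE", 300),
    ("4000-0003", "2013-02-18T12:00:00", "OM", 100),
    ("4000-0003", "2013-02-19T12:00:00", "OM", 100),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _by_card(withdrawals):
    """Group withdrawals per card as sorted (time, country, amount) tuples."""
    out = defaultdict(list)
    for card, t, country, amount in withdrawals:
        out[card].append((_ts(t), country, amount))
    for events in out.values():
        events.sort()
    return out


def flag_after_limit_raise(limit_changes, withdrawals, window_hours=10,
                           limit_factor=10, min_countries=3):
    """Pair each large limit raise with the withdrawals that follow it.

    A card is flagged when, within `window_hours` of a raise by at least
    `limit_factor`, it is used in `min_countries` or more countries or for
    more than its old limit.  Relies on the processor's limit-change log
    being trustworthy.
    """
    window = timedelta(hours=window_hours)
    cards = _by_card(withdrawals)
    flagged = {}
    for card, t, old, new in limit_changes:
        if new < old * limit_factor:
            continue
        start = _ts(t)
        after = [e for e in cards.get(card, []) if start <= e[0] <= start + window]
        countries = sorted({c for _, c, _ in after})
        total = sum(a for _, _, a in after)
        if len(countries) >= min_countries or total > old:
            flagged[card] = {"countries": countries, "total": total,
                             "old_limit": old, "new_limit": new}
    return flagged


def flag_multi_country_burst(withdrawals, window_hours=10, min_countries=3):
    """Sliding-window velocity check on authorizations alone.

    Flags a card withdrawn in `min_countries` or more countries inside any
    `window_hours` span; needs nothing from the (possibly compromised)
    processor.
    """
    window = timedelta(hours=window_hours)
    flagged = {}
    for card, events in _by_card(withdrawals).items():
        for i, (start, _, _) in enumerate(events):
            countries = {c for t, c, _ in events[i:] if t <= start + window}
            if len(countries) >= min_countries:
                flagged[card] = sorted(countries)
                break
    return flagged


if __name__ == "__main__":
    print(flag_after_limit_raise(LIMIT_CHANGES, WITHDRAWALS))
    print(flag_multi_country_burst(WITHDRAWALS))
```

The second check is the one to keep when the outsourced processor is in scope of the compromise: it needs only the issuer's own authorization records, and a legitimate traveller rarely withdraws cash in three or more countries inside ten hours.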

The Indian companies that were hacked publicly acknowledged they had been successfully infiltrated after the attacks were made public. “In three or four accounts, there was a breach, where the limit of cash that can be withdrawn from a pre-paid card was increased,” said Ramesh Mengawade, chief executive officer of ElectraCard Services, in an interview with Reuters. ElectraCard handled payment processing for RakBank’s prepaid travel cards. EnStage was the other company attacked by the gang. “Our customers were adversely affected by this sophisticated crime,” EnStage CEO Govind Setlur said in a statement in the Times of India.

In response to the attacks becoming known publicly, the chief executive officer of Rakbank, Graham Honeybill, told Reuters that "none of its customers suffered any financial loss as a result of this fraud." In a note, the Bank of Muscat stated, "We are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard."

Dhillon said the lack of disclosure beforehand was an example of organizational immaturity when it came to dealing with cyber security issues. He cited as an example the state of California, which requires institutions to inform their customers when a security breach occurs. “As a result, it has become natural for individuals to receive emails of this sort, that ‘Yes, your account has been compromised, we’re sorry about that, and here are the steps we are going to take.’ That isn’t a solution, but it’s a step in the right direction. It brings about an awareness that there is a problem with security, and this is how you deal with it.”

Some financial institutions may fear losing customers if they were to reveal how often their security is compromised. But Dhillon said not all attacks result in reputational loss. A few years back, Visa suffered a series of denial-of-service attacks that impacted a number of its clients, including banks. But the banks themselves were not compromised. "Sometimes it's simply better to communicate the magnitude of the problem to your clients," he said.

Regional Targets

Rakbank and Bank of Muscat in Oman were easy targets, said one cyber security expert, partly because Middle Eastern banks let their customers put large sums on cards yet do not monitor them as carefully as banks in other regions would. “It’s a target-rich environment in terms of soft electronic security,” Shane Shook, global vice president of consulting for the security firm Cylance Inc., told Reuters.

“It’s important for individuals to recognize that at the end of the day, they are the custodians of their own data,” Dhillon added. “If they are not responsible users of their own data, what’s the point of having security policies or security strategies for an enterprise? So it goes both ways. Increased individual awareness, and that enterprises are aware of their responsibilities of ensuring cyber security policies.”

For companies, it is important to have a good cyber security policy, Dhillon said, but he added that oftentimes policies do not address the actual problems. "So having policies make sense, and how you build them out, that's a whole educational awareness aspect that needs to be touched upon."

Another regional banker pointed out that a number of regional institutions still treat cyber security as a bottom-line cost issue, and do little diligence when it comes to securing information or choosing partners for the outsourcing of sensitive information services. "They are unwilling to pay for such measures," said the banker, who was not authorized to speak publicly about the issue.

Dhillon is one of the authors of a new paper that will be presented at a cyber security conference. The paper, “Secure Outsourcing: An Investigation of the Fit Between Clients and Providers,” speaks to the issue of security and outsourcing information services, such as payment processing.

“Many of the problems stem from a lack of fit between what IT outsourcing vendors consider to be the key success factors and what outsourcing clients perceive to be critical for the success of the relationship,” the paper notes. “[The] majority of IT outsourcing projects fail because of a lack of appreciation as to what matters to the clients and the vendors. [Secondly], several IT outsourcing projects fall victim to security breaches because of a range of issues — broken processes, or a failure to appreciate client requirements, among others.”

“What the vendors perceive to be the top security issues are not necessarily in sync with what the client wants,” Dhillon says. “I think the blame is shared. Once you get a vendor to do something, it is the responsibility of clients to ensure that all of the processes are secure, regardless of whether they are in-house or they have been outsourced.”

The cyber robbery of Rakbank and the Bank of Muscat was similar to one in 2008, when a gang from Eastern Europe and Russia hacked the Royal Bank of Scotland’s credit card processor. The indictment against the gang noted they drained US$9 million from more than 2,100 coordinated ATM withdrawals in less than half a day.

Other financial institutions in the Middle East have been attacked by hackers, but not for money. Last year, a self-described Saudi Arabian hacker posted details of 400,000 Israeli credit cards online. More Israeli bank accounts were compromised, before retaliation from Israeli hackers, who posted information from Saudi Arabian credit cards. Hackers then disrupted websites of the Tel Aviv Stock Exchange, El Al Airlines and several Israeli banks, the Abu Dhabi Securities Exchange and Tadawul, Saudi Arabia’s exchange, then the United Arab Emirates’ Central Bank website and that of the Arab Bank Palestine.

“From a government standpoint, some kind of regulatory framework has to be created,” Dhillon says. “There are laws dealing with cybercrime in the Middle East. But they need to be revisited every so often, and integrated with the path of the rest of the world. It’s not just one country having its own set of laws. How do they link up with the rest of the world?”

Dhillon noted that there isn't a complete harmonization of Internet regulations on an international scale, so the task remains difficult. Still, he said, "One of the problems of cyber security is that it's not location dependent. So when you talk about regulatory frameworks, they have to go beyond your own country."



