Once again criminals hacked ATMs with knowledge of default settings

Two individuals exploited knowledge of the default passcode to hack ATMs and steal more than $400,000 in 18 months from the targeted machines.

Another story of ATM hacking is circulating on the web: once again, criminals exploited knowledge of the machines' default configuration, specifically the factory-set passcodes.

The hackers did not run a brute-force attack against the ATM, nor did they find the code online; the passcode was in fact printed in the ATM’s service manual.

The attacks against the ATMs were organized by a former employee of the company that operated the kiosk ATMs that were hacked. The man, with the support of an accomplice, stole more than $400,000 in 18 months from the ATMs.

The former employee, Tennessee-based Khaled Abdel Fattah, knew the procedure to put the ATM into Operator Mode: typing a code is enough to reconfigure the ATM to dispense $20 bills when asked for $1 ones.

The man operated with the complicity of another person, Chris Folad. They would then ask the ATM to dispense, for example, $20, and they would get $400. Once the men had taken the cash, they would revert the setting so that the attack would go unnoticed.

The two men have been charged with 30 counts of computer fraud and conspiracy, as reported by Wired:

“Now Fattah and an associate named Chris Folad are facing 30 counts of computer fraud and conspiracy, after a Secret Service investigation uncovered evidence that the men had essentially robbed the cash machines using nothing more than the keypad.” reported Wired in a blog post.

The thefts went on for about 18 months before the owner of one of the businesses where one of these kiosk ATMs was installed noticed something strange when the machine was running out of money.

The Secret Service, which investigated the case, identified the criminals by analyzing the images captured by surveillance cameras; the men also made the mistake of using their own debit cards to make withdrawals.

As reported by the media, attacks exploiting factory settings have happened several times in the past. In 2005, cyber criminals discovered that the default factory-set master passcodes for the Tranax and Trident ATMs were printed in the service manuals, which were available online.

Last June, two 14-year-old boys in Winnipeg, Matthew Hewlett and Caleb Turon, discovered on the Internet an ATM manual containing the instructions to gain operator mode access to a Bank of Montreal ATM at a grocery store.

The problem is that although ATM vendors recommend changing the factory passcodes immediately, many small business owners never made the change. After the last series of attacks, the ATM vendors that produce the hacked machines made it mandatory for operators to change the default password during the first installation.

The real problem is that there are many vulnerable ATMs in the wild that run outdated systems and are poorly configured.

Pierluigi Paganini

(Security Affairs – ATMs, cybercrime)