{"id":192,"date":"2008-03-09T20:47:58","date_gmt":"2008-03-10T04:47:58","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/09\/hacking-atms\/"},"modified":"2008-03-14T20:21:56","modified_gmt":"2008-03-15T04:21:56","slug":"hacking-atms","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/09\/hacking-atms\/","title":{"rendered":"Hacking ATMs"},"content":{"rendered":"<p><font face=\"Times New Roman\">ATMs are surprisingly easy to hack according to CNET.\u00a0 From a <a href=\"http:\/\/www.news.com\/Windows-based-cash-machines-easily-hacked\/2100-7349_3-6233030.html?tag=cd.lede\">report<\/a><\/font><font face=\"Times New Roman\"> on ATMs, up to 90 percent of the ATMs in the U.K. could be at risk for worms, denial-of-service attacks, getting customer data intercepted, and having money stolen from their safes.<!--more--><\/font><font face=\"Times New Roman\">Many ATMs rely on desktop PC technology such as Intel hardware and Windows operating systems.\u00a0 Often they are linked to other machines in the bank\u2019s network or connected to the Internet.\u00a0 This means that ATMs have to stay updated with all the current hotfixes and patches.\u00a0 This has been a large shift in the technology of ATMs over the last few years.\u00a0 Because ATM\u2019s are based on desktop technology, hacking a ATM is simpler than it once was once access has been obtained.\u00a0 An example of this is the <\/font><a href=\"http:\/\/www.news.com\/Damage-control\/2009-1001_3-983540.html\" title=\"Damage control -- Thursday, Feb 6, 2003\"><font face=\"Times New Roman\">SQL Slammer worm<\/font><\/a><font face=\"Times New Roman\"> which indirectly shut down 13,000 Bank of America ATMs.<\/font><\/p>\n<p><font face=\"Times New Roman\">In this article, researchers showed how easily ATMs could be unlocked and have their safes cleared out.\u00a0 They used a default key code they obtained from a safe manual online. They also reset the cabinet ATMs&#8217; software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine. <\/font><font face=\"Times New Roman\">Another threat is that personal information can be intercepted.\u00a0 Network Box showed that only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers. That leaves card numbers, card expiration dates, transaction amounts, and account balances in clear text for anyone to read over the network. <\/font><\/p>\n<p><font face=\"Times New Roman\">We are all so careful to ensure that we use secure websites with valid certificates and encryption, meanwhile ATMs, which should be almost as secure as the bank itself, have so many security problems.\u00a0 <\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ATMs are surprisingly easy to hack according to CNET.\u00a0 From a report on ATMs, up to 90 percent of the ATMs in the U.K. could be at risk for worms, denial-of-service attacks, getting customer data intercepted, and having money stolen &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/09\/hacking-atms\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":43,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,1,13],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-current-events","category-miscellaneous","category-physicalsecurity"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}