Jackpotting (breaking into) an ATM

The talk of the 2010 Black Hat conference was security researcher Barnaby Jack’s presentation on “Jackpotting An ATM” using two little programs he developed called “Scrooge” and “Dillinger”. “Scrooge” is an ATM firmware rootkit (malicious software that conceals itself at the level of the interface between software and hardware) that takes control of an ATM machine and causes it to spit all its money out. “Dillinger” is a program that gathers debit card numbers and passwords from the infected machine and sends them to a remote location for collection.
Since my main character is on the run from both the Police and the Federal Authorities, “Dillinger” is not much good to us. So it is “Scrooge” that we’ll be using. Time to plan a crime.
I got copies of “Scrooge” and “Dillinger” along with an ATM key (all ATMs are keyed alike, believe it or not!) as the beginning of my proof of concept. I was then ready to emulate emptying an ATM machine. Since most of the larger ATMs, like the ones at the banks, had been patched, I rejected them outright. That left me with the smaller ATMs of the type found in convenience stores. The problem is, a lot of convenience stores are open 24 hours, so I couldn’t just write in a staged after-hours break-in. Besides, this would have been such an inelegant solution and a betrayal of my readers.
No, I needed a brazen, broad-daylight exploit. Time for a little social engineering. There’s a section of Route 12 in Fitchburg, Ma. that has a half dozen convenience stores and gas stations within a short 1/4 mile, so this became my target. The first step was a scouting expedition to find the brand names of the ATMs. Done early in the morning, it allowed for a shift change before I had to go back. Armed with a MacBook Pro, a portable USB printer and a small laminator, it’s an easy matter to take a picture with the built-in camera and use Photoshop to combine it with the corporate logos of the manufacturers of the machines I’d scouted, downloaded as JPGs from their respective websites on the internet. Cutting the results down, with a barcode thrown in, and laminating them makes a fairly effective ID badge.* With darkness falling, it’s easy to wait until the clerk of the store is getting slammed. That’s when I begin the attack.
Entering the store, I ignore the line and go right up to the counter. I push my ID in the busy clerk’s face and tell him I’m from the corporate office of the ATM’s manufacturer and I’m here to update the firmware of their unit. 99% of the time, the reaction of the clerk will be: “Whatever. Go do it and stop bothering me!” Now I’m all set. I can open the ATM with my key and can then, if I want to, proceed to insert a small flash drive containing “Scrooge”, collect the bills, and say thanks on the way out. 
This attack works so well because very few people know you can get (or used to be able to get) an ATM key quite easily on the internet. Opening the ATM with the key indicates that you are who you said you were; after all, you have a key. Waiting until the clerk is slammed is an effective way to ensure he won’t be able to describe you later when the crime is discovered. An elegant “hacker” solution to the problem of raising cash when you are on the run from law enforcement. Part of the real fun involved in writing “Playing God”.

*Note – This was all done as a proof of concept and with the permission of a store owner who was grateful for the “heads up” about the need for a patch, and no money was taken.
…’til next time


There’s A Hack For Everything Part 2.

I know everyone wants me to get to the hacking of the Best Seller List, and I will in a minute, but you have to put the meat and potatoes down before you pour the gravy (otherwise it gets really messy).
The first step in any good attack is to examine what’s worked in the past. However, it’s not the only one. A penetration tester also has to understand how the legitimate user (or in this case, book) gets in. Other things to consider are potential attack vectors (point of sale outlets, distributors, etc.) and the reporting methodology, i.e., how the lists are compiled.
Okay, now that the meat and potatoes are down, we can pour the gravy. First, it should be noted that most publishing companies, like their record label and art world counterparts, are slime. They are happiest when they can take an unknown, sign them to a multi-year deal that puts most of the profits in their own pockets instead of the artist’s (unknowns are happy just to be there) and push them to the top of a list or chart they can manipulate. They are miserable when they have to write much larger royalty checks to established artists.
Don’t believe me? Read on. No one is exactly sure when the kids first broke into the candy store, but it went on for a pretty long time, “and them that knows ain’t sayin’” (boy, did my spell checker hate that one).
The major publishers concocted the following plan, and they were all in on it. They would use their weight to push large amounts of a particular title out to the big distributors. The carrot was that all the books were returnable for credit. So the big distributors grumbled, but they went along with it. Now this alone was not enough to crack the lists, because there were no sales and, for obvious reasons, the publishers aren’t allowed to report sales to the list. So they did the next best thing. They used shell companies to buy back the books in large chunks at a discount. The shell companies would then warehouse them and pass them back to the publishers. The publishers now owned the books again, so their overheads were zero on that batch, which they pushed back out to the distributors again and repeated the process. When the book hit the best seller list it would get prime real estate at the book stores and people would buy it. (Go into a Barnes and Noble and take a look at the books that assault you as you walk in the door.) Thus, a title that appeared to sell 500k books really only sold 250k, but the publisher broke even on the first half and pocketed all the profits on the second half. Total marketing cost – “0”. Plus, all those shell companies posted nasty losses that were written off at tax time. The distributors were happy as profits were up, and the NY Times was none the wiser (or were they? They are a big publishing conglomerate…).
Does this still go on? The answer is no. Someone figured it out, and now books that sell in large blocks are asterisked like Barry Bonds’ home run ball and never make it to the list.
Do the major publishers still hack the list? Well the alternative is that they collectively developed a conscience and are now playing fair and square. (Yes, Virginia there really is a Santa Claus.)
Am I going to try to hack the list with my own novel, Playing God? No, but it was a cool mental exercise.
’til next time.