ATM operating systems need security updates
EVER heard of Barnaby Jack? No?
He's the Kiwi who first hacked into an ATM. Having purchased a couple of ATMs online about 2007, he spent a couple of years in his lab poring over the ATM's operating system, looking for vulnerabilities, opportunities to add code, reconfigure, and control the behaviour of the machine.
Jack remarked that when the delivery guys would come to his house (lab) with the purchased machines, they would ask why someone would want ATMs in their house.
Feeling cheeky, Jack would reply, "I'm sick of the transaction fees bro."
His labour of love culminated in a presentation at Black Hat, the famous global hacking convention hosted in Las Vegas each year.
During his 2010 presentation, Jack famously wheeled a couple of ATMs on stage and proceeded to demonstrate within a few minutes how to make money spew from the machines like water from a tap.
We call these logical attacks, and following his Black Hat performance, we know that Jack's pet project and technical know-how fell into the hands of organised crime.
Logical attacks typically focus on aging ATMs, where criminals "hack" into the machines' vulnerable and out-dated operating systems and reprogram them to dispense their cash.
An out-dated ATM is not necessarily measured in years.
Whether an ATM is out-dated depends on whether its owner and the manufacturer update its operating system. Just like our computers, tablets and mobile phones, ATM operating systems need updates to improve performance and security.
Attacks on ATMs are not new.
They're also not as common as we may think.
Australia had its spate of bash-and-crash ATM challenges a few years ago.
However, Australia is yet to see any reports of logical attacks impacting our ATMs. This may be a matter of time.
Public reporting of attacks on ATMs is a little hit and miss.
But you have to know what to look for and there is supporting evidence that such groups prefer the warmer months.
ATMs are in just about any retail and high cash-volume premises such as pubs and clubs.
If you run a business that has an ATM, ask your provider whether its operating system is vulnerable.
Dr David Lacey is a senior research fellow in the Centre for Human Factors and Sociotechnical Systems at the University of the Sunshine Coast and director of iDcare, Australia and New Zealand's National Identity Support Service.