LAS VEGAS—At the Black Hat USA conference here, researchers from security firm Rapid7 publicly demonstrated an attack against an ATM that ended with the machine shooting out a string of fake $100 bills.
The attack used some design flaws in the EMV chip system, which is just starting to roll out across the United States. Tod Beardsley, security research manager for Rapid7, explained that the attack made use of a tool he referred to as a “shimmer” installed inside the ATM to read the EMV data.
The challenge is that most existing ATMs in the United States are configured only for magnetic-stripe credit cards and are now in the process of being retrofitted to enable EMV technology. As the machines are upgraded, the risk of shimmer-type attacks concerns Beardsley.
Hacking ATM machines at Black Hat is not a new thing. Back in 2009, security researcher Barnaby Jack first had a scheduled talk on hacking ATMs, which never happened as legal issues forced the talk’s cancellation. In 2010, Jack did get to present and publicly “jackpotted” ATM machines at the Black Hat event that year.
Beardsley paid tribute to the pioneering work that Jack did, during a Black Hat press conference where the Rapid7 demo occurred. Beardsley noted that Rapid7 is working on responsible disclosure of the flaws with ATM vendors and banks in a process that Jack figured out back in 2010. Jack passed away tragically in July 2013.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.