WEBVTT

00:00:00.000 --> 00:00:02.640
JACK: Hey, what’s up? DADE: Not much, just reading.

00:00:02.640 --> 00:00:06.560
JACK: Cool. What are you reading? DADE: I’m reading Exploding the Phone.

00:00:06.560 --> 00:00:09.440
It’s about phone phreaking, kind of the history of it.

00:00:09.440 --> 00:00:10.960
JACK: Sounds interesting. DADE: Yeah.

00:00:10.960 --> 00:00:15.200
JACK: This is Dade. That’s not his real name; that’s just his online name. I met him at a BSides

00:00:15.200 --> 00:00:19.600
conference once and was just really impressed with his knowledge of security and hacking.

00:00:19.600 --> 00:00:23.680
So I’d chat him up sometimes and ask him questions on things that I’m researching. Hey,

00:00:23.680 --> 00:00:31.360
I’m calling ‘cause I want – I’m trying to think. Are there any old movies that have like a hacker

00:00:31.360 --> 00:00:37.440
getting into an ATM and dispensing cash? DADE: Yeah, so there’s a couple. It’s kind of a

00:00:37.440 --> 00:00:44.800
trope in hacking movies, most prominently I think in Hackers. They’re all sitting around

00:00:44.800 --> 00:00:49.920
the table at Cyberdelia and Joey’s really trying to get all of his friends’ attention.

00:00:49.920 --> 00:00:55.360
He’s talking about how he hacked this bank. JOEY: Right? Okay wait, okay, so it’s a bank. So

00:00:55.360 --> 00:01:01.600
this morning, look at the paper. Some cash machine in Bumsville, Idaho spits out $700

00:01:01.600 --> 00:01:03.840
into the middle of the street. CEREAL: That’s kind of cool.

00:01:03.840 --> 00:01:08.160
JOEY: That was me. That was me. I did that. DADE: Then Joey takes credit for it

00:01:08.160 --> 00:01:12.800
and he’s really bragging. JACK: Wait, wait, hold on. How do you know

00:01:12.800 --> 00:01:20.480
this much about that one scene in Hackers? DADE: I watched it a lot. I picked my

00:01:20.480 --> 00:01:24.080
hacker handle because of that movie. It’s what inspired me

00:01:24.080 --> 00:01:28.400
to get into computers in the first place. JACK: Do you know every scene of Hackers?

00:01:28.400 --> 00:01:34.080
DADE: I know almost every scene of Hackers. I can find myself quoting

00:01:34.080 --> 00:01:40.320
it unintentionally quite frequently. JACK: That’s impressive. That’s really crazy.

00:01:40.320 --> 00:01:44.960
Alright, so what year was Hackers? DADE: That was 1995. There was actually a couple

00:01:44.960 --> 00:01:55.440
of ATM hacks before that as well. In 1985 a movie called Prime Risk was basically all about finding

00:01:55.440 --> 00:01:58.720
out ways to rip off ATM machines. TONI: Got over twenty frequency

00:01:58.720 --> 00:02:01.360
codes today. LEE: What is that?

00:02:01.360 --> 00:02:06.960
TONI: It’s a spectrum analyzer. It reads the electromagnetic environment and creates magnitude

00:02:06.960 --> 00:02:12.080
readings for the proper frequencies. LEE: Oh. What are you doing with it in your

00:02:12.080 --> 00:02:13.440
car? TONI: Well,

00:02:13.440 --> 00:02:17.360
it’s just an experiment for now but if we’re lucky we should be able to

00:02:17.360 --> 00:02:21.520
pick up oh, $200 from each account. LEE: You know you can get into a lot of trouble

00:02:21.520 --> 00:02:23.600
fooling around with the banks. TONI: Would you relax?

00:02:23.600 --> 00:02:26.320
LEE: I’m relaxed. You’re talking about ripping people off.

00:02:26.320 --> 00:02:30.240
TONI: Look, it’s a banking system. We aren’t stealing from people.

00:02:30.240 --> 00:02:39.200
DADE: Then again in 1991 a young John Connor in Terminator 2 hooks up his little laptop

00:02:39.200 --> 00:02:43.680
into the card reader slot of an ATM. JOHN: [BEEPS] Please insert your stolen card

00:02:43.680 --> 00:02:45.360
now. DADE:

00:02:45.360 --> 00:02:50.080
He hits a couple buttons. Some Hollywood hacking appears on screen, you know, numbers flying down

00:02:50.080 --> 00:02:55.200
the screen, changing really fast. JOHN: Go baby, go baby, go baby. Alright.

00:02:55.200 --> 00:02:58.400
Pin number… DADE: Eventually he’s cracked the pin.

00:02:58.400 --> 00:03:05.520
JOHN: Withdraw 3-0-0 bucks. Come on baby, come on, come on. Yes!

00:03:05.520 --> 00:03:08.240
TIM: Hey, it worked. JOHN: Easy money.

00:03:08.240 --> 00:03:11.760
JACK: Huh. Alright. So if Hollywood is doing this in the 80s and 90s

00:03:11.760 --> 00:03:16.080
I think I’m gonna look into where we are with ATM hacking today and do an episode on that.

00:03:16.080 --> 00:03:19.200
DADE: Yeah, that sounds great. JACK: Alright, this information has been

00:03:19.200 --> 00:03:21.120
great. Thanks so much. DADE: Yeah, no problem.

00:03:21.120 --> 00:03:23.360
Thanks for reaching out. JACK: Alright, see you later.

00:03:23.360 --> 00:03:29.200
DADE: Hack the planet. JACK (INTRO): [INTRO MUSIC]

00:03:29.200 --> 00:03:36.000
These are true stories from the dark side of the internet.

00:03:36.000 --> 00:03:54.880
I’m Jack Rhysider. This is Darknet Diaries. [INTRO

00:03:54.880 --> 00:03:57.280
MUSIC ENDS] JACK: ATMs are an obvious target for criminals.

00:03:57.280 --> 00:04:02.000
It’s just a hunk of metal holding a bunch of cash. There can be anywhere from $3,000 all the way up

00:04:02.000 --> 00:04:09.520
to $250,000 in each ATM. Getting into one of these could be a big win for someone. At its core an ATM

00:04:09.520 --> 00:04:14.640
is just a computer, often a Windows computer with an input device like a touch screen or buttons.

00:04:14.640 --> 00:04:19.760
Then there’s the cassettes that hold the cash. The cassettes are the crown jewels of the ATM since

00:04:19.760 --> 00:04:25.280
they hold all the money. One tactic is to steal the cassettes. [MUSIC] Smash and grab is still a

00:04:25.280 --> 00:04:29.760
common ATM hacking technique. This is as simple as smashing a window of the store, running in,

00:04:29.760 --> 00:04:34.400
grabbing the whole ATM, drag it outside, throw it in your truck, and drive off.

00:04:34.400 --> 00:04:38.480
To defend against this shop owners and banks have securely fastened the ATM to the ground,

00:04:38.480 --> 00:04:41.120
often with huge bolts right into the concrete.

00:04:41.120 --> 00:04:46.000
But criminals will still smash the window, throw a rope around the ATM, attach it to their truck and

00:04:46.000 --> 00:04:51.440
pull it out with the truck to knock it loose and then grab the whole ATM and drive off.

00:04:51.440 --> 00:04:56.080
But then there are ATMs built right into the walls of the bank where you can’t knock it over

00:04:56.080 --> 00:05:00.640
or pull it loose. What some criminals do here is they’ll run up to it, create a hole in the

00:05:00.640 --> 00:05:04.720
ATM [00:05:00] somehow like jamming a crowbar right into it or under it, and then they’ll

00:05:04.720 --> 00:05:12.160
load up that hole with explosives and blow up the ATM itself. Usually the cash box that holds

00:05:12.160 --> 00:05:18.560
the money is knocked loose from the explosion and a thief can run off with just that box of money.

00:05:18.560 --> 00:05:22.880
But all these techniques are messy and very destructive. There’s even one video of a guy

00:05:22.880 --> 00:05:27.200
driving a forklift right through a convenience store window, knocking over all the shelves,

00:05:27.200 --> 00:05:31.760
and making a ton of damage just to get the ATM loose and out of there.

00:05:31.760 --> 00:05:37.520
It’s shocking and there’s just much more elegant ways of stealing money out of an ATM.

00:05:37.520 --> 00:05:42.240
A little over a decade ago, a story came out that said a master admin password was

00:05:42.240 --> 00:05:48.080
configured for many ATMs. Some thieves got ahold of this password and used it to access the ATM.

00:05:48.080 --> 00:05:52.800
However, the admin access didn’t let them dispense money so they couldn’t just steal the money.

00:05:52.800 --> 00:05:57.920
The hackers poked around at what they had access to. Inside the ATM are a number of cassettes with

00:05:57.920 --> 00:06:02.720
different denominations. Maybe there are three cassettes with $5 bills, $10 bills, and $20

00:06:02.720 --> 00:06:08.640
bills. With admin access you could assign which cassette was which denomination. The hackers told

00:06:08.640 --> 00:06:14.560
the ATMs that all the cassettes have just $1 bills in them. When they went to withdraw $20, it gave

00:06:14.560 --> 00:06:21.360
them twenty $20 bills. Their balance only went down by twenty bucks but they actually got $400.

00:06:21.360 --> 00:06:28.000
These criminals did this a few times and got a whopping $1,540 from this attack.

00:06:28.000 --> 00:06:32.640
The admin password has since been fixed and that attack is no longer valid.

00:06:32.640 --> 00:06:38.080
Around 2009 a security researcher named Barnaby Jack was interested in seeing what kind of hacks

00:06:38.080 --> 00:06:41.840
he could do on ATMs. He bought a few and had them delivered to his house.

00:06:41.840 --> 00:06:45.200
BARNABY: I remember when one of the ATM delivery guys came in. He wheeled the

00:06:45.200 --> 00:06:51.920
ATM into my place and he’s just like why on earth do you need an ATM in your house for?

00:06:51.920 --> 00:06:55.680
[LAUGHTER] I was feeling a bit cheeky that day so I just looked at him and was like oh, I just don’t

00:06:55.680 --> 00:07:00.640
like the transaction fees, mate. [LAUGHTER] JACK: This is Barnaby Jack speaking at Defcon 18,

00:07:00.640 --> 00:07:04.800
the largest hacker convention in the world. Once he got the ATMs into his house he took

00:07:04.800 --> 00:07:10.000
them apart and analyzed how they worked. [MUSIC] He started looking for vulnerabilities in the ATM

00:07:10.000 --> 00:07:14.880
he had. He found the ATM had two different keys; one key opens a door to the cassettes

00:07:14.880 --> 00:07:19.840
where the cash is but these were high-security keys and each ATM had a different key. But there

00:07:19.840 --> 00:07:25.840
was another key which opened up the cabinet. The cabinet holds the computer that controls the ATM.

00:07:25.840 --> 00:07:31.440
He found a serious problem with this key. BARNABY: One key will open all the models from

00:07:31.440 --> 00:07:36.560
that same manufacturer, the cabinet. JACK: Yeah, that’s right. One key opens the

00:07:36.560 --> 00:07:41.760
ATM up for all ATMs that that manufacturer makes. This only gave you access to the

00:07:41.760 --> 00:07:46.160
motherboard in the ATM, not the cash. But Barnaby Jack being a security researcher,

00:07:46.160 --> 00:07:50.480
he tried to figure out how he could attack the motherboard to dispense cash. Sure enough,

00:07:50.480 --> 00:07:54.800
he found a way. He was able to load a custom firmware onto a USB flash drive. Now that he

00:07:54.800 --> 00:07:59.920
has access to the motherboard he can plug that USB drive into the motherboard, reboot the ATM,

00:07:59.920 --> 00:08:05.200
and it would load his custom firmware. This firmware pretty much let him do anything.

00:08:05.200 --> 00:08:08.560
BARNABY: I placed hooks at the card reader, the pin pad, and the parts of the handles

00:08:08.560 --> 00:08:13.680
the remote configuration commands. With those hooks we can add some fairly handy features,

00:08:13.680 --> 00:08:19.520
save the track data, capture the pin pads, and a few customer commands. The track data remotely

00:08:19.520 --> 00:08:23.280
saw remote jackpot and might as well. JACK: With the USB drive plugged into the

00:08:23.280 --> 00:08:27.760
motherboard and new firmware installed, he closed up the lid and the ATM looked and operated just

00:08:27.760 --> 00:08:33.120
like normal except he had programmed a hidden menu to let him control it however he wanted.

00:08:33.120 --> 00:08:37.840
He could read and store any cards that were swiped on that machine and the pins that were entered.

00:08:37.840 --> 00:08:42.480
The most astonishing thing he could do was dispense all of the cash from all

00:08:42.480 --> 00:08:48.160
the cassettes which he called jackpotting. He demonstrated how he could do this live,

00:08:48.160 --> 00:08:52.160
right there on the stage at Defcon 18. BARNABY: [BEEPING] Okay so it pops up my

00:08:52.160 --> 00:08:56.880
hidden menu there. It will let me dispense fifty notes from A, B, C,

00:08:56.880 --> 00:09:02.400
or D which are the four cassettes on the ATM. Let’s just try dump fifty bills from the first

00:09:02.400 --> 00:09:12.640
cassette. [MUSIC] [LAUGHING, APPLAUSE] JACK:

00:09:12.640 --> 00:09:17.360
This is unbelievable. I was there for that and I’m still blown away by how crazy this

00:09:17.360 --> 00:09:23.040
was to see this live on stage. It just blew my mind. But physical attacks on ATMs might seem a

00:09:23.040 --> 00:09:27.280
little too risky. I mean, you’ve gotta actually go there and lift the cover up to get into it.

00:09:27.280 --> 00:09:32.080
There may be cameras watching you, too. But ATMs are sometimes found in gas stations or bars

00:09:32.080 --> 00:09:36.240
and they’re often tucked away, sometimes hidden like by the bathrooms or cigarette machine.

00:09:36.240 --> 00:09:40.720
And we give people privacy when they’re using the ATMs so it’s entirely possible to do this

00:09:40.720 --> 00:09:46.160
in broad daylight and nobody would notice. [MUSIC] But Barnaby wanted to take this a step

00:09:46.160 --> 00:09:51.120
further and see if he could figure out a way to gain remote access to an ATM over the network. He

00:09:51.120 --> 00:09:55.520
plugged in the ATMs to his home network and began trying to see what he could get into.

00:09:55.520 --> 00:09:59.680
Well, there was a remote login to the ATM but it had a username and password.

00:09:59.680 --> 00:10:03.680
But Barnaby found a [00:10:00] vulnerability in the software to let him bypass that authentication

00:10:03.680 --> 00:10:09.120
altogether, allowing him to get right into the ATM. From there he couldn’t do much

00:10:09.120 --> 00:10:12.960
other than check the system, see how much cash was there, and basic troubleshooting.

00:10:12.960 --> 00:10:18.240
No way to actually dispense cash, but Barnaby had already made a custom firmware that could give him

00:10:18.240 --> 00:10:23.200
extra access. He was able to connect all these exploits together which allowed him to…

00:10:23.200 --> 00:10:29.120
BARNABY: Upload rootkit. That’s not a bad feature; bypasses authentication,

00:10:29.120 --> 00:10:32.960
initiates the software upload which lets me replace the firmware so, awesome.

00:10:32.960 --> 00:10:37.840
JACK: Awesome it was. Barnaby could now remote-control an ATM with his

00:10:37.840 --> 00:10:41.920
own custom firmware that allowed him to do whatever he’d want such as dispensing cash

00:10:41.920 --> 00:10:50.480
out of an ATM on the other side of the world without even touching it. [MUSIC, LAUGHING]

00:10:50.480 --> 00:10:56.480
Again, unbelievable. The research that Barnaby Jack did with ATMs was just amazing. He didn’t

00:10:56.480 --> 00:11:00.560
stop there. He had a passion for finding vulnerabilities in embedded devices. There are

00:11:00.560 --> 00:11:05.200
electronic embedded devices in so many products we interact with, devices like a washing machine,

00:11:05.200 --> 00:11:10.400
your thermostat, a refrigerator, dishwasher, your phone, video games, printers, and medical devices.

00:11:10.400 --> 00:11:15.440
After Barnaby demonstrated to the world how you can hack into ATMs live on stage at Defcon,

00:11:15.440 --> 00:11:19.840
he turned to researching the electronics within medical devices. He found that he

00:11:19.840 --> 00:11:23.520
could gain remote access to insulin pumps that were actually strapped onto people

00:11:23.520 --> 00:11:28.880
and worn about. On stage at the RSA convention in 2012 he demonstrated what he found.

00:11:28.880 --> 00:11:34.960
BARNABY: From a hundred meters away I can scan for any insulin pumps in the vicinity. I will return

00:11:34.960 --> 00:11:41.600
those insulin pump IDs and then I can have them dispense their entire 300 units of insulin which

00:11:41.600 --> 00:11:46.880
for a Type 1 diabetic, will easily prove fatal. JACK: This guy really wasn’t messing around. I

00:11:46.880 --> 00:11:51.360
mean, first robbing banks, now killing people? The point he was trying to make is that medical device

00:11:51.360 --> 00:11:55.840
manufacturers really need to take security a lot more seriously than they already were.

00:11:55.840 --> 00:12:00.720
BARNABY: I’m trying to go as public with this research as I can just to show how easily these

00:12:00.720 --> 00:12:05.920
pumps can actually be attacked and hopefully change the mind of the FDA and of Medtronic,

00:12:05.920 --> 00:12:08.400
and of the public that maybe a recall could be in order.

00:12:08.400 --> 00:12:13.120
JACK: Barnaby then began looking to see if he could remote-control a pacemaker.

00:12:13.120 --> 00:12:18.080
This is a device used to keep your heart beating regularly. Sure enough, he figured out a way in.

00:12:18.080 --> 00:12:22.720
See, Barnaby was an amazingly good security researcher. He had a keen ability to find

00:12:22.720 --> 00:12:28.080
weaknesses and security holes in so many systems. When he found a way to remote-control a pacemaker

00:12:28.080 --> 00:12:33.120
implanted into a human, he took his findings on the road to a security conference in Melbourne,

00:12:33.120 --> 00:12:38.880
Australia. He demonstrated this hack live on stage to show how someone could send a lethal shock to

00:12:38.880 --> 00:12:46.480
a human through hacking a pacemaker. The news of this vulnerability, again, was a big deal.

00:12:46.480 --> 00:12:50.960
Barnaby refined his demonstrations and was accepted to speak at Black Hat, the security

00:12:50.960 --> 00:12:56.080
conference in Las Vegas to demonstrate this medical device hacking live on stage.

00:12:56.080 --> 00:13:03.680
But he never did give that talk because he died a week before the conference. His girlfriend found

00:13:03.680 --> 00:13:08.480
him lying on the floor in their San Francisco apartment. [MUSIC] The coroner examined his

00:13:08.480 --> 00:13:14.560
body and ruled that the cause of death was an overdose of drugs. He was thirty-five years old.

00:13:14.560 --> 00:13:17.680
Barnaby had a lot of talent and potential

00:13:17.680 --> 00:13:30.080
and opened our eyes to a lot of things. Losing him was a tragedy and he will be missed immensely.

00:13:30.080 --> 00:13:33.680
Alright, so if you could start out by telling me your name and what you do.

00:13:33.680 --> 00:13:39.760
JORNT: My name is Jornt v.d. Wiel. I’m a security researcher within the Kaspersky Lab.

00:13:39.760 --> 00:13:44.240
JACK: [BACKGROUND CONV.] Kaspersky Lab is based in Moscow, Russia and makes antivirus software

00:13:44.240 --> 00:13:47.920
amongst many other things. They need to keep their finger on the pulse of what the security

00:13:47.920 --> 00:13:52.640
threats are in the world so they can develop ways to detect and defend against these threats.

00:13:52.640 --> 00:13:57.600
Okay, so Jornt, what were you saying after Barnaby Jack demonstrated how to hack into ATMs?

00:13:57.600 --> 00:14:04.320
JORNT: Yeah, so he introduced it and he showed that it was possible. What we saw after that

00:14:04.320 --> 00:14:12.000
was people started copying him, [MUSIC] especially in Russia and the surrounding countries.

00:14:12.000 --> 00:14:16.640
JACK: Surely Barnaby Jack wasn’t the first person to have figured out how to hack an ATM. But he was

00:14:16.640 --> 00:14:22.480
the first to demonstrate it live on stage. After he did demonstrate it, banks and ATM vendors did

00:14:22.480 --> 00:14:27.760
improve the security of their machines but ATM hacking started gaining in popularity after the

00:14:27.760 --> 00:14:32.240
talk. There was an ATM hack in particular that Jornt will always remember.

00:14:32.240 --> 00:14:36.240
JORNT: Yeah, it’s one of our colleagues. He got a call or an

00:14:36.240 --> 00:14:39.360
e-mail from somebody that he knew. JACK: It was an e-mail. It was from an

00:14:39.360 --> 00:14:44.320
IT guy working at a bank in Ukraine. JORNT: He told us that he had a problem and

00:14:44.320 --> 00:14:49.840
he didn’t really want to disclose what it was. He said that you guys just have to come.

00:14:49.840 --> 00:14:54.720
JACK: Jornt and his team were like well, going to Kiev is far and it’s not easy to get to. Just

00:14:54.720 --> 00:14:58.720
tell us what the problem is. We’ve probably seen it before and we’ll just tell you how to fix it.

00:14:58.720 --> 00:15:03.280
But the bank was insistent on telling [00:15:00] them they must fly to Ukraine to see the problem

00:15:03.280 --> 00:15:09.600
themselves. Jornt and his team hopped on a plane and flew to Kiev to visit this bank.

00:15:09.600 --> 00:15:12.880
[MUSIC] They took him into a room which had all the surveillance footage for the bank.

00:15:12.880 --> 00:15:15.440
JORNT: We went there and then they showed us video footage.

00:15:15.440 --> 00:15:18.880
JACK: Okay, so the scene in the video is this; there’s a bank with ATMs. Okay,

00:15:18.880 --> 00:15:23.600
but it’s three a.m. so the bank is closed. The ATMs are in this little

00:15:23.600 --> 00:15:27.120
foyer lobby something of the bank. JORNT: Like a portal, kind of.

00:15:27.120 --> 00:15:31.520
JACK: Yeah, but the doors are locked so you have to swipe your debit card on the door in order to

00:15:31.520 --> 00:15:36.480
get into that portal to use the ATMs. But you can’t get into the rest of the bank. Jornt

00:15:36.480 --> 00:15:39.600
watches this video footage. JORNT: In the video you see a

00:15:39.600 --> 00:15:44.880
guy walking towards the bank. JACK: This guy is wearing a big black hoodie,

00:15:44.880 --> 00:15:48.320
he’s got a long scarf but he wraps it around his face so you can’t see what he looks like,

00:15:48.320 --> 00:15:52.640
and he’s holding a big black duffel bag. He opens up his jacket, takes out his debit card,

00:15:52.640 --> 00:15:56.320
and swipes it on the doors, which lets him into the lobby where the ATMs are.

00:15:56.320 --> 00:16:02.800
JORNT: As soon as he got in the ATMs started to blink. He walked towards the first ATM and

00:16:02.800 --> 00:16:07.360
then this whole pack of money came out. JACK: Literally the moment he enters the lobby

00:16:07.360 --> 00:16:12.640
the ATMs suddenly start spitting out all kinds of cash in all of the cassettes. He didn’t even

00:16:12.640 --> 00:16:17.200
touch a single button on the ATM. JORNT: Then the money just kept on coming

00:16:17.200 --> 00:16:22.000
out so he just kept on filling his sports bag. Then he went to the next ATM and to

00:16:22.000 --> 00:16:25.520
the next one, and to the next one. JACK: There were four ATMs in this lobby

00:16:25.520 --> 00:16:30.000
and all four of them are blinking wildly and they’re spewing out thousands of Hryvnia, the

00:16:30.000 --> 00:16:34.400
Ukrainian money. As fast as they’re popping out of the ATM, this guy is shoving them into

00:16:34.400 --> 00:16:38.720
his duffel bag. The operation seemed very precise and was done very quick.

00:16:38.720 --> 00:16:43.840
JORNT: When all four ATMs were empty he left and without even

00:16:43.840 --> 00:16:51.280
touching the ATMs he was able to rob them. JACK: The bank said there was around $250,000 in

00:16:51.280 --> 00:16:57.120
each of the ATMs he just stole from which meant he took about a million US dollars in just a few

00:16:57.120 --> 00:17:03.600
minutes, [MUSIC] somehow magically emptying all the ATMs without even touching them. This isn’t

00:17:03.600 --> 00:17:07.440
a hack; this is a superpower of some kind. Forget about the team at Kaspersky solving this. You

00:17:07.440 --> 00:17:10.560
need Batman or someone on this one. JORNT: Yeah but come on, it’s not

00:17:10.560 --> 00:17:14.960
something that is… JACK: Hollywood movie magic?

00:17:14.960 --> 00:17:19.760
But seriously, no matter how weird a hack may seem there is always an explanation for it.

00:17:19.760 --> 00:17:23.200
Jornt and his team began trying to think of what this could be.

00:17:23.200 --> 00:17:28.880
JORNT: First we thought that this was a modified version of another malware that we already knew

00:17:28.880 --> 00:17:32.640
about that was called Toucan. JACK: Yeah, Toucan is pretty slick.

00:17:32.640 --> 00:17:36.320
It first requires hackers to remotely access the ATM over the network.

00:17:36.320 --> 00:17:42.320
JORNT: For your information an ATM is just a computer running Windows so it’s possible

00:17:42.320 --> 00:17:45.040
to install malware on it. JACK: Once a hacker gets into the

00:17:45.040 --> 00:17:48.560
ATM over the network they plant this Toucan malware on it.

00:17:48.560 --> 00:17:54.240
JORNT: This malware, it was active between twelve o’clock and three o’clock in the night. When you

00:17:54.240 --> 00:17:57.920
entered a special code… JACK: This is a special code

00:17:57.920 --> 00:18:01.920
you just put right on the pin pad of the ATM, then you get access to the Trojan’s

00:18:01.920 --> 00:18:07.280
menu. From here you can see how many cassettes there are and how many bills are in each one.

00:18:07.280 --> 00:18:11.600
Then there’s a little special code at the bottom of the screen which is called a challenge.

00:18:11.600 --> 00:18:15.920
JORNT: Then you get the challenge. You send it to your boss and he calculates a

00:18:15.920 --> 00:18:19.840
response. You enter the response. JACK: Whoever is at the ATM sends this code back

00:18:19.840 --> 00:18:24.240
to the hacker and then they generate another code so that you enter it back into the ATM.

00:18:24.240 --> 00:18:28.000
JORNT: Then you basically get into the god-mode menu because you can choose

00:18:28.000 --> 00:18:31.840
from which cassettes you want the money. JACK: Then you literally get to say ‘give me the

00:18:31.840 --> 00:18:36.400
money from cassette one’ and money just comes right out. It’s a pretty slick attack and it

00:18:36.400 --> 00:18:44.240
works really well when set up correctly. JORNT: Back at the time it was one of the first

00:18:44.240 --> 00:18:50.160
ATM malware versions that was there, you know? Now there are dozens, way more, but back then

00:18:50.160 --> 00:18:56.720
it was one of the first. Because of the modus operandi, you enter in the middle of the night.

00:18:56.720 --> 00:19:02.080
We thought that this was a modified version so we asked the bank for hard disks of the

00:19:02.080 --> 00:19:07.520
ATM so we could search for malware. JACK: Jornt took these disks back to the lab

00:19:07.520 --> 00:19:10.560
and investigated them thoroughly. JORNT: We couldn’t find anything.

00:19:10.560 --> 00:19:18.000
JACK: [MUSIC] The trail went cold. Jornt was stumped. He had absolutely no clue how this

00:19:18.000 --> 00:19:22.720
attack happened. There was no sign of any malware or suspicious activity on the ATMs.

00:19:22.720 --> 00:19:27.168
How could this be? Months go by; no progress.

00:19:27.168 --> 00:19:32.880
Jornt just stopped investigating, thinking it was just some really weird anomaly. Maybe magic,

00:19:32.880 --> 00:19:37.360
who knows. But then out of nowhere… JORNT: We got a call

00:19:37.360 --> 00:19:41.600
from an account manager. JACK: But this wasn’t an ordinary

00:19:41.600 --> 00:19:45.280
call. The account manager was calling him at three a.m.

00:19:45.280 --> 00:19:48.080
JORNT: It was in the middle of the night and the guy just said that

00:19:48.080 --> 00:19:50.960
we have to call this number. We were like man, it’s in the middle

00:19:50.960 --> 00:19:54.480
of the night. We’re sleeping. JACK: Jornt was like can’t you just tell

00:19:54.480 --> 00:19:59.653
me what this is for? But the account manager was insistent that he just call this number.

00:19:59.653 --> 00:20:02.640
Jornt and a few of his colleagues [00:20:00] got out of bed, splashed some water on their face to

00:20:02.640 --> 00:20:06.480
wake up a little, and called the number.
