Hacking Next-Gen ATMs: From Capture to Cashout

Presented at Black Hat USA 2016, Aug. 4, 2016, 11 a.m. (50 minutes).

Over the past year I have worked at understanding and breaking the new methods that ATM manufacturers have implemented in producing "Next Generation" secure ATM systems. This includes bypassing anti-skimming/anti-shimming methods introduced to the latest generation of ATMs, along with NFC long-range attacks that allow real-time card communication from over 400 miles away. This talk will demonstrate how a $2000 investment can perform unattended "cash outs," touching also on failures in the past with EMV implementations and how credit card data of the future will most likely be sold with the new EMV data - with a short life span. This talk will include a demonstration of "La-Cara," an automated cash-out machine that works on current EMV and NFC ATMs. "La-Cara" is an entire fascia placed on the machine to hide the auto PIN keyboard and flashable EMV card system that silently withdraws money from harvested card data. This demonstration of the system can cash out around $20,000/$50,000 in 15 min. With these methods revealed we will be able to protect against similar types of attacks.


Presenters:

  • Weston Hecker - Rapid7
    Weston Hecker has been pen-testing for 11 years and has 12 years of experience doing security research and programming. He is currently working for Rapid7. Weston has recently spoken at Defcon 22 & 23, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, BSides Boston, HOPE 11 and at over 50 other speaking engagements, from telecom regional events to universities, on security subject matter. Weston works with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. He attended school in Minneapolis, Minnesota and studied Computer Science and Geophysics. Weston has found several vulnerabilities in very popular software and firmware, including products from Microsoft, Qualcomm, Samsung, HTC and Verizon.