ATM hacking spree foiled by tip from ex-con
Rick James look-alike apprehended
A North Carolina man's scheme to steal as much as $350,000 during an automatic teller machine hacking spree was thwarted by an ex-convict, who turned the man in to authorities, federal prosecutors allege.
Thor Alexander Morris approached the Texas-based ex-con looking for help identifying the locations of specific models of ATMs that are known to be vulnerable to tampering, the prosecutors said in court documents filed late last month. With that information in tow, Morris allegedly planned to reprogram the machines to overpay him by changing the cash denominations from $20 bills to $1 bills.
It would appear Morris contacted the wrong man. Brian Rhett Martin turned over a CD containing chat transcripts, photos of Morris, and other evidence to FBI agents. He also put Morris in touch with a purported ATM thief named Leo, who in reality was an undercover FBI agent.
Wearing a wig fashioned after 80s pop star Rick James, Morris was arrested inside a South Houston market after unsuccessfully trying to hack the first of 35 targeted machines, prosecutors said.
The targeted ATMs contain a backdoor that gives unfettered administrative access to anyone who enters a simple series of keystrokes. Wired.com, which reported the arrest earlier, said ATMs manufactured by both Tranax and Triton are known to have the backdoor, though both have updated the firmware on newer machines to force owners to change the passcodes when the ATMs are first booted.
Morris allegedly planned to travel to locations throughout the Houston area and reprogram the machines' cash denominations. He then planned to use prepaid payment cards worth $410, authorities said.
The ATMs would then deliver $8,000 instead of $400. The remaining $10 was left over for banking fees.
To disguise himself, Morris allegedly "donned a long black curly hair wig" that he dubbed his "Rick James wig."
Morris has not yet entered a plea, according to court records. His attorney didn't return a phone call seeking comment. ®
As Safe As A Bank
"The targeted ATMs contain a backdoor that gives unfettered administrative access to anyone who enters a simple series of keystrokes."
It is always very reassuring to see how competent the financial security people are. "Why should we change the default password? Normal people don't read our manuals, anyway..."
I recently read a pamphlet from someone working for a major financial institution, who believed that "compressing this data structure will make it practically undecipherable". These "professionals" don't even waste time to read up on cryptology before they write "technical documents". I could go on writing about the financial IT failures I experienced as a developer and the reaction (or non-reaction) of management to that. Have a look at my Reg Posting history if you are interested.
screw the banks
I found a way to beat the ATM as well.
I did it once just to test and it worked. I called the bank and made them aware of it.
Did I get a thank you, or any kind of reward?
No, I got the $50 withdrawn from my account immediately and then a few months later my accounts all closed.
I never did it more than once to test it.
They didn't even take a moment to investigate my claim, they immediately took the money that I told them I got.
Screw 'em, they would rob you if they could. Just look at return check fees and overdrafts.
Most of them charge you overdrafts even if your account isn't overdrawn.
Banks = Thieves and Liars.
Re: Better Design
Agreed. However, banks (like most businesses) will not voluntarily upgrade or buy new equipment if they don't have to. Ignoring the issue is much easier in the short term, and any long term ramifications can be either (a) diverted to the manufacturer or insurance, or (b) reported as losses to insurance and calls for more authoritarian control and "enforcement".
What better way to get the shareholders to finance the latest planned binge than to wrap it up in (necessarily *secret*) security procedures development, training, and equipment procurement to prevent fraud.
That's called ensuring shareholder value. Phfffttt...
Sorry, just couldn't get that out with a straight face.