Two Tennessee blokes use default ATM codes to steal over $400,000

Two Tennessee blokes use default ATM codes to steal over $400,000

Khaled Abdel Fattah, a man based in Tennessee has been arrested for withdrawing money using his debit card. The problem? He re-programmed the ATMs to dispense $20 dollar bills instead of $1 ones. He had taken help of his accomplice Chris Folad, and both of them from Tennessee, United States withdrew more than $400,000 from the ATMS around Nashville.

Former employee goes rogue

When a small-time Tennessee restaurateur named Khaled Abdel Fattah was running short of cash he went to an ATM machine. Actually, according to federal prosecutors, he went to a lot of them. Over 18 months, he visited a slew of small kiosk ATMs around Nashville and withdrew a total of more than $400,000 in 20-dollar bills.These two individuals managed to hack and reprogram the ATMs using just the keypad. These ATMs in question have an operator mode, using which a lot of variables of the machine can be managed and set to default mode. Most ATMs secure this mode by using a secret passcode. Fattah, being a former bank employee, knew this code and abused it to hack into the machines. Once hacked into the system, they reprogrammed the machine to think it was dispensing $1 bills when it reality it was dispensing $20 dollar bills. Once withdrawn, they programmed the machine back so that their little exercise wasn’t detected.

The hack shows how little details can be misused. Vulnerabilities in the most popular machines made by Tranax Technologies and Trident were showcased in a now-legendary “ATM jackpotting” demonstration delivered by security researcher Barnaby Jack at the Black Hat conference in 2010. Jack (who died last year) showed that the Tranax machines could be hacked into and reprogrammed remotely over dial-up, and the Trident ATMs could be physically opened and then reprogrammed through a USB port. The companies responded to Jacks’ research by closing those holes.

The scam

Fattah along with his friend Folad have been carrying out this scam since January 2009. Together, they have allegedly withdrawn $400,000- money which the government now hopes to recover from them. They repeated this scam across most of the ATMs in the city of Nashville. When contacted, Folad referred inquiries to his attorney. “Unfortunately, I am not in a position to discuss anything at the moment,” Folad said in an e-mail. His lawyer also declined to comment. Fattah, who now owns a well-reviewed restaurant in Nashville, didn’t return phone calls about the October 22 indictment.

The government says the men made a few mistakes in the thefts, including being captured on surveillance video while making withdrawals, and, of course, using debit cards issued under their real names. The amount of money taken in Nashville—$400,000—is unusually high, but plenty of other thieves have pulled the same currency-switching scam with more modest returns, and without Fattah’s inside knowledge. Most don’t make the mistake of using their own debit cards, opting instead to buy a prepaid debit card, the kind anyone can pick up at a Walgreens or any such outlets.

Past Hacks

Around 2005, crooks discovered that the default factory-set master passcodes for the Tranax and Trident ATMs were printed right in the service manuals, which were readily available online. Triton’s master passcode was “123456.” This was used by many cybercriminals to loot the Tranax and Trident ATMs then.

The manuals urged machine owners to immediately change the passcodes from the defaults, but many of the small business owners who favor the inexpensive, pedestal-sized machines never made the change. That led to an uncommon phenomenon in the world of cybercrime: hacking as a street crime. After spreading quietly for at least 18 months, the scheme went viral in 2006 when a man was caught on a surveillance tape looting an ATM at a Virginia gas station. The well known TV broadcaster CNN ran the video in 2006, and the truth of the default passcodes surfaced.

Both Tranax and Triton immediately changed their programs to enforce that administrators changed the default codes when the machines are deployed, but machines still exist, that are deployed before this change was made and are still vulnerable with banks not bothering to make any effort at all. “Nobody likes talking about fraud, especially when it’s against them,” Tente says. “Independent operators and financial institutions are very tight lipped about this sort of thing.”

But there’s some evidence that operator passcodes are still an issue, he notes. Last June, two 14-year-old boys in Winnipeg followed internet instructions to gain operator access to a Bank of Montreal ATM at a grocery store, successfully guessing the six digit master passcode. The boys immediately notified the bank, which changed the code.