Cyber-crooks have been cutting open ATMs to get to USB ports and installing malware which lets them empty the machines of cash, security researchers have demonstrated.
In a presentation, which can be watched online, at the Chaos Communication Congress, two researchers showed how hackers sliced open the ATMs of an unnamed bank and plugged in USB sticks containing malware.
Once the malware was installed and the ATMs patched up, the crooks used a 12-digit code to access a special interface on the machines which displayed a breakdown of how much money, and in what denominations, was in them.
With no honour among thieves, the malware required crooks to enter a second, one-time code to withdraw cash, which had to be obtained by phoning the gang leaders.
When the targeted bank realised that its ATMs were being hit, it stepped up surveillance and caught a man trying to cash out a machine. He was arrested with a malware-holding USB stick on him which was given to the security researchers for analysis.
The analysis suggests that the malicious code was designed only to remove cash - not to steal card data - and was written by a large and skilled team with a deep knowledge of ATMs, say the researchers. It had been written specifically to target one bank but could be of use against other machines running Windows XP.