Typical attacks on ATMs will be presented during the workshop “ATM: every day trouble”. These attacks include sensitive information disclosure (Track1/2, PAN) and unauthorized money withdrawal.
The competition will be divided into two phases. During first phase attendees will be able to intercept and analyze different types of the traffic (network and USB). During second phase competitors will be given access to the USB interfaces to issue commands to ATM devices and network interface to conduct MiTM attack.
The goal of the competition is to show different approaches for money withdrawal and card data intercepting.
Rules of Engagement
. The goal of the challenge is to obtain sensitive information from the bank card or to withdraw money from the ATM;
. Each attendee/team that takes part in the contest will be given bank card and means to obtain network and USB traffic;
. Any attendee is welcome to participate in the competition, just bring yourself and a laptop to our Hack the Bank ATM;
. Denial of Service is not allowed;
. Report discovered approach for obtaining sensitive information and money withdrawal to the Competition’s Team Members;
. Points will be given based on the complexity of the finding;
. Extra points will be given for attacks over USB;
. Use tools and scripts of your liking;
. Any dispute will be resolved on-site by the Competition’s Team Members, who has final decision;
. Disrespecting any of these rules as well as any offensive action taken against any other participants will result in immediate disqualification;
Competition’s Team Members
Alexey Osipov, Lead Penetration Testing Specialist at Kaspersky Lab is the author of variety of techniques and utilities exploiting vulnerabilities in XML protocols and telecom equipment security. Author of advisories for various vulnerabilities for major ATM vendors. A speaker at international security conferences: Black Hat, Hack in Paris (presenting the paper on ATM vulnerabilities), NoSuchCon Paris, Nuit du Hack, Positive Hack Days, HITB GSEC, Chaos Communication Congress and others.
„ATM is a perfect target for criminals. Successful attack gives them real cash, instead of bytes and bits on accounts in Panama. When people spend thousands of dollars (not Zimbabwe dollars, US ones) in shopping malls, attacker get millions from ATMs at the same places. When bankers read financial ratings, hackers clean out their banks. In our presentation, we will cover topics on how to create botnet from ATM network, that will gather all card data, network attacks specific to ATMs connection to processing centers, direct control of the ATM software.” says Alexey who added that „This overview of the security issues in cash machines is not intended as a hacking guide.”
Presentation’s Co-Presenter is Olga Kochetova, Senior Penetration Testing Specialist at Kaspersky Lab.
About DefCamp
DefCamp is the most important annual conference on Hacking & Information Security in Central Eastern Europe that brings together the world’s leading cyber security doers to share latest researches and knowledge. At the 8th edition, on November 9th – 10th, 2017 in Bucharest, will attend more than 1300 decision makers, security specialists, entrepreneurs, developers, academicians, private and public sectors representatives.
Banking 4.0 – „how was the experience for you”
„So many people are coming here to Bucharest, people that I see and interact on linkedin and now I get the change to meet them in person. It was like being to the Football World Cup but this was the World Cup on linkedin in payments and open banking.”
Many more interesting quotes in the video below:
