Hackers Can Force ATMs to Spit Out Money With a Text Message

It's getting remarkably easy to hack ATMs these days, and security researchers say that Microsoft's aging Windows XP is making the problem worse. This week, security analysts at Symantec blogged about a new technique popping up in Mexico that uses text messages to give hackers access. It's as wild as it sounds.

The method does take some grunt work, though. The first step in this method involves installing a known type of malware called Ploutus on an ATM. This requires the thief to physically break into the cabinet and use a CD-ROM or USB stick to infect that machine. In the past, the attack would then be carried out using an external keyboard to crack the ATM's security system. Now, however, you can simply connect a cell phone to the machine via USB and send a text to the phone. The phone turns the text into a network packet that commands the ATM to spit out cash.

This is pretty clever. Basically, the cell phone enables the hackers to mount multiple attacks without having to break into the ATM cabinet every time. Instead, they just need a "money mule" to hang out by the machine and collect the cash after they do the text message trick. And because the USB cable that connects the phone to the ATM also charges the phone, the hackers can do the trick again and again.

As Symantec points out in its blog post, this is all made easier by the fact that 95 percent of ATMs run Windows XP software which Microsoft is about to kill. And that will make it even easier for hackers to develop malware and other techniques to exploit the machines. ATM owners will benefit from updating their software, though that will hardly protect them against the hackers' many methods for milking money out of ATMs.

I guess that's the risk you take when you run a business based on leaving boxes full of cash lying around cities. [Symantec]