Tyupkin cash machine hack 'dispenses wads' By Dave Lee

Technology reporter, BBC News Published duration 8 October 2014

media caption WATCH: Kaspersky Lab published this clip showing the hack. Each attack requires a unique code on a pre-infected machine. Repeating the steps here will not produce the same result.

A flaw in cash machines that allows criminals to quickly steal wads of cash has been discovered.

Interpol has alerted countries in Europe, Latin America and Asia known to have been targeted - and is carrying out a widespread investigation.

Security firm Kaspersky Labs discovered the hack, which is enabled by entering a series of digits on the keypad.

Infected cash machines can be instructed to dispense 40 notes at once, without a credit or debit card.

Kaspersky Labs produced a video showing how the hack was carried out. More details were provided in a blog post

Prior to trying to obtain the cash, targeted machines are infected with malicious software via a boot CD.

To do this, criminals need physical access to the workings of the machine.

image copyright Kaspersky Labs image caption The attack requires a remote gang member to share a unique code

Once the malware - known as Tyupkin - has been installed, the "mule" sent to collect the cash must enter a code on the machine's key pad.

But Tyupkin then requires a second unique code - randomly generated by an algorithm at a remote location - to unlock the machine and dispense the cash.

It is this part of the process that ensures the criminal who has this algorithm retains control over when and how often these illegal withdrawals occur.

'Known security weaknesses'

"Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky.

"Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly."

Kaspersky carried out its initial investigation at the "request of a financial institution" - although it would not say which.

The attack does not affect individual customers, instead simply instructing the machine to dispense notes, with no link to bank accounts.

image copyright AP image caption Barnaby Jack rose to fame after demonstrating how to hack a cash machine

The weaknesses of cash machines are routinely under the spotlight in the security industry. Many machines run outdated software, which is hard to update for logistical and financial reasons - there are lots of cash machines, and money needs to be spent upgrading their hardware.

"The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently," Kaspersky wrote.

Earlier this year another malware strain, known as Ploutus, allowed hackers to command machines to dispense cash by sending a text message to them.

In 2010, hacker Barnaby Jack discovered a technique he dubbed "Jackpotting" - in which a cash machine could be made to spew out money.

His demonstration on stage at security conference Black Hat provoked a standing ovation.

Mr Jack died of a suspected accidental drugs overdose in 2013, just days before he was due to give a presentation on the weaknesses in medical devices.

Follow Dave Lee on Twitter @DaveLeeBBC