MalwareSecurity

Thousands of dollars stolen from Texas ATMs using Raspberry Pi

A Texas court has heard how last month a gang of men used a Raspberry Pi device to steal thousands of dollars from ATMs.

According to local media reports, three men were arrested in Lubbock, Texas, after attempting to steal “large sums of US currency” from ATMs.

The men – 38-year-old Abel Valdes, 41-year-old Yordanesz Sanchez, and 33-year-old Carlos Jordano Herrera-Ruiz – were arrested on August 3 in a hotel room, where a number of Raspberry Pis and other evidence was recovered.

According to court documents, the men used a Raspberry Pi to assist in the heist – plugging it into the ATM and deactivating its security system so that money in the cash drawer could be accessed.

Witnesses allegedly saw the men steal more than US $5,700 from one ATM, and multiple other ATMs across West Texas are thought to have been targeted.

Frankly, a cash out of $5,700 from an ATM feels pretty underwhelming. If you’ve been smart enough to work out how to trick an ATM into handing over its cash, and audacious enough to have the nerve to plug an unauthorised device into a cash machine to subvert its security, then you’re probably looking to get more than $5,700 split between the three of you.

But, if the technique works and can be exploited time and time again, at multiple ATMs, and – critically – if you are not captured in the process, then it may begin to look more attractive to the typical budding criminal.

Details of how the gang breached the security of the ATMs have not been made public – perhaps understandably, as if it was released into the public domain there is clearly the possibility that other criminal groups might try something similar.

Although the use of a Raspberry Pi may make some raise an eyebrow of surprise, it makes a lot of sense for any criminal attempting to interfere with an ATM. A Raspberry Pi is not only cheaper than a laptop computer, but it’s also much easier for a would-be ATM thief to hide about their person without raising unnecessary suspicion.

Valdes, Sanchez, and Herrera-Ruiz have been charged with Unlawful Interception, Use, or Disclosure of Wire, Oral or Electric Communications, as well as Engaging in Criminal Activity.

Cybercriminals targeting ATMs is, of course, nothing new.

Perhaps most famously, the late Barnaby Jack demonstrated his technique of “jackpotting” at the Black Hat conference in 2010, when he was able to trick an ATM into spitting out hundreds of dollars after injecting malware into their operating system through exploitation of vulnerabilities and default passwords.

In 2016, a Thai bank shut down half of its ATMs following a malware attack that cost it $378,000. In the same year, a malicious hacking gang was accused of perpetrating malware attacks against ATMs across Europe.

More recently, in the space of just two hours on 11 August 2018, $14 million was stolen from thousands of ATMs around the world, in an attack linked to North Korea.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button