The sale, which ended early on Monday, saw a Triton 9100 ATM machine sold, with the seller describing the item as “removed from a working environment” and “ATM has error code”. The ATM was listed for sale at £300, and swiftly disappeared from sale with the message “Les enchères sur cet objet sont terminées” (the bids/bets on this object are finished) replacing it.
In an email to IT Security Guru, a spokesperson for eBay said that it was unable to comment on specific sales, but said that eBay sellers must comply with its published policies, which includes prohibiting items which promote or relate to criminal activity, and we take steps to ensure this takes place.
They said: “The listing you highlighted does not relate to criminal activity and so is permitted on the site.”
According to research by Group IB, hackers are able to reprogram ATM machines to introduce malicious scripts to ATM software. In some cases, the purpose is to record any ATM card numbers and pins used on the compromised machines and to make cash withdrawals from those accounts, while other scripts can reprogram an ATM to pay out larger value notes than they should.
Dave Hartley, managing consultant at MWR InfoSecurity, told IT Security Guru that this ATM, and any others for sale, should not be able to communicate or authenticate with the same back end that it did before being decommissioned so you could not just plug it into the wall and/or data connection, and expect it to be able to operate it as a working ATM.
He said: “That is not to say that you couldn’t install your own software or modify existing software on the device to return an ‘out of order’ message and simply leave it in a location to capture card details as they were inserted or entered by unsuspecting members
of the public, but the system shown for sale in the link provided looks very similar to those found in non banking locations, such as convenience stores, public houses, places of work, entertainment venues etc.
“It would be very difficult to ascertain from visual impressions alone, that this ATM was not legitimate if found in one of those locations. These often show out of order messages/insufficient funds etc. after entering details. I’d argue that this is a risky endeavour and would likely result in someone being arrested when they return to retrieve the machine. It might be worth the £300,000 listing price on eBay though if the data is collected remotely. However as its placement is likely to require the cooperation of the location proprietor, it is a risky criminal enterprise that could likely be traced.”
He suspected that someone bought it to conduct research in order to identify points of attack, and if found, craft exploitation kits to target live ATM systems. “It is also just as likely that enthusiasts may purchase the machine to use it as an interesting feature piece in their home,” he said.
With regards to the owner’s responsibili
ties, Hartley said that whoever originally owned this system should have contacted the supplier to request advice on how best to dispose of it.
“Often these things are sold in the same configuration they were using when deployed, so it’s theoretically possible that they may be able to operate, and possibly even dispense cash,” he said. “However, the advantage to someone doing this by buying the ATM is minimal, they would still be charged for the withdrawal, and the commission for the transaction would likely go to the previously registered merchant. Similarly, modifying the software or hardware of the device is likely to be a highly skilled activity, although it is theoretically possible.”
He said that ultimately, buying an ATM from an untrusted source is not a secure way to conduct card transactions, hence why most ATMs are purchased directly from approved resellers.