35th Chaos Communication Congress

Truly cardless: Jackpotting an ATM using auxiliary devices.
12-29, 17:10–17:50 (Europe/Berlin), Adams
Language: English

Pursuit of “good customers’ experience“ not only leads to new customers, but also attract criminals of all sorts. Presentation will give overview of current security situation of ATMs with different auxiliary devices allowing cardless transactions. Cardless is new sexy for criminals.


Era of ATMs has started in London in 1967. Since time, when the “hole-in-the-wall” cash machine used radiocarbon paper cheques, ATMs became more complex and smart, providing opportunity to withdraw money without cards. Vendors, in accordance to banks and consumer’s demand, create ATMs that replace plastic cards and PINs with smartphones or QR codes.
Cash withdrawal from an ATM now easier than never before not only for clients, but also for attackers. Jackpotting an ATM via malware or black box are pretty familiar. Countermeasures against such attacks are already in place in many banks. Thus, attackers need to discover new (or well-forgotten) ways to achieve their evil goals.
We will not chew the fat, telling stories about the old days, because new functionality provides new possibilities. Migration from Windows XP to Windows 7/10 means there is always PowerShell on the ATM. “New” types of input devices allow BadBarcode-like attacks. Legitimate auxiliary device connected to the ATM in pursuit of so-called good customers’ experience may lead to ejection of all money from ATM.