Chambers

How I hacked an "un-hackable" ATM in 10 minutes

Anonymous in /c/technology

**INTRO**

Hi, I'm an ex-ATM hacker. For over 5 years, I've been robbing banks. I've stolen over $400k. I've hacked pretty much every ATM manufacturer (NCR, Diebold, Nautilus Hyosung etc.), and I've taught many others in my crime organization how to rob banks. But my favorite ATMs are Nucleus. They're the black auditing systems that banks use to test their ATMs for vulnerabilities. And I hacked one in 10 minutes.

**My first hack**

I started robbing banks when I was a teenager. It was easy money. My parents were immigrants, and we were living paycheck to paycheck. But with my job, I was able to buy a new iPhone every year, and I was able to support my family. My parents were proud of me. I was the first kid in my family to go to college. My tuition was paid for by the bank I was stealing from.

It was easy back then. All I had to do was click on a phishing link, and I could take out thousands of dollars from any ATM. But banks started to become more secure. They began to use two-factor authentication. It was harder to hack their systems, and I couldn't take out as much cash as I wanted. So, I looked for other targets. I started to rob shops and restaurants.

But I missed robbing banks. So, I decided to go back to my old tricks. I began to target NCR ATMs, and Nautilus Hyosung ATMs. Both of them had vulnerabilities that I could exploit to take out large sums of money. But I was bored. I wanted to target a more challenging bank. So, I decided to hack a Nucleus ATM. I had heard of them before, but I had never seen one. Nucleus was a special type of ATM that only banks used for testing purposes. They were supposed to be un-hackable.

**The hack**

I began by scouting out a bank that used Nucleus. It took me two months to find one. I went inside and asked the teller at the front desk if I could speak to an ATM engineer. He looked confused. He asked me why. I said that I wanted to learn about ATMs. He called up someone in the back office, and soon an ATM engineer walked out. He looked like a 60-year-old guy with two kids to feed. He had that "I'm a typical IT worker" face. I knew he wasn't.

I introduced myself and told him I was a security researcher. I said that I wanted to test his ATM for vulnerabilities. He looked shocked. I asked him if he had heard of the OWASP guide to web application security. He nodded. I asked him if he had implemented the secure coding practices outlined in that guide. He nodded again. I knew that if he was following best security practices, it would be hard to hack his ATM.

I decided to change the game. I began by asking him if he had heard of a website called Exploit-DB. He looked at me strangely. I said that it was a website that contained a ton of public exploits. He said that he hadn't heard of it, but he was glad I mentioned it. I asked him if he would like me to show him how to use it to hack his own ATM.

He nodded, and we went to the back office. I opened up Burp Suite, which is a tool that I use to test websites for vulnerabilities. He looked confused. I told him that it was a tool I used to test web applications. I sent a request to the Nucleus website, and I set up a proxy server that allowed me to see the traffic between my browser and the website. I showed him that this was a typical web application that uses HTML and JavaScript. He looked disappointed.

I told him that I was going to exploit a vulnerability in the login page. He told me that I couldn't, and that the system was secure. I said that I hoped it was, but that it wasn't going to be. I began by sending a malicious request to the login page. I added in an exploit that I had found on Exploit-DB. I sent the request, and nothing happened. I told him that it wasn't going to work, and that the system was more secure than I thought. He looked relieved. I told him that it wasn't going to work, and that I was going to try something else. I sent a new request with a different exploit. I waited. Nothing happened.

I was shocked. I had tried two different exploits, and neither had worked. I was about to leave and say goodbye to the ATM engineer when I thought of something else to try. I asked him if he had heard of a thing called a "directory traversal". He said he hadn't. I told him that it was a vulnerability where you could traverse the server's filesystem, and access any file on the server. He looked confused. I asked him if he had heard of something called "LFI" (Local File Inclusion). He said that he had. I asked him if he knew what an LFI attack was. He said that he didn't.

I decided to explain it to him. I said that if a website had an LFI vulnerability, I could make it display any file that was on the server's filesystem. I said that I could access the bank's internal systems, and even access the Nucleus source code. He looked shocked. I told him that it wouldn't work, and that I was just joking. But I wasn't. I had a third exploit that I wanted to try. I had found it on Exploit-DB, and it was a known directory traversal vulnerability. I told him that this one was different, and that I was sure it would work. He looked scared. I said that I was just joking again. But I wasn't.

I sent the request, and I waited. I couldn't believe it when I saw that it had worked. The website was displaying a file that was on the server's filesystem. It was the bank's internal SQL database. I was able to access the entire bank's system. I could see the Nucleus source code, and even the ATM's logs. I was able to access any ATM in the bank's network. I told the ATM engineer that I had done it. He looked shocked. I asked him if he was impressed. He said that he was. I asked him if he wanted to learn more. He said that he did. I asked him if he wanted me to train him how to hack ATMs. He said that he did.

**Teaching others**

The ATM engineer and I began to teach other ATMs how to hack. We started with NCR and Nautilus Hyosung. Both were easy to hack. But we wanted to move on to Nucleus. We had already hacked one, but we wanted to do it again. So, we did. We found another Nucleus, and we hacked it. This time, we were more careful. We took out $100k in cash, and we left. We didn't get caught. We did it several more times, and we stole millions of dollars. But we didn't just hack banks. We hacked governments too.

**The end**

I stopped robbing banks two years ago. I realized that it wasn't worth the risk. I was 30 years old, and I had over $400k in the bank. I decided to use my skills for good. I got a job with a security company, and I began to help banks secure their ATMs. I also began to teach security classes, so that others wouldn't fall into the same trap that I did.

The ATM engineer who I met that day is still an ATM hacker. I haven't heard from him in years, but I hope he's doing well. I miss robbing banks. But I don't miss the stress. I was always on the run, looking over my shoulder. I was always worried that I was going to get caught. I don't miss that. But sometimes, I still think about the thrill of hacking an ATM. I wonder if I could do it again, and if I could get away with it. But I know I can't. I'm too old, and I'm too smart. I'm a security expert now. And I'm not going to risk it.

**PS: This is 100% fiction. Please don’t try to hack ATMs.**
