Tyupkin hack causes ATMs to give cash away in its thousands

Security firm Kaspersky Lab has discovered a security flaw in cash machines across the world that allows criminals to steal thousands of pounds without a debit or credit card.

Interpol has already alerted countries in Europe, Latin America and Asia and is carrying out a widespread investigation.

Kaspersky published a step-by-step explanation of the hack online. The hack can force cash machines to dispense up to 40 notes at any one time.

The initial step requires physical access to the workings of the cash machine in order to install malicious software via a boot CD. Once the malware, known as Tyupkin, has been installed, a criminal can be sent to the machine to enter a code on the ATM's keypad.

A second unique code is then randomly generated by an algorithm from a remote location. Only when this second code is entered does the machine dispense cash, giving the criminal at the remote location control over how often and when these withdrawals occur.

Vicente Diaz, principal security researcher at Kaspersky, stated that hackers are increasingly targeting financial institutions directly.

"Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," he said.

The attack is not linked to any individual bank accounts, so customers are not affected by the illegal withdrawals.

Kaspersky confirmed that an anonymous financial institution requested that it carry out the investigation, as concerns over ATM security continue to grow.

Many cash machines run outdated operating systems, leaving a number of vulnerabilities. The logistical and financial difficulties of updating ATMs often mean this issue is not addressed.

Earlier this year, a malware strain called Ploutus allowed hackers to dispense cash from ATMs by sending them a text message, while renowned hacker Barnaby Jack discovered a similar technique in 2010 called "Jackpotting."