ATM CTF by RedBalloonSecurity
Hey all, this weekend I got to play a really neat CTF at Hushcon West, an ATM-based CTF put on by Red Balloon Security. This wasn't the official Hushcon CTF, rather a side CTF set up by a sponsor. This was a novel CTF to me because it involved cloning and writing new ATM cards to access other bank accounts, abusing the lack of security controls around traditional mag stripe credit cards. It started by interacting with the ATM, which provided instructions for joining the local network. Once on the network you could locate and scan a host, which provided several ports for interacting with the ATM and a web page with simple CTF challenges. The first challenge involved decoding some hex to get a new URL, which required getting your card's account number and entering it into the application for a new account number. Thankfully they had a mag stripe reader and writer there on site, along with an application for formatting the data for writing to the track 1, 2, and 3 locations. To start, I simply read in my card and edited some of my basic account information. After entering the account number into the application I was able to get a new account number and re-write my card with the new primary account number to access another account.
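Added example, not part of the original post or the CTF's tooling: a small Python check of what a swiped Track 2 read actually carries, showing that a well-formed track with a valid Luhn digit raises no findings because nothing on the stripe authenticates it. It assumes the standard ISO/IEC 7813 Track 2 layout; the function names and sample strings are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: catches keying errors, authenticates nothing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a Track 2 read into its static, unauthenticated fields."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    pan, expiry, service, disc = m.groups()
    return {
        "pan": pan,
        "expiry_yymm": expiry,
        "service_code": service,
        "discretionary": disc,
        "luhn_ok": luhn_ok(pan),
        # First service-code digit 2 or 6 means the card also carries a chip.
        "chip_capable": service[0] in "26",
    }


def swipe_findings(raw: str) -> list:
    """Flags a terminal or issuer host can raise on a swiped read."""
    t = parse_track2(raw)
    findings = []
    if not t["luhn_ok"]:
        findings.append("PAN fails Luhn check")
    if t["chip_capable"]:
        findings.append("chip-capable card presented by swipe (fallback)")
    return findings


# Constructed samples built around the public 4111... test PAN (not real cards).
SAMPLE_MAGSTRIPE_ONLY = ";4111111111111111=30121010000000000?"
SAMPLE_CHIP_CARD = ";4111111111111111=30122010000000000?"
SAMPLE_BAD_PAN = ";4111111111111112=30121010000000000?"
```

An empty findings list for `SAMPLE_MAGSTRIPE_ONLY` is the point: the stripe alone gives the host nothing to distinguish an original from a copy, so the decision rests on checks made off the card, such as PIN verification.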
The security control in this case, other than just the account number, would be a PIN for the account. However, the ATM forwards the PIN to the bank to check the authentication, and in this case a Raspberry Pi was set up to send a successful authentication for any PIN entered. Now that I could access this new account, I simply checked the account balance and cashed it out for what it contained, in this case $6!
There were two additional challenges in this CTF that I believe @jrozner and @dade solved, but I continued to wander around the conference. It was super cool seeing real-time cash prizes for a CTF vs just prizes for first, second, and third place; I thought this was a really interesting and awesome CTF feature. I also thought this CTF had a really cool theme, as it felt pretty realistic to how credit card theft / cloning can work in the real world (at least pre-chip-and-PIN in the US). Hopefully we start to see more of these unique device CTFs popping up at conferences.