Chapter 10. J
Jack, Barnaby
Barnaby Michael Douglas Jack (1977–2013), born in New Zealand, made a real splash in the cybersecurity world before his untimely death. Barnaby Jack was indeed his real name—and “jackpotting” was his game. Here’s his story.
In my years researching financial cybercrime, I’ve learned that there are two ways to steal money from a bank. The first is to move the numbers around in the bank’s computer system by digital means, such as gaining access to a victim’s online banking through a phishing attack or stealing their debit or credit card. The second is the old-fashioned way: taking physical bills and coins. Jack’s innovative attack, which he called “jackpotting”, moves no numbers around in people’s bank accounts. It simply takes the cash out of the machine, exploiting vulnerabilities in ATMs to make them spit out all of the money they contain, like a slot-machine jackpot. A single ATM typically contains anywhere from $2,000 to $20,000 in cash, and many run modified versions of Windows.
Jack rose to relative fame at 2010’s Black Hat conference in Las Vegas by publicly demonstrating his jackpotting attack on ATMs made by two major manufacturers, Tranax Technologies and Triton Systems: “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows me to get cash from the machine.” He put malware onto the Tranax ATM through its remote administration network connection, and onto the Triton ATM with a USB stick. The Black Hat 2010 audience ...