Bits Blog: Robbing a Gas Station: The Hacker Way

Justin Sullivan/Getty Images

Thieves of the future will look back on today’s stick-up artists and have a good old belly laugh. Why would anyone ever rob a cashier with a gun, when all that is needed is a smartphone?

Matt Bergin, a security consultant at Core Security, discovered he could hack a cash register remotely, popping it open, by sending two digits from his smartphone to the service running on the cash register’s point-of-sale system. No gun or holdup note was required. He was able to do so through a vulnerability in Xpient, which makes point-of-sale software that runs on cash drawers.

“It was extremely trivial,” Mr. Bergin said in an interview Wednesday. He reverse-engineered Xpient’s point-of-sale system, expecting that to interact with it he would have to crack a password or break through a layer of encryption. To his surprise, he encountered neither. By simply sending a two-digit code from his phone to the point-of-sale system, he discovered he could pop open the cash register remotely.

Christopher Sebes, the chief executive of Xpient, said in an interview Thursday that the company had issued a patch for the vulnerability, which Xpient customers can download to their systems. Mr. Sebes noted that customers who had a Windows firewall switched on would be protected from the hack, regardless of whether they had downloaded the patch. He also noted that someone could just as easily pop open a cash register by physically hitting the “No Sale” button on the register itself.

Increasingly, criminals are finding ways to use digital tactics for physical theft. In February, thieves stole $45 million from thousands of New York City A.T.M.’s in a few hours using a few keystrokes. It was one of the largest heists in New York City history, the authorities said, on par with the 1978 Lufthansa robbery at Kennedy Airport that inspired a scene in the 1990 film “Goodfellas.”

Bits Blog: Woman Accused of Robbing Bank and Bragging About It on YouTube

Screen shot via YouTube The authorities say Hannah Sabata stole a car and robbed a bank in Nebraska, and bragged about it on YouTube.

This might seem obvious to some, but here’s a little life tip: If you steal a car and then rob a bank at gunpoint, don’t brag about it in a video on YouTube.

Hannah Sabata, a 19-year-old from Nebraska, stands accused of doing this very thing.

A YouTube user named Jellee Beanie, who the authorities say is Ms. Sabata, posted a seven-minute video last week bragging about a robbery of a Cornerstone Bank in Waco, Neb., where the county sheriff says Ms. Sabata stole $6,000.

Dale Radcliff, the York County sheriff, said in a phone interview that he had already arrested Ms. Sabata by the time residents started notifying him about the video.

“My doctor called me and told me about the video,” Sheriff Radcliff said. “Then we started getting a lot of other calls about the video from people.”

Sheriff Radcliff said that Ms. Sabata had been identified as a suspect by her ex-husband. She sent him a text message, the sheriff said, bragging that she “had a pile of money after robbing a bank and asking if he wanted to go get a new tattoo with her.”

The authorities said Ms. Sabata posted the video, titled “Chick Bank robber,” from her messy bedroom at her parents’ house. She was wearing the same clothes she had worn during the bank robbery, according to the sheriff: a pink and white striped T-shirt and black jeans.

A brief text description of the holdup was attached to the video: “I just stole a car and robbed a bank. Now I’m rich, I can pay off my college financial aid and tomorrow i’m going for a shopping spree.” It added: “Bite me. I love GREENDAY!”

“I’ve been sheriff for 19 years, and in law enforcement for 42 years, and I’ve never seen anything like this,” Sheriff Radcliff said.

In the video, Ms. Sabata writes on a pad of paper describing a play-by-play of the robbery, then holds up the pad to her webcam. It’s difficult to read because the camera creates a mirror image of the words, as most Web cameras do. For those who can’t read backward, the video had subtitles added.

Ms. Sabata paused in the video to smoke something from a pipe — the subtitle says it is a “full bowl of weed.” The Green Day song “Warning” accompanies the video.

At the very end of the video, Ms. Sabata holds up a large pile of cash and smiles. Sheriff Radcliff said the video would most likely be entered at any trial as evidence.

Sheriff Radcliff said that the case would be charged by the York County attorney’s office. Candace Bottorf Dick, the York County attorney, could not immediately be reached for comment.