ATM Malware Author Sentenced: 27mos in Prison

A US District Judge in North Carolina handed down the sentence to Rodney Caverly along with a restitution order of more than $400,000 (70% to cover the cash stolen and 30% — over $100,000 — to cover “costs incurred by BOA” to remove the malware).

According to court records and sentencing proceedings, Caverly, who was hired by BOA to design and maintain its computer systems, had been assigned to work on a project involving the bank’s automated teller machine (ATM) system. Filed documents and court records show that from March 2009 to October 2009, Caverly knowingly and with intent to defraud exceeded his authorized access by gaining access to one or more protected BOA computers and deployed a malicious computer code to select BOA ATMs. The malicious code caused a limited number of infected ATMs to disburse cash from the ATMs without any transaction record of the cash disbursements. The code Caverly entered caused only the unauthorized disbursement of cash stored in the ATM machines and did not affect any financial accounts of BOA’s customers.

The charges were filed April 1, 2010, but the attacks started in early 2009, months before Barnaby Jack was to present at the BlackHat conference:

In the description of his talk on the conference web site, Jack wrote that, “The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.”

Jack’s talk was cancelled due to controversy over the timing.

…the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack’s presentation until all affected vendors have sufficiently addressed the issues found in his research.

The vendors were given more time, but by early 2010 another case was filed, related to a North Carolina grocery worker planning to manipulate the software on 31 ATMs.

To prove to Brian Martin that Morris knew what he was actually in a position to gain unauthorized access into the specific Tranax ATM machines, Morris sent Brian Martin a manual titled Tranax_MB_Operator_Manual that describes the key sequence to enter the specific ATM machine’s programming and then the master password. Morris also sent Brian Martin two other manuals on how to gain unauthorized access into another type of ATM machine and a manual for a supermarket/store point of sale credit/debit card processor.

When Jack returned to the conference in the summer of 2010, he was finally able to present his views, but with a very different tone. He was no longer talking about the rareness of targeted attacks on software, but rather about the ease of a software attack.

Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows me to get cash from the machine.

To sum it all up, the very large amount of restitution money ordered for “costs incurred” may not be just to fix Caverly’s bad code…it also may be influenced by an effort to secure ATMs against outsider attack methods that are increasingly public.
