Slashdot: News for Nerds

Remote ATM Attack Uses SMS To Dispense Cash

timothy posted about 3 months ago | from the $$$-rofl-omg-$$$ dept.

Security 150

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

150 comments

Asleep at the wheel. (5, Insightful)

Forbo (3035827) | about 3 months ago | (#46574443)

"The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

Really? This stuff isn't being done to begin with?

Re:Asleep at the wheel. (3, Interesting)

Lumpy (12016) | about 3 months ago | (#46574537)

Banks barely do anything. They make insane profits but the scumbags refuse to spend a dime on security or maintenance.

The difference between a bank and organized crime is that you know what to expect from organized crime.

HUH? (0)

Anonymous Coward | about 3 months ago | (#46574715)

What do you mean "scumbags"? They are not charging you a red cent if they have a theft.
For all you know they have weighed the options and to implement security at this time is more expensive than to deal with a few isolated losses.

Either way! It doesn't affect you, and you have an obvious and wrong bias.

Re: HUH? (0)

Anonymous Coward | about 3 months ago | (#46574865)

Yeah want my money in a bank that facilitates theft.

Re:HUH? (2)

50000BTU_barbecue (588132) | about 3 months ago | (#46574949)

"they are not charging you a red cent if they have a theft."

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Re:HUH? (3, Informative)

coinreturn (617535) | about 3 months ago | (#46575023)

"they are not charging you a red cent if they have a theft."

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.

Re:HUH? (1, Flamebait)

50000BTU_barbecue (588132) | about 3 months ago | (#46575237)

Either way, the bank either charges you higher service fees and lower interest, or it gets private insurance, or it goes crying, Oliver Twist-style, to the government with its hands out. The bank loses nothing. Ever. But they sure tell YOU to take risks!

Re:HUH? (0)

coinreturn (617535) | about 3 months ago | (#46575847)

Either way, the bank either charges you higher service fees and lower interest, or it gets private insurance, or it goes crying, Oliver Twist-style, to the government with its hands out. The bank loses nothing. Ever. But they sure tell YOU to take risks!

Like I said, government does not pay for theft. Okay, so it raises service fees or gets private insurance. Are you complaining that their business model is to profit?

Re:HUH? (1)

codebonobo (2762819) | about 3 months ago | (#46575339)

"they are not charging you a red cent if they have a theft."

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.

I seem to remember trillions of dollars in bailout insurance being paid to banks, not the customers through FDIC, while they remained open and more profitable than ever. This is socialized government insurance, where moral hazard is removed and it's business as usual.

Re:HUH? (1)

galloog1 (3433335) | about 3 months ago | (#46575639)

You mean loaned out to banks. Banks either paid that back or they failed. Most of it was paid back.

Re:Asleep at the wheel. (1)

JoeMerchant (803320) | about 3 months ago | (#46574849)

Banks are protected by law enforcement, insurance, etc. They have well established loss rates due to theft, fraud, etc. and they take appropriate measures to address those loss rates.

I, personally, would not want to pay a surcharge on my ATM card or other bank accounts to supplement the current security with "overkill" measures that cost more than they benefit, just for the satisfaction of knowing that crooks can't steal from MY bank.

Re:Asleep at the wheel. (1)

Anonymous Coward | about 3 months ago | (#46574971)

Overkill such as following standard security protocols and networking and IT basics? Or using 2 decade old smart-card technology that EUROPE has used for 20 years? The solution is to go back to strict bank regulation. They obviously can't be trusted to operate on their own.

Re:Asleep at the wheel. (0)

Anonymous Coward | about 3 months ago | (#46575309)

They've obviously done the cost-benefit analysis. Why should you care which choice they make? Your money's not at risk.

Re:Asleep at the wheel. (1)

GTRacer (234395) | about 3 months ago | (#46575357)

It is if some other weakness they've allowed due to the cost/bene analysis leads to someone taking money from my account. Sure, I can get it back, likely without much trouble. But what if a bill came due during the loss and recovery that wasn't paid out and then I get stuck with a late fee and the headache of dealing with that account?

Re:Asleep at the wheel. (2)

camperdave (969942) | about 3 months ago | (#46576229)

What do banks have to do with ATM design? They just buy/lease them from ATM providers.

ATM running Windows 2000 (0)

Anonymous Coward | about 3 months ago | (#46574581)

Last year (2013) I went for a tour in a foreign country.

One day I went to a local bank's ATM trying to get some cash, in the ATM lobby there were 6 ATM machines. 4 were working, one had totally shut down, and on the sixth, I saw the desktop (Win 2000 version) appearing on its screen.

Re:ATM running Windows 2000 (0)

Anonymous Coward | about 3 months ago | (#46574735)

Thanks for the MS bash. Once you realize the level of access you need to the machine to deploy this exploit you'd realize that the OS that machine runs is pretty much irrelevant.
 
But I know you don't have much else to live for so bash away.

Re:ATM running Windows 2000 (1)

NatasRevol (731260) | about 3 months ago | (#46574975)

What, you think the exploit wasn't using Windows? And that wasn't relevant?

Delusional!

Re:ATM running Windows 2000 (0)

Anonymous Coward | about 3 months ago | (#46575855)

What? You don't think having PHYSICAL FREAKING ACCESS to the box isn't a bigger problem than what OS they're running? Delusional!
 
You're debating what knife an assassin used to kill a target in what should have been highly secured fortress.

Re:ATM running Windows 2000 (1)

NatasRevol (731260) | about 3 months ago | (#46575999)

Yeah, I'd be complaining if there were no soldiers on the inside to protect a wall breach.

The emperor really doesn't have any clothes.

Re:ATM running Windows 2000 (1)

PRMan (959735) | about 3 months ago | (#46575567)

I have also seen a Windows 2000 screen on an ATM recently in America.

Every management team ever. (0)

Anonymous Coward | about 3 months ago | (#46574601)

Of course it isn't being done already. You have any idea how much it costs to get someone to lock down/upgrade everything due to how idiotic the people in management are and who think "more expensive is better"?

Re:Asleep at the wheel. (1)

Joce640k (829181) | about 3 months ago | (#46574667)

Really? This stuff isn't being done to begin with?

Why would they? It's in a locked steel box. People aren't using it to surf the web.

Re:Asleep at the wheel. (2)

Errol backfiring (1280012) | about 3 months ago | (#46574795)

Actually, they do surf the web (or did. I sure hope they fixed it). That is one of the problems with ATMs. The connection with the bank may be secured, but the devices are still attached to the big bad internet. So if you replace a device driver (or add your own piece of hardware), all communication channels are just waiting for you to be abused.

Re:Asleep at the wheel. (2)

SQLGuru (980662) | about 3 months ago | (#46575105)

The 7-11 I used to frequent had an Ethernet jack near the soda dispensers......this jack was where the nearby ATM was plugged in. It would have been quite easy for me to insert any sort of device between the ATM and the jack. There was enough space between the jack and the ATM and there was also a valid reason for me to be in the area that it wouldn't look like I was doing anything with it. While it wasn't an official bank ATM (unaffiliated), I still could have been malicious had I wanted to. [I also never had a reason to use that ATM and am always wary of using an ATM that isn't physically at a bank...not that those are drastically safer.]

Re:Asleep at the wheel. (1)

gstoddart (321705) | about 3 months ago | (#46574745)

Do you know how many times I've seen an ATM with the Windows Blue Screen of Death on it?

Not hundreds, but over 30. I have *long* suspected these things are exceedingly vulnerable computers being used when they shouldn't be.

I've been in airports and seen the arrivals/departures board showing NT errors. I have seen stuff in shop windows and other stuff showing similar stuff. A lot of medical devices can't be upgraded because the company never certified it beyond a certain level of Windows.

I usually make a point of photographing them when I see them, and I've seen more than a few.

You shouldn't be surprised, though, you should be disappointed. This has been true for at least a decade, and probably even longer.

Vendors just throw stuff on top of Windows and leave it unpatched. Often the security features rely on either obscurity, prayer, or somewhat weak physical security.

Re:Asleep at the wheel. (1)

JDG1980 (2438906) | about 3 months ago | (#46575081)

I once went to a BB&T ATM and when I tried to use it, it crashed with an Internet Explorer script error.

Re:Asleep at the wheel. (2)

HornWumpus (783565) | about 3 months ago | (#46575633)

I've seen genuine guru meditation errors on screen from the local public access channel in the last 5 years. Think about that. An Amiga still in daily use.

Re:Asleep at the wheel. (1)

AmiMoJo (196126) | about 3 months ago | (#46574881)

Banks usually make an effort to have physical security, but not so much all the random supermarkets and shops that have an ATM inside.

What is more interesting is that the cash draw is physically secure. The attackers don't bother trying to open it. Instead they attack the control hardware, and you would think they could make that equally secure. It seems that the desire to load firmware updates, or more specifically new advertising on to machines via a simple and largely unprotected USB connection was too much to resist.

Physical access? (4, Insightful)

Vlado (817879) | about 3 months ago | (#46574455)

So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.

In my opinion this begs a whole set of other security questions first....

Re:Physical access? (0)

Anonymous Coward | about 3 months ago | (#46574631)

Yeah, can someone with knowledge of how ATM's are set up enlighten us? I'd think that if you had physical access to the USB port, you would also have physical access to the cash itself and could just take it. Is there typically a USB port stuck on the *outside* of the box somewhere?

Re:Physical access? (0)

Anonymous Coward | about 3 months ago | (#46574685)

It says in the article's links that you have to cut a hole in the ATM to access the controller computer's USB port.
I think the difference is that to get to the cash, you have to cut a big hole.

Re:Physical access? (1)

228e2 (934443) | about 3 months ago | (#46576059)

Isn't this what Barnaby did years ago at Black Hat? Where is the news? Physical access to a (sadly) not locked down computer isn't too hard to compromise.

Re:Physical access? (1)

Anonymous Coward | about 3 months ago | (#46574709)

In the vast majority of ATMs there is just an ordinary PC running Windows XP, they are not secure at all from a tech standpoint. This is about being able to steal in the future. If you come in dressed as the repair guy and hide a phone connected to the PC, you didn't take any money, the money fillers won't notice anything nor any audits if any are done. Then you wait a year or whatever and start stealing from it, if they do manage to figure out it's infected/find the phone, who put it there? Do they still have the footage? How many people have used/filled/fixed/etc this machine? etc. etc. Makes it a lot harder to get back to the real perp.

Re:Physical access? (1)

Anonymous Coward | about 3 months ago | (#46574639)

In my opinion this begs a whole set of other security questions first....

No, it doesn't. It raises questions.

"Begs the question" means something entirely different than what you meant. Please don't misuse this term.

http://begthequestion.info/ [begthequestion.info]
http://public.wsu.edu/~brians/... [wsu.edu]

Re:Physical access? (0)

Anonymous Coward | about 3 months ago | (#46574689)

Which begs the question, who's on first?

Re:Physical access? (1)

MightyYar (622222) | about 3 months ago | (#46574993)

That battle is lost, man. The language has already changed.

Re:Physical access? (0)

Anonymous Coward | about 3 months ago | (#46575483)

'It's' also seems to mean 'its' more often than 'it is' these days. I try to stick to the old definitions.

Smartphones have more processing power (0)

Anonymous Coward | about 3 months ago | (#46574663)

to emulate other devices such as a keyboard or mouse. It's easier to write an app that reads SMS on a smart phone than on a normal one. Also the term ATM is fairly broad here. There are ATMs that are built into a wall of a bank and then there are the freestanding ATMs that are often 'jackpotted' as described above.

Re:Physical access? (4, Insightful)

CastrTroy (595695) | about 3 months ago | (#46574683)

Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote exploit. If that's the definition of remote exploit, I don't think there's a system on the planet that isn't vulnerable.

Re:Physical access? (1)

Anonymous Coward | about 3 months ago | (#46574873)

...AFTER drilling a hole in the physical device...

There's a joke somewhere in there; complete the phrase "Any 'remote' exploit which involves drilling..."

Re:Physical access? (0)

Anonymous Coward | about 3 months ago | (#46575367)

I don't think it's possible to secure a computer that grants users physical access. I think they need to start putting the computers down below, in the safe where the money is (or 2nd safe). This includes the diagnostic/usb ports. Then, they should employ software that will shut down the system if there's a change in attached USB hardware. Legit diagnostics will become less convenient, but there's balance.

Re:Physical access? (1)

Joce640k (829181) | about 3 months ago | (#46574691)

(why smartphone, by the way?)

It probably connects to a serial port or something.

ATM machines have ports where you can plug in a diagnostic computer. One of the diagnostic functions will be "test the cash dispenser".

The SMS trigger is just there so they can do it at night and make sure somebody's standing there to grab the money.

Re:Physical access? (1)

Splab (574204) | about 3 months ago | (#46574777)

Wrong century... ATMs of today are running on off the shelf hardware, with "special" (as in special needs) operating systems (Windows). They have exposed USB ports under the hood and to make it completely idiotic, the only thing locked behind high security is the money. The motherboard is quite often found just under the keypad, which can be accessed by standard keys.

See these guys http://www.youtube.com/watch?v... [youtube.com] (Unfortunately the actual hack is poorly recorded, but still quite interesting).

Re:Physical access? (1)

mlts (1038732) | about 3 months ago | (#46576031)

I'm pretty sure that the rationale for slack physical security (other than the cash box) is that the store clerk or the camera pointed at it will discourage people from drilling holes in the CPU.

As per a previous /. article, maybe ATM makers moving to a new OS and PC might help matters. Linux is a good candidate. No AutoRun/AutoPlay capability present for starters (although Windows can have it easily turned off as well.)

Ideally, what might be best is to move to a motherboard that is designed from the ground up to make it tamper resistant. Yes, the initial expense might be a bit high, but once made, the only thing needed to upgrade future ATMs would be new graphics for the dancing animals in the background and signed OS updates for future security issues. ARM itself has TrustZone and TPM capabilities... and an ATM is where those capabilities would be perfect for the job without expensive additional hardware or ASICs.

Re:Physical access? (1)

JoeMerchant (803320) | about 3 months ago | (#46574901)

Seems to me that it needn't be a smartphone, any device with the proper digital interface can probably do the trick - but it makes better press to say "Force the ATM to dispense cash using SMS..."

I suppose it might make it easier for the crooks to blend in while they take away the loot - just send the SMS while you act like you are doing a legitimate transaction and then walk away with $400. Come back later and do it again, and again... Get a lot of "theft rush" and exposure to potential arrest for your efforts, not so much cash, but you don't look as suspicious as you would if you tried to stuff $10K in 20 dollar bills into your pockets all at once.

Re:Physical access? (1)

hankwang (413283) | about 3 months ago | (#46575479)

"So, this method requires quite a bit of physical access to the ATM. "

I did once peek over the shoulders of a guy servicing one of those in-store ATMs (i.e., one that looks like a stand-alone cabinet, not one that's integrated into a wall). Apparently, it's not all that tightly locked down, hardware-wise. The guy told me that only the compartment that contains the banknotes and the counting mechanism has heavy physical security, and that he couldn't access that part. That was why he was allowed to service the machine by himself, in the middle of a busy store.

There's an app for that (4, Funny)

gnick (1211984) | about 3 months ago | (#46574457)

I'd like to announce my new app for sale - Free after using the $200 rebate redeemable at a nearby ATM.

Diebold (2, Interesting)

Anonymous Coward | about 3 months ago | (#46574481)

How's Diebold for a guess? Those fuckers are vulnerable to just about everything.

Re:Diebold (1)

DickBreath (207180) | about 3 months ago | (#46574521)

Okay. Let me amend the article summary for you . . .

"Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines . . . because Diebold already has a bad enough reputation with its e-voting machines."

Better?

Re:Diebold (0)

Anonymous Coward | about 3 months ago | (#46575685)

I can confirm it's Diebold. Posting as AC because fuck you, Diebold.

Diebold? (-1, Troll)

jsepeta (412566) | about 3 months ago | (#46574503)

It's gotta' be Diebold, famous makers of the voting machines used to swing the Bush "elections". They now call themselves Premier Election Systems. But Diebold is one of the primary manufacturers of ATMs.

Re:Diebold? (0)

Anonymous Coward | about 3 months ago | (#46574731)

Seriously? The % variance from election to election is about 2-5%. Has been for years. Our country pretty much votes 50/50 for the two parties. The only exception was the 92 election in which Perot got a significant amount. It has been this way since the 60s. Even the 'landslide' of Reagan vs Mondale was by ~2%.

Accept it. Both dudes lost by a narrow margin. You are clinging to conspiracies because your dude lost. Even the 'crushing victory' in the last two was by ~1%. Voter fraud does exist. However, statistically it is negligible. Even Nate Silver accepts that...

Re: Diebold? (1)

Anonymous Coward | about 3 months ago | (#46574907)

Actually Obama beat Romney by 3.7 % of popular vote, not 1%. And about 100 more electoral college votes for Obama.
And Reagan's landslide over Mondale was indeed a landslide. Reagan--57% to Mondale's 42%. The only state Mondale took was Minnesota. And in the electoral college Reagan had 97% of the votes.

Re:Diebold? (0)

Anonymous Coward | about 3 months ago | (#46575029)

Yes it's tight between the two sides, but that makes it even easier to rig things. You don't cheat in obvious/noticeable ways, like by flipping districts/states that are solidly in either camp and where a change would cause serious surprise and possible/likely investigation, instead minute tweaks in disputed/swing districts/states can be enough to shift the national result thanks to the FPTP system...

Re:Diebold? (1)

sexconker (1179573) | about 3 months ago | (#46575769)

Seriously? The % variance from election to election is about 2-5%. Has been for years. Our country pretty much votes 50/50 for the two parties. The only exception was the 92 election in which Perot got a significant amount. It has been this way since the 60s. Even the 'landslide' of Reagan vs Mondale was by ~2%.

Accept it. Both dudes lost by a narrow margin. You are clinging to conspiracies because your dude lost. Even the 'crushing victory' in the last two was by ~1%. Voter fraud does exist. However, statistically it is negligible. Even Nate Silver accepts that...

Successful voter fraud is undetectable, and thus immeasurable.
You cannot quantify it without verifying individual votes, and you can't do that without tracking each individual vote and removing voter's anonymity.

I am not claiming that it is rampant. I am merely stating the fact that you cannot know how much of a problem it is. Saying it's very rare is as much bullshit as saying it's very frequent.

Re:Diebold? (1)

DickBreath (207180) | about 3 months ago | (#46575129)

> They now call themselves Premier Election Systems.

OT, I know, but shouldn't that be: Premier Election Rigging Systems?

Who said no one would pay for SMS (3, Funny)

Anonymous Coward | about 3 months ago | (#46574505)

after whatsapp.

Re:Who said no one would pay for SMS (1)

Anonymous Coward | about 3 months ago | (#46574597)

In soviet russia SMS pays yo... wait, that doesn't make sense since this is about the USA.

Symantec ad (1)

roman_mir (125474) | about 3 months ago | (#46574555)

So this is a Symantec ad, I don't have a problem with advertising, but call it what it is. Windows XP used in an ATM? Well, I can see how this can be a problem, but how is this SMS based attack specific to Windows XP exactly? What, if the ATM in question was running VAX/VMS it wouldn't support SMS based attack due to its lack of SMS support? :) I mean there are no details as to how an SMS makes it possible to get cash out of the machine and I don't see at this point how it is OS related. Any OS with appropriate software could do the same, no?

Re:Symantec ad (1)

mlk (18543) | about 3 months ago | (#46574841)

The SMS is just a way to communicate to the phone. What the hackers have done (if I'm reading the FA correctly) is make a phone pretend to be a USB keyboard attached to the PC in the ATM. The phone can then be set up to send a control sequence to the ATM telling the ATM to spit out money. So the problem has nothing to do with either SMS or Windows XP. If the ATM was VAX or Mac OS or Home brew OS or Linux and you did not lock down the local USB ports then it would have the same issue.

The general issue of USB ports happily accepting keyboard has been an issue with ATMs before, but you have to stand by the ATM with a keyboard. This way you just plug in the phone and leave it there to exploit time and time again.
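Added example, not part of any comment in this thread: a sketch of the control two comments above describe, namely locking down local USB ports and reacting to any change in attached USB hardware. The device inventory, port names, vendor/product IDs and serials are constructed sample data, and the policy (any new device or new interface is critical) is an assumption; only the USB base class codes are real.

```python
from dataclasses import dataclass

# USB-IF base class codes (real values from the USB class code list).
USB_CLASS_NAMES = {0x02: "communications (CDC)", 0x03: "HID (keyboard/mouse)",
                   0x07: "printer", 0x08: "mass storage", 0x09: "hub",
                   0xE0: "wireless controller", 0xFF: "vendor specific"}
HID_CLASS = 0x03  # a HID interface can type keystrokes into the host


@dataclass(frozen=True)
class UsbDevice:
    port: str            # physical port path (constructed naming)
    vid: int
    pid: int
    serial: str
    classes: frozenset   # interface classes the device exposes


@dataclass(frozen=True)
class Finding:
    kind: str       # new_device | new_interface | missing_device
    port: str
    severity: str   # critical | warning
    hid: bool       # True if the change adds keystroke-capable hardware
    detail: str


def _describe(classes):
    return ", ".join(USB_CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in sorted(classes))


def compare(baseline, snapshot):
    """Diff the currently attached devices against the commissioned baseline."""
    known = {(d.port, d.vid, d.pid, d.serial): d for d in baseline}
    seen, findings = set(), []
    for dev in snapshot:
        ident = (dev.port, dev.vid, dev.pid, dev.serial)
        seen.add(ident)
        expected = known.get(ident)
        if expected is None:
            # Unknown hardware, or known hardware moved to another port.
            findings.append(Finding("new_device", dev.port, "critical",
                                    HID_CLASS in dev.classes,
                                    f"{dev.vid:04x}:{dev.pid:04x} exposes {_describe(dev.classes)}"))
            continue
        extra = dev.classes - expected.classes
        if extra:
            # Same identity but extra interfaces: a look-alike or composite device.
            findings.append(Finding("new_interface", dev.port, "critical",
                                    HID_CLASS in extra,
                                    f"{dev.vid:04x}:{dev.pid:04x} added {_describe(extra)}"))
    for ident, dev in known.items():
        if ident not in seen:
            # Could be a failed peripheral, or one unplugged to free a port.
            findings.append(Finding("missing_device", dev.port, "warning", False,
                                    f"{dev.vid:04x}:{dev.pid:04x} no longer attached"))
    return findings


def should_lock_down(findings):
    """Assumed policy: take the machine out of service on any critical finding."""
    return any(f.severity == "critical" for f in findings)


# Constructed sample inventory for one machine.
BASELINE = [
    UsbDevice("1-1", 0x1111, 0x0001, "CR-001", frozenset({0xFF})),   # card reader
    UsbDevice("1-2", 0x1111, 0x0002, "RP-001", frozenset({0x07})),   # receipt printer
    UsbDevice("1-3", 0x1111, 0x0003, "DSP-001", frozenset({0xFF})),  # dispenser
]
# Constructed: an extra device that presents a keyboard plus a wireless interface.
ROGUE = BASELINE + [UsbDevice("1-4", 0x2222, 0x0009, "", frozenset({0x03, 0xE0}))]
# Constructed: "printer" now also exposes HID, and the dispenser link is gone.
CHANGED = [BASELINE[0],
           UsbDevice("1-2", 0x1111, 0x0002, "RP-001", frozenset({0x07, 0x03}))]

if __name__ == "__main__":
    for name, snap in (("unchanged", BASELINE), ("rogue", ROGUE), ("changed", CHANGED)):
        result = compare(BASELINE, snap)
        print(name, "lock down" if should_lock_down(result) else "ok")
        for f in result:
            print("  ", f.severity, f.kind, f.port, f.detail)
```

The second constructed case is why the diff compares interface classes and not only vendor/product IDs: a device can copy an allowlisted identity and still add a keyboard interface.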

Physical Access = owned (3, Informative)

clovis (4684) | about 3 months ago | (#46574561)

This is a physical access attack and therefore not very interesting.
To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port (or in older versions, a USB stick, or keyboard). They recommend upgrading the OS and securing the hard drive. How about putting epoxy in the computer's device ports?

Re:Physical Access = owned (0)

locotx (559059) | about 3 months ago | (#46574573)

Physical access IS root access!

Re:Physical Access = owned (2)

sexconker (1179573) | about 3 months ago | (#46575805)

Physical access IS root access!

Physical access is far, far greater than root access.

Re:Physical Access = owned (4, Insightful)

iggymanz (596061) | about 3 months ago | (#46574625)

or you could cut the ATM open at the point where the cashbox is installed

to say this attack is "just not interesting" is an understatement

Re:Physical Access = owned (2)

mlk (18543) | about 3 months ago | (#46574895)

I'd assume the box that the money is in is secured and had paint or the like that will trigger when it is opened.

Plus you can only do it once and it is very noticeable. Chopping a small hole in the box and secretly installing a small phone you could exploit time and time again without drawing attention from passers by.

Re:Physical Access = owned (1)

iggymanz (596061) | about 3 months ago | (#46575245)

look up how they're made, you won't be "chipping a small hole" in anything to access its system and you will set alarm off

Re:Physical Access = owned (0)

Anonymous Coward | about 3 months ago | (#46574915)

You've never been to a liquor store with one of these standalone ATMs and found the door open? I have. You can't take money but you can see the computer in there. 5 seconds to install a USB device and you're done, and that baby will pay out for who knows how long before they notice.

Re:Physical Access = owned (1)

JoeMerchant (803320) | about 3 months ago | (#46574963)

As I said above, you can get the access and look like a maintenance tech, then button it up and walk away with big bulges in your pockets.

Come back later, looking innocent, and take a few hundred bucks per transaction. It makes machines that are protected by highly public physical location (most ATMs) more vulnerable to attack in plain sight by innocent looking people.

Sure, you could cut out the cash box and haul ass in a big pickup truck, but somebody would probably notice that something isn't right about that picture.

Re:Physical Access = owned (1)

StripedCow (776465) | about 3 months ago | (#46574635)

If you have physical access, why not grab the money directly?

Re:Physical Access = owned (1)

Russ1642 (1087959) | about 3 months ago | (#46574665)

The money is locked in a hardened steel enclosure similar to a safe. Apparently the computer is not. This attack is probably one of the easier ways to get at the money.

Re:Physical Access = owned (1)

CastrTroy (595695) | about 3 months ago | (#46574721)

Because this way, assuming they didn't notice the actual hardware in there, you could dispense cash for a long period of time, and get more money. Taking all the cash at once and they would probably notice it. Take $20 once a day, and they might just attribute it to the machine miscounting the bills.

Re:Physical Access = owned (1)

JaredOfEuropa (526365) | about 3 months ago | (#46574933)

The machine might report cash being taken out; very unfortunate if that happens while you stand there shoving piles of bills into your pockets. Better to install the device and come back at night, with a hoodie over your face, grab all the cash, and run.

These machines rarely miscount, and if it happens once a day, the bank will probably take notice. There was a weird little trick on certain ATMs a while back that let you tease an extra note from the machine, but the banks caught on very quickly.

Re:Physical Access = owned (1)

JoeMerchant (803320) | about 3 months ago | (#46575017)

In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

You could probably spit out several hundred dollars per "pull" with the phone-hack and not raise suspicion - a really good hack would falsify the expected balance, too, so they don't notice the missing cash, but you'd think the guy changing the cash box would notice the thing stuck in the USB port, eventually.

Re:Physical Access = owned (1)

PRMan (959735) | about 3 months ago | (#46575615)

I remember way back in the old days (80s), an ATM that I went to dispensed my cash twice. I took it inside and let them know that I had gotten $80 when the machine told me that I got $40. They had released new ATM software the night before. It was 9 AM and I was the first person to bring it to their attention.

Re:Physical Access = owned (1)

JoeMerchant (803320) | about 3 months ago | (#46576205)

I should also mention that I got one or two "undercounts" during that era... my ATMs were all remotely located from the branches, so reporting wasn't exactly convenient. I figured it all worked out in the end, but I might have come out $20 to $30 ahead, overall.

The swipe your ATM card to checkout at the grocery also failed to process a couple of the earliest transactions (there really was a free lunch, those days...), I waited months and months looking for them to show up on the statements, but they never did. These days I don't keep my receipts or check my statements as closely, not sure if that ever happened after the initial rollout.

Then there was the bank I had a deposit account with in 1991 - their computer made a $20 addition error, in their favor, when summing up my deposits and withdrawals (none of which were for $20) - when I pointed it out to the branch manager he acted like I was being a jerk for bringing it up. I didn't still have that account by 1992.

Re:Physical Access = owned (1)

redmid17 (1217076) | about 3 months ago | (#46574681)

Probably because they need to be able to upgrade the OS and apply security patches.

Re:Physical Access = owned (0)

Anonymous Coward | about 3 months ago | (#46574713)

New ATMs use USB to link the parts inside

Re:Physical Access = owned (1)

gstoddart (321705) | about 3 months ago | (#46574799)

To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port

Which, apparently, might not be as difficult as we think.

Security is only as good as its weakest link, as they say. And if one of these things is in a place where you could get in and out without being observed (because, say, you've got a clone of the key or know how to bypass the lock) ... well, then this is going to happen.

Free money is worth someone spending time working these things out.

Re:Physical Access = owned (1)

u38cg (607297) | about 3 months ago | (#46575185)

Well, not so much. Physical attacks are extremely difficult on ATMs as they are difficult to move or access and usually have dye bombs. The usual approach in the UK is to steal a JCB and van and remove the whole thing. So something like this is definitely an improvement for the attacker.

Re:Physical Access = owned (1)

malvcr (2932649) | about 3 months ago | (#46575673)

Let me explain what happens with the ATM devices.

The ATM has a computer with the operating system and basic bootstrap software. In fact, the configuration itself is not located in the ATM; when the ATM is turned on, it is sent to it from the Bank. One important reason is that when somebody steals the ATM, they will lose all the configuration, including many different types of keys, making the task of opening it or learning more about the ATM's network behaviour a difficult task.

When the security employees load the ATM with money, they actually have no access to such money. The Bank fills security money boxes (actually small security boxes that are not so easy to open). These boxes have a special key that is used only inside the Bank's vault. The employees who maintain the ATMs receive the loaded boxes from the Bank's personnel and replace the previous ones "complete" in the ATM (they don't have the keys), and deliver the full or partially empty boxes to the Bank for internal maintenance (to count remaining bills, clean, reload, etc.).

So, the security employees are the ones who could install the phone in the computer, because they need to open the ATM to replace the money boxes. As they are the ones who do this work, they could also attach the phone, and the next time they load the ATM, they will remove it so as to leave no trace of such action. So, it is not necessary for them to violate the physical boxes or to cut the ATM in half (which is not easy anyway), but just to connect a phone and continue with their daily work, and somebody else will come to extract the money with the help of the phone and the ATM itself.

As 80% of the attacks are from "insiders", this makes complete sense to me. Resolving the problem, however, is not so easy, because they need to replace their ATM system with one that would be invulnerable to access through USB or other types of ports, something that was not thought of when the current systems were designed many years ago.

USB port? (2, Insightful)

Anonymous Coward | about 3 months ago | (#46574577)

How does anyone access the USB port of the computer that controls the ATM, without breaching enough physical security that they might as well just grab the money? Sounds like this could only work if an insider at the bank in question smuggles in a phone and hooks it to the computer. You can't just pull up to an ATM and do this.

Re:USB port? (0)

Anonymous Coward | about 3 months ago | (#46574997)

The money is stored in a heavily secured enclosure within the ATM. The computer, not so much. I don't recall the model, but I saw a small ATM where there was just a small panel covering the USB ports. Looked like 16 - 18 gauge sheet metal covering it (the unit was open, and being serviced by a tech).

Diebold (1)

SirSpammenot (1075889) | about 3 months ago | (#46574609)

And they make election equipment, to count votes. Sheeesh! ATMs I am less worried about because I get my money back when they screw up... If the theft amount gets too painful, the banks will look for a better vendor. And switch to Linux...

Re:Diebold (1, Insightful)

Russ1642 (1087959) | about 3 months ago | (#46574791)

Switching to Linux wouldn't solve their physical security issue.

Didn't John Connor use this method? (0)

Anonymous Coward | about 3 months ago | (#46574755)

So all one needs to do is plug a USB cable into an ATM machine and use their cellphone to brute force?

So the C&C structure only exists so a "mastermind" can send in a fool to have his photo taken while robbing the ATM?
Is there a non spyware supported version that bypasses the need for an accomplice who may rat on me?

cash? (0)

Anonymous Coward | about 3 months ago | (#46574837)

People still use cash? I hate dealing with change. Let me count the pennies and nickels...ugg

Hackers (1)

OcabJ (13938) | about 3 months ago | (#46574921)

"Anyway, anyway, guys guys guys, come on. I'm in this computer, right. So I'm looking around, looking around, you know, throwing commands at it, I don't know where it is or what it does or anything. It's like, it's like choice, it's just beautiful, okay. Like four hours I'm just messing around in there. Finally I figure out, that it's a bank. Right, okay wait, okay, so it's a bank. So, this morning, I look in the paper, some cash machine in like Bumsville Idaho, spits out seven hundred dollars into the middle of the street. That was me. That was me. I did that."

Re:Hackers (0)

Anonymous Coward | about 3 months ago | (#46575075)

"And you did this from your home computer?"

Re:Hackers (0)

Anonymous Coward | about 3 months ago | (#46575557)

You did this from your house?

Never hack a bank across state lines, you'll get burned by the FBI.

BTW do you know what the 3 most commonly used passwords are.....

Re:Hackers (1)

HornWumpus (783565) | about 3 months ago | (#46575837)

If you've ever been the victim of crime you will know the cops do nothing for you. They fill out a report so you can make an insurance claim. That is all. They will give you attitude while doing it. You are bothering them.

The FBI has buildings full of cops dedicated to protecting the banks.

Look at the bright side (1)

DickBreath (207180) | about 3 months ago | (#46575139)

At least most modern mobile plans give you unlimited SMS.

Uh, no kidding (0)

Anonymous Coward | about 3 months ago | (#46575199)

Let me get this straight. They physically have to attach new gear to the computer that can control what the ATM is doing. That device is then able to issue commands to the computer, and thus the ATM. That device happens to be a device that can receive SMS messages. And it's shocking that "You can make it do stuff based on an SMS message"?! No surprise there. And in case you missed it, you could also call it and issue commands over the voice channel, or you could use the data connection and issue commands to it through your favourite IRC command and control channel, or email, or REST call, or whatever. This isn't a remote attack.

Windows XP Based ATM (1)

Fitch (584748) | about 3 months ago | (#46575393)

Does anyone find fault with the phrase "Windows XP Based ATMs"?

Regardless of whether this exploit requires an insider for access to the physical machine, securing $10k-$20k worth of cash with one of the most commonplace operating systems on the planet seems beyond asinine to me.

Re:Windows XP Based ATM (0)

Anonymous Coward | about 3 months ago | (#46575629)

I'm not so sure "common" is the problem as the words insecure and unhardened are.

Oh, take a wild guess (1)

ThatsNotPudding (1045640) | about 3 months ago | (#46575521)

Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines.

Gotta be Diebold. Yes, they changed their name. No, those thieves should never be allowed to remove the albatross of crooked voting machines from their scrawny, corrupt necks.

Re:Oh, take a wild guess (1)

drinkypoo (153816) | about 3 months ago | (#46576177)

Yeah, that was my response too. Diebold is well-known to do a shit job with ATM security.

'Magic Number' could be a valid Credit Card Number (1)

Muad'Dave (255648) | about 3 months ago | (#46576429)

FWIW, the magic number '5449610000583686' mentioned in the article passes the Luhn Algorithm [wikipedia.org], and is therefore valid as a credit card number. The BIN indicates the card was/would be issued by the following bank, transcribed from this site [bindb.com]:

Bin: 544961
Card Brand: MASTERCARD
Issuing Bank: HSBC BANK (PANAMA) S.A.
Card Type: CREDIT
Card Level: PLATINUM
Iso Country Name: PANAMA
Iso Country A2: PA
Iso Country A3: PAN
Iso Country Number: 591
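
The Luhn check referred to in the comment above, as an added example (not part of the original post or of Symantec's write-up): it verifies the check digit of the number quoted in the comment and scans text for PAN-like digit runs, as a log or DLP filter would. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Digit runs of PAN length (13-19) that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])[0-9]{13,19}(?![0-9])")


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the string is all ASCII digits and its Luhn sum is 0 mod 10.

    Passing only means the check digit is consistent; it says nothing
    about whether an account with that number exists.
    """
    if not (number.isascii() and number.isdigit()):
        return False
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit that must be appended to `partial` for it to pass Luhn."""
    return (10 - luhn_sum(partial + "0") % 10) % 10


def find_pan_like(text: str) -> list:
    """Return (number, BIN) for every digit run in `text` that passes Luhn."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        number = match.group()
        if luhn_valid(number):
            hits.append((number, number[:6]))  # BIN = first six digits
    return hits


# Constructed sample text: only the first line carries the number from the comment.
SAMPLE = """\
sms body: 5449610000583686
sms body: 5449610000583687
job id 20140327101500 finished
"""

if __name__ == "__main__":
    for number, bin_prefix in find_pan_like(SAMPLE):
        print(f"PAN-like value {number} (BIN {bin_prefix})")
```
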

Please... (1)

Ryanrule (1657199) | about 3 months ago | (#46576437)

...if you want an ATM open, you smash it on a methhead's head.
