Card-Sniffing Malware On Diebold ATMs
angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."
the banks hold up you.
As far as ATM vendors go, how does Diebold rank in security?
There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98.
That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.
I've certainly seen a number of ATMs running Windows 2000 Professional, but Windows 98! *shudder*
Windows CE, XP, whatever, an ATM shouldn't be running a consumer OS for a variety of reasons (security holes, stability, error rate). Why not use either a very trimmed down Linux distro or roll your own OS? I mean, there is a bit of investment having to make the drivers and all- but surely it can't be too expensive to do (not with what is at stake).
Still, it's a trojan (has to be put on individual ATMs) - and criminals would have to gain physical access to the computer inside the ATM, which would mean breaking the ATM itself or somehow getting the keys (pretty difficult). So it's not the most widespread issue.
I wouldn't put my card in one of those. What company, so I can never bank with them?
Ages ago in the past, OS/2 was the ATM platform of choice. Now, it's either Windows 2000 Pro, or XP Embedded.
As for Windows 98, I can see that being used, but the ATM would require a watchdog card. This is a special hardware card that automatically resets the machine should the watchdog driver not send pulses after a certain period of time, or if a certain application is not present and running. In this case, Windows 98 can be used, because if the ATM's app crashes, the card will reset the machine to a hopefully known good state.
From the last few US presidential elections where statistics were typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:
1. Diebold fixed the elections (a)
or
2. Diebold is completely incompetent (b)
But then.. People would argue that #2 is invalid because Diebold has atms all over the world that count money.. and they never have problems - so something as simple as voting should be easy.
Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:
3. Diebold is fabricating their own incompetence (c)
or
4. Diebold is really incompetent (d)
(d) = (b)
so..
((a) or (b)) and ((c) or (d))
so..
((a) or (b)) and ((c) or (b))
so..
((a) and (c)) or (b)
which translates to:
Why the fuck do we trust Diebold with anything?
--- We need more Ron Paul!
Should not have dropped OS/2 for Windows on the ATMs. Also, were the administrative passwords set to the default like the other ATMs that got hacked?
Is the locked-down version of Windows that Diebold provides too locked down for some banks' use? Locked in to Diebold for getting the Windows updates? Vs being able to do it on your own / use your own WSUS system?
Are Diebold voting machines just as easy or easier to hack?
Can someone link to this story whenever someone asks why Premier Election Systems' (AKA Diebold's) voting machines aren't as good as their ATMs?
over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.
If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.
I work for the Department of Redundancy Department.
http://xkcd.com/463/
"I think it would be a good idea" Gandhi, on Western Civilisation
There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98. That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.
Waaait a second. So people actually put an ATM running Windows 98 in the middle of Russia and expected it NOT to get immediately hijacked?
"...its ATM customers using the Windows operating system."
OK, stop. Did I just read what I think I just read? What...the...hell? Windows?
As if we don't have enough problems with the crooks that run the banks...
Can hardware really be secured against a determined attack? Would a TPM (Trusted Platform Module) withstand all hacking attempts?
That line really wasn't needed. The crime requires physical access to the box. A Linux, Mac, whatever box is just as vulnerable in that situation.
A problem has been detected and windows has shut down to prevent damage to your bank account.
MONEY_LESS_OR_EQUAL
Somewhat OT, but my wife was one of the early recipients of a credit card which expired after 1999. She used to crash gas pumps whenever she tried to pay at the pump.
Since when is Sao Paulo, Brazil in the middle of Russia?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.
If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.
No access? What about the card slot?
Just so you know, the ATMs of the largest retail bank in my country have a keyboard on them.
If you delay pleasure infinitely, the pleasure will be infinite. (YM)
Wow, especially considering extended support retired in July 2006.
Why use Windows at all for high-security embedded applications? Seems to me that using a stripped-down Linux kernel would be a better deal!!
...which I can guarantee is not hooked up to the PS2 port on the ATM PC. Your point?
Pretty becomes an issue when you gain revenue displaying motion picture advertising and providing additional "value added" features.
It isn't just Diebold. I work with a few different brands of ATMs and they all seem to be moving in the same direction.
-- Rich
If only it were one specific banking establishment. Diebold sell ATMs to all banks.
Money under the mattress much?
Finally had enough. Come see us over at https://soylentnews.org/
Exploit an ATM from the card reader?
You've watched D.A.R.Y.L. one too many times.
joke reverses you!
No citation provided, but I saw one running Windows 98 in the touristy district of the Spanish city of Santiago de Compostela (right near the cathedral).
I wasn't game enough to trust my debit card with it, but a passerby used it, and boy was it slow. You could see the individual images redrawing on the screen. It's been so long since it was last updated that the CRT monitor has the text burnt into its screen. (Although I thought modern CRTs were supposed to be immune to burn-in.)
'Diebold, .. releases its new Advanced Skimming Detection technology for automated teller machines (ATMs). This fraud-deterrence technology .. is the most effective method to guard against card skimming, the act of retrieving consumers' account information from their ATM card magnetic strips via a fraudulent device illegally attached to an ATM'
...
It would have been more technologically secure to not use magnetic strips in the first place and design a machine that only worked with authorized hardware. Something Diebold don't seem to be able to manage. It should have been foreseen that the crooks would attempt to hack the machines; after all, they are crooks.
davecb5620@gmail.com
'ATM message protocols such as NCR's NDC and Diebold's 911/912 are based on ISO 85/83, a 20-year-old standard that industry observers agree looks pretty creaky in the age of Internet standards like XML'
'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'
'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows, IFX is going to be a far smoother and more intuitive move."'
'That line really wasn't needed. The crime requires physical access to the box. A Linux, Mac, whatever box is just as vulnerable in that situation'
..
You wouldn't use a desktop OS in such a situation. A small embedded obfuscated encrypted OS performing a small set of dedicated functions. Not a modified Windows OS that could be compromised using a few DLL redirects
'The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code to ATM's processes '
I wonder would Chrome have prevented such a hack?
'Google Chrome is implementing support to run native x86 code from within the browser'
'Over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count'
That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.
'Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi worm raises the specter'
'Last August, the Nachi (Welchia) worm contaminated the cash machines at two financial institutions. When the Slammer virus hit the back end systems of the Bank of America in January 2003, 13,000 US ATMs became unavailable '.
I know a fair few banks in the UK use Windows in their ATMs. The Halifax/Bank of Scotland for one; I've seen their ATMs with Windows OK/Cancel error boxes rendering them totally useless. I've also seen a Lloyds TSB machine stuck on the Windows XP boot screen.
I don't know who makes their ATMs (I'm guessing NCR as they have/had a big factory in Dundee) but Windows on ATMs isn't rare.
It pays to be obvious, especially if you have a reputation for being subtle.
Postamat, banking service offered by the Italian Post. It sucked my card in, crashed, and promptly spat it out after a few minutes of reboot, while I was inside the post office trying to explain what happened.
Windows 2000 Pro btw.
I thought all Diebold ATMs ran Windows
There are probably some older supported Diebold ATMs out there running OS/2. Just like IBM is still supporting OS/2 use by some banks.
You don't need Windows however to have Microsoft crash your cash dispenser - about ten years ago, I saw an ATM in Florence display A)nnulla, R)iprova, T)ralascia, E)limina? - which is of course the Italian equivalent of MS DOS's notorious yet futile Abort, Retry, Ignore, Fail? option menu upon hardware failure...
I quit when I withdrew 20$ from one and my receipt said I voted for Bush.
I guess the fact that Obama got elected and the GOP, with the help of Diebold according to the Slashdogma here, did not manage to steal this election is lost on you dopes.
Now you're on to the next conspiracy, ATMs.
You're worried about ATMs while Obama is spending trillions and much of it to go down a global rat hole.
Nothing like the absence of intellectual honesty from a bunch of blowhard intellectuals, you're all doomed and you don't even know it
In USSA banks rob you.
Free Martian Whores!
I'm currently trying to use a hardware watchdog on a card design... but the watchdog proves less reliable than the main hardware itself! Kind of defeats the purpose... C:-(
Non-Linux Penguins ?
This kind of reminds me of the Denver International Airport baggage handling fiasco of a few years ago. They tried to implement a very complex, distributed, real-time baggage handling system using Windows NT. Needless to say, it failed and the entire system was scrapped after incurring costs in the $100s of millions of USD. Anyone who uses Microsoft operating systems for hard real-time or high-security applications are totally out of their minds and deserve whatever happens to them - like getting run over by a tank! Unfortunately, a lot of innocent folks are squashed along with the pinheads who spec'd the systems in question, and they (the pinheads) usually get away with all their bonus $$ intact, much like the thieves at AIG, et al.
Sometimes, real fast is almost as good as real-time.
Yes, I believe that to be the idea as presented... In fact, the exploit this article talks about is an example of that very concept.
I know that's not exactly what you're talking about, but consider that ANY input device is an input stream that can theoretically have any pattern (even those beyond design specs, like over-voltage) sent down it. Steps can be taken to mitigate any threat of course, but taking for granted that those steps have been taken is too optimistic a view as far as I'm concerned. There is a whole lot of crappy production code floating around out there.
If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.
No access? What about the card slot?
I just checked the Microsoft knowledge base, and apparently there are zero known exploits in Windows 98's non-existent bundled driver for the mag stripe slot...
I may be wrong, but isn't this also the company that manufactured the voting machines that had been tampered with in the 2004 election? The name Diebold is awfully familiar to me, and I know I have read about them in the news before... and I am pretty sure it was for nothing good.
A Diebold ATM in my hometown was found crashed; apparently running XP. With an open DOS window and a flashing prompt. There was some dotNet class dump gobbledygook scrolled up in that window. I could enter numbers with the keypad, and the enter button would return "bad command or file name".
I found it that way in the morning, and when I drove past later that afternoon, it was still sitting in that state. Scary.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Diebold doesn't have a software stack that runs on Windows 98, it may be third party software on Diebold hardware.
I put all my money under my mattress in August 2007.
So far, it has out-performed my 401k's "35 year retirement fund" by 600%!!!
Yeah, and bankers wonder why we think they are all crooks...
But mine with the good old OS2 machines have that now too! How? They just mounted a cheap little flat panel screen and speaker above the ATM. It is actually quite nice, with the pretty music and pointing out extra features and services you can choose from. And most importantly when it goes down the ATM still works.
As an old greybeard who ran BeOS and OS2 during the 90s (I think I still have my Warp discs in a storage crate in my mom's attic somewhere), I can say without a doubt that the best OS lost. BeOS ran rings around both Win9X and WinNT when it came to multitasking and multimedia creation/editing/viewing, and OS2 was built like a freaking tank. While I may use Windows now simply because I have no choice (my hardware and software don't like Linux), BeOS and OS2 were much better for just about anything than Windows was and frankly still is.
I believe in KISS and switching to Windows on ATMs, where hackers have every reason to hit with everything they've got, is truly madness. OS2 WORKS. It runs 24/7/365 solid as a damned rock and from what I understand OS2 by design is a hell of a lot harder to crack than the tissue paper tiger that is Windows security. That is why eComstation still sells it and continually is updating it to run on newer hardware. I have been thinking of building a box around eCom for when my mom gets online. It is simple, basic design, and frankly just works. But sticking Windows on an ATM is just crazy. Always use the right tool for the job, and Windows frankly should not be used in RTOS jobs, especially where security is critical. That is just stupid PHB thinking there.
ACs don't waste your time replying, your posts are never seen by me.