Slashdot Mirror


Card-Sniffing Malware On Diebold ATMs

angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."

26 of 143 comments

  1. In Soviet Russia... by Pyrus.mg · · Score: 5, Funny

    the banks hold up you.

    1. Re:In Soviet Russia... by Anonymous Coward · · Score: 2, Funny

      the banks hold up you.

      I thought for that joke there was supposed to be a reversal in there somewhere?

    2. Re:In Soviet Russia... by daveime · · Score: 3, Insightful

      Umm, no ... the banks said something more akin to ...

      Want some money, we got lots of money, want more money than you can afford, no problem, we'll give you 10 times your salary, even though the recognised multiplier is just 3.

      And with low low interest rates, what could possibly go wrong ? Also, while you're here, would you like to borrow more money for a car, and a holiday, and that 80" flatscreen TV ? How about a new kitchen ? We can also give you credit cards with more spending power than God.

      And what the heck if the sum total of all your credit comes to 5 times more than you can conceivably earn in your lifetime, this is the American Way (TM).

  2. Maybe there could be gov. regulation of ATM design by Futurepower(R) · · Score: 5, Interesting

    There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98.

    That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.

  3. Re:Track record? by ScentCone · · Score: 5, Insightful

    As far as ATM vendors go, how does Diebold rank in security?

    Does it really matter, when their customers are allowing the bad guys to physically work with the machines? Bad guys who get to touch a system like that have a real leg up. Machines that - even if the user allows the bad guy to play with the hardware - could withstand a serious onslaught by organized Russian techie criminals would probably be substantially more expensive for the average [Insert Name of Russian 7-11 here] or their banking vendor to deploy.

    --
    Don't disappoint your bird dog. Go to the range.
  4. Re:Maybe there could be gov. regulation of ATM des by mlts · · Score: 2, Informative

    Ages ago in the past, OS/2 was the ATM platform of choice. Now, it's either Windows 2000 Pro, or XP Embedded.

    As for Windows 98, I can see that being used, but the ATM would require a watchdog card. This is a special hardware card that automatically resets the machine should the watchdog driver not send pulses after a certain period of time, or if a certain application is not present and running. In this case, Windows 98 can be used, because if the ATM's app crashes, the card will reset the machine to a hopefully known good state.
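
The watchdog behaviour described in the comment above, as an added example that is not part of the original thread or any vendor's driver code: a small C model in which the card resets the machine once the driver stops pulsing. The tick-based timing, the `watchdog_card` struct and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a watchdog card: a countdown the driver must reload
 * ("pulse") before it runs out, or the card resets the machine. */
typedef struct {
    unsigned timeout_ticks; /* assumed: ticks allowed since the last pulse (>= 1) */
    unsigned remaining;     /* ticks left before a forced reset */
    unsigned resets;        /* resets issued so far */
} watchdog_card;

/* Driver side: pulse only while the monitored application is running. */
void wd_driver_poll(watchdog_card *wd, bool app_running) {
    if (app_running) wd->remaining = wd->timeout_ticks;
}

/* Card side: one timer tick; returns true when the card fires a reset. */
bool wd_card_tick(watchdog_card *wd) {
    if (wd->remaining > 0) { wd->remaining--; return false; }
    wd->resets++;
    wd->remaining = wd->timeout_ticks; /* countdown restarts with the reboot */
    return true;
}

/* Replay a timeline, one char per tick: 'C' = the app crashes or hangs, any
 * other char = no event. Returns the reset count and stores the tick of the
 * first reset (-1 if none). The card sees liveness only, not integrity. */
unsigned simulate(const char *timeline, unsigned timeout_ticks, int *first_reset) {
    watchdog_card wd = { timeout_ticks, timeout_ticks, 0 };
    bool app_running = true;
    *first_reset = -1;
    for (int t = 0; timeline[t] != '\0'; t++) {
        if (timeline[t] == 'C') app_running = false;
        wd_driver_poll(&wd, app_running);
        if (wd_card_tick(&wd)) {
            app_running = true; /* reboot into the known good state */
            if (*first_reset < 0) *first_reset = t;
        }
    }
    return wd.resets;
}

int main(void) {
    int first;
    unsigned n = simulate("....C.......", 3, &first);
    return printf("resets=%u first_reset_tick=%d\n", n, first) < 0;
}
```

With a timeout of 3 ticks the reset fires three ticks after the last pulse, so a crash close to the end of the timeline is not yet acted on when the replay stops.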

  5. Maybe an attempt to prove incompetence? by brxndxn · · Score: 4, Insightful

    From the last few US presidential elections where statistics were typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:

    1. Diebold fixed the elections (a)
    or
    2. Diebold is completely incompetent (b)

    But then.. People would argue that #2 is invalid because Diebold has ATMs all over the world that count money.. and they never have problems - so something as simple as voting should be easy.

    Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:

    3. Diebold is fabricating their own incompetence (c)
    or
    4. Diebold is really incompetent (d)

    (d) = (b)

    so..

    ((a) or (b)) and ((c) or (d))

    so..

    ((a) or (b)) and ((c) or (b))

    so..

    ((a) and (c)) or (b)

    which translates to:

    Why the fuck do we trust Diebold with anything?

    --
    --- We need more Ron Paul!
  6. Re:Maybe there could be gov. regulation of ATM des by v1 · · Score: 4, Insightful

    Over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.

    If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.

    --
    I work for the Department of Redundancy Department.
  7. obligatory xkcd link by squidinkcalligraphy · · Score: 4, Funny
    --
    "I think it would be a good idea" Gandhi, on Western Civilisation
  8. Windows? by geekmux · · Score: 4, Insightful

    "...its ATM customers using the Windows operating system."

    OK, stop. Did I just read what I think I just read? What...the...hell? Windows?

    As if we don't have enough problems with the crooks that run the banks...

  9. "using the Windows operating system" by Anonymous Coward · · Score: 5, Insightful

    That line really wasn't needed. The crime requires physical access to the box. A Linux, Mac, whatever box is just as vulnerable in that situation.

  10. NSF by castorvx · · Score: 4, Funny

    A problem has been detected and windows has shut down to prevent damage to your bank account.

    MONEY_LESS_OR_EQUAL

  11. Y2K... by rthille · · Score: 5, Funny

    Somewhat OT, but my wife was one of the early recipients of a credit card which expired after 1999. She used to crash gas pumps whenever she tried to pay at the pump.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  12. Obviously a product of the LAUSD by Amazing+Quantum+Man · · Score: 2, Funny

    Since when is Sao Paulo, Brazil in the middle of Russia?

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  13. Re:Track record? by hairyfeet · · Score: 5, Insightful

    You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

    My banks have the OS2 machines (I think Diebold) and frankly they are built like tanks. They are always running 24/7 (you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is an ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  14. Re:Track record? by wiredlogic · · Score: 4, Interesting

    Many older ATMs used to run OS/2 and were rock solid dependable. It also helps that IBM was a key player in developing the crypto hardware in those machines and they had the expertise to ensure everything was locked down and tamperproof.

    What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

    --
    I am becoming gerund, destroyer of verbs.
  15. Re:Track record? by Gollum · · Score: 4, Interesting

    I did some work for a local bank, and their ATMs were running Windows XP (not embedded), IIS (can't remember the version), and IE. This was to allow them to serve "rich content" (movies, images, animations, etc), without having to write it all themselves. The ATM just had IE talking to IIS, and displaying the results in "kiosk mode". The buttons on the sides of the screen were mapped to keys on the keyboard (I think), and that's how it ran.

    I specified a full set of ports that needed to be accessible to the ATM controllers, and that was all that was supposed to be accessible from the network.

    However, if you can get access to the back of the machine, it has a second monitor, keyboard and mouse, and you can access the OS, and do whatever you want to do. I *THINK* that the keyboard and mouse were locked away in the vault (or at least behind a door), but the hardware itself is pretty standard PC, so I don't imagine that it would be particularly difficult to add a USB keyboard or mouse and gain access when rebooting the device. Maybe even boot from a USB disk or similar.

    The reality is that if you have physical access to practically anything, it is game over.

    Personally, I would have been a lot happier to see a stripped down Linux kernel + minimal OS, BIOS passwords, bootloader passwords, etc than the entire Windows stack. Less to verify == more security.

  16. Re:Track record? by Jamie's+Nightmare · · Score: 5, Insightful

    the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around

    Why? Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data. A lot can go wrong with an ATM. From faulty hardware to sloppy programming.

    It's far more likely that in this case the benefit comes from simplicity in the hardware and software design, not anything to do with OS/2. From your description, the whole design is much older. Whatever bugs that may be present in the software or the operating system don't interfere with the machine's day-to-day operation, so from the standpoint of a casual observer, it's perfect.

    Using this single (biased) example as an endorsement for using OS/2 isn't insightful, it's just stupid.

    --
    "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
  17. Re:Track record? by Anonymous Coward · · Score: 4, Insightful

    But it is an ATM. It doesn't NEED to be pretty. It just needs to be secure and work.

    You're thinking like an engineer. Think like a marketroid. You know...

    "...If it ran Windows, we could put advertisements on it. And not just text ads like 'walk around the corner and ask for a loan', I mean full-screen animated ads of cute families overjoyed because they have credit cards, you know, like TV, and the customer would have to watch the ads, because if they walk away during the 5-second interstitial ad, they don't get the $100 they're trying to withdraw!"

    CAPTCHA: "annoyed". Once again, Slashdot imitates life. Or at least, the fucking ATM going "ding" (with the same DING.WAV that's been in Windows since 3.1, what a dead giveaway as to what OS they're running) that I used this afternoon.

    Anyways. Fucktards. Fucktards one and all. It's St. Paddy's day, and I'm finally drunk enough to take my engineering hat off and put my marketroid hat on. Fortunately, I'll be sober in the morning. Unfortunately, the marketroids will still be running the show.

  18. Re:Uh...why are they running Windows? by Anonymous Coward · · Score: 2, Insightful

    Windows programmers are much cheaper than Linux programmers.

    You get what you pay for. In the case of security-critical technology I'd have hoped people would pay for something good. How naive of me.

  19. Re:Track record? by L4t3r4lu5 · · Score: 2, Funny

    HURD.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  20. On Soviet Slashdot by pisto_grih · · Score: 2, Funny

    joke reverses you!

  21. Diebold and ATM message protocols .. by rs232 · · Score: 2, Interesting

    'ATM message protocols such as NCR's NDC and Diebold's 911/912 are based on ISO 85/83, a 20-year-old standard that industry observers agree looks pretty creaky in the age of Internet standards like XML'

    'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'

    'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows, IFX is going to be a far smoother and more intuitive move."'

    --
    davecb5620@gmail.com
  22. Re:Track record? by Carlosos · · Score: 3, Interesting

    Breaking into a bank through the ATM machine is probably the worst idea ever. Banks (or at least the banks I worked at) have a motion detector in the room behind the ATM. Only once I saw a bank that had an ATM removed and just covered up with plywood from the outside while the motion detector was disabled in that room. Triggering the ATM alarm is worse than the premises alarm because the premises alarm gets triggered sometimes from cleaning personnel or other employees but for the ATM room you need a special key that not everyone has.

    I'm also not sure that you can easily go into debug mode without anyone noticing (assuming some employee let you in that room) because the ATM technicians have to call Diebold before doing anything with the machine. They will know if someone unauthorized is using the ATM and restarting with a live CD won't work because that will also trigger an alarm.
    I'm guessing it was a Diebold employee that installed the malware since he would have been the only one who could have gotten that much access to it.

  23. Re:Uh...why are they running Windows? by Lumpy · · Score: 2, Interesting

    One of the best scams in the world was to buy a used ATM and then put custom software on it to harvest info and then plop the whole thing in a mall. Come back in a week and you got a CRAPLOAD of cards and pins.

    Simply program it to act normal but it can't connect to the bank and spit the card back out.

    Honestly I am sure this will still work today. Back in the late 90's they caught a group of guys around Detroit doing this.

    --
    Do not look at laser with remaining good eye.
  24. I may be wrong... by DankJemo · · Score: 2, Funny

    I may be wrong, but isn't this also the company that manufactured the voting machines that had been tampered with in the 2004 election? The name Diebold is awfully familiar to me, and I know I have read about them in the news before... and I am pretty sure it was for nothing good.