Slashdot Mirror


Cybercriminals Refine ATM Data-Sniffing Software

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."

257 comments

  1. DES by bluefoxlucid · · Score: 3, Funny

    DES doesn't really mean "Designed Extremely Secure" ....

    1. Re:DES by hey · · Score: 1

      You'd think the "cybercriminals" would be more security-aware and use a better encryption algo.

    2. Re:DES by mcgrew · · Score: 1

      You don't need a rootkit, as I found out several years ago.

      A woman I was seeing (for twenty dollars a pop) watched as I put the PIN number in. She then stole my checkbook, my debit card, and spare car keys. I think it's chronicled in one of my journals somewhere (there's a brief account in my latest, which I just posted a couple of hours ago, but there's a detailed one in an older one).

      Anyway, she wrote some bogus checks and withdrew money from the ATM. The bank made good on the checks, but not the debit card. If they have your PIN number, they're automatically authorized to use the card, even after it's reported stolen! It was a disaster; it caused several checks to bounce and ultimately cost me several thousand dollars, even though she only stole $700 before the card wouldn't work (no more money in the account).

      I no longer use a debit card. Fool me once, shame on you. Fool me twice, shame on me.

    3. Re:DES by Anonymous Coward · · Score: 5, Interesting

      Several years ago, there was a home-invasion robbery that made local headlines for a few days. The robbers stole ATM cards and forced the PINs out of the residents at gunpoint, threatening to come back and rape them if they gave the wrong PIN. In this case, the residents were obligated to give the correct PIN, since they could have been tied up and forced to wait for the robber to return with the cash.

      My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

      Why not do this with ATMs? I would not be surprised if ATMs already had GSM-monitored burglar alarms for obvious reasons, and it wouldn't be that hard to have a secondary PIN that sends a duress signal.

      Of course, that's useless against shoulder surfing.

    4. Re:DES by sopssa · · Score: 5, Interesting

      Just to note, an ATM running Windows XP doesn't mean it's less secure and that it could be exploited. If you've used ATMs, there's really no way to just run your programs on it or exploit it somehow. But when criminals have access to the hardware physically, there is no difference if it's Windows, Linux or whatever other OS. That is how it's probably been working here as well: they get some insiders to give them access or they social engineer their way in. You can't exploit Windows bugs in them because you can't connect to them from the internet.

      Like said, when people get good physical access to the hardware, game is usually lost, no matter what the OS is.

    5. Re:DES by jDeepbeep · · Score: 1

      If they have your PIN number, they're automatically authorized to use the card, even after it's reported stolen!

      Well, there is a difference between reporting a card as stolen, and telling the bank to disable the card because of fraudulent use, no? Even so, if reported quickly enough, the bank ought to be able to credit your account back for any transactions that clear, and send you affidavits to sign in the mail afterwards.

      --
      Reply to That ||
    6. Re:DES by plague3106 · · Score: 1

      Um, as soon as you reported your card stolen, they should have deactivated it, regardless of whether or not someone had the pin.

      I think the moral to your story is 1) be careful who you take to your ATM and 2) check your bank balance daily. Most ATM networks impose a $300 limit per withdrawal.

    7. Re:DES by BlackSnake112 · · Score: 5, Interesting

      Sneakier way that I have seen. The bad guys slide this metal piece into the ATM slot. This catches your card but will not release it. Some even let you make your transaction but still keep the card. Usually one of the bad guys is around the ATM watching. They walk up pretending to help. They ask you to enter your PIN again or ask for your PIN so they can enter the PIN. Either way they now have your PIN. Nothing works of course. You go away, they take out the piece of metal with your card. Now they have your PIN and your card.

      I read about this. I have so far taken 4 pieces of metal out of the ATM card slot at 3 different locations around the Washington DC area. All 4 times, someone very quickly left the scene. I did report it to each bank when they were open again. All 4 times happened to be after 9PM.

      Look at the ATM slot before you put your card in. If it looks like there is an extra thin piece of metal, either go to a different ATM, or see if you can take it out. I used the trusty paperclip to remove the metal. Not that hard.

    8. Re:DES by stokessd · · Score: 1

      True, that it's game over if you have physical access. But there still is a downside to using Windows. If you have physical access and also a working knowledge of the OS and its functions/vulnerabilities then you are miles ahead of having physical access and a WTF OS in front of you. I could be logged in as root on a Linux box and set my wife down and ask her to do some damage; she is harmless because she is lost. On her native computer she can do some damage though.

      I'd think ATMs would use some sort of high availability real-time OS like QNX or VxWorks. This is a perfect application for a high-availability OS.

      Sheldon

    9. Re:DES by Muad'Dave · · Score: 1

      I've said this since ATM cards came out way back when. I suggested the regular PIN backwards, to make it easy to remember.

      Funny thing is, I think it started an internet rumor that it'd really work.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    10. Re:DES by Zaurus · · Score: 2, Informative

      What you are describing is called a "Lebanese Loop"

      http://en.wikipedia.org/wiki/Lebanese_loop

    11. Re:DES by PitaBred · · Score: 1

      Next time you see a piece of metal in an ATM you should lean up against the wall a few steps away and call the cops, see if they want to catch someone in the act of trying to scam an ATM. If it's a slow night, you might get an officer to respond.

    12. Re:DES by vertinox · · Score: 3, Interesting

      My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

      I think it would be just as easy to create a "Zero balance" code to show the assailant you are broke when you are not.

      Some of us don't need that though.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    13. Re:DES by justinlindh · · Score: 2, Informative

      This idea already did the rounds in the form of an Internet rumor a couple of years back: http://www.snopes.com/business/bank/pinalert.asp

      The Snopes page mentions why something like this hasn't been implemented:

      No one in the banking industry seems to want the technology. The banks argue against its implementation, not only on the basis of cost but also because they doubt such an alert would help anyone being coerced into making an ATM withdrawal. Even if police could be summoned via the keying of a special "alert" or "panic" code, they say, law enforcement would likely arrive long after victim and captor had departed. They have also warned of the very real possibility that victims' fumbling around while trying to trigger silent alarms could cause their captors to realize something was up and take those realizations out on their captives. Finally, there is the problem of ATM customers' quickly conjuring up their accustomed PINs in reverse: Even in situations lacking added stress, mentally reconstructing one's PIN backwards is a difficult task for many people. Add to that difficulty the terror of being in the possession of a violent and armed person, and precious few victims might be able to come up with reversed PINs seamlessly enough to fool their captors into believing that everything was proceeding according to plan. As Chuck Stones of the Kansas Bankers Association said in 2004: "I'm not sure anyone here could remember their PIN numbers backward with a gun to their head."

    14. Re:DES by ls671 · · Score: 2, Funny

      My PIN is 7117, what then?

      --
      Everything I write is lies, read between the lines.
    15. Re:DES by jhol13 · · Score: 1

      ATM running Windows XP doesn't mean it's less secure

      Than e.g. OpenBSD? It sure does.

      and that it could be exploited

      True. But it makes it a hell lot likelier, especially as we know from experience that the companies involved do use "the cheapest possible way" principle.

      You can't exploit Windows bugs in them because you can't connect to them from the internet.

      You know, the transaction from the ATM does go to the bank somehow. I would not be surprised if the attack uses that channel (I have heard some use Internet & VPN - not sure if true). Attacking a single ATM through physical access is much more likely to be noticed and/or recorded and has a lot less payback than accessing several through a communication channel.

      Sure, there have been physical access attacks e.g. using readers "glued" on the ATMs, but they seem to have low return rate (of investment).

      game is usually lost

      Well, PS3 Linux has not escaped the "jail". So "usually" is true, but ATMs should not be "usual" in this sense.

    16. Re:DES by Anonymous Coward · · Score: 0

      True, but newer ATMs speak TCP/IP, and are indirectly connected to the internet (eg: connect to machines behind a firewall, or use VPNs...) Also, there have been bugs in touch screen ATMs that cause the front end software to crash, giving people access to the start menu.

    17. Re:DES by Muad'Dave · · Score: 1

      You're hosed, and the cops would hate you 8-(

      If they implemented this, then you'd have to choose another PIN.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    18. Re:DES by Anonymous Coward · · Score: 1, Funny

      I'd rather be robbed and not used as a human shield, but each to their own I guess ;p

    19. Re:DES by Jurily · · Score: 1

      Than e.g. OpenBSD? It sure does.

      If there is no possible attack vector either way, is there a difference?

    20. Re:DES by mindbomb2323 · · Score: 3, Informative

      I am an ATM repair tech, and I can tell you that you are correct about the duress codes for people admining, and there are several different ways that it can be done. I have never seen any type of GPS tracker used, because you would have to put it somewhere that they couldn't remove it, and that would be in the vault, but if you put it in there then how could you get reception? As far as using the duress code, I don't think I would ever use it, for the simple fact that it is a guaranteed way to become a hostage, and I'm sorry but 160k of money that isn't even mine is not worth it. I still think skimmers with wifi will be the first choice for crooks because it is easy to do and hard to get caught. There are a lot of banks that actually perm lock the desktop out, so it makes it very hard to actually get access to it to load the malware. Also, on newer ATMs they have plates blocking the drives and the USB ports. The ATMs I see this stuff being pulled on are non-bank ATMs, the kind you see with no company name in your gas stations and places like that.

    21. Re:DES by Anonymous Coward · · Score: 0

      Of course then you run the risk of getting a piece of lead in your body...

    22. Re:DES by Bert64 · · Score: 1

      ATMs should be a dumb terminal and a couple of dumb input devices, which talk an encrypted protocol to a backend server... Compromising the display device should not impact the input devices, and the data entered via the reader/pinpad should never go onto the display device in any form.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re:DES by HTH+NE1 · · Score: 1

      My PIN is 7117, what then?

      Then you tell us your account number.

      Palindromic PINs obviously won't work. But then, they're not that secure.

      For example, take the code used to unlock the infirmary door in WarGames where David Lightman was being held. The same code was used for entry and egress. A 16-button keypad and the code is audibly two digits pressed three times in succession. Now instead of 8008 possible combinations, it's down to 120. From the tones you can tell they're adjacent buttons, so that's down to 24 possible combinations. If you can actually see that they're adjacent horizontally, that's down to 12. No need to find a tape recorder, hook it up to the lock circuitry, get the guard to punch in the code, record the tones, play them back, and hope it works: you could brute-force that door code in seconds.

      But then, if you know standard DTMF signaling—and seeing David was phreakishly dialing tens of thousands of long distance numbers without incurring an expensive phone bill—you'd know it was 222333 immediately. If 2 and 3 don't actually send 2 and 3, you're down to only 11 more attempts. And again, if you know DTMF, you'll be able to cut those odds further.

      My point is, if someone only knows you repeat a digit in your PIN, that greatly reduces the security of your PIN. So never repeat a digit. Unless of course you make it clear to others that they should never repeat a digit, then they'll never think you would ("There's nothing more useless than a lock with a voice print").

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    24. Re:DES by Eternauta3k · · Score: 1

      A guy in my city was caught a few months ago doing a high-tech version of this. He made a kind of man-in-the-middle attack by putting a fake reader on top of the ATM's card reader, and a fake keyboard over the real one. That way, you used the ATM and your card info and PIN was recorded. Afterwards, the guy picked up the device, cloned your card and used your PIN. Clever, huh?

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
    25. Re:DES by flandar · · Score: 1

      That's simple. Just tell us where you keep your ATM card and . . .

    26. Re:DES by PitaBred · · Score: 1

      Right. If they run when you pull the metal bit out, they aren't the type for violent crime. When in the fuck did the entire world become scared of its own shadow?

    27. Re:DES by ls671 · · Score: 1

      Well, not allowing repetition of digits actually diminishes the number of possibilities for a PIN; one could argue that it makes the system less secure ...

      For a five-digit PIN, instead of:

      10*10*10*10*10 (100,000)
      you get:
      10*9*8*7*6 (30,240), more than 3 times fewer possibilities!

      Also, the bank not allowing digit repetition would have to be quite public !

      Not using digit repetition when it is allowed *might possibly* make the PIN harder to guess but not allowing digit repetition would make the system easier to crack in my humble opinion especially since digit based PIN have already few possibilities.

      What about alpha-numeric PIN ?

      21 = A
      22 = B
      23 = C
      31 = D
      32 = E

      You could get away with it by using the same convention used to enter letter on a phone keypad so no need to upgrade keypads.

      --
      Everything I write is lies, read between the lines.
    28. Re:DES by bitt3n · · Score: 1

      My PIN is 7117, what then?

      you have nothing to worry about, since your bank account is now empty.

      score one for social engineering!

    29. Re:DES by benjfowler · · Score: 2, Informative

      That bit of metal that traps cards is known as a 'Lebanese Loop'.

      If an ATM looks like it's been tampered with, don't use it. If an ATM retains your card, get the card stopped immediately.

      I'm paranoid, so I've memorized the toll-free phone number of my bank, so I can call them if something bad happens. The crooks aren't stupid, and if they get your card, they'll try and clean out the account as quickly as possible. This is especially serious with debit cards, where the banks shift more of the liabilities for fraud onto their customers (since it's your money, not theirs).

    30. Re:DES by Anonymous Coward · · Score: 0

      Nonsense. If the ATM's hardware is concealed properly it should generally not be accessible to do the things described in this article without physical damage to the ATM. If you have unfettered physical access all bets are off. In this case they were able to exploit the software running on the machine. Most likely Microsoft and the manufacturer were at fault. The manufacturer should have known better than to use Microsoft Windows in their ATM machines given the horrible track record. Microsoft is of course never blameless. They manipulate the market and limit the options of IT and executives alike.

      Criminal if you ask me.

    31. Re:DES by HTH+NE1 · · Score: 1

      Of course it is best that an attacker not know whether or not you repeat digits. The point is you're more insecure if an attacker knows you repeat digits than if you don't.

      For a five-digit PIN, instead of:

      10*10*10*10*10 (100,000)
      you get:
      10*9*8*7*6 (30,240), more than 3 times fewer possibilities!

      And for a five digit PIN with a known repeated digit:
      10*10*10*10*1 ( 10,000 + 4 for permutations of the repeated digit < 30,240 ) more than 3 times again fewer possibilities (almost 10 times less baseline for no prior knowledge).

      And it is easier to tell over the shoulder if you hit the same number more than once, especially twice in a row, so you're more vulnerable. If someone learns definitively whether or not a digit in my PIN is repeated, I'd rather they learn they are not than they are.

      But even better is if they're deceived about it: then they'll be searching the wrong data space. It helps if your ATM allows you to enter more digits than necessary.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    32. Re:DES by jafac · · Score: 1

      . . . not to mention, given the FLAKINESS of the general population, can you imagine the number of false hits?

      "oops, I entered the wrong number by mistake, was that the PIN or the duress code? I dunno. . ."

      Pretty soon, instead of the SWAT team, it would be an off duty cop that drives by 30 days later to double-check.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    33. Re:DES by Anonymous Coward · · Score: 0

      ATMs should be a dumb terminal and a couple of dumb input devices, which talk an encrypted protocol to a backend server... Compromising the display device should not impact the input devices, and the data entered via the reader/pinpad should never go onto the display device in any form.

      They don't do this because if the network goes down the ATM becomes useless. They like to have all of the possible uptime they can, otherwise they lose money.

    34. Re:DES by ls671 · · Score: 1

      Security wise, anything they learn about your PIN is bad.

      As for typing, I hide as best as I can with my other hand and I fake typing some digits when I do, so the PIN looks longer than it actually is and a watcher may think my PIN repeats digits while in fact it *may* not. Then again, I can also do the inverse; double a digit but make it look like I type only one digit when I in fact hit the key twice in a row. Again, that would make repeating digits more secure in this case.

      So how could someone know my PIN repeats digits unless I post about it on slashdot?

      And no, my PIN is not 7117, did you look at my signature? ;-)

      I agree with you that more digits is better. Banks that force you to have a 4 number PIN are silly.

      More digits/characters or more possibilities is always better. In fact, my passwords look more like passphrases than passwords for just that reason.

      My original post was merely noting that reversing your PIN to signal an emergency would constitute a weak standard: Crooks who know this scheme could just reverse the PIN in order to get your real PIN. I would vouch for 2 different PINs if banks went ahead with this idea.

      I also have other tricks that I use that may help against keyboard sniffers.

      Finally, I never heard of a password validator that doesn't allow you to repeat digit/characters so that would be new to me. Not allowing to repeat digits is telling something about your PIN, which is always a bad thing.

      --
      Everything I write is lies, read between the lines.
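
Added example, not part of the thread: the PIN-keyspace arguments in the comments above (repeated digits, palindromic PINs, a reversed-PIN duress code) counted by brute-force enumeration in Python. All function names are this example's own; the "bits" column is log2 of the number of candidates an observer with that one piece of knowledge still has to search.

```python
from itertools import product
from math import log2

DIGITS = "0123456789"


def has_repeat(pin):
    """True if any digit occurs more than once anywhere in the PIN."""
    return len(set(pin)) < len(pin)


def has_adjacent_repeat(pin):
    """True if the same key is pressed twice in a row (easy to spot over a shoulder)."""
    return any(a == b for a, b in zip(pin, pin[1:]))


def is_palindrome(pin):
    """True if the PIN reads the same backwards (e.g. 7117)."""
    return pin == pin[::-1]


def count_pins(length, predicate=lambda pin: True):
    """Enumerate every PIN of the given length and count those matching predicate."""
    return sum(1 for t in product(DIGITS, repeat=length) if predicate("".join(t)))


def keyspace_report(length):
    """Map each kind of observer knowledge to (candidate count, bits of search left)."""
    counts = {
        "any PIN": count_pins(length),
        "no digit repeated": count_pins(length, lambda p: not has_repeat(p)),
        "some digit repeated": count_pins(length, has_repeat),
        "same digit twice in a row": count_pins(length, has_adjacent_repeat),
        "palindrome": count_pins(length, is_palindrome),
    }
    return {name: (n, log2(n)) for name, n in counts.items()}


def reversible_duress_pins(length):
    """PINs that could use 'PIN entered backwards' as a distinct duress code.

    Palindromes are excluded because their reversal is the PIN itself.
    """
    return count_pins(length, lambda p: not is_palindrome(p))


if __name__ == "__main__":
    for length in (4, 5):
        print(f"{length}-digit PINs")
        for name, (n, bits) in keyspace_report(length).items():
            print(f"  {name:<28} {n:>7}  {bits:5.2f} bits")
        print(f"  usable with reversed-PIN duress: {reversible_duress_pins(length)}")
```
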
    35. Re:DES by plover · · Score: 1

      You joke, but it's adequate security for the task. The hackers are not the ones walking up to the ATMs and printing out the card data. Oh, no, that's too risky. They hire "mules" to go to the machines and print out these receipts, and bring them back. They are encrypting the card data (with DES) so the mules can't steal it!

      --
      John
    36. Re:DES by plover · · Score: 2, Interesting

      Because of advanced forms of fraud (and because networks are much more reliable than the dialups of yestermillenia) ATMs no longer work if the network goes down. They shut themselves down. They don't hand out cash when they're offline, because they have no way of authenticating your PIN, your card, or your account.

      If it were possible, criminal organizations would have people trying a bad card in a different ATM every hour of every day of every week. Once they "luck" into an offline terminal, it's payout time. They'll use the opportunity to withdraw that sucker dry before it comes back online. And they'll call their buddies up and tell them to try the other ATMs in the neighborhood, and drain those too. Or if such a feat were possible, they'd just cut the network wire (with an axe or a chainsaw at the pole in the parking lot) and then empty it.

      This is a different scenario than an offline cash register, where the machine can still scan barcodes and print receipts when it's offline, and you have a (semi-)trusted employee scanning the carton of milk and handling the change.

      --
      John
    37. Re:DES by cloricus · · Score: 1

      For your interest if your sig says every thing you write is a lie but that everything in your sig is a lie then every thing out side of your sig must then be the truth. Is this possibly more misdirection! Seriously who would post their real pin number on slashdot? That would make the number you posted the last one any one who knew you would try. I love thinking this stuff through. ;)

      --
      I ate your fish.
    38. Re:DES by jhol13 · · Score: 1

      Apparently there is - otherwise the news is a duck.

      What is your point?

    39. Re:DES by digitalchinky · · Score: 1

      You can't exploit Windows bugs in them because you can't connect to them from the internet.

      You don't need the internet, and they are exploitable - most definitely passively, and very probably actively (I never dared try). How so you ask? While this may be different for your area of the world, here in Asia many ATMs are linked by microwave or satellite depending upon geography. Having had some experience in digital communications for a decade or so, I can claim to have a teeny bit of knowledge on the subject. (Not hacking on ATMs, but in communications - particularly in the search and analysis fields)

      Banks put a huge effort in to physical security, and one would naturally assume this extends to network security as well. Traditional copper or fiber based networks, sure, you'll usually find a security guard or two protecting these so it's not like you can just splice or patch your way in without getting the cuffs slapped on. But, Slashdot, meet the humble feed horn, and your bog standard radio link. If 'they' want to beam their signals in to my back yard, they are mine right? :-)

      The glossy ATM brochures the bank manager pores over in his throne room portray a safe and secure point to point system. Though we know many aspects of 'security' are naught more than snake oil. These banks, they spend maybe 5 to 10 grand setting up the radio link, a bit more again for the ATM itself, with a nice big fat service contract to whoever maintains it. A simple and cost effective plug and play solution. If the little green light goes out in the comcen, you call the techs. For the bank manager, how it all works might as well be magic. Who cares, it's got 'microwave' so it must be secure.

      So how do they communicate?

      Simple ad-hoc packet switched network at speeds of generally 19.2 kbps - most have 1/2 rate Viterbi - so you can see the information rate is quite low, 9.6 kbps.

      Some are slower, some a little faster.

      They are pretty chatty little machines too, they say a whole lot more than I'd ever allow. Since we might as well say they communicate in the clear, you would think the data channel would be devoid of any information that could actually identify the user or their card and its details. You would think!!!

      Let's just say for the more technically inclined criminal, the ones they will likely never catch, there really is no point in even bothering to inject or exploit code into the ATM OS. That's too much effort for a single point of access.

      If you can see the Clarke belt from your particular patch of dirt, you can see this stuff for a few thousand USD too.

    40. Re:DES by SuperAndy · · Score: 1

      ATM running Windows XP doesn't mean it's less secure

      Than e.g. OpenBSD? It sure does.

      I think, as has previously been said, the difficulty in getting physical access to the business end of the hardware is infinitely harder than actually exploiting the equipment. The operating system is the least of your worries when you are trying to work out how to get to the machine itself, thus rendering the choice of operating system pretty much pointless, when you have things to worry about such as availability of software, cost based on insurance against this sort of thing, etc etc

    41. Re:DES by Ihlosi · · Score: 1

      Clever, huh?

      No, he just copied a method of attack that's been common in Europe for _years_. The criminals doing this over here have perfected their methods and manipulated ATMs are basically indistinguishable from clean ones without using force. They basically have "kits" for each type of ATM.

    42. Re:DES by PhiberOptix · · Score: 1

      It actually started a rumor. I received it a few days ago in my mailbox in a huge chain letter, being distributed in Brazilian Portuguese.

    43. Re:DES by Zencyde · · Score: 1

      ATM machines tend to use telephone networks for all of their information exchange. Traffic is encrypted but a man in the middle attack is very possible (and has been done, you just have to grab the data before encryption). I wish I had some sources to cite for you as this is something I haven't touched upon in a while.

      --
      What day is it? Could you please tell me?
  2. ATM != desktop computer by Smelly+Jeffrey · · Score: 4, Insightful

    An ATM is not a desktop computer. WTF is an ATM doing running Windows?

    1. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      An ATM is not a desktop computer. WTF is an ATM doing running Windows?

      Most ATM's run Windows, not right, but that's the reality.

    2. Re:ATM != desktop computer by Gizzmonic · · Score: 0

      I think most ATMs used to run OS/2 up until about 10 years ago. I'm waiting for the ATM that runs Mac OS X!

      --
      (-1, Raw and Uncut is the only way to read)
    3. Re:ATM != desktop computer by PrescriptionWarning · · Score: 3, Funny

      but how else is Microsoft supposed get Office 2009 - ATM edition to market? And just think, Clippy could be a money clip instead of a paper clip! The bottom line is it's win-win in this rough riding tsunami wave of data mining nugget pack of wolves devouring economy for today's business-ready customer driven shim-sham!

    4. Re:ATM != desktop computer by Ethanol-fueled · · Score: 4, Funny

      I'm waiting for the ATM that runs Mac OS X!

      They already have those in San Francisco. They're called "gAyTMs"

    5. Re:ATM != desktop computer by abigsmurf · · Score: 2, Insightful

      Why run Windows? Linux? DOS? etc.

      ATMs need an OS of some sort. More advanced OSes make it easier to have the software display videos and animations, have more complex functionality and better compatibility with modern software. So long as the firewalls are properly configured to sandbox the unit, vulnerabilities are irrelevant.

    6. Re:ATM != desktop computer by Eggz+Factor · · Score: 1, Funny

      As much as I like the Mac OS, I don't think I want a "lickable" ATM. :-P

      --
      blah, blah, blah...
    7. Re:ATM != desktop computer by sigmoid_balance · · Score: 1

      It's funny when you see it boot up if it previously had a failure or lost power. I never saw Win XP ATMs, but I saw lots of WinNT/Win2k ATMs. And yeah, I'm living in Eastern Europe.

    8. Re:ATM != desktop computer by Spazztastic · · Score: 4, Funny

      I'm waiting for the ATM that runs Mac OS X!

      They already have those in San Francisco. They're called "gAyTMs"

      A2Ms?

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    9. Re:ATM != desktop computer by Anonymous Coward · · Score: 1, Funny

      Here in Canada, the only ATMs I've crashed personally were both running linux (either that, or a version of Windows that displays a fake linux boot sequence to save face.)

    10. Re:ATM != desktop computer by NES+HQ · · Score: 5, Insightful

      Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copy of XP is more than sufficient for the minimal work that an ATM has to do.

      Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

      Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.

    11. Re:ATM != desktop computer by 91degrees · · Score: 2, Interesting

      Ultimately it comes down to "why not?" ATMs need an OS. The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development. Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer. It's easier to develop for Windows than to develop for a custom devkit.

    12. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      Cheaper to develop. Use off the shelf Windows and some rapid application tools and you have yourself a pretty ATM in no time. The downside is that your ATM is compatible with the largest library of hacking tools and probably won't be patched nearly as often as a desktop PC.

    13. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      If they want to save costs, why don't they assemble the ATM out of thin plastic held with standard screws?

    14. Re:ATM != desktop computer by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      Ultimately it comes down to "why not?"

      It costs a licensing fee. It has more security liability than pretty much any other choice.

      The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development.

      Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost.

      Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer.

      Because there aren't lots of dev tools for Linux that run on a normal desktop computer?

      It's easier to develop for windows than to develop for a custom devkit.

      How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it.

      In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

    15. Re:ATM != desktop computer by internerdj · · Score: 3, Insightful

      Presuming that the network designer had some sense then this type of hack happens at the physical location because a network update would set off far too many alarms: meaning it really doesn't matter what OS is running because the hackers are gaining physical access to the hardware. If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

    16. Re:ATM != desktop computer by jeremywc · · Score: 1

      An ATM is not a desktop computer.

      That's not completely true. For at least the last 10 years, most ATMs have been x86 boxes running OS/2 or Windows 2K/XP.

    17. Re:ATM != desktop computer by CopaceticOpus · · Score: 4, Funny

      This is a perfect chance to call your bank:

      YOU: "I've been reading online about ATMs which are based on Windows XP being attacked by cybercriminals, and I'm worried. Are your ATMs running on Windows?"

      THEM: "I'm not sure about the particular technology used in our ATMs, but we've had no security issues thus far."

      YOU: "THEN YOU'D BETTER GO CATCH THEM!" Tee hee-hee! (click!) Snicker, snicker, snort, snicker...

    18. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      Because that would clobber security. What does that have to do with the post you were responding to? I don't think it mentioned costs.

    19. Re:ATM != desktop computer by lxs · · Score: 1

      How is it easier to develop an ATM on Windows than on Linux?

      Windows devs are a dime a dozen and therefore cheap to hire.

    20. Re:ATM != desktop computer by iamhigh · · Score: 4, Insightful

      I'll second your argument, and I could be considered an MS fanboy by this crowd's standard. But there is no reason to have an ATM running windows, the most used, most exploited OS on something like an ATM. I wouldn't even use Linux, but probably recommend a custom OS, as you can control the hardware used. Then the attackers have to hack some pretty much unknown system, that can easily be built from the ground up to use software and hardware security measures.

      --
      No comprende? Let me type that a little slower for you...
    21. Re:ATM != desktop computer by Reece400 · · Score: 1

      I've seen a windows 98 one here in Canada.

    22. Re:ATM != desktop computer by ILongForDarkness · · Score: 1

      Hehe. We have a large Sun/Storage Tek tape library at my work. The SL300000 http://www.sun.com/storagetek/tape_storage/tape_libraries/sl3000/ . It runs Win2k. The question is what is a new $120k device (~70k but then that is before you get the drives for the library :-)) from an old school UNIX vendor doing running an out of support version of Windows :-) . We also have microscopes that are controlled by windows but the GUI is in Linux (they come with both computers in one case). It all comes down to what the developers were comfortable with at the time, and whether device drivers are available I guess.

    23. Re:ATM != desktop computer by Thaelon · · Score: 1

      Probably acting as a general purpose OS to allow ATM manufacturers to do less work since they only have to write software for a common OS.

      --

      Question everything

    24. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      It's cost effective, far easier to test and besides they aren't using regular copies of XP to do this. Believe it or not these companies actually have the source to the version of XP they use. I know it makes for a great slashdot post, but learn about something before posting popular banter.

    25. Re:ATM != desktop computer by WillKemp · · Score: 2, Insightful

      If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

      Yeah, of course they would. Bank managements are well known for being sensible and never doing stuff that loses money.

    26. Re:ATM != desktop computer by Anonymous Coward · · Score: 2, Insightful

      RE: "a decently hardened copy of XP is more than sufficient for the minimal work"..

      That's the problem...it's more than sufficient. When designing something to be secure, you want the system to be sufficient, nothing more. ATMs shouldn't even run Windows, linux, DOS, or any other general purpose OS. They should run the minimal set of programs required to perform banking transactions. There are levels of "security". While a hardened general purpose platform is better than an unhardened one, it is not a good design when security is paramount.

    27. Re:ATM != desktop computer by memojuez · · Score: 1

      How is it easier to develop an ATM on Windows than on Linux?

      Windows devs are a dime a dozen and therefore cheap to hire.

      Ergo, they got what they paid for, sloppy programming full of holes

      --
      Signature applied for, Patent Pending
    28. Re:ATM != desktop computer by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Windows devs are a dime a dozen and therefore cheap to hire.

      Are you talking about Windows developers with experience creating user interfaces and coding for appliance style devices that don't use the normal inputs and only have fullscreen displays?

      There are a lot more Linux people qualified to create such devices than Windows people from my experience in the industry. If, however, you're talking about developers with no experience and without the proper skills, sure you can find more Windows developers, but that sure isn't going to save you money.

    29. Re:ATM != desktop computer by WillKemp · · Score: 1

      Crap Windows devs are a dime a dozen and therefore cheap to hire.

      There, fixed that for you.

    30. Re:ATM != desktop computer by EXrider · · Score: 3, Insightful

      More advanced OS' make it easier to have the software display videos and animations.

      As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

      --
      grep -iw skynet /etc/services
    31. Re:ATM != desktop computer by Anonymous Coward · · Score: 3, Funny

      You have to multitouch move an on-screen representation of your money to the trashcan in order to get the ATM to eject it into your hand.

    32. Re:ATM != desktop computer by pilgrim23 · · Score: 1

      Entry to the system is the big stumbling block; "open box, insert USB or other media close box". Every vending machine I have ever encountered has some code that puts it into a "service mode". I would not be at all surprised that if you say: Punch "Use English" twice then savings account then some other button then slide in a "special" card and do the service voodoo. Now given such a "service personnel only" HOLE and I am SURE it's there, it would be trivial to program a basic overflow on an ATM card to make the whole system available via keyboard. Then use ascii to punch in a .com on the keyboard and you are good to go.

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    33. Re:ATM != desktop computer by 91degrees · · Score: 2, Insightful

      It costs a licensing fee. It has more security liability than pretty much any other choice.

      As far as I know though, most of this is via the browser and email applications and IIS. XP can be pretty secure if you disable all unneeded services.

      In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

      I'd have thought Linux would be cheaper, but for all we know, they did a thorough analysis, discovered there were suitable savings to be made through use of Windows. Speculating that it's cheaper with so little information is pointless.

      There's no indication of how the malware is installed. I suspect this requires physical access, in which case the OS chosen makes no difference at all.

    34. Re:ATM != desktop computer by twistah · · Score: 3, Interesting

      They run XP embedded, which allow you to customize which components are used much more so than regular XP. That is not to say I don't see your point -- we've broken into plenty of Diebold XP ATMs during authorized penetration tests using regular Windows exploits. After that, it's game over with the software this product mentions. Then again, regular OS's have been running on ATMs for a long time, and many still run OS/2.

    35. Re:ATM != desktop computer by butabozuhi · · Score: 1

      Bank management may be comprised of buffoons, but they aren't the only reason ATMs are Windows based. Although I'm no longer in the banking industry, when I left a few years ago the trend with the big ATM manufacturers was Windows. The vendors said they were locked down. The vendors said they gave greater functionality (i.e. marketing) than the old machines (notice they have ads showing on them nowadays?). Why change something if it ain't broke? Somehow, someway, the vendors were sold on Windows and pushed it down to the banks. Banks, who need to use established vendors and have support contracts, had really little choice than to 'move forward.' The day Diebold announced their 'next generation windows ATMs' I bet the criminal world let out a cheer!

      --
      mu
    36. Re:ATM != desktop computer by AlecC · · Score: 1

      Since the stolen information is being printed off on the bank's receipt printer, they presumably have an insider in the bank who installs the malware and collects the output, but would be very hard to trace back to the fraudulent use.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    37. Re:ATM != desktop computer by Lonewolf666 · · Score: 1

      Even Unix won't save you if the attacker gets physical access to the machine. I learned how to "crack" SCO Unix 10 years ago in an administration course by booting from floppy and resetting the password file.
      If you can prevent that, it should be possible to secure Windows with a firewall that blocks all ports except the one your ATM application uses.
      This said, Linux may actually be easier/cheaper to secure. But I don't consider a Windows based ATM an automatic security risk if the developer does his homework.

      --
      C - the footgun of programming languages
    38. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      lol. the screen is a fullscreen window. takes like 5 lines of code. the buttons are huge standard buttons with images pasted on top.

      you could probably create a production-ready ATM gui in .NET in a day.

      not that you should..

    39. Re:ATM != desktop computer by Youngbull · · Score: 1

      Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copy of XP is more than sufficient for the minimal work that an ATM has to do.

      I guess the designers of this system are actually saying the same as you are, but here is the catch.. XP is too much for what an ATM is supposed to do. With all the features of a desktop OS it brings with it security issues and possible bugs. Something as vital as an ATM should be running on custom software top to bottom, developed to handle the task at hand securely.

    40. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      Using Windows on an ATM is a sign someone in management somewhere got a nice kickback from M$

      there fixed that for ya.

      captcha: reworked

    41. Re:ATM != desktop computer by networkconsultant · · Score: 1

      It is however easier to find a tech that knows how to troubleshoot windows than one that knows how to run ifconfig & route.

    42. Re:ATM != desktop computer by 91degrees · · Score: 3, Insightful

      Bad Linux programmers are more expensive than bad Windows programmers.

      The problem, if anything, is the programmers. Not the platform they're developing for.

    43. Re:ATM != desktop computer by networkconsultant · · Score: 1

      Actually they would Say: We outsource our ATM service via another company, in fact I couldn't tell you if they are on off green or purple.

    44. Re:ATM != desktop computer by Phroggy · · Score: 2, Insightful

      a decently hardened copy of XP is more than sufficient for the minimal work that an ATM has to do.

      It's the precise nature of the "more than" that has us worried.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    45. Re:ATM != desktop computer by plague3106 · · Score: 1

      Seriously, you're this dumb? Cell phones aren't desktop computers either, but they run Windows and Linux as well. My cable box is not a desktop computer, and it runs Windows. My dad's cable box runs Linux (which, oddly, seems to lockup from time to time).

    46. Re:ATM != desktop computer by eugene_roux · · Score: 1

      s/is an ATM/is any system/

      Just sayin'...

      --
      Part Time Philosopher, Oft Times Romantic, Full Time Unix Geek
    47. Re:ATM != desktop computer by TJamieson · · Score: 4, Funny

      As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

      THANK YOU! I remember several years ago, I stopped at my local ATM and noticed the screen was now in color. Hey, that's neat, I thought. Since I had just pulled up, it was displaying a picture of the bank. So I began to use the machine - wait, what the hell? The interface is still the exact same monochrome it has been since 1985! Why would they order a color screen? Then, as I completed my transaction and waited for my receipt, the reason came up -- a full-color ad for buying their shitty mortgage services.
      Nevermind the fact that a good 30% of the time said ATM was "Temporarily unable to dispense cash" (read: empty).

      --
      For the last time, PIN Number and ATM Machine are redundancies!
    48. Re:ATM != desktop computer by sjames · · Score: 1

      Because ATMs are very high value targets and there's no practical way to fully audit XP. Because XP is designed to do anything and everything while security calls for a fully audited system that can only do what it is supposed to do. Consider, the malware has to hook in somewhere. The less somewheres there are, the harder it is to do that. ATMs are an embedded application, it's silly to run a desktop OS on them.

      Linux would be a better choice since its design allows for it to be stripped down to the essentials and for a kernel to be built without most of the features and extraneous drivers. It's much easier to harden Linux because of that and the ability to remove the userspace. Strip it down to a minimalist kernel, a very few utilities to be used for booting and diagnostics and the actual embedded app.

      Even that is inferior to an app running on bare metal as far as auditability goes.

      Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

      And yet, the malware is apparently out there and ATMs HAVE been compromised. I guess either the banks have no such sense or it's just not enough.

    49. Re:ATM != desktop computer by joelmax · · Score: 1

      There are times when some here would consider me to be a bit of an M$ fanboy as well, and I gotta say, for an atm, I would never use windows. It's too common, too popular, too exploited. I would use a linux or BSD distro. Not because it isn't the popular choice (Although that is a contributing factor), but because ultimately, you can harden one of these boxes a lot better than you can a windows box (Although they still technically would be hackable). Really, the way to do it would be to use a linux/bsd distro, take out the common desktop environs (gnome/kde) as they are a point of entry for a hacker (Much easier to hack gnome/kde than to try to hack the kernel), continue through hardening the box, and have it setup to boot direct to the application instead, and take the time to secure the app itself, the network, and the physical box. It doesn't matter what the OS is if the box can be physically compromised.

    50. Re:ATM != desktop computer by Captain+Hook · · Score: 1

      I read the receipt printing trick as not needing an insider, hacker just goes up to the ATM, enter a special code/card and it prints out a DES encoded string of characters on the built-in printer which normally provides the cash withdrawal receipt.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    51. Re:ATM != desktop computer by The+Archon+V2.0 · · Score: 1

      Here in Canada, the only ATMs I've crashed personally were both running linux (either that, or a version of Windows that displays a fake linux boot sequence to save face.)

      A Windows version with a sense of shame. That would be impressive, particularly coming from a company who's pretty much shameless.

    52. Re:ATM != desktop computer by Muad'Dave · · Score: 1

      Dugg for using 'cue' (correctly) instead of 'queue'. 8-)

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    53. Re:ATM != desktop computer by KagakuNinja · · Score: 1

      Windows devs are a dime a dozen and therefore cheap to hire.

      I'm looking for the guy who is supplying the dimes...

    54. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      If an ATM runs Windows, it should be Embedded or CE or some such and not full blown 2k or XP.

    55. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      Actually, no ... computers and computer-run devices like ATMs DO NOT need an OS.
      Back in the 1970s, we used to run programs on basically "bare metal". We would key in the bootstrap manually which would read in the program and the program would run.... no OS at all
      I know it would be way more complicated, but the OS/Program separation is artificial and is NOT required, and I'd argue, on important-to-secure machines, it might be that they should only run a program and not an OS as well.

    56. Re:ATM != desktop computer by goodmanj · · Score: 1

      Mod parent up. A standard security mantra is, if you use a bigger hammer than necessary, you increase the chances of smashing your thumb.

      The more complex the software tool, the more likely it is to have some sort of security hole in an obscure feature you don't care about and aren't aware of.

    57. Re:ATM != desktop computer by sjames · · Score: 1

      If you pay peanuts, you get monkeys.

    58. Re:ATM != desktop computer by spartacus_prime · · Score: 1

      I never go to those.

      --
      If you can read this, it means that I bothered to log in.
    59. Re:ATM != desktop computer by moose_hp · · Score: 1

      Once in an ATM on a mall

      And I have my money on that bank, I feel so secure.

      --
      DON'T PANIC.
    60. Re:ATM != desktop computer by coolsnowmen · · Score: 1

      I'm pretty sure that linux isn't designed to be fully audited either though. In fact, last I read the kernel rejected patches to allow it to be (on the grounds that it would be abused by DRM advocates).

      http://lwn.net/Articles/333825/

    61. Re:ATM != desktop computer by PitaBred · · Score: 1

      Windows developers who don't care about lying on their resume. Ever read the Daily WTF? There are a lot of people who don't even know enough to know jack shit about development but lie through their teeth on their resumes, and get jobs because of it. And since they're willing to take less money than qualified devs, the HR buffoons who just hire people and don't actually know anything about the actual job requirements just rubber stamp them through since the resume has all the required bullet points and they've got the lowest salary requirements.

      Why no, I'm not a cynic. Why do you ask?

    62. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      Why wouldn't it?

      As an NCR Technician who works on them everyday I was very pleased to see the upgrade from OS2.

      They are faster, more reliable, and have better troubleshooting tools.

      They are no more vulnerable if you have access to the PC inside.

      And I would like to point out I just finished working on an NCR that has an ASUS motherboard..2GB DDR2 RAM, and a 2.8GHz processor...all off the shelf components.. It is essentially a computer...

    63. Re:ATM != desktop computer by NES+HQ · · Score: 1

      Thanks. Spent enough time in England to know that you cue the music and queue in line!

    64. Re:ATM != desktop computer by cptdondo · · Score: 2, Interesting

      Take a lesson from the gambling industry. They have to audit all of their machines regularly. The entire OS, including the bootloader, sits on SD cards. You can yank the SD card, audit it, and stick it back in. It's much more difficult to hack these on a long-term basis as the SD card audit will catch it. There are no keyboard ports. (Assuming, of course, the auditor is honest and the lock on the machine is secure. No joy if the person refilling the machine has access to the guts of the machine.)

      Anyone here actually programmed one of these? I built an embedded box on the hardware, and the bootloader-on-the-SD-card made me ask what it was for.

    65. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      "Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network."

      Apparently many banks don't employ such people, or their ATMs wouldn't have been hit by the slammer worm.

      Sorry, but past evidence has shown that these Windows-based ATMs are not "decently hardened" nor are they run by "anyone with any network design sense".

    66. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      I see you're trying to clean out your account.

      Would you also like to:
      - Clean out your other accounts
      - Open a new Credit Card
      - Deposit millions from Nigeria.

    67. Re:ATM != desktop computer by mindbomb2323 · · Score: 1

      Both Diebolds and NCR atms used to run os/2 warp and would have to this day if it wasn't for IBM dropping it totally. Atms locking up used to be a once in a blue moon issue but now with xp embedded running on them it seems like I get 2 a week that have to be rebooted from a lock up.

    68. Re:ATM != desktop computer by JuniorJack · · Score: 1

      Yeah but we are not in the 70s any more. They would code them in PHP or JAVA if they had a chance to choose. This is why professional hackers have an easy way to hack something that should be impossible to hack

    69. Re:ATM != desktop computer by Bert64 · · Score: 1

      Because it makes it cheaper...

      Cheaper because windows coders are ten a penny and very cheap...
      Cheaper because hardware that will run windows is also extremely cheap and widely available... They can use whatever the cheapest components available are, and be pretty much guaranteed that there will be drivers for it...

      And because many of the people making decisions don't realize anything other than windows exists, so it just becomes a default component, you wouldn't build a computer without a processor and many people think windows is as integral to a computer as the processor.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    70. Re:ATM != desktop computer by Bert64 · · Score: 1

      Firewalls are not the ultimate solution, they have vulnerabilities and misconfigurations too... Also as firewalls become more complex, the risk of vulnerabilities increases.

      Firewalls should not be relied on as the only facet of security, they should be only a small part of an in depth security policy. If the firewall is taken out of the equation, the system should be able to stand on its own.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    71. Re:ATM != desktop computer by Bert64 · · Score: 1

      But you point out that an ATM has minimal work to do...
      Windows is not a minimal OS, it contains a lot of functionality that serves no purpose in the context of an ATM. Any functionality could potentially have bugs, the less complexity you have the lower the risk.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    72. Re:ATM != desktop computer by serialband · · Score: 1

      Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copy of XP is more than sufficient for the minimal work that an ATM has to do.

      Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

      Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.

      The ATM runs a very stripped down version of Windows XP. It then runs a single app that does all the work. The bank tellers also run XP desktops with a single application that connects to the centralized database. Nothing else is allowed to run on these systems, so why does it even need Windows XP? It's a ludicrous setup. The ATMs and bank teller systems have no need of Windows XP in any way shape or form.

      Banks used to run dumb terminals that connected to a centralized server. That's all they still need now, because they run a single application to do just that. What idiot decided several years ago that they needed brand new Dells with XP that needed someone to whittle down to just run one and only one application? The banks make lots of money off us and demonstrate that they can waste it all on the expensive Dell systems.

    73. Re:ATM != desktop computer by sjames · · Score: 1

      That's an entirely different sort of auditing. Linux does have the ability to audit processes. However, the sort of auditing I'm referring to is where a team of experts go over the code line by line detecting any potential vulnerability.

      In the case of the kernel, they need only do that for features they enable in their build.

    74. Re:ATM != desktop computer by zmollusc · · Score: 1

      NCR used OS/2 on their ATMs until replacing it with XP. Hilariously the XP ATMs had 8x the MHz, 10x the ram and took twice as long to boot. Once it has booted, the XP machines are slightly less responsive to the (unchanged) keypad. When power cycling kills XP, it takes a couple of hours to reinstall. OS/2 reinstalls in 20 minutes.
      The rest of the ATM remained unchanged.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    75. Re:ATM != desktop computer by Eil · · Score: 1

      Why shouldn't an ATM run Windows?

      Because the Windows codebase has just about the worst security track record in history?

      Because it was never designed to be even a general-purpose operating system?

      Because there are many other operating systems that are designed and tested exclusively to operate reliably in embedded environments where security is a top priority?

    76. Re:ATM != desktop computer by HTH+NE1 · · Score: 1
      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    77. Re:ATM != desktop computer by Fred_A · · Score: 1

      I'd have thought Linux would be cheaper, but for all we know, they did a thorough analysis, discovered there were suitable savings to be made through use of Windows. Speculating that it's cheaper with so little information is pointless.

      You're obviously not familiar with the way corporations work. Picking a solution because it's cheaper or the best tool for the job pretty much only happens through sheer luck.
      Important considerations are :
      - the colours used on the brochure
      - whether the PHB liked the salesperson
      - how much "incentives" were offered

      --

      May contain traces of nut.
      Made from the freshest electrons.
    78. Re:ATM != desktop computer by 91degrees · · Score: 1

      This would be an inefficient use of Microsoft's resources. An ATM company is going to sell far fewer units than any but the smallest PC company. Once they've agreed to use embedded Windows, there's virtually no lock-in. The OS will have very little in the way of dedicated banking APIs, so it will be trivial for the company to switch, and they require no additional software, so Microsoft make no sales of other software as a result.

      It's most likely an engineer said "let's just stick a Windows PC in there. It's not too expensive, easy to develop for and we can use our development machines to run the software directly", and nobody could come up with a compelling reason not to. In my experience people will often pick a platform simply because they need a platform, and it's better to choose a reasonable solution than spend months evaluating the options. Windows may not be the best solution but it's a good enough solution (there's nothing to suggest that this problem was caused by the OS), and it's a known quantity.

    79. Re:ATM != desktop computer by pcardno · · Score: 1

      "It costs a licensing fee. It has more security liability than pretty much any other choice."

      Yes, it does when it's hooked up to internet with no protection. That isn't this case. I may be entirely wrong, but isn't it the case that an unconnected (except for a highly secure private network), fully patched Windows XP machine is no easier to break into than an equivalent Linux / OSX machine?

      "Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost."

      The licensing fee means you can blame them when it's their fault. If you want to blame someone else with Linux for a fundamental OS security issue, you'll still need to license it for a cost. That's why Red Hat make money.

      "Because there aren't lots of dev tools for Linux that run on a normal desktop computer?"

      Original question was wrong. Who cares, as long as the development tool does the job effectively.

      "How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it."

      Because they've been doing it for years so it's far easier to port from old Windows to new Windows rather than rebuild the whole thing from scratch. There may well be a new, better technology, but it's a hell of a lot cheaper to regression test against a newer version of an existing platform than it is to rebuild for an entirely new one.

      --
      --- Band: Joey Ultra
    80. Re:ATM != desktop computer by the_y_the · · Score: 1

      I work for one of the biggest banks in Australia. The ATMs we use are Diebold machines. However, believe it or not, they are all running on Windows XP, with specialised Diebold software running on top. Everything that the customer sees on their ATM screen is simply the GUI of the Diebold software. I forget the name of the software package, but running XP on ATM is not as rare as you might think.

    81. Re:ATM != desktop computer by coolsnowmen · · Score: 1

      Sorry, I misunderstood. What I was talking about apparently isn't called auditing.

    82. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      How is it easier to develop an ATM on Windows than on Linux?

      Windows devs are a dime a dozen and therefore cheap to hire.

      If you pay peanuts you get monkeys.

    83. Re:ATM != desktop computer by kmoser · · Score: 1

      Citibank used to run their own proprietary software but now they (and others) run Windows: http://www.youtube.com/watch?v=FAnmuRHYamc

    84. Re:ATM != desktop computer by Timmmm · · Score: 1

      "it really doesn't matter what OS is running because the hackers are gaining physical access to the hardware"

      Bullshit. If you used Linux you could easily encrypt the entire disk and require a password to start the ATM software. Now you've gone from:

      Windows: Connect USB drive (or whatever), install simple software.
      Linux: Wipe hard disk, write drivers for the card reader, cash dispenser etc, install new OS with fake ATM interface.

      Obviously it's not impossible but it only needs to be really really hard before the hackers will give up.

    85. Re:ATM != desktop computer by internerdj · · Score: 1

      Either way there is a problem that someone is physically breaking open the ATM box or remotely accessing the box and it isn't throwing up any type of alarm or even logging the access. I have a big box of money and there isn't at the very least some way of knowing when it has been opened or remotely accessed? If someone is tampering with the box it needs to be taken down and serviced. It isn't that hard to clone the drive when you service the ATM and do a compare if tampering occurs. It isn't like they could hide code in with the customer data because the box is really going to have one section of data that is changing and it should have a pretty standard format. If I knew for sure my bank was pulling crap like that then I wouldn't bank there.
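The clone-and-compare check described in the comment above, as an added example that is not part of the original thread: it hashes every file in a baseline image and in a later image, skips the one area expected to change (a hypothetical `journal` directory), and reports what was added, removed or modified. All file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def manifest(root, exclude=()):
    """Return {relative_path: sha256_hex} for every file under root.

    Entries in `exclude` are '/'-separated relative paths; each is skipped
    together with everything beneath it (e.g. the transaction journal).
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == e or rel.startswith(e + "/") for e in exclude):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Diff two manifests into added / removed / modified path lists."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths if baseline[p] != current[p]
        ),
    }


def _write(root, rel, data):
    """Create or overwrite a file at root/rel (helper for the demo only)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed disk layout, record a baseline, change it, diff it."""
    exclude = ("journal",)  # assumption: the only area that changes in service
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/atm_app.bin", b"vendor application v1")
        _write(root, "app/config.ini", b"host=processor.example\n")
        _write(root, "journal/ej.log", b"txn 0001\n")
        baseline = manifest(root, exclude)

        # Normal operation: the journal grows. This must not raise an alert.
        _write(root, "journal/ej.log", b"txn 0001\ntxn 0002\n")
        # Constructed tampering: one new file and one changed file.
        _write(root, "app/unknown.dll", b"unexpected binary")
        _write(root, "app/config.ini", b"host=processor.example\ndebug=1\n")

        return compare(baseline, manifest(root, exclude))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the comparison against a clone mounted on a separate, trusted machine rather than from the ATM's own running OS, since software with that level of access can hide its files from tools running on the same system.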

    86. Re:ATM != desktop computer by Anonymous Coward · · Score: 0

      ...In that case I've got some really bad news about aeroplanes that may put you off flight ;)

  3. Credit card companies need to wise up by gurps_npc · · Score: 3, Insightful

    They have to understand that 'eating the loss', while it may make sense from a short term financial perspective does not make sense for a longer term perspective. There are superior methods out there to verify credit card information, we don't need to use the same method that was used 50 years ago.

    --
    excitingthingstodo.blogspot.com
    1. Re:Credit card companies need to wise up by MoonBuggy · · Score: 1

      Not directly related, but I still find it absolutely stunning that by giving a cheque to someone you are giving them enough information to empty your account. If that's their attitude to security, I get the impression it's going to be an uphill struggle for improvement.

    2. Re:Credit card companies need to wise up by maxume · · Score: 1

      Nearly the entire Western world is mostly built on trust. Blindly assuming people are honest leads to more trust than constant paranoia.

      I guess with the speed of electronic transactions it is a little crazy, but most people have never had an issue with it, so things don't change.

      --
      Nerd rage is the funniest rage.
    3. Re:Credit card companies need to wise up by truthsearch · · Score: 1

      They have to understand that 'eating the loss', while it may make sense from a short term financial perspective does not make sense for a longer term perspective.

      Actually, it does. There will always be fraud. And companies have a threshold which they consider acceptable (IIRC MasterCard's was generally 2% back when I worked for them). The cost of rolling out advanced security tech is huge, and compared to a small reduction in fraud it's simply not worth it to these companies.

      Most fraud is not done through cloned plastic. So even completely eliminating this risk may not be cost effective.

      (As a customer I want all fraud gone. I'm just explaining the corporate perspective.)

  4. Windows XP? by Anonymous Coward · · Score: 5, Funny

    ..."on ATMs running Microsoft's Windows XP operating system..."

    Let me be the first to say "ur doin it wrong."

    1. Re:Windows XP? by abigsmurf · · Score: 1

      Yeah, clearly they should keep using Operating systems that no one has used on desktops since the late 80's.

      I'm sure that would make general maintenance and updating the software easier.

    2. Re:Windows XP? by WillKemp · · Score: 1

      Of course they're doing it wrong - they're a bank, that's what they do.

  5. Stupid stupid users by Anonymous Coward · · Score: 3, Funny

    When your ATM asks if you want to install an ActiveX control, you always say "no."

    How many years do I have to keep telling them that?

  6. Mac OSX on the ATM by rliden · · Score: 1, Funny

    "Hi!, I'm an ATM."

    --
    Don't think of it as a flame, more like an argument that does 3d6 fire damage.
    1. Re:Mac OSX on the ATM by truthsearch · · Score: 1

      "And I'm a PC."

  7. but how? by Anonymous Coward · · Score: 0

    But how does one install the malware on the ATM without insider help?

    ATMs are housed in tamper-proof cases, the user interface is very limited (it's not like you can plug in a USB key or sth.) and they are under constant camera supervision.

    1. Re:but how? by Anonymous Coward · · Score: 0

      Via a network connection, using one of Windows XP's 7,243 known exploits. You can't possibly expect ATMs to run automatic updates and then just up and reboot every time an update is installed...

    2. Re:but how? by jafiwam · · Score: 3, Insightful

      Read the summary again and it's obvious.

      Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

      There doesn't need to be an exploit beyond "Eastern European Country" involved.

    3. Re:but how? by delire · · Score: 2, Interesting

      Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

      Certainly there is plenty of corruption in the Eastern European countries, however it's not like other countries are spared the same problems; American TV producers can't seem to get enough of the Good Cop / Bad Cop diametric, as though heaven and hell had a street address. Why is it popular? Because it's a hot topic: people know corruption in the police sector is rampant in America.

      What of banks? You can almost be sure that banks in the West, now famous for their abusive secrecy and gambling, would not dare let their customers know the same thing was happening at an ATM near you.. Having lived in both 'sides' of Europe, I wish you luck with those Reagan-era East/West generalisations.

    4. Re:but how? by BrokenHalo · · Score: 1

      In any case, the more common exploit is to add an often cunningly-designed and plausible device outside the slot to skim data on the magstripe, in combination with a camera to record PINs.

      This has the advantage (to the thief) of being OS-agnostic, and requires no access to the back of the cabinet.

      We've recently had a rash of them around where I live, which is why I now mask my PIN by holding my large clutch-wallet over my hand to hide keystrokes from camera access. So far, so good; we work with (or against) the technology that we have.

  8. How come? by Anonymous Coward · · Score: 4, Interesting

    I RTFA (yes, yes... I know) but I couldn't find the answer to the most obvious question... how does the rootkit get installed?
    If no physical access to the real PC inside the ATM is needed.. that's really cool!
    But if you need to plug a USB drive in, this actually reduces the field of the potential thieves by several orders of magnitude...

    M

    1. Re:How come? by dbcad7 · · Score: 1

      I imagine it's physical access, but I suppose it could be done other ways.. If it was more widespread than "mostly eastern european countries" then it would probably be more likely done remotely. In many of these countries corruption and bribery are just acceptable and sometimes admired ways of life. It's pretty simple to investigate who has access to particular machines and figure it out, but it will probably take something extreme like the card companies refusing to do business in that country to force investigations and tighter security.

      --
      waiting for ad.doubleclick.net
  9. Ohhh by Anonymous Coward · · Score: 0

    So when the ATM asks me if I'm sure I want to withdraw £200 it's just UAC.

  10. At least it's not Vista . . . by PolygamousRanchKid+ · · Score: 4, Funny

    "Are you sure you want to withdraw this money?"

    "Will you spend it wisely?"

    "You don't seem to have much left, have you planned for an emergency?"

    . . . etc. . . .

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:At least it's not Vista . . . by Anonymous Coward · · Score: 3, Insightful

      Do you realize that would actually be a fantastic improvement?

    2. Re:At least it's not Vista . . . by Reece400 · · Score: 1

      Agreed, I've often accidentally overdrawn my account without notice, and even if I deposit it right back, I still get overdraft charges...

    3. Re:At least it's not Vista . . . by Anonymous Coward · · Score: 0

      Maybe if ATMs did that the states would not be in the terrible mess they are currently in.

    4. Re:At least it's not Vista . . . by maxwell+demon · · Score: 1

      and even if I deposit it right back, I still get overdraft charges...

      Which of course means the bank will not warn you.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:At least it's not Vista . . . by Anonymous Coward · · Score: 0

      As much improvement as Vista's UAC.

      People *learn to ignore* prompts.

    6. Re:At least it's not Vista . . . by PitaBred · · Score: 2, Interesting

      I concur. Especially after having read Not Always Right lately.

    7. Re:At least it's not Vista . . . by bitt3n · · Score: 1

      "Are you sure you want to withdraw this money?"

      "Will you spend it wisely?"

      the first operating system that prevents people from buying itself

  11. Windows? by grahamsaa · · Score: 5, Funny

    Why a bank's IT / security team would feel it appropriate to operate ATMs that run Windows is completely beyond me. I mean, if bankers were really that stupid the world economy would probably have crumbled by now. Oh, wait. . .

    --
    Facts have a liberal bias.
    1. Re:Windows? by BrokenHalo · · Score: 1

      Trouble is, there is still a surprisingly large number of banks who still insist that customers use Windows boxes to access internet banking. I have several friends who have been caught out and ripped off, despite having taken what they thought to be reasonable precautions re. keeping their anti-virus software up to date.

      Fortunately, most banks here (Australia) now seem to have become OS-agnostic, but this wasn't the case as little as 5 years ago.

      My own feeling is that an operating system with such an extensive and comprehensive record of being compromised has no business being used to handle critical data. And no amount of bleating about how "Linux doesn't have the customer-base to attract malefactors yet" suffices as an excuse. The simple fact is that Linux (or BSD, OS X or any other *nix) have had the benefit of some 30 years of hardening up security, and all of them are now pretty damn good by default. Microsoft doesn't seem to really care that their products have more holes than a Swiss cheese, and appear to be perfectly content to allow others to maintain security.

      Who should we trust?

    2. Re:Windows? by Anonymous Coward · · Score: 0

      The people who run the multi-national banks are all in bed (metaphorically) with the people who run the rest of the multi-national businesses in the world (e.g. Microsoft).

      It looks good for MS to be able to say they are the software behind the ATM network.

      The grunts on the IT/Security team might like to use another [better] platform, but there is probably a lot of pressure from the top to make it work using Windows, for political reasons.

    3. Re:Windows? by Anonymous Coward · · Score: 0

      Why a bank's IT / security team would feel it appropriate to operate ATMs that run Windows is completely beyond me. I mean, if bankers were really that stupid the world economy would probably have crumbled by now.

      Oh, wait. . .

      do you mean wall street runs windows ?

      dumb ass ... do you even know how an ATM operates ..???

  12. Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 5, Funny

    Once I found a gas station near my work where the pumps were running a version of Windows back around 1999-2000. If you swiped your card and pulled the nozzle at the same time the little LCD screen showed a BSOD and you got free gas. I filled up there for 1 week until they closed the station and changed the pumps. Never got charged a cent!

    1. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 5, Insightful

      The gas wasn't free, you stole it.

    2. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      That explains a critical update I saw once:

      Some users are experiencing a massive loss of income due to Windows crashing and giving away free gas. Download this patch to increase the chances that Windows will crash with the pump in the 'off' position.

    3. Re:Free gas courtesy of Mircosoft! by Reece400 · · Score: 1

      Agreed, Seeing as most stations have slews of cameras, he's rather lucky not to be caught.

    4. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      What, it's not like there was some guy in a booth that I could just walk up to and say, "Hey, your pump just crashed, who do I pay for my gas?"

    5. Re:Free gas courtesy of Mircosoft! by Paradise+Pete · · Score: 3, Insightful

      Agreed, Seeing as most stations have slews of cameras, he's rather lucky not to be caught.

      The chances of being caught have nothing to do with the fact that it's theft. If the risk of being caught determines how you act then you should rethink your principles. It's easy to do the right thing when you'll get noticed. It's when you know that you could get away with it that reveals your true character.

    6. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      But it's not theft, it's copyright infringement!!! How many times do I have to keep repeating this on Slashdot. Sheesh.

      Oh, wait..

    7. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      I filled up there for 1 week

      So you got one, maybe two free tanks when it cost next to nothing? Congrats?

    8. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      Well, the gas was stolen from African or Arabian countries in the first place...

    9. Re:Free gas courtesy of Mircosoft! by pwfffff · · Score: 1

      Holy shit Jesus reads Slashdot

      D:

    10. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      If you stuff 10 of a certain kind of postage stamp into a parking meter, you can freeze time forever.

    11. Re:Free gas courtesy of Mircosoft! by Stoned+Necromancer · · Score: 1, Funny

      It's not a theft - it's a feature!

    12. Re:Free gas courtesy of Mircosoft! by TheLink · · Score: 1

      That was Paradise Pete, not Jesus.

    13. Re:Free gas courtesy of Mircosoft! by ArsenneLupin · · Score: 2, Informative

      The gas wasn't free, you stole it.

      Yeah, the same way as "the pre-installed Windows isn't free, they just stole the license fee from the buyer". But, now go and try to complain about such a shop to the police...

      Same way here: you can bet that if this was indeed theft, that the petrol station's operator wouldn't have hesitated to take the surveillance camera's footage to police, with more severe consequences to the poster. Yes, even in 1999-2000, petrol stations already had cameras.

      So yes, taking advantage of poor business choices is not theft. After all, the poster didn't hold a gun to the station operator's head and say "windows on the pumps or your life!".

      Ok, you're right, grand-parent still wasn't completely honest... not guilty of theft, but rather of lying: indeed, even with Detroit's gas-guzzling landyachts, I can hardly imagine having to fill up several times in a same week...

    14. Re:Free gas courtesy of Mircosoft! by Culture20 · · Score: 1

      No, GGP engaged in theft. If the credit card machine is down, you walk into the station and pay in cash. Unless the big sign with the price said "Regular Unleaded: FREE, Premium Unleaded: FREE", GGP knew how much was expected to be paid, but chose to "pump-and-run" instead.

    15. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      That was Paradise Pete, not Jesus.

      Ok so it wasn't Jesus, just one of his apostles, but IMHO he still has a point. In any case, I can see how being Heaven's doorman would give you a lot of free time for web surfing, especially lately.

    16. Re:Free gas courtesy of Mircosoft! by The+Lord+God · · Score: 2, Funny

      Holy shit Jesus reads Slashdot

      Hardly. I just wish I could get him to stop running around in WoW "healing" everybody.

    17. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 0

      When a store makes a mistake with their pricing of a particular product, do you buy the product, or alert the store?
      My guess is that it would depend on whether the price was higher or lower than what it should be.

    18. Re:Free gas courtesy of Mircosoft! by zigfreed · · Score: 1

      The gas wasn't free, the machine didn't bill for it.

  13. We've had this already... by omuls+are+tasty · · Score: 1

    There was already news of something similar in March.

    Judging by the currencies the malware operates with, it seems the "Eastern European countries" are Ukraine and Russia. Does anyone know if it's Diebold again?

    And putting aside the incredibly logical choice of the OS, any idea on how this gets installed on the ATMs in the first place?

    1. Re:We've had this already... by Anonymous Coward · · Score: 0

      At the bank I work for, the ATM runs Windows. Its connection is through a Frame Relay circuit that activates only as needed for outgoing data. About the only other way to load data to the ATM is by getting into the service console and inserting the disc. Kinda wonder if sabotage isn't going on?

  14. How is the Malware getting on the ATM? by Anonymous Coward · · Score: 0

    Isn't that the bigger issue? Regardless of what OS is being run by the machine, the hackers have some back door that is allowing them to install software. Even if it was Mac, Linux or something embedded, if the hackers can install software they can do whatever they want.

  15. Simple but effecitve compliance law/rule by erroneus · · Score: 4, Insightful

    To run any "public financial transaction device" certain compliances are required and many of these are related to physical security, data security and communications security standards. Clearly, the presence of malware on ATM core software indicates that the ATM security standards are either not being met or are terribly inadequate.

    It occurs to me that one rule that might go a long way to making machines like ATMs (or even voting machines) more secure against corruption is a requirement that the system software should be stored in a read-only format such as CD/DVD or ROM chips. CD/DVD ROMs would probably be the most flexible method and various self-check measures could help ensure that the CD/DVD ROM was genuine. (Say, for example, a validation black-box device of some sort.)

    With enough engineering and hacking, even this method could be thwarted I am sure but it would certainly raise the bar significantly beyond "crack the machine open, connect the system drive to a USB adapter, insert additional code, close up" which is the method of entry I suspect is most used. If there was limited to no local storage and ROM-based operating systems and software combined with solid verification technologies, it would take some serious knowledge to compromise such machines.

    This sort of method would make running Windows XP as the operating system considerably more difficult, but if they are hard-set on running Windows, I am sure they would find a way to comply if it were required.

    1. Re:Simple but effecitve compliance law/rule by Anonymous Coward · · Score: 0

      Isn't that exactly what Trusted Computing was supposed to do some time ago?

    2. Re:Simple but effecitve compliance law/rule by Maximum+Prophet · · Score: 1

      But then the banks couldn't upgrade all their machines remotely. They have to send a tech to each and every ATM in order to add new features like the "Send All Your Money to a Criminal" button.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    3. Re:Simple but effecitve compliance law/rule by erroneus · · Score: 1

      Going ROM based is not "Trusted Computing" but yes, Trusted Computing is about running signed or otherwise verified code. The problems with trusted computing are many and as long as an OS is updatable by software means, there is also going to be a vector for compromise. Signed ROMs are another matter... the OS code isn't modifiable and more reliably verifiable. Software updates performed by a physical act means there is a chain of accountability to follow as well.

    4. Re:Simple but effecitve compliance law/rule by aitikin · · Score: 1

      But correct me if I'm wrong, the fact that it's a CD/DVD allows one to use any hack that's discovered after the software has been installed that doesn't require a reboot? Sure that limits a lot of things, but still, that's not exactly effective. Of course, if they don't update anyway, wtf does it matter?

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    5. Re:Simple but effecitve compliance law/rule by erroneus · · Score: 1

      This is a good thing. It adds the opportunity for a verified in-person inspection of the machine at the same time any software/firmware update is performed. And the chain of responsibility and accountability can be more easily verified. When the variables of security are in flux, being able to trace back the path at some point is the most important thing. This is why it is so important that digital election machines provide a complete audit trail that cannot easily be forged or manipulated.

    6. Re:Simple but effecitve compliance law/rule by sysgeek01 · · Score: 2, Insightful

      The problem with making the ATM storage read only is that you have to configure the device. There are a lot of configuration settings that have to be changed out of the box, with some of them specific to the ATM itself and to the processing company that it's using to process transactions through.

      The ATM also keeps an electronic journal of all of the ATM's activity. It's kind of like a flight data recorder (black box). You have to have writable storage for that.

      I go along the lines that ATM security standards are BOTH not being met and terribly inadequate.

      One of the bigger rackets going on last year, with ATMs, was in San Francisco. An ATM provider was placing cheap ATMs with a money catch tray on street corners. Bums would come along and stuff paper wads up into the catch tray so that the money wouldn't drop down when a person ran a transaction. Periodically throughout the day the bums would go and collect the money that never dispensed.

    7. Re:Simple but effecitve compliance law/rule by bzzfzz · · Score: 1

      That will work great, because you can't just go out and buy blank recordable CD/DVDs or EPROMs. Oh, wait...

    8. Re:Simple but effecitve compliance law/rule by Anonymous Coward · · Score: 0

      Memory injection would still be a possibility. I guess it could be run off a ROM but electronics aren't really built that way anymore. At some point the OS will exist in a writable form and that is where it will be attacked.

    9. Re:Simple but effecitve compliance law/rule by Anonymous Coward · · Score: 0

      Someone with physical access could just disconnect the computer in the ATM and connect their own. Doesn't depend on operating system at all...

  16. Magnetic strip? by TheRaven64 · · Score: 0, Troll

    What is this 1980? What countries are still using magnetic strips for credit and debit cards?

    --
    I am TheRaven on Soylent News
    1. Re:Magnetic strip? by Spectre · · Score: 2, Informative

      What is this 1980? What countries are still using magnetic strips for credit and debit cards?

      Well, the USA for one. 1 debit card and 2 credit cards in my wallet right now. Every one is chip-less, the electronically readable information is in the mag stripe on the back, old-fashioned raised numbers and letters for the imprinting machines are on the front.

      Granted, they're all issued from the bank, but it is one of the largest in the USA, not some mom-and-pop outfit.

      --
      "Flame away, I wear asbestos underwear"
    2. Re:Magnetic strip? by Spectre · · Score: 1

      I meant to say "from the same bank."

      --
      "Flame away, I wear asbestos underwear"
    3. Re:Magnetic strip? by u38cg · · Score: 1

      Most of them? Is there anywhere that doesn't continue to issue mag stripes as a precaution against chip failures (~1% per annum)?

      --
      [FUCK BETA]
    4. Re:Magnetic strip? by 117 · · Score: 1

      Here in the UK the EMV standard was only rolled out nationwide in 2004, and until that time all physical credit/debit card transactions used the magnetic strip, so it isn't too hard to believe that other countries are still using the magnetic strip.

    5. Re:Magnetic strip? by MoonBuggy · · Score: 2, Informative

      It's the problem of legacy support. Cards still have magstripes because on occasion you'll come across a situation where there isn't a chip reader, and ATMs (presumably) still have magstripe readers for the occasions that the card doesn't have a chip. If you've got access to the OS, as the criminals mentioned in the article do, you can presumably activate whatever reader you like.

      There's also the fact that this is Eastern Europe - without wanting to perpetuate negative stereotypes, I think it is quite fair to comment that they are not the most developed economies, and as such large scale investment in upgraded technology may well be low down on the list of priorities.

      I'm not sure why the US often seems to share in this kind of technological resistance. A combination of large size and historical mistrust for coordination from a central authority might make it difficult to get cooperation on new projects from everyone simultaneously, I guess, which greatly exacerbates the legacy tech issue.

    6. Re:Magnetic strip? by gstoddart · · Score: 1

      What is this 1980? What countries are still using magnetic strips for credit and debit cards?

      Well, Canada and the US for example.

      Cheers

      --
      Lost at C:>. Found at C.
    7. Re:Magnetic strip? by langelgjm · · Score: 1

      I actually looked into getting a credit card with a chip in the U.S., and couldn't find a single provider that offered one. I think American Express offered one a while ago, but discontinued it when I was looking.

      The reason I wanted one was because one time, I was in a French rail station trying to buy a ticket from an automated machine. The machine was broken, and refused to take bills; I didn't have enough change; and all the teller windows were closed. I was going to use my credit card, but the machine seemed to only take cards with chips, and my American card only had a magstripe. Eventually after pounding at the teller windows for a while, I got someone to sell me a ticket.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    8. Re:Magnetic strip? by xaxa · · Score: 1

      I was disappointed that I was asked to sign both times I used my UK Visa Debit card in a shop in Germany at the weekend. I don't know if this was ignorance (e.g. the shop staff thinking my card wouldn't work) or incompatibility.

    9. Re:Magnetic strip? by maxwell+demon · · Score: 1

      I was disappointed that I was asked to sign both times I used my UK Visa Debit card in a shop in Germany at the weekend. I don't know if this was ignorance (e.g. the shop staff thinking my card wouldn't work) or incompatibility.

      Neither. In Germany it's standard practice that you have to sign if you pay with a card.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    10. Re:Magnetic strip? by MoonBuggy · · Score: 1

      I've found the UK chip cards are pretty well supported by modern equipment in foreign countries. The key word there, however, is modern - if the banks aren't doing a country-wide rollout like they did in the UK then there's little impetus to replace otherwise functional terminals, although when they do come to the end of their service lifetime they'll probably be replaced with chip terminals.

      A couple of times I've actually had to show shop assistants why their machine was refusing my card. Some terminals won't accept a magstripe reading from a chip-capable card and the people operating them were clearly unfamiliar with this, implying that the chip cards are not at all commonplace there.

  17. ATM is bad enough by Anonymous Coward · · Score: 0

    WITHOUT any data-sniffing involved...

  18. Closed Network by relguj9 · · Score: 2, Interesting

    Plus firewall, 'nuf said. The problem is when people break into the back of a machine and physically install malware on it... if you have people breaking in or social engineering their way into the back of a physically locked machine then you are going to have problems. I don't care if it's running some logic flow on an EEPROM, it's still going to be hacked.

  19. Not much of details by 140Mandak262Jamuna · · Score: 1

    Despite all the scare flags the linked article is triggering, basically it does not say how the ATM is compromised. Can any ATM be compromised by the hacker without any inside help? Or does it require some help from the maintenance people who open the machine and provide access to the innards? Unless the method works on the ATM without any inside help it might not be as scary as it sounds.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Not much of details by Canazza · · Score: 1

      Maybe they're causing a stack overflow with code on a card's strip/chip...

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    2. Re:Not much of details by Anonymous Coward · · Score: 0

      So here's what you do: You have a card with a so-called "magic bullet" magstripe on it. Put it in, it causes a buffer overflow and the ATM is ripe for accepting instructions. Granted, you need to reserve a few bytes at the end of the magstripe to spit the card back out right away so you can continue inputting instructions with your stack of cards, each of which has a small part of the program you're trying to upload to the box (plus the "return card" instruction, naturally).

      Of course, you have to feed in all the cards in order so it'll work, so make sure nobody knocks over your mountain of a few thousand cards while you're trying to do this. After a short matter of a few hours, you'll have the application installed and ready for your use! Just nonchalantly walk away with your card mountain and nobody will be any wiser!

      Still not convinced? Well, go talk to an old fart who used to code on punchcards. He'll be sure to tell you how easy and fun it can be!

  20. ATMs in the UK by Canazza · · Score: 3, Interesting

    There are many ATMs in the UK that use Windows XP as their OS of choice. Having personally seen crash screens and machines caught in a restart loop.

    Why they are using Windows, I don't know to be honest. Why they'd be using a Linux distro, I don't know. The banks probably don't know either, as far as I'm aware they get their ATMs from companies like NCR or IBM (or Diebold, as we've seen before) who are the companies who supply the software. It just so happens that the software they write is written for Windows Operating System. Remember, the cost of hiring someone who can programme for Windows is significantly less for someone who can programme for Linux (As they will likely also be able to programme for Windows, thus, with a larger skill-set they'll demand more money) And a bulk licence for Windows where they're churning out 1,000+ ATMs boils down to next to nothing.

    The cheapest programmer, the cheapest hardware, a slightly costly OS. Something has to be a weak link, and the exploiters exploit it.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
    1. Re:ATMs in the UK by Canazza · · Score: 1
      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    2. Re:ATMs in the UK by Anonymous Coward · · Score: 0

      The "Microsoft Visual C runtime error" was nice, but I'd rather have had my card back. (or a mouse, so I could at least press the OK button)
      Especially the code that calculates the possible combinations of notes/coins to withdraw an exact amount was a bit buggy at NatWest.

  21. ATMs... by EddyPearson · · Score: 1

    ...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

    I had no idea there were ATMs out there running Windows. Given access to the software/a machine running it, I can't see how this would have been difficult to pull off. This is a serious WTF? moment.

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
    1. Re:ATMs... by dingen · · Score: 1

      ...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

      W-what? Hell no! Software which requires outstanding security and stability is the field where open source truly shines. More eyeballs, less bugs, you know. No security through obscurity, but actual secure designs instead.

      You can never trust any software that isn't open. You never really know what it does. So in fields such as these (ATMs, but also voting machines for example), it is especially important that open software is deployed.

      --
      Pretty good is actually pretty bad.
    2. Re:ATMs... by Anonymous Coward · · Score: 0

      Secrecy and security are not synonymous. Software that is subject to public scrutiny will tend to be more secure.

    3. Re:ATMs... by Anonymous Coward · · Score: 0

      ...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

      Security through obscurity is NOT a valid security policy. It would only remain private for as long as it takes a thief to lift an ATM into a truck and drive away.

    4. Re:ATMs... by EddyPearson · · Score: 1

      And as an idealist, I'm there with you. But as a pragmatist, this was a total fuckup.

      Looking at it from a malicious perspective, if I knew a certain ATM brand ran Windows, I'd have a field day.

      Why? Look online, anybody can learn to code for an XP machine, all the nooks and crannies where you can hide malware are easy to research, methods for bypassing anti-virus software are all public domain.
      The ways INTO a Windows machine are well known (we can assume this is running on standard hardware), be it via USB, CD, over the network (and remember, ps tools). All the tools for extracting/cracking Windows password hashes are freely available, and was it up to date? Plenty of public exploits out there in the wild.

      So Windows is out, because it's too well known. You can plan in advance how you'll attack the box, you can set up your own test bay (after all everybody can get their hands on a copy of windows), you can write the malware in your own time, and then, quickly infect the ATM when the time is right.

      Are you telling me a different, fully open sourced and freely available, OS, would mitigate all these issues?

      I will not get into the obscurity or security debate. Suffice to say this particular issue is not about transparency, this is about keeping the bad guys out, and by giving them the blueprints to your system, you make their lives infinitely easier.

      --
      You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
    5. Re:ATMs... by EddyPearson · · Score: 1

      By the way I agree entirely with you on the subject of voting machines, and on probably 99.9999% of other devices, but I understand the fraud "community" better than many others here, and while it would be nice to have openness, we're talking about motivated people who know what they're doing.

      They don't give a shit about your idealism, they see weakness, they exploit it.

      There are very few known ATM scams out there apart from skimming, that didn't require fairly intimate knowledge of the systems involved.

      --
      You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
    6. Re:ATMs... by Anonymous Coward · · Score: 0

      Quite the opposite in fact. For the same reason as voting machines, I would feel much safer knowing that it was possible to check that the code was secure. See http://en.wikipedia.org/wiki/Security_through_obscurity

  22. Another view via el reg & trustwave by auric_dude · · Score: 3, Interesting

    A reasonable report via http://www.theregister.co.uk/2009/06/03/atm_trojans/ and something slightly more technical http://regmedia.co.uk/2009/06/03/trust_wave_atm_report.pdf via trust wave.

  23. I call BS, mostly by sysgeek01 · · Score: 1

    I think that this story is half bogus. PIN numbers aren't stored on a debit card. They are stored on a server located at a transaction network, that a bank uses to process their card base. When a PIN number is typed into an ATM machine it is automatically encrypted by a 3DES encryptor on the PIN pad. It's NEVER in clear text. The ATM machines and ATM transaction processing companies use a private/public key encryption system. At least in the USA, the only part of a transaction that is encrypted down the wire is the PIN number between the ATM machine and transaction network. If the data is sent over the internet, the transaction is encrypted via an IPSEC tunnel or SSL. I have not seen an ATM machine that runs on Windows XP. Most of the newer ATM machines run on Windows CE. It would be trivial to sniff the network and grab card numbers if you had access to the network that the transaction was running across, but the PIN number would be much tougher to get. It would be a little more complicated to get the card information based upon a device or software installed on the ATM to grab the card number as it's being swiped in the card reader. IF you could do that, then you could also get the track2 data that is loaded on to the card. That information consists of the cardholder's name and address. Basically, I'm claiming BS on the article, as I see it as hype.

    1. Re:I call BS, mostly by Anonymous Coward · · Score: 0

      Ever heard of keyloggers, mate?

    2. Re:I call BS, mostly by Peter+Simpson · · Score: 2, Informative

      From TFR:
      "Additionally, the malware harvests what is believed to be key or PIN data, saving the
      information in a file C:\WINDOWS\kl."

      So, they waffle on whether the PIN is captured. The filename "kl", does imply "KeyLogger", though.

      Perhaps Eastern European ATMs are built differently than those in North America...maybe "saving a bit of money" by doing the encryption of the PIN in the PC, instead of using an encrypting secure keypad.

      Or, since the same keypad is used for PIN entry and regular input, perhaps the control signal that tells the keypad whether to encrypt or pass keypresses through has been tampered with...so the entered PIN comes through as normal keypresses, and is encrypted by the malware and passed on after logging to the file?

      Or, maybe it's just a guess on the part of the author.

    3. Re:I call BS, mostly by sysgeek01 · · Score: 1

      If you tamper with the software or the hardware of the pinpad, it goes belly up and has to be replaced. At which time you also have to load new encryption keys into the ATM.

    4. Re:I call BS, mostly by fullgandoo · · Score: 1

      Keyloggers don't work on ATMs. The ATM's keypad is a "secure keypad". There is a DES chip built into the keypad. When the ATM software calls for PIN entry, the PIN is encrypted in DES and then given to the software.

      However, if you compromise the ATM application software, then obviously anything is possible.

      As per the article, this wasn't the case and any PIN information captured by the malware would have been encrypted (at least DES or even 3DES).

    5. Re:I call BS, mostly by Anonymous Coward · · Score: 0

      Or, since the same keypad is used for PIN entry and regular input, perhaps the control signal that tells the keypad whether to encrypt or pass keypresses through has been tampered with...so the entered PIN comes through as normal keypresses, and is encrypted by the malware and passed on after logging to the file?

      I don't think that would work since they could just as well decrypt the PIN from the pad if they had the keys. If the pads used public key crypto, there would be no need to store the keys in a tamper resistant manner inside the pad. They could randomly switch the pad to clear text mode, log the pin and claim it was wrong. Then switch back to PIN entry mode and leave the ATM software do its job.

    6. Re:I call BS, mostly by deKernel · · Score: 1

      I would say that all in all, you are pretty close.

      However, at least 4 of the largest ATM vendors (Diebold, NCR, Wincor and Fujitsu) all use either Windows XP or the embedded version. I have not seen Windows CE used on an actual true ATM. I have seen it used on Ticket-In/Ticket-Out machines in the gambling world that were "enhanced" by a third party to act like an ATM. Also, most of those vendors assume that the ATM is either sitting on a secure network link or using a framed connection for security.

      Regarding your statement about BS on the article, I would pretty much agree. The only way to truly get the PIN that a customer enters at an ATM is if the ATM configuration has been compromised meaning the ATM was not put into a true PIN-entry state (that state must be entered after the card data has been read because the track data must be sent to the EPP so a proper encrypted PIN block can be created). If the new configuration could put the ATM into a state using a standard PIN entry screen but not in the correct state, the EPP will, in fact, give you the key presses. Now granted, that transaction could not be processed by the network because a valid encrypted block would not be created meaning it could not be authenticated by the final authorizer.
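
An added illustration, not part of the comment above or of any vendor's code: why the EPP needs the card's track data before PIN entry. It assumes the ISO 9564-1 format 0 PIN block (the thread does not name a format), and the PAN and PIN values are constructed test data. The pad encrypts the resulting 8-byte block under its key, a step left out here.

```python
"""Clear (pre-encryption) ISO 9564-1 format 0 PIN block.

Assumption: format 0 is the layout in use; the thread does not say which.
The PIN field is XORed with a field derived from the card number (PAN),
so the pad cannot build a valid block until the card has been read.
"""


def pin_field(pin: str) -> bytes:
    # Control nibble 0, PIN length nibble, PIN digits, padded with F to 16 nibbles.
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    nibbles = "0" + format(len(pin), "X") + pin
    return bytes.fromhex(nibbles.ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    # Four zero nibbles, then the 12 rightmost PAN digits excluding the check digit.
    digits = pan.replace(" ", "")
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 13):
        raise ValueError("PAN must have at least 13 decimal digits")
    return bytes.fromhex("0000" + digits[:-1][-12:])


def clear_pin_block(pin: str, pan: str) -> bytes:
    # The 8-byte block the pad would go on to encrypt under its PIN key.
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    # What the authorizing host does after decrypting: undo the XOR with the
    # PAN from the transaction, then check the control nibble, length and padding.
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format 0 PIN block for this PAN")
    if not pin.isdigit() or set(padding) - {"F"}:
        raise ValueError("not a format 0 PIN block for this PAN")
    return pin


if __name__ == "__main__":
    # Constructed test values, not real card data.
    pan_a, pan_b, pin = "43219876543210987", "5500000000000004", "1234"
    block = clear_pin_block(pin, pan_a)
    print(block.hex().upper())
    print(clear_pin_block(pin, pan_b).hex().upper())  # same PIN, other card
    print(recover_pin(block, pan_a))
    try:
        recover_pin(block, pan_b)
    except ValueError as err:
        print("rejected:", err)
```

The same PIN gives a different block for each card, and a block checked against the wrong PAN fails the format checks, which is the binding the comment refers to when it says a keypad outside the true PIN-entry state cannot produce a block the authorizer will accept.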

    7. Re:I call BS, mostly by oasisbob · · Score: 1

      Keyloggers don't work on ATMs. The ATM's keypad is a "secure keypad". There is a DES chip built into the keypad. When the ATM software calls for PIN entry, the PIN is encrypted in DES and then given to the software.

      That isn't entirely true. In the US, secure EPP (Encrypting Pin Pads) were defined and mandated beginning in 2005. Old ATMs don't share this requirement, and assuming that all international ATMs use competent EPPs is probably not accurate.

    8. Re:I call BS, mostly by slash.duncan · · Score: 1

      > When a PIN number is typed into an ATM machine

      You DO realize that PIN stands for "Personal Identification Number" and that ATM is short for "Automated Teller Machine", right?

      So expanding the above, we have:

      "When a personal identification number number is typed into an automated teller machine machine"...

      WTF? Do you stutter stutter all all the time time when you type type?

      (OTOH, I must admit for years I used the term "hot water heater"... until someone called my attention to the fact that it /actually/ was a "cold water heater". Why would someone wish to heat water that's already hot? It's not designed to be a steam generator and in fact if it gets to that point it's rather dangerous. Of course, here in Phoenix in the summer, it often /is/ a "hot water heater", or at least a "warm water heater", tho it then becomes more a water storage unit than a water heating unit.)

      Just something to think about.

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
    9. Re:I call BS, mostly by Ihlosi · · Score: 1

      Keyloggers don't work on ATMs.

      That depends on how you're going about logging the keys. If you manage to put a fake keypad over the real one, you've got all the keys that were pressed. Same thing goes for putting a camera in the right spot.

    10. Re:I call BS, mostly by Peter+Simpson · · Score: 1

      "They could randomly switch the pad to clear text mode, log the pin and claim it was wrong. Then switch back to PIN entry mode and leave the ATM software do its job."

      I like that. Guess I need to improve my "think like the bad guys" skillz...

  24. The top 10 ways computer security list by lwriemen · · Score: 2, Funny

    10. Don't always run as root
    9. Don't open attachments from unknown sources
    8. Don't run Windows!
    7. Don't run Windows!
    6. Don't run Windows!
    5. Don't run Windows!
    4. Don't run Windows!
    3. Don't run Windows!
    2. Don't run Windows!
    1. Don't run Windows!

    1. Re:The top 10 ways computer security list by Canazza · · Score: 5, Insightful

      Using Windows on the Internet is like having unprotected sex with a member of the opposite sex you met in a club. Looks good enough for you, does what you need it to, but the risk of infection is high.
      Using Linux on the internet is like having unprotected sex with a cow. It's harder to catch a compatible infection, but it's ugly and unlikely to play any of the games you'd like it to.

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    2. Re:The top 10 ways computer security list by ELCouz · · Score: 1

      brilliant analogy! :)

    3. Re:The top 10 ways computer security list by Anonymous Coward · · Score: 0

      Wait - Did you just compare going on the Internet with having sex?

      Maybe you should actually try going to one of those clubs some time.

    4. Re:The top 10 ways computer security list by Anonymous Coward · · Score: 0

      watch the post related to T-Mobile breach ......and post again ...
      I'm not a Microsoft fan ...but really despise NIX ignorants ...

  25. Withdraw my money?! by TreyGeek · · Score: 2, Informative

    "which would potentially allow criminals to clone the card in order to withdraw cash. "

    Heh... the joke is on the hacker. I have no money in my bank account to withdraw!

  26. True Story by ohnotherobots · · Score: 2, Funny

    A friend of mine had his atm card in a Bank of America machine to withdraw money when the power went out. When it came back on a few seconds later, he was greeted with the Windows XP Embedded splash screen before the atm interface came up. The machine didn't realize it still had his card, so he couldn't get it back. (This is especially funny since he is a MS fanboy.)

  27. Insert ATM card... by Bobfrankly1 · · Score: 1

    Insert ATM card...
    Observe message stating that the ATM is now deleting all files on your ATM card.
    Watch helplessly as the progress bar nears completion while filenames zip across the screen
    Take possession of the card as the machine spits it out with an accompanying "GOT YA!" on the screen
    Still waiting for this one...

  28. It doesn't matter the software by Anonymous Coward · · Score: 1, Informative

    I was talking to someone yesterday that works for a company that deals with card fraud. You wouldn't believe how easy it is to get someone's information; someone can simply put a skimmer on an ATM which will grab your card's track data without you knowing. Many of you have probably heard of it, it's just a piece of hardware that sits on top of the card reader, storing everyone's info. As far as I know it requires absolutely no connection to the ATM software.

    The information on magstripe cards is most commonly stored in a two-track format. Track 1 contains your personal information, such as name, address, bank, etc. Track 2 contains the important information, such as card number, expiration, and the CVV/CV2 code.

    Once the skimmer has enough information (which can easily be HUNDREDS of cards), they sell "dumps" of the track data which people can either buy and encode onto a card themselves, or buy on a fully-finished card. The latter option is more convenient for most carders (fraudsters), because many of the cards sold by these vendors are indistinguishable from the real thing. Most vendors also have a minimum buy amount, so you have to buy at least $300 worth of dumps, which can be dozens of cards, all with $10k limits.

  29. How do you trust an ATM? by goodmanj · · Score: 2, Interesting

    This brings up a serious question. You need some cash in an unfamiliar state or country, and you come across an ATM. How do you know if you can trust it?

    Given the number of people who've been scammed by everything from bolt-on ATM card skimmers to oldschool fake night deposit boxes, this is worth worrying about.

    The standard security mantra is, "only use trusted hardware to authenticate yourself", but that can't happen here.

    Anyone have any ideas for an ATM authentication system that will both prove to the bank that I am who I say I am, and prove to me that the ATM isn't stealing my authentication keys?

    The only solution I can think of involves trusted hand-held devices like cell phones or keychain password tokens.

    1. Re:How do you trust an ATM? by goodmanj · · Score: 1

      To clarify my question, there are tons of ways in which an ATM can be untrustworthy:

      * It has additional hardware bolted on to steal card numbers
      * Its software has been tampered with
      * The bank running it is corrupt
      * It's not actually an ATM, just a box that steals card numbers and hands out cash without talking to my bank.

    2. Re:How do you trust an ATM? by PPH · · Score: 1

      * It's not actually an ATM, just a box that steals card numbers and hands out cash without talking to my bank.

      I've been on the lookout for one of these.....with my library card in hand.

      --
      Have gnu, will travel.
    3. Re:How do you trust an ATM? by FunkSoulBrother · · Score: 1

      I think the best answer is choose the bank who is willing to cover you the best/most for having to use this inherently insecure (as you've illustrated) system.

      If there is no such bank willing to accept the risk, I guess you just have to plan ahead/use travellers checks or something.

    4. Re:How do you trust an ATM? by phantomfive · · Score: 1

      Go into a bank. It's what I've always done.

      --
      Qxe4
  30. Makes no financial sense to the banks by Lead+Butthead · · Score: 1

    Why not do this with ATMs? I would not be surprised if ATMs already had GSM-monitored burglar alarms for obvious reasons, and it wouldn't be that hard to have a secondary PIN that sends a duress signal.

    Because the banks protect their interests, not those of their customers. They will... exert themselves to 'protect' their customers if it is of good PR value AND INEXPENSIVE, or required to by the government. Your suggestion made too much sense for the customers and offers no financial benefits to the banks' bottom line but instead will cost them money to implement. Sorry dude, it's never going to happen, short of an act of god.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  31. SWAT team... by schmiddy · · Score: 1

    My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint ... hello SWAT team.

    Good luck with that. My office building has a top-of-the line alarm system that gets tripped every few months from someone forgetting to disarm it in the morning. If the police show up at all, it usually takes them 2-3 hours. They seem to expect that almost all alarm activations are accidental.

    --
    http://cltracker.net -- powerful craigslist multi-city search
    1. Re:SWAT team... by Anonymous Coward · · Score: 0

      Well the cops here have been known to call up first to make sure the robbers have gone... :)

  32. Consultation fees by Anonymous Coward · · Score: 0

    Big companies have people tasked to make purchases. They have to find something that suits the parameters they have been given by their superiors. They could go for the free option or....not, they could pick the option that costs the company cash.

    The people who have something to sell have a large inducement to close the sale, (especially the 100% commission folks) moreso than the free version folks. Sometimes, not saying it happened here at xyz bank, but sometimes consultation fees occur in business to speed up this deal closing. These fees, the exchanged cash or gifts or services rendered, sometimes all three, might not be ethical or legal or reported, but they occur.

    Apply this same rule to all big government purchase decisions, big corporations purchase decisions, etc. Then a lot of these decisions that look really stupid on the surface level start to make more sense why they went with the more expensive purchase option.

    Also see, international voting on "new standards".... and "new law passed".....

    "consultation fees" and "campaign contributions" and "lobbying expenses" rule the world right now

  33. Diebold ATMs by benjfowler · · Score: 1

    I've noticed that a lot of the crappier plasticky, insecure-looking ATMs around the place tend to have big DIEBOLD badges on them.

    Diebold also make criminally badly-engineered voting machines. Coincidence?

  34. DEEP by hh4m · · Score: 1

    It's quite easy to infect all those machines, one just needs to be a geeky intern at the company that makes the firmware for the ATMs. (obviously there are other ways to break into the company) So all in all, infect/modify the firmware source at its weakest security point and you have a backdoor into the machine. That being said, I'd just like to point out that we have smart chips in our credit cards here in the middle of Africa too.

  35. ATMs in Australia by Anonymous Coward · · Score: 0

    Criminals here don't bother with owning the ATM, they fill it with a gas and then explode it open.

  36. So can I not swipe a properly prepared by Anonymous Coward · · Score: 0

    Sixteen inch long mag stripe card that causes a buffer overflow to occur which executes a bit of code that then lets the hacker insert more code by swiping the stack of cards they have carefully made up.

  37. But how? by cavebison · · Score: 1

    What I want to know is, *how* was the malware installed?

    Do those ATMs have Autorun turned on for keycard slots? Did they type the code in binary using the 0 and 1 keys? How did it get there in the first place? TFA doesn't mention it, and surely that's the most important thing?

  38. hacking PINs by rs232 · · Score: 1

    "I think that this story is half bogus. PIN numbers aren't stored on a debit card"

    But if you have a keylogger installed on a compromised XP system then you can read it off as they are typing it in.

    "When a PIN number is typed into an ATM machine it is automatically encrypted by a 3DES encryptor on the PIN pad"

    Do you have any citations for this?

    'Abstract. We describe new attacks on the financial PIN processing API'

    --
    davecb5620@gmail.com
    1. Re:hacking PINs by sysgeek01 · · Score: 1

      I work in the industry and deal with it every day. It's as easy as reading the technical documentation on any ATM.

  39. Again, ATM != Desktop by DrYak · · Score: 1

    ATMs need an OS of some sort.

    Do they, really ?
    All an ATM needs is to be able to :
    - read data from the card
    - read a PIN from the keypad
    - read an amount of money from said key pad.
    - display a couple of messages during this process.

    That's something so simple that it could be mostly handled by a PIC microcontroller.

    More advanced OS' make it easier to have the software display videos and animations, have more complex functionality and better compatibility with modern software.

    But who in his/her right state of mind needs an OS and hardware capable to run a WoW-client on a simple ATM ?
    (Or running Doom on an e-voting machine, for those who read that recent story on /.)

    There's no need to play video or surf web. Only handle a couple of simple tasks and that's it.

    I understand that, for some embedded types of machine, a full-blown OS may have some advantages. An embedded machine driving an advertising display, for example. In that situation it has several advantages :
    - Low cost (off-the-shelf parts instead of custom board with microcontroller)
    - Low cost to develop something for it (any person with half a functional brain cell able to throw some shit under Visual Studio .Net can do the job)

    But here we are speaking about banks (same goes also electronic voting machines).
    The single most important feature for these machines is security.
    Even if it comes at the expense of more custom hardware and less easy to develop for.
    A simple micro-controller would be better because :

    - A smaller code means easier to debug, audit and check for weaknesses
    By Linus' law more eyeballs make bugs more shallow. A smaller code simply makes a higher eyeball-per-line-of-code ratio.

    - Less opportunity to run unwanted software on the machine.
    If running a full blown desktop OS on common hardware, you have enough resource to run a full Apache server serving the sensitive data to the web. Or use a "blue-pill" like hyper-visor running the main software in a virtual machine and doing all the bad trick from the outside of the machine.
    With something as primitive as a micro-controller there's slightly less opportunity to add a malicious payload to the minuscule programme ROM.

    If the bank company really needs to display some animated stupid ads, they should use 2 screens :
    1 small screen, driven by a simple microcontroller handling the transaction, and the huge stupid blinking stuff executed out of a separate Windows XPe machine on a 2nd screen, with no connection between the 2 machines.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]