Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cybercriminals Refine ATM Data-Sniffing Software

Posted by CmdrTaco on from the win-atm-lose dept.

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."

21 of 257 comments (clear)

  1. ATM != desktop computer by Smelly+Jeffrey · · Score: 4, Insightful

    An ATM is not a desktop computer. WTF is an ATM doing running Windows?

    1. Re:ATM != desktop computer by abigsmurf · · Score: 2, Insightful

      Why run Windows? Linux? DOS? etc.

      ATMs need an OS of some sort. More advanced OS' make it easier to have the software display videos and animations, have more complex functionality and better compatibility with modern software. So long as the firewalls are properly configured to sandbox the unit, vulnerabilities are irrelevant.

    2. Re:ATM != desktop computer by NES+HQ · · Score: 5, Insightful
      Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copied of XP is more than sufficient for the minimal work that an ATM has to do.

      Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

      Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.

    3. Re:ATM != desktop computer by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      Ultimately it comes down to "why not?"

      It costs a licensing fee. It has more security liability than pretty much any other choice.

      The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development.

      Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost.

      Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer.

      Because there aren't lots of dev tools for Linux that run on a normal desktop computer?

      . It's easier to develop for windows that to develop for a custom devkit.

      How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it.

      In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

    4. Re:ATM != desktop computer by internerdj · · Score: 3, Insightful

      Presuming that the network designer had some sense then this type of hack happens at the physical location because a network update would set off far too many alarms: meaning it really doesn't matter what OS is running because the hackers are gaining physical access to the hardware. If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

    5. Re:ATM != desktop computer by iamhigh · · Score: 4, Insightful

      I'll second your argument, and I could be considered an MS fanboy by this crowd's standard. But there is no reason to have an ATM running windows, the most used, most exploited OS on something like an ATM. I wouldn't even use Linux, but probably recommend a custom OS, as you can control the hardware used. Then the attackers have to hack some pretty much unknown system, that can easily be built from the ground up to use software and hardware security measures.

      --
      No comprende? Let me type that a little slower for you...
    6. Re:ATM != desktop computer by WillKemp · · Score: 2, Insightful

      If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

      Yeah, of course they would. Bank managements are well known for being sensible and never doing stuff that loses money.

    7. Re:ATM != desktop computer by Anonymous Coward · · Score: 2, Insightful

      RE: "a decently hardened copied of XP is more than sufficient for the minimal work"..

      That's the problem...it's more than sufficient. When designing something to be secure, you want the system to sufficient, nothing more. ATMs shouldn't even run Windows, linux, DOS, or any other general purpose OS. They should run the minimal set of programs required to perform banking transactions. There are levels of "security". While a hardened general purpose platform is better than an unhardened one, it is not a good design when security is paramount.

    8. Re:ATM != desktop computer by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Windows devs are a dime a dozen and therefore cheap to hire.

      Are you talking about Windows developers with experience creating user interfaces and coding for appliance style devices that don't use the normal inputs and only have fullscreen displays?

      There are a lot more Linux people qualified to create such devices than Windows people from my experience in the industry. If, however, you're talking about developers with no experience and without the proper skills, sure you can find more Windows developers, but that sure isn't going to save you money.

    9. Re:ATM != desktop computer by EXrider · · Score: 3, Insightful

      More advanced OS' make it easier to have the software display videos and animations.

      As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

      --
      grep -iw skynet /etc/services
    10. Re:ATM != desktop computer by 91degrees · · Score: 2, Insightful

      It costs a licensing fee. It has more security liability than pretty much any other choice.

      As far as I know though, most of this is via the browser and email applications and IIS. XP can be pretty secure if you disable all unneeded services.

      In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

      I'd have thought Linux would be cheaper, but for all we know, they did a thorough analysis, discovered there were suitable savings to be made through use of Windows. Speculating that it's cheaper with so little information is pointless.

      There's no indication of how the malware is installed. I suspect this requires physical access, in which case the OS chosen makes no difference at all.

    11. Re:ATM != desktop computer by 91degrees · · Score: 3, Insightful

      Bad Linux programmers are more expensive than bad Windows programmers.

      The problem, if anything, is the programmers. Not the platform they're developing for.

    12. Re:ATM != desktop computer by Phroggy · · Score: 2, Insightful

      a decently hardened copied of XP is more than sufficient for the minimal work that an ATM has to do.

      It's the precise nature of the "more than" that has us worried.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  2. Credit card companies need to wise up by gurps_npc · · Score: 3, Insightful

    They have to understand that 'eating the loss', while it may make sense from a short term financial perspective does nto make sense for a longer term perspective. There are superior methods out there to verify credit card information, we don't need to use the same method that was used 50 years ago.

    --
    excitingthingstodo.blogspot.com
  3. Simple but effecitve compliance law/rule by erroneus · · Score: 4, Insightful

    To run any "public financial transaction device" certain compliances are required and many of these are related to physical security, data security and communications security standards. Clearly, the presence of malware on ATM core software indicates that the ATM security standards are either not being met or are terribly inadequate.

    It occurs to me that one rule that might go a long way to making machines like ATMs (or even voting machines) more secure against corruption is a requirement that the system software should be stored in a read-only format such as CD/DVD or ROM chips. CD/DVD ROMs would probably be the most flexible method and various self-check measures could help ensure that the CD/DVD ROM was genuine. (Say, for example, a validation black-box device of some sort.)

    With enough engineering and hacking, even this method could be thwarted I am sure but it would certainly raise the bar significantly beyond "crack the machine open, connect the system drive to a USB adapter, insert additional code, close up" which is the method of entry I suspect is most used. If there was limited to no local storage and ROM-based operating systems and software combined with solid verification technologies, it would take some serious knowledge to compromise such machines.

    This sort of method would make running Windows XP as the operating system considerably more difficult, but if they are hard-set on running Windows, I am sure they would find a way to comply if it were required.

    1. Re:Simple but effecitve compliance law/rule by sysgeek01 · · Score: 2, Insightful

      The problem with making the ATM storage read only is that you have to configure the device. There are a lot of configuration settings that have to be changed out of the box, with some of them specific to the ATM itself and to the processing company that it's using to process transactions through.

      The ATM also keeps a electronic journal of all of the ATM's activity. It's kind of like a flight data recorder (black box). You have to have writable storage for that.

      I go along the lines that ATM security standards are BOTH not being met and terribly inadequate.

      One of the bigger rackets going on last year, with ATM's, was in San Francisco. An ATM provider were placing cheap ATM's with a money catch tray on street corners. Bum's would come along and stuff paper wads up into the catch tray so that the money wouldn't drop down when a person ran a transaction. Periodically through out the day the bum's would go and collect the money that never dispensed.

  4. Re:At least it's not Vista . . . by Anonymous Coward · · Score: 3, Insightful

    Do you realize that would actually be a fantastic improvement?

  5. Re:but how? by jafiwam · · Score: 3, Insightful

    Read the summary again and it's obvious.

    Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

    There doesn't need to be an exploit beyond "Eastern European Country" involved.

  6. Re:The top 10 ways computer security list by Canazza · · Score: 5, Insightful

    Using Windows on the Internet is like having a unprotected sex with a member of the opposite sex you met in a club. Looks good enough for you, does what you need it to, but the risk of infection is high.
    Using Linux on the internet is like having unprotected sex with a cow. It's harder to catch a compatible infection, but it's ugly and unlikely to play any of the games you'd like it to.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  7. Re:Free gas courtesy of Mircosoft! by Anonymous Coward · · Score: 5, Insightful

    The gas wasn't free, you stole it.

  8. Re:Free gas courtesy of Mircosoft! by Paradise+Pete · · Score: 3, Insightful

    Agreed, Seeing as most stations have slews of cameras, he's rather lucky not to be caught.

    The chances of being caught have nothing to do with the fact that it's theft. If the risk of being caught determines how you act then you should rethink your principles. It's easy to do the right thing when you'll get noticed. It's when you know that you could get away with it that reveals your true character.