Slashdot Mirror


Cybercriminals Refine ATM Data-Sniffing Software

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."

36 of 257 comments

  1. DES by bluefoxlucid · · Score: 3, Funny

    DES doesn't really mean "Designed Extremely Secure" ....

    1. Re:DES by Anonymous Coward · · Score: 5, Interesting

      Several years ago, there was a home-invasion robbery that made local headlines for a few days. The robbers stole ATM cards and forced the PINs out of the residents at gunpoint, threatening to come back and rape them if they gave the wrong PIN. In this case, the residents were obligated to give the correct PIN, since they could have been tied up and forced to wait for the robber to return with the cash.

      My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

      Why not do this with ATMs? I would not be surprised if ATMs already had GSM-monitored burglar alarms for obvious reasons, and it wouldn't be that hard to have a secondary PIN that sends a duress signal.

      Of course, that's useless against shoulder surfing.

    2. Re:DES by sopssa · · Score: 5, Interesting

      Just to note, ATM running Windows XP doesn't mean it's less secure and that it could be exploited. If you've used ATMs, there's really no way to just run your programs on it or exploit it somehow. But when criminals have access to the hardware physically, there is no difference if it's Windows, Linux or whatever else OS. That is how it's probably been working here as well, they get some insiders to give them access or they social engineer their way in. You can't exploit Windows bugs in them because you can't connect to them from the internet.

      Like said, when people get good physical access to the hardware, game is usually lost, no matter what the OS is.

    3. Re:DES by BlackSnake112 · · Score: 5, Interesting

      Sneakier way that I have seen. The bad guys slide this metal piece into the ATM slot. This catches your card but will not release it. Some even let you make your transaction but still keep the card. Usually one of the bad guys is around the ATM watching. They walk up pretending to help. They ask you to enter in your pin again or ask for your pin so they can enter the pin. Either way they now have your pin. Nothing works of course. You go away, they take out the piece of metal with your card. Now they have your pin and your card.

      I read about this. I have so far taken 4 pieces of metal out of the ATM card slot at 3 different locations around the Washington DC area. All 4 times, someone very quickly left the scene. I did report it to each bank when they were open again. All 4 times happen to be after 9PM.

      Look at the ATM slot before you put your card in. If it looks like there is an extra thin piece of metal, either go to a different ATM, or see if you can take it out. I used the trusty paperclip to remove the metal. Not that hard.

    4. Re:DES by vertinox · · Score: 3, Interesting

      My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

      I think it would be just as easy to create a "Zero balance" code to show the assailant you are broke when you are not.

      Some of us don't need that though.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    5. Re:DES by mindbomb2323 · · Score: 3, Informative

      I am an ATM repair tech, and I can tell you that you are correct about the duress codes for people admining, and there are several different ways that it can be done. I have never seen any type of GPS tracker used because you would have to put it somewhere that they couldn't remove it, and that would be in the vault, but if you put it in there then how could you get reception. As far as using the duress code, I don't think I would ever use it for the simple fact that it is a guaranteed way to become a hostage, and I'm sorry but 160k of money that isn't even mine is not worth it. I still think skimmers with wifi will be the first choice for crooks because it is easy to do and hard to get caught. There are a lot of banks that actually perm lock the desktop out so it makes it very hard to actually get access to it to load the malware. Also, on newer ATMs they have plates blocking the drives and the USB ports. The ATMs I see this stuff being pulled on are non-bank ATMs, the kind you see with no company name in your gas stations and places like that.

  2. ATM != desktop computer by Smelly+Jeffrey · · Score: 4, Insightful

    An ATM is not a desktop computer. WTF is an ATM doing running Windows?

    1. Re:ATM != desktop computer by PrescriptionWarning · · Score: 3, Funny

      but how else is Microsoft supposed to get Office 2009 - ATM edition to market? And just think, Clippy could be a money clip instead of a paper clip! The bottom line is it's win-win in this rough riding tsunami wave of data mining nugget pack of wolves devouring economy for today's business-ready customer driven shim-sham!

    2. Re:ATM != desktop computer by Ethanol-fueled · · Score: 4, Funny

      I'm waiting for the ATM that runs Mac OS X!

      They already have those in San Francisco. They're called "gAyTMs"

    3. Re:ATM != desktop computer by Spazztastic · · Score: 4, Funny

      I'm waiting for the ATM that runs Mac OS X!

      They already have those in San Francisco. They're called "gAyTMs"

      A2Ms?

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    4. Re:ATM != desktop computer by NES+HQ · · Score: 5, Insightful

      Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copy of XP is more than sufficient for the minimal work that an ATM has to do.

      Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

      Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.

    5. Re:ATM != desktop computer by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      Ultimately it comes down to "why not?"

      It costs a licensing fee. It has more security liability than pretty much any other choice.

      The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development.

      Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost.

      Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer.

      Because there aren't lots of dev tools for Linux that run on a normal desktop computer?

      It's easier to develop for windows than to develop for a custom devkit.

      How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it.

      In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

    6. Re:ATM != desktop computer by internerdj · · Score: 3, Insightful

      Presuming that the network designer had some sense then this type of hack happens at the physical location because a network update would set off far too many alarms: meaning it really doesn't matter what OS is running because the hackers are gaining physical access to the hardware. If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

    7. Re:ATM != desktop computer by CopaceticOpus · · Score: 4, Funny

      This is a perfect chance to call your bank:

      YOU: "I've been reading online about ATMs which are based on Windows XP being attacked by cybercriminals, and I'm worried. Are your ATMs running on Windows?"

      THEM: "I'm not sure about the particular technology used in our ATMs, but we've had no security issues thus far."

      YOU: "THEN YOU'D BETTER GO CATCH THEM!" Tee hee-hee! (click!) Snicker, snicker, snort, snicker...

    8. Re:ATM != desktop computer by iamhigh · · Score: 4, Insightful

      I'll second your argument, and I could be considered an MS fanboy by this crowd's standard. But there is no reason to have an ATM running windows, the most used, most exploited OS on something like an ATM. I wouldn't even use Linux, but probably recommend a custom OS, as you can control the hardware used. Then the attackers have to hack some pretty much unknown system, that can easily be built from the ground up to use software and hardware security measures.

      --
      No comprende? Let me type that a little slower for you...
    9. Re:ATM != desktop computer by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Windows devs are a dime a dozen and therefore cheap to hire.

      Are you talking about Windows developers with experience creating user interfaces and coding for appliance style devices that don't use the normal inputs and only have fullscreen displays?

      There are a lot more Linux people qualified to create such devices than Windows people from my experience in the industry. If, however, you're talking about developers with no experience and without the proper skills, sure you can find more Windows developers, but that sure isn't going to save you money.

    10. Re:ATM != desktop computer by EXrider · · Score: 3, Insightful

      More advanced OS' make it easier to have the software display videos and animations.

      As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

      --
      grep -iw skynet /etc/services
    11. Re:ATM != desktop computer by Anonymous Coward · · Score: 3, Funny

      You have to multitouch move an on-screen representation of your money to the trashcan in order to get the ATM to eject it into your hand.

    12. Re:ATM != desktop computer by twistah · · Score: 3, Interesting

      They run XP embedded, which allows you to customize which components are used much more so than regular XP. That is not to say I don't see your point -- we've broken into plenty of Diebold XP ATMs during authorized penetration tests using regular Windows exploits. After that, it's game over with the software this product mentions. Then again, regular OS's have been running on ATMs for a long time, and many still run OS/2.

    13. Re:ATM != desktop computer by 91degrees · · Score: 3, Insightful

      Bad Linux programmers are more expensive than bad Windows programmers.

      The problem, if anything, is the programmers. Not the platform they're developing for.

    14. Re:ATM != desktop computer by TJamieson · · Score: 4, Funny

      As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

      THANK YOU! I remember several years ago, I stopped at my local ATM and noticed the screen was now in color. Hey, that's neat, I thought. Since I had just pulled up, it was displaying a picture of the bank. So I began to use the machine - wait, what the hell? The interface is still the exact same monochrome it has been since 1985! Why would they order a color screen? Then, as I completed my transaction and waited for my receipt, the reason came up -- a full-color ad for buying their shitty mortgage services.
      Never mind the fact that a good 30% of the time said ATM was "Temporarily unable to dispense cash" (read: empty).

      --
      For the last time, PIN Number and ATM Machine are redundancies!
  3. Credit card companies need to wise up by gurps_npc · · Score: 3, Insightful

    They have to understand that 'eating the loss', while it may make sense from a short term financial perspective, does not make sense for a longer term perspective. There are superior methods out there to verify credit card information, we don't need to use the same method that was used 50 years ago.

    --
    excitingthingstodo.blogspot.com
  4. Windows XP? by Anonymous Coward · · Score: 5, Funny

    ..."on ATMs running Microsoft's Windows XP operating system..."

    Let me be the first to say "ur doin it wrong."

  5. Stupid stupid users by Anonymous Coward · · Score: 3, Funny

    When your ATM asks if you want to install an ActiveX control, you always say "no."

    How many years do I have to keep telling them that?

  6. How come? by Anonymous Coward · · Score: 4, Interesting

    I RTFA (yes, yes... I know) but I couldn't find the answer to the most obvious question... how does the rootkit get installed?
    If no physical access to the real PC inside the ATM is needed.. that's really cool!
    But if you need to plug a USB drive in, this actually reduces the field of the potential thieves by several orders of magnitude...

    M

  7. At least it's not Vista . . . by PolygamousRanchKid+ · · Score: 4, Funny

    "Are you sure you want to withdraw this money?"

    "Will you spend it wisely?"

    "You don't seem to have much left, have you planned for an emergency?"

    . . . etc. . . .

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:At least it's not Vista . . . by Anonymous Coward · · Score: 3, Insightful

      Do you realize that would actually be a fantastic improvement?

  8. Windows? by grahamsaa · · Score: 5, Funny

    Why a bank's IT / security team would feel it appropriate to operate ATMs that run Windows is completely beyond me. I mean, if bankers were really that stupid the world economy would probably have crumbled by now. Oh, wait. . .

    --
    Facts have a liberal bias.
  9. Free gas courtesy of Microsoft! by Anonymous Coward · · Score: 5, Funny

    Once I found a gas station near my work where the pumps were running a version of Windows back around 1999-2000. If you swiped your card and pulled the nozzle at the same time the little LCD screen showed a BSOD and you got free gas. I filled up there for 1 week until they closed the station and changed the pumps. Never got charged a cent!

    1. Re:Free gas courtesy of Microsoft! by Anonymous Coward · · Score: 5, Insightful

      The gas wasn't free, you stole it.

    2. Re:Free gas courtesy of Microsoft! by Paradise+Pete · · Score: 3, Insightful

      Agreed, seeing as most stations have slews of cameras, he's rather lucky not to be caught.

      The chances of being caught have nothing to do with the fact that it's theft. If the risk of being caught determines how you act then you should rethink your principles. It's easy to do the right thing when you'll get noticed. It's when you know that you could get away with it that reveals your true character.

  10. Simple but effective compliance law/rule by erroneus · · Score: 4, Insightful

    To run any "public financial transaction device" certain compliances are required and many of these are related to physical security, data security and communications security standards. Clearly, the presence of malware on ATM core software indicates that the ATM security standards are either not being met or are terribly inadequate.

    It occurs to me that one rule that might go a long way to making machines like ATMs (or even voting machines) more secure against corruption is a requirement that the system software should be stored in a read-only format such as CD/DVD or ROM chips. CD/DVD ROMs would probably be the most flexible method and various self-check measures could help ensure that the CD/DVD ROM was genuine. (Say, for example, a validation black-box device of some sort.)

    With enough engineering and hacking, even this method could be thwarted I am sure but it would certainly raise the bar significantly beyond "crack the machine open, connect the system drive to a USB adapter, insert additional code, close up" which is the method of entry I suspect is most used. If there was limited to no local storage and ROM-based operating systems and software combined with solid verification technologies, it would take some serious knowledge to compromise such machines.

    This sort of method would make running Windows XP as the operating system considerably more difficult, but if they are hard-set on running Windows, I am sure they would find a way to comply if it were required.

  11. ATMs in the UK by Canazza · · Score: 3, Interesting

    There are many ATMs in the UK that use Windows XP as their OS of choice. Having personally seen crash screens and machines caught in a restart loop.

    Why they are using Windows, I don't know to be honest. Why they'd be using a Linux distro, I don't know. The banks probably don't know either, as far as I'm aware they get their ATMs from companies like NCR or IBM (or Diebold, as we've seen before) who are the companies who supply the software. It just so happens that the software they write is written for Windows Operating System. Remember, the cost of hiring someone who can programme for Windows is significantly less than for someone who can programme for Linux (as they will likely also be able to programme for Windows, thus, with a larger skill-set they'll demand more money). And a bulk licence for Windows where they're churning out 1,000+ ATMs boils down to next to nothing.

    The cheapest programmer, the cheapest hardware, a slightly costly OS. Something has to be a weak link, and the exploiters exploit it.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  12. Another view via el reg & trustwave by auric_dude · · Score: 3, Interesting

    A reasonable report via http://www.theregister.co.uk/2009/06/03/atm_trojans/ and something slightly more technical http://regmedia.co.uk/2009/06/03/trust_wave_atm_report.pdf via trust wave.

  13. Re:but how? by jafiwam · · Score: 3, Insightful

    Read the summary again and it's obvious.

    Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

    There doesn't need to be an exploit beyond "Eastern European Country" involved.

  14. Re:The top 10 ways computer security list by Canazza · · Score: 5, Insightful

    Using Windows on the Internet is like having unprotected sex with a member of the opposite sex you met in a club. Looks good enough for you, does what you need it to, but the risk of infection is high.
    Using Linux on the internet is like having unprotected sex with a cow. It's harder to catch a compatible infection, but it's ugly and unlikely to play any of the games you'd like it to.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.