Slashdot Mirror
Cybercriminals Refine ATM Data-Sniffing Software
BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."
..."on ATMs running Microsoft's Windows XP operating system..."
Let me be the first to say "ur doin it wrong."
Why a bank's IT / security team would feel it appropriate to operate ATMs that run Windows is completely beyond me. I mean, if bankers were really that stupid the world economy would probably have crumbled by now. Oh, wait. . .
Facts have a liberal bias.
Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.
Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.
Once I found a gas station near my work that the pumps where running a version of Windows back around 1999-2000. If you swiped your card and pulled the nozzle at the same time the little LCD screen showed a BSOD and you got free gas. I fill up there for 1 week until they closed the station and changed the pumps. Never got charged a cent!
Ultimately it comes down to "why not?"
It costs a licensing fee. It has more security liability than pretty much any other choice.
The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development.
Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost.
Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer.
Because there aren't lots of dev tools for Linux that run on a normal desktop computer?
. It's easier to develop for windows that to develop for a custom devkit.
How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it.
In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.
Using Windows on the Internet is like having a unprotected sex with a member of the opposite sex you met in a club. Looks good enough for you, does what you need it to, but the risk of infection is high.
Using Linux on the internet is like having unprotected sex with a cow. It's harder to catch a compatible infection, but it's ugly and unlikely to play any of the games you'd like it to.
It pays to be obvious, especially if you have a reputation for being subtle.
Several years ago, there was a home-invasion robbery that made local headlines for a few days. The robbers stole ATM cards and forced the PINs out of the residents at gunpoint, threatening to come back and rape them if they gave the wrong PIN. In this case, the residents were obligated to give the correct PIN, since they could have been tied up and forced to wait for the robber to return with the cash.
My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.
Why not do this with ATMs? I would not be surprised if ATMs already had GSM-monitored burglar alarms for obvious reasons, and it wouldn't be that hard to have a secondary PIN that sends a duress signal.
Of course, that's useless against shoulder surfing.
Just to note, ATM running Windows XP doesn't mean its less secure and that it could be exploited. If you've used ATM's, theres no really way to just run your programs on it or exploit it somehow. But when criminals have access to the hardware physically, there is no difference if its windows, linux or whatever else OS. That is how its probably been working here aswell, they get some insiders to give them access or they social engineer their way in. You cant exploit windows bugs in them because you cant connect to them from the internet.
Like said, when people get good physical access to the hardware, game is usually lost, no matter what the OS is.
Sneakier way that I have seen. The bad guys slide this metal piece into the ATM slot. This catches your card bit will not release it. Some even let you make your transaction but still keep the card. Usually one of the bad guys is around the ATM watching. They walk up pretending to help. They ask you to enter in you pin again or ask for your pin so they can enter the pin. Either way they now have your pin. Nothing works of course. You go away, they take out the piece of metal with your card. Now they have your pin and your card.
I read about this. I have so far taken 4 pieces of metal out of the ATM card slot at 3 different location around the Washington DC area. All 4 times, someone very quickly left the scene. I did report it to the each bank when they were open again. All 4 times happen to be after 9PM.
Look at the ATM slot before you put your card in. If it looks like there is a extra thin piece of metal, either go to a different ATM, or see if you can take it out. I used the trusty paperclip to remove the metal. Not that hard.