Slashdot Mirror


Researcher Discovers ATM Hack, Gets Silenced

Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."

12 of 229 comments

  1. If it's an exploit for ATM *Machines*... by jeffb+(2.718) · · Score: 5, Funny

    ...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

    1. Re:If it's an exploit for ATM *Machines*... by N+Monkey · · Score: 5, Funny

      ...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

      No. It has to be an "ATM Machine" in order to be able to enter a "PIN number".

  2. Ridiculous by Anonymous Coward · · Score: 5, Insightful

    So they've had 8 months' warning, and now suddenly when researchers want to publish they want time to fix it? Not indicative of a company that gives a flying fuck about security. They don't deserve time.

    1. Re:Ridiculous by Anonymous Coward · · Score: 5, Interesting

      No, they don't... but it depends on the hack.

      If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

      If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

    2. Re:Ridiculous by Svartalf · · Score: 5, Insightful

      Actually, they HAD time to fix it. It still is highly problematic, but the big problem with all this thinking that bars people from disclosing this stuff at the stage it's at right now is the highly flawed thinking that disclosing a vulnerability discloses it to potential attackers which will use it.

      It's a bad thing to think the bad guys don't already know what you're showing off and presume that they're not doing it. Depending on the hack, they may be prepping for it or already screwing you over with it and you just don't know it yet. If a white/grey hat found it, I can assure you a black hat either has already found it or will shortly.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    3. Re:Ridiculous by Hizonner · · Score: 5, Insightful
      1. Diebold (or whoever; I don't know that it's Diebold) customers/partners are primarily banks, which are supposed to be in the business of worrying about securing money. It's negligent for a bank to buy a product without verifying its security. So, yes, they did in some sense cause the problem, or at least they bear a chunk of the blame for it.
      2. If I use an ATM, I am a customer of Diebold's (or whoever's) customer, the bank, not a customer of Diebold. And what I'm paying the bank to do is to secure my transactions. I will admit that I've obviously hired an incompetent bank and am perhaps at fault for doing so, but that doesn't excuse the bank's incompetence. And I think my fault is reduced by the unavailability of banks that actually do their jobs, whereas banks would have access to decent ATMs if they bothered to demand them.
      3. Where do people get this nonsense? Diebold (or whoever) already charges as much for the ATMs as it can get away with. They don't set prices based on their costs; they set prices based on what customers will pay, subject only to the proviso that if customers won't pay what it costs to make the product, they won't make the product at all. To a first approximation, in a properly functioning market with competition (and there is competition in ATMs), prices fall to approach marginal cost of production (for the most efficient producer). This doesn't increase marginal cost of production for anybody.
      4. Maybe, except that it's NON-disclosure that actually enables the criminals, and that goes beyond this particular bug and beyond the case of ATMs. Not only does non-disclosure enable ATM manufacturers and whoever else to continue to ignore the problem while the criminals continue to exploit it, but, by encouraging other companies in similar situations to do the same, it guarantees further problems. To prevent companies in general from ignoring problems, there needs to be a credible threat of disclosure if there isn't prompt action on reported problems. 8 months is way, way more than enough time. In order to maintain the credibility of the threat of disclosure, there needs to actually BE disclosure once in a while, so that companies know they actually have to live up to their responsibilities.
  3. Re:What I don't get by 4D6963 · · Score: 5, Funny

    Is why everyone cares so much about Money. It's just pieces of paper and little bits of metal. What really matters is Love!

    Well, with money anyone can get some temporary love! And permanent herpes.

    --
    You just got troll'd!
  4. Release it anyway by Hatta · · Score: 5, Insightful

    You don't need a conference to publicize a security problem. Post it on the internet, and the vendor will have plenty of incentive to implement a fix immediately.

    --
    Give me Classic Slashdot or give me death!
  5. Re:WinCE when you say that by aristotle-dude · · Score: 5, Informative

    I can't believe that people use WinCE for a real world application that requires security and reliability. The morons who built these systems are reaping the reward for their ignorance.

    A lot of ATMs were previously running IBM OS/2 and were pretty stable. Not only are these ATMs now exploitable but they are also much slower than before they were "upgraded" to WinCE.

    Upgrades are supposed to improve functionality or improve performance but the text UI actually got about 2X slower to respond.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  6. They got the ability to talk though by Sycraft-fu · · Score: 5, Informative

    They are now much easier for the disabled to use. While it was possible for someone who was blind to use an OS/2 ATM, it relied more or less on memorizing what to do. The buttons had braille on them but there wasn't really any feedback other than beeps. So it was a situation of memorize the key presses to do what you want. New ATMs have headphone jacks and can give audio feedback, allowing those with vision problems to use them much more easily.

  7. Never fear, BH presentation likely by 2gravey · · Score: 5, Interesting

    For those of you who aren't aware, the Black Hat tradition for vulnerability presentations which have been similarly blocked due to court orders, etc. is to offer BH a replacement safe/bland presentation and then deliver the banned exploit demonstration regardless. This action typically results in a large lawsuit against the researcher's employer, subsequent termination of the researcher, and a short-lived rock star notoriety for the researcher making the aforementioned termination totally worth it.

  8. Not forced! by Sockatume · · Score: 5, Informative

    The article is transparent in saying that he chose to cancel his own presentation of his own volition, because it hadn't been fixed yet.

    --
    No kidding!!! What do you say at this point?