Bank Employee Plants Malware on ATMs
Wired's Threat Level has a piece on a Bank of America employee, Rodney Reed Caverly, who has been charged with installing malware on ATMs in North Carolina. Caverly, who worked on the bank's IT staff, allegedly withdrew cash untraceably from the ATMs over a period of 7 months last year. "The charges were filed the same day that credit card company Visa warned the banking industry that Eastern European ATM malware recently showed up in America for the first time. That code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture PINs and bank card magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was still in it... At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR, according to the April 1 Visa alert. There is no information tying the malware found in Russia with the malware allegedly used by Caverly."
I RTFA, and maybe I just missed it...but did they detail how they caught the guy?
Living With a Nerd
I once deposited cash at a Diebold BofA ATM that didn't use envelopes. The little door around the cash-taker closed on the bills and stuck there, so I had to slide/pull them back out. It couldn't read the amount I'd put in (since it ended up being $0) so it made me enter it on the keypad. It wouldn't accept that I'd deposited $0, so eventually I told it I'd deposited $1 so it would give the card back.
To put a long story short, those things are not well-programmed.
Hmmm, where have I heard that before, the terms Diebold and untraceable in the same sentence...beats me!
Tired of my customary
This fellow will serve more time than any of the bank CEOs responsible for the huge mess in America's economy.
Although I hear Diebold does better with ATMs, I can't help but wonder how much effort they put into ATM security versus the voting machine fiasco.
Meanwhile, ATMs have always been pretty shoddy on security. It's a given. People essentially have physical access to the device.
I wonder if it would be better to have ATMs running a virtual or other remote hosted ATM client so that nothing is hosted on the ATM directly? Or is this already being done in some places?
Diebold ATMs run a special version of Windows - it's not stock Windows XP. They work directly with Microsoft to create a specialized version where Diebold has much more control of the low-level functions and it's missing a lot of standard Windows components. I worked there for years.
Now I'm not saying that it is 100% safer and foolproof as I hate the fact that it is Windows-anything, but it's definitely better than stock XP.
Who did he kill? How many children did they find in his basement?
> Although I hear diebold does better with ATM's, I can't help but wonder how
> much effort they put into ATM security versus the voting machine fiasco.
Probably completely unrelated. They got into the voting machine business by purchasing a company that was showing a prototype and then rushing the prototype into production without bothering to develop an actual product. That says a lot (none of it good) about their top management, but nothing about the people in their ATM division.
They eventually dumped the voting machine business, and it is possible that they learned from the experience.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
... what do you do if you get counterfeit bills from an ATM?
File under 'M' for 'Manic ranting'
> Although I hear Diebold does better with ATMs, I can't help but wonder how much effort they put into ATM security versus the voting machine fiasco.
I went to a Bank of America branch here in Eastern NC one day last year, and saw a Windows XP error screen on the ATM. I then saw a Diebold guy coming out of the bank, and asked him about it. He says that the BoA ATMs are now running XP on them. How safe do you feel knowing that?
A lot of ATMs have been running Windows for years. I remember 10 or so years ago after I finished my transaction the ATM rebooted. On the green monochrome screen was the POST check, followed by a Windows NT splash screen. I've also seen various Windows errors over the years on ATMs. Some were still NT 4.0 errors, even recently. A lot of kiosks run embedded versions of Windows. As do cash registers.
I've also seen my fair share of Linux based kiosks sitting with an error, or in an endless reboot cycle, so Windows isn't alone in this regard.
Is this the dude who put that "This bank charges a $3 fee for you to get your own money" exploit on there?
I hate that.
Hang him.
And I suggest you do not use them either. They just operate and behave wrongly, even when they don't have malware installed.
They're slow. -- ATMs in the '80s were faster.
They're obviously running Windows XP. -- The standard Windows sounds are used.
Well.. maybe. Or Maybe not. But Definitely not sort of.
When you don't change the default password, it doesn't matter if you're running XP, 95, OS/2 or SELinux.
When you can overlay a fake cardreader over the top of the device's real reader, it doesn't matter if you're running XP, 95, OS/2 or SELinux.
When the criminal behind it is also a device admin, it doesn't matter if you're running XP, 95, OS/2 or SELinux.
> How safe do you feel knowing that?
This is why banks should use Linux. That way it would be impossible to install the same malware on all systems. Because each slightly different model, released on slightly different dates, would have different versions of incompatible libraries.
“Why GNU/Linux Viruses are fairly uncommon” from Charlie Harvey
A couple of years back, I saw an engineer fixing one of the mini-ATMs you get in bars and rest stops, and it booted into IBM OS/2 Warp - bet eastern European hackers would have trouble cracking that one.
NO AC, it is not special, it is the regular plain vanilla. It is stock XP with branding done on it with the Diebold name (just like DELL and all the others do to their XP to make them look special)...and yeah, it's installed with a script that leaves out some Windows stuff that you don't need...but again this is not special either. I can't say how I know, but trust me I know.
> Caverly, who worked on the bank's IT staff, allegedly withdrew cash untraceably from the ATMs over a period of 7 months last year.
Someone watched Officespace one too many times.
Motorcycles, Robots, Space Gossip and More!
Well, as an aside, it is Windows XP Embedded kiosk edition, but other than that, it's the stock banana, so all the viruses and back doors will still work as written.
"I can't say how I know, but trust me I know."
Now there is a security issue right there.......
Rick B.
IBM bids OS/2 farewell
When will people learn ... Windows is bad for you!
And which "junk" would that be ?
I'm all for "Life without Parole" for DUI, how does that sound to you?
And since our prisons are all filled to the brim, we need to start executing. A LOT.
I'm all for executing drug dealers, child porn people, rapists and murderers.
We need to put an end to this junk, so if we send the message that the POLICE STATE will KILL YOU for just about anything, that should put citizens in their place. After all, if you're not a cop, you're little people.
If telephones are outlawed, then only outlaws will have telephones.
As I recall, Nachi infected several of them.
> How safe do you feel knowing that?
Answer 1: Perfectly safe. I keep my money in my mattress.
Answer 2: I feel much better about keeping my money in the stock market. Even during a crash.
If you've ever worked for a bank (I have, and have relatives in the IT side), you'd know that the poster above is correct. It's a branded but stock version of XP.
I thought most companies were trying to replace that, though.
Not to say you can't make that more secure, I don't know if Diebold does or not, but I do know for certain that terminals running XP run it stock.
I am sure they made modifications to them, but not to the extent that it is noticeable to the worms and viruses.
Yep, I agree. One of the things that could help reduce the problems is to have the gov't (yes, those bastards!) regulate the ATMs (yes, that's a nightmare).
So here's my idea, because the companies won't do it themselves, require that all ATMs look the same: they all have a slanted FLAT front. If a card skimmer is placed on it you'll know right away. Make them all touch screen - no more buttons. Have all of their openings flush.
Sometimes I see ATMs and get confused with what goes where. I understand everyone wants their machine to stand out, but come on, it looks like bad '80s sci-fi movies!
My abilities are only limited by my imagination
yeah, that's why I was hesitant to type up what I did. It was mostly a question if "is it linked", but that kinda implies that it is, and I didn't know which way the ATM division versus voting machine division sits.
Security through obscurity
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Not really a security issue, nothing fishy in that statement, just don't want to get anyone in trouble.
When you become CEO you should sign a contract saying "I will return 100% of my bonuses if my fuckups cause this company to fail".
They do. It used to be called "bankruptcy". Sadly, we have a serious aversion to that under the current administration because it might be uncomfortable for many people living beyond their means.
GM, GMAC, GE, countless banks, many insurance companies --- all of them "bailed out" of bankruptcy.
And yes, I am bitter and pissed, as are MANY other business owners. My company doesn't get bailed out if I fail. Rather, I lose all my shit and have to start over. And for the record, that's how it should be. Bankruptcy is the ultimate "stick" to keep management and owners from doing stupid and/or risky stuff. Take that option off the table and you create a moral hazard that encourages MORE, rather than less, risk taking, i.e. exactly the opposite of what you are trying to accomplish.
... sends out an alert on the 1st April? Seriously?
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Cough: http://en.wikipedia.org/wiki/Justice_(TNG_episode)
With the first link, the chain is forged.
> Make them all touch screen - no more buttons.
"Hey blindey, what's the matter? can't see the screen?!?"
Windows-anything handling your money is Just Not a Good Idea.
http://www.flickr.com/photos/27159137@N08/3186737368/
-- *My* journal is more interesting than *yours*...
Yeah, guess it doesn't matter he had physical access and passwords to the device.
Security through obscurity is not the solution. Proper IT policies are the solution. This is an ATM; not something that needs to play dancing bunnies. It should not have been possible to alter the system state away from a trusted environment without forcing a crash.
And, by the way, you can do that on Windows.
What I fail to understand is why America seems to get few if any of the best bank robbery events. How difficult is it for two people to figure out who the bank manager is, grab his wife one morning, have her call him on the phone and have the manager hand relieved 50-100k to one of the robbers in the parking lot. Two people, doing it this way once every couple of months, in several states, could make a very nice living.
Many moons ago, my brother-in-law was an ATM tech. He told me that ATMs were the last major users of BeOS. Waddayaknow.
My debut novel AMITY now available: http://jeremydbrooks.c
So what have you done? Tripled your fire insurance? What happens when you fall asleep with a hooker over? Does she just help herself on the way out?
I thought once I was found, but it was only a dream.
You should see the god-awful mess they made of the Wachovia ATMs since they merged with Wells Fargo.
What used to be a fairly simple and standard ATM setup all of the sudden grew all sorts of push-advertising for additional services and "value" "added" features. And they slapped at least six stickers on the front, each with enough text for a EULA. It really made it hard to find the usual basic transactions quickly when you're leaning out of your car window trying to just grab some cash.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
One issue with touch screens is the ability for a would-be attacker to merely clean the screen before you use it. Although recovering further data is not as simple (magstripe, chip, removable device) you are still filling in blank spaces for a would-be attacker and that is not usually a good idea.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
The article mentions how some malware previously seen in Ukraine and Russia has shown up in the USA for the first time. While I have not been to Russia, I have been to Ukraine several times. For years now, Kiev (the capital of Ukraine) has been infamous for ATM fraud. Rule of law is very weak in Ukraine and police and the judicial system are notoriously corrupt. Anyone "caught" for ATM fraud could just bribe his way out of trouble. I even heard of fake ATMs placed in various locations in Kiev that never give out money, all they do is record info off the ATM cards and pin numbers and that info is used by the crooks later. It's been like this since at least the early 2000s. I never used an ATM on the times when I was in Kiev. I brought enough cash with me to use anytime I was going to Kiev. For the record, I used ATMs in various other Ukrainian cities and I never had a problem. In fact the only city I've ever heard of ATM fraud happening in is Kiev, but it wouldn't surprise me if it happened in some other large cities like Odessa.
Actually, I'm pretty sure they're using an embedded version, which really isn't so much stock. On embedded versions of Windows, you have the ability to strip out pretty much everything that your application doesn't need to run.
Michael J. Ryan - tracker1.info
Not all, because on embedded systems, usually it's SOP to remove anything that isn't needed by the application layer, also on ATM systems, they aren't (afaik) used on a public internet connection, usually a private network, or pots connection, and encrypted channels on top of that.
Michael J. Ryan - tracker1.info
It's not Windows XP embedded, at least never on any install I've seen.
Uhm, BeOS was never used by any major ATM vendor. I know because I argued vehemently while at Diebold that we should have at a minimum, investigated BeOS as a replacement for OS/2 as opposed to going to XP.
for electronic cash transactions.
I expect to be back to only using cash in about 20 years.
The Kruger Dunning explains most post on
Um, apparently not.
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
They probably didn't have a manufacturer of custom hardware, so when the OTS hardware changed with time, OS/2 didn't support the newer hardware and they had to update to an OS that could.
That *does* remind me of Office Space.
I guess a "pound me in the ass" prison is now in order...
A lot of them run on Windows so that pretty much sums up their security. In the UK, a lot of rail ticket machines are Windows too.
The last place I want Windows is where I stick my bank card.
They still crash (often) like XP from my experience.
> I expect to be back to only using cash in about 20 years.
If the economy keeps heading in the direction it's going, I expect to be using the barter system within 20 years.
Like as in: Hey Mr. Blacksmith, I'll swap you 3 dozen fresh hen's eggs for a pound of nails and this here yearling billygoat for welding up my broken plow blade.
> I've also seen my fair share of Linux based kiosks sitting with an error, or in an endless reboot cycle, so Windows isn't alone in this regard.
Both of them (actually any OS) will suffer from hardware problems. My last PC started first developing reboots and bluescreens on the Windows side, and eventually Mandriva as well. The problem was the power supply, which finally croaked; its voltages had been unstable for some time, causing the problems in both OSes.
Free Martian Whores!
That happens all the time in the US. Someone shows up at the mall early Friday morning with a new ATM and an official-looking shirt. Sometimes the guards even help them bring it into the building and find a power outlet. The machine sits there all weekend, and every time someone puts a card and PIN into it the machine comes back with a polite message about how it's out of order. Monday morning the official-looking shirt guy shows up and says that there have been complaints that the machine is not working and they'll have to take it back for repair. Guard holds the door for them as they wheel it and a couple hundred bank account numbers out the door. I also heard of them picking up the data wirelessly, but a convincing-looking fake ATM isn't cheap.
We set up security cameras for a mall where this happened, about a month after the incident.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Oh, I dunno; maybe he showed up to work one day driving a car worth ten times his annual salary?
Just because someone can write code doesn't necessarily mean they're not dumber than a turnip.
Regards;
My point exactly.
It seems you are a 3rd party in possession of what could be/is confidential information about the structure of a Diebold ATM.
How is that not a breach of security?
Rick B.
One solution is to have the numbers in two rows, with the second row pseudo-randomised by the remote bank; you do a lookup on your PIN from the first row, and enter the corresponding second row values. This resists both smudge-reading on touch-screens and key-loggers on push-pads, because the data you send isn't your PIN, merely a one-time hash that only the receiving bank understands.
Neither of course helps if someone can get actual video of your PIN entry, but there are other solutions for that. :)
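The two-row PIN entry described in the comment above, as an added example (not code from the original thread or from any ATM vendor): the bank issues a fresh pseudo-random second row as a one-time challenge, the customer keys in the digits found beneath their PIN digits, and the bank verifies by recomputing the expected response for that challenge and consuming the challenge so a captured response cannot be replayed. Strictly the response is a one-time substitution rather than a hash. The `PinVerifier` class, the `pins_consistent_with` check and the stored clear-text PIN are all constructs of this example (real back ends keep PIN offsets or PVVs in an HSM, not clear PINs). The last function shows a caveat the comment does not mention: because the second row is a permutation, a captured response alone still reveals the repetition pattern of the PIN (a response like `7733` says the PIN has the shape AABB), which narrows a guesser's search.

```python
import hmac
import itertools
import secrets

DIGITS = "0123456789"   # fixed first row printed on the screen
PIN_LEN = 4


def new_challenge() -> str:
    """Bank side: a fresh second row, a CSPRNG permutation of 0-9 shown
    beneath the fixed first row. Each challenge is used at most once."""
    row = list(DIGITS)
    secrets.SystemRandom().shuffle(row)
    return "".join(row)


def encode_pin(pin: str, challenge: str) -> str:
    """Customer side: for each PIN digit, find it in the first row and key
    in the digit printed directly beneath it in the second row."""
    return "".join(challenge[DIGITS.index(d)] for d in pin)


class PinVerifier:
    """Toy bank back end (hypothetical). Holds a clear PIN only so the
    mapping is visible; a real system would hold a PIN offset/PVV in an HSM."""

    def __init__(self, pin: str):
        if len(pin) != PIN_LEN or not pin.isdigit():
            raise ValueError("PIN must be %d digits" % PIN_LEN)
        self._pin = pin
        self._outstanding = set()   # challenges issued but not yet consumed

    def issue_challenge(self) -> str:
        challenge = new_challenge()
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        """Accept only a response to a challenge this verifier issued and has
        not yet consumed; the challenge is burned whether or not it matches,
        so a keylogged or replayed response is useless afterwards."""
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = encode_pin(self._pin, challenge)
        return hmac.compare_digest(expected, response)


def repetition_pattern(s: str) -> tuple:
    """Shape of a digit string: which positions hold equal digits,
    e.g. '7733' -> (0, 0, 1, 1) and '1234' -> (0, 1, 2, 3)."""
    seen = {}
    return tuple(seen.setdefault(c, len(seen)) for c in s)


def pins_consistent_with(response: str) -> int:
    """Caveat: with a permuted second row, a response observed on its own
    (keylogger, smudges) still fixes the PIN's repetition pattern. Count the
    PINs that remain possible; the observer learns nothing beyond that count."""
    target = repetition_pattern(response)
    return sum(1 for p in itertools.product(DIGITS, repeat=len(response))
               if repetition_pattern("".join(p)) == target)


if __name__ == "__main__":
    bank = PinVerifier("1234")                 # constructed sample PIN
    ch = bank.issue_challenge()
    print("first row : ", DIGITS)
    print("second row: ", ch)
    resp = encode_pin("1234", ch)
    print("customer keys in:", resp)
    print("accepted:", bank.verify(ch, resp))
    print("replay accepted:", bank.verify(ch, resp))
    for r in ("1234", "7733", "5555"):
        print("PINs consistent with response %s: %d" % (r, pins_consistent_with(r)))
```

Because verification recomputes the expected response rather than inverting the row, the bank could also issue a second row with repeated digits (not a permutation), which would hide the repetition pattern at the cost of a higher false-accept rate per guess; the permutation shown here is the simplest instance of the scheme in the comment. As the comment notes, none of this helps against a camera that records both the displayed row and the keystrokes.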
Remember the good old days, when ATMs ran OS/2?