Slashdot Mirror


Hacker Develops ATM Rootkit

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

181 comments

  1. Change your password every day by For+a+Free+Internet · · Score: 1, Funny

    This will stop the Hackors from using your money. Personally I have no problem, because I gave all my money to Obama so he could give it to my bank so it could not be bankrupt so we could all RECOVER and HOPE for CHANGE with WAR WAR WAR WAR!!!!!!!!

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
  2. OK, That's It! by WrongSizeGlass · · Score: 5, Funny

    I'm stuffing all my cash under my mattress from now on. If you can't trust a Diebold ATM, what can you trust?

    1. Re:OK, That's It! by MiniMike · · Score: 5, Funny

      If you can't trust a Diebold ATM, what can you trust?

      Weren't they voted as the #1 ATM?

    2. Re:OK, That's It! by Rogerborg · · Score: 5, Funny

      If you can't trust a Diebold ATM, what can you trust?

      Weren't they voted as the #1 ATM?

      By 107% of the respondents.

      --
      If you were blocking sigs, you wouldn't have to read this.
    3. Re:OK, That's It! by Anonymous Coward · · Score: 0

      Yes they were, but the votes were taken on Diebold voting machines.

    4. Re:OK, That's It! by tehcyder · · Score: 1

      Weren't they voted as the #1 ATM?

      By readers of "What ATM?" magazine?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    5. Re:OK, That's It! by Anonymous Coward · · Score: 0

      Are you joking? Check out their line of voting machines sometime (http://www.google.com/cse?cx=009552434778964892360%3Azdhgrn6svoy&q=diebold&sa=Search&siteurl=www.blackboxvoting.org%2F).

    6. Re:OK, That's It! by Anonymous Coward · · Score: 0

      Yes, that was the joke, thanks.

    7. Re:OK, That's It! by Anonymous Coward · · Score: 0

      > If you can't trust a Diebold ATM, what can you trust?

      I give -- a Diebold Voting Machine? :-p

  3. Lawsuit? by _PimpDaddy7_ · · Score: 3, Interesting

    Can the banks file a lawsuit at him?

    I can't stand companies not taking security seriously.

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    1. Re:Lawsuit? by Anonymous Coward · · Score: 1, Insightful

      is this true?

      contrary to europe, i've seen a lot of in-store ATM's in the US. which obviously didn't have leased lines. so any malicious store manager could see the transactions? MITM anyone?

    2. Re:Lawsuit? by Capt+James+McCarthy · · Score: 4, Insightful

      Can the banks file a lawsuit at him?

      I can't stand companies not taking security seriously.

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else.

      Everyone should know that a lock can be picked. It's just a matter of return for a thief. Making the lock so time consumable to pick that it's not worth it. So the ATM manufacturers have to create security that is not worth the criminal's time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.

      --
      There are no loopholes. It's either legal or it's not.
    3. Re:Lawsuit? by _PimpDaddy7_ · · Score: 4, Insightful

      Don't you remember Verizon and other companies SUED people when they showed their websites were UNSECURE?

    4. Re:Lawsuit? by Anonymous Coward · · Score: 1, Informative

      Did they win?

    5. Re:Lawsuit? by Yvanhoe · · Score: 2, Insightful

      Can the clients of the banks file lawsuits at them? I can't stand companies not taking security seriously.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    6. Re:Lawsuit? by baKanale · · Score: 3, Informative

      Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

    7. Re:Lawsuit? by Ubergrendle · · Score: 4, Interesting

      It would depend upon the nature of the hack. The promotional materials for his speech are light on details. Is this a top end ATM from NCR, or a white label generic ATM which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or is he looking at something more subtle?

      I'll reserve judgement on his expose until I read of the details; I understand why he wouldn't want to advertise the juicy details before his presentation, but on the other hand I'm skeptical around what he's implying.

      --
      John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
    8. Re:Lawsuit? by MBGMorden · · Score: 4, Informative

      Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.

      It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.

      One of two possible scenarios then play out:

      a. You show at the next town meeting that your neighbor - John Q. Noob, is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and an example lock and how to pick it.

      b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".

      A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    9. Re:Lawsuit? by mjwalshe · · Score: 1

      but selling the gear to do it to the general public isn't

    10. Re:Lawsuit? by Daley_G · · Score: 3, Insightful

      As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with. I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

    11. Re:Lawsuit? by crow_t_robot · · Score: 0, Insightful

      File a lawsuit? For publishing information on security weaknesses in critical financial infrastructure that is already known by malicious individuals? Do you know how silly this is? By publishing he is forcing these companies to get their acts together. If he doesn't publish, this information will remain in the realm of people who will use it for theft without any corrective action taken by the ATM manufacturer. Don't try to fool yourself by thinking this is the only guy on the planet that has figured out these weaknesses.

    12. Re:Lawsuit? by Capt+James+McCarthy · · Score: 2, Insightful

      As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with.

      I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

      Very good point. So how do you deal with that concerning your customers? Do you warn them with a signed statement that says there is a risk of theft on atm systems? Or are banks willing to eat the cost of a break in (reimbursement) when it happens and not warn customers.

      --
      There are no loopholes. It's either legal or it's not.
    13. Re:Lawsuit? by Anonymous Coward · · Score: 0

      Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else.

      Of course. There are usually two strategies:
      1. Get a judge to prohibit the publication of anything the researcher found, so the conference presentation cannot be held.
      2. Intimidate them into oblivion. Companies don't have to win a lawsuit or even start one. The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies. It doesn't matter if the one who found the vulnerability has the law on their side in the end. Companies can drag out lawsuits so it never gets to that point.

      A year ago or so there were students who wanted to hold a speech on how easily they hacked some transportation company's bus/subway tickets. The result was, the company in question buried them in legal threats and injunctions. They got intimidated and only held a redacted talk and published very little. Not sure if a lawsuit was filed but the threat alone obviously was enough.

    14. Re:Lawsuit? by Anonymous Coward · · Score: 2, Insightful

      Yes, they did. Ever heard of "No More Free Bugs"?

    15. Re:Lawsuit? by halcyon1234 · · Score: 2, Funny

      Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

      Not a chance. To get the cash to pay the fines, he'll just break into a bunch of ATMS.

      "Here's your $100,00, in $20 and $50s."

    16. Re:Lawsuit? by evilandi · · Score: 5, Interesting

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Dude, it was the 1950s. How were they supposed to encrypt punch cards? Colour them in?

      The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

      --
      Andrew Oakley - www.aoakley.com
    17. Re:Lawsuit? by Lumpy · · Score: 3, Interesting

      No it doesn't, you point out the flaws without any info about you attached. I.E. Publish all the info outside the country.

      Honestly it blows my mind that any Computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. You are getting a heads up because I'm a nice guy"

      Then in 90 put it on the net.

      They can't sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.

      --
      Do not look at laser with remaining good eye.
    18. Re:Lawsuit? by Bakkster · · Score: 4, Interesting

      The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

      One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollars for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    19. Re:Lawsuit? by evilandi · · Score: 2, Informative

      The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies

      Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.

      --
      Andrew Oakley - www.aoakley.com
    20. Re:Lawsuit? by mapkinase · · Score: 1

      Let's make an off-line analogy:

      An omnipresent part of an off-line security system nowadays is a security camera. Suppose you know that a particular building has blind spots that could be used by perpetrators to avoid identification during their physical approach to the building before or after attack.

      Would it be ethical to publicize those blind spots?

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    21. Re:Lawsuit? by Anonymous Coward · · Score: 0

      Wouldn't a break in at an ATM be effectively the same thing as a bank robbery and therefore the consumer be protected by FDIC or NCUA anyway?

    22. Re:Lawsuit? by zeroshade · · Score: 1

      Entirely ethical. Once you've publicized them, it becomes the responsibility of the owner/person in charge of security to fix the blind spots. If they do not fix them, then they obviously decided that the risk was acceptable. Think about it in terms of risk versus reward. If you only tell them and don't publicize it, the risk is very small. If you publicize the blind spots, then a lot more people know about them and thus the risk is much higher. If the new, higher risk is more than the cost of fixing the blind spots, then they'll fix them.

    23. Re:Lawsuit? by HungryHobo · · Score: 3, Insightful

      In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.

    24. Re:Lawsuit? by bws111 · · Score: 2, Interesting

      On what grounds? If you have been the victim of a fraud, and the bank didn't correct it, you can probably sue them. If you haven't been the victim of a fraud, but you just think their security is too lax, then don't use them. Kind of hard to rail at someone else for not taking security seriously when by definition you yourself aren't taking security seriously if you trust someone you consider non-trustworthy.

    25. Re:Lawsuit? by somersault · · Score: 1

      Even if we didn't have legal aid, I'm pretty sure the "loser pays" system would get rid of most spurious lawsuits.

      --
      which is totally what she said
    26. Re:Lawsuit? by ClosedSource · · Score: 0, Redundant

      "Why? For pointing out security flaws?"

      Yes, that is the standard excuse, but it doesn't wash. There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock.

    27. Re:Lawsuit? by hrieke · · Score: 4, Insightful

      No, the real reason is liability.
      If you sell the machine and believe it to be secure and sell it as such without the review & audit, and then it's proven to be insecure, fine, unknown bug.
      If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.

      --
      III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
    28. Re:Lawsuit? by ClosedSource · · Score: 0, Troll

      Or the white-hats could just mind their own business and avoid a catch-22 situation.

    29. Re:Lawsuit? by bws111 · · Score: 1

      The FDIC and NCUA do not insure banks against robbery, they insure the depositors (you) against the failure of the bank. Anyway, yes it would basically be the same thing, and the loss would be covered by the bank's insurer.

    30. Re:Lawsuit? by ClosedSource · · Score: 3, Informative

      Perhaps you're thinking of a night deposit box which isn't an ATM. There were no ATMs in the 1950s.

    31. Re:Lawsuit? by VIPERsssss · · Score: 1

      How difficult is it to imagine that he's a site admin testing security on his or his company's own equipment.

      --
      We are eternal, all this pain is an illusion.
    32. Re:Lawsuit? by Capt+James+McCarthy · · Score: 1

      The FDIC and NCUA do not insure banks against robbery, they insure the depositors (you) against the failure of the bank. Anyway, yes it would basically be the same thing, and the loss would be covered by the bank's insurer.

      So why would anyone be upset by the presentation then if the security flaws are already covered by the FDIC and NCUA? Could it be that then the cost of protection starts to eat away profits?

      --
      There are no loopholes. It's either legal or it's not.
    33. Re:Lawsuit? by vegiVamp · · Score: 1

      No encryption does not necessarily mean no authentication.

      --
      What a depressingly stupid machine.
    34. Re:Lawsuit? by vegiVamp · · Score: 1

      Regardless of anything else, if you break into an ATM you're not gonna take the time to extract the money from victim accounts, you just tell it to start spitting bills.

      --
      What a depressingly stupid machine.
    35. Re:Lawsuit? by Anonymous Coward · · Score: 0

      ... eventually.

      Singh has still had a monumental fight on his hands to get to that point.

      Andy

    36. Re:Lawsuit? by Sir_Lewk · · Score: 1

      And authentication without encryption protects you from eavesdroppers how exactly?

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    37. Re:Lawsuit? by vegiVamp · · Score: 1

      Not from eavesdroppers, but it does protect you from MITM attacks.

      --
      What a depressingly stupid machine.
    38. Re:Lawsuit? by mapkinase · · Score: 1

      There is also a factor of cost. Suppose, it's a mom-and-pop store and they actually knew already about their blind spots when they bought their cameras from "securitate kameras, ltd". They know they do not have money to invest in better security.

      Is it ethical to publicize the information about blind spots in this case?

      You can see that this example is partially applicable to any target, since the factor of cost is there.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    39. Re:Lawsuit? by Legion303 · · Score: 4, Interesting

      "There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock."

      Not legally, there isn't. I'll be giving a talk on exactly this subject in 6 weeks. Marc Tobias, a lawyer, has co-authored an extremely detailed book on picking, bypassing, and completely ignoring the security of Medeco Biaxial locks. Find a better analogy.

    40. Re:Lawsuit? by Golddess · · Score: 1

      At first, I thought that it would still be ethical. But then I thought, "isn't this almost like Please Rob Me?" Ultimately though, I guess it depends on what a criminal could steal from that Mom & Pop store.

      If all a criminal could do is bankrupt Mom and Pop, it probably isn't ethical to release the information on the blind spots.

      But if customer records are stored in the store, then it probably is ethical to still reveal the blind spots, as Mom and Pop probably have an ethical responsibility to the protection of their customer's data.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    41. Re:Lawsuit? by Zenaku · · Score: 3, Funny

      That's like saying that keeping your money in a big pile on your front lawn will protect you from safe-crackers.

      --
      If fate makes you a motorcycle, you become a motorcycle.
    42. Re:Lawsuit? by Anonymous Coward · · Score: 0

      I'm pretty sure that the OP meant for banks to sue the ATM manufacturers/developers/engineers.

      They should certainly be held liable. We'd hang the engineers of a failed bridge, and the construction teams that built it, out to dry.

    43. Re:Lawsuit? by moeinvt · · Score: 1

      "A year ago or so there were students who wanted to hold a speech on how easily they hacked some transportation company's bus/subway tickets."

      It was MIT students and the MA Transit Authority. They weren't exactly "buried" in legal threats. A judge just issued a court order telling them not to discuss the vulnerabilities they had discovered. Not sure what ultimately happened.

      http://www.ft.com/cms/s/0/72ed83e0-58ac-11df-a0c9-00144feab49a.html

    44. Re:Lawsuit? by Bakkster · · Score: 1

      Exactly, and so the only way for people like us to have dependably secure systems to use (ATMs, banks, CCs, anything with a logon or PII) is for white-hat hackers to break the law. That needs to be fixed, one way or the other.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    45. Re:Lawsuit? by moeinvt · · Score: 1

      )*(&^%#! cut and paste. Ignore the previous link about Fannie Mae and Freddie Mac. Sorry.

      http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210002185

    46. Re:Lawsuit? by opus_magnum · · Score: 1

      It might be their business too, as customers.

    47. Re:Lawsuit? by Sir_Lewk · · Score: 1

      You don't really need to MITM the transaction if it's being transmitted in the clear. I know you were just being pedantic, but honestly, nobody cares about the subtle differences between MITM and eavesdropping in this situation. The point is there was a serious issue.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    48. Re:Lawsuit? by Anonymous Coward · · Score: 0

      As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with.

      I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

      Very good point. So how do you deal with that concerning your customers? Do you warn them with a signed statement that says there is a risk of theft on atm systems? Or are banks willing to eat the cost of a break in (reimbursement) when it happens and not warn customers.

      Actually, they disclaim responsibility and say you are a victim of "identity theft", not that they, the banks, are victims of fraud. That way you have to pay to clean up their mess, and the quarterly profits go up by a penny.

    49. Re:Lawsuit? by Anonymous Coward · · Score: 0

      Can the banks file a lawsuit at him?

      I can't stand companies not taking security seriously.

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Honestly banks should not sue him. It is the same idea that many vulnerabilities are put in the public eye: to get people to deal with them.
      We need people talking about these, and companies taking them seriously. If he was some guy sitting in his garage and using it instead of telling others how to do so, he could rip off more money than the few that understand what he has to say. In the meantime the attempted attacks will put a fire under the ATM developers.

      The open source community has shown that things are better when lots of people get together to work on things. If we stop people like this from talking in public forums, they will talk in private forums where the few people that know about the vulnerabilities will be more likely to use them for years to come. Sure speaking in an open forum gets lots of people playing with the idea, but more importantly it shows the people in charge and the users the risks involved with the technology so they can take measures to combat losses.

    50. Re:Lawsuit? by Anonymous Coward · · Score: 0

      That's why you FIX THE ISSUES before you sell it.

      Duh.

    51. Re:Lawsuit? by Anonymous Coward · · Score: 1, Insightful

      Do they have to?

    52. Re:Lawsuit? by wolrahnaes · · Score: 1

      Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.

      Actually the British libel laws were and still are fairly far in favor of those like the British Chiropractic Association. The case was dropped when Simon won his appeal over an earlier judgment that was going to force him to defend an interpretation of his words which any sane person would see wasn't what he meant. He would have been doomed had that appeal not gone his way, and even with the win it was still more of a 50/50 shot under British law (from my understanding as an American having loosely followed this case). The BCA apparently decided to give up once it wasn't a slam dunk for them anymore, but Simon is still out over 100,000 pounds in legal costs (though he is trying to recover some of that).

      In civilized countries, the burden of proof for libel lies on the one supposedly being libeled. In Britain, the writer of the supposed libel is guilty until proven innocent.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    53. Re:Lawsuit? by hesaigo999ca · · Score: 1

      I tend to agree with your approach. If we had fewer people trying to get cred, and more that did exactly as you mentioned, "you have 90 days to fix your bug or I go REALLY public with a how-to video, that way even your grandmother can do this hack", then they have no choice.

    54. Re:Lawsuit? by freedom_india · · Score: 1

      And pray tell me which ATM has $50 bills? Most ATMs I withdraw from, especially the Wells machines, have a max $20 bill. Dumb ass machines

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    55. Re:Lawsuit? by Lunoria · · Score: 1

      Some machines in Alberta just dispense $50 bills. Of course, very few people even take the $50's anyways.

    56. Re:Lawsuit? by zmollusc · · Score: 1

      Lol. The 'top end' NCR ATM is little more than a PC with a cash handler glued on. Also the cash handler is somewhat flaky and fragile and seems like a prototype rather than something that had been developed for and made on a production line.
      Mind you, Wincor Nixdorf aren't much better, although they look like they have been designed with CAD.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    57. Re:Lawsuit? by Anonymous Coward · · Score: 0

      But they market it as "Trustworthy"! If it's not trustworthy, then that's false advertising!

      (Sorry to hate on MS, but I hate that anyone uses words like that... it essentially kills the meaning of the word)

    58. Re:Lawsuit? by Anonymous Coward · · Score: 0

      ... I think the consumers have a right to hold the banks accountable.

      take back the "bail out" you mean?

    59. Re:Lawsuit? by archmcd · · Score: 1

      There are ATMs in the AC Trump Casinos that dispense $100s, and I'm sure elsewhere.

      --
      I'm not an expert, but I play one on slashdot.
    60. Re:Lawsuit? by tc3driver · · Score: 1

      With most white hats, this is how they make their living, cred is how they make their living, asking them not to do something for cred, is like asking you to work for free.

      --
      42 69 6C 6C 20 47 61 74 65 73 20 69 73 20 61 20 77 68 6F 72 65 21
    61. Re:Lawsuit? by Frnknstn · · Score: 1

      That isn't even slightly true. Authentication without encryption is more like having a see-through safe: everyone can see how much money you have, but they still can't touch it.

      --
      If it's in your sig, it's in your post.
    62. Re:Lawsuit? by Sulphur · · Score: 1

      "Here's your $100,00, in $20 and $50s."

      You can have $100 as five $20s or two $50s, but not both denominations.

    63. Re:Lawsuit? by halcyon1234 · · Score: 1

      "Here's your $100,00, in $20 and $50s."

      You can have $100 as five $20s or two $50s, but not both denominations.

      Seems I lost a zero. Stupid Diebold machines.

    64. Re:Lawsuit? by Sir_Lewk · · Score: 1

      I seriously hope you are kidding me. Do you really think the only thing that is transmitted over those wires is your account balance?

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    65. Re:Lawsuit? by vegiVamp · · Score: 1

      Yes, people could eavesdrop on your transactions, which is not a desirable situation; but unless they can access the actual hardware to 'fix' the authentication (at least challenge/response, I would hope) they can't *modify* the transactions and steal your monies.

      Maybe that's not a major difference for you, but it is for me.

      --
      What a depressingly stupid machine.
    66. Re:Lawsuit? by vegiVamp · · Score: 1

      No, it's saying that the first order of business is to keep you from stealing my money, not keep you from seeing it.

      --
      What a depressingly stupid machine.
    67. Re:Lawsuit? by Zenaku · · Score: 2, Informative

      The entire purpose of a man-in-the-middle attack is to work around the fact that the attacker cannot eavesdrop directly on an encrypted channel. The attacker wants the authentication credentials for your bank account, but the communication is encrypted. So instead he tricks the client device into opening an encrypted channel to HIM instead, by poisoning a DNS cache for instance, and gets you to send him the credentials directly. The whole point is to get access to what he needs to access your account.

      If the data is transmitted in the clear, MITM is completely unnecessary. He just eavesdrops on the communication and gets the credentials.

      It's not about "seeing your money." It's about seeing the secret numbers needed to access your money. Perhaps it would have been a better analogy if I had said that it was akin to thinking that posting the combination to your safe on a sign right next to it would protect you from safe-crackers, but I still fail to see your point.

      --
      If fate makes you a motorcycle, you become a motorcycle.
    68. Re:Lawsuit? by Sir_Lewk · · Score: 1

      Theoretically they don't need to modify *your* transaction to steal your money if they can record the entirety of the plaintext of your transaction. If they are able to collect the right data (as would be the case if the entire transaction was in the open) then they would be able to use the ATM to authorize a second transaction at a later date. In this hypothetical the attacker is the shop-owner anyways, so physical access to the ATM can be assumed, even if it isn't strictly needed.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    69. Re:Lawsuit? by Frnknstn · · Score: 1

      Apart from the pictures of your mom?

      Yeah, other stuff is sent. Instructions for money transfer, I suppose. You could work out which charities the guy donates to.

      What you *couldn't* do is steal any money, or make the guy think he had more or less money than he did. If you tried, he and the bank would see that the messages were coming from somebody else; that's the definition of authentication.

      --
      If it's in you sig, it's in your post.
    70. Re:Lawsuit? by Sir_Lewk · · Score: 1

      Provided enough information you don't have to fake being an ATM. You can *be* an ATM. If the authentication is done in the clear, then you can capture it. ATMs don't authenticate your pin number and whatnot, they are basically just thin clients in that regard. Capture the guy's account information, pin number, etc., then you have all you need to screw him over. If you don't believe that, then feel free to post your such information in a reply.

      The OP was asserting that ATMs originally worked like telnet or rsh. Authentication but vulnerable to eavesdropping. Listen to the original connection and you have all the information you need to authenticate yourself at a later date. You can't just say "there is authentication so it is safe", you have to do the authentication correctly. You know what else is a form of authentication? The "shave and a hair cut" door-knock.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    71. Re:Lawsuit? by Frnknstn · · Score: 1

      Well, it is lucky I am not arguing with the OP, I am arguing with some guy who said 'And authentication without encryption protects you from eavesdroppers how exactly?' Luckily, he seems to have realised he is wrong, and is backing off from his original position.

      There are many ways to authenticate both ends of a channel, and have it be safe from MITM attacks, replay attacks, and any other forgery or injection into the channel that a third party would use, especially considering that both the ATM and bank card are issued by the bank.

      As I said, it seems that the guy may have realised that, and now he is taking the juvenile position that if authentication is done poorly, it doesn't work. What a revelation! You mean if there is no authentication, there is no authentication?

      --
      If it's in you sig, it's in your post.
    72. Re:Lawsuit? by Sir_Lewk · · Score: 1

      I am arguing with some guy who said 'And authentication without encryption protects you from eavesdroppers how exactly?' Luckily, he seems to have realised he is wrong, and is backing off from his original position.

      Wrong. This is exactly what I am still arguing, read my post again.

      There are many ways to authenticate both ends of a channel, and have it be safe from MITM attacks, replay attacks, and any other forgery or injection into the channel that a third party would use, especially considering that both the ATM and bank card are issued by the bank.

      Completely and utterly irrelevant. Those are not the only threats an eavesdropper can pose. As I stated much earlier in this discussion MITM attacks are not really what you need to be concerned about in this kind of situation.

      You are asserting that they used authentication schemes several decades ago for ATM transactions that 1) did not use encryption, and 2) were secure against eavesdroppers. This is, simply put, not true. If you attempt to use authentication in absence of encryption, you are not going to be secure from squat.

      Alice and Bob wish to do some banking. Alice is at an ATM, and Bob is a Bank. Alice authenticates with Bob by telling Bob her account number, and the PIN for the account. She does this by shouting across the room for all to hear. Eve, listening to this plaintext shouting exchange, writes down Alice's information, and the next day pretends to be Alice to Bob.

      You can prevent this scenario a number of ways. For example, authentication can be done over a secure channel (Which is not the case in this situation with older ATMs, they use the same unsecured phoneline for everything).

      Or, Alice and Bob can use a challenge-response scheme to authenticate each other. The problem there is still the eavesdropper however. The way to do a challenge-response authentication in the clear is to have Bob generate a random number, and send it to Alice. Alice then takes her PIN and the random number from Bob, applies a one-way function to both of them, and sends the result back to Bob. Bob, knowing both his random number, and Alice's PIN, can also calculate the result of the one-way function, and compare the results.

      This is great. Secure authentication without encryption (arguably)! Eve can listen to this transaction all day and still not learn Alice's PIN! So what exactly is the issue? Well, simply put, they did not have one-way functions to do this with during the time we were talking about. Literature on one-way functions from even just before the 80s is severely lacking, it is not reasonable at all to expect that banks, some of the last people to adopt new security technologies, would know about it, and be correctly using it. Even though they could have done this, they didn't know how to. Furthermore, once you use challenge-response authentication in a secure fashion such as this, it becomes much harder to argue that encryption was not in fact used. The original statement was that ATMs originally did not use any sort of encryption at all, assuming that although they didn't bother to use encryption, but had the presence of mind to use a secure challenge-response authentication scheme, is just plain silly.

      You mean if there is no authentication, there is no authentication?

      Authentication does not imply secure authentication.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
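Added example (not part of any comment in this thread): the two schemes described in comment 72, a secret sent in the clear and a challenge-response built on a one-way function, run side by side against an eavesdropper's replay. HMAC-SHA-256 stands in for the one-way function, and the account number, PIN, class and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for illustration; not from any real system.
ACCOUNT = "000123456"
PIN = "4921"


def response_for(secret: bytes, challenge: bytes) -> bytes:
    """One-way function of the shared secret and the bank's challenge.
    HMAC-SHA-256 is this example's choice, not a historical ATM scheme."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Bank:
    """Bob: holds each account's shared secret and verifies logins."""

    def __init__(self, secret_by_account):
        self._secrets = dict(secret_by_account)
        self._pending = {}  # account -> challenge still waiting for an answer

    def login_plaintext(self, account: str, pin: str) -> bool:
        """telnet/rsh style: the secret itself crosses the wire."""
        expected = self._secrets.get(account)
        return expected is not None and hmac.compare_digest(expected, pin.encode())

    def new_challenge(self, account: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random number per attempt
        self._pending[account] = challenge
        return challenge

    def login_response(self, account: str, response: bytes) -> bool:
        challenge = self._pending.pop(account, None)  # each challenge is single use
        secret = self._secrets.get(account)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(response_for(secret, challenge), response)


def plaintext_replay():
    """Alice sends account and PIN in the clear; Eve repeats them the next day."""
    bank = Bank({ACCOUNT: PIN.encode()})
    overheard = (ACCOUNT, PIN)  # everything that crossed the wire
    alice_ok = bank.login_plaintext(ACCOUNT, PIN)
    eve_ok = bank.login_plaintext(*overheard)
    return alice_ok, eve_ok


def challenge_response_replay():
    """Alice answers a challenge; Eve replays that answer to a later challenge."""
    bank = Bank({ACCOUNT: PIN.encode()})
    challenge = bank.new_challenge(ACCOUNT)
    overheard = response_for(PIN.encode(), challenge)  # Alice's answer, heard by Eve
    alice_ok = bank.login_response(ACCOUNT, overheard)
    bank.new_challenge(ACCOUNT)  # next day: the bank picks a new random number
    eve_ok = bank.login_response(ACCOUNT, overheard)
    return alice_ok, eve_ok


def pins_consistent_with(challenge: bytes, response: bytes):
    """Design check: which 4-digit PINs match one overheard (challenge, response)?
    A single survivor means the secret is too small to protect this way."""
    return [
        f"{n:04d}"
        for n in range(10_000)
        if hmac.compare_digest(response_for(f"{n:04d}".encode(), challenge), response)
    ]


if __name__ == "__main__":
    print("plaintext          (alice, eve):", plaintext_replay())
    print("challenge-response (alice, eve):", challenge_response_replay())
    c = secrets.token_bytes(16)
    print("PINs matching one overheard exchange:",
          pins_consistent_with(c, response_for(PIN.encode(), c)))
```

The last function is the design caveat: the replay fails, but a 10,000-value secret can be checked exhaustively against one overheard exchange, so the shared secret in such a scheme should be a high-entropy key held by the card or terminal rather than the PIN alone.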
  4. hmm... by Pojut · · Score: 2, Interesting

    I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

    1. Re:hmm... by Ephemeriis · · Score: 2, Insightful

      I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

      I'm sure he can.

      Which is stupid.

      Because if he knows this stuff he probably isn't the only one. And just the news that these machines can be hacked is going to have other people trying to figure out what he knows, even if he doesn't say anything. So whether he opens his mouth or not really isn't going to change how secure these machines are.

      All it will do, hopefully, is scare the manufacturers into improving their security.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    2. Re:hmm... by thegrassyknowl · · Score: 0

      I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

      What pisses me off is that he is publishing this. Others probably know about it and are silently exploiting it. The banks don't care. They want to present an illusion of security because fixing security would cost them more money than it currently saves. They'll only do something about it when it becomes really widespread and starts actually costing serious green.

      --
      I drink to make other people interesting!
    3. Re:hmm... by Abcd1234 · · Score: 1

      I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

      I would think only if he shows himself, either in pre-recorded video or live, actually performing the hack on a real ATM. At that point, he could be charged under the computer fraud and abuse act. But simply doing a presentation on the topic, with details of the hacks? No, I don't think there's any law, yet, that makes *that* illegal, and any such law would likely be unconstitutional in any case (pesky first amendment and all that).

    4. Re:hmm... by JasterBobaMereel · · Score: 1

      Probably yes ...

      Any case would be trying to prove he used protected information illegally or actually hacked an ATM for gain ... he can't be prosecuted for publishing known information (freedom of the press)

      --
      Puteulanus fenestra mortis
    5. Re:hmm... by GrahamCox · · Score: 2, Insightful

      They'll only do something about it when it becomes really widespread and starts actually costing serious green

      And that will be a good thing. Which the publishing will help bring about. I don't follow your argument, unless it's that you don't want this published widely so *you* can personally exploit it.

    6. Re:hmm... by L4t3r4lu5 · · Score: 2, Insightful

      What pisses me off is that he is n't publishing this.

      FTFY, considering the tone of the rest of your comment.

      You want him to publish so the banks have to fix it, not have him keep it secret and leave the rest to exploit it.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:hmm... by plover · · Score: 4, Insightful

      What pisses me off is that he is publishing this.

      Why does that make you mad?

      Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes.

      The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them.

      So again I ask, why you are mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)

      --
      John
    8. Re:hmm... by Anonymous Coward · · Score: 2, Interesting

      I don't know about banks but credit unions care about security and keeping their ATMs up to date. Unfortunately, they are at the mercy of the ATM manufacturers, vendors and whoever provides the maintenance. I suppose banks could have different maintenance contract due to their size but normally software updates are part of the annual support contract.

    9. Re:hmm... by Opyros · · Score: 1
    10. Re:hmm... by kz45 · · Score: 1

      "Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes."

      It's foolish to think that banks will be able to fix these holes instantly. Even if they knew about it today, it could take months to fix these flaws.

      Releasing it to the world may push the banks to fix it. But it could also result in innocent people getting their money stolen because the banks couldn't fix it fast enough.

      "The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them."

      Would it be okay if your money got stolen using one of these flaws and you couldn't get access to it for months while they were investigating? You would probably blame the banks.

      It's irresponsible for these guys (or anyone) to release these types of flaws without first telling the banks and allowing them enough time to fix the problem.

      "So again I ask, why you are mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)"

      I have to LOL at this. This is similar to: The government should be able to search your private home without a warrant. If you don't agree to this, you MUST have something to hide.

    11. Re:hmm... by bws111 · · Score: 1

      If people are exploiting some hole and the banks are absorbing the losses (ie it is not affecting account balances), then they are not 'presenting an illusion of security', they are providing security.

    12. Re:hmm... by Mister+Whirly · · Score: 1

      I know how to rob a bank. I think just about anybody else could figure it out. So if I tell someone "All you need to do is get a gun, go in the bank, demand money, and leave." does that make me guilty of any crime? Hell no. Knowledge by itself isn't illegal. Robbing a bank with said knowledge is. Until you actually commit the action, knowing how to do it doesn't matter.

      --
      "But this one goes to 11!"
    13. Re:hmm... by Inda · · Score: 1

      Green? Phew!

      Our money is blue, brown, purple and red!

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    14. Re:hmm... by plover · · Score: 4, Insightful

      His talk is a year old already. You don't think he's disclosed it to the banks long ago? No, they've had all the warning they need. Now it's time to prove they've fixed their equipment.

      Seriously, if he never releases his info, it will never get fixed. You can talk to the I.T. staff for a year about the problems and nothing will get done. The banks can even have a guy inside I.T. shouting "we gotta fix this!!" and he'll be ignored.

      Post it on the internet, deliver it to a roomful of blackhats, THEN something will get done. Until then, however, we're all still vulnerable to the bad guys who are already exploiting this kind of crap.

      --
      John
  5. ATM machine by Anonymous Coward · · Score: 5, Funny

    You almost made it through the whole summary without saying it.

    1. Re:ATM machine by Anonymous Coward · · Score: 0

      His code runs on the JVM virtual machine using IP protocol, too.

    2. Re:ATM machine by Anonymous Coward · · Score: 0

      Of course he does. How else is he going to process your PIN number?

    3. Re:ATM machine by Anonymous Coward · · Score: 0

      ...brought to you by the department of redundancy department

    4. Re:ATM machine by Nadaka · · Score: 1

      But is it his personal PIN number?

    5. Re:ATM machine by Anonymous Coward · · Score: 0

      It's not polite to write the full version of Ass To Mouth machine

    6. Re:ATM machine by xystren · · Score: 1

      ... who will now be checked, audited and examined by the department who's mission is to stamp out, reduce and eliminate all forms of excess, unnecessary and repeated forms of redundancy.

    7. Re:ATM machine by operagost · · Score: 1

      HEY! We're lampooning redundancy here, not apostrophe abuse!

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    8. Re:ATM machine by Anonymous Coward · · Score: 0

      I work for a textbook distributor. Customers often inquire about an ISBN.

      "Can you give me the ISBN number?"
      "I need this book ISBN number."
      "Where can I find the ISBN book number?"

      Yes, it's wonderful.

    9. Re:ATM machine by gwjgwj · · Score: 1

      You almost made it through the whole summary without saying it.

      But forgotten to mention PIN numbers.

  6. ...how to hack an OS/2 ATM ? by martiniturbide · · Score: 1

    Let's see if at the conference he says how to hack an OS/2 ATM !!!

  7. Why can't the ATM suppliers just... by drc003 · · Score: 5, Funny

    ...just get a deal going with McAfee? Then their systems would be completely safe and always online!

    1. Re:Why can't the ATM suppliers just... by Anonymous Coward · · Score: 0, Redundant

      ...just get a deal going with McAfee? Then their systems would be completely safe and always online!

      except that one time when they sent out a new DAT update...

    2. Re:Why can't the ATM suppliers just... by Anonymous Coward · · Score: 0

      Symantec got there first! So their systems are completely unsafe and always online!!!

    3. Re:Why can't the ATM suppliers just... by Anonymous Coward · · Score: 0
  8. There's always a paper trail by Maarek+Stele · · Score: 0

    If you didn't like to talk to a teller before, now's the time. The receipt you receive is sometimes more than what's given back from the ATM. You can stuff it into your file cabinet until the money is spent. Your money is secure up to $250k, so if you have more, then start creating different accounts or start investing the money into something else.

    I can go on and on or better yet someone else will add to my comments.

    --
    "Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind." -Dr. Seuss
    1. Re:There's always a paper trail by Lumpy · · Score: 1

      ATM? Teller? Who uses those anymore?

      direct deposit -> wire transfer to account.

      Credit card -> wire transfer to merchant.

      I haven't used an ATM in 3 years. I haven't used a teller in 7.

      Cash? Who carries cash anymore? I know it's a slippery slope to a cashless society where everything can be taxed multiple times, but I like not having cash on me.

      --
      Do not look at laser with remaining good eye.
    2. Re:There's always a paper trail by Jorth · · Score: 1

      How on earth do you buy a drink in a pub? Or do you reside solely in your parents' basement?

    3. Re:There's always a paper trail by Lumpy · · Score: 1

      I hand them my credit card like everyone else in the place. In fact most will swipe your card once and run your tab on it if you are a regular. My favorite Irish Pub in Dublin even does this, same as the die Kneipe I was in 12 weeks ago in a little town outside of Berlin.

      Have you ever been in a pub?

      --
      Do not look at laser with remaining good eye.
    4. Re:There's always a paper trail by Anonymous Coward · · Score: 0

      Offtopic: you spelled "inane" as "inanae" in the graphic at the top of your blog page.

    5. Re:There's always a paper trail by Mister+Whirly · · Score: 1

      Have you ever been in a pub?

      Yes, but only the really dodgy ones that are cash only. Ones that take plastic forms of payment are a little too classy for the likes of me.

      --
      "But this one goes to 11!"
  9. Come on Taco, more imagination! by Dystopian+Rebel · · Score: 4, Funny

    "from the well-that-doesn't-make-me-feel-better dept."

    Where's the zip, the punch in your writing? This is the news business! If Larry Wall can be funny AND write Perl code, so can you!

    Suggestions:

    "from the All Your ATM Are Belong To Us dept"

    "from the Who Says Cybercrime Doesn't Pay dept."

    "from the Your Money Is In Good Hands -- NOT dept"

    "from the Can We Have Human Tellers Again dept"

    "from the It'll Be The Debit Of Me dept."

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  10. Same hack that was used on diebold voting systems? by Joe+The+Dragon · · Score: 1

    Same hack that was used on diebold voting systems?

  11. Operating System specific? by tecker · · Score: 2, Interesting

    The title says it is multi-platform but doesn't mention that anywhere in the article. So is this one that runs on CustomFW, Windows and Linux based ATMs?

    To me it would seem better to create a system that would raise the "your-not-with-OUR-bank-so-we-can-stiff-you" charge (charge em 3.50 for the transaction then send 2 back to the bank per normal). Slow but would make money over time if EVERY atm had your code.

    --
    Procrastinating life a way at a rapid rate of speed.
    1. Re:Operating System specific? by IBBoard · · Score: 2, Insightful

      You get charged for using ATMs that aren't from your own bank? What weird kind of economy is that? The only way you generally get charged in the UK is a) if you're using a credit instead of a debit card (and then it is your card company charging you "cash advance" fees), b) if you're using one of those "convenience" ATMs that are in a pub etc or c) if you're not in the UK, at which point it is to "cover" international fees and talking with other banks in other countries (apparently).

    2. Re:Operating System specific? by Anonymous Coward · · Score: 0

      For non-UK people LINK is how it works. Much like PLUS internationally, but I guess they charge.

    3. Re:Operating System specific? by cayenne8 · · Score: 1

      "You get charged for using ATMs that aren't from your own bank? "

      Absolutely!! Actually, I'm surprised that isn't a universal thing... guess you learn something new every day, eh?

      Yep, usually if you use an ATM that is not from your bank, that ATM will charge you about $2.50 fee at time of transaction, and later, your bank will charge you another $3 or so for using an out of bank machine.

      That's why when choosing a bank, I first look to see how many ATMs they have around town (and the country if it happens to be a national bank).

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:Operating System specific? by tecker · · Score: 1

      Wow your bank charges you AGAIN for using a non-bank atm? My bank actually refunds them because they found it was cheaper for people to use others' ATMs and then refund than upkeep their small network.

      --
      Procrastinating life a way at a rapid rate of speed.
  12. Re:Did anyone else read it as saying..... by ProfMobius · · Score: 3, Funny

    It is just you. I know a good specialist if you want.

    --
    EULA : By reading the above message, you agree that I now own your soul.
  13. ATM Machines by ThrowAwaySociety · · Score: 4, Funny

    Can anyone determine if these are Automated ATM Machines?

    I'd better be careful entering my personal PIN number into these from now on.

    1. Re:ATM Machines by mutube · · Score: 1, Funny

      Yes, they're Automated Automated Teller Machines. It's the extra level of automation that is really insecure.

      I remember when things were only automated once. Simpler times.

      (Your question was so daft I'm half waiting for a 'Whoosh!')

    2. Re:ATM Machines by Anonymous Coward · · Score: 0

      Sorry, the whoosh was so high it was in lunar orbit and there wasn't enough gas to propagate the soundwaves back to earth.

    3. Re:ATM Machines by TJamieson · · Score: 1

      Ugh, no kidding. That's one of my biggest language pet peeves. (sig related)

      --
      For the last time, PIN Number and ATM Machine are redundancies!
    4. Re:ATM Machines by Splab · · Score: 1

      No, it's automated automated teller machines machines.

    5. Re:ATM Machines by spidrw · · Score: 3, Funny

      I find it best to use part of my vehicle's VIN number when picking out my personal PIN number for use at the automated ATM machines. That way I can just read the reflection off my dash when punching the numbers into the LCD display.

    6. Re:ATM Machines by Anonymous Coward · · Score: 0

      Exactly, it doesn't even make logical sense: How the heck do you have an Asynchronous Transfer Mode "Machine"?

      If everyone would just stop with those silly and pointless redundancies and just call it an "ATM" we'd all know perfectly well what switching technique you're talking about.

    7. Re:ATM Machines by Anonymous Coward · · Score: 0

      Yo dawg I heard you like automation, so we automated your automated teller machine so you can withdraw while you automate.

    8. Re:ATM Machines by Anonymous Coward · · Score: 0

      wooosh then. anyway if you are expanding to show OP wrong you missed something: automated automated teller machine machine... double woosh? I don't know.

    9. Re:ATM Machines by Anonymous Coward · · Score: 0

      No, they're Automated Automated Teller Machines Machines that require use of a Personal Personal Identification Number Number.

    10. Re:ATM Machines by gwjgwj · · Score: 1

      Exactly, it doesn't even make logical sense: How the heck do you have an Asynchronous Transfer Mode "Machine"?

      You put in the card, enter pin and then the machine releases the money at some later time.

    11. Re:ATM Machines by Anonymous Coward · · Score: 0

      Yes, they're Automated Automated Teller Machines. It's the extra level of automation that is really insecure.

      I remember when things were only automated once. Simpler times.

      (Your question was so daft I'm half waiting for a 'Whoosh!')

      and a WOOOOOOOSH you shall have. He mentioned Automated ATM Machine (AATMM) and Personal PIN Number (PPINN), so you missed the extra "Machine" and the other half of the joke.

    12. Re:ATM Machines by Anonymous Coward · · Score: 0

      Thats cause you're another pasty skinned AssBurgers wannabe that gets bothered by too much oxygen in the air. I wish you guys would be taken outside and shot in the head. You probably pretend to be smart and a hot shot with computers, but really you just smell like munster cheese.

  14. What OS? by AlecC · · Score: 4, Insightful

    As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSs, such as those used in the automotive and aerospace industry, I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the art engines. People who design such systems know about reliability, which can include security in a limited function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.

    I see no reason why such fixed-function machines should be much more expensive than those based on general purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. What will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
    1. Re:What OS? by Anonymous Coward · · Score: 1, Informative

      I used to repair Wincor-Nixdorf ATMs a few years ago (2006). It's basically a PC running winXP with some usb peripherals attached, and a few serial ones. Very simple electronics inside. Having a dedicated OS would be the best for security.

    2. Re:What OS? by Miser · · Score: 5, Informative

      Seconded. Diebold (specifically, Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case such as the cash dispenser, card reader, depositor if equipped, etc are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

      If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

      I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

      The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.

      NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

      -Miser

    3. Re:What OS? by Cumanes-alpha · · Score: 0

      Seconded as well... There are sooo many troubles with ATMs these days, and not only with weakly configured OSs (or weak/inappropriate ones) but with other technical issues as the underlying app that manages the transaction with the "host" system and the ways it communicates, and the banks internal processes regarding the handling of the ATMs (a non-technical issue, but a MAJOR one).

      In some cases you can plain and simple obtain all the data needed to clone cards, and you should think that by sniffing it out off the wire (which is possible in a lot of cases) but no, you only need to look on a plain-text file for the data you need and goodbye Mississippi! Ok but you need local access... no problem, chances are that the poorly-built door which guards the pc inside the atm is open (or with the key attached to the lock), or attack it remotely (common is windows xp, can't be very hard), usually because the patch management unit of the bank are excluding the atms because they're not servers or workstations... and so on.

      There are several ATMs that run on OS/2 as well, they're NOT more secure than the winxp ones, just almost the same kind of vulnerabilities (the vast majority coming out of the app that handles the transaction).

      It's a fun world out there on the financial channels (POS, WEB and alternative channels and dispensers included), and is always good to know of these efforts on bringing the truth to the surface... despite my fears about the potential bad consequences it may have.

    4. Re:What OS? by Anonymous Coward · · Score: 0

      I used to work on ATMs for a part-time job. All of the bank ATMs had the PC inside the vault. Just the card reader, receipt printer and screen were on top.

    5. Re:What OS? by spidrw · · Score: 2, Interesting

      I managed to crash an ATM once (not a good feeling when you just deposited 50 big checks). When it rebooted, there was the Start menu. Before the 'ATM software' fired up I was able to easily open a command prompt and even get IE going. Then the ATM stuff went full screen and everything was hunky dory - except for my deposit.

    6. Re:What OS? by Anonymous Coward · · Score: 0

      The biggest problem with a RTOS - "Does it run FLASH!?"

    7. Re:What OS? by Anonymous Coward · · Score: 1, Informative

      1. The flimsy door is rigged. Fiddle with it for a while and a big red light goes off at the bank telling them to check their security cameras as some bozo is playing with an ATM. Break into it and they'll just call police. You have maybe 5 minutes from when you get access to the computer to when you need to be leaving in a hurry. The computer can't be in the safe as that would require air circulation in the safe, which introduces a weak point.

      2. The bank sets the passwords, the banks I'm aware of used random strings of 20-30 characters. Not guessable. That's for the OS password, the password to the software to just do normal tasks like restock the ATM or print off some data would be simpler.

      3. Windows is the industry standard. Diebold, Wincor, and NCR all use it. They all used OS/2 before Windows. The presentation layer is a *huge* part of an ATM's duty, and at the time Linux wasn't up to the task. Or do you not remember swearing at your X.conf files for days?

      4. I wrote ATM software at one point. Even with the program to send signals to the hardware and direct access to the PC inside getting cash out is not trivial. There's generally a sequence of 6-7 events that need to be sent to the right pieces of hardware in the right order to get the cash from the drawer to the slot. IIRC some ATMs also have a 'production mode' that requires some form of shared key to be exchanged on every hardware event.

    8. Re:What OS? by muphin · · Score: 1

      Not true.
      I was at the mall a few weeks ago and there was an ATM with the PC door open. When I was in line I could see everyone at the ATMs looking at it, was funny.
      Next week I go there, IT'S STILL OPEN. Yeah, very secure, when EVERYONE using the ATMs has to have a peek; no one really cared.

      --
      It's not a typo if you understood the meaning!
    9. Re:What OS? by Miser · · Score: 2, Insightful

      I'll address some of your points - you weren't totally wrong, but it is also not as cut and dry as you say. Never think what is malice could not be mistaken for stupidity, or whatever the saying goes. The human element is in play here more than the technological one, even more so when you have short sighted MBA's at the helm of some of these financial institutions ...

      1. The flimsy door is rigged. Fiddle with it for a while and a big red light goes off at the bank telling them to check their security cameras as some bozo is playing with an ATM.

      Not necessarily. In all of the offsite (10+) ATMs I have had experience with, they were all for small, mid, and largish institutions. You'd be surprised how "penny wise, pound foolish" financial institutions are - they either don't connect them, or just flat out don't have the offsite ones alarmed at all. ($50 per month is too expensive for a POTS line, or $20 per month is too expensive for cellular alarm, I guess ...)

      Now if this ATM is inside a bank or other F/I, well then you need to assume that it is connected to the premise alarm system - HOWEVER, that could also mean just the vault, and NOT the flimsy door. YMMV of course.

      2. The bank sets the passwords, the banks I'm aware of used random strings of 20-30 characters. Not guessable. That's for the OS password, the password to the software to just do normal tasks like restock the ATM or print off some data would be simpler.

      In the case of Agilis, the Diebold software for Opteva and other series ATMs, it's just all zeros to get into Agilis - that's the master password. Hardly any institution that I have seen changes it. Oh, and BTW - the Windows XP side auto logs in. There is an opportunity to "stop" the Agilis software from running, and you get - you guessed it - Explorer, free to do whatever you wish with an admin level account.

      3. Windows is the industry standard. Diebold, Wincor, and NCR all use it. They all used OS/2 before Windows. The presentation layer is a *huge* part of an ATM's duty, and at the time Linux wasn't up to the task. Or do you not remember swearing at your X.conf files for days?

      Ok, point slightly conceded that I don't like swearing at x.conf files, HOWEVER - with a company as big as Diebold they could save the licensing costs (they may have a bad reputation here on Slashdot, but they employ some smart cookies) and use that to make what essentially is a "pattern disk" with all the little intricacies already worked out. Remember: these are little more than appliances, with the only difference being peripheral mix and what network they are connected to.

      4. I wrote ATM software at one point. Even with the program to send signals to the hardware and direct access to the PC inside getting cash out is not trivial. There's generally a sequence of 6-7 events that need to be sent to the right pieces of hardware in the right order to get the cash from the drawer to the slot.

      I'll agree with you there, although I wasn't suggesting attacking the USB peripherals directly, I was more thinking of attacking Agilis itself. It's a Windows app, leaks memory something terrible, and I'm betting could be easily exploitable by those with access to an ATM. And before you say "good luck getting one" I could easily get a refurb stand up Opteva with no safe for about $4k. Chump change for the bad guys.

    10. Re:What OS? by Stone2065 · · Score: 1

      A lot of what you say is true, however, as a former ATM tech myself, a LOT of the security issues that they're referring to are simply poor setup by the ATM tech at the time of the installation, or the latest update/upgrade. IF the unit is set up correctly, it ONLY talks to whoever is handling the transaction, and is a bit harder to tap into than junior's laptop. Also, not ALL ATMs record any keystrokes for PIN numbers, etc. Some, sure, but not all, and it's usually buried in the file system pretty deep. Also, for all of you that were guessing at OSes, the vast majority of those that I worked on (various brands, Diebold, NCR, Wincor, Triton *shudder*, etc.) either had a firmware OS, like the little Tritons, or OS2 Warp. The numbers of systems that were being shipped with XP were growing, but I never DID see a 'nix based ATM. Also, there were a few Windows NT, and a few Windows 2k Pro out there, but the vast majority were all OS2 Warp. I about tripped out the first time I saw that on an ATM I was working on... like stepping back in time. :)

      --
      Stone
    11. Re:What OS? by Anonymous Coward · · Score: 0

      Actually, some nice ATMs come with a board that has Bluetooth and IR ports that are not used, or have been 'upgraded' to take USB keypads and USB cameras.

      So like a heart surgeon doing keyhole surgery, threading a fine optic fibre to talk to the latent IR sensor, or an optic fibre to look in, then fine wires to connect to any USB or FireWire line. Sometimes just modulating the card reader sensor does it.

      The preferred method is to somehow distract the guards while the machine is open, and plug in your own dongle to one unused USB port. You would only bother if you did not know which buttons to push on the front to get into engineer/debug mode.

      How would they possibly get this info? Easy, ATMs get stolen, or upgraded/sold all the time, so any backdoors get outed. Some countries even manufacture stick-on fronts, and custom BIOS upgrades.

      With 100's of models and 100's of software variations - SOME will have more issues than others.

  15. Not Sarah, John This Time! by Scholasticus · · Score: 3, Funny

    John Connor did this way back in '91 ... which means the machines ... oh shit.

  16. Re:Same hack that was used on diebold voting syste by Rogerborg · · Score: 1

    Same hack that was used on diebold voting systems?

    Same hack that was used on diebold voting systems.

    --
    If you were blocking sigs, you wouldn't have to read this.
  17. Pick one by Anonymous Coward · · Score: 2, Funny

    ...just get a deal going with McAfee? Then their systems would be completely safe or always online!

    Fixed that for you.

  18. MITM? by ArcCoyote · · Score: 2, Insightful

    I'm wondering if this is more of a Man-in-the-Middle attack on the ATM's communication with the EFT network.

    The ATMs I've seen that aren't stuck right in a bank building's wall use some form of dial-up, be it a land line or a GSM modem.

  19. Re:My friend is a Linux hacker... by Yvan256 · · Score: 4, Funny

    So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

  20. Great way to get money out of ATMS by Rogerborg · · Score: 4, Interesting

    Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.

    --
    If you were blocking sigs, you wouldn't have to read this.
  21. Re:My friend is a Linux hacker... by Anonymous Coward · · Score: 0

    HEY ! I'm not an idiot, I just have some memory troubles !

  22. There is NOT always a paper trail by hAckz0r · · Score: 2, Insightful

    May I ask how using a live teller keeps someone else from emptying out your bank account electronically? After all, you can't prove a negative. You simply can't prove you did not use a machine unless you are lucky enough to be out of town at the time your account was emptied out. But even that does not work if the transaction was electronic and from somewhere other than a physical ATM. We are talking about rootkits on ATMs that by definition have a direct connection into your banking system, and no doubt have a way to export whatever information they want from it.

    Granted, the fact that the ATM will not be given the opportunity to capture your personal pin code is a step in the right direction, but having a corrupt hacker on the inside of your banking network can't be good for your bottom line either. There are security vulnerabilities in ALL computer systems and if a hacker has a foothold inside the network proper the rest of the system can fall like dominoes if the bank is naive enough to think they are safe from such an exploit.

    1. Re:There is NOT always a paper trail by Rockoon · · Score: 2, Insightful

      None of my accounts have an ATM/DEBIT card attached to them.

      "But don't you want a debit card?" asks the bank manager when opening the account.

      "Nope. I use a credit card."

      Yes, my bank account can be raided electronically, but I have very plausible deniability. Can't say that I used my ATM card to withdraw the funds, or my debit card to buy all that junk.

      --
      "His name was James Damore."
    2. Re:There is NOT always a paper trail by Inda · · Score: 1

      "You simply can't prove you did not use a machine"

      A lot of ATMs in the UK take a picture. The lens is clearly visible.

      You know us, cameras everywhere and that's the way we like it!

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    3. Re:There is NOT always a paper trail by hAckz0r · · Score: 1

      Can't say that I used my ATM card to withdraw the funds, or my debit card to buy all that junk.

      I would agree, as the ATM cards, or other pieces of plastic, are only entry/authentication mechanisms to get into the banking network. In this case the perpetrator is working from within the network, and all that is needed to ruin your day is some carefully crafted electrons. No plastic necessary, and no deniability since plastic was not required to empty the account in the first place.

      All you need is to have someone mistype/process an electronic check once in your life and you will understand the power of banks to make your life miserable through money transfers. I had a payment mistyped by an operator at another bank and debited from my personal account electronically, where an extra digit was added to the amount paid, putting that transaction at six figures. Yes, I could eventually prove I didn't approve any payments for that amount, but in the meantime that account was drained and my savings account was then held hostage by my own bank as well because the checking account ran under. All that happened electronically with no plastic, and no physical paper involved. All that is needed is for someone to make a change to a database record with the destination being another bank not under your control. Yes, you might eventually prove your case and have the money returned (insured FDIC?), but who actually pays for the missing funds? Hint: it's not likely to be the guy in Russia that actually took it.

  23. I hope by pjbgravely · · Score: 2, Funny

    I hope they didn't use my hack where I type in 790 and get all the money I want.

    --
    Star Trek, there maybe hope.
  24. ATM Security by MC68040 · · Score: 2, Insightful

    I live in Europe, and during my time having all sorts of cards that work in ATMs I've come to the conclusion that most of them seem to run Windows (I've seen more BSODs than it's decent to mention).
    I'm not wanting to get into a debate about Windows security here; rather the point that there are plenty of rootkits for any given platform on the go today.

    The interesting point would be the actual attack vector; getting into a bank's internal network to access the ATM nodes would mean (from my point of view) that the ATMs are pretty uninteresting; however, what else might lurk on the bank's network would be worth a lot more? On the other hand, if you could perform the "hack" quickly with just regular customer access to the machine, that'd be interesting... (thinking of terminator movie here...) ;)

    According to my bank balance that is my... well, I've no cents left, damn recession!

  25. Re:My friend is a Linux hacker... by Anonymous Coward · · Score: 0

    1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

  26. Oh, John Connor does it AGAIN... by Cumanes-alpha · · Score: 0

    ... bringing his ATM trick to the masses, always making us believe he's mankind's savior.

    A SERIOUS question: In your countries, are not the banks obliged by law to pay your money back in case you're a victim of an ATM/POS fraud???
    In Venezuela at least, they are, unless you can't bring your credit/debit card with you at the time you make your claim.

    On a side note: Interesting presentation, hope it changes the way banks and ATMs providers think about the security measures they have in place for those devices.

  27. Again with the security through obfuscation... by al0ha · · Score: 1

    All this attempted security through obfuscation by these companies is ridiculous, this talk will fill the room at the conference this year and with good reason. Hopefully, but unlikely, the ATM manufacturers have been talking with Barnaby over the past year so that the exploits he will unveil are remedied.

    By the way people, though the banks are the front, the ultimate responsibility for ATM device security lies in the manufacturer.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  28. Seems like make work by Anonymous Coward · · Score: 0

    Why bother with all the high techno mumbo jumbo when ATM manufacturers post entry codes online, and armored car companies hire any boob off the street... give him a gun, and all the codes to every brand... which is typically 3 beers away from becoming a come-on line in every bar in America.

  29. XKCD already did that one... by Joce640k · · Score: 2, Funny
    --
    No sig today...
  30. Re:"personal pin code" by Joce640k · · Score: 1

    Maybe you meant to say "personal PIN number"...?

    --
    No sig today...
  31. Re:"ATM's are pretty uninteresting" by Joce640k · · Score: 1

    Imagine if you tell your partner "at 2am it's gonna dispense all the money, make sure you're standing there with a big bag to catch it all".

    That'd be very interesting to most thieves.

    --
    No sig today...
  32. Re: not a catch-22 by hierophanta · · Score: 1

    It's not a catch-22, you just need a dev environment. Now that might be difficult in some [most] situations, but if you work for the firm in question they will probably have one. If you don't, well, maybe you can research their setup enough to create one (good luck). For where I work [in IT], it would not be difficult to do that research - but I work in the public sector and our internals are, well, public.

  33. Re: not a catch-22 by Bakkster · · Score: 1

    It's not a catch-22, you just need a dev environment. Now that might be difficult in some [most] situations, but if you work for the firm in question they will probably have one.

    Even a clean environment might not be a reasonable protection. One could still run afoul of the DMCA if you break any encryption along the way. As well, such a development environment is expensive in itself, which further pushes the ideal research environment back to the very companies that don't want to fund them.

    --
    Write your representatives! Repeal the 2nd Law of Thermodynamics!
  34. Re: not a catch-22 by MBGMorden · · Score: 1

    One could still run afoul of the DMCA if you break any encryption along the way.

    IIRC, breaking encryption isn't in and of itself a DMCA violation (well, breaking ENCRYPTION isn't a violation at all - it's the breaking of copy protection that's the hangup - copy protection just happens to often involve encryption). Neither is creating tools to do so. DISTRIBUTING those tools is what's illegal. If you make the tools to do it, and demonstrate to others that it can be done, but without handing out the tools to do so, then you're still ok as far as the DMCA goes.

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  35. Re:"ATM's are pretty uninteresting" by MC68040 · · Score: 1

    > Imagine if you tell your partner "at 2am it's gonna dispense all the money, make sure you're standing there with a big bag to catch it all".

    Sure, that is not my main point, however valid :) A big bag of cash is of course nice, but what you can perhaps access without being detected for some time, is another point. Hence the importance of the attack vector [in my point].

    An empty ATM machine with no logs; where the money went to should sound off immediate alarm bells...

    Fair game if you empty half a country's machines in one night, but the risk of doing that might outweigh other options...

  36. Re:My friend is a Linux hacker... by El_Oscuro · · Score: 1

    Hey! That is my slashdot password! How did you get it?

    --
    "Be grateful for what you have. You may never know when you may lose it."
  37. Voting machines by minstrelmike · · Score: 1

    If Diebold makes them, what are the odds that they use the same sort of security on their much vaunted but completely unexamined vote-tallying machines?

  38. Different ATM by Anonymous Coward · · Score: 0

    Yeah, it's worse than that. I read that heading as "Hacker Develops ATM Robot". Which made me think of something related to an animatronic real doll.... when made by Diebold this only increases the terror.