Slashdot Mirror


ATM Hack Gives Cash On Demand

angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."

193 comments

  1. Interesting Hacks... by nosferatu1001 · · Score: 5, Interesting

    Originally delayed to let the companies patch. Interested to see if he can live up to his claims to be able to find similar issues in other brand ATMs as well.

    1. Re:Interesting Hacks... by NJRoadfan · · Score: 0, Flamebait

      Funny, this really wasn't a problem when all the ATMs were running OS/2.

    2. Re:Interesting Hacks... by fuzzyfuzzyfungus · · Score: 2, Interesting

      Unless he chose the two he purchased purely based on underground buzz about their weakness (possible; but you'd hope that a security researcher would go for novelty), going 2 for 2 suggests that overall industry standards might not be that high...

    3. Re:Interesting Hacks... by fuzzyfuzzyfungus · · Score: 3, Insightful

      TFA isn't exactly heavy on the details (PCWorld, detail-light? Shocking.); but the class of vulnerability being described, a vulnerable remote management program listening to a modem (if the number isn't in the phone book, it is super-secret, right?), seems pretty OS agnostic. Same with the ghastly corner-cutting on making keys not unique per-device.

      It is conceivable that fewer corners were cut back in the day, or that a substantially greater percentage of ATMs were on bank premises, not being connected over public phone lines; but it would be surprising if OS/2 alone would save you from those design mistakes.

    4. Re:Interesting Hacks... by RMS+Eats+Toejam · · Score: 0, Funny

      ... all the ATMs were running OS/2.

      There was never a time when all ATMs ran OS/2. Besides, OS/2 had its own problems.

      --
      Turning to a Linux advocate for thoughts on Microsoft is like asking Hitler how he felt about the Jews.
    5. Re:Interesting Hacks... by silentcoder · · Score: 4, Interesting

      That reminds me. A couple of Christmases ago I was visiting my sister in a small rural town where she lived at the time. Wanted to go draw cash at one point so walked down the main road to the town's only ATM - run by local bank ABSA (yeah - not afraid to mention it). My own bank not having an ATM in town, this was the only choice available.

      As I stepped up to it... the interface was obscured by a warning message:
      F-Secure Anti-Virus for Windows has detected a virus in file ...

      Floating around.

      Being aware that
      1) This bank's ATMs run Windows
      2) They use F-Secure for virus protection
      3) It obviously is connected in such a way that it can still GET infections

      I turned around, bummed cash off my sister and paid her bank online - there was just no way I was going to stick my card in that ATM. I am also really glad I'm not a customer of that bank - and despite the nearest ATM to my house being run by them - never use their ATMs - I would rather spend the bit of extra fuel and drive to my own bank (which may not be better - but at least I haven't seen with my own eyes that it's THAT bad). Besides, the service charge saving, I suspect, outweighs what I spend on fuel so it's worth it either way.

      --
      Unicode killed the ASCII-art *
    6. Re:Interesting Hacks... by mark72005 · · Score: 1

      And people complained about diebold...

    7. Re:Interesting Hacks... by Zerth · · Score: 3, Funny

      AV on machines that shouldn't need them? yay...

      Relevant xkcd

    8. Re:Interesting Hacks... by silentcoder · · Score: 1

      The worst AV in history on the most insecure OS in history on machines that have access to my bank account ?

      --
      Unicode killed the ASCII-art *
    9. Re:Interesting Hacks... by Anonymous Coward · · Score: 1, Insightful

      You're right on all accounts except for (3). Just because an anti-virus says that something is infected doesn't mean it's the case. I have to deal with false positives on a daily basis. Please don't fall for the myth that anti-virus companies are infallible. There was a story recently about one anti-virus that had "mistakenly" classified a competitor's product as infected.

    10. Re:Interesting Hacks... by BrokenHalo · · Score: 1

      It is conceivable that fewer corners were cut back in the day...

      Not very likely. Back in the earliest days of ATMs (or nearly - when I was younger, my dad had one that was essentially just a punch-card) we used to make our own ATM cards out of cardboard and 800BPI (I think) mag tape encoded with a "999 99..." test pattern that worked beautifully for a while.

      We didn't repeat the experiment many times (or withdraw large amounts), it was more for the challenge, such as it was at the time.

    11. Re:Interesting Hacks... by BrokenHalo · · Score: 1

      Heh. I hadn't seen that xkcd before. Good one... ;-)

    12. Re:Interesting Hacks... by blisteringsilence · · Score: 5, Informative

      Disclaimer: I own about 30 of these machines, and work as a repair tech for a statewide area. It's a nice side income.

      Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago.

      My first comment is that the remote management software that is being exploited isn't turned on in the vast majority of the machines that are out there. Whether it's Triton Connect, or Tranax's remote access, all of the processors that I've encountered require that it be disabled for the machine to work. This software was important 4 or 5 years ago from a machine management standpoint, but with realtime internet tracking of machine status, there's just no reason for it to be enabled.

      Now, as to the comment about keys not being unique per device: A key on an ATM opens two areas: the "computer" module on top of the safe, and the bit of plastic that obscures the safe dial. A service technician (like me) is most of the time a freelancer who's in this for some side cash. When I go to a customer's location, my goal is to fix the problem and get out. As I almost never need to get to the vault of the machine, I have a keyring that has the standard sized keys for all of the machines I work on. An access password or vault combination can be obtained by a call to the owner of the machine. A unique key, however, cannot. Moreover, as many older machines require access to the processing unit in order to fill the machine (you have to hit a physical button to get into that menu), you have to make it easy for your armored service to access the top as well as the vault. It's unreasonable to expect a vaulting company to haul around 60 or 70 keys to fill the machines that they have on their list for that day.

    13. Re:Interesting Hacks... by RobertM1968 · · Score: 1

      ... all the ATMs were running OS/2.

      There was never a time when all ATMs ran OS/2. Besides, OS/2 had its own problems.

      Hmmm... if you knew anything about OS/2, you would realize that the COMPUTER (hardware) had a problem - not OS/2. A Trap 000e is generally a RAM error (as in a failed memory module), and the rest of the time, it is a failure of some component that gets mapped as RAM (such as the memory on a video card, or some device being accessed as memory).

      So... you may wish to find a better example. Without the correct hardware (like let's say an IBM Netfinity or IBM eServer xSeries) with RAID memory mirroring enabled, when a memory module fails (especially on the relatively cheap hardware used in an ATM), then ANY PC operating system I currently know of goes down with it.

      On a well built machine running OS/2, problems are few and far between. I just rebooted a machine at an ambulance company we support (runs eComStation v1.2MR) that was up for 1 month short of two years, continuously running web, MySQL, FTP and a variety of other services that get heavy access every day. It was rebooted because (1) I upgraded some system components (a couple DLLs and MySQL), and (2) it was long overdue to be opened and dusted out.

    14. Re:Interesting Hacks... by green1 · · Score: 2, Interesting

      Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago.

      But does that really help matters any? Wouldn't being connected to the internet be even MORE risky? Surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

      Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connection back to the bank that kept their data away from the internet? Wouldn't this make more sense? (From the standpoint of a telco tech, these machines do not connect to our usual DHCP servers, and I believe their entire logical connection is separate, though what the end point is I don't know as I don't handle that end of the connection.)

    15. Re:Interesting Hacks... by Anonymous Coward · · Score: 1, Interesting

      It's worse than that...

      The bank will have a LAN that is full of windows machines, probably a server room full of windows machines and its highly likely that all these machines will either be part of the same active directory domain, or have interconnecting trust relationships...
      And even if the important stuff is stored on a mainframe, chances are it will be accessed from a windows system that is part of a domain...
      If you plug into the main LAN of virtually any bank, someone remotely competent with a tool like metasploit could gain complete access to the domain in minutes, and then just keylog the appropriate windows workstations in order to get access to any non windows systems. Chances are no one will notice either unless you do something extremely stupid.

      Getting physical access to an ethernet port is the hardest bit, once you're on there the rest will be trivial.

    16. Re:Interesting Hacks... by blisteringsilence · · Score: 4, Interesting

      But does that really help matters any? Wouldn't being connected to the internet be even MORE risky? Surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

      Maybe yes, maybe no. The first part of this answer is that when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

      So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine, and the data is encrypted 19 ways from Sunday. To start with, you have the master keys that allow the machine to communicate with the processor. After they are input, they're encrypted and stored in epoxy buried chips in the keypad, and any interruption of electrical power to those chips (which runs through fry wires from a battery also stored within the epoxy matrix) kills the keys.

      So your communication starts with the machine opening a connection with a dedicated IP server on one of 3 possible ports. During handshake and authentication a unique time-based one time key is transmitted back to the machine. This super-encrypts the keys, which are then sent, followed by the transaction information, and the transmission is closed out. These machines are also usually programmed to auto-connect every 15 or 30 minutes with a machine status update (thereby eliminating the need to dial in remotely).

      Now, as all this information is going out over the general internet, it's possible to intercept the packets, but I don't know what good they'd do for you, as there's no way to get to the original master keys assuming you could get past the super encryption, thereby securing the first level.

      Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connection back to the bank that kept their data away from the internet? Wouldn't this make more sense? (From the standpoint of a telco tech, these machines do not connect to our usual DHCP servers, and I believe their entire logical connection is separate, though what the end point is I don't know as I don't handle that end of the connection.)

      The machines that are located at gas stations and bars and whatnot use a standard internet connection. The only requirement is that the location has to have a static IP. You have to remember, these machines only cost $2K - $5K, and the owner only makes $100 - $500 per month on the machine. Not to mention, they're not doing that many transactions.

      Would the solution you propose make more sense? Absolutely. But it's cost prohibitive, and beyond the scope of 99% of the owners, and 75% of the service techs. If these proposals were to be codified, you'd see fees go through the roof to make up the difference.

      Also:

      ...and the ATM machines I've worked with...

      Pet peeve.

    17. Re:Interesting Hacks... by green1 · · Score: 2, Interesting

      when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

      And that's the problem: on a modem only one machine can attack you at a time; on the internet millions can have a go at once. The flexibility argument also cuts both ways...

      So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine,

      So, what you're saying is that dialup connected machines have the facility to receive calls, but internet connected machines only do outgoing connections? That seems odd. It would be just as easy to secure a dialup machine by simply telling it not to answer the phone. I have to believe that if the dialup machine is set to answer phone calls, the internet connected machine will be set to receive some form of incoming connection as well. Otherwise it's not the communication medium that is adding the security, but the decision on whether or not to accept incoming communications.

      These machines are also usually programmed to auto-connect every 15 or 30 minutes with a machine status update (thereby eliminating the need to dial in remotely).

      There's no reason a dialup machine couldn't behave exactly the same; once again the security increase isn't in changing to TCP/IP, it's in not accepting incoming connections. In fact, arguably the TCP/IP connection is still less secure than a similarly configured dialup connection due to the increased chance of various MITM attacks, IP or DNS spoofing attacks, or simple protocol vulnerabilities in the OS that get found/exploited by the millions of bots that can be brought to bear on attacking a machine over the internet.

      The machines that are located at gas stations and bars and whatnot use a standard internet connection. The only requirement is that the location has to have a static IP. You have to remember, these machines only cost $2K - $5K, and the owner only makes $100 - $500 per month on the machine. Not to mention, they're not doing that many transactions.

      The machines I've worked on have mainly been big bank branded ATMs, but located at gas stations, convenience stores, etc. And they have definitely not been "consumer grade" ADSL lines (we call them ADSL CWAN (Carrier Wide Area Networking); it's still an ADSL modem, but instead of connecting to our DHCP servers and getting a public IP, the machine is logically connected to the bank's network directly and either gets its IP from their DHCP server, or hard-codes an IP (I've left before that config is done so I'm not sure which)). The "white label" ATMs I've worked with have never required me to do more than supply a phone jack, so you may be right about them using consumer grade ADSL connections.

      Would the solution you propose make more sense? Absolutely. But it's cost prohibitive, and beyond the scope of 99% of the owners, and 75% of the service techs.

      It changes nothing for the owner, and likely nothing for the service tech either (he doesn't care what IP he enters in to the config screen, as long as it's the one on his work order). The only differences are cost of the connection itself (so you may be right about it being prohibitive) and some routing at the server end, however the big banks are already set up for that sort of stuff, so it shouldn't be much effort to do it for the white labels as well.

      ...and the ATM machines I've worked with...

      Pet peeve.

      DOH! and I thought I'd been so careful about that too!

    18. Re:Interesting Hacks... by blisteringsilence · · Score: 2, Interesting

      And that's the problem: on a modem only one machine can attack you at a time; on the internet millions can have a go at once. The flexibility argument also cuts both ways...

      I agree completely. However, at the end, if the customer (owner) doesn't want the product (the ATM), the ATM company goes out of business.

      So, what you're saying is that dialup connected machines have the facility to receive calls, but internet connected machines only do outgoing connections? That seems odd. It would be just as easy to secure a dialup machine by simply telling it not to answer the phone. I have to believe that if the dialup machine is set to answer phone calls, the internet connected machine will be set to receive some form of incoming connection as well. Otherwise it's not the communication medium that is adding the security, but the decision on whether or not to accept incoming communications.

      OK, with regard to the ability to accept incoming communications, it's about customer convenience. With a machine connected through a standard phone line, 99% of the machines I've installed get to share their phone line with the location's fax line. If the ATM is dialing out at set intervals, it is taking both the machine and the phone line out of service for 45 seconds to a minute every time it goes out. That's bad for business. The solution used to be (5 or so years ago) that the processor would call the ATM twice or so a day to check on its health status, etc.

      Also, remember, most of my customers have this feature disabled.

      Now, however, with an IP based connection, the information transfer is instantaneous (or nearly so, as viewed by the customer). Therefore, it's not a big deal for the machine to contact the processor every 15 minutes or so with a status update. Therefore, as there is no need to remotely access the machine, they simply removed the functionality.

      In fact, arguably the TCP/IP connection is still less secure than a similarly configured dialup connection due to the increased chance of various MITM attacks, IP or DNS spoofing attacks, or simple protocol vulnerabilities in the OS that get found/exploited by the millions of bots that can be brought to bear on attacking a machine over the internet.

      This is a fair point. However, the data that you're capturing with all of these attacks is super encrypted (not in the "super! thanks for asking" sense, but more in the they encrypt data that has already been encrypted using a different process), a MITM attack is going to log a bunch of gibberish packets. Assuming you can break the one time key established in handshake, you can't break the secure keys that are only known at the source and destination.

      The "white label" ATMs I've worked with have never required me to do more than supply a phone jack, so you may be right about them using consumer grade ADSL connections.

      In every bar/gas station/liquor store/bowling alley/porn store I've ever worked on an internet connected machine, it's jacked into a consumer ADSL or Cable connection. I've yet to see a dedicated connection for the ATM. That's part of the value proposition for the owner, he gets to eliminate a $75 a month phone line from his overhead by putting the machine online.

      The only differences are cost of the connection itself (so you may be right about it being prohibitive) and some routing at the server end, however the big banks are already set up for that sort of stuff, so it shouldn't be much effort to do it for the white labels as well.

      When I said cost prohibitive, I was indeed talking about the cost of the connection. You work for a telco, so let's be charitable. What do you figure a setup like this costs? $250 or $300 a month? For a machine that only costs $3000 and only makes the owner $300 a month? What's his business justification for that purchase? There's no way he's going to pay that.

      Like everything else in business, these little guys are 100% focused on the bottom line. They want to use that ATM to make money. Period. If the costs of keeping it going exceed the return, they're going to get out of it.
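The exchange blisteringsilence describes in this reply and the earlier one (the terminal opens the connection, a one-time key is handed out during the handshake, and the record sent afterwards carries a PIN block that was already encrypted in the keypad, wrapped again under that key), together with green1's point that the protection comes from accepting no inbound connections rather than from the medium, sketched as an added Go example. This is constructed illustration code written for this page, not the protocol of any ATM vendor or processor and not code from either poster: the AES-GCM wrapping, the "terminal ID | timestamp" binding of the handshake reply, the one-minute clock window, the Terminal and Host types and the fixed demo keys are all assumptions made here. The Terminal type has no listening socket at all; every message it handles is a reply to a connection it opened.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// aead returns AES-256-GCM for key; every key in this example is a fixed 32-byte constructed value.
func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	return g
}

// seal encrypts pt under key, binding aad; the random nonce is prefixed to the output.
func seal(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, box, aad []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(box) >= n {
		return g.Open(nil, box[:n], box[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

type Terminal struct { // the ATM side: it holds only the keys loaded into the EPP and opens no listening socket
	ID     string
	KEK    []byte // master key shared with the processor, used only to unwrap session keys
	PINKey []byte // key under which the EPP encrypts PIN blocks (layer 1)
}

type Host struct { // the processor side: it never connects to a terminal, it only answers check-ins
	Terminals map[string]Terminal // hypothetical enrolment table; a real host keeps keys in an HSM
	Now       func() time.Time
	MaxSkew   time.Duration
}

// Handshake answers a check-in with a fresh one-time session key wrapped under the terminal's KEK; binding termID and ts as AAD means a captured reply cannot be replayed to another terminal or at another time.
func (h *Host) Handshake(termID string, ts int64) (wrapped, session []byte, err error) {
	t, ok := h.Terminals[termID]
	if !ok {
		return nil, nil, fmt.Errorf("unknown terminal %q", termID)
	}
	if skew := h.Now().Sub(time.Unix(ts, 0)); skew > h.MaxSkew || skew < -h.MaxSkew {
		return nil, nil, fmt.Errorf("check-in time outside the allowed window")
	}
	session = make([]byte, 32)
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	return seal(t.KEK, session, []byte(fmt.Sprintf("%s|%d", termID, ts))), session, nil
}

// SendTransaction is the terminal's turn: unwrap the session key with the KEK in the EPP, encrypt the PIN block inside the EPP (layer 1), then encrypt the whole record under the session key (layer 2).
func (t Terminal) SendTransaction(wrapped []byte, ts int64, pinBlock, txn string) ([]byte, error) {
	session, err := open(t.KEK, wrapped, []byte(fmt.Sprintf("%s|%d", t.ID, ts)))
	if err != nil {
		return nil, fmt.Errorf("handshake reply rejected: %w", err)
	}
	record := append([]byte(txn+"|"), seal(t.PINKey, []byte(pinBlock), []byte(t.ID))...) // txn has no '|'
	return seal(session, record, []byte(t.ID)), nil
}

// ReceiveTransaction is the host's turn: open layer 2 with the session key, then layer 1 with the PIN key of the terminal that Handshake already validated.
func (h *Host) ReceiveTransaction(termID string, session, box []byte) (txn, pinBlock string, err error) {
	record, err := open(session, box, []byte(termID))
	if err != nil {
		return "", "", fmt.Errorf("session layer: %w", err)
	}
	txnB, encPIN, _ := bytes.Cut(record, []byte("|")) // a record without '|' leaves encPIN empty and fails below
	pin, err := open(h.Terminals[termID].PINKey, encPIN, []byte(termID))
	if err != nil {
		return "", "", fmt.Errorf("pin layer: %w", err)
	}
	return string(txnB), string(pin), nil
}

// DemoSetup enrols one terminal with constructed (not real) key material and a fixed clock.
func DemoSetup() (*Host, Terminal) {
	t := Terminal{ID: "TERM-0001", KEK: bytes.Repeat([]byte{0x11}, 32), PINKey: bytes.Repeat([]byte{0x22}, 32)}
	now := func() time.Time { return time.Unix(1700000000, 0) }
	return &Host{Terminals: map[string]Terminal{t.ID: t}, Now: now, MaxSkew: time.Minute}, t
}
```

A session is three calls in order: `h.Handshake(t.ID, ts)`, `t.SendTransaction(wrapped, ts, pinBlock, txn)`, `h.ReceiveTransaction(t.ID, session, box)`. What an eavesdropper on the gas-station DSL line sees is the wrapped session key and the sealed record; flipping a byte of either fails GCM authentication, replaying the handshake reply with a different timestamp fails inside the EPP, and a check-in with a stale clock is refused by the host. What this model does not give you is resistance to a compromised host or a stolen KEK, which is exactly why the post stresses the epoxy and the battery-backed key erasure in the keypad.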

    19. Re:Interesting Hacks... by KahabutDieDrake · · Score: 1

      I like how you conveniently ignore digital locking mechanisms that can be both unique, and easy to give access to. While at the same time allowing for better access tracking and instant lock out of compromised codes. The only reason banking, and ATMs don't have good security is because they choose not to as a cost cutting measure. Since banks are rarely liable for money they let be stolen, they have almost no reason to fix the massive flaws in their systems. This extends to almost every facet of money. From credit cards to ATMs.

      I respect that you are working from a contractors point of view, and dealing with complicated and effective security would be a huge pain for you. That doesn't change the fact that it should be done anyway. A little more time and complication would save an awful lot of money in the long run. It's not like we are going to see LESS of this kind of crime. How much longer before someone comes up with a device that allows anyone to walk up to an ATM and force it to spit all the money out?

      I've worked on ATMs. The security assumes you as a tech are honest. If you aren't, it would be easy to setup any number of scams. From card skimming to outright forcing the machine to spit out money. Also, they never asked for my keys back, so I have a key ring with 40 odd keys on it, that at last check, opens pretty much every ATM around.

    20. Re:Interesting Hacks... by blisteringsilence · · Score: 1

      I like how you conveniently ignore digital locking mechanisms that can be both unique, and easy to give access to. While at the same time allowing for better access tracking and instant lock out of compromised codes.

      I guess to start, when you refer to a digital locking mechanism, what are you locking? Are you talking about physical access to the top of the machine, or are you talking about programming access via the keypad?

      Also, what digital lock are you referring to that will be (1) unique, (2) easy to give access to, (3) allow for better access tracking, and (4) instantly lock out compromised codes? I've seen these systems (my office has one on all of the access doors), but none of them satisfy the all-so-important (5) inexpensive. How on earth are you going to convince a customer to install a $300 thin client to run $350 worth of RFID, plus an extra cable run for it to have access to the internet (to allow for this easy granting of access), plus issuing your vaulting company, your repair company, and anyone else that needs access the RFID cards necessary to get into the machine?

      I respect that you are working from a contractors point of view, and dealing with complicated and effective security would be a huge pain for you. That doesn't change the fact that it should be done anyway. A little more time and complication would save an awful lot of money in the long run.

      I appreciate that you understand where I'm coming from. I personally would love the increased complication. I'm tech savvy enough that it would only help my little nascent business. If working on machines becomes so complicated that it drives my (2) competitors out of business, I would increase my cashflow 4 or 5 times.

      That being said, the complexity isn't what's stopping these proposed ideas. If I have to more than double the total cost of a machine, my profit margin stays the same, my sales fall by more than half, and I have fewer locations on which to work.

      How much longer before someone comes up with a device that allows anyone to walk up to an ATM and force it to spit all the money out?

      Hopefully quite a while. The fundamental tenet of security you're overlooking is the unmolested physical access to the machine. If you're monkeying about with internal bits, employees of the location in which the machine is installed come over and find out what's going on. Especially the places I have contracts with. I don't show up to monkey with the machine until they call me and tell me it's broken. Is it possible to socially engineer around that? You bet. But I promise you can socially engineer around any hurdle (real or imagined) in this business.

      I've worked on ATMs. The security assumes you as a tech are honest. If you aren't, it would be easy to setup any number of scams. From card skimming to outright forcing the machine to spit out money.

      And that, boys and girls, is why we're bonded and licensed by the state, and in my case, the Fed.

      Moreover, EVERY part of security EVERYWHERE depends on trusting the guy who's in there fixing the broken bits. From the guys at Ft. Knox to the guys at the data aggregators, you have to trust your people.

    21. Re:Interesting Hacks... by Anonymous Coward · · Score: 0

      I own about 30 of these machines, and work as a repair tech for a statewide area. It's a nice side income.

      Sounds like you've hit the jackpot..

    22. Re:Interesting Hacks... by dissy · · Score: 0, Redundant

      To start with, you have the master keys that allow the machine to communicate with the processor. After they are input, they're encrypted and stored in epoxy buried chips in the keypad, and any interruption of electrical power to those chips (which runs through fry wires from a battery also stored within the epoxy matrix) kills the keys.

      I find it amazing that at least for a certain hardware vendor, when it comes to the machines holding the money, they resort to such extreme levels of security (Which is great btw!), yet when the machine is 'only' designed to hold the nation's vote count for its next leader, for some reason now MS Access files and user accessible CF cards with OS and data are considered best practices!

    23. Re:Interesting Hacks... by pclminion · · Score: 1

      This hack requires that a machine be connected to the outside via phone. This is increasingly going away.

      No. I was there and saw the presentation live. There are actually two ways to accomplish this. The first way is to call in to the ATM and bypass the RMS authentication process (he did not describe how to do this, but it was apparently trivial). If your ATM is not plugged in, or if RMS is disabled, then this doesn't work, and he was very clear on that.

      The second way is actually a physical attack. You get an ATM key (they are all single-key and you can order the keys online) which opens the electronics compartment (a much more secure key is used for the cash box, obviously). You reach in with a USB stick that contains a firmware update, and plug it in to an available USB port on the mobo. Then you close the enclosure and walk away for several minutes while the firmware updates itself.

      My first impression was that the design of these ATMs is idiotic. You can buy a one-size-fits all key that gives access to the mobo, and once you have that, you can update the firmware with a USB stick, with no type of authentication whatsoever? Give me a fucking break. He sheepishly said "I really should be faster at this than I am now," but in reality he accomplished the physical hack in about 10 seconds.

      It was a fucking AWESOME demo and he got a standing ovation.
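The physical attack pclminion describes works because the update handler writes whatever image it finds on a USB stick. As an added example, not code from the presentation, the post, or any ATM vendor, here is the gate such a handler should run before writing anything: a vendor-signed manifest (version number plus image hash) checked against a public key baked into the running firmware, so that unsigned images, images signed with some other key, images altered after signing, and genuinely signed but older images are all refused. The Update layout, the choice of Ed25519, the throwaway key pair and the image bytes are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what arrives on the USB stick: a version, the image, and a detached signature.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte // Ed25519 signature over manifest(Version, Image); empty for an unsigned image
}

// manifest is the exact byte string that gets signed: big-endian version || SHA-256(image).
// Covering the version is what lets the verifier refuse a genuinely signed but older image.
func manifest(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// Sign is the vendor's build step; the private key stays offline and never reaches a terminal.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, manifest(version, image))}
}

// VerifyUpdate is the terminal's gate. It needs only the vendor public key baked into the running
// firmware and the installed version number; every failure leaves the running image untouched.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if len(u.Sig) != ed25519.SignatureSize {
		return errors.New("refused: image is unsigned or the signature is malformed")
	}
	if !ed25519.Verify(vendorPub, manifest(u.Version, u.Image), u.Sig) {
		return errors.New("refused: signature does not verify (wrong key, or image/version altered)")
	}
	if u.Version <= installed {
		return fmt.Errorf("refused: version %d is not newer than installed version %d", u.Version, installed)
	}
	return nil
}

// Terminal models the update handler. In the design pclminion describes, ApplyFromUSB would simply
// write u.Image; here nothing is written or recorded unless VerifyUpdate passes.
type Terminal struct {
	VendorPub ed25519.PublicKey
	Installed uint32
	Applied   [][]byte // images actually written, kept so the outcome can be inspected
}

func (t *Terminal) ApplyFromUSB(u Update) error {
	if err := VerifyUpdate(t.VendorPub, t.Installed, u); err != nil {
		return err
	}
	t.Applied = append(t.Applied, u.Image)
	t.Installed = u.Version
	return nil
}

// NewVendorKeys generates a throwaway key pair for the demo; a real vendor signing key lives in an HSM.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewVendorKeys()
	term := &Terminal{VendorPub: pub, Installed: 1}
	genuine := Sign(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2:", term.ApplyFromUSB(genuine))
	fmt.Println("same v2 again:", term.ApplyFromUSB(genuine))
	_, attackerPriv := NewVendorKeys()
	fmt.Println("attacker-signed v3:", term.ApplyFromUSB(Sign(attackerPriv, 3, []byte("attacker image"))))
	tampered := Sign(priv, 3, []byte("constructed firmware image v3"))
	tampered.Image = []byte("constructed firmware image v3, patched")
	fmt.Println("tampered v3:", term.ApplyFromUSB(tampered))
	fmt.Println("unsigned v3:", term.ApplyFromUSB(Update{Version: 3, Image: []byte("x")}))
}
```

Two things in this gate matter beyond the signature itself. The hash is taken over the image the handler is about to write, not over a header the stick supplies, so swapping the payload after signing fails. And the version is inside the signed manifest, so an attacker holding a copy of an old, genuinely signed image with a known bug cannot roll the machine back to it. Neither check stops someone who has the vendor's private key, and none of this helps if the key ring pclminion mentions also opens a compartment where the public key can be replaced, which is why the verifying key belongs in write-protected storage.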

  2. I see what you did there... by fuzzyfuzzyfungus · · Score: 4, Funny

    This is clearly just a slashvertisement for Microsoft's expansion of their "Cashback" promotion from Bing to WinCE "The Product that Needs it More Than Bing"...

    Editorial standards these days... I ask you...

  3. The tip of the iceberg by tedgyz · · Score: 3, Insightful

    Wait until they can hack payment-enabled smartphones.

    All your cash are belong to us

    --
    "No matter where you go, there you are." -- Buckaroo Banzai
    1. Re:The tip of the iceberg by necro81 · · Score: 1

      All your cash are belong to us

      Worse than that, since the smartphones don't actually have any physical cash.

      All your bits-that-provide-access-and-represent-money-in-an-account-that-is-itself-just-a-representation-of-cash-you-could-have-in-your-hand are belong to us. Much more fungible than cash.

    2. Re:The tip of the iceberg by rickb928 · · Score: 1

      It has begun.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  4. Really? by TwiztidK · · Score: 3, Insightful

    "After experimenting with two machines he purchased"

    Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats.

    --
    Sent from my iPhone 5
    1. Re:Really? by Netshroud · · Score: 2, Interesting

      I presume they're just very expensive. Even more so if you have to secure them and connect them up to a banking network. Anything can be bought with enough money... like the bank itself.

    2. Re:Really? by fuzzyfuzzyfungus · · Score: 2, Interesting

      I assume that large purchasers, like banks, can easily enough commission "private label" versions of ATMs (based more or less closely on a manufacturer's available models; doing mechanical engineering much beyond the 'paste on a logo and some colored trim' level probably isn't cost effective, but running firmware tailored to them and their systems) that are for their exclusive order; but the generic ones you see in crummy convenience stores and the like are just appliances.

      Because (like commercial scales, and gas pumps) they are appliances used in commerce, there may well be one or more state, or local authorities who want to take a look and put their sticker on it before it goes into use; but if some guy wants to buy a used one, I see no reason why that would be uncommon or controlled. If they are used for fraud or theft, that is just as illegal as any other flavor of the same; but there are loads of common and wholly legal tools that have potential in that area.

    3. Re:Really? by 91degrees · · Score: 2, Informative

      The sort you find in convenience stores can be purchased without too much difficulty. They're just automated machines that put a charge on your card and dispense money, so they're not that different from a till and card reader.

      I imagine the heavy duty ones that banks use are a little more tricky to get hold of.

    4. Re:Really? by Pharmboy · · Score: 5, Interesting

      There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

      --
      Tequila: It's not just for breakfast anymore!
    5. Re:Really? by paradxum · · Score: 1

      They are not that expensive when there are tons of failed bank auctions around, a couple hundred will get you one. (You must remove though)

    6. Re:Really? by KarrdeSW · · Score: 2, Informative

      Well... Bank of America may be a bit angry if you have one of their ATMs in your living room, but getting one of the mass produced brands that companies set up at street events or in convenience stores isn't very difficult.

      The regulation isn't so much on who can have one as on the manufacturers to keep the data of the people using it secure, and even they aren't required to do much.

    7. Re:Really? by zigziggityzoo · · Score: 4, Interesting

      I know of a couple of restaurants that have their own ATMs with a "cash only" policy for acceptable payments. Anyone without cash is directed to the ATM they own. Instead of it costing them a percentage to accept cards, they make money off the ATM.

      --
      Zing!
    8. Re:Really? by fuzzyfuzzyfungus · · Score: 2, Insightful

      True enough. I suspect that that has to do with their use for sinful, wicked, dirty gambling, which tends to draw legislative fire.

      Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.

    9. Re:Really? by tomhudson · · Score: 3, Informative
      They're not that expensive. Look at the "white label" ATMs you'll see in restaurants and bars.

      Here's one of the machines in question

      Designed and assembled with pride in the USA, the RL1600's innovative configuration--including an embedded PC-based platform, Microsoft® Windows® CE 5.0 operating system with Triton's X2 technology--makes it as powerful as it is affordable and reliable. It has a large storage capacity for journaling, and is expandable to meet future compliance and application needs.

      They can be configured for either phone or ip network, and they're not that expensive, especially if you buy it used at a bar or restaurant bankruptcy.

    10. Re:Really? by skgrey · · Score: 2, Informative

      You would be absolutely correct. I used to work for one of the largest ATM manufacturers, and I'm still very close with the people that designed most of the ATM's you see in banks and convenience stores. It's really just a branding thing, and even then there isn't much they do besides slapping a plastic faceplate on the ATM. You have to be one of the larger banks and have a very large exclusivity contract before they'll even start considering a design specific for your bank - I only saw one in five years of working there.

    11. Re:Really? by CeruleanDragon · · Score: 1

      I once saw a "How-to" video on how to acquire your own ATM. Just need a strong 4x4 truck, a long, strong chain, and a couple of friends...

      --
      ad astra per alia porci
    12. Re:Really? by skgrey · · Score: 1

      It's not a matter of having a "Bank of America" or "FirstMerit" ATM in your living room, they don't make the ATM's. Banks buy ATM's to interface with their own network. If you would buy an ATM you'd need a banking entity, so you'd typically set up the account with the ATM manufacturer or a partner. For example, Triton sells those dinky little ATM's you see at gas stations. The gas station has an account with Triton, where Triton is the "banking entity" which is allowed to reach out into your bank's account, fills the ATM with money, collects the fees, etc.

    13. Re:Really? by Lumpy · · Score: 1

      Shipping costs is gonna be a bitch on that one.

      --
      Do not look at laser with remaining good eye.
    14. Re:Really? by Anonymous Coward · · Score: 1, Interesting

      Reliable my ass. I keep seeing BSOD-ed or out-of-memory ATMs around these parts, running what seems to be Windows XP (Embedded? At least, I hope it's XP and not Windows ME); even better are those with the "you may be a victim of software piracy" WGA notice. Closed my account at that bank after seeing that ("in what other areas do they habitually and epically fail?")

    15. Re:Really? by Anonymous Coward · · Score: 0

      "Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com]."

      Sure. And it's only the first one that's "expensive". After that, money is no object. Think of it as an investment.

    16. Re:Really? by alexo · · Score: 2, Insightful

      There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free.

      Yet another example of a bad law.

    17. Re:Really? by melstav · · Score: 1

      ATMs can be had for ~$2k on ebay

      Hell, there are even ebay listings for companies that'll ship you an ATM for free, have somebody come out and fill it with money, and give you a percentage of the surcharges they collect from cardholders.

    18. Re:Really? by John+Hasler · · Score: 1

      > There is at least one precedent for making owning machines illegal.

      There many precedents for loony laws making owning all sorts of things illegal. So what?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    19. Re:Really? by blisteringsilence · · Score: 3, Interesting

      That's a big selling point when I go to place a machine. Instead of the location paying $2,500+ monthly to their credit card processor, they can just charge a $0.25 transaction fee, and make some money. One of my customers realized a net monthly gain of about $4,000. It's been really popular with liquor stores and bars.

    20. Re:Really? by BrokenHalo · · Score: 1

      As a matter of interest, if you buy an ATM with an embedded Microsoft OS, do you have to pay again for the license to use it? It seems crazy to me that anyone would even consider a proprietary OS such as this when so many free, and arguably much more secure alternatives are available. (No, it doesn't have to be Linux - there are plenty of BSDs that would do just fine.)

    21. Re:Really? by aztracker1 · · Score: 1

      There's only one restaurant I visit with any regularity that does this... however their fee is $0.50, which probably covers their costs... if it's more than that, they're probably making a fair profit on the ATM itself. Just the same, if it works out, awesome. I've also seen cash only restaurants set their pricing so that with tax, the pricing is at even dollar amounts.

      --
      Michael J. Ryan - tracker1.info
    22. Re:Really? by Anonymous Coward · · Score: 1, Funny

      Tell me: at these 'restaurants', do the 'waitresses' take off their clothes while dancing on a stage?

    23. Re:Really? by Bert64 · · Score: 1

      Many of the people who design these systems just don't know anything else, so they design around what they know while being completely ignorant that they could improve security and save money by using something else.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    24. Re:Really? by harl · · Score: 1

      Why would they be restricted?

      --
      I find being offended by me offensive.
    25. Re:Really? by nrozema · · Score: 1

      Now that I've found a bank that doesn't charge for the "privilege" of dispensing your cash via someone else's machine, I could get on board with this, as it's a win-win for the business owner and myself (they save some money on card processing extortion fees, and presumably pass some of that overhead savings on to me). Unfortunately, the majority of people with accounts at the MegaBanks will still pay a $3+ "out of network ATM" fee, even if the restaurant's ATM only charges a quarter.

    26. Re:Really? by nacturation · · Score: 1

      Well... Bank of America may be a bit angry if you have one of their ATMs in your living room

      Or they may be ecstatic if it withdraws funds from your Bank of America account, but you have to fill the machine with your own cash.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    27. Re:Really? by blisteringsilence · · Score: 1

      Now that I've found a bank that doesn't charge for the "privilege" of dispensing your cash via someone else's machine, I could get on board with this, as it's a win-win for the business owner and myself (they save some money on card processing extortion fees, and presumably pass some of that overhead savings on to me). Unfortunately, the majority of people with accounts at the MegaBanks will still pay a $3+ "out of network ATM" fee, even if the restaurant's ATM only charges a quarter.

      disclaimer (again) - I own about 30 of these small ATM's, so have a vested business interest in this topic

      See, I don't understand this line of thinking. Your using that ATM is indeed a "privilege." This isn't happy happy funtime world. This is the real world. That ATM that you used at the gas station didn't magically appear out of nowhere. Someone had to buy it, someone had to install and configure it, someone has to provide it with electricity and receipt paper, someone has to fill it with money, and someone has to do all the regulatory paperwork that allows it to exist. And that's just for the physical machine.

      The work that you never see is the people and computers involved in transmitting that data and moving that money that you withdrew as cash to the bank account that provided the cash. In most cases, that money goes from your account, to an account at the federal reserve, to an account at the processing company, to the account of the guy that sticks the cash in the machine.

      And none of that is free. Sorry man.

      And I, the owner of the machine, have no obligation to let you use my ATM for free. We have no business relationship. I've made no promises to you. Why do you think you should take my work and investment and use it for free, denying me not only the chance to make a profit, but also to recoup my investment?

      And if you don't like it, get in your car/a bus/walk/take a segway down the street to your local bank, and use their ATM for free. They do have a relationship with you, and in exchange for your keeping your money with them, they will provide you certain things. Like free ATMs.

      But I don't have to.

    28. Re:Really? by blisteringsilence · · Score: 1

      The sort you find in convenience stores can be purchased without too much difficulty.

      Agreed. I'll be happy to sell you one today for between $2000 and $5000, depending on model and options.

      They're just automated machines that put a charge on your card and dispense money, so they're not that different from a till and card reader.

      And here I totally disagree. You don't understand the process by which an ATM works, which is fine, but they have almost nothing in common with a till (cash drawer) and card reader.

      I imagine the heavy duty ones that banks use are a little more tricky to get hold of.

      Trickier, no. More expensive, yes. To get a bank-quality Diebold or NCR, you're looking at a starting price of around $50,000.

      And honestly, the only difference between the two is how many bills it will hold. Quality wise, they're really pretty close. The ATMs that accept deposits, dispense stamps, and all that are a freaking fortune. You're looking at $100,000 minimum.

    29. Re:Really? by nrozema · · Score: 1

      And I, the owner of the machine, have no obligation to let you use my ATM for free. We have no business relationship. I've made no promises to you. Why do you think you should take my work and investment and use it for free, denying me not only the chance to make a profit, but also to recoup my investment?

      Perhaps you misunderstood the meat of my comment. I have no problem with you, the owner of the third party ATM in question, charging me a fee to use your machine. I fully support the premise of a "cash only" restaurant providing an ATM for use by their patrons at a reasonable fee.

      My post was addressing the _additional_ fee that most people have to pay to their own bank for the privilege of using that third party ATM. The same bank they *do* have a business relationship with, that often charges a monthly fee just for the privilege of allowing them to hold your money for you interest-free.

      That fee, which easily runs $2-3 at most big banks, raises the transaction cost for most people to the "ludicrous" level when added on to the perhaps totally reasonable fee charged for the privilege of using the third party ATM.

    30. Re:Really? by JimFive · · Score: 1

      See, I don't understand this line of thinking. Your using that ATM is indeed a "privilege." [...]

      The ATM in the public place (restaurant, gas station, etc.) is a marketing device for the location. The ATM allows the business to sell more stuff by ensuring that potential customers have the cash to buy it. It also saves money by reducing credit card transactions. If the ATM isn't paying for itself in additional sales, then it isn't worth it and shouldn't be in that location.

      If you, as a third party ATM owner, are charging both the location and the consumer then you are double-dipping, not illegal, but not respectable either. If the concern is people coming in to the ATM and not purchasing anything at the facility then that is easily handled by having the transaction fee discounted at the register for cash purchases made within x minutes of the time on the receipt.

      In short, you should be making your money off of the business owners(your customers), not the customers of those businesses.
      --
      JimFive

      --
      Please stop using the word theory when you mean hypothesis.
    31. Re:Really? by blisteringsilence · · Score: 1

      The ATM in the public place (restaurant, gas station, etc.) is a marketing device for the location. The ATM allows the business to sell more stuff by ensuring that potential customers have the cash to buy it. It also saves money by reducing credit card transactions. If the ATM isn't paying for itself in additional sales, then it isn't worth it and shouldn't be in that location.

      See, this statement right here tells me that you have little to no real understanding of the actual economics behind the ATM business. There's nothing wrong with that, but still, it's somewhat arrogant to criticize a business model without knowing a bit about the business.

      Due to the proliferation of ATMs in the United States, a location having an ATM is no longer a marketing device. It is a convenience. And to be totally honest, the only product for which an ATM drives sales is the Lottery (which can only be bought with cash).

      The assertion that "If the ATM isn't paying for itself in additional sales, then it isn't worth it and shouldn't be in that location" is just absurd, and shows a total lack of real knowledge on the subject.

      If you, as a third party ATM owner, are charging both the location and the consumer then you are double-dipping, not illegal, but not respectable either. If the concern is people coming in to the ATM and not purchasing anything at the facility then that is easily handled by having the transaction fee discounted at the register for cash purchases made within x minutes of the time on the receipt.

      I, the third party ATM owner, charge the customers of the business. Not the business itself. Actually, in every location but one that I have a machine installed, the business gets a piece of the surcharge, between $0.125 per transaction and $0.40 per transaction. Again, this is a CONVENIENCE charge. No one is forcing the customer to use the ATM. He or she is perfectly free to walk down the street to find another machine.

      In short, you should be making your money off of the business owners(your customers), not the customers of those businesses.

      You're welcome to your opinions, and I highly encourage you to take this moral model of yours and try to make it work. We in the industry might learn something from you. Likely, what we'll learn is that your business model sucks, and you can't make money with it, but I highly encourage you to try, and wish you the best of luck.

  5. BoA by Anonymous Coward · · Score: 2, Interesting

    I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.

    1. Re:BoA by westlake · · Score: 1

      I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.

      Would you feel more confident with an ATM that didn't post an error dialog?

    2. Re:BoA by Anonymous Coward · · Score: 0

      I've seen Linux error screens on airplane televisions. I still fly.

    3. Re:BoA by Anonymous Coward · · Score: 0

      I'd feel more confident if it posted a 'Guru Meditation'. At least I'd know it was programmed by hard core programmers and not some green horn with an MS Visual Basic compiler.

  6. T2 by bakamorgan · · Score: 0

    I wonder if he can do something like a young John Connor did in the movie T2? This sounds like a neat hack. Also I have read in the 2400 magazine/pamphlet/book or whatever it is that yea people buy this type of stuff just to hack it. Also they buy cash registers and CC machines. Good reading material while you're on the pot.

    1. Re:T2 by Anonymous Coward · · Score: 0

      Yeah, those guys at 2400 really know their stuff. I love their 64 pages of letters from 12 year olds asking how to hack their school's computer systems and cheat codes for MW2. The last time I read it there was an article in it by a hacker named David Lightman that recommended checking for a paper with the school's passwords attached to a desk's sideboard. Very insightful.

    2. Re:T2 by Anonymous Coward · · Score: 0

      Sounds like a step up from that old 2600 magazine that used to be some whiny bitches that sounded like a greyer version of the FSF :D

    3. Re:T2 by Anonymous Coward · · Score: 0

      You might be laughing now but my brother's friend said he hacked something called the Gibson that way. He was almost caught but the feds could not match the sheer speed and agility provided to him by his inline skates.

    4. Re:T2 by BreazySpeculation · · Score: 1, Informative

      The periodical you are referring to is "2600" Just saying.

  7. Simple is beautiful (and secure) by Anonymous Coward · · Score: 0

    If your idea of simple includes Windows CE (or Linux for that matter), you should not make engineering decisions.

  8. Pretension by aliddell · · Score: 5, Funny

    Exploiting bugs in two different ATM machines

    'ATM machines'? Really?

    --
    What do you think, sirs?
    1. Re:Pretension by Spad · · Score: 4, Funny

      And he didn't even need a PIN Number

    2. Re:Pretension by Darth_brooks · · Score: 2, Funny

      Yeah, ATM Machines. Those things that you put your PIN Number into.

      --
      There are some people that if they don't know, you can't tell 'em.
    3. Re:Pretension by tag · · Score: 2, Informative

      Submitter clearly has a case of RAS syndrome.

    4. Re:Pretension by davidbrit2 · · Score: 2

      It's a machine that operates the ATM for you. It also goes by the name Automated ATM.

    5. Re:Pretension by oodaloop · · Score: 1

      Into which you put your Personal Identification Number Number. Whooooosh!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    6. Re:Pretension by noidentity · · Score: 1

      No need to make fun of people who suffer from PNS syndrome.

    7. Re:Pretension by AC-x · · Score: 1

      What, you never used an Automated Teller Machine Machine before? Where do you think banks get their ATMs from? Queue up in the store? I think not!

    8. Re:Pretension by alx5000 · · Score: 0, Offtopic

      One of the best whooshes of all times. Thank you!

      --
      My 0.02 cents
    9. Re:Pretension by DoofusOfDeath · · Score: 1

      'ATM machines'? Really?

      Good call. He should have gone with the better known, "AT Machines".

    10. Re:Pretension by AndrewNeo · · Score: 1

      So it's an Automated ATM machine Machine?

    11. Re:Pretension by WaroDaBeast · · Score: 1

      Yeah, ATM Machines. Those things that you put your PIN Number into.

      I got a friend who once made a presentation on the PC at uni, and some of his lines were about "CD and DVD disks." Other than that, the only acronym I can think of is MCB (Mauritius Commercial Bank), as I've often heard people say "MCB bank."

      --
      "The body may heal, but the mind is not always so resilient." -- Deus Ex: Human Revolution
    12. Re:Pretension by davidbrit2 · · Score: 2, Funny

      I think that would be the machine operating the machine that's operating the ATM. It brings the level of automation to where you only have to subconsciously think of money, or anything that rhymes with money in order to make a withdrawal.

    13. Re:Pretension by camperdave · · Score: 1

      'ATM machines'? Really?

      Well, to be fair, ATM could be a brand name. Is saying "IBM machines" wrong?

      --
      When our name is on the back of your car, we're behind you all the way!
    14. Re:Pretension by Anonymous Coward · · Score: 0

      >> Other than that, the only acronym I can think of is MCB (Mauritius Commercial Bank)

      That was the first thing I thought of too.

    15. Re:Pretension by RulerOf · · Score: 5, Funny

      Rumor has it that if the hacker can find the MAC controller address for the NIC card in the ATM machine, he can use specially crafted TCP/IP protocol and also expose your SSN number.

      --
      Boot Windows, Linux, and ESX over the network for free.
    16. Re:Pretension by troll8901 · · Score: 1

      ... use specially crafted TCP/IP protocol ...

      Cool ... is there an app for this?

      (When will Hollywood release a movie that uses an you-know-what as a hacking machine?)

    17. Re:Pretension by need4mospd · · Score: 4, Funny

      But only ATM machines with specific UPC codes and LCD displays will do this. And you should make sure your PC computer has enough RAM memory and is setup to run on AC current using only RF frequencies to communicate. Always back up these transactions to a DAT tape or CD disks. If you do this right, you should be able to avoid any VAT taxes so you can afford more KFC chicken.

    18. Re:Pretension by Anonymous Coward · · Score: 0

      PI Number. There is no such thing as a PIN number

    19. Re:Pretension by xtracto · · Score: 1

      so you can afford more KFC chicken.

      What's the name of the KFC menu that gives you chicken?

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    20. Re:Pretension by Anonymous Coward · · Score: 0

      The "whoosh" of that one flying over your head is deafening.

    21. Re:Pretension by nacturation · · Score: 1

      Exploiting bugs in two different ATM machines

      'ATM machines'? Really?

      Here is an ATM machine:

      http://www.cisco.com/en/US/products/hw/switches/ps1893/prod_view_selector.html

      One could ask whether these ATMs use ATM for their communications.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    22. Re:Pretension by Anonymous Coward · · Score: 0

      Yeah, ATM Machines. Those things that you put your PIN Number into.

      connected to teh internet with a NIC card communicating using teh TCP/IP protocol.

    23. Re:Pretension by jofizz · · Score: 1

      Hey, some of us suffer from RAS Syndrome, you insensitive clod!

      --
      There is no sig.
    24. Re:Pretension by Anonymous Coward · · Score: 0

      NIC card

      I was always taught to understand NIC as Network Interface Controller, so in this case "NIC card" is not a tautology, especially as there are increasing situations where the NIC is not actually a removable daughtercard.

    25. Re:Pretension by noirakita · · Score: 1

      I find if I don't tell the older folks to enter their PIN number, they think I'm saying "pen" (since of course they are hard of hearing) which confuses their feeble old brains. If they are young enough looking though I'll tell them to just enter their PIN.

      --
      "I'm confused...now I'm happy! heh..." -from MST3k Pumaman
    26. Re:Pretension by noirakita · · Score: 1

      So, I guess you don't work at the Department of the Redundancy Department.

      --
      "I'm confused...now I'm happy! heh..." -from MST3k Pumaman
  9. Monopoly by Wowsers · · Score: 1

    You passed Go, please collect $ from bank, where $ = Amount Input.

    --
    Take Nobody's Word For It.
  10. Re:MSFT Fanboys HURRY! by Anonymous Coward · · Score: 1, Funny

    Only need one: he didn't hack the OS, only the applications running on top of the OS.

  11. Yup, they can. by Cyberax · · Score: 3, Informative

    ATMs are sold 'over the counter'.

    They aren't even that expensive, it's possible to get a new ATM for about $2000 (though realistically a good ATM costs about $5000).

  12. Re:Redundancy by betterunixthanunix · · Score: 2, Funny

    Something has to build the ATMs! Clearly, this hacker has discovered that the robots that build ATMs also create money.

    --
    Palm trees and 8
  13. Re:Redundancy by prionic6 · · Score: 1

    But who makes the ATMMs?

  14. MISSING by Azmodan · · Score: 0

    So where's the download link?

  15. Re:Redundancy by prionic6 · · Score: 4, Funny

    But who makes the ATMMs?

    It's machines all the way down!

  16. no wonder by Anonymous Coward · · Score: 2, Insightful

    Note the manufacturers. The big 3 of ATMs are Wincor, Diebold, and NCR. Check the ATM for pretty much any financial institution and you'll see one of those logos somewhere. When one of them gets hacked it's a big deal. When a white-label gets hacked it's just another day.

    1. Re:no wonder by Anonymusing · · Score: 1

      Well, I do remember this...

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    2. Re:no wonder by Anonymous Coward · · Score: 0

      Diebold, NCR and Wincor all suffer a similar problem - standardized keys to access the unit. Some of the first machines housed the cpu core in the vault - that was smart - but most have moved away from that design. Once you have access to the cpu core, loading custom software shouldn't be a problem.

      Also, some of the big three also run windows based oses...the older ran a variant of os/2...

  17. Re:MSFT Fanboys HURRY! by dimethylxanthine · · Score: 0

    he didn't hack the OS, only the applications running on top of the OS.

    Hacking the OS would be too easy and not worthy of a Black Hat ;-)

  18. scrooge? by circletimessquare · · Score: 2, Interesting

    he should have called it robin hood

    right subject matter (wealth redistribution), wrong direction (down to the lower classes: robin hood, not up to the higher classes: scrooge)

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:scrooge? by fuzzyfuzzyfungus · · Score: 2, Funny

      A good rootkit tries to blend in with its environment...

  19. open source shot by grumling · · Score: 1

    Quote from TFA: "Criminals could find vulnerable ATMs by using open-source 'war-dialling' software"

    Nice. Because closed source software could never be used for criminal activity, right?

    --
    "Well, good luck finding a judge that doesn't run a bestiality site."
    1. Re:open source shot by Lumpy · · Score: 1

      Nope. all the closed source war dialing apps have a list of all phone numbers to all the ATM's and refuse to dial them. They also have regular popups that ask you to confirm that you are not wardialing to do illegal activities...

      Microsoft Bob was repurposed for this use. Microsoft BobDialer 6 is the most popular in the in crowd of casual wardialing.... Ohh BRB Mine has found a fax machine for me to listen to!

      --
      Do not look at laser with remaining good eye.
    2. Re:open source shot by Spad · · Score: 1

      It's something that seems to be getting more and more common in a subset of security-related articles. With my less cynical hat on I'm tempted to believe that they're trying to imply that the software is free and freely available and thus has a low barrier to entry for people who want to try and replicate the exploit, however, my less cynical hat doesn't fit me very well.

    3. Re:open source shot by Anonymous Coward · · Score: 0

      All closed source war dialing apps follow RFC 3514, ATMs simply firewall all incoming packets with the evil bit set.

    4. Re:open source shot by sheph · · Score: 1

      Oh come on... everyone knows dirty hackers only use open source software.

      --
      I don't believe in karma, I just call it like I see it.
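Added example, not from the article or from any commenter: the scanning TFA refers to leaves a recognisable footprint on the phone side, and a defender with access to call detail records (CDRs) can look for it. A war-dialler walks a block of numbers, usually in order, and hangs up as soon as it knows whether a modem answered, so one caller places many short calls to many distinct, mostly consecutive numbers inside a short window. The CDR lines, their column layout, the number blocks and the thresholds below are all constructed for illustration and would need tuning against real traffic.

```python
"""Flag war-dialling patterns in call detail records (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs, not real data. Columns: timestamp caller callee duration_s
# 5551230000 walks 5559870001..5559870010 with short calls (one modem handshake at 41 s);
# 5554440000 and 5556660000 are ordinary callers.
SAMPLE_CDR = """\
2010-07-28T02:00:01 5551230000 5559870001 3
2010-07-28T02:00:09 5551230000 5559870002 4
2010-07-28T02:00:18 5551230000 5559870003 2
2010-07-28T02:00:27 5551230000 5559870004 3
2010-07-28T02:00:35 5551230000 5559870005 41
2010-07-28T02:00:44 5551230000 5559870006 3
2010-07-28T02:00:52 5551230000 5559870007 2
2010-07-28T02:01:01 5551230000 5559870008 4
2010-07-28T02:01:09 5551230000 5559870009 3
2010-07-28T02:01:18 5551230000 5559870010 3
2010-07-28T02:03:00 5554440000 5559870005 312
2010-07-28T02:10:00 5554440000 5559870099 640
2010-07-28T02:15:00 5556660000 5559870011 5
2010-07-28T02:20:00 5556660000 5559870040 7
"""


def parse_cdr(text):
    """Parse whitespace-separated CDR lines into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, callee, duration = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                        "callee": callee, "duration": int(duration)})
    return records


def _window_stats(calls, short_secs):
    """How many distinct numbers were called, how consecutive they are, how short the calls were."""
    callees = sorted({int(c["callee"]) for c in calls})
    n = len(callees)
    consecutive_pairs = sum(1 for a, b in zip(callees, callees[1:]) if b - a == 1)
    short_calls = sum(1 for c in calls if c["duration"] <= short_secs)
    return {
        "distinct_callees": n,
        "sequential_fraction": consecutive_pairs / (n - 1) if n > 1 else 0.0,
        "short_fraction": short_calls / len(calls),
    }


def find_war_dialers(records, window_minutes=10, min_callees=8, short_secs=10,
                     min_short_fraction=0.7, min_sequential_fraction=0.6):
    """Return {caller: stats} for callers whose calls in some window look like a number sweep."""
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["caller"]].append(r)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for caller, calls in by_caller.items():
        calls.sort(key=lambda c: c["ts"])
        for i, start in enumerate(calls):
            in_window = [c for c in calls[i:] if c["ts"] - start["ts"] <= window]
            stats = _window_stats(in_window, short_secs)
            if (stats["distinct_callees"] >= min_callees
                    and stats["short_fraction"] >= min_short_fraction
                    and stats["sequential_fraction"] >= min_sequential_fraction):
                stats["window_start"] = start["ts"].isoformat()
                alerts[caller] = stats          # report the first matching window per caller
                break
    return alerts


if __name__ == "__main__":
    for caller, stats in find_war_dialers(parse_cdr(SAMPLE_CDR)).items():
        print(caller, stats)
```

The three thresholds (many distinct numbers, mostly short calls, mostly consecutive numbers) are what separate a sweep from a busy but legitimate caller: a call centre also places many calls, but neither in numeric order nor all within a few seconds of the answer. A slow or randomised dialler evades the window and sequence checks, which is why the thresholds are parameters rather than constants.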
  20. Patchless ATM "hack" by mcgrew · · Score: 3, Insightful

    There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.

    This procedure was used on me. Education can be expensive.

    Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.

    When I was victimized, the thief also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has your PIN, no matter how they get it, they are authorized to use the card!

    I no longer use a debit card. Nowadays I use cash whenever possible.

    1. Re:Patchless ATM "hack" by rtaylor · · Score: 3, Insightful

      They stole your card so they can probably steal your cash which will also not get refunded by the bank.

      Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.

      Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).

      --
      Rod Taylor
    2. Re:Patchless ATM "hack" by kevinmenzel · · Score: 1

      What the heck is wrong with most banking regulation? If someone who isn't me makes debit transactions on my account, no matter what the amount, even if they use my card and my PIN, the fraud department at my bank (TD Canada Trust) is happy to reimburse me (especially if I'm fairly confident about the location and amount of my last transaction). And they have, even if someone is making small purchases over a period of time, which happened once (over a period of two months, someone had made a copy of my card, and was using it to make small purchases, less than $20 each time, I finally noticed the transactions, went in to the branch, and got refunded the... I think it was about $60 or $70 within a month...

    3. Re:Patchless ATM "hack" by Anonymous Coward · · Score: 0

      Yeah, ALWAYS lean right in and cover the PIN pad with your other hand. I assume there could be a hidden look-down camera installed and try to make it hard to see what my PIN is even then.

      Also:
      - Swipe the slot with your finger before you insert the card to try and find card-catcher devices
      - Consider having a withdrawal limit set on your account. That way, if everything else fails the damage is limited. These days you really don't ever need to withdraw large amounts of cash, unless you have a substantial coke habit or suchlike ...

    4. Re:Patchless ATM "hack" by NJRoadfan · · Score: 1

      Use a credit card for larger purchases and only keep small sums of cash with you. Credit cards are technically not cash, and the consumer protections are generally stronger in cases of fraud. A charge back for fraud on a credit card results in no money leaving your bank account compared to a debit card.

    5. Re:Patchless ATM "hack" by iserlohn · · Score: 1

      For 4 digit PINs, there is a 0.3% chance of an attacker randomly entering the PIN and succeeding. So is a 0.3% chance of losing all your money in your debit card account acceptable (which can be partially mitigated using EMV smartchips on debit cards)?

    6. Re:Patchless ATM "hack" by iserlohn · · Score: 1

      Sorry.. I meant 0.03%

    7. Re:Patchless ATM "hack" by John+Hasler · · Score: 1

      What the heck is wrong with most banking regulation? If someone who isn't me makes debit transactions on my account, no matter what the amount, even if they use my card and my PIN...

      How the hell are they to know it isn't you? Just because you say so? You know that there are people who would lie to defraud them. I don't see why the bank should be responsible for your loss of control of your card and PIN any more than they are for your loss of control of your cash.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:Patchless ATM "hack" by John+Hasler · · Score: 1

      The chance of losing all your money in your debit card account is not .03%. It is .03% times the probability of a thief acquiring possession of your card and using it before you discover that it is gone and cancel it.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    9. Re:Patchless ATM "hack" by BrokenHalo · · Score: 4, Interesting

      Debit and credit cards are OK so long as you are a bit careful about where you use them and about not letting them out of your sight (in order to skim them), and check your accounts reasonably frequently. They are certainly better than cheques.

      Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks since.

      At least with credit cards, there is always the option of a chargeback.

    10. Re:Patchless ATM "hack" by angel'o'sphere · · Score: 1

      How the hell are they to know it isn't you?

      Because it is not you who is on the video tape(s) made by the ATM and in the room where the ATM is installed. Often as well you can prove you were elsewhere during that particular time.

      angel'o'sphere

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    11. Re:Patchless ATM "hack" by BrokenHalo · · Score: 1

      Yeah, ALWAYS lean right in and cover the PIN pad with your other hand.

      I have a more effective approach: I use a large-ish "clutch" wallet that, when held above my "key" hand, not only effectively obscures it, but also shades it to the extent that most cameras would struggle to make a successful exposure. The size of wallet isn't a problem, since it's easier to secure it in a single bag than in one of many pockets in your clothing.

    12. Re:Patchless ATM "hack" by tlhIngan · · Score: 1

      Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks since.

      Actually, the signature is nothing more than an approval to a contract, not for comparison purposes. The signature panel on the back of your credit card signifies that you agreed to the cardholder agreement. The signature on the slip signifies that you are agreeing to pay the amount specified as a valid debt. The signature on the cheque indicates that you're agreeing to pay the amount specified on the note. A cheque can be written on anything as long as it contains the payee details (name), payer details (name, account number), the amount to be paid, the date and a signature indicating approval of the transaction. You could write this all on a piece of paper and it would be valid - it's how banks give you generic cheques where you have to fill in all the details yourself while your customized ones arrive later.

      And yes, you should be careful how you store your chequebooks as there's a lot of valuable personal information on it.

    13. Re:Patchless ATM "hack" by BrokenHalo · · Score: 1

      For 4 digit PINs...

      ...and if your bank insists on a PIN of only 4 digits, maybe it would be worth considering a different bank. I can't say all, but many banks here in Australia use 6-digit PINs. Of course, that doesn't take into account the advantages of a thermorectal cryptanalysis approach to accessing your funds, but what can?

    14. Re:Patchless ATM "hack" by CaseM · · Score: 2, Interesting

      Consumers are no more liable for debit/check card fraud than they are credit card fraud. This is a very common fallacy.

    15. Re:Patchless ATM "hack" by Anonymous Coward · · Score: 0

      True, a secure ATM machine is not going to guarantee your total financial security but an insecure machine will pretty much guarantee its vulnerability.

    16. Re:Patchless ATM "hack" by socz · · Score: 1

      Actually, the signature is nothing more than an approval to a contract, not for comparison purposes. The signature panel on the back of your credit card signifies that you agreed to the cardholder agreement. The signature on the slip signifies that you are agreeing to pay the amount specified as a valid debt. The signature on the cheque indicates that you're agreeing to pay the amount specified on the note. A cheque can be written on anything as long as it contains the payee details (name), payer details (name, account number), the amount to be paid, the date and a signature indicating approval of the transaction. You could write this all on a piece of paper and it would be valid - it's how banks give you generic cheques where you have to fill in all the details yourself while your customized ones arrive later.

      What bank is this? (So I know to avoid business with them.)


      Having worked in a bank opening new accounts (not by choice!) I can verify that at least that bank's policy was not just for contractual agreements, but for verifying the signer. For example:

      ) Someone walks in with a check. They wish to cash it. It's $60.
      ) The teller pays it because it's $60.

      ) Someone later that day returns with a check for $260. The teller says hang on a sec while I verify the funds.
      ) The teller gets up, and if local, obtains the "signature card." If not, it calls and requests a fax of the signature card from the home branch.
      ) Teller then compares the signature card to the signature on the check using any of various techniques. If they match up then it's paid. If it doesn't, then we have a process for that.

      So yes, the signature is important, not just for agreement. Also, regarding the checks, you can't put it on any paper. Those blanks you get from the bank, yeah, they're not accepted everywhere, and for good reason too! While at the bank, I was told - whether it's true or not is another matter - that the account numbers use magnetic ink. So while in theory, you could "use any paper that looks like a check," hopefully most people will refuse it, and at worst checks are unique financial instruments with a lot of security features.

      --
      My abilities are only limited by my imagination
    17. Re:Patchless ATM "hack" by SQLGuru · · Score: 3, Interesting

      In the early 90's, I had a 10 digit pin with Wells Fargo. It was great for security, but it was a pain when all of the POS terminals didn't expect it. They only allowed for 4 digit input.

      Also, my current bank (name withheld) offers the two account approach. One account has card access and the other has the money. You transfer periodically to cover the other. If your card is ever compromised, you stop the transfers and limit the losses. Of course, you still also get the protection you would normally get with your card.

    18. Re:Patchless ATM "hack" by thousandinone · · Score: 1

      Times however many unsuccessful attempts are allowed before lockout, typically 3.

    19. Re:Patchless ATM "hack" by mcgrew · · Score: 1

      If they watch you enter the PIN they don't have to guess.

    20. Re:Patchless ATM "hack" by mcgrew · · Score: 1

      The size of wallet isn't a problem, since it's easier to secure it in a single bag than in one of many pockets in your clothing.

      I don't carry bags unless I'm on my way home from shopping. Most men don't. Women carry bags because they need them a week out of every month, hard to carry three or four kotexes in a pocket. And it's a lot harder to pick my left front pocket than it is to snatch your purse.

    21. Re:Patchless ATM "hack" by Anonymous Coward · · Score: 0

      You're describing a different procedure. Specifically, cashing a check against an account.

      Banks certainly verify signatures in those cases. But they generally have no way of verifying the signature of the check issuer, and that's what OP was talking about.

    22. Re:Patchless ATM "hack" by northstarlarry · · Score: 1

      Actually, the signature is nothing more than an approval to a contract, not for comparison purposes. . . .The signature on the cheque indicates that you're agreeing to pay the amount specified on the note. A cheque can be written on anything as long as it contains . . . a signature indicating approval of the transaction.

      Okay. . .but if the signature is that of someone who isn't authorized to approve this contract, i.e., not the owner of the account (or other person listed as having access), then the bank shouldn't pay the check! (Likewise for a credit card slip.) Which means that they ought to compare the signature to the one that they have on file (the one that they got when the account was opened), when they are moving the funds around.

      You could write this all on a piece of paper and it would be valid. . .

      This used to be the case, but AFAIK (based on asking the banks that I've used), most banks will only honor checks printed in specific formats. I assume this has a lot to do with making sure the account number is machine-readable to make processing easier, but there's some fraud protection that comes with it. However, based on the fact that you write "cheque" and I write "check", I surmise that we are in different parts of the world, so your ability to use a cocktail napkin as a note to pay your bills may differ from mine.

    23. Re:Patchless ATM "hack" by moortak · · Score: 2, Interesting

      You should inform the FTC, it seems they aren't aware of that fact. http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm If you are slow to report it you are responsible with a debit card more than you are with a credit card.

      --
      Xavier Rabourdin for president 2012
    24. Re:Patchless ATM "hack" by Tacvek · · Score: 1

      Under Article 3 of the Uniform Commercial Code, which is a law that has been passed with only minor modifications in every State of the US, the following are the sole criteria to be a valid negotiable instrument:

      • It must have an unconditional promise or order to pay.
      • The document must list a specific amount, except that it may be an amount plus interest.
      • The document must have a specific date of payment, or be payable on demand.
      • The document must be "paid to order of $SOME_NAME" (meaning in the way specified by the named recipient) or must be payable to bearer. This makes it negotiable, allowing me to use the $20 check addressed to me from Bob to pay Joe. This feature is very important but only the banks normally ever use it, behind the scenes.
      • The document does not promise that the payer perform any act other than paying the specified money.
      • The document is not marked "Canceled", or "Nonnegotiable", or one of a few other methods used to void a negotiable instrument.[1]

      A check is any negotiable instrument drawn on a bank (or legal equivalent, like a credit union).

      If you give anybody any document that meets all those requirements, they can cash it, deposit it, offer it as payment to a third party, etc. Of course, the account in question may have insufficient funds, etc, but that does not make it non-negotiable. But nobody is required to accept a check, since they are not legal tender. One can reject a check for any reason, including not liking the picture on it!

      While I am not a lawyer, I have read excerpts of the relevant law, and am fairly confident in the overall accuracy of my statements; although one or more may be incorrect on a minor technicality, the underlying message should still be valid.

      [1] The law here implies that banknotes might also be rendered worthless if you write nonnegotiable on them, although the law in question does not actually cover banknotes.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    25. Re:Patchless ATM "hack" by dissy · · Score: 1

      I don't carry bags unless I'm on my way home from shopping. Most men don't.

      Little known geek secret: Laptop bag = man purse

      My laptop bag is designed to hold two laptops and some accessories, has those expandable zippered sections to shrink it down to hide some of the extra space when it is not needed, and even has wheels and a pocket with a hidden retractable handle to convert it into what looks like a small piece of carry-on luggage.

      Now you too can have all of the advantages one would expect by having their own bag-of-holding, just like our feminine counterparts!

    26. Re:Patchless ATM "hack" by BrokenHalo · · Score: 1

      However, based on the fact that you write "cheque" and I write "check", I surmise that we are in different parts of the world, so your ability to use a cocktail napkin as a note to pay your bills may differ from mine.

      Probably. I once knew a farmer who wrote a cheque on the side of a cow. Apparently the bank paid it, too. :-)

    27. Re:Patchless ATM "hack" by mcgrew · · Score: 1

      Now you too can have all of the advantages one would expect by having their own bag-of-holding, just like our feminine counterparts!

      A "secret" little known to male geeks: the best bag to hold your stuff in is carried by a woman; that's one advantage of having a wife or girlfriend. You have all the advantages of a purse with none of the disadvantages.

      Rather than a laptop I have a netbook, which is about the same size and weight as a hardcover book. I haven't turned the laptop on in a long time, I think I'll give it to my daughter Leila. The netbook is the only thing I carry that won't fit in a pocket, and I don't need a bag for it.

  21. woosh! by ArsenneLupin · · Score: 1

    ..."double use of number", in case you wonder what is making this strange sound...

  22. re ATM hack by chentiangemalc · · Score: 1

    That's nice and beautiful he hacked the ones he bought. But he still has to get remote access #'s, and if that's easy to get I think that's an even bigger security issue. Also "war-dialling" tactics to find a Windows CE based ATM may take a while; the majority of ATMs now run Windows XP Embedded, not Windows CE. Also I'm not sure about this, but I would hope ATMs implemented call-back security on in-production devices.

    1. Re:re ATM hack by mcgrew · · Score: 1

      I would hope ATMs implemented call-back security on in-production devices.

      Not on the ones in bars and restaurants; in many places I've been in you couldn't use the ATM when someone was on the phone, meaning they had a single phone line, meaning the phone would have rung every time someone used the ATM.

  23. Easy! by tripmine · · Score: 1

    Easy Money!

  24. video from the talk by AmElder · · Score: 2, Informative

    Security Week has posted some videos of the presentation that they uploaded to YouTube.

  25. confused! by cheap.computer · · Score: 1

    Advocates of closed source software claim that their source being closed adds more security to their products... now I am confused...

    1. Re:confused! by mcgrew · · Score: 1

      "Security through obscurity" was debunked long ago. Welcome to slashdot!

  26. Why go through all that trouble of hacking? by qazwart · · Score: 3, Interesting

    The types of ATMs being talked about are the non-bank machines that you see in many smaller stores in New York City. They're installed and sold by third party vendors to connect to the main banking networks.

    A salesman goes into a store, and tells the owner that if they had an ATM in their store, their sales will go up because people will stop in to get cash. The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owner's manual. A manual you can buy online.

    There have been several incidents of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messy hacking necessary.

    1. Re:Why go through all that trouble of hacking? by blisteringsilence · · Score: 5, Informative

      The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owner's manual. A manual you can buy online.

      Well, I guess if I'm going to criticize, I'll start here. No PCI-compliant machines allow you to go through the configuration process without inputting 3 different levels of new password. The attack you describe above might have worked 2 years ago. No longer. Sorry. And you don't have to buy the manual, they're (mostly) available for free.

      There have been several incidents of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messy hacking necessary.

      No there haven't. The only exploit that could be executed in person was the following:
      1. Thief buys prepaid $200 visa card with PIN.
      2. Thief accesses the service menu of the machine (using default or socially engineered password).
      3. Thief changes the machine's internal systems to think it's holding $5 bills instead of $20 bills.
      4. Thief exits service menus.
      5. Thief puts in card and withdraws $200. Since the machine thinks it's holding $5's, it dispenses 40 total $20 bills ($800). The thief makes off with a net of $600.

      However, this exploit is no longer possible, as the master keys that allow an ATM to communicate with the processor are now erased when you change the denomination of bills the ATM dispenses.

      The process you describe has never worked. There is an option in a service menu called "test dispense," but it kicks the bill into the reject bin, not into the cash pickup.

      Please try again.

  27. Re:Redundancy by TheRaven64 · · Score: 2, Funny

    Since the post above you says exactly the same thing, I couldn't decide whether you should be moderated redundant or funny.

    --
    I am TheRaven on Soylent News
  28. 'M' is for Machine by ricosalomar · · Score: 3, Funny

    The summary refers to 'ATM machines.'

    I haven't read TFA article, but I wonder if you need a PIN number, or if the exploit uses a VM machine?

    Has someone notified the federal FBI bureau?

  29. Great.. this will make ATM thievery worse by tacktick · · Score: 1

    I'm all for security research but publicly displaying these exploits will bring ATM mischief to the next level. Why use skimmers and mini cameras when you can just hack the ATM remotely and have an accomplice stand there and get the cash that comes out? If proof-of-concept code gets out on the net, watch out! A lot of little banks and vendors are going to be sorry. And good luck trying to patch all the millions of machines around the world.

    1. Re:Great.. this will make ATM thievery worse by John+Hasler · · Score: 1

      > I'm all for security research but publicly displaying these exploits will
      > bring ATM mischief to the next level. ... If proof-of-concept code gets out on the net, watch out!

      Right, because criminals could never figure this out by themselves.

      > A lot of little banks and vendors are going to be sorry. And good luck
      > trying to patch all the millions of machines around the world.

      They bought cheap crap. Too bad. So sad.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Great.. this will make ATM thievery worse by tacktick · · Score: 1

      > Right, because criminals could never figure this out by themselves.

      Then why haven't they yet? Most criminals aren't smart enough to figure that out, so they just go for the tried and tested methods already out there.
      Now that they learn that hacking the machines remotely isn't that hard to do, they will use their stolen money to fund research into it.
      I don't know about you, but I didn't know that ATMs were remotely exploitable.

      > They bought cheap crap. Too bad. So sad.

      Easy to say until the ATM you use frequently is shut down because it was hacked.

    3. Re:Great.. this will make ATM thievery worse by cdrguru · · Score: 1

      Yes, but you are ignoring the critical point here: what happens next? There are relatively few options that obviously need to be clearly explained:

      • The banks could just write off the (likely immense) losses as a cost of providing ATM services to the public at large. Ha ha ha ha.
      • Banks and ATM service companies could replace their entire ATM networks over the next 6-12 months as soon as some new PKI-based system was available. With each machine being a lot more expensive and the old ones just being scrapped, it would be pretty expensive. Surely you know that would just be passed on to the ATM users, right? So you can start looking for the $5 fee to use the new, improved ATM machines.
      • Nothing gets done at all, and while there are losses they aren't huge. Again, banks are there to make money and ATM fees just start creeping upward. Again, expect $5 ATM fees with the same old insecure hardware. This is of course the most likely.

      Basically, while this is great news to the technically competent that can exploit ATM machines, it really sucks for the rest of humanity that gets to pay the increased fees. Because there isn't any way out of it - fees are going to go up as a result of this. Maybe the machines get replaced, but probably not. Until each and every machine is just spitting out cash to passersby the machines are going to stay put and people just get charged more for using them.

      The history of ATM machines shows clearly that the banks decided they were a way to replace tellers originally. Then they figured out that wasn't going to work out so well and ATMs became a convenience item that could be a revenue source. Today there are companies that independently operate ATM-like machines in bars, restaurants and gas stations and are making a tidy profit from the fees to use such machines.

      You think a free ATM is somehow a UN-promised right? Check out the machines in Vegas casinos. They aren't content with a fixed dollar amount, they charge a percentage like 5%. This is probably the upper end of where fees can go.

      The result of exposing insecure systems is always going to be increased costs and/or hassle for the average, non-thieving users. Nothing is going to be fixed for free, even if the government somehow mandated that it be fixed. The average Joe just trying to get by will end up paying for it in the end with absolutely no benefit to anyone.

    4. Re:Great.. this will make ATM thievery worse by tacktick · · Score: 0

      Thank you for your clear and convincing insight.

    5. Re:Great.. this will make ATM thievery worse by John+Hasler · · Score: 1

      You think a free ATM is somehow a UN-promised right?

      No, I don't. Whatever made you think I did?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  30. Not most states, about 7 of them by name_already_taken · · Score: 2, Informative

    There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

    I'm not so sure about them being illegal in "most states".

    The list of states banning slot machine ownership I found is: Alabama, Connecticut, Hawaii, Indiana, Nebraska, South Carolina, and Tennessee.

    I have a slot machine. It accepts quarters or tokens, and I can adjust the payout ratio.

    I paid $160 for it at the flea market, at the county fairgrounds one county over. There were Sheriff's deputies everywhere and they didn't give the slot machines a second look.

    --
    Putting moderation advice in your .sig lowers your karma!
  31. Re:I should hope there's a patch soon by sheph · · Score: 1

    I don't know if that should be classified as flamebait. It is plausible based on past experience. As much as I hate Obama's policies I'll point out that he wasn't the first one to think bail outs were a good idea.

    --
    I don't believe in karma, I just call it like I see it.
  32. Number 4 by SuperKendall · · Score: 2, Informative

    4) It had a virus ALREADY INSTALLED as per the message you saw, so malign in fact that even F-Secure could recognize it (which goes back to point #2).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Number 4 by silentcoder · · Score: 1

      This!

      --
      Unicode killed the ASCII-art *
    2. Re:Number 4 by Anonymous Coward · · Score: 0

      That!

  33. Why not switch OS? by Anonymous Coward · · Score: 0

    No, not linux, no not unix.... ATMs all over used to run off of OS/2.

    So, why not continue using it?

  34. Inside Man by Itninja · · Score: 2, Insightful

    From TFA: "A single, standard key can open many different types of machines, he said, presenting another serious security problem."

    Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the bank's worries.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Inside Man by DragonWriter · · Score: 1

      Does not one need to be inside the bank to use said key?

      Many ATMs are not inside, nor even on the premises of, a bank.

    2. Re:Inside Man by Itninja · · Score: 1

      I was thinking about that too. I think many, if not all, of those are in very public places like shopping malls or 24-hour gas stations... not sure if I've seen one in a secluded area... Of course if the thief wore an official-looking uniform and name tag, I bet they could still get away with it.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    3. Re:Inside Man by jimicus · · Score: 1

      Does not one need to be inside the bank to use said key? If the criminal has already physically broken into the bank, theft of the few grand inside the ATM is the least of the banks' worries.

      So don't interfere with one at a bank. Show up in a uniform with an armoured van to a convenience store.

    4. Re:Inside Man by Itninja · · Score: 1

      Considering it would cost several orders of magnitude more to buy the truck than one would ever get from small ATMs (most only hold a grand or two, and that's only when they are full), I doubt that would really be worth it. Maybe if you hit ten in one day you could break even.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    5. Re:Inside Man by jimicus · · Score: 1

      Oh FFS.

      What sort of criminal buys a truck?! You show up in a stolen van, and if the shop assistant comments on it, the usual van is in for servicing.

    6. Re:Inside Man by Itninja · · Score: 1

      The only way I can see that happening nowadays would be if one were a legit employee of, say, Brinks for a few months. The person could have built a rapport with the maintenance people over time. Then, maybe, they could steal the truck without any immediate suspicion (but that's doubtful...professional security folks aren't as idiotic or careless as they are on TV). Of course they would have to somehow get around the GPS tracking system in such a way so corporate does not know it's been disabled. The GPS would alert corporate if they go off route or are unexpectedly delayed. Then they would have to get around the remote kill-switch put in all modern armored trucks. In short, they would have to be like one of those fictional 'master' criminals. If they were truly that elite of a thief, I seriously doubt they would be going after small-change ATMs.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  35. paging... by Anonymous Coward · · Score: 0

    john connor...john...connor...please pick up the white courtesy phone...

  36. My head hurts by JohnnyBGod · · Score: 1

    Windows CE-based ATMs

    I wonder who had that brilliant idea...

    1. Re:My head hurts by RightSaidFred99 · · Score: 1

      Probably someone who knows that the application running on top of the OS is what would be hacked in this case, not the OS itself.

      I find most people making these decisions know more than Joe Random, smarmy nerd, on SlashDot in most cases.

  37. Re:Redundancy by Anonymous Coward · · Score: 0

    Actually it is at the moment machines. I.e. the machines before the update.

  38. Bank? What bank? by Anonymous Coward · · Score: 0

    These are ATMs. Most of them are in gas stations or whatnot.

    With that common key, I have no idea why you can't just take the cash right out of the trays.

  39. Re:Redundancy by molecular · · Score: 1

    and who made the first machine? a giant turtle?

  40. Re:Redundancy by mcgrew · · Score: 1

    "Well, I never... machines making machines!" -CP30

  41. Re:MSFT Fanboys HURRY! by RightSaidFred99 · · Score: 1

    Microsoft fanboys don't care what computer illiterate people think, and only a computer illiterate wouldn't know that you can hack a system at multiple levels, both above and below the operating system. Microsoft only wrote the operating system, and it wasn't hacked here.

  42. Re:Really? illegal? by Anonymous Coward · · Score: 0

    Right .... better make those machines illegal so the manufacturer can keep making easily hackable devices without the public ever finding out.

    Open hardware FTW! Closed hardware = unfound bugs.

    Let's not enlist gov't to help businesses stay afloat by making it illegal for consumers to evaluate their failing products, used only by our "trusted" financial system. There's enough of that going around already.

  43. Re:I should hope there's a patch soon by krzysz00 · · Score: 1

    Dammit. Why isn't there an edit button? What I meant to say is that if this issue becomes exploitable, there will be very wide-reaching repercussions that might lead to government intervention.