Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Break Currency Validator To Pass Any Paper As Valid Euro

Posted by Unknown on from the teeny-tiny-security-hole dept.

Trailrunner7 writes "If espionage is the world's second-oldest profession, counterfeiting may be in the running to be third on that list. People have been trying to forge currency for just about as long as currency has been circulating, and anti-counterfeiting methods have tried to keep pace with the state of the art. The anti-counterfeiting technology in use today of course relies on computers and software, and like all software, it has bugs, as researchers at IOActive discovered when they reverse-engineered the firmware in a popular Euro currency verifier and found that they could insert their own firmware and force the machine to verify any piece of paper as a valid Euro note. 'The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible.'"

162 comments

  1. Firmware update? Unlikely. by mveloso · · Score: 4, Funny

    I doubt that you'd be able to hang around a cash register with a serial cable and update some device's firmware without someone noticing. At that point why not just update the cash register's firmware and have it give you money directly?

    1. Re:Firmware update? Unlikely. by Alsn · · Score: 2

      Who says you need to do it in secret? All you would need to do is convince someone to let you do it, either through being in on it, or some other covert means.

    2. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      Have you been shopping in a department store in the last 10 years? There are plenty of times when a cash register in some department is locked+unattended or closed. I mean sure, LP will probably be on you like flies on a turd as soon as you step into the booth, but there are sometimes windows of opportunity. That's why this is disappointing news.

    3. Re:Firmware update? Unlikely. by Moryath · · Score: 2

      Sneakier to modify the reader, because then the register doesn't give you any clues if it's on stock firmware (and someone running a register diagnostic, checking firmware checksum, maybe even checking the firmware flash increment counter will come up blank too).

      The attack here is going to be passing plausible-looking counterfeits to an unknowing person who trusts the reader/register in a "Garbage in, Gospel out" manner that most people approach computers with. Buy something or trick the cashier into making change and voila, "free money" for the counterfeiters.

    4. Re:Firmware update? Unlikely. by Qzukk · · Score: 5, Insightful

      "Hello, I'm from the maintenance department and I'm here to update your firmware to protect you from the exploit that was recently published on 2013-10-13."

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    5. Re:Firmware update? Unlikely. by jandrese · · Score: 5, Insightful

      Unless this attack is a buffer overflow or something when you put in a particularly formatted note, I don't see the issue. "Oh, you can bypass the bill checker if you break the machine open, pull the ROM chips, and put in new ROM chips!"

      According to TFA, the guy went and analyzed the firmware to discover how it worked, and then noted that you could bypass the check routines in it to always set the "good" pins high. About the only thing even mildly worrying is that there is apparently no crypto lock on the firmware, but a crypto lock on the firmware would be useless if you have physical access to the machine anyway, only slightly complicating the job of redesigning the internals, so that's not saying much. There's a reason these machines are secured with a lock and a sturdy metal case.

      --

      I read the internet for the articles.
    6. Re:Firmware update? Unlikely. by SJHillman · · Score: 1

      I used to do small subcontract jobs for extra cash. More than once, I was left alone in a bank branch with the vault open after the employees had left for the day. The only one still around was the manager, and he went outside for 10 minutes for a smoke and a phone call. Again, vault was wide open and less than 10 feet away... not to mentioned unfettered access to all of their PCs and other equipment behind the counter. The only ID check was to see that the name on my driver's license matched the guy they were expecting.

      If a major international bank has branch security that lax, imagine what your average corner store has.

    7. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 1

      as in the case of http://en.wikipedia.org/wiki/Ronald_Dale_Harris he worked as a slot tester for the Gaming Control Board and when he came to check the machine he also added his own code with an exploit

    8. Re:Firmware update? Unlikely. by mcrbids · · Score: 3, Funny

      All you have to do is get a technician costume. You know, a big, black bag with lots of tools in it, perhaps a utility belt, a button-up, short-sleeve shirt with a generic company logo on it. Walk up to the unit with a slightly bored expression, casually pull out your cable, and get to work. Pay no attention to anybody around you.

      Chances are, you just might get away with it.

      SOURCE: I watched Burn Notice a few times.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    9. Re:Firmware update? Unlikely. by TheCarp · · Score: 2

      Have you been in a department store in the past 20 years? They have cameras like would give the DHS a year long stiffy, and a large portion of them are trained right on the registers. Hell, when I was last in a security room, and this was the mid 90s, the Security folks could watch the video and pull up the real time transaction log to watch while watching the video.

      They tend to get upity about people they don't know about touching cash registers too. Though, maybe you could go unnoticed, they also seldom tell you up front "we keep our security footage for 10 days" so its not like you can be sure that you were not recorded doing it.

      --
      "I opened my eyes, and everything went dark again"
    10. Re:Firmware update? Unlikely. by holmedog · · Score: 1

      I *think* the point would be to make the modification once and abuse it multiple times. Where accessing the register would work great once, getting this in and sending in multiple pawns with the counterfeited bills could net considerably more money over long term.

    11. Re:Firmware update? Unlikely. by nospam007 · · Score: 1

      "Hello, I'm from the maintenance department and I'm here to update your firmware to protect you from the exploit that was recently published on 2013-10-13."

      A faster way would be to just give him a 'new' tester and take the old one with you.

    12. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 1

      Which is a vulnerability of your employees allowing access to some stranger, not the device itself. The attacker could equally have said he was replacing the device as well. You can't expect the thing to be a magic box that solves all security problems. Security is about everyone, not a silver bullet.

    13. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      That doesn't change the viability of the exploit. The point that was made, which is still valid, is that it IS feasible to accomplish this. There are so many access points (ie units) with various people around that it's entirely possible.

      Likely? That is a different question and is not really all that valid considering the risk involved.

    14. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      That assumes that you know how the reader works and sends it's data to the main processor for verification. Certainly this is a possible way but it may be much easier, due to the architecture of the system, to simply (as the hack proves) to simply modify the firmware which appears to be fairly insecurely written.

    15. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      You need to explain what you mean by "crypto lock". What should be happening is the firmware should be protected by an asymmetric key/certificate that validates against a certificate authority on a regular basis.

      Simply encrypting the firmware "on the device" without external validation would not be a strong enough protection unless there was a hardened root certificate/key in a chip such as a TPM.

    16. Re:Firmware update? Unlikely. by benjfowler · · Score: 1

      The euro bill validators I've seen look pretty standalone to me. Presumably not just because having them networked leaves them open to attack, also because it's not really necessary.

    17. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      Even if you cleaned out the entire branch of cash, then blew it up with C4, it would be less than 1% of the damage a rogue company trader can, and has done.

    18. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      Unless this attack is a buffer overflow or something when you put in a particularly formatted note, I don't see the issue. "Oh, you can bypass the bill checker if you break the machine open, pull the ROM chips, and put in new ROM chips!"

      Or you when the transactions are rounded off, you could have a subroutine take the left over decimal places and deposit them into an account that you set up. It would only be tiny fractions of a Euro each time - who would notice. What could possibly go wrong?

      BTW, where's Milton?

    19. Re:Firmware update? Unlikely. by sjames · · Score: 1

      Put on a jumpsuit and carry a toolbox. There's a fair chance you will be granted access. By the next week when your partners take advantage of it, nobody will remember what you looked like other than 'he was wearing a jumpsuit and had a toolbox".

    20. Re:Firmware update? Unlikely. by Ant2 · · Score: 2

      Once the machine is open, just take the piles of cash sitting there.

    21. Re:Firmware update? Unlikely. by Rob+the+Bold · · Score: 2

      They tend to get upity about people they don't know about touching cash registers too. Though, maybe you could go unnoticed, they also seldom tell you up front "we keep our security footage for 10 days" so its not like you can be sure that you were not recorded doing it.

      Despite these measures, somebody managed to tamper with POS terminals in dozens of Michaels stores across the US in 2011 (and ALDI markets the year before) and get away with it. In this case they were skimming PINs. The Secret Service investigated, and two guys were caught a year later. But the guys convicted were ATM cash withdrawers hired for the job, not the masterminds or the POS tamperers.

      --
      I am not a crackpot.
    22. Re:Firmware update? Unlikely. by wisnoskij · · Score: 1

      And how did that work out for him?

      --
      Troll is not a replacement for I disagree.
    23. Re:Firmware update? Unlikely. by sjames · · Score: 1

      You just have to plug in a serial cable. No need to break anything open or swap any chips.

    24. Re:Firmware update? Unlikely. by SuperCharlie · · Score: 4, Interesting

      When I was around 12 or so, my dad was in the army and worked on anti-aircraft systems. One Saturday he needed to get or do something at the shop so he drug me along for the ride. Both of us in our plain clothes. We walked up to the shop, 2 guards patrolling, he said hi, pulled out his keys and opened the door. I was in awe of what I saw inside.. 15 M163 Vulcan self-propelled anti-aircraft guns all in a line. We piddled with some things, he started one up and made sure to tell me repeatedly dont stand in front of this.. (the radar).. and after an hour or so we left.

      Almost to the car, he said.. "you remember those two guards?" "Yes.." I said "I didnt know them from Adam. You can get away with anything if you look like you know what you are doing."

      A lesson I have remembered all my life and used on more than one occasion.

    25. Re:Firmware update? Unlikely. by sootman · · Score: 4, Insightful

      > Which is a vulnerability of your employees
      > allowing access to some stranger...

      I work in an office with over 500 employees. Do you think I know everyone who works in security, telecom, and I.T.?

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    26. Re: Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      hi I am hear to install the update to take the new notes

    27. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      How do you access the serial port without breaking anything open?

    28. Re:Firmware update? Unlikely. by Baloo+Uriza · · Score: 3, Informative

      And yet, it still surprises me how many places that have called my company for service see me arrive on site holding a clipboard, a cardboard carton, and a toolpouch full of screwdrivers, and automatically assume that I'm there to fix critical equipment touching customer data without so much as checking my paperwork, much less checking ID. People are stupid. This trick could very easily work in plain sight.

      --
      Furries make the internet go.
    29. Re:Firmware update? Unlikely. by behrooz0az · · Score: 0

      Let's see...
      http://news.cnet.com/8301-17938_105-10027606-1.html (there are dozens of alternatives, the title was just so fit for here)
      linux
      PL2303
      Am I missing something?

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    30. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      I'm going to guess you never heard of the Teensy. This could be done with something that can fit in a small pill bottle.

    31. Re:Firmware update? Unlikely. by mlts · · Score: 3, Interesting

      There are some fairly sane security measures a maker of a security device can do for fairly cheap to ensure that a tampered device isn't going to work without a lot of money and time put in:

      1: If it is something static like a bill checker, take the time to heavily QA the device, including throw prototypes in the field for a while. Then, just have the firmware burned into a ROM (a true ROM, not an EEPROM, EPROM, PROM, flash, or an OS on a HDD... it goes into silicon and is not modifiable, period.) Of course, a bill checker might need updates when the currency gets a facelift, so a bill checker likely would need some type of upgrade mechanism.

      2: If an update mechanism is needed, TPM chips are not expensive. In fact, some ARM CPUs have them built in. That solves 95% of the problem right there, because if the OS isn't signed, the OS won't be able to decrypt the last stage and boot.

      3: As a subset of #2, the code that allows flashing of ROM images should be in a non-alterable, signed image. This way, if the main OS image has to change, it has to go through the "gatekeeper" image to be written to the boot medium, or it doesn't get on there.

      4: Multiple images. This way, if a flash image is verified and copied to a temporary space and is being copied to the main storage, a power failure doesn't brick the device. The TPM boots, finds the signature of the first image fails, tries the backup, boots from that. The flash process updates both images, so only one would be inoperable during an update at a time.

      5: To prevent flashing to a less secure previous version, the OS image that does the image update work can be set to look at version IDs, or optionally, if the ID is signed with a certain flag, can allow earlier versions to overwrite newer ones, or have beta images be able to be downgraded if needed.

      6: The image flashing would have to be via a physical process, such as a USB connection. This way, devices can't be upgraded over the network, which shuts out a lot of potential exploits.

      I'm sure I've missed a few items, but it doesn't take a lot of engineering to have an update mechanism in place that is tamper resistant.

    32. Re:Firmware update? Unlikely. by sjames · · Score: 1

      It's on the back.

    33. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      How do you access the serial port without breaking anything open?

      Because the serial port is already on the outside of the enclosure.

      An ATTiny PIC (Think a microchip with only 8 pins, 4 per side) smaller than my fingernail can be loaded up with code, clips for a battery, and an optional push button. Once powered and the button pushed, two of the pins are used as GND/TX of a serial port, and blast out the reprogramming commands to anything it's connected to.

      This "reprogrammer" would be physically smaller than the coin cell watch battery it was connected to, and could have a full db-9 serial port for "idiot proof" use, or just two wires to put into the right holes.

      Plug it in the exposed bill validaters serial port, clicky a button, and now the bill validater will accept real money in addition to sheets of paper with your special custom mark(s) on it.

      As both articles and the summary said, these machines are frequently used in non-staffed places, so used there you have very little to no chance of getting caught.

      But even in the other cases where a person is there, that doesn't change the location of the serial port on the back of the thing.

    34. Re:Firmware update? Unlikely. by Wycliffe · · Score: 3, Insightful

      And how did that work out for him?

      Don't be so smug. Crimes like these have a reverse survivorship bias. You usually
      only hear about the ones that get caught or at least leave evidence behind.

    35. Re:Firmware update? Unlikely. by Darinbob · · Score: 1

      You still have to create the counterfeit note. If the shop attendant is accepting your Monopoly money as valid currency which is then validated by the machine, then the weakest point in your security is not the currency validator.

    36. Re:Firmware update? Unlikely. by Belial6 · · Score: 1

      Until, part of logging into the register becomes running a test paper through the tester. This is one of those attacks that would be high risk, high skill, and low payoff.

    37. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      worked just fine until he got greedy and started on keno

    38. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      does it even have to be a register? what about automated vending machines? Free soda and chips!

    39. Re: Firmware update? Unlikely. by Anonymous Coward · · Score: 1

      Quite well, actually. "From 1993 to 1995, Harris and an accomplice stole thousands of dollars from Las Vegas casinos, accomplishing one of the most successful and undetected scams in casino history." Note, "undetected".

      He got caught when he got tired of hitting jackpots on slot machines and instead figured out how to predict the state's Keno game's pseudorandom number sequence. He didn't make his winning ticket believable enough to avoid them taking a closer look at the guy who redeemed it and noticing that he was linked to a computer programmer who worked for the gaming board... and, well, that sort of thing arouses suspicion.

    40. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      ROM isn't burned it's a step in making the wafers so it is expensive and you need to buy lots of them, and if you can do updates anyway what's the point in ROM?

    41. Re:Firmware update? Unlikely. by TheCarp · · Score: 1

      Well, I am not saying it can't be done or you can't get away with it. I am just saying its a pretty bold move and one that a smart crook would realize is likely going to be tricky to pull off without too much risk of getting caught.

      However, this case isn't really the same, i don't think. Check this part out:

      crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.

      If that is true, then while it doesn't rule out someone entering individual stores and tampering with equipment, it does make me think that this was not the attack vector. Sounds to me like its more likely they were compromised at a higher level and the devices were likely trojans before they ever arrived on site.

      This, of course, makes me suspect someone at the company that services their cash register systems was involved in some way. I would suspect the payment processor (who, as I understand it, generally is the source of those pads, in fact, if I remember my wife's rants from when she used to work in that industry.... its quite a racket itself) but, then I would expect it to not be isolated to one chain..... but its all speculation.

      --
      "I opened my eyes, and everything went dark again"
    42. Re:Firmware update? Unlikely. by blackraven14250 · · Score: 1

      Ok, so let's not be proactive, since we can be reactive instead.

    43. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      I'm sure I've missed a few items, but it doesn't take a lot of engineering to have an update mechanism in place that is tamper resistant.

      Sure you did: what about JTAG ?

    44. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 1

      He drugged you when you were 12? Shit...

    45. Re: Firmware update? Unlikely. by pclminion · · Score: 1

      Suspicion yes, but that's still not proof of anything. How did they eventually nail him? I realize you can convict on circumstantial evidence, but "He was capable of it" doesn't seem like quite enough proof.

    46. Re: Firmware update? Unlikely. by wickedskaman · · Score: 1

      It's highly likely his accomplice flipped on him in a plea deal.

      --
      Sand's overrated... it's just tiny little rocks.
    47. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      Along the same lines, I have gained free entry to a few concerts and rave parties, simply by walking through the gate like I own the place.

    48. Re: Firmware update? Unlikely. by Samantha+Wright · · Score: 1

      Oh yes it is. Why else would this exist or this be so aggressive? If you're a programmer, then you are a witch and you are suspicious; end of story. No one with any lawmaking responsibility knows what you might be capable of, but it's probably at least as bad as this. Therefore, this happens. How does it feel to be branded a potential enemy of the state just because of an aptitude for creative problem-solving?

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    49. Re:Firmware update? Unlikely. by Askmum · · Score: 1

      And that is why you never, ever, in a security situation allow people access without prior written notice.
      This random dude shows up at your desk and tells you to change your machine? Go away and have someone validate your presence and purpose here. At least talk to my boss because I haven't been told anything needs to be done. And yes, believe me: these things are announced prior to it taking place. If they are not, well do I really have to explain it's a big security hole?

    50. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      And all this defeated easily by just replacing the electronics with a custom version with your own microcontroller. One could possibly sign the results cryptographically, but then you end up with the classic key distribution problem.

    51. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      So you dress up as a "repair man" complete with company jumpsuit and tools before approaching the device. Most people don't stop to question the "repair man" because it looks like a perfectly normal situation, but it wouldn't be the first time that disguise was used as part of a hack that required physical presence.

    52. Re:Firmware update? Unlikely. by sumdumass · · Score: 1

      Obviously, this happens somewhat a lot. All we need to do is look at the credit card skimmers that get installed on gas pumps and ATM machines. They may not even need a knowing insider either. But it already happens

    53. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      Less well than it works out for all of us who get free money from the slots pretty regularly.

    54. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      Spend a week in Italy where shop keepers are frequently absent from or unobservant of their POS terminals. People regularly bring in 50 Euro notes for change. A regular money maker would be to flash the validator near a POS and then bring by a counterfeit 50 for change about three times a week. If noone else knows the scam you can continue for several weeks before stopping. It's not a long term scam, just an easy one.

    55. Re:Firmware update? Unlikely. by Anonymous Coward · · Score: 0

      My experience has been that the generic uniform of: hat with company logo, polo and khakis, a small tool bag, box of CAT5, and a sense of 'supposed to be there' are all you need. It's a cliche' but it's effective. As long as people are ignorant of the work of technicians of any variety social engineering will work. That said, noone can or should specialize in the work of all technicians, so social engineering will always have a place.

  2. Well duh by PhilHibbs · · Score: 4, Insightful

    If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?

    1. Re:Well duh by CastrTroy · · Score: 2

      Of course, now that the vulnerability is known, owners of the machines should be regularly verifying that they work correction. They should verify that real notes are not flagged as counterfeits, and they should be able to verify that counterfeits do not get verified as legitimate. However, it might be hard to verify, depending on how the machines work. If you reprogrammed the firmware so that all valid notes are verified, but that only counterfeits with your unique ultraviolet ink pattern are legitimate, then most tests with other counterfeit bills would fail, and the machine would look as though it was working properly. If you had physical access to the machine, and there's enough free space in there, you could probably get it to respond to a bluetooth signal to give the desired response, in which case black box testing with different notes could not verify that the machine was working correctly.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Well duh by Anonymous Coward · · Score: 0

      Some people are unaware that if you change things, things change.

    3. Re:Well duh by gstoddart · · Score: 5, Insightful

      f you can physically access and modify a machine, you can change the way it behaves. Is this really news?

      This part of the article is what struck me:

      After watching some videos from the vendor Inves on the machine's operations and reading through the machine's documentation, Santamarta came to the conclusions that some of the security claims the vendor makes were somewhat specious.

      "Unfortunately, some of these claims are not completely true and others are simply false. It is possible to understand how Secureuro works; we can access the firmware and EEPROM without even needing hardware hacking. Also, there is no encryption system protecting the firmware"

      So it sounds more like the company said "our stuff is secure, awesome, and hax0r proof", and someone essentially said "challenge accepted".

      That he could do the initial reverse engineering without ever even having had the device (he downloaded just the free firmware) tells me that this device was pretty ripe for the picking.

      --
      Lost at C:>. Found at C.
    4. Re:Well duh by Anonymous Coward · · Score: 0

      Can they do it wirelessly? Over the internet?

      But more importantly, will it blend?

    5. Re:Well duh by Anonymous Coward · · Score: 0

      The news is that there is absolutely no security to make the manipulation hard. If they used signed or encrypted binaries changing the behaviour of the validator would require visible changes (replacing the chip with the hardcoded decryption key). Right now you can switch a hacked validator with a working validator or just hack a certified working validator and nobody would be able to tell the difference. It is like giving people direct access to the internal state of a voting machine.

    6. Re:Well duh by Anonymous Coward · · Score: 0

      If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?

      Better. They can do it ELECTRONICALLY!

      Run and hide!

    7. Re:Well duh by Anonymous Coward · · Score: 0

      Not quite sure how your post got an insightful rating since you seem to imply that the device needs no special protections other than from over the wire. That's showing quite a depth of ignorance as to the security that needs to surround these types of high risk devices. If you think it's "reasonable" to think that if you manage to steal an ATM that it should be reasonable to expect that you should then be able to find ways to hack other ATMs "in place" then you are mistaken. If the security of the device is sufficient you should NOT be able to do so.

      And don't bring up proxy keypads and other external, non-integral, device hacks. Those don't break the devices security. They act as a user using a users credentials. Those hacks require greater physical security and other methods not necessarily internal to the operation of the system.

    8. Re:Well duh by leonardluen · · Score: 1

      If you reprogrammed the firmware so that all valid notes are verified, but that only counterfeits with your unique ultraviolet ink pattern are legitimate

      but that makes it easier to pin you to other counterfeiting instances where they find those bills with your "signature" on them in a dozen different places. if you weren't using fancy counterfeit bills, then they might only be able to pin you to the place they caught you.

      you would have a similar issue with the bluetooth dongle when they catch you using it. "hey we found those fancy bluetooth things in 3 other stores i bet this guy is responsible for those too!"

      these people often are caught when they get greedy and attempt to repeat it over and over or do it for such a large sum of money that it doesn't go unnoticed.

    9. Re:Well duh by tlhIngan · · Score: 1

      If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?

      Or in this case, when you're in front of the kiosk. Wirelessly is nice, over the internet is nice, but can I, when I'm about to insert my money, update the firmware from that side of the machine? If not, and I have to break into the kiosk to get at it, well, it's not a very interesting hack anymore.

    10. Re:Well duh by mjwalshe · · Score: 1

      or have each machine checked with a dud before as part of the store opening / shift change routine

    11. Re:Well duh by pjt33 · · Score: 1

      The cunning approach would be to make it check for only the easiest to forge markers. E.g. if you make it ignore ultraviolet and just look for the yellow Eurion rings it will accept valid notes and any note which is a reasonable copy.

    12. Re:Well duh by fatphil · · Score: 1

      Heheh, but I modified the firmware so that the first check of the day returns "dud"!

      --
      Also FatPhil on SoylentNews, id 863
  3. This is a hack? by Joce640k · · Score: 2

    Sure... if I'm allowed to take the machine away and modify it I can just replace the electronics with a 555 timer or something. All it has to do is light up a green LED when a piece of paper goes through it.

    --
    No sig today...
    1. Re:This is a hack? by Anonymous Coward · · Score: 0

      If you can take the machine away and modify it, why worry about any of this? Why not just open it, and grab the cash inside?

    2. Re:This is a hack? by Anonymous Coward · · Score: 1

      Pulling a machine apart, figuring out how it works, putting it back together.... the original definition of the word 'hacking', before media got involved.

  4. Big surprise there by Anonymous Coward · · Score: 0

    You mean to tell me once you get physical access to something all bets are off? No way!

    1. Re:Big surprise there by IndustrialComplex · · Score: 1

      There is physical access, and then there is physical access for a long period of time.

      This is more impressive because compromising the system only takes a few seconds. Contrast that to a laptop with epoxy on the ports. I have no doubt it could be broken into, but not in a few seconds, and not without obvious physical signs of access.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  5. Just Hogwash by Anonymous Coward · · Score: 0

    If you need to open the machine in order to get access to the validator to re-flash the firmware you can just take whatever you want out of the machine (including any cash already in it).

    What benefit is there to convince the machine to accept counterfeit currency just so you can buy something you already had physical access to?

    1. Re:Just Hogwash by PPH · · Score: 1

      This.

      Because any company that discovers its cash machine is stuffed with paper and doesn't take it off line immediately is an idiot. The total take from any hacked machine will be the cash and product sitting inside it at the moment. p.Now, this could be different if the 'access' needed to flash the firmware is much less than that needed to grab the cash. A cash machine linked to the bank over an unsecure wireless link and no firmware signing protocol? That could be worthwhile. Push an update and then stand in front of the machine as it makes change or spits out product?

      --
      Have gnu, will travel.
  6. Some sense of history? by Anonymous Coward · · Score: 0

    "If espionage is the world's second-oldest profession, counterfeiting may be in the running to be third on that list.

    Money is pretty recent, the oldest stamped coins were about 650 BC, paper money around 1000 CE.

    1. Re:Some sense of history? by Anonymous Coward · · Score: 0

      If espionage is the world's second-oldest profession, then the moon is made of cheese.

      Ex falso quodlibet sequitur

    2. Re:Some sense of history? by SJHillman · · Score: 1

      There were probably counterfeit goods before then in the sense that they were incredible crap that appeared real until the trade was over with and the counterfeiter long gone.

    3. Re:Some sense of history? by IndustrialComplex · · Score: 1

      I define cheese as Lunar regolith. You wouldn't believe the prices NASA charges for a simple gouda.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    4. Re:Some sense of history? by Anonymous Coward · · Score: 0

      If espionage is the world's second-oldest profession, then the moon is made of cheese.

      I define cheese as Lunar regolith. You wouldn't believe the prices NASA charges for a simple gouda.

      It does not matter how you define cheese: you can infer anything, be it true or false, from a false proposition.

      Your re-definition of cheese might make the second part of the implication true, but the complete statement is true anyway.

  7. In other news. . . by Anonymous Coward · · Score: 0

    Hackers with temporary physical access to bank vaults could steal money.

  8. Second-oldest profession FTFY by Anonymous Coward · · Score: 4, Funny

    Politics is the worlds second oldest profession, noted for it's uncanny likeness to the first.

    1. Re:Second-oldest profession FTFY by Chemisor · · Score: 3, Insightful

      You are absolutely right. Here are the top ten similarities between politics and programming:

      • Design is always better than the implementation.
      • Our number generators are random. Really.
      • Polling is a lousy way to gather information.
      • Codes always have bugs and loopholes. When they are found, lawyers are often involved.
      • Old codes never die and never fade away.
      • After failure, always blame the third party.
      • Paying for support is expensive.
      • DRM and vendor lock-in are the best means of increasing sales.
      • Never listen to your your customers when they say they want fewer features. They must be lying.
      • Power corrupts. That's why we have checksums and balancing.
  9. physical access is total access. by Anonymous Coward · · Score: 0

    physical access is total access.

  10. Movie plot by guytoronto · · Score: 1

    This sounds like something they could use as the basis for Ocean's 14.

    1. Re:Movie plot by Thanshin · · Score: 1

      I thought they had passed the twenties by now. You know, like "Ocean's horde.", "Ocean King", "The savage sword of Ocean"...

    2. Re:Movie plot by gstoddart · · Score: 1

      "The savage sword of Ocean"...

      Sounds like a porn title to me. ;-)

      --
      Lost at C:>. Found at C.
    3. Re:Movie plot by mythosaz · · Score: 1

      You must not watch enough porn.

      I was thinking Magic The Gathering card...

  11. Good start by c · · Score: 1

    The next step in the attack process I'd like to see is a design for a counterfeit bill that'll trigger a bug in the firmware causing it to pass the bill. No need for pesky access to the machines in advance.

    --
    Log in or piss off.
    1. Re:Good start by FrankSchwab · · Score: 1

      That has a very narrow window of opportunity - basically, from the time the machine is serviced (cash removed and added) until the next time it's serviced. As soon as the money counting room notices your counterfeit bill, countermeasures will begin to be developed. The machine will be replaced and sent for analysis, firmware will get reflashed, ports will get sealed up.

      This is a great hack if your intent is to hire a large number of people to pass counterfeit bills at many machines in the same day, as a one-time hack. You could collect millions and pay out hundreds of thousands. Not a bad approach - but it requires a fairly large organization. Likelihood of long-term success (think not going to a federal PMITA prison (they have those in Europe, don't they?)): low.

      --
      And the worms ate into his brain.
    2. Re:Good start by c · · Score: 1

      This is a great hack if your intent is to hire a large number of people to pass counterfeit bills at many machines in the same day,

      This would be a great hack if your intent was to demonstrate the simplest and least detectable attack against an anti-counterfeiting device, which is a logical follow-through on the "need a few minutes alone with the machine" attack.

      I don't find the money-making angle particularly interesting, myself, nor (apparently) do the people who came up with the firmware hack.

      --
      Log in or piss off.
  12. green blinking light by tommeke100 · · Score: 1

    Sure.
    You can also just open the box and let the green light blink when it senses a paper.
    Fix: test the machine first with real euros and plain paper.

    1. Re:green blinking light by fatphil · · Score: 1

      counter-counter-measure: still fail blank pieces of paper

      --
      Also FatPhil on SoylentNews, id 863
  13. Scraping the bottom of the barrel much? by ugen · · Score: 2

    I've got a better "hack" for them. Buy one of these devices (I am sure they are not hard to obtain). When it arrives, update firmware - or better yet, remove internal IC board, and replace with a battery hard-wired to "green light" (or whatever method they use to flag "good currency"). Then come to the store of your choice, and with a sleight of hand replace the device they already have. Presto! Will take a lot less time than "hacking" one at the store.

    Of course, if that's a "hack" - how about just taking a cash register and carrying it off?

  14. Easier to just steal by wiredlogic · · Score: 2

    If you have physical access to the validator it would be easier to skim some bills from the machine and remain undetected rather than modify it to accept fake bills that will be noticed as soon as the owner brings them to a bank.

    --
    I am becoming gerund, destroyer of verbs.
    1. Re:Easier to just steal by IndustrialComplex · · Score: 1

      If you have physical access to the validator it would be easier to skim some bills from the machine and remain undetected rather than modify it to accept fake bills that will be noticed as soon as the owner brings them to a bank.

      Ever hear the phrase, "Her register was short"?

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    2. Re:Easier to just steal by wiredlogic · · Score: 1

      Bill validators are mostly used on vending and change machines. A typical operator just visits periodically to restock the product dispensed and take the money inside. The validator tracks how much it took in but many require additional hardware to read that information out which most people would be too lazy to bother with. Skimming from a compromised machine is likely to go undetected.

      --
      I am becoming gerund, destroyer of verbs.
  15. espionage? by Anonymous Coward · · Score: 0

    "espionage is the world's second-oldest profession" who says that ?

  16. More sensational junk... by Lumpy · · Score: 1

    "Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible."

    Yes if they have a lock picking set and gain access to the inside of the device to do the modification first.

    Heck stealing all the gold in Fort Knox is easy as they have the gold bars just laying there, all you have to do is get inside!

    --
    Do not look at laser with remaining good eye.
  17. in the running by Anonymous Coward · · Score: 0

    How can anything "be in the running" for the third-oldest profession? It either is or it isn't.

    1. Re:in the running by mark-t · · Score: 1

      The expression "in the running" is used to describe that there exists some uncertainty about the matter, but not so much as to significantly diminish the likelihood of whatever it is that is being described.

      --
      File under 'M' for 'Manic ranting'
  18. Secure Boot by Anonymous Coward · · Score: 0

    there is the difference between being able to trivially boot a new firmware and non-trivially boot a new firmware

  19. So what and who cares. by Anonymous Coward · · Score: 0

    I'm just asking because a.) these things are going to be primarily installed in vending machines. Who is going to go through the trouble of
    breaking into something like that and changing the firmware (nevermind the research and the risk) b.) just to get what?? Free
    Coffee? It's not like they have ATMs over there that accept cash, I've never seen anything like that in Deutschland and even if
    they did .. again so what.. break into the ATM (!) to manipulate the cash verifier so you can deposit what...? A thousand EUR??
    This isn't news and who cares.

  20. Let me get this straight :D :D by gurps_npc · · Score: 1
    If I have access to a machine, enough to say, open it up physically, remove the hard drive that runs the computer, and replace it a doctored one I created, then I can make it do what I want?

    Oh, you mean I don't have to trade the hard ware, just the software?

    And, the ski is BLUE, you say?

    I am shocked, SHOCKED to hear these disturbing facts. Someone should do something.

    --
    excitingthingstodo.blogspot.com
  21. Currency Validators? by Necron69 · · Score: 2

    Ok, dumb American here. Are 'currency validators' that common in Europe? The only thing that comes to mind here in the US is the 'dollar bill accepters' on vending or change machines. Other than those, I don't think I've ever seen a currency validator on a cash register anywhere. Occasionally, you get a sales clerk who will hold a $20 or $100 up to the light to look for the security strip (in American bills), but that's pretty much it over here.

    - Necron69

    1. Re:Currency Validators? by freeze128 · · Score: 2

      ...And if you read the summary thinking of a bill validator, you come away with a "DUH! No kidding dummy!" feeliing. In order to hack a bill validator, you would need to open the vending machine, remove the bill validator, disassemble the validator, update or replace the rom, then put everything back together again. If you're going to do that, you could just grab the money and a coke after the first step.

    2. Re:Currency Validators? by swb · · Score: 1

      They sometimes use those pens that are supposed to either leave a mark or not leave a mark if the bill isn't legitimate. I've had that done the few times I've used $100 bills.

    3. Re:Currency Validators? by Minwee · · Score: 1

      They're pretty common anywhere that money is worth more than the US dollar.

      The simplest ones are little more than an ultraviolet light that you could pass the bill under. Not that much different in principle from holding it up to a light to see the security strip, but significantly more effective.

    4. Re:Currency Validators? by ericloewe · · Score: 1

      Short answer: Yes, but you'll never notice them.

      Long answer: Any large store (supermarket and up) has one of those things at every cashier station. Typically, low-denomination bills are simply accepted without any non-trivial checks. 50€ and up and you may start raising some flags (50€ banknotes are supposedly, by far, the most common counterfeit of all Euro banknotes) - mostly they'll go in the machine and that's it.

      The "fun" starts with 100€ banknotes - you don't see those much in your average store. Try to pay with a 200€ and the manager will probably be called to double-check it. Try to pay with one or more 500€ banknotes and you're in for a wait while the manager checks them out.

      Since nobody in their right minds tries to pay stuff with 100€+ banknotes in the vast majority of cases, and most cash purchases are in coins and/or 5€, 10€ and 20€ (50€ banknotes are popular with somewhat older people who don't have or prefer not to use cards, but are otherwise only seen when an ATM inexplicably gives you one or two instead of smaller denominations), the typical cash experience does not involve getting your cash "validated".

    5. Re:Currency Validators? by Anonymous Coward · · Score: 0

      As recently as a couple of months ago, here in the UK, I'd have said no, but both of the supermarkets that I shop at regularly have had them installed recently. They also have the advantage that they keep the bill after validating it, so the cashier only has access to the float in the till.

    6. Re:Currency Validators? by Anonymous Coward · · Score: 0

      Not in the UK (to my knowledge as a store manager). The only devices used by a cashier are either reactive pens (the ink of which only shows up on forgeries) or UV light sources. There may well be some equivalent kind of currency validator used in vending machines that accept notes, but those are relatively new introductions over here (past 10 years or so).

    7. Re:Currency Validators? by Anonymous Coward · · Score: 0

      So, the hack mentioned is even more ridiculous that I even first screamed about? The validators they are talking about aren't consumer facing? No one is forcing a cashier to use them, or a business to use them? The only people that have that access are the cashier/owner, so if they hacked their reader, they'd only be hurting themselves?

    8. Re:Currency Validators? by pspahn · · Score: 1

      Yeah, I was wondering about these devices as well. Clicking through a couple links on TFS, I found the Secureuro device that looks not all that different than one of those check (as in checking account) readers.

      I've never seen one of these being used, and the closest thing I could think of that might be the same is the insert cash slot thing on the grocery store self-service checkout kiosks. I doubt you're going to be able to hack those devices physically unless you have an insider to grant access after hours or something. The run-of-the-mill "I'm a technician" hack isn't going to work on those, as the store manager is not going to let an unscheduled "service" be done on a device that handles that many transactions.

      I imagine the best place to go to find these in the States is a Las Vegas casino cage. Again, another place where physical security is going to be difficult to bypass.

      --
      Someone flopped a steamer in the gene pool.
    9. Re:Currency Validators? by Anonymous Coward · · Score: 0

      People still use bundles of large bills to make legitimate purchases in stores in Europe? Are you sure you live in the 21st century over there?

    10. Re:Currency Validators? by Anonymous Coward · · Score: 0

      It's worth more if you try to convert them to each other on a 1:1 basis. Purchasing power parity? Might want to reconsider your statement.

    11. Re:Currency Validators? by Anonymous Coward · · Score: 0

      Most retailers here in the UK have a UV lamp on the desk. Someone pays with a lot of notes or high value notes? just fan them out under the lamp - there are bright green and red markings on the notes that only show up under UV light, and the inks needed to print them are impossible to get hold of (source materials are controlled as well).

      You've got multiple levels of fallback on top of that as well; real notes are linen, not paper, so don't give that blue glow when under a UV lamp (and don't respond to starch detector pens). holograms, the metal strip woven through the note, micro text (look at the linework under a magnifying glass - the lines are tiny text that read 'twenty pounds' or whatever. Typeface is too small for even high resolution laser or photo printers to reproduce on stock that would pass as a note), and lots of markings that show through against a light source so you can check for alignment.

      In six years of 'cashing up' a retail store, I've only seen two counterfeit notes get through the till clerks. One was a blatant photocopy on a home inkjet (cashier must have been asleep, didn't even have the right colour!), the other looked good and had the right alignment, but the UV marks were missing and the metal thread & holograms were printed over the top with a foil machine or something. Paper stock as well, so glowed white under the lamp.

      Kept that last one around to show new cashiers what to look for.

      Basically, there's so much that a counterfeiter has to get right over here that most just don't bother now. Instead it's all cloned cards (no sir, your Visa Electron card is *not* supposed to ask for a signature, it's meant to ask for a PIN. Sure it's just the machine on the blink but I'm going to have to call for authorisation all the same) and identity theft.

    12. Re:Currency Validators? by pjt33 · · Score: 1

      One of the three supermarkets I regularly shop in in Spain uses them. The device is separate from the cash register, and they definitely test notes as low as 20€. I'm not sure whether they also test 10s.

    13. Re:Currency Validators? by Anonymous Coward · · Score: 0

      That's because your government is printing money as fast as it can, counterfeiting is actually helping them

    14. Re:Currency Validators? by Anonymous Coward · · Score: 0

      From my experience, only old people (and maybe criminals) use cash for larger purchases in Europe.

  22. Prostitution is the second oldest profession. by metrix007 · · Score: 1

    We had to farm before we had civilization.

    We had to have civilization before we could have money, and charge to fuck.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:Prostitution is the second oldest profession. by Laxori666 · · Score: 1

      You are thinking too narrowly. Who says it has to be for currency? "I will fuck you if you give me food." Better if you imagine it conveyed with body language and grunts vs. english.

    2. Re:Prostitution is the second oldest profession. by Anonymous Coward · · Score: 0

      Hunting and gathering is the oldest activity. Prostitution (giving sex in exchange for something someone else hunted or gathered) is the oldest profession.

    3. Re:Prostitution is the second oldest profession. by metrix007 · · Score: 1

      In that context, food is the currency.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    4. Re:Prostitution is the second oldest profession. by danlip · · Score: 1

      We have observed chimps exchanging food for sex. No civilization, farming, or even language necessary for prostitution.

    5. Re:Prostitution is the second oldest profession. by David_Hart · · Score: 1

      We have observed chimps exchanging food for sex. No civilization, farming, or even language necessary for prostitution.

      We still exchange food for sex, isn't that what date night is?

    6. Re:Prostitution is the second oldest profession. by PPH · · Score: 1

      "I will fuck you if you give me engagement ring."

      FTFY.

      --
      Have gnu, will travel.
    7. Re:Prostitution is the second oldest profession. by Anonymous Coward · · Score: 0

      Grunting is part of the transaction. It's like an old-time cash register going "ka-ching".

      Fluid transfer and children are the receipt. Sorry, no returns.

      Thank you, please come again! (There are so many jokes to be made...)

    8. Re:Prostitution is the second oldest profession. by Anonymous Coward · · Score: 0

      I saw a nature show that demonstrated this exact scenario in some type of ape.

      I think that pretty well puts it in 'oldest profession' territory.

    9. Re:Prostitution is the second oldest profession. by Amouth · · Score: 1

      we were both thinking along the same lines

      http://www.youtube.com/watch?v=c82z_bxy60E

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    10. Re:Prostitution is the second oldest profession. by Laxori666 · · Score: 1

      Well, sort of. In any case, you need neither farming nor civilization to have food. Humans were hunter-gatherers before farmers. Thus YOUR INITIAL POST IS WRONG - YOU ARE DEFEATED - I HAVE WON AN ARGUMENT ON THE INTERNET! OH YES!

    11. Re:Prostitution is the second oldest profession. by metrix007 · · Score: 1

      Hunting and gathering is not farming. Farming is a profession, and is older than prostitution.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    12. Re:Prostitution is the second oldest profession. by fatphil · · Score: 1

      I would contend that he who makes the best spearheads, or makes them most efficiently, would probably be relied upon for making spearheads for many other hunters, and possibly not even have a hunting role himself. So perhaps flint-knapper is the oldest profession? (Wood equivalents too.)

      However, we really don't know how far back prostitution goes, so date comparisons are destined to be uncertain.

      Maybe shaman is the oldest profession?

      A *lot* (in fact everything) depends on how you define "profession", of course.

      --
      Also FatPhil on SoylentNews, id 863
    13. Re:Prostitution is the second oldest profession. by metrix007 · · Score: 1

      I think it's pretty simple.

      We know that civilization came from agriculture.

      Agriculture...is a job, not just a behaviour.

      Monitoring crops, watering them etc.

      How is that not the first profession?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    14. Re:Prostitution is the second oldest profession. by fatphil · · Score: 1

      The fact that we were doing a whole range of specialised tasks *before* embarking on agriculture takes the wind out of those sails.

      --
      Also FatPhil on SoylentNews, id 863
    15. Re:Prostitution is the second oldest profession. by metrix007 · · Score: 1

      What? Like what?

      It is widely acknowledged that civilization stems from agriculture.

      We really were not doing anything too advanced before agriculture besides fucking, eating and sleeping. Maybe drawing on a wall here and there.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    16. Re:Prostitution is the second oldest profession. by fatphil · · Score: 1

      What are you eating? Food doesn't just land on your plate. We were accomplished hunters of animals in pre-agricultural times. And we didn't hunt with our bare hands - we were fashioning spears and other weapons to aid in hunting, and other knives for food preparation and clothing manufacture. We were making rope, and making sleds.

      There were plenty of specialised tasks to do before we decided to settle down. If you've got specialisation, and a system of quid pro quo, then you've got professions, IMHO.

      --
      Also FatPhil on SoylentNews, id 863
  23. Re:Let me get this straight :D :D by Iceykitsune · · Score: 1

    And, the ski is BLUE, you say?

    I could have sworn my skis were red...

    --
    GENERATION 24: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
  24. Sure Obama has some accomplishments, but... by nucrash · · Score: 1

    He put some of the people responsible for the 2008 banking crisis in charge of the places were they can continue to loot the economy. He managed to put a troll in charge of Homeland Security He managed to put the company that paid 0 in taxes and took more tax credits in charge of economic development. I am certain that if he weren't chasing down the heads of terrorist groups with drones, he would probably put them in charge of the CIA. Do we have anyone charged with being a peeping tom to put in charge of the NSA, because the current guys just aren't creepy enough. I vote KY_Anonymous for being the head of the Cybercrimes division. While we are at it, let's get Bernie Madoff and get him somewhere important for heading up the SEC.

    --
    Place something witty here
  25. So.. what? by Anonymous Coward · · Score: 1

    So... if people with the right cmoputer skills are given time and access to a computer that decides stuff, they can change how it decides stuff?

    No shit?

  26. LOL by Anonymous Coward · · Score: 0

    Criminal 1: "Woohooo! The dumbasses left the machine all alone without cameras and they even left it unlocked!"
    Criminal 2: "Sweet! Let me just bust out this laptop and serial cable and download some firmware updates and then we can come back tomorrow and trick it to give us free stuff!"
    Criminal 1: "WHAT WAS THAT??? I can't hear you over the noise of the truck I'm backing up. Help me unload the thing so we can drive away!"

    I mean, seriously, as a criminal, why would you spend your time hacking the firmware on the thing if you already have it open? Take the shit out of it (money that people have already put in it, even!) and take all the product too, then GTFO.

    I guess it was fun for the hackers, but this is not really an exploit even worth the effort to patch.

  27. Does it count at counterfeiting? by linear+a · · Score: 1

    Does it count as counterfeiting if I reprogram the machine to take any paper as cash and then feed it blank paper?

  28. Counterfeiting ? by mbone · · Score: 3, Insightful

    If it accepts _any_ piece of paper, I don't see how that is counterfeiting - theft and fraud, sure, but if I make no effort to copy something, how is that still counterfeiting?

  29. Vote Parent Up by Another,+completely · · Score: 1

    My first thought too. If the thing the machine sells is worth so much (maybe train tickets), then the money in there is probably still worth more than free tickets until the hack is patched.

  30. Astronomy / astrology by mbone · · Score: 2

    If you go by buildings, you could make a good case for astronomy / astrology being the oldest profession. Stonehenge, the pyramids, etc., they all either were observatories, or needed a fair amount of astronomical knowledge to build.

    1. Re:Astronomy / astrology by danlip · · Score: 1

      Astronomy came after farming. Farming came after hunting and gathering. But prostitution may have occurred any of them. Chimps exchange sex for food. But what do you consider a profession? If you do one thing as your primary source of wealth and barter for other things you need that is a profession. Early farmers more or less took care of all their own needs, but bartered some with the blacksmith, miller, cobbler, etc. Unless you are talking about extremely early farmers. Priests may have been one of the earliest professions (and not that different from prostitutes, they take money to make you feel good about yourself).

    2. Re:Astronomy / astrology by Anonymous Coward · · Score: 0

      Computer Science is the oldest profession. It is confirmed by the holy bible:

      'In the beginning was chaos'... and who do you think created chaos?

  31. get what you pay for by kirkb · · Score: 1

    I worked in the vending industry for a very long time, and have worked with all sorts of bill and coin acceptors.

    If the stakes are low (parking meters, etc), then a cheapass validator from some random Spanish company (like this one) is probably fine.
    If the stakes are high, get a Swiss-designed Sodeco BNA validator with impeccable security, reliability, and accuracy. Unfortunately, it'll cost a small fortune.

    --
    Slashdot: come for the pedantry, stay for the condescension.
  32. "The impact is obvious"??? by mark-t · · Score: 1

    I would think the very fact that you can potentially compromise a machine once you have sufficient physical access to the system that you are able to replace its internals with whatever you want should be pretty damn obvious to almost anybody all on its own

    --
    File under 'M' for 'Manic ranting'
  33. Since they serialize currency... by swb · · Score: 1

    ...couldn't they come up with some way to put a unique cryptographic fingerprint on the currency that would enable it to be verified as legitimate?

    1. Re:Since they serialize currency... by jklovanc · · Score: 1

      That would require a server system that is up 24/7 to verify that the key was correct. and every validation device would need a connection to that service.

    2. Re:Since they serialize currency... by swb · · Score: 1

      Two words: credit cards.

      While it's true that once in a blue moon someone will take your credit card manually (I am old enough to still remember when they were called "charge plates" and were used with carbon paper), almost always someone uses a machine with dialup or connected to the internet to validate a credit card transaction.

      Nor is it necessary to validate every bit of cash you take in -- once in a while someone will take a magic pen to a $100 bill, but most of the time at least in Minnesota nobody bothers to validate cash, so it would probably be something that only banks and people who cared to have a box would have.

      But it sounds a lot simpler in practice to at least *provide* a method for cryptographic verification, even if nobody uses the system, than it is to spend increasingly large amounts of money trying to just print paper in a way that nobody else can easily duplicate.

    3. Re:Since they serialize currency... by jklovanc · · Score: 1

      Two words: credit cards.

      The vendor is charged a fee for every credit card transaction. Are you going to do that for every cash transaction too? Who is going to pay for the servers?

      Nor is it necessary to validate every bit of cash you take in

      Cashiers are trained to automatically validate billed by just looking at them. One can not hand over a blank piece of paper to a cashier and expect it to me accepted. Simple validation was done. Suspect bills are tested further. With your system, every bill would need to be validated because the bill can be easily duplicated and visual validation would be meaningless.

      But it sounds a lot simpler in practice to at least *provide* a method for cryptographic verification, even if nobody uses the system, than it is to spend increasingly large amounts of money trying to just print paper in a way that nobody else can easily duplicate.

      Lets print money that is easy to duplicate and will be accepted because no one uses the system that could catch it. /sarcasm

    4. Re:Since they serialize currency... by Anonymous Coward · · Score: 0

      What stops the counterfeiter from copying the fingerprint?

  34. people still use cash? by Anonymous Coward · · Score: 0

    i just use my Mastercard debit card at stores.

    1. Re:people still use cash? by PPH · · Score: 1

      Until strippers hang card readers from their g-strings, yes.

      --
      Have gnu, will travel.
  35. Why give the machine updatable firmware? by Karmashock · · Score: 1

    There is likely some sort of data port... likely this thing flashes by USB or something... better to make firmware updates require a chip change.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  36. No, it's likely by dutchwhizzman · · Score: 2

    In Euro land, you either pay with your debit card, or you pay cash. If you pay cash, the cashier usually either just puts the bills in the register, or they do a check in a standalone machine to see if the machine approves of the currency. Registers that count money and have a built in validator are rare and only now are starting to appear in bigger supermarkets.

    Crooks here in Europe are very good at firmware updates or hardware modification on POS type equipment. Until very recently our omnipresent debit cards used a magnet strip and a pin code for payments. It got to be a weekly news item that such and such store or popular gas station had their PIN terminals skimmed and thousands of customers had their bank accounts cleaned out with copied cards and "recorded" PIN numbers. Cards still occasionally get skimmed, but debit cards are usually blocked by default outside the EU and inside the EU you need a smart card to make PIN payments. Skimmers can't copy the smart chip of the debit card, so they can't use the card unless they steal the physical item. This leaves the success rate of skimming a magnet strip+pin to the rare cards that are unblocked for outside of the EU and it requires accomplices in for instance India or so to clean out the accounts of the cards you swiped. Until someone finds a nice attack on the smart cards (I don't think it will take long, cell phone SIM cards have been hacked too), we won't be seeing them attack electronic payments in brick and mortar stores on a large scale soon. They will most likely move their game towards getting their own fake currency accepted by the validators and start buying small items with large bills, or resell the items to replace the "loss of income" since skimming debit cards wasn't profitable any more.

    TL;DR In Europe firmware mods are the most successful mods for this sort of hack/fraud.

    --
    I was promised a flying car. Where is my flying car?
  37. A trivial hack, not impressed. by kheldan · · Score: 1

    Given physical access this is a trivial firmware hack. You simply bypass all the verification routines other than the one that checks the length of the bill inserted.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  38. Zombie money by manu0601 · · Score: 0

    The hack is interesting, but the euro is irrelevant here, it died in 2009.

    1. Re:Zombie money by manu0601 · · Score: 1

      That was moderated -1 troll: someone has no sense of humor here.

  39. Bitcoin? by Anonymous Coward · · Score: 0

    Bitcoin users not affected!