Remote ATM Attack Uses SMS To Dispense Cash

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

Asleep at the wheel.

[Forbo]

"The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

Really? This stuff isn't being done to begin with?

Physical access?

[Vlado]

So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.

In my opinion this begs a whole set of other security questions first....

Re:Physical access?

[CastrTroy]

Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote expliot. If that's the definition of remote exploit, I don' think there's a system on the planet that isn't vulnerable.

USB port?

How does anyone access the USB port of the computer that controls the ATM, without breaching enough physical security that they might as well just grab the money? Sounds like this could only work if an insider at the bank in question smuggles in a phone and hooks it to the computer. You can't just pull up to an ATM and do this.

Re:Physical Access = owned

[iggymanz]

or you could cut the ATM open at the point where the cashbox is installed

to say this attack is "just not interesting" is an understatement

Re:Diebold

[Russ1642]

Switching to Linux wouldn't solve their physical security issue.