Remote ATM Attack Uses SMS To Dispense Cash

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

Asleep at the wheel.

[Forbo]

"The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

Really? This stuff isn't being done to begin with?

Re:Asleep at the wheel.

[Lumpy]

Banks barely do anything. They make insane profits but the scumbags refuse to spend a dime on security or maintenance.

The difference between a bank and organized crime is that you know what to expect from organized crime.

Re:Asleep at the wheel.

[Joce640k]

Really? This stuff isn't being done to begin with?

Why would they? It's in a locked steel box. People aren't using it to surf the web.

Re:Asleep at the wheel.

[gstoddart]

Do you know how many times I've seen an ATM with the Windows Blue Screen of Death on it?

Not hundreds, but over 30. I have *long* suspected these things are exceedingly vulnerable computers being used when they shouldn't be.

I've been airports and seen the arrivals/departures board showing NT errors. I have seen stuff in shop windows and other stuff showing similar stuff. A lot of medical devices can't be upgraded because the company never certified it beyond a certain level of Windows.

I usually make a point of photographing them when I see them, and I've seen more than a few.

You shouldn't be surprised, though, you should be disappointed. This has been true for at least a decade, and probably even longer.

Vendors just throw stuff on top of Windows and leave it unpatched. Often the security features rely on either obscurity, prayer, or somewhat weak physical security.

Re:Asleep at the wheel.

[Errol+backfiring]

Actually, they do surf the web (or did. I sure hope they fixed it). That is one of the problems with ATMs. The connection with the bank may be secured, but the devices are still attached to the big bad internet. So if you replace a device driver (or add your own piece of hardware), all communication channels are just waiting for you to be abused.

Re:Asleep at the wheel.

[JoeMerchant]

Banks are protected by law enforcement, insurance, etc. They have well established loss rates due to theft, fraud, etc. and they take appropriate measures to address those loss rates.

I, personally, would not want to pay a surcharge on my ATM card or other bank accounts to supplement the current security with "overkill" measures that cost more than they benefit, just for the satisfaction of knowing that crooks can't steal from MY bank.

Re:Asleep at the wheel.

[AmiMoJo]

Banks usually make an effort to have physical security, but not so much all the random supermarkets and shops that have an ATM inside.

What is more interesting is that the cash draw is physically secure. The attackers don't bother trying to open it. Instead they attack the control hardware, and you would think they could make that equally secure. It seems that the desire to load firmware updates, or more specifically new advertising on to machines via a simple and largely unprotected USB connection was too much to resist.

Re:Asleep at the wheel.

Overkill such as following standard security protocols and networking and IT basics? Or using 2 decade old smart-card technology that EUROPE has used for 20 years? The solution is to go back to strict bank regulation. They obviously cant be trusted to operate on their own.

Re:Asleep at the wheel.

[JDG1980]

I once went to a BB&T ATM and when I tried to use it, it crashed with an Internet Explorer script error.

Re:Asleep at the wheel.

[SQLGuru]

The 7-11 I used to frequent had a ethernet jack near the soda dispensers......this jack was where the nearby ATM was plugged in. It would have been quite easy for me to insert any sort of device between the ATM and the jack. There was enough space between the jack and the ATM and there was also a valid reason for me to be in the area that it wouldn't look like I was doing anything with it. While it wasn't an official bank ATM (unaffiliated), I still could have been malicious had I wanted to. [I also never had a reason to use that ATM and am always wary of using an ATM that isn't physically at a bank...not that those are drastically safer.]

Re:Asleep at the wheel.

They've obviously done the cost-benefit analysis. Why should you care which choice they make? Your money's not at risk.

Re:Asleep at the wheel.

[GTRacer]

It is if some other weakness they've allowed due to the cost/bene analysis leads to someone taking money from my account. Sure, I can get it back, likely without much trouble. But what if a bill came due during the loss and recovery that wasn't paid out and then I get stuck with a late fee and the headache of dealing with that account?

Re:Asleep at the wheel.

[HornWumpus]

I've seen genuine guru meditation errors on screen from the local public access channel in the last 5 years. Think about that. An Amiga still in daily use.

Re:Asleep at the wheel.

[camperdave]

What do banks have to do with ATM design? They just buy/lease them from ATM providers.

Re:Asleep at the wheel.

[operagost]

Banks don't make ATMs. Blaming banks for poor ATM security is, for the most part, like blaming someone who was in an accident because their defective ignition switch shut off the car. Banks need to make sure their ATMs are physically protected and maintained. They do this, for the most part.

Firms like Triton and Diebold build ATMs. That's where change will really have an impact.

Re:Asleep at the wheel.

[Marxist+Hacker+42]

In this case, overkill like a $4.95 locking doorknob?

Re:Asleep at the wheel.

[sjames]

So how do you like paying for the added burden on law enforcement to track the crooks down and get the money back?

Re:Asleep at the wheel.

[sjames]

And they decided that they get the most benefit by shifting the cost onto law enforcement paid for by other people.

Re:Asleep at the wheel.

Well it's cheaper not to and they don't really have any reason to care, not when the taxpayers will foot the bill.

Re:Asleep at the wheel.

[JoeMerchant]

No, more like management oversight, design review, and other bureaucratic steps to ensure that the proper locking doorknob is selected and properly installed. Even if the committee selected a $4.95 knob as proper (which, after examining the situation they probably wouldn't), the overhead costs of all that would amount to thousands of dollars per doorknob effectively installed.

Re:Asleep at the wheel.

[JoeMerchant]

Better than I would like for paying for theoretical "perfect" security on the banking system.

Besides, everybody knows the cops can catch bank robbers, and those same cops actually protect my home - if they weren't out there getting a rep. with hold up artists, people might be more inclined to B&E on private residences.

Re:Asleep at the wheel.

[sjames]

Nobody is asking for perfect. At this point, some sign of actually trying would be a step in the right direction.

Re:Asleep at the wheel.

[SharpFang]

"Please enter the amount."

700

"The amount entered is not divisible by 0. Please select:
[650]
[750]
[other]
[cancel]"

I choose "Cancel" just in case it applies similar mathematics to my actual payout.

Physical access?

[Vlado]

So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.

In my opinion this begs a whole set of other security questions first....

Re:Physical access?

Yeah, can someone with knowledge of how ATM's are set up enlighten us? I'd think that if you had physical access to the USB port, you would also have physical access to the cash itself and could just take it. Is there typically a USB port stuck on the *outside* of the box somewhere?

Re:Physical access?

In my opinion this begs a whole set of other security questions first....

No, it doesn't. It raises questions.

"Begs the question" means something entirely different than what you meant. Please don't misuse this term.

http://begthequestion.info/
http://public.wsu.edu/~brians/...

Re:Physical access?

[CastrTroy]

Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote expliot. If that's the definition of remote exploit, I don' think there's a system on the planet that isn't vulnerable.

Re:Physical access?

It says in the article's links that you have to cut a hole in the ATM to access the controller computer's USB port.
I think the difference is that to get to the cash, you have to cut a big hole.

Re:Physical access?

Which begs the question, who's on first?

Re:Physical access?

[Joce640k]

(why smartphone, by the way?)

It probably connects to a serial port or something.

ATM machines have ports where you can plug in a diagnostic computer. One of the diagnostic functions will be "test the cash dispenser".

The SMS trigger is just there so they can do it at night and make sure somebody's standing there to grab the money.

Re:Physical access?

In the vast majority of atms there is just an ordinary pc running windows xp, they are not secure at all from a tech standpoint. This is about being able to steal in the future. If you come in dressed as the repair guy and hide a phone connected to the pc, you didn't take any money, the money fillers won't notice anything nor any audits if any are done. Then you wait a year or whatever and start stealing from it, if they do manage to figure out it's infected/find the phone, who put it there? Do they still have the footage? How many people have used/filled/fixed/etc this machine? etc. etc. Makes it a lot harder to get back to the real perp.

Re:Physical access?

[Splab]

Wrong century... ATMs of today are running on off the shelf hardware, with "special" (as in special needs) operating systems (Windows). They have exposed USB ports under the hood and to make it completely idiotic, the only thing locked behind high security is the money. The motherboard is quite often found just under the keypad, which can be accessed by standard keys.

See these guys http://www.youtube.com/watch?v... (Unfortunately the actual hack is poorly recorded, but still quite interesting).

Re:Physical access?

...AFTER drilling a hole in the physical device...

There's a joke somewhere in there; complete the phrase "Any 'remote' exploit which involves drilling..."

Re:Physical access?

[JoeMerchant]

Seems to me that it needn't be a smartphone, any device with the proper digital interface can probably do the trick - but it makes better press to say "Force the ATM to dispense cash using SMS..."

I suppose it might make it easier for the crooks to blend in while they take away the loot - just send the SMS while you act like you are doing a legitimate transaction and then walk away with $400. Come back later and do it again, and again... Get a lot of "theft rush" and exposure to potential arrest for your efforts, not so much cash, but you don't look as suspicious a you would if you tried to stuff $10K in 20 dollar bills into your pockets all at once.

Re:Physical access?

[MightyYar]

That battle is lost, man. The language has already changed.

Re:Physical access?

I don't think it's possible to secure a computer that grants users physical access. I think they need to start putting the computers down below, in the safe where the money is (or 2nd safe). This includes the diagnostic/usb ports. Then, they should employ software that will shut down the system if there's a change in attached USB hardware. Legit diagnostics will become less convenient, but there's balance.

Re:Physical access?

[hankwang]

"So, this method requires quite a bit of physical access to the ATM. "

I did once peek over the shoulders of a guy servicing one of those in-store ATMs (i.e., one that looks like a stand-alpne cabinet, not one that's integrated into a wall). Apparently, it's not all that tightly locked down, hardware-wise. The guy told me that only the compartment that contains the banknotes and the counting mechanism have heavy physical security, and that he couldn't access that part. That was why he was allowed to service the machine by himself, in the middle of a busy store.

Re:Physical access?

'It's' also seems to mean 'its' more often than 'it is' these days. I try to stick to the old definitions.

Re:Physical access?

[mlts]

I'm pretty sure that the rationale for slack physical security (other than the cash box) is that the store clerk or the camera pointed at it will discourage people from drilling holes in the CPU.

As per a previous /. article, maybe ATM makers moving to a new OS and PC might help matters. Linux is a good candidate. No AutoRun/AutoPlay capability present for starters (although Windows can have it easily turned off as well.)

Ideally, what might be best is to move to a motherboard that is designed from the ground up to make it tamper resistant. Yes, the initial expense might be a bit high, but once made, the only thing needed to upgrade future ATMs would be new graphics for the dancing animals in the background and signed OS updates for future security issues. ARM itself has TrustZone and TPM capabilities... and an ATM is where those capabilities would be perfect for the job without expensive additional hardware or ASICs.

Re:Physical access?

[228e2]

Isnt this what Barnaby did years ago at Black Hat? Where is the news? Physical access to a (sadly) not locked down computer isnt too hard to compromise.

Re:Physical access?

[camperdave]

I'd think that if you had physical access to the USB port, you would also have physical access to the cash itself and could just take it.

I think that that would be a poor design. One box for the hardware (you don't need armoured car knuckle draggers messing with the electronics), and one box containing the cash (You don't need the maintenance nerds walking away with pocketsfuls of crisp new bills). Both of those would be inside a box that locks out the general public. Actually, I'd probably put the cash inside a box inside the cash portion of the machine, so the armoured car folks are not dealing with cash, but with locked boxes that they cannot open. They pull out the empty box, and load in the full one, much like replacing a toner cartridge. Actually, the electronics should be done the same way: a one piece, factory sealed, replaceable module.

Re: Physical access?

Physical access is required, the software that runs I the background that talks to the cash dispenser control board will require a switch or some sort of physical access to the safe, ncr have a physical switch on the board that requires toggling before cash is dispensed, wincor require the safe door to be opened and closed before being dispensed. There are ATMs that use GPRS rather than physical network access, I would imagine that it's these that have been compromised, I'm not sure how it would work exactly but I know that the remote teams have the ability to cycle the dispenser to attempt to clear cash jams with out access so a cash cycle that dispenses is only one slight step away. -ATM engineer 15 years experience.

Re:Physical access?

I am a former employee of Triton Systems (a manufacturer of off-premiss ATMs), hence the AC post. I remember our machines had an encryption algorithm that was present on all software we created, and if the code did not have this encryption then it would not load. We also physically separated the cash from the control board on all of our machines. We did have an issue with the locks on the fascia of the machines though, they normally all used a very simple lock that could be picked very quickly. We set up controls though on the software where it would disable the USB ports unless the machine was in "programing mode" and only then would it load any software that had the right encryption. The various peripherals were set up with a "safety" that would require the machine to hard restart (physically switch power on and off) to get them to restore communications with the control board. This likely involved a Diebold or NCR style machine as they run Windows based O.S.'s and are essentially dumb terminals.

There's an app for that

[gnick]

I'd like to announce my new app for sale - Free after using the $200 rebate redeemable at a nearby ATM.

Diebold

How's Diebold for a guess? Those fuckers are vulnerable to just about everything.

Re:Diebold

[DickBreath]

Okay. Let me amend the article summary for you . . .

"Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines . . . because Diebold already has a bad enough reputation with it's e-voting machines.

Better?

Re:Diebold

[Russ1642]

Switching to Linux wouldn't solve their physical security issue.

Re:Diebold

I can confirm it's Diebold. Posting as AC because fuck you, Diebold.

Re:Diebold

[nwf]

That was my first guess. My bank uses them, and they are absolutely amazing in terms of completely uninformed user interface design. They've upgraded them over the years and are a little better, but they are just terrible to use physically and electronically. Not really related to hacking, other than by the fact they just don't care about making a quality product.

Diebold?

[jsepeta]

It's gotta' be Diebold, famous makers of the voting machines used to swing the Bush "elections". They now call themselves Premier Election Systems. But Diebold is one of the primary manufacturers of ATMs.

Re:Diebold?

Seriously? The % variance from election to election is about 2-5%. Has been for years. Our country pretty votes 50/50 for the two parties. The only exception was the 92 election in which periot got a significant amount. It has been this way since the 60s. Even the 'landslide' of Regan vs Mondale was by ~2%.

Accept it. Both dudes lost by a narrow margin. You are clinging to conspiracies because your dude lost. Even the 'crushing victory' in the last two was by ~1%. Voter fraud does exist. However, statistically it is negligible. Even Nate Silver accepts that...

Re: Diebold?

Actually Obama beat Romney by 3.7 % of popular vote, not 1%. And about 100 more electoral college votwa for Obama.
    And Reagan's landslide over Mondale was indeed a landslide. Reagan--57% to Mondale's 42%. The only state Mondale took was Minnesota. And in the electoral college Reagan had 97% od the votes.

Re:Diebold?

Yes it's tight between the two sides, but that makes it even easier to rig things. You don't cheat in obvious/noticeable ways, like by flipping districts/states that are solidly in either camp and where a change would cause serious surprise and possible/likely investigation, instead minute tweaks in disputed/swing districts/states can be enough to shift the national result thanks to the FPTP system...

Re:Diebold?

[DickBreath]

> They now call themselves Premier Election Systems.

OT, I know, but shouldn't that be: Premier Election Rigging Systems?

Re:Diebold?

[sexconker]

Seriously? The % variance from election to election is about 2-5%. Has been for years. Our country pretty votes 50/50 for the two parties. The only exception was the 92 election in which periot got a significant amount. It has been this way since the 60s. Even the 'landslide' of Regan vs Mondale was by ~2%.

Accept it. Both dudes lost by a narrow margin. You are clinging to conspiracies because your dude lost. Even the 'crushing victory' in the last two was by ~1%. Voter fraud does exist. However, statistically it is negligible. Even Nate Silver accepts that...

Successful voter fraud is undetectable, and thus immeasurable.
You cannot quantify it without verifying individual votes, and you can't do that without tracking each individual vote and removing voter's anonymity.

I am not claiming that it is rampant. I am merely stating the fact that you cannot know how much of a problem it is. Saying it's very rare is as much bullshit as saying it's very frequent.

Re:Diebold?

[dryeo]

You can set up systems where it is hard to do fraud and systems where fraud is trivial. That is the problem with most electronic voting so far. How do you ever know if Diebold has a way to flip 1% of the votes? In a close election it doesn't take much to flip the results.
Then there is the other types of election fraud, often legal. Gerrymandering, strategic placement of polling station, limiting the number of polling booths in areas are some examples.

Who said no one would pay for SMS

after whatsapp.

Re:Who said no one would pay for SMS

In soviet russia SMS pays yo... wait, that doesn't make sense since this is about the USA.

Re:Who said no one would pay for SMS

In soviet russia SMS pays yo... wait, that doesn't make sense since this is about the USA.

Where do you think the banknotes end up?

Symantec ad

[roman_mir]

So this is a Symantec ad, I don't have a problem with advertising, but call it what it is. Windows XP used in an ATM? Well, I can see how this can be a problem, but how is this SMS based attack specific to Windows XP exactly? What, if the ATM in question was running VAX/VMS it wouldn't support SMS based attack due to its lack of SMS support? :) I mean there are no details as to how an SMS makes it possible to get cash out of the machine and I don't see at this point how it is OS related. Any OS with appropriate software could do the same, no?

Re:Symantec ad

[mlk]

The SMS is just a way to communicate to the phone. What the hackers have done (if I'm reading the FA correctly) is make a phone pretend to be a USB keyboard attached to the PC in the ATM. The phone can then be set up to send a control sequence to the ATM tell the ATM to spit out money. So the problem has nothing to do with either SMS or Windows XP. If the ATM was VAX or Mac OS or Home brew OS or Linux and you did not lock down the local USB ports then it would have the same issue.

The general issue of USB ports happily accepting keyboard has been an issue with ATMs before, but you have to stand by the ATM with a keyboard. This way you just plug in the phone and leave it there to exploit time and time again.

Physical Access = owned

[clovis]

This is a physical access attack and therefore not very interesting.
To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port (or in older versions, a USB stick, or keyboard). They recommend upgrading the OS and securing the hard drive. How about putting epoxy in the computer's device ports?

Re:Physical Access = owned

[locotx]

Physical access IS root access!

Re:Physical Access = owned

[iggymanz]

or you could cut the ATM open at the point where the cashbox is installed

to say this attack is "just not interesting" is an understatement

Re:Physical Access = owned

[StripedCow]

If you have physical access, why not grab the money directly?

Re:Physical Access = owned

[Russ1642]

The money is locked in a hardened steel enclosure similar to a safe. Apparently the computer is not. This attack is probably one of the easier ways to get at the money.

Re:Physical Access = owned

[redmid17]

Probably because they need to be able to upgrade the the OS and apply security patches.

Re:Physical Access = owned

New atms use usb to link tge parts in side

Re:Physical Access = owned

[CastrTroy]

Because this way, assuming they didn't notice the actual hardware in there, you could dispense cash for a long period of time, and get more money. Taking all the cash at once and they would probably notice it. Take $20 once a day, and they might just attribute it to the machine miscounting the bills.

Re:Physical Access = owned

[gstoddart]

To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port

Which, apparently, might not be as difficult as we think.

Security is only as good as its weakest link, as they say. And if one of these things is in a place where you could get in and out without being observed (because, say, you've got a clone of the key or know how to bypass the lock) ... well, then this is going to happen.

Free money is worth someone spending time working these things out.

Re:Physical Access = owned

[mlk]

I'd assume the box that the money is in is secured and had paint or the like that will trigger when it is opened.

Plus you can only do it once and it is very noticeable. Chopping a small hole in the box and secretly installing a small phone you could exploit time and time again without drawing attention from passers by.

Re:Physical Access = owned

You've never been to a liquor store with one of these standalone ATMs and found the door open? I have. You can't take money but you can see the computer in there. 5 seconds to install a USB device and you're done, and that baby will pay out for who knows how long before they notice.

Re:Physical Access = owned

[JaredOfEuropa]

The machine might report cash being taken out; very unfortunate if that happens while you stand there shoving piles of bills into your pockets. Better to install the device and come back at night, with a hoodie over your face, grab all the cash, and run.

These machines rarely miscount, and if it happens once a day, the bank will probably take notice. There was a weird little trick on certain ATMs a while back that let you tease an extra note from the machine, but the banks caught on very quickly.

Re:Physical Access = owned

[JoeMerchant]

As I said above, you can get the access and look like a maintenance tech, then button it up and walk away with big bulges in your pockets.

Come back later, looking innocent, and take a few hundred bucks per transaction. It makes machines that are protected by highly public physical location (most ATMs) more vulnerable to attack in plain sight by innocent looking people.

Sure, you could cut out the cash box and haul ass in a big pickup truck, but somebody would probably notice that something isn't right about that picture.

Re:Physical Access = owned

[JoeMerchant]

In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

You could probably spit out several hundred dollars per "pull" with the phone-hack and not raise suspicion - a really good hack would falsify the expected balance, too, so they don't notice the missing cash, but you'd think the guy changing the cash box would notice the thing stuck in the USB port, eventually.

Re:Physical Access = owned

[u38cg]

Well, not so much. Physical attacks are extremely difficult on ATMs as they are difficult to move or access and usually have dye bombs. The usual approach in the UK is to steal a JCB and van and remove the whole thing. So something like this is definitely an improvement for the attacker.

Re:Physical Access = owned

[iggymanz]

look up how they're made, you won't be "chipping a small hole" in anything to access its system and you will set alarm off

Re:Physical Access = owned

[PRMan]

I remember way back in the old days (80s), an ATM that I went to dispensed my cash twice. I took it inside and let them know that I had gotten $80 when the machine told me that I got $40. They had released new ATM software the night before. It was 9 AM and I was the first person to bring it to their attention.

Re:Physical Access = owned

[malvcr]

Let me explain what happen with the ATM devices.

The ATM has a computer having the operating system and a basic bootstrap software. In fact, the configuration itself it is not located in the ATM but when the ATM is turned on, it is sent to it from the Bank. One important reason is that when somebody steal the ATM, will lost all the configuration including many different types of keys, making the task of opening it or to learn more about the ATM's network behaviour a difficult task.

When the security employees load the ATM with money, they actually have no access to such money. The Bank fills security money boxes (actually small security boxes that are not so easy to open). These boxes have a special key that is used only inside the Bank's vault. The employes that will give maintenance to the ATMs receive the loaded boxes from the Bank's personnel and replace the previous ones "complete" in the ATM (they don't have the keys), and deliver the full or partially empty boxes to the Bank for internal maintenance (to count remaining bills, clean, reload, etc.).

So, the security employees are the ones that could install the phone in the computer because they need to open the ATM to replace the money boxes. As they are the ones do this work, they also could put the phone, and the next time they load the ATM, they will quit it for let no trace of such action. So, it is not necessary for them to violate the physical boxes or to cut the ATM by half (that it is not easy anyway), but just to connect a phone, continue with their daily work and somebody else will come to extract the money with the help of the phone and the ATM itself.

As 80% of the attacks are from "insider", this have all the sense for me. To resolve the problem, however, it is not so easy, because they need to replace their ATM system for one would be invulnerable to USB or other type of ports access, something was not thought when the current systems where designed many years ago.

Re:Physical Access = owned

[sexconker]

Physical access IS root access!

Physical access is far, far greater than root access.

Re:Physical Access = owned

[JoeMerchant]

I should also mention that I got one or two "undercounts" during that era... my ATMs were all remotely located from the branches, so reporting wasn't exactly convenient. I figured it all worked out in the end, but I might have come out $20 to $30 ahead, overall.

The swipe your ATM card to checkout at the grocery also failed to process a couple of the earliest transactions (there really was a free lunch, those days...), I waited months and months looking for them to show up on the statements, but they never did. These days I don't keep my receipts or check my statements as closely, not sure if that ever happened after the initial rollout.

Then there was the bank I had a deposit account with in 1991 - their computer made a $20 addition error, in their favor, when summing up my deposits and withdrawals (none of which were for $20) - when I pointed it out to the branch manager he acted like I was being a jerk for bringing it up. I didn't still have that account by 1992.

Re:Physical Access = owned

Keep a few ATMs compromised, and you can act like you own the money, and the bank will happily refill it for you.

Re:Physical Access = owned

[Obfuscant]

This is a physical access attack and therefore not very interesting.

This. Everyone knows all you have to do is play some music on the keypad and the ATM will give you money. "Take me down to the basement, fill the buckets with cheese..."

"And we won't, won't pay for this song 'cause it's pub-lic domain!"

Re:Physical Access = owned

Ahh, someone who's noticed the ubiquitous little ATM's in lots of mom an dpop stores and small bars. The ones whose staff are basically as competent as those in the "Clerks" movie.

Re:Physical Access = owned

[dryeo]

In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

I'm quite surprised how well the ATMs handle the plastic money, especially during this transition phase when it is a mix of paper and plastic. As a human, I have trouble correctly counting the plastic money, it's thinner and sticks to neighbouring bills.

USB port?

How does anyone access the USB port of the computer that controls the ATM, without breaching enough physical security that they might as well just grab the money? Sounds like this could only work if an insider at the bank in question smuggles in a phone and hooks it to the computer. You can't just pull up to an ATM and do this.

Re:USB port?

The money is stored in a heavily secured enclosure within the ATM. The computer, not so much. I don't recall the model, but I saw a small ATM where there was just a small panel covering the USB ports. Looked like 16 - 18 gauge sheet metal covering it (the unit was open, and being serviced by a tech).

Re:USB port?

http://www.zdnet.com/robbing-atms-by-sms-not-in-the-real-world-7000027689/

Re:USB port?

[PPH]

The money is stored in a heavily secured enclosure within the ATM.

It comes down to exposure time for the thief. Popping an access plate off the USB ports, plugging in and feeding $20s out, one at a time is going to take a while. The stolen tow truck, chain and winch is much faster.

ATM running Windows 2000

Last year (2013) I went for a tour in a foreign country.

One day I went to a local bank's atm trying to get some cash, in the ATM lobby there were 6 ATM machines. 4 were working, one had totally shut down, and on the sixth, I saw the desktop (Win 2000 version) appearing on its screen.

Re:ATM running Windows 2000

Thanks for the MS bash. Once you realize the level of access you need to the machine to deploy this exploit you'd realize that the OS that machine runs is pretty much irrelevant.
 
But I know you don't have much else to live for so bash away.

Re:ATM running Windows 2000

[NatasRevol]

What, you think the exploit wasn't using Windows? And that wasn't relevant?

Delusional!

Re:ATM running Windows 2000

[PRMan]

I have also seen a Windows 2000 screen on an ATM recently in America.

Re:ATM running Windows 2000

What? You don't think having PHYSICAL FREAKING ACCESS to the box isn't a bigger problem then what OS they're running? Delusional!
 
You're debating what knife an assassin used to kill a target in what should have been highly secured fortress.

Re:ATM running Windows 2000

[NatasRevol]

Yeah, I'd be complaining if there were no soldiers on the inside to protect a wall breach.

The emperor really doesn't have any clothes.

Re: ATM running Windows 2000

Well, however, earlier windows version were known for their vulnerabilities, so an atm running, windows 2k is definitely an open door for even the hobbyist hacker

Re:ATM running Windows 2000

[Kalriath]

It would be irrelevant, considering there shouldn't even be a wall breach (physical access to the I/O ports of the hardware).

You should be able to insert a card, receive cash, and enter PINs. That's it.

Knowing Diebold though, you can probably buffer overrun the machine with a malformed track 3 on the card.

Re:ATM running Windows 2000

According to a video from DEFCON a few years back, most ATMs open with a universal key, so physical access takes about five seconds. The only meaningful security is the overwhelming likelihood of getting caught on one of the cameras during/afterwards, followed by 25 years in a Federal PMITA Penitentiary.

Security has been outsourced to the police state, in a sense. You're not prevented from stealing. Just prevented from getting away with stealing.

Every management team ever.

Of course it isn't being done already. You have any idea how much it cost to get someone to lock down/upgrade everything due to how idiotic the people in management are and who think "more expensive is better" ?

Diebold

[SirSpammenot]

And they make election equipment, to count votes. Sheeesh! ATMs I am less worried about because I get my money back when they screw up... If the theft amount gets too painful, the banks will look a better vendor. And switch to Linux...

Smartphones have more processing power

to emulate other devices such as a keyboard or mouse. Its easier to write an app that reads SMS on a smart phone then on a normal one. Also the term ATM is fairly broad here. There are atm's that are built into a wall of a bank and then there are the freestanding atm's that are often 'jackpotted' as described above.

HUH?

what do you mean "scumbags". they are not charging you a red cent if they have a theft.
for all you know they have weighed the options and to implement security at this time is more expensive than to deal with a few isolated losses.

Either way! it doesent effect you, and you have a obvious and wrong bias.

Re: HUH?

Yeah want my money in a bank that facilitates thief.

Re:HUH?

[50000BTU_barbecue]

"they are not charging you a red cent if they have a theft."

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Re:HUH?

[coinreturn]

"they are not charging you a red cent if they have a theft."

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.

Re:HUH?

[50000BTU_barbecue]

Either way, the bank either charges you higher service fees and lower interest, or it gets private insurance, or it goes crying, Oliver Twist-style, to the government with its hands out. The bank loses nothing. Ever. But they sure tell YOU to take risks!

Re:HUH?

[codebonobo]

"they are not charging you a red cent if they have a theft."

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.

I seem to remember trillions of dollars in bailout insurance being paid to banks, not the customers through FDIC, while they remained open and more profitable than ever. This is socialized government insurance, where moral hazard is removed and its business as usual.

Re:HUH?

[galloog1]

You mean loaned out to banks. Banks either paid that back or they failed. Most of it was paid back.

Re:HUH?

[coinreturn]

Either way, the bank either charges you higher service fees and lower interest, or it gets private insurance, or it goes crying, Oliver Twist-style, to the government with its hands out. The bank loses nothing. Ever. But they sure tell YOU to take risks!

Like I said, government does not pay for theft. Okay, so it raises service fees or gets private insurance. Are you complaining that their business model is to profit?

Re:HUH?

[bbeesley]

you suggest that the banks are scheming to make a profit on theft?!?!? sorry, but Occam's Razor shreds your argument to bits my friend the banks don't want nefarious individuals stealing our money any more than we do. It's very, very bad for business

Re:HUH?

[codebonobo]

You mean loaned out to banks. Banks either paid that back or they failed. Most of it was paid back.

You are repeating the banks' talking points. Some of it loaned out. Some of it was given out. Some of it was exchanged for worthless assets. In the end the bottom line is most people were screwed and the the banks profited.

Were you offered extremely low interest loans which you immediately were allowed to profit massively off of by selling higher interest loans and dissolving your bad investments?

Why didn't the Fed do the right think and allow the irresponsible banks to fail and instead invest those trillions on paying directly to the consumers the raised 250k FDIC insurance? Why weren't the bad actors weeded out? Instead the banks were told quite clearly they must stay large so they become too big to fail and in a couple years they can start aggressively find new games to play with peoples life savings.

Re:HUH?

You mean loaned out to banks. Banks either paid that back or they failed. Most of it was paid back.

And by "most of it" you mean all but several tens, maybe hundreds, of billions of dollars.

Totally a rounding error.

Re:HUH?

[dryeo]

They sure aren't very fast or dependable at replacing any money that is stolen through a debit card (such as debt card being used in a fraudulent ATM to skim the PIN).
Similarly we all pay increased costs through fees being spread out through the whole customer base for credit card fraud.

Re:HUH?

[dryeo]

If the banks were truly too big to fail, they should have been nationalized, senior management at least fired, preferably arrested and charged and the banks broken into small pieces and sold.

Re:HUH?

[codebonobo]

If the banks were truly too big to fail, they should have been nationalized, senior management at least fired, preferably arrested and charged and the banks broken into small pieces and sold.

Yes, completely. Whether it was fraud or incompetence it is sheer lunacy that we permitted such behavior.

Re:HUH?

[dryeo]

Funny thing is all the people who scream "socialist" about Obama and the Democrats and even obvious things like nationalizing the failing banks they don't do, rather instead supporting them.
Newest American Ambassador to my country is a former Wells Fargo big shot, which shows their true stripes.

Re:HUH?

[LordWabbit2]

I worked for a bank back in the day, was told to make code changes to the online screens to add an extra 'service fee' to the clients account, had to add a checkbox so that it could be switched off if the client complained. Checked it a couple months later, not many people even noticed it or complained, netted them an extra half a mil a month.
Don't trust banks / bankers / insurance / sales people. They do not have your own best interests at heart.

Re:HUH?

The FDIC is not funded with taxpayer cash. They don't get a penny of congressionally appropriated money. Their funding, like any other insurance company, comes from the premiums they charge the banks for their coverage, and that includes the cash pool that is used to reimburse depositors when a bank goes into receivership.

Re:HUH?

[50000BTU_barbecue]

Who talked about profit? The original point was that banks don't charge a "cent" to customers for theft... You people are as dense as neutronium.

Re:HUH?

[50000BTU_barbecue]

Where did I talk about a profit? Do you profit when you get robbed and your insurance pays your claim?

Re:HUH?

[coinreturn]

Um, you did. You said "either way, the bank either charges you higher service fees or lower interest." Maybe you should check your own density, dipwad.

Re:HUH?

[50000BTU_barbecue]

That isn't a profit. That's "covering your costs", dumbfuck.

Re:HUH?

[coinreturn]

That isn't a profit. That's "covering your costs", dumbfuck.

Wow, you don't seem to understand that "covering your costs" is the first step to profit. You, are the dumbfuck of the year.

Re:HUH?

[50000BTU_barbecue]

Exactly. The "covering your costs" is done either with social programs or from your pockets, then they make a profit. The original point was about "not charging a cent" when they get robbed. How profit got into this, I have no idea, but derailing discussions and tossing in irrelevant subjects that no one brought up isn't helpful.

Re:HUH?

[coinreturn]

Exactly. The "covering your costs" is done either with social programs or from your pockets, then they make a profit. The original point was about "not charging a cent" when they get robbed. How profit got into this, I have no idea, but derailing discussions and tossing in irrelevant subjects that no one brought up isn't helpful.

Exactly right on the original point. Except you derailed the conversation when claiming that the government covered their costs when the banks lose money. That is just plain wrong. And when I pointed that out, you brought up the service fees as a way of showing that they do charge for losses. But they don't. Service fee increases are used to increase profit, not as a reaction to some ATM losses.

Re: HUH?

As someone who has done Vulnerability analysis work in the banking industry the other guy is right about them not spending money on security. Really the systems are outdated and unpatched.

Re:HUH?

[galloog1]

None of it was simply given to banks; it was all loaned to them. The banks had to pay that back. People love to mention the fact that the banks received trillions of dollars. The fail to mention that those banks also paid trillions back. Those same people also failed to mention that this happens on a smaller scale every second of every day between the banks and the federal reserve.

Didn't John Connor use this method?

So all one needs to do is plug a USB cable into an ATM machine and use their cellphone to brute force?

So the C&C structure only exists so a "mastermind" can send in a fool to have his photo taken while robbing the ATM?
Is there a non spyware supported version that bypasses the need for an accomplice who may rat on me?

cash?

people still use cash? I hate dealing with change. let me count the pennies and nickles...ugg

Re:cash?

[tsqr]

people still use cash?

Yes, people still use cash. People still use phones to make voice calls. People still commute to work. People still play CDs and DVDs. People still have standard def televisions. People still use cars powered exclusively by internal combustion engines. People still buy things in actual physical stores. People still wear baseball caps with the bills pointed forward. People still take an entire television season to watch a season's worth of television shows. And some people still actually converse with other people live and in person, in real time. I know that some of these things are hard for you to believe, and hard for you to relate to. But they persist nonetheless.

Hackers

[OcabJ]

"Anyway, anyway, guys guys guys, come on. I'm in this computer, right. So I'm looking around, looking around, you know, throwing commands at it, I don't know where it is or what it does or anything. It's like, it's like choice, it's just beautiful, okay. Like four hours I'm just messing around in there. Finally I figure out, that it's a bank. Right, okay wait, okay, so it's a bank. So, this morning, I look in the paper, some cash machine in like Bumsville Idaho, spits out seven hundred dollars into the middle of the street. That was me. That was me. I did that."

Re:Hackers

"And you did this from your home computer?"

Re:Hackers

You did this from your house?

Never hack a bank across state lines, you'll get burned by the FBI.

BTW do you know what the 3 most commonly used passwords are.....

Re:Hackers

[HornWumpus]

If you've ever been the victim of crime you will know the cops do nothing for you. They fill out a report so you can make an insurance claim. That is all. They will give you attitude while doing it. You are bothering them.

The FBI has buildings full of cops dedicated to protecting the banks.

Re:Hackers

[heefeneet]

BTW do you know what the 3 most commonly used passwords are.....

"Secret", "sex" and (thanks to XKCD) "correct horse battery staple".

Look at the bright side

[DickBreath]

At least most modern mobile plans give you unlimited SMS.

Uh, no kidding

Let me get this straight. They physically have to attach new gear to the computer that can control what the ATM is doing. That device is then able to issue commands to the computer, and thus the ATM. That device happens to be a device that can receive SMS messages. And it's shocking that "You can make it do stuff based on an SMS message"?! No surprise there. And in case you missed it, you could also call it and issue commands over the voice channel, or you could use the data connection and issue commands to it through your favourite IRC command and control channel, or email, or REST call, or whatever. This isn't a remote attack.

Windows XP Based ATM

[Fitch]

Does anyone find fault with the phrase "Windows XP Based ATMs"?

Regardless of whether this exploit requires an insider for access to the physical machine, securing $10k-$20k worth of cash with one of the most commonplace operating systems on the planet seems beyond asinine to me.

Re:Windows XP Based ATM

I'm not so sure "common" is the problem as the word insecure and unhardened are.

Re:Windows XP Based ATM

[Kalriath]

XP Embedded. It's a slightly different beast from XP Home. And either way, you shouldn't have physical access, so it's irrelevant whether it runs Windows, Linux, FreeDOS, or even frigging BeOS.

Oh, take a wild guess

[ThatsNotPudding]

Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines.

Gotta be Diebold. Yes, they changed their name. No, those thieves should never be allowed to remove the albatross of crooked voting machines from their scrawny, corrupt necks.

Re:Oh, take a wild guess

[drinkypoo]

Yeah, that was my response too. Diebold is well-known to do a shit job with ATM security.

'Magic Number' could be a valid Credit Card Number

[Muad'Dave]

FWIW, the magic number '5449610000583686' mentioned in the article passes the Luhn Algorithm, and is therefore valid as a credit card number. The BIN indicates the card was/would be issued by the following bank, transcribed from this site:

Bin: 544961
Card Brand: MASTERCARD
Issuing Bank: HSBC BANK (PANAMA) S.A.
Card Type: CREDIT
Card Level: PLATINUM
Iso Country Name: PANAMA
Iso Country A2: PA
Iso Country A3: PAN
Iso Country Number: 591

Please...

[Ryanrule]

...if you want an ATM open, you smash it on a methhead's head.

Probably one of the XP machines

the subject says it all

encrypted

[stepho-wrs]

ATM's make heavy use of encryption. Sensitive data (eg customer PIN) is encrypted so that you can not decode it. Unencrypted data is not sensitive (eg the dollar amount of the transaction). Each packet sent to the bank host is digitally signed. Each packet received from the host is also checked for its digital signature. The digital signatures have the time as part of the generation algorithm, so replay attacks don't work. If you monitored traffic on that cable then you would get a log of who took out money, the account number, the amount, the time and possibly how much was left in their account. You would get similar information by ransacking the receipt bin. If you tried to inject or replay packets in either direction then they would be rejected. I used to design EFTPOS credit card terminals. We designed them with the understanding that malicious people would be listening to everything on the cable and they would be trying to inject malicious data at every opportunity. Note that the cable might be ethernet, phone (ie modem), X.25, serial or a handful of less common types but the above applies to all of them. The worst you could really do is to cut that cable and deny the service to the customers.

Re:encrypted

[SharpFang]

Actually, that sounds like info muggers would find pretty valuable.

Re:encrypted

[Errol+backfiring]

Note that the cable might be ethernet,

So there's your attack vector. Note that you may heavily encrypt the output of all the input devices, but with your own device drivers or added hardware there is little you can do about replaying the input signals themselves. Or from "swallowing" the cards and transmitting all the PIN codes.

Around here, they use gas...

[SharpFang]

Fill up the ATM with propane gas through the money slot.
Set up a fuse.
Pick up money and run.
Some photos.

Quite impressive, though the success ratio isn't too high.

fud

fud