Remote ATM Attack Uses SMS To Dispense Cash

← Back to Stories (view on slashdot.org)

Remote ATM Attack Uses SMS To Dispense Cash

Posted by timothy on Tuesday March 25, 2014 @03:40AM from the $$$-rofl-omg-$$$ dept.

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

19 of 150 comments (clear)

Min score:

Reason:

Sort:

Asleep at the wheel. by Forbo · 2014-03-25 03:46 · Score: 5, Insightful

"The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

Really? This stuff isn't being done to begin with?
1. Re:Asleep at the wheel. by Lumpy · 2014-03-25 03:55 · Score: 3, Interesting
  
  Banks barely do anything. They make insane profits but the scumbags refuse to spend a dime on security or maintenance.
  The difference between a bank and organized crime is that you know what to expect from organized crime.
  
  --
  Do not look at laser with remaining good eye.
2. Re:Asleep at the wheel. by Errol+backfiring · 2014-03-25 04:26 · Score: 2
  
  Actually, they do surf the web (or did. I sure hope they fixed it). That is one of the problems with ATMs. The connection with the bank may be secured, but the devices are still attached to the big bad internet. So if you replace a device driver (or add your own piece of hardware), all communication channels are just waiting for you to be abused.
  
  --
  Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
3. Re:Asleep at the wheel. by SQLGuru · 2014-03-25 04:57 · Score: 2
  
  The 7-11 I used to frequent had a ethernet jack near the soda dispensers......this jack was where the nearby ATM was plugged in. It would have been quite easy for me to insert any sort of device between the ATM and the jack. There was enough space between the jack and the ATM and there was also a valid reason for me to be in the area that it wouldn't look like I was doing anything with it. While it wasn't an official bank ATM (unaffiliated), I still could have been malicious had I wanted to. [I also never had a reason to use that ATM and am always wary of using an ATM that isn't physically at a bank...not that those are drastically safer.]
4. Re:Asleep at the wheel. by HornWumpus · 2014-03-25 05:51 · Score: 2
  
  I've seen genuine guru meditation errors on screen from the local public access channel in the last 5 years. Think about that. An Amiga still in daily use.
  
  --
  John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
5. Re:Asleep at the wheel. by camperdave · 2014-03-25 06:41 · Score: 2
  
  What do banks have to do with ATM design? They just buy/lease them from ATM providers.
  
  --
  When our name is on the back of your car, we're behind you all the way!
6. Re:Asleep at the wheel. by operagost · 2014-03-25 07:09 · Score: 3, Interesting
  
  Banks don't make ATMs. Blaming banks for poor ATM security is, for the most part, like blaming someone who was in an accident because their defective ignition switch shut off the car. Banks need to make sure their ATMs are physically protected and maintained. They do this, for the most part.
  Firms like Triton and Diebold build ATMs. That's where change will really have an impact.
  
  --
  
  Gamingmuseum.com: Give your 3D accelerator a rest.
Physical access? by Vlado · 2014-03-25 03:47 · Score: 4, Insightful

So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.
In my opinion this begs a whole set of other security questions first....
1. Re:Physical access? by CastrTroy · 2014-03-25 04:13 · Score: 4, Insightful
  
  Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote expliot. If that's the definition of remote exploit, I don' think there's a system on the planet that isn't vulnerable.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
There's an app for that by gnick · 2014-03-25 03:48 · Score: 4, Funny

I'd like to announce my new app for sale - Free after using the $200 rebate redeemable at a nearby ATM.

--
He's getting rather old, but he's a good mouse.
Diebold by Anonymous Coward · 2014-03-25 03:50 · Score: 2, Interesting

How's Diebold for a guess? Those fuckers are vulnerable to just about everything.
Who said no one would pay for SMS by Anonymous Coward · 2014-03-25 03:52 · Score: 3, Funny

after whatsapp.
Physical Access = owned by clovis · 2014-03-25 03:58 · Score: 3, Informative

This is a physical access attack and therefore not very interesting.
To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port (or in older versions, a USB stick, or keyboard). They recommend upgrading the OS and securing the hard drive. How about putting epoxy in the computer's device ports?
1. Re:Physical Access = owned by iggymanz · 2014-03-25 04:06 · Score: 4, Insightful
  
  or you could cut the ATM open at the point where the cashbox is installed
  to say this attack is "just not interesting" is an understatement
2. Re:Physical Access = owned by mlk · 2014-03-25 04:35 · Score: 2
  
  I'd assume the box that the money is in is secured and had paint or the like that will trigger when it is opened.
  Plus you can only do it once and it is very noticeable. Chopping a small hole in the box and secretly installing a small phone you could exploit time and time again without drawing attention from passers by.
  
  --
  Wow, I should not post when knackered.
3. Re:Physical Access = owned by sexconker · 2014-03-25 06:05 · Score: 2
  
  Physical access IS root access!
  Physical access is far, far greater than root access.
USB port? by Anonymous Coward · 2014-03-25 04:00 · Score: 2, Insightful

How does anyone access the USB port of the computer that controls the ATM, without breaching enough physical security that they might as well just grab the money? Sounds like this could only work if an insider at the bank in question smuggles in a phone and hooks it to the computer. You can't just pull up to an ATM and do this.
Re:HUH? by 50000BTU_barbecue · 2014-03-25 04:40 · Score: 2

"they are not charging you a red cent if they have a theft."
No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

--
Mostly random stuff.
Re:HUH? by coinreturn · 2014-03-25 04:48 · Score: 3, Informative

"they are not charging you a red cent if they have a theft."
No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.
Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.