Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote ATM Attack Uses SMS To Dispense Cash

Posted by timothy on from the $$$-rofl-omg-$$$ dept.

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

10 of 150 comments (clear)

  1. Asleep at the wheel. by Forbo · · Score: 5, Insightful

    "The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

    Really? This stuff isn't being done to begin with?

    1. Re:Asleep at the wheel. by Lumpy · · Score: 3, Interesting

      Banks barely do anything. They make insane profits but the scumbags refuse to spend a dime on security or maintenance.

      The difference between a bank and organized crime is that you know what to expect from organized crime.

      --
      Do not look at laser with remaining good eye.
    2. Re:Asleep at the wheel. by operagost · · Score: 3, Interesting

      Banks don't make ATMs. Blaming banks for poor ATM security is, for the most part, like blaming someone who was in an accident because their defective ignition switch shut off the car. Banks need to make sure their ATMs are physically protected and maintained. They do this, for the most part.

      Firms like Triton and Diebold build ATMs. That's where change will really have an impact.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  2. Physical access? by Vlado · · Score: 4, Insightful

    So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.

    In my opinion this begs a whole set of other security questions first....

    1. Re:Physical access? by CastrTroy · · Score: 4, Insightful

      Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote expliot. If that's the definition of remote exploit, I don' think there's a system on the planet that isn't vulnerable.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. There's an app for that by gnick · · Score: 4, Funny

    I'd like to announce my new app for sale - Free after using the $200 rebate redeemable at a nearby ATM.

    --
    He's getting rather old, but he's a good mouse.
  4. Who said no one would pay for SMS by Anonymous Coward · · Score: 3, Funny

    after whatsapp.

  5. Physical Access = owned by clovis · · Score: 3, Informative

    This is a physical access attack and therefore not very interesting.
    To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port (or in older versions, a USB stick, or keyboard). They recommend upgrading the OS and securing the hard drive. How about putting epoxy in the computer's device ports?

    1. Re:Physical Access = owned by iggymanz · · Score: 4, Insightful

      or you could cut the ATM open at the point where the cashbox is installed

      to say this attack is "just not interesting" is an understatement

  6. Re:HUH? by coinreturn · · Score: 3, Informative

    "they are not charging you a red cent if they have a theft."

    No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

    Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.