Remote ATM Attack Uses SMS To Dispense Cash

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

Asleep at the wheel.

[Forbo]

"The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

Really? This stuff isn't being done to begin with?

Physical access?

[Vlado]

So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.

In my opinion this begs a whole set of other security questions first....

Re:Physical access?

[CastrTroy]

Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote expliot. If that's the definition of remote exploit, I don' think there's a system on the planet that isn't vulnerable.

There's an app for that

[gnick]

I'd like to announce my new app for sale - Free after using the $200 rebate redeemable at a nearby ATM.

Re:Physical Access = owned

[iggymanz]

or you could cut the ATM open at the point where the cashbox is installed

to say this attack is "just not interesting" is an understatement