Metel Hackers Roll Back ATM Transactions, Steal Millions (threatpost.com)
msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.
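The summary describes withdrawals that are rolled back from compromised support machines so that account balances never change. The sketch below is an added detection example, not code from the article, Kaspersky Lab or any bank; the ledger fields, origin names, sample events and thresholds are all constructed assumptions. It flags cards whose withdrawals are reversed from a non-ATM origin at several different ATMs in a short span, while ignoring reversals reported by the cash machine itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger events, not real data. Assumed fields:
# (time, card, kind, amount, origin, atm_id); origin "atm" means the cash
# machine itself reported the failed dispense, anything else is back office.
EVENTS = [
    ("2016-02-08 01:00", "card-A", "WITHDRAWAL", 200, "atm", "ATM-01"),
    ("2016-02-08 01:02", "card-A", "REVERSAL", 200, "support-ws-14", "ATM-01"),
    ("2016-02-08 01:20", "card-A", "WITHDRAWAL", 200, "atm", "ATM-02"),
    ("2016-02-08 01:21", "card-A", "REVERSAL", 200, "support-ws-14", "ATM-02"),
    ("2016-02-08 01:45", "card-A", "WITHDRAWAL", 200, "atm", "ATM-03"),
    ("2016-02-08 01:47", "card-A", "REVERSAL", 200, "support-ws-14", "ATM-03"),
    ("2016-02-08 09:10", "card-B", "WITHDRAWAL", 100, "atm", "ATM-07"),
    ("2016-02-08 09:11", "card-B", "REVERSAL", 100, "atm", "ATM-07"),  # jam
    ("2016-02-08 10:00", "card-C", "WITHDRAWAL", 50, "atm", "ATM-02"),
    ("2016-02-08 10:03", "card-C", "REVERSAL", 50, "support-ws-03", "ATM-02"),
    ("2016-02-08 11:00", "card-D", "WITHDRAWAL", 80, "atm", "ATM-01"),
]

def flag_rollback_abuse(events, pair_window=timedelta(minutes=5),
                        span=timedelta(hours=6), min_atms=3):
    """Return {card: [atm ids]} for cards whose withdrawals were reversed from
    a non-ATM origin at min_atms or more distinct ATMs within `span`."""
    pending = {}               # (card, atm, amount) -> withdrawal time
    hits = defaultdict(list)   # card -> [(reversal time, atm)]
    for ts, card, kind, amount, origin, atm in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        key = (card, atm, amount)
        if kind == "WITHDRAWAL":
            pending[key] = when
        elif kind == "REVERSAL" and key in pending:
            taken = pending.pop(key)
            # A dispenser fault is reported by the ATM; a reversal arriving
            # from a workstation minutes after a withdrawal is the odd one.
            if origin != "atm" and when - taken <= pair_window:
                hits[card].append((when, atm))
    flagged = {}
    for card, rows in hits.items():
        for i, (start, _) in enumerate(rows):   # window anchored at each hit
            atms = {a for t, a in rows[i:] if t - start <= span}
            if len(atms) >= min_atms:
                flagged[card] = sorted(atms)
                break
    return flagged

if __name__ == "__main__":
    print(flag_rollback_abuse(EVENTS))
```

A single support-issued reversal (card-C) stays below the threshold, so ordinary dispute handling does not alert.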
I'm on the mobile site, as I usually am, reading /. on my phone while having a cig (no judgments please). I can't, for the life of me, find the link to RTFA when it's not included in the summary text! What am I missing?!?!
Just to confirm...
Rollback means playback, right? Like, they record how the ATM communicates the authentication portion of the transaction, and replay that same communication with the ATM until its stored cash has all been dispensed and it's now empty?
Seems like the people that designed the ATMs and their authentication protocols have some 'splaining to do. This kind of vulnerability should have been anticipated and the software hardened against, given that this is machine-to-machine encryption, not person-to-machine.
Do not look into laser with remaining eye.
http://usa.kaspersky.com/about-us/press-center/press-releases/carbanak-and-beyond-banks-face-new-attacks
Is there a real article here or just some guy's rant about something?
just bits displaced to make room for more vodka-soak cells.
let's hear it for the boyz.
smells.
The only reason why an ATM transaction should be able to be "rolled-back" is if the machine never dispensed the cash.
Cash dispensers aren't generally "smart enough" to know if they actually dispense cash or not. They try hard (photo-sensors, knowing how much cash in the system, etc) -- but at the end of the day you're talking about ejecting paper. Paper jams do occur. A rollback mechanism must be in place.
Here's the thing - we're talking VERY small amounts. $200 at a shot. Multiple ATMs. This is a LOT of work and the security cams at the ATMs should be seeing who's getting the cash (thus the ski mask).
And they're claiming they've hit the banks for Billions?
An ATM would hold...maybe...$100,000 (5000 $20 bills)?
45 6E 67 6C 69 73 68 2E
Minimum threshold fixed. Thanks!
Really people, don't use abbreviations, or ambiguous terms. No matter how 'cool' you think you are, there are less technical people out there that still want to know what you have to say. Using that kind of crap without explaining it doesn't make you seem knowledgeable, it just makes you seem like a fool. Nor is it that hard to put an actual LINK in the article.
excitingthingstodo.blogspot.com
... that have borrowed heavily from targeted nation-state attacks
'nough said.
Select from tblFriends where interesting >= 4;
A team of 50 people - that's $5 million a day. Do it sporadically over the course of a few years - yeah, a billion is possible...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Modded down because - The TFA didn't mention that the ATMs ran Windows and even if they did, what is notable is the access to the databases. Also, why rant about the loss of american jobs ... in Russia?
But TFA DID. It spoke of the value to the hackers in gaining control of the domain controller. That's a Windows thing.
People are generally upset with our banks because while they accept them as basically essential, they don't approve of much of what they do.
The banks can and do screw me, from time to time, yet yes - I leave my money with them. I might not have an "obligation" to do so, but it becomes very difficult to go around them. Most employers prefer to pay with direct deposit to a bank account, for example. If you opt out? They might cut you checks which you've got to go to check cashing places to cash, and incur fees for doing so right off the bat. Then you incur the risk of carrying that much cash around with you everywhere too.
Try to make a major purchase and the country flags you as a terrorist suspect the minute you make a large cash payment for it! Try to take cash on an airline flight and again, you're flagged and pulled out of the security line. If you ever do try to make monthly payments with a business on something, they typically run your credit and find that your credit score stinks too -- since there's no record of you having your name on a savings or checking account or any other real credit history.
I'm not suggesting all of us think bank robbers are "heroes". I know I don't. There's still a system in place that those people think they're "above everyone else", bypassing it, and costing everyone else in the long run. (Banks that lose money are covered by FDIC insurance, but eventually -- it's we the taxpaying public who gets to pay to keep that insurance program going.)
This is awesome.
The bank still has the same digital balance, it just doesn't have the physical notes any more.
It's the perfect victimless crime.
Where did I rant about loss of American jobs? Not a once. I spoke ONLY of the security issue. And I will bet that each of these are running windows which makes it easy to leave backdoors in.
I prefer the "u" in honour as it seems to be missing these days.
57 68 79 20 64 69 64 20 49 20 77 61 73 74 65 20 6D 79 20 74 69 6D 65 20 64 65 63 69 70 68 65 72 69 6E 67 20 74 68 61 74 3F
go fuck yourself and your religious bullshit, this is /. so keep it geek not religious
initial compromises were carried out via spear-phishing and a malicious RAR archive disguised as a Word document
People sure love clicking random email attachments
Why are these ATMs connected to the Internet and who decided to run Windows on them: Carbanak ring steals $1 billion from banks
Didn't you know, the microserfs monitor this forum for any criticism of MICROS~1 Windows :)
Cash dispensers aren't generally "smart enough" to know if they actually dispense cash or not.
I've experienced the very thing you're speaking of - the machine could not dispense the entire amount I requested due to a mechanical malfunction. The screen informed me of such and the amount that _was_ dispensed was reflected on the receipt. My account balance reflected my original withdrawal and a refund for the amount the machine couldn't dispense.
So yeah, they have those kinds of brains in them. I wouldn't be surprised if it was required by law.
If you are reading this, you have called my bluff (as this was a really dead story ...). It is being used as a pseudo-citation and was intended to be humor, but feel free to mod as a troll or flamebait or whatever else strikes your fancy.
can't say anything bad about windows.
check cashing places to cash, and incur fees for doing so right off the bat. Then you incur the risk of carrying that much cash around with you everywhere too.
So the bank is supposed to take this risk you don't want to take and guarantee the safety of your money at no cost?
The alternative is for you to hire a security company to escort the money to your safe.
Try to make a major purchase and the country flags you as a terrorist suspect the minute you make a large cash payment for it!
Wrong, they flag your transaction for review. Two very different things.
Try to take cash on an airline flight and again
If you are crossing borders that makes absolute sense. If you aren't crossing borders you can carry as much money as you want. You should notify TSA ahead of travels: http://www.airsafe.com/issues/...
since there's no record of you having your name on a savings or checking account or any other real credit history.
Would you loan your money to someone else without a way to check who they are and how reliable they are? Probably not. Borrowing money is not a given right, it's a privilege that's become a standard in our society but that still requires validation.
What did the banks actually do to you to make you hate them OR are you one of the sheep that flames said entities because it's the popular thing to do?
In my life banks have allowed me to collect interest on savings, build large gains on mutual funds and borrow money at low interest rates. I'm not sure where they screwed me. Are we talking about the $2-$4 / month I get charged for transactions?
Seriously? I'm a "sheep" for hating the banking system we've got in place?
Let's talk about that "interest collected on savings", shall we? It's so little these days, it's pretty much worthless. Meanwhile, you let the bank use your money while it sits there, to lend out to someone else at a FAR higher interest rate than you're being paid on it.
Or let's talk ATM machines.... Ostensibly deployed for customer convenience, they're ALSO quite popular with banks because it allowed them to stop hiring nearly so many tellers to help people in person with transactions. That means, a big cost savings for the banks. All fine and good, except why then do I get dinged for $2.00 or more each time I try to take my OWN money out of my account using a machine not owned by my particular bank? And why, in most cases, will the bank who owns that ATM *also* add on a $2.00 or more fee for withdrawing the money? If I only need $10, that's a good 40% of what I'm withdrawing they want as a cut for doing it! With almost all of these machines in the same "network", it should be a trivial process for banks to sort out who owes who for a "foreign transaction" and straighten that out on the back end. Maybe worth a 25 cent surcharge, at most.
In fact, pretty much ANY interaction with a bank involves surcharges tacked on. Want a new box of checks ordered? You can be sure they'll sell them to you for at least 2x the going rate from any of the custom check printing services that advertise in the local newspaper and elsewhere (and get less choice about how you want them to look). Accidental overdraft? Now we're really talking extra charges! I guess they figure since YOU made the mistake, they can soak you with impunity on those, right?
I have no problem with a lender verifying a person is reliable and statistically likely enough to repay them before agreeing to the loan. But loans are where banks really should be making all the money they need to survive and thrive! All of the savings or checking accounts should just be tools to gather up some of that money to lend back out, and not viewed as MORE ways to profit from people. Most of the people opening one of those accounts will eventually need an auto loan, a home loan, or some kind of personal loan anyway.
And lastly -- I never found a bank that would lend me money at an interest rate as low as a local credit union. They're simply not competitive with them!