Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATM Hacks in 'More Than a Dozen' European Countries in 2016 (zdnet.com)

Posted by msmash on from the bank-heist dept.

Cybercriminals have hacked ATMs in more than a dozen countries in Europe this year using software that forces the machines to spit out cash, according to Russian cybersecurity firm Group IB. ZDNet adds: This type of attack, known as "jackpotting", is part of hackers' shifting focus from stealing card numbers and online banking details towards a more lucrative method that gives them access to both ATMs and electronic payments. The firm said attacks had successfully compromised banks in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, Poland, Romania, Russia, Spain, and the United Kingdom, as well as in Malaysia. However, the firm declined to disclose the banks' names. ATM makers Diebold Nixdorf and NCR Corp said that they are aware of the attacks, and have been working with customers to mitigate the threat. Dmitry Volkov, head of intelligence at Group IB said that he expects more heists on ATMs in the future.

11 of 22 comments (clear)

  1. Sonic by Big+Hairy+Ian · · Score: 1

    It's just evidence that Dr Who's been in town

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. Hmmmm... Useful by Esteanil · · Score: 2

    "software that forces the machines to spit out cash" sounds useful.
    Anybody got a copy? :-P

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    1. Re:Hmmmm... Useful by unixisc · · Score: 1

      Such software should be libre, and under AGPL

  3. Doesn't sound so bad to me. by sims+2 · · Score: 1

    Not so bad when compared to what they do around here http://5newsonline.com/2016/09...

    All the cash in the atm VS The storefront, the displays, the atm and all the cash in the atm.

    --
    Minimum threshold fixed. Thanks!
    1. Re:Doesn't sound so bad to me. by rwiggers · · Score: 1

      or here...

      http://g1.globo.com/pernambuco...

  4. Re:Sigh by war4peace · · Score: 1

    Not required if the security hole is big enough.
    Although I'd wager any hole size would suffice anyway. Skilled penis hacker, amirite?

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  5. I guess, it is a single bank by fubarrr · · Score: 3, Interesting

    >banks in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, Poland, Romania, Russia, Spain, and the United Kingdom, as well as in Malaysia

    The only bank with branches in aforesaid countries, with exception of Spain (they run a re-branded outlet after Spain busted Russian mafia there,) is Russian Sberbank; and yes, they had master password leakages many times before.

    And I believe that guys who were PWNing them were their own, as nobody except for Russians have mule networks with such size and reach.

  6. Another known trick by fubarrr · · Score: 2

    The other known "trick" is to make the ATM hardware to mess up it's cash cassette setup, to make it think than all cassettes have $5 buck notes instead of 100. This requires service password, but no physical access. It is impossible for the serviceman with this password to simply order the ATM to open its protected compartment or spew cash, but things like turning off its internet connection, see its VPN settings, launch internet explorer to a site with exploit (most ATMs are windows XP machines) and etc.

    Banks to have good checks on their tech staff, but this prevents nothing if a serviceman simply sell his password to a 3rd party.

    1. Re:Another known trick by mlts · · Score: 1

      I've wondered why passwords are used. With the tech we have (including a way to ensure the clock is set correctly via NTP), why not use both a service password and a OTP using a TOTP mechanism like the Google Authenticator? Done right with the key inputted to a device [1] handed to the service person, they wouldn't be able to extract the TOTP seed, which would prevent someone selling the password.

      Or, perhaps add a smartcard to the mix. The US government uses PIV/CACs all the time, why not use that tech in an ATM?

      [1]: This device could even be an iPod Touch. I keep one of these around just for the sole purpose of working with Duo and Authy, just in case I lose my phone. It wouldn't be too difficult for a bank to make a dedicated device that would lock itself if taken outside a geofenced area.

    2. Re:Another known trick by youngone · · Score: 1
      I saw two guards changing the money cassettes in an ATM in my local mall a couple of weeks ago, and I am quite pleased that I live in a country where they don't carry guns at all.

      Also skimming still goes on

      The article says that they were arrested after bank staff saw unusual transactions, which might be true, but I would be willing to bet a whole dollar that the police were onto them as soon as they arrived.

      Four Romanians in New Zealand for a holiday? Yeah, right.

  7. some are at the default passwords as well. by Joe_Dragon · · Score: 1

    some are at the default passwords as well.