First 'Jackpotting' Attacks Hit US ATMs

Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

Windows XP in ATMs

Windows XP in ATMs
Moronic idea.

Windows is a toy for (rather retarded) children. Period.

Re: Windows XP in ATMs

You clearly don't have anything useful to contribute to this discussion. The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton. For desktops, a focus on bringing better applications to Linux would do far more to increase market share than bashing Windows. Instead, you come across as petulant and childish.

The other issue here is the physical access to the hardware, at which point all bets are off in regard to security. This really isn't about Windows, but more likely better limiting the physical access needed to carry out the attacks.

Grow up.

Re:Windows XP in ATMs

Windows XP is no more childish or retarded than Linux or any other OS. If someone has physical access to a computer it makes no difference what operating system it is running.

Re:Windows XP in ATMs

[jellomizer]

Consumer level multi-purpose OS's in single use devices is a bad idea.

This includes having ATM running, Windows 10, Windows Server 2012, Mac OS X, OS/2, Linux distributions like Ubuntu/Mint...

The Multi-purpose OS's has way too much stuff enabled by default. Allowing for possibilities of breaking in.

Re:Windows XP in ATMs

[xxxLCxxx]

He's got a point, nonetheless. You would expect a slim real-time-OS with a minimum of attack surface.
Windows isn't really 'deterministic'. You can do a lot of things much cleaner with a RTOS.
The problem here is that most of the big reputable companies don't have any decent programmers. Therefore, you can expect some crappy software at VB level on top of a 'not too reliable' OS.
A clever 13-year old computer kid could do a much better job. Marketing - and thus the big blenders in suits - always wins, however. :-(

Re: Windows XP in ATMs

The OP's point is still invalid. I agree that you want a slim OS with a reduced attack surface for that purpose. There are versions of Linux for exactly that purpose. And there's also a version of Windows for that purpose, now called Windows IoT, formerly Windows Embedded. Those ATMs probably aren't running consumer versions of Windows XP, but Windows XP Embedded. If they pay Microsoft for extended support beyond the EOL for XP, and continue to apply updates, the OS may not be that big of a problem. The issue here is mainly physical access to the system.

Re: Windows XP in ATMs

[MightyYar]

Yeah, we used Windows Embedded for years in an industrial product. There were two drivers. The first was a well-tested library that we needed was most commonly used in Windows. The vendor was willing to build for Linux, but we would be the first users and didn't like the risk. The second driver was, believe it or not, USB thumbdrive support. At the end of the 90s, floppies were too small, so we transitioned to superdrives (compatible with floppies, but capacity was up to 120MB). Only one vendor made these drives, though, and soon they were end of life. The only good alternative was to support thumbdrives. But Linux back then was very hit-or-miss for thumbdrive support. Windows worked with nearly everything our customers threw into it.

Ironically (or not), the USB support is where we've had virus problems with Windows Embedded.

Linux USB support is now just fine, so we've transitioned to Linux. But Windows Embedded was fine - it let you only install the services you needed, so the vulnerability profile was much smaller than "kitchen sink" Windows.

Re: Windows XP in ATMs

[webnut77]

Linux users bashing Windows...

Wait. I thought it was Microsoft that bashed Windows with Ubuntu.

Re:Windows XP in ATMs

[Wrath0fb0b]

Yes, there's no argument you can do a lot of things much cleaner with a bare-bones RTOS.

Then a few years pass and your boss needs to:

• Update the UI to support a new screen size
• Update the UI and HID to support a new touchscreen model
• Add ADA mandated audio prompts to the headphone jack
• Accept chip-card transactions as well as magstripe
• Reject magstripe attempts for a card with a chip
• Accept NFC enabled debit cards
• Accept the new cash-counting accessory for people to make cash deposits
• Accept the new check-deposit accessory for people to make check deposits
• ...

Then your bare-bones RTOS isn't looking so hot. Who knows what shit-tastic GUI library or HID parsing they wrote for it. Meanwhile your boss's boss's boss is wondering why the hell we can't update these things like everyone else can and the security folks are clamoring to get chip & PIN working while you are staring down who-knows-how-they-built-it pile of WTF.

I mean, stop for a second and think, there are reasons that we don't just hire 13 year old computer whiz kids to implement everythingÂin their favorite obscure OS. Business requirements are a real thing, and they are a moving target.

Of course, Embedded Linux is a perfectly good choice for an OS. Still need libraries/frameworks for GUI, Audio, HID and peripherals. And then figure out how you are going to take kernel security updates without breaking ALSA/PulseAudio, or else pay RH to do it for you. By the time you are done it's not going to be "slim" and it definitely won't be a a bare-bones RTOS.

Re:Windows XP in ATMs

[mysidia]

Then your bare-bones RTOS isn't looking so hot. Who knows what shit-tastic GUI library or HID parsing they wrote for it. Meanwhile your boss's boss's boss is wondering why the hell we can't update these things

These are not OS issues. If the company building the ATM can't afford to pay for decent SDK libraries for their chosen OS, then you have to write them from scratch, but don't blame the RTOS for that.

Re:Windows XP in ATMs

[CaptainDork]

Why is this modded down?

I'm running XP at the house and still get security updates because, via registry hack, the computers think they are ATMs or POS.

The hack, as reported by ZDNet, fools Microsoft into thinking the system is running Windows Embedded POSReady 2009, a variant of XP that's used by ATMs and cash registers. Those systems will keep getting security updates until 2019.

Lots of ATMs still run XP.

95% of bank ATMs face end of security support (2014).

Re:Windows XP in ATMs

[xxxLCxxx]

That was probably the status 20 years ago.
Check this out: From Qt 5.9 onwards, the Green Hills Software INTEGRITY Real-Time Operating System (RTOS) is a supported platform.
The Green Hills INTEGRITY Real-Time Operating System (RTOS) is widely used in safety- and security-critical systems.

This means you got a lib with Unicode, left to right, upside down writing, i18n as simple as breaking the egg and layout management. All the elements fall in place automatically, regardless of screen size and you can have the font adapting to the given DPI. It's all there - even Qt!
You don't really want a multi-user, multi-processing system for something like that. It can all cause unnecessary problems. It's straight down the line programming here: Input -> Action -> Output.

Re:Windows XP in ATMs

[omnichad]

This could easily be Windows XP Embedded. It's not even EOL yet.

Re:Windows XP in ATMs

[ctilsie242]

Ideally, an ATM should be running a secure, embedded OS. Not "secure" as in a mainstream OS, but secure as in an OS designed from the ground up, like QNX, Tock, Wind River, INTEGRITY, or similar. A desktop OS is not needed, because an ATM doesn't need much of the functionality (and attack surface) a general purpose OS provides, other than being able to drive a graphical touch screen so the designers can have their spring/fall fashions. There are secure hypervisor OSes out there which is useful since this allows the ATM's OS to be in a single OS image, so updates are as easy as having an image's signature validated, the image copied, the old image saved as a backup, the hypervisor shut down the old OS, and the new OS started. During the startup process, the image's signature is validated, so if it does get replaced by something off a USB flesh drive, the hypervisor will just throw an error code and tell the owner to call for service, or if the machine is always on the Internet, perhaps go and fetch the latest copy of the OS from the server, copy that in, validate and run from there.

Defense in depth can be done, and done relatively cheaply. Game consoles are a good example of this, where the latest XBox One and PS4 have been out for a number of years without a single significant break. It is just spending a little bit of cash to do it "right", rather than just grab a desktop OS and do the job cheaply.

Re:Windows XP in ATMs

Actually there have been at least two significant public "breaks" for the PS4 since it has been out.

Re:Windows XP in ATMs

A key item both of you left out was patents. Patents are why Linux ATMs are like Sasquatch. Sure, you could put together a RTOS to run your ATM hardware but you wont be able to interface with any ATM processor until your hardware appears as an established ATM terminal type or you pay a lot of money to each ATM processor to accept your new terminal type. Most ATM manufacturers choose the established ATM terminal type path, pay the licensing fee, and are then provided Windows API files.

Re:Windows XP in ATMs

[lgw]

The Multi-purpose OS's has way too much stuff enabled by default. Allowing for possibilities of breaking in.

You're talking out of your ass. None of the jackpotting attacks have anything to do with the OS.

The normal attack involves updating the firmware on the machine via a USB port, which is protected only by a key that is common across many ATMs. The attacker gets the key, opens the service panel on the ATM, and inserts the USB drive containing the new (unsigned) firmware. At no point is the OS involved.

Many ATMs are also vulnerable to remote attack - they are typically on dial-up for remote maintenance: guess the phone number of the ATM and you have only flimsy security to overcome (e.g., hard-coded common password) to update the FW remotely. Again, nothing to do with the OS.

The attack surface of an ATM has nothing to do with the attack surface of a server on the internet.

Re: Windows XP in ATMs

I worked at an ATM company when the switch to Windows happened. It happened, among other reasons, because customers demanded it. They wanted to manage the ATMs like other computing resources, and those other resources ran Windows (Windows NT at the time)

Re: Windows XP in ATMs

the OS may not be that big of a problem.

RTFA

The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack. - https://krebsonsecurity.com/20...

Re: Windows XP in ATMs

While I agree AC's comment could be better worded, it does raise a point, which is directly pointed out in the article which he may have actually read as you clearly did not....

This really isn't about Windows

From the fine article:
The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable

Not only was it about windows, it was about XP in particular!

And if you going to bring up non-existent political analogies, your post is like Trump supporters pointing out that, "Hillary would have done the same thing..." (on NAFTA for example).

You can't say that, you have no idea what she *would have* done, same as you have no idea how Linux would fair in ATM's because it didn't happen.

This is indeed a windows/XP issue and it is in fact a bad idea to have a general purpose OS used in this situation.

Re: Windows XP in ATMs

[fahrbot-bot]

The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton.

Are you implying that Hillary Clinton is old and unmaintained? :-)

Re: Windows XP in ATMs

Ah shutup, we never wanted you people in any of our products. Microsoft has always be a semi-fraudulent organization that does not expand into new markets by innovation but by political maneuvering.

Re: Windows XP in ATMs

"Particularly vulnerable" and "in particular" do not mean the same thing.

chase bank has ADT/tyco key pads inside them

[Joe_Dragon]

chase bank has ADT/tyco key pads inside them so you need to disarm that when you open them.

Re:chase bank has ADT/tyco key pads inside them

chase bank has ADT/tyco key pads inside them so you need to disarm that when you open them.

The sketchy looking ATMs in stores are the primary target. The criminals can get their hands on them and fuzz them all day to develop the attack.

What are criminals in the US coming to?

Bunch of pussies. In the UK, they dig the damn thing out with a backhoe
http://www.bbc.co.uk/news/av/u...

Re:What are criminals in the US coming to?

[bobbied]

Bunch of pussies. In the UK, they dig the damn thing out with a backhoe http://www.bbc.co.uk/news/av/u...

LOL.. Here in the US they just chain them to the back of a stolen 4W Drive SUV or large pickup truck and yank them out through the front of the store. So the backhoe thing seems a bit slow to me. Who needs a backhoe and 10 min when you have a 5,000 LB SUV and a logging chain?

Re: What are criminals in the US coming to?

[jabuzz]

Using a backhoe is old school now. Real criminals just insert a tube, squirt some gas inside and then literally blow the ATM up. Gets you instant access to the cash, and it happens too fast for the dye to make the bank note unusable.

slot machines make it hard to open with out settin

[Joe_Dragon]

slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

Proof that full stack Rust is needed

This is yet more proof that we need all software to be written in the Rust programming language. We need full stack Rust for high security situations like ATMs. Any firmware should be written in Rust. The OS should be written in Rust. The application software should be written in Rust. Rust is the only programming language around that has move semantics, guaranteed memory safety, threads without data races, and a minimal runtime. That's why we need to be using Rust for software where security matters, which really means that we should be using Rust for all software.

Re:Proof that full stack Rust is needed

[wed128]

People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around. If Rust is so much better, start fundraising for a startup! i'm sure you'll be rich in no time.

Re:Proof that full stack Rust is needed

[Cro+Magnon]

People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around.

Maybe if there was, we wouldn't have so many exploits. :p

Re:Proof that full stack Rust is needed

Ada sucked balls. It required 2 to 3 times the lines of code to match C. It was very inefficient.

I have no professional experience with Ada, even though my college professor told me I would see it all of the time. Of course, as the head of the department he made sure that the class "into to computers" was based around a book he wrote about Ada.

Re:Proof that full stack Rust is needed

[lgw]

Ada sucked balls. It required 2 to 3 times the lines of code to match C. It was very inefficient.

Ada was "C for a life-safety domain". It really wasn't any more code than you'd need to do C right for that domain, and it regularized a bunch of stuff to make it easier to review. E.g., when you declared an int you'd declare the legal range of values for that int. Assuming the int was an array index, this neatly solved all the bounds-checking problems in a way that made it obvious what to review. Everything in the language is like that. Sure, it's a real pain in the ass, but that was going to be true however you did it. Don't like it, don't write ABS controllers or avionics.

Of course, using Ada outside of that domain, as some sort of general-purpose language, would have been nuts.

Re:Proof that full stack Rust is needed

Interesting to know that VHDL is superset of Ada (well at least of an old version of Ada), it is used for FPGA development a lot. I actually like VHDL a lot, it is very strict and you have get to used to it, but it does make things very clear and very safe.

But why??

[CrimsonAvenger]

So, if I have physical access to the machine, I can install software that lets me loot the machine.

Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software install.

I'm failing to see this as a serious new threat to ATM's....

Re:But why??

[beelsebob]

What makes you think you can take money out of the machine without the software install?

Cracking safes, quickly and quietly with no one noticing is really hard. Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.

Re:But why??

These questions are answered in the article.

Re:But why??

[Kierthos]

Okay, you have physical access to the machine, and you use that to take all the money out. And then the next person who tries to use the ATM notices that there's no cash in the ATM and calls the bank. (Or the ATM does that by itself.)

Or you install the software that allows you to take cash out as often as you want until the bank realizes what's happening and cycles that particular ATM out or unplugs it/puts an "Out of Order" sign on it.

The first method, you get cash once, and it's probably far more obvious who did it because they'll know when the ATM was emptied of cash. The second method, you wait a few days or weeks to start looting, and it's much less obvious when the hack occurred.

Re:But why??

Because the case is inside yet another safe within the main ATM. It is far easier to trick the machine into handing out the cash, then attempt to break into the inner safe that actually contains the cash. Plus, it doesn't sounds like they are opening the ATM itself, just using a endoscope to find and attach a USB cable through a small crack or opening. Actually opening an ATM is very difficult without the combination (both layers). For an example, check out https://www.youtube.com/watch?v=08EXOjZgxf0 where someone took a stolen backhoe to try to break into the ATM, they got into the side layer, but the vault with the money remained in tact. Another example: https://www.nbcsandiego.com/news/local/Stolen-Bulldozer-Used-in-Attempted-ATM-Theft-in-San-Diego-454079723.html In this example, you can eve see the secondary safe inside the primary casing at the 25sec mark.

Re:But why??

[Baron_Yam]

I imagine you need an 'inside man' - maybe the person who reloads the cash dispenser and unloads the collection bin, but maybe not if the computer hardware is secured in a separate lock box. Anyway, you need somebody with physical access to compromise the machine.

THEN you go and use the ATM to get cash... but remember you're on camera, and your transactions are logged, right? So what you probably want is the ability to have the machine spit out extra money when you enter a particular code (which hopefully you can do with a camera watching the suspicious activity) during an otherwise perfectly legitimate transaction.

And you want to time it so you do it immediately after the machine has been reloaded, so you have the maximum possible time before the machine runs out of cash before it should and an investigation starts. And then you want to never hit that ATM again, or your risk of getting caught skyrockets.

So you need two conspirators and you get one payout that needs to be limited so you don't get caught. You're going to clear a few hundred with a single attempt or maybe have it 'accidentally' slip you an extra bill over many visits. Certainly you're not going to make enough to justify the risks - the inside man is risking their presumably steady legitimate employment in addition to jail.

So who is doing this and why?

Re:But why??

[swb]

The standard argument seems to be it's a safe on the inside, you can't crack it easily or without setting off alarms.

To which I reply, why not steal the entire ATM? This limits you to a subset of all ATMs -- mainly freestanding models, but I can see potential ruses for thieves who make like they're doing an intentional swap of a machine, slightly broadening the potential number of machines and reducing the need for brute force thefts of the machines.

With the entire ATM at your disposal, you have much more time for more deliberate physical attacks on the machine's cash vault.

I can also see an angle using entirely fake ATMs as a giant skimmer. I also wonder how easy it would be to get a real-but-not-legitimate ATM filled with cash. Probably nearly impossible, as I'm sure the guards have to do a bunch of tasks with the terminal and not just add cash (in addition to the normal codes needing to work).

Re:But why??

Is much easier to trick the ATM controller into giving the cash than opening the ATM vault. So yes, is a new and serious problem.

Re:But why??

Any decent ATM with money (so with a vault) is heavy, you would need a pickup to carry it and this draws attention. The problem described by TFA is serious because it allows in theory that the thief can steal the ATM without having to move it (difficult) or force the safe open (even more difficult) by using the money dispensing mechanism itself.

Re:But why??

[Hognoxious]

Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.

And so is designing a machine without an externally accessible usb port.

Just ask Apple.

Re:But why??

[angel'o'sphere]

Just having access to the ATM might not be enough to get money out of it.
In Germany, the ATM often is in the front floor, the money is in the basement. Without credentials or exploiting a software bug most maintenance guys have no access to the money ...
So, like in this scenario, they try to get malware installed on the machine.

Re:But why??

[azadrozny]

There is a whole lot of "it depends" here. The malware could be installed and lie in wait for weeks or months. Long enough that it is no longer clear which ATM tech installed the malware. A little Googling suggests that most ATM's are capable of holding up to $200k, but with the average amount stocked in the machine being around $35k. Enough for a decent payday, even with multiple conspirators. The article suggest this hasn't been done in the US until very recently, and they are targeting specific models, so I suspect that the internal controls that banks use to monitor employees is pretty good.

Re:But why??

[Baron_Yam]

>the average amount stocked in the machine being around $35k. Enough for a decent payday, even with multiple conspirators.

$17.5K/ea less any expenses for a two-man crew. That would NOT be worth it to me to even daydream about... in Canada the sentence for a conviction of Theft over $5000 is a max of 10 years... $1,750 per year (not indexed to inflation!) that you may not get to keep, though I suppose you do get free room and board.

Re:But why??

[green1]

What idiot would build a cash machine with a USB port on the OUTSIDE?????

Re:But why??

Low tech aproach... propane gas, stolen car, 2 wires connected to the battery and the card reader... BOOM profit!

Re:But why??

[azadrozny]

Good point, but your average criminal does not always weigh the consequences of getting caught, and often think they have the system beat. The evening news is filled with examples of stupid criminals robbing convenience stores for the $500 in the register. The cases of jackpotting that I have heard about are usually coordinated enterprises, with folks recruiting (blackmailing?) the inside man, and multiple people hitting the machines for small amounts over a short period of time. Like a lot of criminal gangs, the folks at the bottom are expendable, and often desperate. So for a one time payout, it might not be worth it, but if you can figure out how to scale it up, and be the man at the top with "clean hands", it is a reasonable risk to take.

Re:But why??

" though I suppose you do get free room and board.

And the sex! Don't forget about all the free sex you'll get!

Whether you want it or not, I suspect.

Re:But why??

[j-beda]

$17.5K/ea less any expenses for a two-man crew. That would NOT be worth it to me to even daydream about... in Canada the sentence for a conviction of Theft over $5000 is a max of 10 years... $1,750 per year (not indexed to inflation!) that you may not get to keep, though I suppose you do get free room and board.

People who turn to a "life of crime", even highly intelligent ones, don't think like "most people", and seldom think that they might get caught. A single $15,000 payout might be very enticing, even if it actually takes a whole lot of work to get it.

http://articles.latimes.com/20...

Why Drug Dealers Live With Their Moms
If you had a job paying $3.30 an hour, you'd be bunking at home too.
April 24, 2005|Steven D. Levitt and Stephen J. Dubner |

During the crack cocaine boom of the 1990s, the image of the millionaire crack dealer implanted itself on the public consciousness. But anyone who spent time around the Crips or Bloods or any other crack-selling gang might have noticed something odd: A great many crack dealers still lived at home with their moms. Why was that?

Sudhir Venkatesh, a University of Chicago graduate student at the time, discovered the answer.

He had originally been sent by his thesis advisor into a Chicago housing project to administer a sociological survey. But after a harrowing encounter with a local crack gang, he befriended its leader and virtually embedded himself with the gang for six years. He was given a pile of notebooks containing four years' worth of the gang's financial transactions -- a trove of data that, when subjected to an economic analysis, proved incredibly revealing.

At root, economics is the study of incentives -- how people get what they want, or need, especially when other people want or need the same thing. The rules apply just as well to a crack gang as to a Fortune 500 business.

As it turned out, the gang worked a lot like most American businesses, though perhaps none more so than McDonald's. If you were to hold a McDonald's organizational chart and the crack gang's organizational chart side by side, you could hardly tell the difference. ...

Re:But why??

Read wikipedia's article on ATMs; jackpotting is covered there. It involves drilling a hole in the machine and hooking up an external hard drive loaded with your malicious code.
After that the transaction logs and camera are irrelevant. Just tell the hardware to keep spitting out cash and it complies.

Re:But why??

[phantomfive]

So who is doing this and why?

Mexican gangs, from how I understand the article. They figure out a way to attack an ATM machine type, then train some low-level goons to perform the attack, then send them across the country looking for ATM machines of that type.

Re:But why??

[drinkypoo]

To which I reply, why not steal the entire ATM? This limits you to a subset of all ATMs -- mainly freestanding models,

People have literally broken into banks just so that they could punch holes in the wall so they could run a chain through the holes... and around the ATM. That lets them pull the ATM out of the wall with a truck, at which point it can be loaded onto the truck with a crane or a liftgate (or just four big guys.)

Re:But why??

[Macdude]

So, if I have physical access to the machine, I can install software that lets me loot the machine.

Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software installhttps://www.youtube.com/watch?...

Re: But why??

Teach a man to open an ATM and he can cash for a day.
Teach him to install software and he can cash, well, until they find out the machineâ(TM)s rigged.

Re: But why??

That's per ATM. A real insider would be infecting dozens...
And then he wouldn't be getting the cash himself or from a co-conspirator. He'd just sell "hacked" cards to people on "the dark web" that can only pull like $100-$1000 a day for $25-$100 each.

Re:But why??

It's always about race with you, man.

It may not be targetting *those ATMs

Having worked for a bank's front-end, our major financial institutions have their butts pretty much covered if they so much as lose a single bill from an ATM. Maybe those smaller ATM's that can be found at mom-and-pop stores, bodegas as they're called here in the tri-state area, convenience or dollar stores, provide a much easier target i.e. low-hanging fruit

Re:Pro tip from Europe...

Fuckwit retard

Re:slot machines make it hard to open with out set

[Chrisq]

slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

They don't. I suspect that a lot of these attacks are inside jobs

Deja Vu!

[Gravis+Zero]

Pro tip from Europe...
Culprits are Romanians. they are born with a propensity for card crime. they are filthy animals.

That's super weird, bro because I recently got a similar warning from home.

Pro tip from Vulcan...
Culprits are Humans. They are born with a propensity for crime, violence and other illogical behavior. They are filthy animals.

Just get rid of money

We have the technology. I don’t mean cash free, but no money all together. So much time and effort such as hacking, stealing, mining (physical and crypto) that we could have a society based without it.

Re:Pro tip from Europe...

you are a faggot

Re:Pro tip from Europe...

You are brain dead

Re:Pro tip from Europe...

[Baron_Yam]

1) You meant to say 'Romani', a distinct ethnic group that isn't actually bound to the nation of Romania.

2) Still racist. Yep, there's higher crime rates with the Romani, probably because they're not particularly interested as a cultural group in integrating into their larger community. Which may be due to racists like you, who discriminate against them and remove the opportunity from many of those who would integrate if they could. Chicken and egg.

3) People who describe other people as 'filthy animals' are rarely the best of humanity. You're dehumanizing others as a justification for treating them like shit. Aren't you a wonderful person?

Ahh, First World countries...

[Curupira]

...at least in Europe and in the US thieves are sofisticated enough to hack the ATMs. In my country, they explode them. It's a security nightmare in smaller towns with insufficient police forces.

Re:Ahh, First World countries...

[jittles]

...at least in Europe and in the US thieves are sofisticated enough to hack the ATMs. In my country, they explode them. It's a security nightmare in smaller towns with insufficient police forces.

You should never link to NY Daily News. They're lying bastards. They aren't even good liars, either. They try to blame my ad-blocker for preventing the loading of their articles when I see the whole article load and then get covered up by this page suggesting that there is some software bug in the ad-blocker.

Re:Ahh, First World countries...

[iggymanz]

that isn't them, it's liveleaks.com that something on the page refers.

Re:Ahh, First World countries...

[iggymanz]

my geek autism was triggered reading that article, claiming "TNT" being put in ATM when in fact it is dynamite that they're using. Dynamite is a trinitroglycerol gel

Re:Ahh, First World countries...

[Curupira]

You should never link to NY Daily News. They're lying bastards. They aren't even good liars, either. They try to blame my ad-blocker for preventing the loading of their articles when I see the whole article load and then get covered up by this page suggesting that there is some software bug in the ad-blocker.

Sorry about that. It was the first article in English that I've found (most Slashdot users don't speak Portuguese, I suppose) about a well-known problem in Brazil.

Re:Ahh, First World countries...

[dargaud]

[F12] in Firefox, identify the covering element, remove, voilà...

Re:Ahh, First World countries...

In Europe they usually use welding oxigen/fuel mix, much easier to find than dynamite and only needs a small hole to fill the whole cabinet.

Re:slot machines make it hard to open with out set

[jittles]

slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.

Re:Pro tip from Europe...

gypsies steal your goats? im surprised they have internet where ever you come from.

Re:slot machines make it hard to open with out set

[CodeHog]

Link? Replacing an HD is as simple a process as pushing a reset button. The latter might be possible without opening but disconnecting and reconnecting an HD without getting your hands dirty sounds near impossible.

Re:Pro tip from Europe...

Some prejudices are deeply rooted in reality. Americans usually call these people Gypsies. The have earned their association with scams and small time crime. Things like "Jackpotting" and pumping ATMs full of explosive gas and blowing them up to get to the cash require experience, so they're usually committed by groups where that experience can be shared. Gypsies also often abuse the law's leniency towards children by training them to commit petty theft and other small time property crime. And while I wouldn't call them animals, their disregard for public order also manifests in heaps of trash and damaged property whenever they leave for the next town to stay.

Re:Pro tip from Europe...

[Hognoxious]

1) You meant to say 'Romani'

Don't think he did.

Re:Pro tip from Europe...

It is understandable that Romani don't integrate, because there is so much bigotry against them in Europe, forcing them to band together. They tend to not be wanted in Europe's culture, no matter how they try, so wind up as outcasts, no matter how well they behave.

What is interesting is the fact that, Europeans tends to be just as racist, if not more so, than the US. In the US, overt racism tends to not happen because there are severe consequences, from losing one's job (and not ever being hirable again) to having their vehicle and home trashed, with the local police refusing to investigate because it was considered "justified". Europe, racism has no real social stigma.

Re:Pro tip from Europe...

You can call it racism all you want. These people are hated for their (often illegal and offensive) behavior, not their ancestry. Yes, it's prejudice, but what do you expect when the first thing you do in a new town is setting up an illegal camp and people read in the news that you left the last town you visited only when police threatened to dissolve the illegal camp by force, and that town was stuck with cleaning up after you? Sure, tell me more about your interesting culture then. I'm thrilled to hear it.

Obligatory Utopia clip:

Utopia - Romanian-Romani Rant

Re:Pro tip from Europe...

We have the same thing here in the US. They are called "bum jungles", and are not limited to a race that "mainstream" people love bashing and showing their bigotry against. An illegal camp gets set up, the police really can't keep up with it, so don't bother until there are reports of physical injuries, or more important (at least in the US) damage to a business, so the popo busts up the camp, and the cycle repeats.

Re:slot machines make it hard to open with out set

[lgw]

slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

The security in an ATM is mostly focused on protecting the cash box from physical attack, and from the maintenance tech. ATMs thus have two layers of security: something simple to allow maintenance of the "computer parts" of the ATM to be done cheaply, plus a much more robust inner layer to protect the cash from anyone but the guards from the armored car company. It's just old-school thinking about security.

It's also worth noting that there are still people who can open a slot machine, replace the ROM chip or whatever, and close the machine up again in a handful of seconds, before the alarm sounds. Sure, it's easier to update the FW on an ATM than a slot machine, but that only somewhat increases the time the attacker has before someone notices.

Re:Pro tip from Europe...

[Baron_Yam]

Interesting. Though it's difficult to weigh the relative prejudice of calling one group vs. another 'filthy animals', there's at least more diversity among Romanians overall making it even more ill-informed to choose them. And there's less pre-existing prejudice against them making it more difficult to understand (not forgive) as a product of upbringing.

Re:Pro tip from Europe...

[lgw]

Culprits are Romanians.... they are filthy animals.

Found the Bulgarian.

Re:slot machines make it hard to open with out set

slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

It depends on the type of machine and the owner. Bank owned machines are usually alarmed and will go off even if you have the key, but forget to disarm the alarm. They also have motion sensors, I have seen the alarm set off by an upset customer that hits the machine a little too hard.

Wow neato.

Too bad United States Federal Reserve Notes are less than zero value in actual terms.

Fiat money.
Fractional Reserve Banking System.
usdebtclock.org
Jews.

bank runs.

etc.

Wreck the Jews b4 it's too late. Exiled everywhere else already. Monopoly on all propaganda conduits and legal systems and financial institutions was not an accident or accident(s). It is an intentional infiltration and complex series of attempts to subvert the USA from the inside. Friend of Israel deez nuts thanks.

rekt. Fuck the Jews. Sucking freshly circumsized bloody baby penis (see youtube) and whirling chickens over their heads for their sins is weirdo shit straight up. Don't believe Noah's boat with 2 mosquitoes 2 eagles 2 chipmunks and 2 foxes either. Samson didn't lose any "power" from Delilah's haircut either. They will have you believe any old shit straight up. Deem Jews the Synagogue of Satan and delete. Thanks.

l8r. u know who this is spooks.

Time for an "ATM within an ATM"

[davidwr]

Hmm, maybe instead of reloading ATMs with cash, just have a "module" that is the real ATM that is drop-in-replaced into the "outside box" as needed.

The "outside box" would just handle the user interface and provide additional physical security.

The "module" would be very tamper-resistant. It would be taken to a controlled location to be reloaded. It would also have a time lock on it so it could not be accessed before it unlocked without causing obvious physical damage.

This wouldn't stop ATM thefts but it would make "I got physical access and pressed a switch to make it jackpot"-type attacks much harder if not impossible.

Bonus points if the ATM released a chemical to "ruin" all remaining currency inside if it was moved without some kind of authorization. If it worked, this alone would make attempts to steal the ATM or the "inside module" pretty useless.

Re:slot machines make it hard to open with out set

[dfm3]

Many ATMs are in locations that don't have many eyes watching them for long periods of time. If you want to tinker with an ATM, in theory you could work in the middle of the night and spend minutes or hours without anyone getting suspicious. Sure, you might be on camera, but those are rarely monitored. Try tinkering with a slot machine or exhibiting any other suspicious behavior on a casino floor and employees are likely to notice you within moments and intercept you.

Re:slot machines make it hard to open with out set

[Beat+The+Odds]

slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.

porously designed

Re:slot machines make it hard to open with out set

[subnomine]

Diebold. Not NCR. NCR hasn't been targeted by recent hacks.

I'm sure you wouldn't want someone to confuse your name with someone else's who got endoscoped and dumped his bowels without removing his pants.

Voting machines

[aberglas]

Is that the same Diebold that makes the voting machines?

Ah! But the voting machines are designed to be hackable.

I wonder

[pjbgravely]

Did they use the code 790 to get the cash?

Re:Pro tip from Europe...

[Hognoxious]

Why is it ill-informed? Not all Romanians are card-skimmers and not all card-skimmers are Romanian, but they're still vastly overrepresented in this form of crime relative to their percentage in the population.

OS/2

OS/2: More secure for your ATM, against jackpotting, than Windows XP.

Re:Pro tip from Europe...

[kaatochacha]

Aren't they the lettuce people?

easy money

[sad_]

with my atari profilo!