First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com)
Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.
To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.
He's got a point, nonetheless. You would expect a slim real-time-OS with a minimum of attack surface. :-(
Windows isn't really 'deterministic'. You can do a lot of things much cleaner with a RTOS.
The problem here is that most of the big reputable companies don't have any decent programmers. Therefore, you can expect some crappy software at VB level on top of a 'not too reliable' OS.
A clever 13-year-old computer kid could do a much better job. Marketing - and thus the big blenders in suits - always wins, however.
The OP's point is still invalid. I agree that you want a slim OS with a reduced attack surface for that purpose. There are versions of Linux for exactly that purpose. And there's also a version of Windows for that purpose, now called Windows IoT, formerly Windows Embedded. Those ATMs probably aren't running consumer versions of Windows XP, but Windows XP Embedded. If they pay Microsoft for extended support beyond the EOL for XP, and continue to apply updates, the OS may not be that big of a problem. The issue here is mainly physical access to the system.
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.
Yeah, we used Windows Embedded for years in an industrial product. There were two drivers. The first was that a well-tested library that we needed was most commonly used in Windows. The vendor was willing to build for Linux, but we would be the first users and didn't like the risk. The second driver was, believe it or not, USB thumbdrive support. At the end of the 90s, floppies were too small, so we transitioned to superdrives (compatible with floppies, but capacity was up to 120MB). Only one vendor made these drives, though, and soon they were end of life. The only good alternative was to support thumbdrives. But Linux back then was very hit-or-miss for thumbdrive support. Windows worked with nearly everything our customers threw into it.
Ironically (or not), the USB support is where we've had virus problems with Windows Embedded.
Linux USB support is now just fine, so we've transitioned to Linux. But Windows Embedded was fine - it let you only install the services you needed, so the vulnerability profile was much smaller than "kitchen sink" Windows.