First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com)
Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.
To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.
Chase Bank has ADT/Tyco keypads inside them, so you need to disarm that when you open them.
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
So, if I have physical access to the machine, I can install software that lets me loot the machine.
Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software install.
I'm failing to see this as a serious new threat to ATMs....
"I do not agree with what you say, but I will defend to the death your right to say it"
You clearly don't have anything useful to contribute to this discussion. The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton. For desktops, a focus on bringing better applications to Linux would do far more to increase market share than bashing Windows. Instead, you come across as petulant and childish.
The other issue here is the physical access to the hardware, at which point all bets are off in regard to security. This really isn't about Windows, but more likely better limiting the physical access needed to carry out the attacks.
Grow up.
Windows XP is no more childish or retarded than Linux or any other OS. If someone has physical access to a computer it makes no difference what operating system it is running.
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
They don't. I suspect that a lot of these attacks are inside jobs.
Consumer-level multi-purpose OSes in single-use devices are a bad idea.
This includes having ATMs running Windows 10, Windows Server 2012, Mac OS X, OS/2, Linux distributions like Ubuntu/Mint...
The multi-purpose OSes have way too much stuff enabled by default, allowing for possibilities of breaking in.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Pro tip from Europe...
Culprits are Romanians. They are born with a propensity for card crime. They are filthy animals.
That's super weird, bro, because I recently got a similar warning from home.
Pro tip from Vulcan...
Culprits are Humans. They are born with a propensity for crime, violence and other illogical behavior. They are filthy animals.
Anons need not reply. Questions end with a question mark.
He's got a point, nonetheless. You would expect a slim real-time OS with a minimum of attack surface. :-(
Windows isn't really 'deterministic'. You can do a lot of things much cleaner with a RTOS.
The problem here is that most of the big reputable companies don't have any decent programmers. Therefore, you can expect some crappy software at VB level on top of a 'not too reliable' OS.
A clever 13-year old computer kid could do a much better job. Marketing - and thus the big blenders in suits - always wins, however.
1) You meant to say 'Romani', a distinct ethnic group that isn't actually bound to the nation of Romania.
2) Still racist. Yep, there's higher crime rates with the Romani, probably because they're not particularly interested as a cultural group in integrating into their larger community. Which may be due to racists like you, who discriminate against them and remove the opportunity from many of those who would integrate if they could. Chicken and egg.
3) People who describe other people as 'filthy animals' are rarely the best of humanity. You're dehumanizing others as a justification for treating them like shit. Aren't you a wonderful person?
People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around. If Rust is so much better, start fundraising for a startup! I'm sure you'll be rich in no time.
...at least in Europe and in the US thieves are sophisticated enough to hack the ATMs. In my country, they explode them. It's a security nightmare in smaller towns with insufficient police forces.
The OP's point is still invalid. I agree that you want a slim OS with a reduced attack surface for that purpose. There are versions of Linux for exactly that purpose. And there's also a version of Windows for that purpose, now called Windows IoT, formerly Windows Embedded. Those ATMs probably aren't running consumer versions of Windows XP, but Windows XP Embedded. If they pay Microsoft for extended support beyond the EOL for XP, and continue to apply updates, the OS may not be that big of a problem. The issue here is mainly physical access to the system.
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.
People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around.
Maybe if there was, we wouldn't have so many exploits. :p
Yeah, we used Windows Embedded for years in an industrial product. There were two drivers. The first was a well-tested library that we needed, which was most commonly used on Windows. The vendor was willing to build for Linux, but we would be the first users and didn't like the risk. The second driver was, believe it or not, USB thumbdrive support. At the end of the 90s, floppies were too small, so we transitioned to superdrives (compatible with floppies, but capacity was up to 120MB). Only one vendor made these drives, though, and soon they were end of life. The only good alternative was to support thumbdrives. But Linux back then was very hit-or-miss for thumbdrive support. Windows worked with nearly everything our customers threw into it.
Ironically (or not), the USB support is where we've had virus problems with Windows Embedded.
Linux USB support is now just fine, so we've transitioned to Linux. But Windows Embedded was fine - it let you only install the services you needed, so the vulnerability profile was much smaller than "kitchen sink" Windows.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Link? Replacing an HD is as simple a process as pushing a reset button. The latter might be possible without opening but disconnecting and reconnecting an HD without getting your hands dirty sounds near impossible.
Fat, drunk, and stupid is no way to go through life, son.
Don't think he did.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Linux users bashing Windows...
Wait. I thought it was Microsoft that bashed Windows with Ubuntu.
Yes, there's no argument you can do a lot of things much cleaner with a bare-bones RTOS.
Then a few years pass and your boss needs to:
Then your bare-bones RTOS isn't looking so hot. Who knows what shit-tastic GUI library or HID parsing they wrote for it. Meanwhile your boss's boss's boss is wondering why the hell we can't update these things like everyone else can and the security folks are clamoring to get chip & PIN working while you are staring down who-knows-how-they-built-it pile of WTF.
I mean, stop for a second and think, there are reasons that we don't just hire 13 year old computer whiz kids to implement everything in their favorite obscure OS. Business requirements are a real thing, and they are a moving target.
Of course, Embedded Linux is a perfectly good choice for an OS. Still need libraries/frameworks for GUI, Audio, HID and peripherals. And then figure out how you are going to take kernel security updates without breaking ALSA/PulseAudio, or else pay RH to do it for you. By the time you are done it's not going to be "slim" and it definitely won't be a bare-bones RTOS.
Bunch of pussies. In the UK, they dig the damn thing out with a backhoe http://www.bbc.co.uk/news/av/u...
LOL.. Here in the US they just chain them to the back of a stolen 4W Drive SUV or large pickup truck and yank them out through the front of the store. So the backhoe thing seems a bit slow to me. Who needs a backhoe and 10 min when you have a 5,000 LB SUV and a logging chain?
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Then your bare-bones RTOS isn't looking so hot. Who knows what shit-tastic GUI library or HID parsing they wrote for it. Meanwhile your boss's boss's boss is wondering why the hell we can't update these things
These are not OS issues. If the company building the ATM can't afford to pay for decent SDK libraries for their chosen OS, then you have to write them from scratch, but don't blame the RTOS for that.
Why is this modded down?
I'm running XP at the house and still get security updates because, via registry hack, the computers think they are ATMs or POS.
The hack, as reported by ZDNet, fools Microsoft into thinking the system is running Windows Embedded POSReady 2009, a variant of XP that's used by ATMs and cash registers. Those systems will keep getting security updates until 2019.
Lots of ATMs still run XP.
95% of bank ATMs face end of security support (2014).
It little behooves the best of us to comment on the rest of us.
That was probably the status 20 years ago.
Check this out: From Qt 5.9 onwards, the Green Hills Software INTEGRITY Real-Time Operating System (RTOS) is a supported platform.
The Green Hills INTEGRITY Real-Time Operating System (RTOS) is widely used in safety- and security-critical systems.
This means you got a lib with Unicode, left to right, upside down writing, i18n as simple as breaking the egg and layout management. All the elements fall in place automatically, regardless of screen size and you can have the font adapting to the given DPI. It's all there - even Qt!
You don't really want a multi-user, multi-processing system for something like that. It can all cause unnecessary problems. It's straight down the line programming here: Input -> Action -> Output.
This could easily be Windows XP Embedded. It's not even EOL yet.
Ideally, an ATM should be running a secure, embedded OS. Not "secure" as in a mainstream OS, but secure as in an OS designed from the ground up, like QNX, Tock, Wind River, INTEGRITY, or similar. A desktop OS is not needed, because an ATM doesn't need much of the functionality (and attack surface) a general purpose OS provides, other than being able to drive a graphical touch screen so the designers can have their spring/fall fashions. There are secure hypervisor OSes out there, which is useful since this allows the ATM's OS to be in a single OS image, so updates are as easy as having an image's signature validated, the image copied, the old image saved as a backup, the hypervisor shutting down the old OS, and the new OS started. During the startup process, the image's signature is validated, so if it does get replaced by something off a USB flash drive, the hypervisor will just throw an error code and tell the owner to call for service, or if the machine is always on the Internet, perhaps go and fetch the latest copy of the OS from the server, copy that in, validate and run from there.
Defense in depth can be done, and done relatively cheaply. Game consoles are a good example of this, where the latest Xbox One and PS4 have been out for a number of years without a single significant break. It is just spending a little bit of cash to do it "right", rather than just grab a desktop OS and do the job cheaply.
A key item both of you left out was patents. Patents are why Linux ATMs are like Sasquatch. Sure, you could put together a RTOS to run your ATM hardware but you won't be able to interface with any ATM processor until your hardware appears as an established ATM terminal type or you pay a lot of money to each ATM processor to accept your new terminal type. Most ATM manufacturers choose the established ATM terminal type path, pay the licensing fee, and are then provided Windows API files.
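The signed-image update and boot sequence described in the post above (validate the signature, keep the old image as a backup, swap, and re-validate at every boot so a swapped-in image is refused), written out as an added example. This is not code from the post's author or from any ATM vendor; it assumes a vendor Ed25519 public key pinned in the hypervisor, a detached signature over the SHA-256 of the image, and in-memory "slots" standing in for the two image partitions, with the device and image names constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Slot holds one OS image together with its detached signature.
// The hypervisor keeps two: the active image and the previous (backup) one.
type Slot struct {
	Image []byte
	Sig   []byte
}

// ErrBadSignature is returned when an image fails verification against the
// vendor public key pinned in the hypervisor.
var ErrBadSignature = errors.New("image signature invalid")

// verifyImage checks the detached Ed25519 signature over SHA-256(image).
// Hashing first keeps the signed message fixed-size regardless of image size.
func verifyImage(pub ed25519.PublicKey, s Slot) error {
	if len(s.Sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(s.Image)
	if !ed25519.Verify(pub, digest[:], s.Sig) {
		return ErrBadSignature
	}
	return nil
}

// signImage is the vendor-side step (hypothetical build server): sign SHA-256(image).
func signImage(priv ed25519.PrivateKey, image []byte) Slot {
	digest := sha256.Sum256(image)
	return Slot{Image: image, Sig: ed25519.Sign(priv, digest[:])}
}

// Device models the hypervisor's view: a pinned public key, the active slot
// and a backup slot (constructed stand-ins for the two image partitions).
type Device struct {
	Pub    ed25519.PublicKey
	Active Slot
	Backup Slot
}

// ApplyUpdate implements the update sequence: verify the candidate, keep the
// old image as backup, then swap. A bad candidate is rejected before any
// state changes, so an unsigned image from a USB stick leaves the device as is.
func (d *Device) ApplyUpdate(candidate Slot) error {
	if err := verifyImage(d.Pub, candidate); err != nil {
		return fmt.Errorf("update rejected: %w", err)
	}
	d.Backup = d.Active
	d.Active = candidate
	return nil
}

// BootAction is what the hypervisor decides at power-on.
type BootAction string

const (
	BootActive  BootAction = "boot active image"
	BootBackup  BootAction = "active image invalid, booting backup"
	CallService BootAction = "no valid image, call for service"
)

// Boot re-validates the active image at every start, so a replaced disk or a
// tampered image is refused even if it was accepted (or never checked) before.
func (d *Device) Boot() BootAction {
	if verifyImage(d.Pub, d.Active) == nil {
		return BootActive
	}
	if verifyImage(d.Pub, d.Backup) == nil {
		return BootBackup
	}
	return CallService
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{Pub: pub, Active: signImage(priv, []byte("os-image-v1"))}
	fmt.Println(dev.ApplyUpdate(signImage(priv, []byte("os-image-v2"))), dev.Boot())
	// Unsigned "update" from a USB stick: rejected, state unchanged.
	fmt.Println(dev.ApplyUpdate(Slot{Image: []byte("attacker-image")}))
	// Active image tampered with on disk: boot falls back to the backup.
	dev.Active.Image = []byte("tampered")
	fmt.Println(dev.Boot())
}
```

The private key lives only on the vendor's build side; the device holds the public key, so nothing an attacker can read off the machine lets them sign a replacement image. Signing the digest rather than the raw image is a convenience for large images, not a security requirement.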
The multi-purpose OSes have way too much stuff enabled by default, allowing for possibilities of breaking in.
You're talking out of your ass. None of the jackpotting attacks have anything to do with the OS.
The normal attack involves updating the firmware on the machine via a USB port, which is protected only by a key that is common across many ATMs. The attacker gets the key, opens the service panel on the ATM, and inserts the USB drive containing the new (unsigned) firmware. At no point is the OS involved.
Many ATMs are also vulnerable to remote attack - they are typically on dial-up for remote maintenance: guess the phone number of the ATM and you have only flimsy security to overcome (e.g., hard-coded common password) to update the FW remotely. Again, nothing to do with the OS.
The attack surface of an ATM has nothing to do with the attack surface of a server on the internet.
Socialism: a lie told by totalitarians and believed by fools.
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The security in an ATM is mostly focused on protecting the cash box from physical attack, and from the maintenance tech. ATMs thus have two layers of security: something simple to allow maintenance of the "computer parts" of the ATM to be done cheaply, plus a much more robust inner layer to protect the cash from anyone but the guards from the armored car company. It's just old-school thinking about security.
It's also worth noting that there are still people who can open a slot machine, replace the ROM chip or whatever, and close the machine up again in a handful of seconds, before the alarm sounds. Sure, it's easier to update the FW on an ATM than a slot machine, but that only somewhat increases the time the attacker has before someone notices.
Socialism: a lie told by totalitarians and believed by fools.
Interesting. Though it's difficult to weigh the relative prejudice of calling one group vs. another 'filthy animals', there's at least more diversity among Romanians overall making it even more ill-informed to choose them. And there's less pre-existing prejudice against them making it more difficult to understand (not forgive) as a product of upbringing.
Ada sucked balls. It required 2 to 3 times the lines of code to match C. It was very inefficient.
Ada was "C for a life-safety domain". It really wasn't any more code than you'd need to do C right for that domain, and it regularized a bunch of stuff to make it easier to review. E.g., when you declared an int you'd declare the legal range of values for that int. Assuming the int was an array index, this neatly solved all the bounds-checking problems in a way that made it obvious what to review. Everything in the language is like that. Sure, it's a real pain in the ass, but that was going to be true however you did it. Don't like it, don't write ABS controllers or avionics.
Of course, using Ada outside of that domain, as some sort of general-purpose language, would have been nuts.
Socialism: a lie told by totalitarians and believed by fools.
Culprits are Romanians.... they are filthy animals.
Found the Bulgarian.
Socialism: a lie told by totalitarians and believed by fools.
Hmm, maybe instead of reloading ATMs with cash, just have a "module" that is the real ATM that is drop-in-replaced into the "outside box" as needed.
The "outside box" would just handle the user interface and provide additional physical security.
The "module" would be very tamper-resistant. It would be taken to a controlled location to be reloaded. It would also have a time lock on it so it could not be accessed before it unlocked without causing obvious physical damage.
This wouldn't stop ATM thefts but it would make "I got physical access and pressed a switch to make it jackpot"-type attacks much harder if not impossible.
Bonus points if the ATM released a chemical to "ruin" all remaining currency inside if it was moved without some kind of authorization. If it worked, this alone would make attempts to steal the ATM or the "inside module" pretty useless.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Many ATMs are in locations that don't have many eyes watching them for long periods of time. If you want to tinker with an ATM, in theory you could work in the middle of the night and spend minutes or hours without anyone getting suspicious. Sure, you might be on camera, but those are rarely monitored. Try tinkering with a slot machine or exhibiting any other suspicious behavior on a casino floor and employees are likely to notice you within moments and intercept you.
Using a backhoe is old school now. Real criminals just insert a tube, squirt some gas inside and then literally blow the ATM up. Gets you instant access to the cash, and it happens too fast for the dye to make the bank note unusable.
The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton.
Are you implying that Hillary Clinton is old and unmaintained? :-)
It must have been something you assimilated. . . .
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.
porously designed
Diebold. Not NCR. NCR hasn't been targeted by recent hacks.
I'm sure you wouldn't want someone to confuse your name with someone else's who got endoscoped and dumped his bowels without removing his pants.
Is that the same Diebold that makes the voting machines?
Ah! But the voting machines are designed to be hackable.
Did they use the code 790 to get the cash?
Star Trek, there may be hope.
Why is it ill-informed? Not all Romanians are card-skimmers and not all card-skimmers are Romanian, but they're still vastly overrepresented in this form of crime relative to their percentage in the population.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Aren't they the lettuce people?
with my Atari Portfolio!
On a long enough timeline, the survival rate for everyone drops to zero.