Slashdot Mirror


First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com)

Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

20 of 101 comments

  1. slot machines make it hard to open with out settin by Joe_Dragon · · Score: 4, Funny

    Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?

  2. But why?? by CrimsonAvenger · · Score: 3, Funny

    So, if I have physical access to the machine, I can install software that lets me loot the machine.

    Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software install.

    I'm failing to see this as a serious new threat to ATMs....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
    1. Re:But why?? by beelsebob · · Score: 3, Informative

      What makes you think you can take money out of the machine without the software install?

      Cracking safes, quickly and quietly with no one noticing is really hard. Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.

    2. Re:But why?? by Baron_Yam · · Score: 3, Insightful

      I imagine you need an 'inside man' - maybe the person who reloads the cash dispenser and unloads the collection bin, but maybe not if the computer hardware is secured in a separate lock box. Anyway, you need somebody with physical access to compromise the machine.

      THEN you go and use the ATM to get cash... but remember you're on camera, and your transactions are logged, right? So what you probably want is the ability to have the machine spit out extra money when you enter a particular code (which hopefully you can do with a camera watching the suspicious activity) during an otherwise perfectly legitimate transaction.

      And you want to time it so you do it immediately after the machine has been reloaded, so you have the maximum possible time before the machine runs out of cash before it should and an investigation starts. And then you want to never hit that ATM again, or your risk of getting caught skyrockets.

      So you need two conspirators and you get one payout that needs to be limited so you don't get caught. You're going to clear a few hundred with a single attempt or maybe have it 'accidentally' slip you an extra bill over many visits. Certainly you're not going to make enough to justify the risks - the inside man is risking their presumably steady legitimate employment in addition to jail.

      So who is doing this and why?

    3. Re:But why?? by Hognoxious · · Score: 2

      Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.

      And so is designing a machine without an externally accessible USB port.

      Just ask Apple.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. Re: Windows XP in ATMs by Anonymous Coward · · Score: 2, Insightful

    You clearly don't have anything useful to contribute to this discussion. The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton. For desktops, a focus on bringing better applications to Linux would do far more to increase market share than bashing Windows. Instead, you come across as petulant and childish.

    The other issue here is the physical access to the hardware, at which point all bets are off in regard to security. This really isn't about Windows, but more likely better limiting the physical access needed to carry out the attacks.

    Grow up.

  4. Re:Windows XP in ATMs by Anonymous Coward · · Score: 3, Informative

    Windows XP is no more childish or retarded than Linux or any other OS. If someone has physical access to a computer it makes no difference what operating system it is running.

  5. Re:Windows XP in ATMs by jellomizer · · Score: 2

    Consumer-level multi-purpose OSes in single-use devices are a bad idea.

    This includes having ATMs running Windows 10, Windows Server 2012, Mac OS X, OS/2, Linux distributions like Ubuntu/Mint...

    Multi-purpose OSes have way too much stuff enabled by default, allowing for possibilities of breaking in.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  6. Deja Vu! by Gravis+Zero · · Score: 2, Informative

    Pro tip from Europe...
    Culprits are Romanians. they are born with a propensity for card crime. they are filthy animals.

    That's super weird, bro because I recently got a similar warning from home.

    Pro tip from Vulcan...
    Culprits are Humans. They are born with a propensity for crime, violence and other illogical behavior. They are filthy animals.

    --
    Anons need not reply. Questions end with a question mark.
  7. Re:Windows XP in ATMs by xxxLCxxx · · Score: 2, Interesting

    He's got a point, nonetheless. You would expect a slim real-time-OS with a minimum of attack surface.
    Windows isn't really 'deterministic'. You can do a lot of things much cleaner with a RTOS.
    The problem here is that most of the big reputable companies don't have any decent programmers. Therefore, you can expect some crappy software at VB level on top of a 'not too reliable' OS.
    A clever 13-year-old computer kid could do a much better job. Marketing - and thus the big blenders in suits - always wins, however. :-(

  8. Re:Pro tip from Europe... by Baron_Yam · · Score: 3, Insightful

    1) You meant to say 'Romani', a distinct ethnic group that isn't actually bound to the nation of Romania.

    2) Still racist. Yep, there's higher crime rates with the Romani, probably because they're not particularly interested as a cultural group in integrating into their larger community. Which may be due to racists like you, who discriminate against them and remove the opportunity from many of those who would integrate if they could. Chicken and egg.

    3) People who describe other people as 'filthy animals' are rarely the best of humanity. You're dehumanizing others as a justification for treating them like shit. Aren't you a wonderful person?

  9. Re:Proof that full stack Rust is needed by wed128 · · Score: 2

    People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around. If Rust is so much better, start fundraising for a startup! I'm sure you'll be rich in no time.

  10. Re:slot machines make it hard to open with out set by jittles · · Score: 3, Interesting

    Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?

    The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.

  11. Re:Proof that full stack Rust is needed by Cro+Magnon · · Score: 2

    People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around.

    Maybe if there was, we wouldn't have so many exploits. :p

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  12. Re:chase bank has ADT/tyco key pads inside them by Anonymous Coward · · Score: 2, Informative

    chase bank has ADT/tyco key pads inside them so you need to disarm that when you open them.

    The sketchy looking ATMs in stores are the primary target. The criminals can get their hands on them and fuzz them all day to develop the attack.

  13. Re: Windows XP in ATMs by MightyYar · · Score: 4, Interesting

    Yeah, we used Windows Embedded for years in an industrial product. There were two drivers. The first was that a well-tested library that we needed was most commonly used in Windows. The vendor was willing to build for Linux, but we would be the first users and didn't like the risk. The second driver was, believe it or not, USB thumbdrive support. At the end of the 90s, floppies were too small, so we transitioned to superdrives (compatible with floppies, but capacity was up to 120MB). Only one vendor made these drives, though, and soon they were end of life. The only good alternative was to support thumbdrives. But Linux back then was very hit-or-miss for thumbdrive support. Windows worked with nearly everything our customers threw into it.

    Ironically (or not), the USB support is where we've had virus problems with Windows Embedded.

    Linux USB support is now just fine, so we've transitioned to Linux. But Windows Embedded was fine - it let you only install the services you needed, so the vulnerability profile was much smaller than "kitchen sink" Windows.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  14. Re:slot machines make it hard to open with out set by CodeHog · · Score: 2

    Link? Replacing an HD is as simple a process as pushing a reset button. The latter might be possible without opening but disconnecting and reconnecting an HD without getting your hands dirty sounds near impossible.

    --
    Fat, drunk, and stupid is no way to go through life, son.
  15. Re: Windows XP in ATMs by webnut77 · · Score: 4, Funny

    Linux users bashing Windows...

    Wait. I thought it was Microsoft that bashed Windows with Ubuntu.

  16. Re:Windows XP in ATMs by xxxLCxxx · · Score: 2

    That was probably the status 20 years ago.
    Check this out: From Qt 5.9 onwards, the Green Hills Software INTEGRITY Real-Time Operating System (RTOS) is a supported platform.
    The Green Hills INTEGRITY Real-Time Operating System (RTOS) is widely used in safety- and security-critical systems.

    This means you got a lib with Unicode, left to right, upside down writing, i18n as simple as breaking the egg and layout management. All the elements fall in place automatically, regardless of screen size and you can have the font adapting to the given DPI. It's all there - even Qt!
    You don't really want a multi-user, multi-processing system for something like that. It can all cause unnecessary problems. It's straight down the line programming here: Input -> Action -> Output.

  17. Re:slot machines make it hard to open with out set by lgw · · Score: 2

    Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?

    The security in an ATM is mostly focused on protecting the cash box from physical attack, and from the maintenance tech. ATMs thus have two layers of security: something simple to allow maintenance of the "computer parts" of the ATM to be done cheaply, plus a much more robust inner layer to protect the cash from anyone but the guards from the armored car company. It's just old-school thinking about security.

    It's also worth noting that there are still people who can open a slot machine, replace the ROM chip or whatever, and close the machine up again in a handful of seconds, before the alarm sounds. Sure, it's easier to update the FW on an ATM than a slot machine, but that only somewhat increases the time the attacker has before someone notices.

    --
    Socialism: a lie told by totalitarians and believed by fools.