
USB Sticks Used In Robbery of ATMs

samzenpus posted about 9 months ago | from the crime-on-a-stick dept.

Crime 252

First time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12 digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."


That's what you get (5, Insightful)

fisted (2295862) | about 9 months ago | (#45820187)

That's what you get from running Windows on ATMs, lol.

Re:That's what you get (5, Funny)

Anonymous Coward | about 9 months ago | (#45820225)

Mod parent up! Linux machines are impenetrable, even if an expert has physical access. This is why Torvalds gets so aggressive: he keeps locking himself out of his testing machines and has to buy new ones.

Re:That's what you get (4, Insightful)

fisted (2295862) | about 9 months ago | (#45820265)

I don't know any Linux or unix machine which would be compromised merely by plugging a memory stick. Hint, hint: autorun.
Furthermore, you presumably wouldn't get administrative access.

Re:That's what you get (-1, Troll)

Anonymous Coward | about 9 months ago | (#45820309)

That's ok, you probably don't know every design or implementation available for ATMs, so your lack of knowledge of this specific model's parameters is perfectly normal.

The fact is, administrative access is sometimes necessary for systems, and having a way to do it? Perfectly normal. What do you think, they never need to control their system in any way that isn't done by resoldering an eeprom?

Re:That's what you get (4, Insightful)

TWX (665546) | about 9 months ago | (#45820633)

I think that it's stupid to allow the USB port to do anything more than provide a Human Interface Device level of access to the OS unless credentials are entered in to the machine to enable those features.

Or, in layman's terms, AT BEST the USB port should only work for a keyboard interface as a prompt for a password until the operator is authenticated.

It's CRIMINALLY STUPID for the USB port to provide any other kind of access by default. It should not give the OS kernel access to media plugged into it. It should CERTAINLY not automatically engage media plugged into it to read it. Arguably, it shouldn't do ANYTHING even with a keyboard plugged in until the technician servicing the machine has otherwise entered passwords, like on an internal keypad.

Re:That's what you get (2)

Archangel Michael (180766) | about 9 months ago | (#45820901)

With properly managed devices, USB is disabled. This is an option, even in windows. And it is even an option at the BIOS/UEFI level on some systems. However, I wonder why they aren't using some sort of VDI for protecting the ATMs. This would prevent any direct access to the hardware running windows.

Quack! (1)

freeze128 (544774) | about 9 months ago | (#45820929)

Even HID-Only access isn't going to save you. See the USB rubber ducky.

http://hakshop.myshopify.com/products/usb-rubber-ducky

Re:That's what you get (1)

TangoMargarine (1617195) | about 9 months ago | (#45820643)

Yeah, but you don't have to give it up to the first male USB connector that comes by.

Re:That's what you get (1, Insightful)

Anonymous Coward | about 9 months ago | (#45820773)

most bank of america atms use windows, this is due to some worm virus that shut them down,

if they cared they would use linux, which many gambling machines use

Re:That's what you get (1)

DaHat (247651) | about 9 months ago | (#45820385)

Yes, because it's impossible to configure Linux to auto-mount all new devices, check for the presence of a specifically named file and execute commands within.

Re:That's what you get (0)

Anonymous Coward | about 9 months ago | (#45820525)

I suppose that's a "feature", but Linux sure seemed primitive to me a few years ago when I discovered what an ordeal it was to read a floppy disk: with Windows, you just put it into the drive and it worked. I assume the same ordeal holds true today for USB sticks on Linux. (Ever wonder why "The Year of the Linux Desktop" always seems to be in the future, Linus?...)

(posting as AC due to non-orthodox opinion favoring Windows over Linux.)

Re:That's what you get (2)

jeffmeden (135043) | about 9 months ago | (#45820615)

I suppose that's a "feature", but Linux sure seemed primitive to me a few years ago when I discovered what an ordeal it was to read a floppy disk: with Windows, you just put it into the drive and it worked. I assume the same ordeal holds true today for USB sticks on Linux. (Ever wonder why "The Year of the Linux Desktop" always seems to be in the future, Linus?...)

(posting as AC due to non-orthodox opinion favoring Windows over Linux.)

Go ahead and take your head out of your ass, and re-read his comment: "Yes, because it's impossible to configure Linux to auto-mount all new devices, check for the presence of a specifically named file and execute commands within."

Emphasis mine. Linux can easily auto-mount thumb drives. Many distros have it enabled out of the box. What you won't find is any that scans the drive for things to run and then does so, with elevated privileges (something present in many recent versions of windows). Having an easy way for an attacker to steal/destroy all the data on a machine might seem like a "Feature" but it sure seems primitive... (if you need examples, confirmed attacks via unwitting use of an infected USB key on windows systems are plentiful.)

Floppy disk? (0)

Anonymous Coward | about 9 months ago | (#45820621)

You're taking a decade-ago experience with a floppy disk and guessing that the same problem applies today to a USB stick?

Here's a tip: Linux has thousands of new features since the time you last glanced at it. Including detection of whenever a USB stick is inserted, and it's easy as anything to click on the little USB icon and look at the file manager and do whatever you want.

Re:That's what you get (1)

MBGMorden (803437) | about 9 months ago | (#45820637)

I suppose that's a "feature", but Linux sure seemed primitive to me a few years ago when I discovered what an ordeal it was to read a floppy disk: with Windows, you just put it into the drive and it worked. I assume the same ordeal holds true today for USB sticks on Linux. (Ever wonder why "The Year of the Linux Desktop" always seems to be in the future, Linus?

Um - I plug a USB stick into my Linux computer and an icon pops up on the desktop named "USB Drive" (or whatever name it has) that I can double click and do whatever I need.

I'm guessing that if you were actually trying to read an honest to goodness floppy disk it was more than a "few years ago". Linux has come a long way. The "year of Linux on the desktop" was 5 years ago for me.

Of course my parents called me to come look at their (Windows) computer a while back because it wasn't acting quite right, and I was reminded of the headache of spyware and malware. I had forgotten such things existed while using Linux.

Re:That's what you get (2)

TangoMargarine (1617195) | about 9 months ago | (#45820687)

I'm pretty sure Ubuntu (and derivatives) have had the "auto detect plugged USB, put icon on desktop, double-click to mount" practically since I started futzing with it back in 2007...and if you're going to say "Year of the Linux Desktop," you pretty much mean Ubuntu.

QED.

And even Windows machines don't generally have floppy drives anymore, right?

Re:That's what you get (2)

mlts (1038732) | about 9 months ago | (#45820889)

CentOS will automount removable flash drives under the /media directory. Similar with optical media. One can disable this so media will need manually mounted to be used. It won't run or execute anything on the drives though... just mount it and have it usable for the user.

Re:That's what you get (1)

Anonymous Coward | about 9 months ago | (#45820541)

not impossible to do stupid thing X on OS Y != very hard to get OS W not to do stupid thing X

Re:That's what you get (1)

fisted (2295862) | about 9 months ago | (#45820663)

Sure, but then, you wouldn't do that on an ATM. Much like you apparently wouldn't bother to disable autoplay for Windows based ATMs...

Re:That's what you get (1)

ericloewe (2129490) | about 9 months ago | (#45820459)

Same autorun that is now disabled by default and was always trivially disabled?

Re:That's what you get (1)

robmv (855035) | about 9 months ago | (#45820523)

It is probably a fake keyboard and mouse device, many of those ATMs run their applications with administrator privileges, so anything can be run with that kind of device

Re:That's what you get (1)

Joce640k (829181) | about 9 months ago | (#45820613)

You know how I know you didn't read the article?

Hint: It runs a file called "hack.bat"

Re:That's what you get (4, Informative)

cusco (717999) | about 9 months ago | (#45820503)

I'd be very surprised if the "alternative interface" isn't installed by rebooting the machine off the USB stick. The Diebold voting machines were configured to preferably boot off a USB, and Diebold is still the largest manufacturer of ATMs in the US.

Re:That's what you get (3, Informative)

TWX (665546) | about 9 months ago | (#45820677)

You mean, the trick I use on the computers I support, by password-protecting the BIOSes and restricting boot to the fixed disk only, a trick that I've used for about twenty years, was ignored on commercial-grade equipment that's responsible for the basic security of our form of government and of our financial system?

Say it ain't so...

Re:That's what you get (3, Interesting)

cusco (717999) | about 9 months ago | (#45820875)

You should read up on what a security nightmare the voting machines are, it's appalling. Doesn't help that there are a dozen or more manufacturers, all of them being sold on the basis of friendly back slaps with local politicians rather than actual analysis of the hardware and software (which is always closed source). Testing procedures are a joke, by design, and even systems that fail testing get sold on the promise of an update in future firmware versions. Don't overlook punch card counters either, they put out by far the largest deviations from exit polls of any of the machines.

Re:That's what you get (3, Interesting)

Nkwe (604125) | about 9 months ago | (#45820515)

I don't know any Linux or unix machine which would be compromised merely by plugging a memory stick. Hint, hint: autorun. Furthermore, you presumably wouldn't get administrative access.

It doesn't require autorun. A usb device that emulates a keyboard or other input device would do the trick. Send the keystrokes necessary to break in. Think Linux is immune? How about the keystrokes necessary to reboot the machine and start up in single user mode? Even if single user mode has been protected, the usb device could provide both keyboard emulation and cdrom emulation -- during reboot the hack could boot to alternate media. The real fail is a design that allows access to the hardware (physical access is full access) and not the choice of operating system.

Re:That's what you get (3, Interesting)

Penguinisto (415985) | about 9 months ago | (#45820947)

Err, not really. If we're building a *nix ATM, then you can fix it in one go: If the USB port requires elevated privs just to mount/use anything plugged into it (say, a long numbered sequence entered from the ATM keypad, unique to that machine, that would translate to a variation of "sudo /bin/mount"), the whole USB stick trick falls flat.

Not sure if there would even be a feasible analog for that in embedded XP/CE/WE

Re:That's what you get (0)

Anonymous Coward | about 9 months ago | (#45820691)

I don't know any Linux or unix machine which would be compromised merely by plugging a memory stick. Hint, hint: autorun.
Furthermore, you presumably wouldn't get administrative access.

I hear you can plug keyboards in through USB now.

Re:That's what you get (1)

AK Marc (707885) | about 9 months ago | (#45820735)

So it's impossible to set up a Linux system to mount a USB stick and run a specific file, if present? Sounds like a lame OS.

Based on the limited information, it looks like it was set up as a recovery/maintenance feature that required physical security, and physical security was compromised. Sure, for "security" you could program all ATMs to self destruct on any OS halt, but I'm not sure that would be in the best financial interests of the owning company.

Re:That's what you get (0)

Anonymous Coward | about 9 months ago | (#45820787)

Have a look at BadBIOS http://blog.erratasec.com/2013/10/badbios-features-explained.html [erratasec.com] , which infects BIOS by merely inserting a reprogrammed USB flash drive. It works on OS X, which is a certified Unix. And to know how easy it is to reprogram the firmware of a managed flash (SD card, USB flash drives), check this post from few days ago http://www.bunniestudios.com/blog/?p=3554 [bunniestudios.com]

Re:That's what you get (0)

Anonymous Coward | about 9 months ago | (#45820411)

"However, they added that the approach did not extend to the software's filenames - the key one was called hack.bat."

wake me up when it's called hack.sh

Re:That's what you get (5, Insightful)

Spy Handler (822350) | about 9 months ago | (#45820291)

no, this is what you get when you put a USB port on a frigging ATM. Whose bright idea was that anyways?

Re:That's what you get (4, Insightful)

wvmarle (1070040) | about 9 months ago | (#45820357)

Making it easy to install upgrades? Or to connect say, a proper keyboard, to do maintenance?

USB stick is better than over network as physical access is needed. And in this case, they indeed had to physically break the ATM to gain access to this USB port.

Re:That's what you get (1)

camperdave (969942) | about 9 months ago | (#45820493)

Color me puzzled, but if you have already physically broken into the ATM to gain access to the USB port, why not just grab the cash instead?

Re:That's what you get (4, Informative)

BosstonesOwn (794949) | about 9 months ago | (#45820529)

Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

Re:That's what you get (5, Insightful)

jeffmeden (135043) | about 9 months ago | (#45820665)

Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

All of the flames about windows vs linux are a red herring. This is the real design flaw. Any design that assumes the USB interface to the software is not just as important to protect as the cash itself completely ignores why they would ever put the USB port on there in the first place (to make material changes to the ATM software).

Re:That's what you get (2)

bickerdyke (670000) | about 9 months ago | (#45820775)

Which really begs the question which idiot designed the machine with a USB port for updates and NOT protecting it properly!

Re:That's what you get (1)

wvmarle (1070040) | about 9 months ago | (#45820919)

That'd mean a lot more destruction to the ATM, and as a result instant detection of the crime. Instead of days or weeks later when the number of notes in the machine was compared with the ledger (no idea how frequently that's done).

touch screen and other parts are USB. new SLOT MAC (1)

Joe_Dragon (2206452) | about 9 months ago | (#45820373)

Well the touch screen, printer and maybe even the link to the cash system may be USB.

Even new SLOT MACHINES use USB and the Incredible Technologies games are ALL USB and load code from USB drives.

Re:That's what you get (5, Insightful)

asmkm22 (1902712) | about 9 months ago | (#45820405)

The USB port is pretty well hidden and secure, which is why the article points out the fact that the thieves appear to be familiar with the machines enough to know where and how to best break that part open. Even the best of security measures won't hold up against an inside job.

Re:That's what you get (3, Interesting)

ericloewe (2129490) | about 9 months ago | (#45820497)

ATMs generally run on commodity hardware and a commodity OS (most I've seen are Windows NT 4.0 and newer).

Re:That's what you get (1)

cr_nucleus (518205) | about 9 months ago | (#45820911)

Not directly related but that reminds me of the time I saw an EJB error displayed on a credit card terminal :-)

Re:That's what you get (0)

Anonymous Coward | about 9 months ago | (#45820551)

that is like saying "this is what you get when you put currency inside."

Well, yeah. but the machine is supposed to withstand physical assault. the USB interface that was locked away inside is no different from the cash that was locked away inside: secure unless you break in that far.

Re:That's what you get (3, Interesting)

dugancent (2616577) | about 9 months ago | (#45820299)

My bank still uses os/2 on their ATMs.

Re:That's what you get (1)

The Grim Reefer (1162755) | about 9 months ago | (#45820417)

My bank still uses os/2 on their ATMs.

Do they also wear "Team OS/2" t-shirts?

Re:That's what you get (1)

Anonymous Coward | about 9 months ago | (#45820795)

I know one bank in the UK that ran Windows XP ATMs a few years ago, as indicated by the boot sequence after I got a Microsoft C++ runtime error, caused by entering an amount it could not deliver using the available note denominations.

It would not give my card back until I pressed [OK], which was not possible with the physical buttons I had available.
The bank did not open for more than an hour, and it took another hour for someone to arrive who knew how/where to power-cycle the ATM.

A USB port where I could plug in a mouse would have been very helpful :-)

Re:That's what you get (1)

mlts (1038732) | about 9 months ago | (#45820941)

eCS/2 (eComStation, the company that is maintaining OS/2) still is used in some ATMs. If the OS works, is well maintained, and has earned its bones, why change? ATMs have not changed much in 10-20 years, other than maybe display a news blurb or the daily weather on the demo screens. Might as well keep with what works.

Re:That's what you get (5, Informative)

lgw (121541) | about 9 months ago | (#45820443)

That's what you get from running Windows on ATMs, lol.

No, it really isn't. I've seen this demo'd at a security conference, and the OS has nothing at all to do with the attack. ATMs have a USB port which can be used to replace the firmware. The port is behind a simple lock, not in the vault with the money.

This attack replaces the OS on the ATM with the image the attacker provides. What the OS was before the attack really isn't all that relevant. The fact that images aren't signed or anything is.

Re:That's what you get (1)

mlts (1038732) | about 9 months ago | (#45820959)

The ironic thing is that even the cheapest, no-name Android phone has better protection than ATMs against this avenue of attack, assuming a bootloader with a signing process.

Re:That's what you get (1)

Anonymous Coward | about 9 months ago | (#45820477)

Uh, no... most run OS2 Warp... plus, in order to do this with most ATMs, you would have to crack the safe to get to the actual computer. This probably refers to the little cheesy ATMs at most gas stations. Their computers are in the upper part, and NOT behind the same safe that protects the money. ...yes, I used to be an ATM tech...

Re:That's what you get (1)

Skiron (735617) | about 9 months ago | (#45820767)

Yes, and I have seen many a BSOD on a few in my time - and once one that had dropped to the desktop with a message (and mouse cursor) 'Reboot Now? [Ok] [Cancel]'. Bloody joke whoever put MS stuff on them.

Re:That's what you get (4, Funny)

durrr (1316311) | about 9 months ago | (#45820855)

I guess this was a...
STICK-up.

Moral of the story (1)

schneidafunk (795759) | about 9 months ago | (#45820189)

Video cameras to prevent drilling of the outer shell was never considered?

Re:Moral of the story (2, Insightful)

Anonymous Coward | about 9 months ago | (#45820221)

How exactly would a video camera prevent a masked marauder from drilling?

Re:Moral of the story (1)

Anonymous Coward | about 9 months ago | (#45820729)

How exactly would a video camera prevent a masked marauder from drilling?

Robo ATM Cop, that's how.
Bang! Bang!! Stop or I'll shoot ... again.

Re:Moral of the story (1)

bleh-of-the-huns (17740) | about 9 months ago | (#45820229)

There is no need to drill the outer shell, apparently it is not difficult to buy keys for ATM machines online, dress as a repair man and no one thinks twice. Failure by some institutions to utilize maintenance logs and scheduling for ATM repairs.

Re:Moral of the story (1)

bleh-of-the-huns (17740) | about 9 months ago | (#45820253)

My bad, I posted before I read the article. I was thinking that they used keys.

Re:Moral of the story (4, Informative)

Richard_at_work (517087) | about 9 months ago | (#45820289)

In the UK you cannot access the internals of the ATM unit without either accessing the rear of the machine, which is locked away in the safe that they mention, or by cutting into the fascia of the external face, which is what they did here.

You cannot gain access to the ATM simply by using a key bought off of the internet.

And yes, most ATMs in the UK have a video camera on them to help identify fraudsters, but that does NOT help prevent the fraud from occurring because someone would have to watch it in real time and intervene. In fact they identified just how this hack was occurring by watching the CCTV footage to see just how the money was going missing, because it wasn't triggering any other alarms.

Re:Moral of the story (2)

lgw (121541) | about 9 months ago | (#45820533)

In most countries it depends on the ATM - there are many different kinds of ATMs installed in many different ways. Is there really some standard in the UK? Are there not cheap ATMs in convenience stores that are very different from the big ATMs next to banks?

Pretty much all ATMs these days have a camera, sure, but it typically records images on storage in the ATM. After the attack, it's going to have whatever comical pictures the attackers want it to have.

Re:Moral of the story (2)

alexander_686 (957440) | about 9 months ago | (#45820231)

Well, there is nothing to indicate anything is wrong. The ATM machines still look like they are functioning normally from the operations center and the tapes are (normally) only reviewed if they suspect something has gone wrong. It’s not like they have a bank of rent a cops monitoring these things 24/7.

Re:Moral of the story (4, Insightful)

Crudely_Indecent (739699) | about 9 months ago | (#45820279)

When has a video camera ever stopped someone from doing exactly what they intend to do? Youtube is full of examples of people behaving badly in front of a video camera (sometimes - because of the video camera)

Sure, video cameras may cause people to reconsider their behavior - but a criminal intent on committing a crime will just wear a mask or disable the camera with some high-tech sticky tape. If the group is repairing the machines so their modification can't be detected - nobody would be the wiser. They might consider the tape to be the work of a prankster and peel it off.

Maybe if the video camera was attached to a flame-thrower - that might do the trick.

Re:Moral of the story (1)

Groghunter (932096) | about 9 months ago | (#45820575)

you have ten seconds to comply.

Re:Moral of the story (2)

Rob the Bold (788862) | about 9 months ago | (#45820301)

Video cameras to prevent drilling of the outer shell was never considered?

Right. Every bank I've ever been in in the last . . . many . . . years has cameras all around, including pointed at the 24-hour ATMs. So I guess you'd do it as surreptitiously as possible so it wouldn't necessarily get noticed on the footage without carefully watching it. Then don't do anything for a while, preferably long enough that the footage with the tampering has been overwritten -- or at least long enough that it's tedious and time-consuming to look through everything and you've got the money and made your getaway. Also, having someone else do the dirty work is always a good idea, like the POS tamperers/vandals/thieves/skimmers that hit Michaels stores using Armenian LA street gang members or something like that as contractors to collect the cash with forged debit cards. I'm probably mixing up several stories there, but the concept is the important thing, not the specific details of any one specific crime.

Re:Moral of the story (1)

jeffmeden (135043) | about 9 months ago | (#45820849)

Video cameras to prevent drilling of the outer shell was never considered?

Right. Every bank I've ever been in in the last . . . many . . . years has cameras all around, including pointed at the 24-hour ATMs. So I guess you'd do it as surreptitiously as possible so it wouldn't necessarily get noticed on the footage without carefully watching it.

To add to the complexity, there are plenty of ATMs (more than enough for a gang to live off of) that are nowhere near a bank. Since the plan was well thought out (the software they hacked in was particularly brilliant to have two-factor auth) they probably also cased ATMs that had a minimum of video surveillance and "hit" them when there were few people around.

Then don't do anything for a while, preferably long enough that the footage with the tampering has been overwritten -- or at least long enough that it's tedious and time-consuming to look through everything and you've got the money and made your getaway.

What is apparently necessary is a software tool to match up physical presence with a lack of ATM transaction activity, since these guys no doubt left no electronic trail in the logs of the machine. Therefore you need to find the spots in the tape where someone was at the machine but not performing a (recorded) transaction.
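The correlation described in the comment above, as an added example that is not part of the thread or of any ATM vendor's software: it merges presence events into sessions and reports sessions long enough to be a visit that have no journal entry nearby. The log formats, thresholds and function names are assumptions, and it presumes the presence feed and journal are stored off the ATM so the machine itself cannot alter them.

```python
import bisect
from datetime import datetime, timedelta

# Constructed sample logs (not from the article). Assumed formats: the presence
# feed comes from camera motion analytics or a proximity sensor, the journal
# from the ATM's transaction record, both collected off-device.
PRESENCE_LOG = """\
2013-12-30T01:58:10 start
2013-12-30T01:59:30 end
2013-12-30T02:41:00 start
2013-12-30T02:41:20 end
2013-12-30T03:12:00 start
2013-12-30T03:15:30 end
2013-12-30T03:15:50 start
2013-12-30T03:19:10 end
2013-12-30T07:45:05 start
2013-12-30T07:46:40 end
"""

JOURNAL = """\
2013-12-30T01:58:55 WITHDRAWAL ok
2013-12-30T07:45:50 BALANCE ok
"""


def parse_presence(text):
    """Return [(start, end)]; a start with no matching end (truncated log)
    is closed at the last timestamp seen rather than silently dropped."""
    intervals, open_start, last = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind = line.split()
        last = datetime.fromisoformat(stamp)
        if kind == "start":
            if open_start is None:
                open_start = last
        elif kind == "end" and open_start is not None:
            intervals.append((open_start, last))
            open_start = None
    if open_start is not None:
        intervals.append((open_start, last))
    return intervals


def merge_sessions(intervals, max_gap):
    """Join intervals separated by at most max_gap (someone stepping briefly
    out of the sensor's view is still the same visit)."""
    sessions = []
    for start, end in sorted(intervals):
        if sessions and start - sessions[-1][1] <= max_gap:
            sessions[-1] = (sessions[-1][0], max(sessions[-1][1], end))
        else:
            sessions.append((start, end))
    return sessions


def parse_journal(text):
    """Return sorted transaction timestamps from the journal."""
    return sorted(datetime.fromisoformat(line.split()[0])
                  for line in text.splitlines() if line.strip())


def unexplained_sessions(sessions, txn_times, min_duration, slack):
    """Sessions of at least min_duration with no journal entry inside
    [start - slack, end + slack]; slack absorbs clock skew between sources."""
    flagged = []
    for start, end in sessions:
        if end - start < min_duration:
            continue  # passer-by, not a visit
        i = bisect.bisect_left(txn_times, start - slack)
        if i < len(txn_times) and txn_times[i] <= end + slack:
            continue  # a recorded transaction explains this visit
        flagged.append((start, end))
    return flagged


def find_review_windows(presence_text, journal_text,
                        max_gap=timedelta(seconds=30),
                        min_duration=timedelta(seconds=60),
                        slack=timedelta(seconds=30)):
    """Footage windows worth a human look, oldest first."""
    sessions = merge_sessions(parse_presence(presence_text), max_gap)
    return unexplained_sessions(sessions, parse_journal(journal_text),
                                min_duration, slack)


if __name__ == "__main__":
    for start, end in find_review_windows(PRESENCE_LOG, JOURNAL):
        print(f"review footage {start.isoformat()} to {end.isoformat()}")
```

A flagged window is only a pointer into the footage: maintenance visits and customers who walk away without transacting will also show up and need to be ruled out against the service schedule.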

Re:Moral of the story (0)

Anonymous Coward | about 9 months ago | (#45820303)

Mod parent up! Cameras create impenetrable force fields. At no point in history has any ne'er-do-well covered their faces before engaging in shenanigans.

captcha: stocking. I love you, context-sensitive captcha generator.

Re:Moral of the story (1)

znrt (2424692) | about 9 months ago | (#45820315)

Video cameras to prevent drilling of the outer shell was never considered?

unfortunately all available video cameras are busy pointing at random public places. we're trying to run a surveillance state here, you insensitive clod!

Re:Moral of the story (1)

wvmarle (1070040) | about 9 months ago | (#45820427)

Security cameras are only to record what happens, for later viewing. They don't help prevent crime, they only help solving it (they might prevent some because of the higher risk of getting caught).

These thieves did their best to not have their work detected. They drilled the hole, installed the software, then patched up the hole. Later they came back to get the money out of the machine - basically by nicely asking the machine to give it to them. And that again was detected only much later when the notes in the machine were counted and the numbers were found to be off, which in turn triggered an investigation, taking even more time before the bank finally found out what was going on.

Those security cameras did nothing. A smart thief will wear a cap or so, inconspicuous (wearing a mask would make you stand out of course) but it hides your face from the overhead camera, so even seeing them do it won't give many clues.

Sounds like the FBI. (0)

Anonymous Coward | about 9 months ago | (#45820213)

Sounds like the NSA. FBI. CIA. US Government.
 
Trust, but verify... and we're gonna take all that you value.

Barnaby jack jackpotting ATMS (4, Informative)

bleh-of-the-huns (17740) | about 9 months ago | (#45820215)

Google the subject, he performed this attack live at both Blackhat and Defcon 18. It was definitely an eye opener, and one of the reasons I tend to avoid those rental ATM's you see in mom and pop stores, and restaurants/bars...

yes I realize that even the major Bank ATM's are susceptible, but at least with a major bank you have some recourse if you have issues.

Re:Barnaby jack jackpotting ATMS (0)

Anonymous Coward | about 9 months ago | (#45820381)

Really? That's how you're going to layout your comment? By putting the relevant part of the comment in the subject, which is a link, it's difficult to highlight with the mouse so we can copy/paste which inconveniences anyone else who might have an inkling of interest in your, well, subject.

Since you're too "clever" (or lazy) to properly edit your post in the first place, and as a courtesy to everyone else who might be interested, here is the google results link for "barnaby jack jackpotting atms" [google.com]

HTH HAND et. al.

Re:Barnaby jack jackpotting ATMS (0)

Anonymous Coward | about 9 months ago | (#45820837)

Take your tissues and wipe your tears. For once.

Re:Barnaby jack jackpotting ATMS (0)

Anonymous Coward | about 9 months ago | (#45820395)

Barnaby Jack was a great hacker. Too bad he made enemies who knows when it is possible to determine cause of death and when it is not.

Re:Barnaby jack jackpotting ATMS (1)

mlts (1038732) | about 9 months ago | (#45820555)

I've wondered why ATMs are not designed with some defense in depth. Yes, the cash pile and outer case tend to be well armored, but I wonder about having the core computer be in a tamper resistant case, similar to a HSM, with software for copying signed updates [2]. There wouldn't be a USB port, but just a port for a SD card (a USB card can register as more than just a drive, so having just a SD card prevents that) and a restricted interface for updates might help things. If the case holding the core CPU is opened, the module with the core keys for PIN encoding/decoding would fry itself automatically, similar to how physical tampering on a HSM will cause it to zero itself.

[1]: Always amuses me (except if I have to get cash out) to see a WGA piracy warning, or (if the ATM doesn't get updates) a demand for activation. That is a failure on the part of the ATM maker because they really should have specced XPe, not XP. As an added bonus, XPe can redirect all writes to a different area so the OS can be on a read-only SSD.

[2]: Could be just a simple bootable BSD partition with netpgp that copies the OS image to a temporary directory, checks to see if the signature is valid, then if so, uses dd to do the final writing.

Re:Barnaby jack jackpotting ATMS (1)

AK Marc (707885) | about 9 months ago | (#45820811)

, but just a port for a SD card (a USB card can register as more than just a drive, so having just a SD card prevents that)

Are you sure about that? http://nz.transcend-info.com/products/CatList.asp?FldNo=24&Func2No=203 [transcend-info.com]

That one runs a disconnected Wi-Fi to share the photos using the power supplied, but no connection back to the host, but I've also used networking cards in PCMCIA slots. You do know what the MC stands for in that, right? memory cards have been used for more than just flash memory, since as soon as they were invented.

Re:Barnaby jack jackpotting ATMS (0)

Anonymous Coward | about 9 months ago | (#45820721)

In Canada most of the small ATM machines belong to organized crime. They're not ripping you off (well, except for the $3 fee). What they are doing is making dirty money clean.

You would be stupid to tangle with those groups.

http://www.cbc.ca/news/canada/private-atms-vulnerable-to-money-laundering-1.2288659

well... (0)

Anonymous Coward | about 9 months ago | (#45820217)

I am selling USB sticks on EBay if anyone wants them.

POT (Personal Open Terminal) reduces dark deeds (-1)

Anonymous Coward | about 9 months ago | (#45820283)

hard to resist the notion of all the gizmos being accessible to all of us 24/7? even the crooks when they got home would expose themselves? if we all chip in it could lighten the load?

Why did we get rid of OS2 on the ATM's? (2)

Joe_Dragon (2206452) | about 9 months ago | (#45820285)

that one was hard to hack

Re: Why did we get rid of OS2 on the ATM's? (0)

Anonymous Coward | about 9 months ago | (#45820465)

Because the new kids only know .NET

Re: Why did we get rid of OS2 on the ATM's? (0)

Anonymous Coward | about 9 months ago | (#45820829)

Is it really that hard to teach them COBOL?

Two-factor authentication (1)

Anonymous Coward | about 9 months ago | (#45820333)

Well, it's nice to see that someone in the, uh.. banking industry.. has managed to figure out two-factor authentication to stop people from taking off with money.

Tech is perfect (1)

Catbeller (118204) | about 9 months ago | (#45820349)

Remember to contract private companies to build machines and systems to count votes as well. Nothing could possibly go wrong, and those companies will be as assiduous in detecting flaws in voting systems and their front ends as they are in counting vast quantities of cash. Because, you know, they will. 'Cause. Perfect.

Re:Tech is perfect (1)

DaHat (247651) | about 9 months ago | (#45820431)

Yes, because seeking solutions from government is so much better... they never deceive and only have the purest intentions at heart.

Re:Tech is perfect (0)

Anonymous Coward | about 9 months ago | (#45820715)

Fighting straw with straw doesn't work, kid.

It's not the USB drives, it's the USB ports (1)

WOOFYGOOFY (1334993) | about 9 months ago | (#45820369)

USB ports will take literally any instruction at face value and execute it. In the eyes of a USB port, there is no such thing as malware.

How do we prevent this? (4, Informative)

EMG at MU (1194965) | about 9 months ago | (#45820425)

I feel like I might know how something like this happened.

Dev: "Hey we need to spend some time on security, for example the USB ports are not disabled, if we want to use them for service we should put authentication on them."
Project Manager: "Well, you have a point but none of our competitors focus on security either and we're also behind on the project. It will be fine and we can fix it next time"

As an embedded dev I have had that conversation.

Re:How do we prevent this? (0)

Anonymous Coward | about 9 months ago | (#45820563)

Why didn't you just do it in the first place, you know, as part of your job? Yeah boss, I've installed LAMP, and left all the passwords set to 12345. We're ready to release. Profit!

Re:How do we prevent this? (1)

NatasRevol (731260) | about 9 months ago | (#45820873)

Why?

Deadlines.

Costs.

Salaries.

Oh, ffs. (5, Insightful)

ledow (319597) | about 9 months ago | (#45820457)

Fail #1: A port that can be accessed without triggering an alarm.
Fail #2: A USB port.
Fail #3: Software running that looks at, and allows unsigned executable code to be executed from, a USB storage device without explicit authorisation.
Fail #4: No intrusion detection whatsoever to notice that this USB device has been inserted, has had code taken from it, that that code has been made executable and executed, or that that code is running with privilege enough to dispense cash.

I stopped caring at #2, if I'm honest.

You can state for all the world that the ATMs need software updates, etc. but there's just no excuse for a commodity device to be able to run arbitrary code without at least BOTHERING to check the authenticity of the code it runs first and ALERTING someone somewhere that that's what's happening (i.e. alert the branch, alert the central bank, etc.).

There's nothing stopping you issuing your updates over the local banking network, even, if that's what you want to do. Just make sure they are signed, verified, encrypted and secured. Honestly, you can't download a fecking game or movie nowadays without requiring DRM... and this is where DRM, code-signing and all that other stuff we do is supposed to be being used the most.

General purpose computers SHOULD NOT BE USED in security-conscious situations.

If your ATM isn't a SecureBoot machine (at a minimum), with code-signing explicitly required for any and all updates, and ALL WAYS to execute external code disabled, you're just a fecking idiot.
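
An added example, not part of the thread and not any ATM vendor's code: the verify-then-write update flow asked for in the comment above and in mlts's footnote [2], using `openssl dgst` in place of netpgp. The detached-signature layout, the location of the trusted public key and all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install an update image only after
# its detached signature verifies against a key already held on the device.
# Assumptions: the signature is RSA/SHA-256 made with
# `openssl dgst -sha256 -sign`; every path below is hypothetical.
# usage: install_update <image> <image.sig> <trusted-pubkey.pem> <target>

install_update() {
    media_img=$1   # image on the removable media (untrusted)
    media_sig=$2   # detached signature on the removable media (untrusted)
    pubkey=$3      # public key from read-only local storage (trusted)
    target=$4      # partition or file that receives the image

    stage=$(mktemp -d) || return 2

    # Copy first. The media can change between reads, so the bytes that
    # are verified must be the same bytes that are written afterwards.
    if ! cp -- "$media_img" "$stage/image" ||
       ! cp -- "$media_sig" "$stage/image.sig"; then
        rm -rf -- "$stage"
        return 2
    fi

    # Verify the staged copy. Nothing from the media is executed or
    # written to the target before this check passes.
    if ! openssl dgst -sha256 -verify "$pubkey" \
            -signature "$stage/image.sig" "$stage/image" >/dev/null 2>&1
    then
        # A rejected update is an event worth reporting, not just skipping.
        echo "ALERT: update rejected, signature check failed: $media_img" >&2
        rm -rf -- "$stage"
        return 1
    fi

    # Write the verified staged copy; the media is never re-read.
    dd if="$stage/image" of="$target" bs=64k 2>/dev/null && sync
    rc=$?
    rm -rf -- "$stage"
    return $rc
}
```

The return code separates a failed signature check (1) from an I/O problem (2), so a monitoring hook can treat the first as a tamper alert.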

Re:Oh, ffs. (0)

Anonymous Coward | about 9 months ago | (#45820603)

Dude, the money is safe, as long as they don't know the money is in there. DUH!

Re:Oh, ffs. (0)

Anonymous Coward | about 9 months ago | (#45820713)

I would imagine that the FAILs you refer to, are all addressed in electronic slot machines and other gambling devices. It would be a sick fact if the armless bandits have less security than the ATMs used to feed them.

Inside Job (2)

Princeofcups (150855) | about 9 months ago | (#45820593)

When I worked at ABN/AMRO, I would pass the locked ATM machine engineering room, and wonder what could happen if one of these people was fired. Now we know.

Did we mention they're thieves? (1)

TangoMargarine (1617195) | about 9 months ago | (#45820631)

If we used that word any less than 4 times in the 6-sentence summary, people might forget who we're talking about!

Software security in finance is surprisingly low (5, Informative)

quietwalker (969769) | about 9 months ago | (#45820697)

I used to write financial software for a living, including ATM driving software.

I realized, after a while, that I had certain preconceived notions about the sort of software and hardware that is running on these sorts of high profile, high risk systems. Obviously, the software will have been made highly secure; redundant checks on every action, code signing, etc. It'd likely be running a custom operating system that was built from the ground up and booted off a (P)ROM. The case would be just as impenetrable, with a separate compartment for the computer itself, requiring specialty equipment so that could only really be opened at the point of origin or in a manner certain to destroy the innards - and certainly not in the field.

Right? I mean, any of us can think up a set of reasonably secure basic premises from which we could build a system like this out of.

Imagine my surprise when I found out that half of the ATMs out there are just running off-the-shelf Windows desktops, with the original demo software still installed. There's no real optimization, no cleanup, no limited boot, nothing; it's just a desktop machine jammed in a vending machine with a custom card & cable for driving the mechanics of the ATM. Sometimes they're even in the original manufacturer's case (though usually they're just the board). I've also done some work on vending machines, and I can tell you that they're often better made!

As a software developer, one of the things I was shocked to see was that security for ATMs was almost entirely focused on the physical. There's little to stop someone from hooking up an external line and sending approvals or just do basic proxying - most of the data is sent in the clear, just skim it, or to update the system with a cd or usb if you pull the front cover of the ATM off. Many times, you'll find someone left a keyboard and mouse behind in the unit because it's a pain to always carry your own when doing updates or what have you.

This follows the same basic trend in the rest of the financial systems I've seen; physical security is very high, software security is relatively low. When it comes down to it, most companies place a focus on tracking transactions rather than securing them, and rely on constant manual review by staff to detect problems (that's why banks close so early - the folks who don't run the registers are in the back doing the day's reconciliation).

Not robbery (1)

Dan East (318230) | about 9 months ago | (#45820751)

Robbery is defined as taking something from a person through threat of force or violence. You cannot rob an inanimate object. Theft is the correct term, or perhaps burglary (which also includes illegally entering a place to commit theft). I'm rather surprised to see the BBC misusing the term as well, but I notice they refer to it as "theft" in the story, and only use "rob" in the title. Sounds like an overzealous editor tried to make the headline more catchy when posting the article.

Re:Not robbery (1)

Dan East (318230) | about 9 months ago | (#45820801)

As an addendum, it would seem burglary is the most accurate legal term in this case, as the criminals had to physically break into an authorized area of the ATM in order to commit the theft. But "robbery" is definitely the wrong terminology regardless.

Interesting (1)

lapm (750202) | about 9 months ago | (#45820763)

Hmm, why rob the bank when you can empty an ATM with much less risk of cops catching you? Somehow I would have expected an ATM to use something other than a Windows or DOS system.

Crooks are better at security than the banks!! (4, Interesting)

cs668 (89484) | about 9 months ago | (#45820909)

At least they built a challenge response system into their hack, that's just f*'ing funny to me!!

Re:Crooks are better at security than the banks!! (1)

Registered Coward v2 (447531) | about 9 months ago | (#45820943)

Yes, because you just can't trust crooks.