Card-Sniffing Malware On Diebold ATMs

kdawson posted more than 5 years ago | from the atm-russia-you-do-the-math dept.

Security 143

angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."

In Soviet Russia... (5, Funny)

Pyrus.mg (1152215) | more than 5 years ago | (#27236963)

the banks hold up you.

Re:In Soviet Russia... (1)

zonky (1153039) | more than 5 years ago | (#27237007)

only if windows has actually been activated [englishrussia.com]

Re:In Soviet Russia... (2, Funny)

Anonymous Coward | more than 5 years ago | (#27237089)

the banks hold up you.

I thought for that joke there was supposed to be a reversal in there somewhere?

On Soviet Slashdot (2, Funny)

pisto_grih (1165105) | more than 5 years ago | (#27239037)

joke reverses you!

As good as their voting machines are... (0)

Anonymous Coward | more than 5 years ago | (#27237235)

Can someone link to this story whenever someone asks why Premier Election Systems' (AKA Diebold's) voting machines aren't as good as their ATMs?

Re:As good as their voting machines are... (1)

neomunk (913773) | more than 5 years ago | (#27240923)

Sure, because hard-hacking an ATM with electronic devices and putting a file on a memory card demonstrate the same level of security planning, right? Right?

Re:In Soviet Russia... (0, Flamebait)

Shivinski (1053538) | more than 5 years ago | (#27238325)

No..no reversal, that's actually true, here in the west..well it was, a year or two ago...banks held you up, and forced you to get a loan that you could never afford...unfortunately somewhere along the line of repaying the loan and filing for bankruptcy the whole system went a bit tits-up.

Re:In Soviet Russia... (0)

Anonymous Coward | more than 5 years ago | (#27238373)

Bullshit, what is this Democrat amateur night? No bank forced anyone to take out a loan, much less anything someone couldn't afford. It was always up to the borrower to determine whether they would take that loan or not. You can argue predatory tactics but don't be a total douche and pretend that it was all the banks faults. You must be a totalitarian asshole who believes that a continent that has been through countless wars and even more unstable governments know better. The United States is going through a rough patch but don't act as if forcing everyone to bow to the Federal Government is going to make everything better.

BTW The neo-cons were basically the worst of the 2 parties, big overbearing government and fuck all for middle class federal assistance

Re:In Soviet Russia... (1)

daveime (1253762) | more than 5 years ago | (#27239185)

Yup, in the same context that Eve didn't FORCE Adam to eat the fucking apple !

Credit + US Citizen == Carrot + Donkey

Re:In Soviet Russia... (1)

WhatAmIDoingHere (742870) | more than 5 years ago | (#27239285)

So, fat people were FORCED to eat McDonalds simply because it was there?

No, you're wrong. The banks said "If you want, you can borrow some money." It's the people who jumped all over themselves to spend more than they make.

Re:In Soviet Russia... (3, Insightful)

daveime (1253762) | more than 5 years ago | (#27239499)

Umm, no ... the banks said something more akin to ...

Want some money, we got lots of money, want more money that you can afford, no problem, we'll give you 10 times your salary, even though the recognised multiplier is just 3.

And with low low interest rates, what could possibly go wrong ? Also, while you're here, would you like to borrow more money for a car, and a holiday, and that 80" flatscreen TV ? How about a new kitchen ? We can also give you credit cards with more spending power than God.

And what the heck if the sum total of all your credit comes to 5 times more than you can conceivably earn in your lifetime, this is the American Way (TM).

Re:In Soviet Russia... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27240551)

The government controlling every bit of people's lives isn't going to cure stupid.

Re:In Soviet Russia... (0)

Anonymous Coward | more than 5 years ago | (#27240557)

yeah, the bastards do it over here too!

Track record? (1)

Tubal-Cain (1289912) | more than 5 years ago | (#27236971)

As far as ATM venders go, how does Diebold rank in security?

Re:Track record? (5, Insightful)

ScentCone (795499) | more than 5 years ago | (#27237017)

As far as ATM venders go, how does Diebold rank in security?

Does it really matter, when their customers are allowing the bad guys to physically work with the machines? Bad guys who get to touch systems like that have a real leg up. Machines that - even if the user allows the bad guy to play with the hardware - could withstand a serious onslaught by organized Russian techie criminals would probably be substantially more expensive for the average [Insert Name of Russian 7-11 here] or their banking vendor to deploy.

Re:Track record? (1)

Logic Worshiper (1480539) | more than 5 years ago | (#27237133)

Why would an ATM allow access to anything but the needed functions?

I couldn't imagine an ATM that ran a consumer OS.

Re:Track record? (5, Insightful)

hairyfeet (841228) | more than 5 years ago | (#27237605)

You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27238003)

If it ain't broke, don't fix it.

BUT.. if something stays "ain't broke" for too long, the manufacturer cannot make money on new equipment, software, upgrades, support contracts, etc. So they got to sell it "broken" to ensure that additional (and highly lucrative) revenue stream.

Same system has worked all this time for Microsoft....

Re:Track record? (5, Insightful)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27238151)

the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around

Why? Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data. A lot can go wrong with an ATM. From faulty hardware to sloppy programming.

It's far more likely that in this case the benefit comes from simplicity in the hardware and software design, not anything to do with OS/2. From your description, the whole design is much older. Whatever bugs that may be present in the software or the operating system don't interfere with the machines day to day operation, so from the standpoint of a casual observer, it's perfect.

Using this single (biased) example as an endorsement for using OS/2 isn't insightful, it's just stupid.

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27238389)

Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data.

I get 27,000 Google hits for "ATM BSOD". Looks like data to me.

Re:Track record? (1)

batquux (323697) | more than 5 years ago | (#27240055)

It's far more likely that in this case the benefit comes from simplicity in the hardware and software design

This is true. Something like an ATM doesn't even need an OS but it makes it a lot easier to produce, not to mention redesign and upgrade.

Re:Track record? (4, Insightful)

Anonymous Coward | more than 5 years ago | (#27238243)

But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work.

You're thinking like an engineer. Think like a marketroid. You know...

"...If it ran Windows, we could put advertisements on it. And not just text ads like 'walk around the corner and ask for a loan', I mean full-screen animated ads of cute families overjoyed because they have credit cards, you know, like TV, and the customer would have to watch the ads, because if they walk away during the 5-second interstitial ad, they don't get the $100 they're trying to withdraw!"

CAPTCHA: "annoyed". Once again, Slashdot imitates life. Or at least, the fucking ATM going "ding" (with the same DING.WAV that's been in Windows since 3.1, what a dead giveaway as to what OS they're running) that I used this afternoon.

Anyways. Fucktards. Fucktards one and all. It's St. Paddy's day, and I'm finally drunk enough to take my engineering hat off and put my marketroid hat on. Fortunately, I'll be sober in the morning. Unfortunately, the marketroids will still be running the show.

Re:Track record? (1)

IntlHarvester (11985) | more than 5 years ago | (#27238387)

You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

  My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

Hah, please tell me someone copy-pasted this from a Slashdot thread circa 2001.

If not, your ATM runs Microsoft OS/2 1.3, btw.

Re:Track record? (1)

zMaile (1421715) | more than 5 years ago | (#27238415)

I don't know much about it, but perhaps price is an issue? Is the Windows solution cheaper? I would understand why a bank would choose that option, even if I don't agree with it.

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27238599)

I really have got to agree about the stability and security of OS/2. But I feel that it's a classic case of "security by obscurity". But hey, I still run one or two OS/2 machines and they're far more stable than their NT counterparts.

Re:OS/2 or Windows (1)

BbMaj7 (61539) | more than 5 years ago | (#27238803)

Pretty becomes an issue when you gain revenue displaying motion picture advertising and providing additional "value added" features.

It isn't just Diebold. I work with a few different brands of ATMs and they all seem to be moving in the same direction.

Re:Track record? (1)

Lumpy (12016) | more than 5 years ago | (#27239911)

Because you HAVE to upgrade!

OS2 won't support the latest video card, sound card, or any of my usb devices!!!!

OMG! I would just die if my ATM did not use my webcam and ipod!

many times it's because bank executives are making the decision. windows based ATM's exist because some retarded moron of a bank executive asked for it.

Re:Track record? (1)

L3sPau1 (1503477) | more than 5 years ago | (#27240009)

Good call on OS2, it's right under their noses. Like you said WTF. BTW, I've bookmarked an interesting video with Avi Rubin on e-voting machine security that kinda sorta relates. http://tinyurl.com/dehz2q [tinyurl.com]

Re:Track record? (1)

ChangelingJane (1042436) | more than 5 years ago | (#27237609)

No imagination required! Visit your local ATM today!

Re:Track record? (4, Interesting)

wiredlogic (135348) | more than 5 years ago | (#27237883)

Many older ATMs used to run OS/2 and were rock solid dependable. It also helps that IBM was a key player in developing the crypto hardware in those machines and they had the expertise to ensure everything was locked down and tamperproof.

What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

Re:Track record? (4, Interesting)

Gollum (35049) | more than 5 years ago | (#27237989)

I did some work for a local bank, and their ATM's were running Windows XP (not embedded), IIS (can't remember the version), and IE. This was to allow them to serve "rich content" (movies, images, animations, etc), without having to write it all themselves. The ATM just had IE talking to IIS, and displaying the results in "kiosk mode". The buttons on the sides of the screen were mapped to keys on the keyboard (I think), and that's how it ran.

I specified a full set of ports that needed to be accessible to the ATM controllers, and that was all that was supposed to be accessible from the network.

However, if you can get access to the back of the machine, it has a second monitor, keyboard and mouse, and you can access the OS, and do whatever you want to do. I *THINK* that the keyboard and mouse were locked away in the vault (or at least behind a door), but the hardware itself is pretty standard PC, so I don't imagine that it would be particularly difficult to add a USB keyboard or mouse and gain access when rebooting the device. Maybe even boot from a USB disk or similar.

The reality is that if you have physical access to practically anything, it is game over.

Personally, I would have been a lot happier to see a stripped down Linux kernel + minimal OS, BIOS passwords, bootloader passwords, etc than the entire Windows stack. Less to verify == more security.

Re:Track record? (-1, Troll)

DrSkwid (118965) | more than 5 years ago | (#27238237)

I would prefer if it didn't have Monkey Linux on it either but a proper OS.

Re:Track record? (1)

Gollum (35049) | more than 5 years ago | (#27238281)

Care to elaborate a little?

What do you consider a "proper OS"?

Re:Track record? (2, Funny)

L4t3r4lu5 (1216702) | more than 5 years ago | (#27238805)

HURD.

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27239173)

All the peripherals (screen, keyboard, printer, log printer, card reader...) are in the top part of the machine, which is different than the vault that actually holds the money.
A kid with a screwdriver can open the top door.

This reminds me of a story I heard, and I was shown the difference between an old and new ATM, so I'm inclined to believe it. Some time ago they installed a hardware upgrade in the form of a steel bar behind the customer screen, to prevent thieves from actually breaking out the screen, and then enter the bank through the top part of the ATM. Presumably from videos they have, some men broke out the screen, and then used kids to enter the bank.
It still gives me the chills that it was so easy. Once inside you generally have access to the entire bank. The backside of the ATM machines is in a separate room, which is not locked most of the times, even though the banks should.

You can enter the bank and go for the cash registers, or just stay where you are now, and start working on the vault.

If you have the right input codes, it may even be possible and much easier to trick the machine into "debug" mode from the operator keyboard in the backside, and tell it to keep dispensing notes until it runs dry. That way you don't have to crack the vault and can be done in 10 minutes tops for each ATM. Assuming they are reasonably filled and there's about 4 in a bank, you can make a hell of a lot of money in no time before the cops show up.

Note: this story is a couple of years old, and I'm not responsible for what you may or may not do with this information.

Re:Track record? (3, Interesting)

Carlosos (1342945) | more than 5 years ago | (#27239555)

Breaking into a bank through the ATM machine is probably the worst idea ever. Banks (or at least the banks I worked at) have a motion detector in the room behind the ATM. Only once I saw a bank that had an ATM removed and just covered up with plywood from the outside while the motion detector was disabled in that room. Triggering the ATM alarm is worse than the premises alarm because the premises alarm gets triggered sometimes from cleaning personnel or other employees but for the ATM room you need a special key that not everyone has.

I'm also not sure that you can easily go into debug mode without anyone noticing (assuming some employee let you in that room) because the ATM technicians have to call Diebold before doing anything with the machine. They will know if someone unauthorized is using the ATM and restarting with a live CD won't work because that will also trigger an alarm.
I'm guessing it was a Diebold employee that installed the malware since he would have been the only one who could have gotten that much access to it.

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27239205)

I'm going to go ahead and call BS, having worked for these guys [phoenix-interactive.com] as a developer that is *not* how it works for any major vendors. Buttons are not mapped to keyboard buttons for a number of reasons, the main one being that as you point out they have a separate keyboard and there are functions you can perform on that keyboard without taking the atm out of service. The keyboard and mouse are generally not in the vault as there's no need for them to be, both the OS and the software are locked down such that even an authorized administrator shutting down the software puts up big red flags in the banks' network ops center. There is no way to bypass without shutting down as a separate monitor ensures the software is always active, full-screen, and on top. Also, you don't want someone going around refilling the toner and receipt paper on the atms to have to get into the god damned vault to let the software know he's replenishing supplies, please disable the printer for a moment.

If you somehow manage to get into the system with the software down where does that get you? The binary system files are checked against a signature on system startup, the config files are also signed, and since the atm is on the bank's AD, they should be locking down the allowed running processes to only what they need. You can't even grab the cash unless you have a copy of the vendor's drivers and a pretty good idea of how to use them.
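
The startup check described in the comment above, sketched as an added example (not part of the thread and not any ATM vendor's code): an authenticated manifest of file hashes is verified at boot, reporting modified, missing and unexpected files. The key, file names and the use of HMAC in place of a vendor signature are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. HMAC stands in for the vendor signature here; a real
# design would verify an asymmetric signature so the ATM holds no signing secret.
DEMO_KEY = b"constructed-demo-key"


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root):
    """Relative paths (forward slashes) of every file under root, sorted."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def _mac(files, key):
    """Authenticate the canonical JSON form of the path -> hash mapping."""
    body = json.dumps(files, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Done once on a known-good image; the manifest is stored with the image."""
    files = {rel: sha256_file(os.path.join(root, *rel.split("/")))
             for rel in list_files(root)}
    return {"files": files, "mac": _mac(files, key)}


def verify_at_startup(root, manifest, key):
    """Return a list of findings; an empty list means the tree is as shipped."""
    # Authenticate the manifest first: an attacker with disk access could
    # otherwise rewrite the hashes to match the tampered files.
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return ["manifest: authentication failed"]
    findings = []
    present = set(list_files(root))
    for rel, expected in sorted(manifest["files"].items()):
        if rel not in present:
            findings.append("missing: " + rel)
        elif sha256_file(os.path.join(root, *rel.split("/"))) != expected:
            findings.append("modified: " + rel)
    # Files that were never in the manifest matter as much as changed ones:
    # a dropped executable leaves every original file intact.
    for rel in sorted(present - set(manifest["files"])):
        findings.append("unexpected: " + rel)
    return findings


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Run the check on a constructed file tree and return each result."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree; names and contents are made up.
        _write(root, "atm_app.bin", b"application image v1")
        _write(root, "config/terminal.ini", b"host=10.0.0.1\n")
        manifest = build_manifest(root, DEMO_KEY)
        clean = verify_at_startup(root, manifest, DEMO_KEY)

        # Simulate tampering: one config edit and one added file.
        _write(root, "config/terminal.ini", b"host=10.9.9.9\n")
        _write(root, "extra_service.dll", b"not part of the image")
        tampered = verify_at_startup(root, manifest, DEMO_KEY)

        # Hashes rewritten to match the tampered tree, but without the key
        # the old MAC no longer matches the manifest body.
        forged = {"files": build_manifest(root, b"wrong-key")["files"],
                  "mac": manifest["mac"]}
        forged_result = verify_at_startup(root, forged, DEMO_KEY)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A check like this only holds if the verifier and key material sit outside what an intruder with a keyboard at the back of the machine can rewrite, which is the disagreement running through this thread.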

Re:Track record? (1)

Lord Ender (156273) | more than 5 years ago | (#27240491)

That's actually a fairly clever design. I would not want to even begin implementing UI-embedded video on a microcontroller-based ATM. But so long as the user's input capabilities are severely limited, it really would be possible to use the capabilities of a web app without sacrificing too much security.

Re:Track record? (1)

troll8901 (1397145) | more than 5 years ago | (#27238143)

What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

I don't know about Diebold ATMs. For voting machines, here's a quote from this Slashdot [slashdot.org] story (March 03, 2009):

Except that Diebold didn't make these machines. Premier Election Systems made them, and then was bought up by Diebold. - DrLang21 (900992)

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27238405)

and yet you use one all the time. I remember back in my heyday seeing a loomis fargo (armored car transport) guy walk away from an ATM he opened and leave it showing an XP desktop for over 15 minutes while I checked out at my grocer, think again anything not in your pocket is not safe... even then keep a hand near by

Re:Track record? (1)

squidinkcalligraphy (558677) | more than 5 years ago | (#27237657)

As far as ATM venders go, how does Diebold rank in security?

Does it really matter, when their customers are allowing the bad guys to physically work with the machines?

Yes it does matter; security is a chain as strong as its weakest link. Proper encryption and authentication systems could/should have been used here to harden the weak link of physical access. As for cost of deployment, well, security organisations (including banks and Diebold) live on their reputations to keep things out of the hands of criminals. If they fail to do this, their security suffers. We're talking about Diebold here, not some two-bit Russian ATM provider.

Re:Track record? (1)

koiransuklaa (1502579) | more than 5 years ago | (#27238839)

They have physical access and are sniffing cards. How do you think you can prevent that by adding encryption or authentication?

Re:Track record? (0)

Anonymous Coward | more than 5 years ago | (#27239733)

> Does it really matter, when their customers are allowing the bad guys to physically work with the machines?

Yes it does matter; security is a chain as strong as its weakest link. Proper encryption and authentication systems could/should have been used here to harden the weak link of physical access.

You're not making any sense. Look again, OP just described the weakest link.

(And chain links hardly harden each other... but I think the chain metaphor is too simplistic here to begin with.)

Maybe there could be gov. regulation of ATM design (5, Interesting)

Futurepower(R) (558542) | more than 5 years ago | (#27236981)

There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98.

That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.

Re:Maybe there could be gov. regulation of ATM des (1)

zonky (1153039) | more than 5 years ago | (#27236989)

I've certainly seen a number of ATM's running Windows 2000 Professional, but windows 98! *shudder*

Re:Maybe there could be gov. regulation of ATM des (1)

Logic Worshiper (1480539) | more than 5 years ago | (#27237143)

I wouldn't put my card in one of those. What company, so I can never bank with them?

Re:Maybe there could be gov. regulation of ATM des (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#27238819)

If only it were one specific banking establishment. Diebold sell ATMs to all banks.

Money under the mattress much?

Re:Maybe there could be gov. regulation of ATM des (0)

Anonymous Coward | more than 5 years ago | (#27239535)

Postamat, banking service offered by the Italian Post. It sucked my card in, crashed, and promptly spat it out after a few minutes of reboot, while I was inside the post office trying to explain what happened.
Windows 2000 Pro btw.

Re:Maybe there could be gov. regulation of ATM des (2, Informative)

mlts (1038732) | more than 5 years ago | (#27237153)

Ages ago in the past, OS/2 was the ATM platform of choice. Now, it's either Windows 2000 Pro, or XP Embedded.

As for Windows 98, I can see that being used, but the ATM would require a watchdog card. This is a special hardware card that automatically resets the machine should the watchdog driver not send pulses after a certain period of time, or if a certain application is not present and running. This case, Windows 98 can be used, because if the ATM's app crashes, the card will reset the machine to a hopefully known good state.

Re:Maybe there could be gov. regulation of ATM des (4, Insightful)

v1 (525388) | more than 5 years ago | (#27237237)

over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.

If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.

Re:Maybe there could be gov. regulation of ATM des (0)

Anonymous Coward | more than 5 years ago | (#27237713)

over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.

If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.

No access? What about the card slot?

Re:Maybe there could be gov. regulation of ATM des (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#27238837)

Exploit an ATM from the card reader?

You've watched D.A.R.Y.L. [wikipedia.org] one too many times.

Re:Maybe there could be gov. regulation of ATM des (1)

Amitz Sekali (891064) | more than 5 years ago | (#27237779)

Just so you know, the ATMs of the largest retail bank in my country have keyboards on them.

Re:Maybe there could be gov. regulation of ATM des (1)

RMH101 (636144) | more than 5 years ago | (#27238719)

...which I can guarantee is not hooked up to the PS2 port on the ATM PC. Your point?

ATMs struck by the W32/Nachi worm (1)

rs232 (849320) | more than 5 years ago | (#27239489)

'over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count'

That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.

'Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi [infoworld.com] worm raises the specter'

'Last August, the Nachi (Welchia) worm contaminated the cash machines at two financial institutions. When the Slammer virus hit the back end systems of the Bank of America in January 2003, 13,000 US ATMs became unavailable [theregister.co.uk] '.

Re:ATMs struck by the W32/Nachi worm (1)

v1 (525388) | more than 5 years ago | (#27240747)

That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.

The ATMs run on their own encrypted (VPN) network, a bit like a darknet. Just because they're using the internet doesn't make that an easy vector. It's like saying your company's internal network isn't secure if your offices are connected with a VPN. As long as the exterior doors are secure, internal security is irrelevant.

That worm was probably due to the fault of some ATM engineer using an infected flash drive while servicing the machines.

I saw one (1)

Jeremy Visser (1205626) | more than 5 years ago | (#27239105)

No citation provided, but I saw one running Windows 98 in the touristy district of the Spanish city of Santiago de Compostela [google.com] (right near the cathedral).

I wasn't game enough to trust my debit card with it, but a passerby used it, and boy was it slow. You could see the individual images redrawing on the screen. It's been so long since it was last updated that the CRT monitor has the text burnt into its screen. (Although I thought modern CRTs were supposed to be immune to burn-in.)

Re:Maybe there could be gov. regulation of ATM des (1)

Denihil (1208200) | more than 5 years ago | (#27237293)

There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98. That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.

waaait a second. so people actually put a atm running windows 98 in the middle of russia and expected it NOT to get immediately hijacked?

Obviously a product of the LAUSD (2, Funny)

Amazing Quantum Man (458715) | more than 5 years ago | (#27237543)

Since when is Sao Paulo, Brazil in the middle of Russia?

Re:Obviously a product of the LAUSD (0)

daveime (1253762) | more than 5 years ago | (#27239213)

In Soviet Russia, Brazil Sao Paulo's you !

Re:Maybe there could be gov. regulation of ATM des (1)

pgn674 (995941) | more than 5 years ago | (#27237827)

Wow, especially considering extended support retired in July 2006 [microsoft.com] .

Re:Maybe there could be gov. regulation of ATM des (1)

shirque (1335717) | more than 5 years ago | (#27239755)

You don't need Windows however to have Microsoft crash your cash dispenser - about ten years ago, I saw an ATM in Florence display A)nnulla, R)iprova, T)ralascia, E)limina? - which is of course the Italian equivalent of MS DOS's notorious yet futile Abort, Retry, Ignore, Fail? option menu upon hardware failure...

Uh...why are they running Windows? (0, Redundant)

Coopjust (872796) | more than 5 years ago | (#27237099)

Windows CE, XP, whatever, an ATM shouldn't be running a consumer OS for a variety of reasons (security holes, stability, error rate). Why not use either a very trimmed down Linux distro or roll your own OS? I mean, there is a bit of investment having to make the drivers and all- but surely it can't be too expensive to do (not with what is at stake).

Still, it's a trojan (has to be put on individual ATMs) - and criminals would have to gain physical access to the computer inside the ATM, which would mean breaking the ATM itself or somehow getting the keys (pretty difficult). So it's not the most widespread issue.

Re:Uh...why are they running Windows? (1)

Gamma746 (1361063) | more than 5 years ago | (#27237173)

Windows programmers are much cheaper than Linux programmers.

(not with what is at stake).

The banks are liable for that, not Diebold.

Re:Uh...why are they running Windows? (1)

shentino (1139071) | more than 5 years ago | (#27237867)

True, but the banks might turn around and sue diebold for damages if the hackability was a breach of diebold's warranty...

AND diebold didn't be a sleaze and put "your exclusive remedy is a full refund and we disclaim all warranties" such and such...

Sounds like the banks are going to get ripped off. Poetic justice perhaps but diebold should still eat the dogfood it served.

Re:Uh...why are they running Windows? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27238423)

Windows programmers are much cheaper than Linux programmers.

You get what you pay for. In the case of security-critical technology I'd have hoped people would pay for something good. How naive of me.

Re:Uh...why are they running Windows? (1)

AndrewNeo (979708) | more than 5 years ago | (#27237595)

CE is not a consumer OS, it's meant to be embedded.. a better question is why are they running 98, instead of CE, when you get full source for CE and the licenses are cheaper, too. Though maybe they get an OEM discount for buying and building x86 machines bundled with Windows? (Or they were just stripping Dells? *shudder*)

Re:Uh...why are they running Windows? (1)

lwriemen (763666) | more than 5 years ago | (#27239443)

IBM told them that OS/2 was dead.

Re:Uh...why are they running Windows? (2, Interesting)

Lumpy (12016) | more than 5 years ago | (#27239959)

One of the best scams in the world was to buy a used ATM and then put custom software on it to harvest info and then plop the whole thing in a mall. Come back in a week and you got a CRAPLOAD of cards and PINs.

Simply program it to act normal but it can't connect to the bank and spit the card back out.

Honestly I am sure this will still work today. Back in the late 90's they caught a group of guys around Detroit doing this.

Maybe an attempt to prove incompetence? (4, Insightful)

brxndxn (461473) | more than 5 years ago | (#27237183)

From the last few US presidential elections where statistics were typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:

1. Diebold fixed the elections (a)
or
2. Diebold is completely incompetent (b)

But then.. People would argue that #2 is invalid because Diebold has atms all over the world that count money.. and they never have problems - so something as simple as voting should be easy.

Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:

3. Diebold is fabricating their own incompetence (c)
or
4. Diebold is really incompetent (d)

(d) = (b)

so..

((a) or (b)) and ((c) or (d))

so..

((a) or (b)) and ((c) or (b))

so..

((a) and (c)) or (b)

which translates to:

Why the fuck do we trust Diebold with anything?

Re:Maybe an attempt to prove incompetence? (1)

AHuxley (892839) | more than 5 years ago | (#27237855)

Diebold makes good cash machines because there is revenue stream, making a product as good as banks request them.
Diebold got into voting because it was testing the water and made a product down a price point.
If states wanted good voting machines they should have thought of that in the contracts.
A bit like toxic paints on toys or plastics in food.
Next time ask for quality and spell out exactly what you want.

Re:Maybe an attempt to prove incompetence? (1)

AnalPerfume (1356177) | more than 5 years ago | (#27239697)

You'd think that counting "one vote for party A" as "one vote for party A" without losing any would be a basic feature of a voting machine, regardless of the quality specified in advance. Maybe Diebold don't inhabit the same universe as the rest of us, maybe they live in "politico-world" along with the rest of the crooks we vote for. I didn't know they did ATMs until I read this article, now I'm wary of my own ATM.

Ain't an ATM well named for recycling money? Ass To Mouth also describes that same process.

Re:Maybe an attempt to prove incompetence? (1)

drinkypoo (153816) | more than 5 years ago | (#27239693)

Why the fuck do we trust Diebold with anything?

Who is this 'we'? If I see a Diebold ATM, I try to find another one. No joke. I've gone into banks and told them I won't use the ATM because I don't trust the company that has been proven to miscount votes to build anything else, either. (They love me. I also tell the bitches at Wells Fargo that I love my Credit Union because the money stays in the community when they ask me to open an account - which they do every month when I go pay my rent with cash, direct into my landlord's account. I'm not sure why that makes them think I have money to put into the bank, but whatever. Maybe next time I'll tell them very loudly that my bank didn't need a bailout.)

Vote with your feet, but make sure people know what you're voting for.

Should have not dropped OS/2 for Windows on the ATMs (1, Redundant)

Joe The Dragon (967727) | more than 5 years ago | (#27237195)

Should have not dropped OS/2 for Windows on the ATMs. Also, were the administrative passwords set to the default like the other ATMs that got hacked?

Is the locked-down version of Windows that Diebold provides too locked down for some banks' use? Locked in to Diebold for getting the Windows updates? Vs being able to do it on your own / use your own WSUS system?

Are Diebold voting machines just as easy or easier to hack?

Should have not dropped OS/2 for Windows on the ATMs (-1, Redundant)

Joe The Dragon (967727) | more than 5 years ago | (#27237201)

Should have not dropped OS/2 for Windows on the ATMs. Also, were the administrative passwords set to the default like the other ATMs that got hacked?

Is the locked-down version of Windows that Diebold provides too locked down for some banks' use? Locked in to Diebold for getting the Windows updates? Vs being able to do it on your own / use your own WSUS system?

Are Diebold voting machines just as easy or easier to hack?

Windows? (4, Insightful)

geekmux (1040042) | more than 5 years ago | (#27237295)

"...its ATM customers using the Windows operating system."

OK, stop. Did I just read what I think I just read? What...the...hell? Windows?

As if we don't have enough problems with the crooks that run the banks...

Re:Windows? (1)

play_in_traffic (946193) | more than 5 years ago | (#27237471)

Really, Windows was good enough for voting machines, shouldn't it work just as well for ATMs? Or maybe Diebold should just stick with the voting machine business!!!!

Finally a use for Trusted Computing? (0)

Anonymous Coward | more than 5 years ago | (#27237315)

Can hardware really be secured against a determined attack? Would a TPM (Trusted Platform Module) withstand all hacking attempts?

Re:Finally a use for Trusted Computing? (1)

MadnessASAP (1052274) | more than 5 years ago | (#27238185)

Well yes and no, it's like safe building. You can get a very, very, very expensive safe that will take the best man in the world 100 hours to break through or you can get a cheaper one that may only take a reasonably skilled person 12 hours to open. But the bigger question about these ATMs is why do they need so much hardware? They should be little more than a microcontroller that encrypts and decrypts data to and from a mainframe. No fancy videos, hard drives, high speed internet links. If they break in then so what? Sure, there's the cash, that's unavoidable, but how is the thing going to steal card numbers and send them out when there's not even enough RAM for them?

"using the Windows operating system" (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27237331)

That line really wasn't needed. The crime requires physical access to the box. A Linux, Mac, whatever box is just as vulnerable in that situation.

Re:"using the Windows operating system" (1)

camperdave (969942) | more than 5 years ago | (#27237549)

If it's running Windows, the criminal may only need communication access to the box. Windows security was designed by the same people who brought you Swiss Cheese.

Re:"using the Windows operating system" (0)

Anonymous Coward | more than 5 years ago | (#27238259)

There are no holes in swiss cheese (gruyere). You're probably thinking about emmental (a french cheese).

Re:"using the Windows operating system" (1)

Haeleth (414428) | more than 5 years ago | (#27238461)

No, he's thinking about the product sold in America under the name "Swiss cheese". This is not to be confused with the foodstuff popular in Europe that is also, confusingly, called cheese.

"Swiss cheese" is a waxy, rubbery, flavourless chemical solid that differs from regular "cheese" only in the fact that it has holes in. There are persistent rumours that it may be edible.

(Oh, and Emmental is a Swiss cheese. It gets made in France too, but then Cheddar, an English cheese, gets made all over the world, so that doesn't prove much.)

Re:"using the Windows operating system" (1)

AHuxley (892839) | more than 5 years ago | (#27237895)

If it was "linux,mac" they would have to steal the whole unit and take it back to the small shared apartment.
After letting the two large dogs and other families children have a sniff and look at the flashing lights, they would have to extract and study the code.
A week later, they would be out looking for a windows ATM, thankful that everybody studied banking at Moscow U and learned windows.

whatever is just as vulnerable .. (1)

rs232 (849320) | more than 5 years ago | (#27239387)

'That line really wasn't needed. The crime requires physical access to the box. A Linux, Mac, whatever box is just as vulnerable in that situation'

You wouldn't use a desktop OS in such a situation. A small embedded obfuscated encrypted OS performing a small set of dedicated functions. Not a modified Windows OS that could be compromised using a few DLL redirects ..

'The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code [sophos.com] to ATM's processes '

NSF (4, Funny)

castorvx (1424163) | more than 5 years ago | (#27237413)

A problem has been detected and windows has shut down to prevent damage to your bank account.

MONEY_LESS_OR_EQUAL

Y2K... (5, Funny)

rthille (8526) | more than 5 years ago | (#27237435)

Somewhat OT, but my wife was one of the early recipients of a credit card which expired after 1999. She used to crash gas pumps whenever she tried to pay at the pump.

Re:Y2K... (1)

troll8901 (1397145) | more than 5 years ago | (#27238175)

Did the gas pumps really hang? Were the staff able to reset them?

Re:Y2K... (1)

BBird (664014) | more than 5 years ago | (#27238667)

Parent is funny? where?

Using the Windows operating system (-1, Redundant)

Phroggy (441) | more than 5 years ago | (#27237871)

...to its ATM customers using the Windows operating system.

Does Diebold have ATM customers that aren't using the Windows operating system? I thought all Diebold ATMs ran Windows; was this incorrect?

If all Diebold ATMs run Windows, then it's redundant to mention it in this way.

Re:Using the Windows operating system (1)

lwriemen (763666) | more than 5 years ago | (#27239565)

I thought all Diebold ATMs ran Windows

There are probably some older supported Diebold ATMs out there running OS/2. Just like IBM is still supporting OS/2 use by some banks.

Why use Windows at all for high-security embedded (0, Redundant)

Anonymous Coward | more than 5 years ago | (#27238211)

Why use Windows at all for high-security embedded applications? Seems to me that using a stripped-down Linux kernel would be a better deal!!

Diebold card skimming detection technology (1)

rs232 (849320) | more than 5 years ago | (#27239263)

'Diebold, .. releases its new Advanced Skimming Detection technology [thomasnet.com] for automated teller machines (ATMs). This fraud-deterrence technology .. is the most effective method to guard against card skimming, the act of retrieving consumers' account information from their ATM card magnetic strips via a fraudulent device illegally attached to an ATM'

It would have been more technologically secure to not use magnetic strips in the first place and design a machine that only worked with authorized hardware. Something Diebold [wired.com] don't seem to be able to manage. It should have been foreseen that the crooks would attempt to hack the machines after all they are crooks ...

Diebold and ATM message protocols .. (2, Interesting)

rs232 (849320) | more than 5 years ago | (#27239341)

'ATM message protocols such as NCR's NDC and Diebold's 911/912 are based on ISO 85/83, a 20-year-old standard that industry observers agree looks pretty creaky in the age of Internet standards like XML'

'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'

'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows [gokis.net] , IFX is going to be a far smoother and more intuitive move."'

dangers of running native x86 code .. (1)

rs232 (849320) | more than 5 years ago | (#27239429)

I wonder would Chrome have prevented such a hack [sophos.com] ?

'Google Chrome is implementing support to run native x86 code [ezinearticles.com] from within the browser'

UK ATMs (1)

Canazza (1428553) | more than 5 years ago | (#27239513)

I know a fair few banks in the UK use Windows in their ATMs. The Halifax/Bank of Scotland for one, I've seen their ATMs with Windows ok/cancel error boxes rendering them totally useless, I've also seen a Lloyds TSB machine stuck on the Windows XP boot screen.
I don't know who makes their ATMs (I'm guessing NCR as they have/had a big factory in Dundee) but Windows on ATMs isn't rare.

I quit using Diebold ATMs years ago. (0)

Anonymous Coward | more than 5 years ago | (#27240391)

I quit when I withdrew 20$ from one and my receipt said I voted for Bush.
