Slashdot: News for Nerds

Cybercriminals Refine ATM Data-Sniffing Software

CmdrTaco posted more than 5 years ago | from the win-atm-lose dept.

Security 257

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."

257 comments

DES (3, Funny)

bluefoxlucid (723572) | more than 5 years ago | (#28209889)

DES doesn't really mean "Designed Extremely Secure" ....

Re:DES (1)

hey (83763) | more than 5 years ago | (#28210023)

You'd think the "cybercriminals" would be more security-aware and use a better encryption algo.

Re:DES (1)

mcgrew (92797) | more than 5 years ago | (#28210773)

You don't need a rootkit, as I found out several years ago.

A woman I was seeing (for twenty dollars a pop) watched as I put the PIN number in. She then stole my checkbook, my debit card, and spare car keys. I think it's chronicled in one of my journals somewhere (there's a brief account in my latest, which I just posted a couple of hours ago, but there's a detailed one in an older one).

Anyway, she wrote some bogus checks and withdrew money from the ATM. The bank made good on the checks, but not the debit card. If they have your PIN number, they're automatically authorized to use the card, even after it's reported stolen! It was a disaster; it caused several checks to bounce and ultimately cost me several thousand dollars, even though she only stole $700 before the card wouldn't work (no more money in the account).

I no longer use a debit card. Fool me once, shame on you. Fool me twice, shame on me.

ATM != desktop computer (4, Insightful)

Smelly Jeffrey (583520) | more than 5 years ago | (#28209901)

An ATM is not a desktop computer. WTF is an ATM doing running Windows?

Re:ATM != desktop computer (0)

Anonymous Coward | more than 5 years ago | (#28209915)

An ATM is not a desktop computer. WTF is an ATM doing running Windows?

Most ATMs run Windows; not right, but that's the reality.

Re:ATM != desktop computer (1, Funny)

Anonymous Coward | more than 5 years ago | (#28210143)

Here in Canada, the only ATMs I've crashed personally were both running linux (either that, or a version of Windows that displays a fake linux boot sequence to save face.)

Re:ATM != desktop computer (0)

Gizzmonic (412910) | more than 5 years ago | (#28209933)

I think most ATMs used to run OS/2 up until about 10 years ago. I'm waiting for the ATM that runs Mac OS X!

Re:ATM != desktop computer (4, Funny)

Ethanol-fueled (1125189) | more than 5 years ago | (#28209979)

I'm waiting for the ATM that runs Mac OS X!

They already have those in San Francisco. They're called "gAyTMs"

Re:ATM != desktop computer (4, Funny)

Spazztastic (814296) | more than 5 years ago | (#28210055)

I'm waiting for the ATM that runs Mac OS X!

They already have those in San Francisco. They're called "gAyTMs"

A2Ms?

Mac OSX on the ATM (1, Funny)

rliden (1473185) | more than 5 years ago | (#28209991)

"Hi!, I'm an ATM."

Re:Mac OSX on the ATM (1)

truthsearch (249536) | more than 5 years ago | (#28210227)

"And I'm a PC."

Re:ATM != desktop computer (1, Funny)

Eggz Factor (455382) | more than 5 years ago | (#28210027)

As much as I like the Mac OS, I don't think I want a "lickable" ATM. :-P

Re:ATM != desktop computer (3, Funny)

Anonymous Coward | more than 5 years ago | (#28210789)

You have to multitouch move an on-screen representation of your money to the trashcan in order to get the ATM to eject it into your hand.

Re:ATM != desktop computer (3, Funny)

PrescriptionWarning (932687) | more than 5 years ago | (#28209955)

But how else is Microsoft supposed to get Office 2009 - ATM edition to market? And just think, Clippy could be a money clip instead of a paper clip! The bottom line is it's win-win in this rough riding tsunami wave of data mining nugget pack of wolves devouring economy for today's business-ready customer driven shim-sham!

Re:ATM != desktop computer (2, Insightful)

abigsmurf (919188) | more than 5 years ago | (#28209995)

Why run Windows? Linux? DOS? etc.

ATMs need an OS of some sort. More advanced OS' make it easier to have the software display videos and animations, have more complex functionality and better compatibility with modern software. So long as the firewalls are properly configured to sandbox the unit, vulnerabilities are irrelevant.

Re:ATM != desktop computer (3, Insightful)

EXrider (756168) | more than 5 years ago | (#28210751)

More advanced OS' make it easier to have the software display videos and animations.

As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

Re:ATM != desktop computer (1)

sigmoid_balance (777560) | more than 5 years ago | (#28210039)

It's funny when you see it boot up if it previously had a failure or lost power. I never saw Win XP ATMs, but I saw lots of WinNT/Win2k ATMs. And yeah, I'm living in Eastern Europe.

Re:ATM != desktop computer (1)

Reece400 (584378) | more than 5 years ago | (#28210637)

I've seen a Windows 98 one here in Canada.

Re:ATM != desktop computer (5, Insightful)

NES HQ (1558029) | more than 5 years ago | (#28210147)

Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copy of XP is more than sufficient for the minimal work that an ATM has to do.

Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.

Re:ATM != desktop computer (3, Insightful)

internerdj (1319281) | more than 5 years ago | (#28210331)

Presuming that the network designer had some sense then this type of hack happens at the physical location because a network update would set off far too many alarms: meaning it really doesn't matter what OS is running because the hackers are gaining physical access to the hardware. If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

Re:ATM != desktop computer (2, Insightful)

WillKemp (1338605) | more than 5 years ago | (#28210703)

If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

Yeah, of course they would. Bank managements are well known for being sensible and never doing stuff that loses money.

Closed Network (2, Interesting)

relguj9 (1313593) | more than 5 years ago | (#28210355)

Plus firewall, 'nuf said. The problem is when people break into the back of a machine and physically install malware on it... if you have people breaking in or social engineering their way into the back of a physically locked machine then you are going to have problems. I don't care if it's running some logic flow on an EEPROM, it's still going to be hacked.

Re:ATM != desktop computer (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28210713)

RE: "a decently hardened copy of XP is more than sufficient for the minimal work"..

That's the problem...it's more than sufficient. When designing something to be secure, you want the system to be sufficient, nothing more. ATMs shouldn't even run Windows, Linux, DOS, or any other general purpose OS. They should run the minimal set of programs required to perform banking transactions. There are levels of "security". While a hardened general purpose platform is better than an unhardened one, it is not a good design when security is paramount.

Re:ATM != desktop computer (1)

AlecC (512609) | more than 5 years ago | (#28210975)

Since the stolen information is being printed off on the bank's receipt printer, they presumably have an insider in the bank who installs the malware and collects the output, but would be very hard to trace back to the fraudulent use.

Re:ATM != desktop computer (2, Interesting)

91degrees (207121) | more than 5 years ago | (#28210157)

Ultimately it comes down to "why not?" ATMs need an OS. The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development. Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer. It's easier to develop for Windows than to develop for a custom devkit.

Re:ATM != desktop computer (0)

Anonymous Coward | more than 5 years ago | (#28210275)

If they want to save costs, why don't they assemble the ATM out of thin plastic held with standard screws?

Re:ATM != desktop computer (0)

Anonymous Coward | more than 5 years ago | (#28210495)

Because that would clobber security. What does that have to do with the post you were responding to? I don't think it mentioned costs.

Re:ATM != desktop computer (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 5 years ago | (#28210327)

Ultimately it comes down to "why not?"

It costs a licensing fee. It has more security liability than pretty much any other choice.

The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development.

Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost.

Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer.

Because there aren't lots of dev tools for Linux that run on a normal desktop computer?

It's easier to develop for Windows than to develop for a custom devkit.

How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it.

In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

Re:ATM != desktop computer (1)

lxs (131946) | more than 5 years ago | (#28210527)

How is it easier to develop an ATM on Windows than on Linux?

Windows devs are a dime a dozen and therefore cheap to hire.

Re:ATM != desktop computer (1)

memojuez (910304) | more than 5 years ago | (#28210723)

How is it easier to develop an ATM on Windows than on Linux?

Windows devs are a dime a dozen and therefore cheap to hire.

Ergo, they got what they paid for, sloppy programming full of holes

Re:ATM != desktop computer (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 5 years ago | (#28210725)

Windows devs are a dime a dozen and therefore cheap to hire.

Are you talking about Windows developers with experience creating user interfaces and coding for appliance style devices that don't use the normal inputs and only have fullscreen displays?

There are a lot more Linux people qualified to create such devices than Windows people from my experience in the industry. If, however, you're talking about developers with no experience and without the proper skills, sure you can find more Windows developers, but that sure isn't going to save you money.

Re:ATM != desktop computer (1)

WillKemp (1338605) | more than 5 years ago | (#28210733)

Crap Windows devs are a dime a dozen and therefore cheap to hire.

There, fixed that for you.

Re:ATM != desktop computer (4, Insightful)

iamhigh (1252742) | more than 5 years ago | (#28210571)

I'll second your argument, and I could be considered an MS fanboy by this crowd's standard. But there is no reason to have an ATM running windows, the most used, most exploited OS on something like an ATM. I wouldn't even use Linux, but probably recommend a custom OS, as you can control the hardware used. Then the attackers have to hack some pretty much unknown system, that can easily be built from the ground up to use software and hardware security measures.

Re:ATM != desktop computer (2, Insightful)

91degrees (207121) | more than 5 years ago | (#28210857)

It costs a licensing fee. It has more security liability than pretty much any other choice.

As far as I know though, most of this is via the browser and email applications and IIS. XP can be pretty secure if you disable all unneeded services.

In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

I'd have thought Linux would be cheaper, but for all we know, they did a thorough analysis, discovered there were suitable savings to be made through use of Windows. Speculating that it's cheaper with so little information is pointless.

There's no indication of how the malware is installed. I suspect this requires physical access, in which case the OS chosen makes no difference at all.

Re:ATM != desktop computer (1)

butabozuhi (1036396) | more than 5 years ago | (#28210967)

Bank management may be comprised of buffoons, but they aren't the only reason ATMs are Windows based. Although I'm no longer in the banking industry, when I left a few years ago the trend with the big ATM manufacturers was Windows. The vendors said they were locked down. The vendors said they gave greater functionality (i.e. marketing) than the old machines (notice they have ads showing on them nowadays?). Why change something if it ain't broke? Somehow, someway, the vendors were sold on Windows and pushed it down to the banks. Banks, who need to use established vendors and have support contracts, had really little choice than to 'move forward.' The day Diebold announced their 'next generation windows ATMs' I bet the criminal world let out a cheer!

Re:ATM != desktop computer (1)

Lonewolf666 (259450) | more than 5 years ago | (#28211021)

Even Unix won't save you if the attacker gets physical access to the machine. I learned how to "crack" SCO Unix 10 years ago in an administration course by booting from floppy and resetting the password file.
If you can prevent that, it should be possible to secure Windows with a firewall that blocks all ports except the one your ATM application uses.
This said, Linux may actually be easier/cheaper to secure. But I don't consider a Windows based ATM an automatic security risk if the developer does his homework.

Re:ATM != desktop computer (0)

Anonymous Coward | more than 5 years ago | (#28210179)

Cheaper to develop. Use off the shelf Windows and some rapid application tools and you have yourself a pretty ATM in no time. The downside is that your ATM is compatible with the largest library of hacking tools and probably won't be patched nearly as often as a desktop PC.

Re:ATM != desktop computer (1)

jeremywc (865836) | more than 5 years ago | (#28210395)

An ATM is not a desktop computer.

That's not completely true. For at least the last 10 years, most ATMs have been x86 boxes running OS/2 or Windows 2K/XP.

Re:ATM != desktop computer (4, Funny)

CopaceticOpus (965603) | more than 5 years ago | (#28210477)

This is a perfect chance to call your bank:

YOU: "I've been reading online about ATMs which are based on Windows XP being attacked by cybercriminals, and I'm worried. Are your ATMs running on Windows?"

THEM: "I'm not sure about the particular technology used in our ATMs, but we've had no security issues thus far."

YOU: "THEN YOU'D BETTER GO CATCH THEM!" Tee hee-hee! (click!) Snicker, snicker, snort, snicker...

Re:ATM != desktop computer (1)

ILongForDarkness (1134931) | more than 5 years ago | (#28210655)

Hehe. We have a large Sun/Storage Tek tape library at my work. The SL300000 http://www.sun.com/storagetek/tape_storage/tape_libraries/sl3000/ [sun.com] . It runs Win2k. The question is what is a new $120k device (~70k but then that is before you get the drives for the library :-)) from an old school UNIX vendor doing running an out of support version of Windows :-) . We also have microscopes that are controlled by windows but the GUI is in Linux (they come with both computers in one case). It all comes down to what the developers were comfortable with at the time, and whether device drivers are available I guess.

Re:ATM != desktop computer (1)

Thaelon (250687) | more than 5 years ago | (#28210683)

Probably acting as a general purpose OS to allow ATM manufacturers to do less work since they only have to write software for a common OS.

Re:ATM != desktop computer (0)

Anonymous Coward | more than 5 years ago | (#28210695)

It's cost effective, far easier to test, and besides, they aren't using regular copies of XP to do this. Believe it or not these companies actually have the source to the version of XP they use. I know it makes for a great slashdot post, but learn about something before posting popular banter.

Re:ATM != desktop computer (1)

pilgrim23 (716938) | more than 5 years ago | (#28210833)

Entry to the system is the big stumbling block; "open box, insert USB or other media close box". Every vending machine I have ever encountered has some code that puts it into a "service mode". I would not be at all surprised that if you say: Punch "Use English" twice then savings account then some other button then slide in a "special" card and do the service voodoo. Now given such a "service personnel only" HOLE and I am SURE it's there, it would be trivial to program a basic overflow on a ATM card to make the whole system available via keyboard. Then use ascii to punch in a .com on the keyboard and you are good to go.

Re:ATM != desktop computer (3, Interesting)

twistah (194990) | more than 5 years ago | (#28210903)

They run XP embedded, which allows you to customize which components are used much more so than regular XP. That is not to say I don't see your point -- we've broken into plenty of Diebold XP ATMs during authorized penetration tests using regular Windows exploits. After that, it's game over with the software this product mentions. Then again, regular OS's have been running on ATMs for a long time, and many still run OS/2.

Credit card companies need to wise up (3, Insightful)

gurps_npc (621217) | more than 5 years ago | (#28209905)

They have to understand that 'eating the loss', while it may make sense from a short term financial perspective, does not make sense for a longer term perspective. There are superior methods out there to verify credit card information, we don't need to use the same method that was used 50 years ago.

Re:Credit card companies need to wise up (1)

MoonBuggy (611105) | more than 5 years ago | (#28210067)

Not directly related, but I still find it absolutely stunning that by giving a cheque to someone you are giving them enough information to empty your account [stanford.edu] . If that's their attitude to security, I get the impression it's going to be an uphill struggle for improvement.

Re:Credit card companies need to wise up (1)

maxume (22995) | more than 5 years ago | (#28210489)

Nearly the entire Western world is mostly built on trust. Blindly assuming people are honest leads to more trust than constant paranoia.

I guess with the speed of electronic transactions it is a little crazy, but most people have never had an issue with it, so things don't change.

Re:Credit card companies need to wise up (1)

truthsearch (249536) | more than 5 years ago | (#28210619)

They have to understand that 'eating the loss', while it may make sense from a short term financial perspective, does not make sense for a longer term perspective.

Actually, it does. There will always be fraud. And companies have a threshold which they consider acceptable (IIRC MasterCard's was generally 2% back when I worked for them). The cost of rolling out advanced security tech is huge, and compared to a small reduction in fraud it's simply not worth it to these companies.

Most fraud is not done through cloned plastic. So even completely eliminating this risk may not be cost effective.

(As a customer I want all fraud gone. I'm just explaining the corporate perspective.)

Windows XP? (5, Funny)

Anonymous Coward | more than 5 years ago | (#28209921)

..."on ATMs running Microsoft's Windows XP operating system..."

Let me be the first to say "ur doin it wrong."

Re:Windows XP? (1)

abigsmurf (919188) | more than 5 years ago | (#28210057)

Yeah, clearly they should keep using Operating systems that no one has used on desktops since the late 80's.

I'm sure that would make general maintenance and updating the software easier.

At least it's not Vista . . . (4, Funny)

PolygamousRanchKid (1290638) | more than 5 years ago | (#28210097)

"Are you sure you want to withdraw this money?"

"Will you spend it wisely?"

"You don't seem to have much left, have you planned for an emergency?"

. . . etc. . . .

Re:At least it's not Vista . . . (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28210317)

Do you realize that would actually be a fantastic improvement?

Re:At least it's not Vista . . . (1)

Reece400 (584378) | more than 5 years ago | (#28210677)

Agreed, I've often accidentally overdrawn my account without notice, and even if I deposit it right back, I still get overdraft charges...

Re:Windows XP? (1)

WillKemp (1338605) | more than 5 years ago | (#28210815)

Of course they're doing it wrong - they're a bank, that's what they do.

Stupid stupid users (3, Funny)

Anonymous Coward | more than 5 years ago | (#28209939)

When your ATM asks if you want to install an ActiveX control, you always say "no."

How many years do I have to keep telling them that?

but how? (0)

Anonymous Coward | more than 5 years ago | (#28210009)

But how does one install the malware on the ATM without insider help?

ATMs are housed in tamper-proof cases, the user interface is very limited (it's not like you can plug in a USB key or sth.) and they are under constant camera supervision.

Re:but how? (0)

Anonymous Coward | more than 5 years ago | (#28210273)

Via a network connection, using one of Windows XP's 7,243 known exploits. You can't possibly expect ATMs to run automatic updates and then just up and reboot every time an update is installed...

Re:but how? (1)

BrokenHalo (565198) | more than 5 years ago | (#28211035)

In any case, the more common exploit is to add an often cunningly-designed and plausible device outside the slot to skim data on the magstripe, in combination with a camera to record PINs.

This has the advantage (to the thief) of being OS-agnostic, and requires no access to the back of the cabinet.

We've recently had a rash of them around where I live, which is why I now mask my PIN by holding my large clutch-wallet over my hand to hide keystrokes from camera access. So far, so good; we work with (or against) the technology that we have.

Re:but how? (3, Insightful)

jafiwam (310805) | more than 5 years ago | (#28210567)

Read the summary again and it's obvious.

Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

There doesn't need to be an exploit beyond "Eastern European Country" involved.

Re:but how? (2, Interesting)

delire (809063) | more than 5 years ago | (#28210845)

Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

Certainly there is plenty of corruption in the Eastern European countries, however it's not like other countries are spared the same problems; American TV producers can't seem to get enough of the Good Cop / Bad Cop diametric, as though heaven and hell had a street address. Why is it popular? Because it's a hot topic: people know corruption in the police sector is rampant in America.

What of banks? You can almost be sure that banks in the West, now famous for their abusive secrecy and gambling, would not dare let their customers know the same thing was happening at an ATM near you.. Having lived in both 'sides' of Europe, I wish you luck with those Reagan-era East/West generalisations.

How come? (4, Interesting)

Anonymous Coward | more than 5 years ago | (#28210077)

I RTFA (yes, yes... I know) but I couldn't find the answer to the most obvious question... how does the rootkit get installed?
If no physical access to the real PC inside the ATM is needed.. that's really cool!
But if you need to plug a USB drive in, this actually reduces the field of the potential thieves by several orders of magnitude...

M

Ohhh (0)

Anonymous Coward | more than 5 years ago | (#28210085)

So when the ATM asks me if I'm sure I want to withdraw £200 it's just UAC.

Windows? (5, Funny)

grahamsaa (1287732) | more than 5 years ago | (#28210137)

Why a bank's IT / security team would feel it appropriate to operate ATMs that run Windows is completely beyond me. I mean, if bankers were really that stupid the world economy would probably have crumbled by now. Oh, wait. . .

Free gas courtesy of Microsoft! (5, Funny)

Anonymous Coward | more than 5 years ago | (#28210161)

Once I found a gas station near my work where the pumps were running a version of Windows back around 1999-2000. If you swiped your card and pulled the nozzle at the same time the little LCD screen showed a BSOD and you got free gas. I filled up there for 1 week until they closed the station and changed the pumps. Never got charged a cent!

We've had this already... (1)

omuls are tasty (1321759) | more than 5 years ago | (#28210167)

There were already news of something similar in March [slashdot.org] .

Judging by the currencies the malware operates with, it seems the "Eastern European countries" are Ukraine and Russia. Does anyone know if it's Diebold again?

And putting aside the incredibly logical choice of the OS, any idea on how this gets installed on the ATMs in the first place?

Re:We've had this already... (0)

Anonymous Coward | more than 5 years ago | (#28210771)

At the bank I work for, the ATM runs Windows. Its connection is through a Frame Relay circuit that activates only as needed for outgoing data. About the only other way to load data to the ATM is by getting into the service console and inserting the disc. Kinda wonder if sabotage isn't going on?

How is the Malware getting on the ATM? (0)

Anonymous Coward | more than 5 years ago | (#28210181)

Isn't that the bigger issue? Regardless of what OS is being run by the machine, the hackers have some back door that is allowing them to install software. Even if it was Mac, Linux or something embedded, if the hackers can install software they can do whatever they want.

Simple but effective compliance law/rule (4, Insightful)

erroneus (253617) | more than 5 years ago | (#28210183)

To run any "public financial transaction device" certain compliances are required and many of these are related to physical security, data security and communications security standards. Clearly, the presence of malware on ATM core software indicates that the ATM security standards are either not being met or are terribly inadequate.

It occurs to me that one rule that might go a long way to making machines like ATMs (or even voting machines) more secure against corruption is a requirement that the system software should be stored in a read-only format such as CD/DVD or ROM chips. CD/DVD ROMs would probably be the most flexible method and various self-check measures could help ensure that the CD/DVD ROM was genuine. (Say, for example, a validation black-box device of some sort.)

With enough engineering and hacking, even this method could be thwarted I am sure but it would certainly raise the bar significantly beyond "crack the machine open, connect the system drive to a USB adapter, insert additional code, close up" which is the method of entry I suspect is most used. If there was limited to no local storage and ROM-based operating systems and software combined with solid verification technologies, it would take some serious knowledge to compromise such machines.

This sort of method would make running Windows XP as the operating system considerably more difficult, but if they are hard-set on running Windows, I am sure they would find a way to comply if it were required.

Re:Simple but effective compliance law/rule (0)

Anonymous Coward | more than 5 years ago | (#28210251)

Isn't that exactly what Trusted Computing was supposed to do some time ago?

Re:Simple but effective compliance law/rule (1)

erroneus (253617) | more than 5 years ago | (#28210669)

Going ROM based is not "Trusted Computing" but yes, Trusted Computing is about running signed or otherwise verified code. The problems with trusted computing are many and as long as an OS is updatable by software means, there is also going to be a vector for compromise. Signed ROMs are another matter... the OS code isn't modifiable and more reliably verifiable. Software updates performed by a physical act means there is a chain of accountability to follow as well.

Re:Simple but effective compliance law/rule (1)

Maximum Prophet (716608) | more than 5 years ago | (#28210529)

But then the banks couldn't upgrade all their machines remotely. They have to send a tech to each and every ATM in order to add new features like the "Send All Your Money to a Criminal" button.

Re:Simple but effective compliance law/rule (1)

erroneus (253617) | more than 5 years ago | (#28210745)

This is a good thing. It adds the opportunity for a verified in-person inspection of the machine at the same time any software/firmware update is performed. And the chain of responsibility and accountability can be more easily verified. When the variables of security are in flux, being able to trace back the path at some point is the most important thing. This is why it is so important that digital election machines provide a complete audit trail that cannot easily be forged or manipulated.

Re:Simple but effective compliance law/rule (1)

aitikin (909209) | more than 5 years ago | (#28210707)

But correct me if I'm wrong, the fact that it's a CD/DVD allows one to use any hack that's discovered after the software has been installed that doesn't require a reboot? Sure that limits a lot of things, but still, that's not exactly effective. Of course, if they don't update anyway, wtf does it matter?

Re:Simple but effective compliance law/rule (2, Insightful)

sysgeek01 (866290) | more than 5 years ago | (#28210759)

The problem with making the ATM storage read only is that you have to configure the device. There are a lot of configuration settings that have to be changed out of the box, with some of them specific to the ATM itself and to the processing company that it's using to process transactions through.

The ATM also keeps an electronic journal of all of the ATM's activity. It's kind of like a flight data recorder (black box). You have to have writable storage for that.

I go along the lines that ATM security standards are BOTH not being met and terribly inadequate.

One of the bigger rackets going on last year, with ATMs, was in San Francisco. An ATM provider was placing cheap ATMs with a money catch tray on street corners. Bums would come along and stuff paper wads up into the catch tray so that the money wouldn't drop down when a person ran a transaction. Periodically throughout the day the bums would go and collect the money that never dispensed.

Re:Simple but effective compliance law/rule (1)

bzzfzz (1542813) | more than 5 years ago | (#28210805)

That will work great, because you can't just go out and buy blank recordable CD/DVDs or EPROMs. Oh, wait...

Magnetic strip? (0, Troll)

TheRaven64 (641858) | more than 5 years ago | (#28210197)

What is this 1980? What countries are still using magnetic strips for credit and debit cards?

Re:Magnetic strip? (2, Informative)

Spectre (1685) | more than 5 years ago | (#28210363)

What is this 1980? What countries are still using magnetic strips for credit and debit cards?

Well, the USA for one. 1 debit card and 2 credit cards in my wallet right now. Every one is chip-less, the electronically readable information is in the mag stripe on the back, old-fashioned raised numbers and letters for the imprinting machines are on the front.

Granted, they're all issued from the bank, but it is one of the largest in the USA, not some mom-and-pop outfit.

Re:Magnetic strip? (1)

Spectre (1685) | more than 5 years ago | (#28210415)

I meant to say "from the same bank."

Re:Magnetic strip? (1)

u38cg (607297) | more than 5 years ago | (#28210435)

Most of them? Is there anywhere that doesn't continue to issue mag stripes as a precaution against chip failures (~1% per annum)?

Re:Magnetic strip? (1)

langelgjm (860756) | more than 5 years ago | (#28210749)

I actually looked into getting a credit card with a chip in the U.S., and couldn't find a single provider that offered one. I think American Express offered one a while ago, but discontinued it when I was looking.

The reason I wanted one was because one time, I was in a French rail station trying to buy a ticket from an automated machine. The machine was broken, and refused to take bills; I didn't have enough change; and all the teller windows were closed. I was going to use my credit card, but the machine seemed to only take cards with chips, and my American card only had a magstripe. Eventually after pounding at the teller windows for a while, I got someone to sell me a ticket.

Re:Magnetic strip? (1)

117 (1013655) | more than 5 years ago | (#28210507)

Here in the UK the EMV [wikipedia.org] standard was only rolled out nationwide in 2004, and until that time all physical credit/debit card transactions used the magnetic strip, so it isn't too hard to believe that other countries are still using the magnetic strip.

Re:Magnetic strip? (2, Informative)

MoonBuggy (611105) | more than 5 years ago | (#28210539)

It's the problem of legacy support. Cards still have magstripes because on occasion you'll come across a situation where there isn't a chip reader, and ATMs (presumably) still have magstripe readers for the occasions that the card doesn't have a chip. If you've got access to the OS, as the criminals mentioned in the article do, you can presumably activate whatever reader you like.

There's also the fact that this is Eastern Europe - without wanting to perpetuate negative stereotypes, I think it is quite fair to comment that they are not the most developed economies, and as such large scale investment in upgraded technology may well be low down on the list of priorities.

I'm not sure why the US often seems to share in this kind of technological resistance. A combination of large size and historical mistrust for coordination from a central authority might make it difficult to get cooperation on new projects from everyone simultaneously, I guess, which greatly exacerbates the legacy tech issue.

Re:Magnetic strip? (1)

gstoddart (321705) | more than 5 years ago | (#28210541)

What is this 1980? What countries are still using magnetic strips for credit and debit cards?

Well, Canada and the US for example.

Cheers

ATM is bad enough (0)

Anonymous Coward | more than 5 years ago | (#28210301)

WITHOUT any data-sniffing involved...

Not much of details (1)

140Mandak262Jamuna (970587) | more than 5 years ago | (#28210367)

Despite all the scare flags the linked article is triggering, basically it does not say how the ATM is compromised. Can any ATM be compromised by the hacker without any inside help? Or does it require some help from the maintenance people who open the machine and provide access to the innards? Unless the method works on the ATM without any inside help it might not be as scary as it sounds.

Re:Not much of details (1)

Canazza (1428553) | more than 5 years ago | (#28210427)

Maybe they're causing a stack overflow with code on a card's strip/chip...

ATMs in the UK (3, Interesting)

Canazza (1428553) | more than 5 years ago | (#28210385)

There are many ATMs in the UK that use Windows XP as their OS of choice. Having personally seen crash screens and machines caught in a restart loop.

Why they are using Windows, I don't know to be honest. Why they'd be using a Linux distro, I don't know. The banks probably don't know either, as far as I'm aware they get their ATMs from companies like NCR or IBM (or Diebold, as we've seen before) who are the companies who supply the software. It just so happens that the software they write is written for the Windows operating system. Remember, the cost of hiring someone who can programme for Windows is significantly less than for someone who can programme for Linux (as they will likely also be able to programme for Windows, thus, with a larger skill-set they'll demand more money). And a bulk licence for Windows where they're churning out 1,000+ ATMs boils down to next to nothing.

The cheapest programmer, the cheapest hardware, a slightly costly OS. Something has to be a weak link, and the exploiters exploit it.

ATMs... (1)

EddyPearson (901263) | more than 5 years ago | (#28210413)

...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

I had no idea there were ATMs out there running Windows. Given access to the software/a machine running it, I can't see how this would have been difficult to pull off. This is a serious WTF? moment.

Re:ATMs... (1)

dingen (958134) | more than 5 years ago | (#28210601)

...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

W-what? Hell no! Software which requires outstanding security and stability is the field where open source truly shines. More eyeballs, less bugs, you know. No security through obscurity, but actual secure designs instead.

You can never trust any software that isn't open. You never really know what it does. So in fields such as these (ATMs, but also voting machines for example), it is especially important that open software is deployed.

Re:ATMs... (0)

Anonymous Coward | more than 5 years ago | (#28210889)

Secrecy and security are not synonymous. Software that is subject to public scrutiny will tend to be more secure.

Re:ATMs... (0)

Anonymous Coward | more than 5 years ago | (#28210939)

...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

Security through obscurity is NOT a valid security policy. It would only remain private for as long as it takes a thief to lift an ATM into a truck and drive away.

I call BS, mostly (1)

sysgeek01 (866290) | more than 5 years ago | (#28210481)

I think that this story is half bogus. PIN numbers aren't stored on a debit card. They are stored on a server located at a transaction network, that a bank uses to process their card base. When a PIN number is typed into an ATM machine it is automatically encrypted by a 3DES encryptor on the PIN pad. It's NEVER in clear text. The ATM machines and ATM transaction processing companies use a private/public key encryption system. At least in the USA, the only part of a transaction that is encrypted down the wire is the PIN number between the ATM machine and transaction network. If the data is sent over the internet, the transaction is encrypted via an IPSEC tunnel or SSL. I have not seen an ATM machine that runs on Windows XP. Most of the newer ATM machines run on Windows CE. It would be trivial to sniff the network and grab card numbers if you had access to the network that the transaction was running across, but the PIN number would be much tougher to get. It would be a little more complicated to get the card information based upon a device or software installed on the ATM to grab the card number as it's being swiped in the card reader. IF you could do that, then you could also get the track2 data that is loaded on to the card. That information consists of the card holder's name and address. Basically, I'm claiming BS on the article, as I see it as hype.

Re:I call BS, mostly (0)

Anonymous Coward | more than 5 years ago | (#28210697)

Ever heard of keyloggers, mate?

Re:I call BS, mostly (1)

fullgandoo (1188759) | more than 5 years ago | (#28210993)

Keyloggers don't work on ATMs. The ATM's keypad is a "secure keypad". There is a DES chip built into the keypad. When the ATM software calls for PIN entry, the PIN is encrypted in DES and then given to the software.

However, if you compromise the ATM application software, then obviously anything is possible.

As per the article, this wasn't the case and any PIN information captured by the malware would have been encrypted (at least DES or even 3DES).

Re:I call BS, mostly (2, Informative)

Peter Simpson (112887) | more than 5 years ago | (#28210729)

From TFR:
"Additionally, the malware harvests what is believed to be key or PIN data, saving the information in a file C:\WINDOWS\kl."

So, they waffle on whether the PIN is captured. The filename "kl", does imply "KeyLogger", though.

Perhaps Eastern European ATMs are built differently than those in North America...maybe "saving a bit of money" by doing the encryption of the PIN in the PC, instead of using an encrypting secure keypad.

Or, since the same keypad is used for PIN entry and regular input, perhaps the control signal that tells the keypad whether to encrypt or pass keypresses through has been tampered with...so the entered PIN comes through as normal keypresses, and is encrypted by the malware and passed on after logging to the file?

Or, maybe it's just a guess on the part of the author.

Re:I call BS, mostly (1)

sysgeek01 (866290) | more than 5 years ago | (#28210917)

If you tamper with the software or the hardware of the pinpad, it goes belly up and has to be replaced. At which time you also have to load new encryption keys into the ATM.

The top 10 ways computer security list (2, Funny)

lwriemen (763666) | more than 5 years ago | (#28210595)

10. Don't always run as root
9. Don't open attachments from unknown sources
8. Don't run Windows!
7. Don't run Windows!
6. Don't run Windows!
5. Don't run Windows!
4. Don't run Windows!
3. Don't run Windows!
2. Don't run Windows!
1. Don't run Windows!

Re:The top 10 ways computer security list (5, Insightful)

Canazza (1428553) | more than 5 years ago | (#28210937)

Using Windows on the Internet is like having unprotected sex with a member of the opposite sex you met in a club. Looks good enough for you, does what you need it to, but the risk of infection is high.
Using Linux on the internet is like having unprotected sex with a cow. It's harder to catch a compatible infection, but it's ugly and unlikely to play any of the games you'd like it to.
