
Hacker Develops ATM Rootkit

CmdrTaco posted more than 4 years ago | from the well-that-doesn't-make-me-feel-better dept.

Security 181

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."


181 comments


Change your password every day (3, Funny)

For a Free Internet (1594621) | more than 4 years ago | (#32110136)

This will stop the Hackors from using your money. Personally I have no problem, because I gave all my money to Obama so he could give it to my bank so it could not be bankrupt so we could all RECOVER and HOPE for CHANGE with WAR WAR WAR WAR!!!!!!!!

My friend is a Linux hacker... (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32110362)

...and he told me the universal pin code that opens anyone's account and lets you take money out. We haven't used it yet though.

Re:My friend is a Linux hacker... (4, Funny)

Yvan256 (722131) | more than 4 years ago | (#32110722)

So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:My friend is a Linux hacker... (0)

Anonymous Coward | more than 4 years ago | (#32110792)

HEY ! I'm not an idiot, I just have some memory troubles !

Re:My friend is a Linux hacker... (0)

Anonymous Coward | more than 4 years ago | (#32111068)

1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

OK, That's It! (5, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#32110138)

I'm stuffing all my cash under my mattress from now on. If you can't trust a Diebold ATM, what can you trust?

Re:OK, That's It! (5, Funny)

MiniMike (234881) | more than 4 years ago | (#32110544)

If you can't trust a Diebold ATM, what can you trust?

Weren't they voted as the #1 ATM?

Re:OK, That's It! (5, Funny)

Rogerborg (306625) | more than 4 years ago | (#32110648)

If you can't trust a Diebold ATM, what can you trust?

Weren't they voted as the #1 ATM?

By 107% of the respondents.

Re:OK, That's It! (0)

Anonymous Coward | more than 4 years ago | (#32111610)

Yes they were, but the votes were taken on Diebold voting machines.

Lawsuit? (3, Interesting)

_PimpDaddy7_ (415866) | more than 4 years ago | (#32110152)

Can the banks file a lawsuit at him?

I can't stand companies not taking security seriously.

Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

Re:Lawsuit? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32110214)

Is this true?

Contrary to Europe, I've seen a lot of in-store ATMs in the US, which obviously didn't have leased lines. So any malicious store manager could see the transactions? MITM anyone?

Re:Lawsuit? (1)

vegiVamp (518171) | more than 4 years ago | (#32111806)

No encryption does not necessarily mean no authentication.

Re:Lawsuit? (4, Insightful)

Capt James McCarthy (860294) | more than 4 years ago | (#32110232)

Can the banks file a lawsuit at him?

I can't stand companies not taking security seriously.

Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else?

Everyone should know that a lock can be picked. It's just a matter of return for a thief. Making the lock so time-consuming to pick that it's not worth it. So the ATM manufacturers have to create security that is not worth the criminal's time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.

Re:Lawsuit? (4, Insightful)

_PimpDaddy7_ (415866) | more than 4 years ago | (#32110252)

Don't you remember Verizon and other companies SUED people when they showed their websites were INSECURE?

Re:Lawsuit? (1, Informative)

Anonymous Coward | more than 4 years ago | (#32110304)

Did they win?

Re:Lawsuit? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32110818)

Yes, they did. Ever heard of "No More Free Bugs"?

Re:Lawsuit? (4, Informative)

MBGMorden (803437) | more than 4 years ago | (#32110522)

Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.

It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.

One of two possible scenarios then play out:

a. You show at the next town meeting that your neighbor - John Q. Noob, is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and an example lock and how to pick it.

b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".

A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.

Re:Lawsuit? (4, Interesting)

Bakkster (1529253) | more than 4 years ago | (#32110930)

The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollars for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

Re:Lawsuit? (4, Insightful)

hrieke (126185) | more than 4 years ago | (#32111620)

No, the real reason is liability.
If you sell the machine and believe it to be secure and sell it as such without the review & audit, and then it's proven to be insecure, fine, unknown bug.
If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.

Re:Lawsuit? (0, Troll)

ClosedSource (238333) | more than 4 years ago | (#32111622)

Or the white-hats could just mind their own business and avoid a catch-22 situation.

Re:Lawsuit? (1)

VIPERsssss (907375) | more than 4 years ago | (#32111718)

How difficult is it to imagine that he's a site admin testing security on his or his company's own equipment.

Re:Lawsuit? (3, Informative)

baKanale (830108) | more than 4 years ago | (#32110474)

Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

Re:Lawsuit? (2, Funny)

halcyon1234 (834388) | more than 4 years ago | (#32110858)

Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

Not a chance. To get the cash to pay the fines, he'll just break into a bunch of ATMs.

"Here's your $100,00, in $20 and $50s."

Re:Lawsuit? (3, Interesting)

Lumpy (12016) | more than 4 years ago | (#32110872)

No it doesn't, you point out the flaws without any info about you attached. I.e. publish all the info outside the country.

Honestly it blows my mind that any computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. You are getting a heads up because I'm a nice guy."

Then in 90 days put it on the net.

They can't sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.

Re:Lawsuit? (3, Insightful)

HungryHobo (1314109) | more than 4 years ago | (#32111454)

In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.

Re:Lawsuit? (1)

mjwalshe (1680392) | more than 4 years ago | (#32110528)

But selling the gear to do it to the general public isn't.

Re:Lawsuit? (3, Insightful)

Daley_G (1592515) | more than 4 years ago | (#32110604)

As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with. I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATMs are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

Re:Lawsuit? (2, Insightful)

Capt James McCarthy (860294) | more than 4 years ago | (#32110718)

As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with.

I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATMs are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

Very good point. So how do you deal with that concerning your customers? Do you warn them with a signed statement that says there is a risk of theft on ATM systems? Or are banks willing to eat the cost of a break-in (reimbursement) when it happens and not warn customers?

Re:Lawsuit? (0)

Anonymous Coward | more than 4 years ago | (#32111206)

Wouldn't a break in at an ATM be effectively the same thing as a bank robbery and therefore the consumer be protected by FDIC or NCUA anyway?

Re:Lawsuit? (1)

bws111 (1216812) | more than 4 years ago | (#32111636)

The FDIC and NCUA do not insure banks against robbery, they insure the depositors (you) against the failure of the bank. Anyway, yes it would basically be the same thing, and the loss would be covered by the bank's insurer.

Re:Lawsuit? (1)

Capt James McCarthy (860294) | more than 4 years ago | (#32111778)

The FDIC and NCUA do not insure banks against robbery, they insure the depositors (you) against the failure of the bank. Anyway, yes it would basically be the same thing, and the loss would be covered by the bank's insurer.

So why would anyone be upset by the presentation then if the security flaws are already covered by the FDIC and NCUA? Could it be that then the cost of protection starts to eat away profits?

Re:Lawsuit? (1)

vegiVamp (518171) | more than 4 years ago | (#32111834)

Regardless of anything else, if you break into an ATM you're not gonna take the time to extract the money from victim accounts, you just tell it to start spitting bills.

Re:Lawsuit? (0)

Anonymous Coward | more than 4 years ago | (#32110750)

Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else.

Of course. There are usually two strategies:
1. Get a judge to prohibit the publication of anything the researcher found, so the conference presentation cannot be held.
2. Intimidate them into oblivion. Companies don't have to win a lawsuit or even start one. The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies. It doesn't matter if the one who found the vulnerability has the law on their side in the end. Companies can drag out lawsuits so it never gets to that point.

A year ago or so there were students who wanted to hold a speech on how easily they hacked some transportation company's bus/subway tickets. The result was, the company in question buried them in legal threats and injunctions. They got intimidated and only held a redacted talk and published very little. Not sure if a lawsuit was filed but the threat alone obviously was enough.

Re:Lawsuit? (2, Informative)

evilandi (2800) | more than 4 years ago | (#32110974)

The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies

Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.

Re:Lawsuit? (1)

somersault (912633) | more than 4 years ago | (#32111526)

Even if we didn't have legal aid, I'm pretty sure the "loser pays" system would get rid of most spurious lawsuits.

Re:Lawsuit? (0)

Anonymous Coward | more than 4 years ago | (#32111854)

... eventually.

Singh has still had a monumental fight on his hands to get to that point.

Andy

Re:Lawsuit? (1)

mapkinase (958129) | more than 4 years ago | (#32111018)

Let's make an off-line analogy:

An omnipresent part of off-line security systems nowadays is the security camera. Suppose you know that a particular building has blind spots that could be used by perpetrators to avoid identification during their physical approach to the building before or after an attack.

Would it be ethical to publicize those blind spots?

Re:Lawsuit? (1)

zeroshade (1801584) | more than 4 years ago | (#32111366)

Entirely ethical. Once you've publicized them, it becomes the responsibility of the owner/person in charge of security to fix the blind spots. If they do not fix them, then they obviously decided that the risk was acceptable. Think about it in terms of risk versus reward. If you only tell them and don't publicize it, the risk is very small. If you publicize the blind spots, then a lot more people know about them and thus the risk is much higher. If the new, higher risk is more than the cost of fixing the blind spots, then they'll fix them.

Re:Lawsuit? (0, Redundant)

ClosedSource (238333) | more than 4 years ago | (#32111592)

"Why? For pointing out security flaws?"

Yes, that is the standard excuse, but it doesn't wash. There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock.

Re:Lawsuit? (2, Insightful)

Yvanhoe (564877) | more than 4 years ago | (#32110388)

Can the clients of the banks file lawsuits at them ? I can't stand companies not taking security seriously.

Re:Lawsuit? (2, Interesting)

bws111 (1216812) | more than 4 years ago | (#32111478)

On what grounds? If you have been the victim of a fraud, and the bank didn't correct it, you can probably sue them. If you haven't been the victim of a fraud, but you just think their security is too lax, then don't use them. Kind of hard to rail at someone else for not taking security seriously when by definition you yourself aren't taking security seriously if you trust someone you consider non-trustworthy.

Re:Lawsuit? (4, Interesting)

Ubergrendle (531719) | more than 4 years ago | (#32110502)

It would depend upon the nature of the hack. The promotional materials for his speech are light on details. Is this a top-end ATM from NCR, or a white-label generic ATM, which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or is he looking at something more subtle?

I'll reserve judgement on his exposé until I read the details; I understand why he wouldn't want to advertise the juicy details before his presentation, but on the other hand I'm skeptical around what he's implying.

Re:Lawsuit? (2, Insightful)

crow_t_robot (528562) | more than 4 years ago | (#32110638)

File a lawsuit? For publishing information on security weaknesses in critical financial infrastructure that is already known by malicious individuals? Do you know how silly this is? By publishing he is forcing these companies to get their acts together. If he doesn't publish, this information will remain in the realm of people who will use it for theft without any corrective action taken by the ATM manufacturer. Don't try to fool yourself by thinking this is the only guy on the planet that has figured out these weaknesses.

Re:Lawsuit? (5, Interesting)

evilandi (2800) | more than 4 years ago | (#32110868)

Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

Dude, it was the 1950s. How were they supposed to encrypt punch cards? Colour them in?

The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

Re:Lawsuit? (3, Informative)

ClosedSource (238333) | more than 4 years ago | (#32111678)

Perhaps you're thinking of a night deposit box which isn't an ATM. There were no ATMs in the 1950s.

hmm... (2, Interesting)

Pojut (1027544) | more than 4 years ago | (#32110162)

I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

Re:hmm... (2, Insightful)

Ephemeriis (315124) | more than 4 years ago | (#32110234)

I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

I'm sure he can.

Which is stupid.

Because if he knows this stuff he probably isn't the only one. And just the news that these machines can be hacked is going to have other people trying to figure out what he knows, even if he doesn't say anything. So whether he opens his mouth or not really isn't going to change how secure these machines are.

All it will do, hopefully, is scare the manufacturers into improving their security.

Re:hmm... (0)

thegrassyknowl (762218) | more than 4 years ago | (#32110240)

I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

What pisses me off is that he is publishing this. Others probably know about it and are silently exploiting it. The banks don't care. They want to present an illusion of security because fixing security would cost them more money than it currently saves. They'll only do something about it when it becomes really widespread and starts actually costing serious green.

Re:hmm... (2, Insightful)

GrahamCox (741991) | more than 4 years ago | (#32110634)

They'll only do something about it when it becomes really widespread and starts actually costing serious green

And that will be a good thing. Which the publishing will help bring about. I don't follow your argument, unless it's that you don't want this published widely so *you* can personally exploit it.

Re:hmm... (1)

Inda (580031) | more than 4 years ago | (#32111626)

Green? Phew!

Our money is blue, brown, purple and red!

Re:hmm... (2, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#32110684)

What pisses me off is that he isn't publishing this.

FTFY, considering the tone of the rest of your comment.

You want him to publish so the banks have to fix it, not have him keep it secret and leave the rest to exploit it.

Re:hmm... (4, Insightful)

plover (150551) | more than 4 years ago | (#32110900)

What pisses me off is that he is publishing this.

Why does that make you mad?

Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes.

The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them.

So again I ask, why are you mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)

Re:hmm... (1)

kz45 (175825) | more than 4 years ago | (#32111558)

"Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes."

It's foolish to think that banks will be able to fix these holes instantly. Even if they knew about it today, it could take months to fix these flaws.

Releasing it to the world may push the banks to fix it. But it could also result in innocent people getting their money stolen because the banks couldn't fix it fast enough.

"The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them."

Would it be okay if your money got stolen using one of these flaws and you couldn't get access to it for months while they were investigating? You would probably blame the banks.

It's irresponsible for these guys (or anyone) to release these types of flaws without first telling the banks and allowing them enough time to fix the problem.

"So again I ask, why are you mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)"

I have to LOL at this. This is similar to: The government should be able to search your private home without a warrant. If you don't agree to this, you MUST have something to hide.

Re:hmm... (4, Insightful)

plover (150551) | more than 4 years ago | (#32111736)

His talk is a year old already. You don't think he's disclosed it to the banks long ago? No, they've had all the warning they need. Now it's time to prove they've fixed their equipment.

Seriously, if he never releases his info, it will never get fixed. You can talk to the I.T. staff for a year about the problems and nothing will get done. The banks can even have a guy inside I.T. shouting "we gotta fix this!!" and he'll be ignored.

Post it on the internet, deliver it to a roomful of blackhats, THEN something will get done. Until then, however, we're all still vulnerable to the bad guys who are already exploiting this kind of crap.

Re:hmm... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32111374)

I don't know about banks but credit unions care about security and keeping their ATMs up to date. Unfortunately, they are at the mercy of the ATM manufacturers, vendors and whoever provides the maintenance. I suppose banks could have different maintenance contract due to their size but normally software updates are part of the annual support contract.

Re:hmm... (1)

bws111 (1216812) | more than 4 years ago | (#32111598)

If people are exploiting some hole and the banks are absorbing the losses (i.e. it is not affecting account balances), then they are not 'presenting an illusion of security', they are providing security.

Re:hmm... (1)

Mister Whirly (964219) | more than 4 years ago | (#32111614)

I know how to rob a bank. I think just about anybody else could figure it out. So if I tell someone "All you need to do is get a gun, go in the bank, demand money, and leave." does that make me guilty of any crime? Hell no. Knowledge by itself isn't illegal. Robbing a bank with said knowledge is. Until you actually commit the action, knowing how to do it doesn't matter.

Re:hmm... (1)

Abcd1234 (188840) | more than 4 years ago | (#32110504)

I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

I would think only if he shows himself, either in pre-recorded video or live, actually performing the hack on a real ATM. At that point, he could be charged under the Computer Fraud and Abuse Act. But simply doing a presentation on the topic, with details of the hacks? No, I don't think there's any law, yet, that makes *that* illegal, and any such law would likely be unconstitutional in any case (pesky First Amendment and all that).

Re:hmm... (1)

JasterBobaMereel (1102861) | more than 4 years ago | (#32110632)

Probably yes...

Any case would be trying to prove he used protected information illegally or actually hacked an ATM for gain... he can't be prosecuted for publishing known information (freedom of the press).

Re:hmm... (1)

Opyros (1153335) | more than 4 years ago | (#32111414)

Ask Dmitry Sklyarov.

ATM machine (5, Funny)

Anonymous Coward | more than 4 years ago | (#32110164)

You almost made it through the whole summary without saying it.

Re:ATM machine (0)

Anonymous Coward | more than 4 years ago | (#32110224)

His code runs on the JVM virtual machine using IP protocol, too.

Re:ATM machine (0)

Anonymous Coward | more than 4 years ago | (#32110444)

Of course he does. How else is he going to process your PIN number?

Re:ATM machine (1)

Nadaka (224565) | more than 4 years ago | (#32111470)

But is it his personal PIN number?

Re:ATM machine (0)

Anonymous Coward | more than 4 years ago | (#32111146)

...brought to you by the department of redundancy department

...how to hack an OS/2 ATM ? (1)

martiniturbide (1203660) | more than 4 years ago | (#32110198)

Let's see if at the conference he says how to hack an OS/2 ATM !!!

Why can't the ATM suppliers just... (5, Funny)

drc003 (738548) | more than 4 years ago | (#32110200)

...just get a deal going with McAfee? Then their systems would be completely safe and always online!

Re:Why can't the ATM suppliers just... (0, Redundant)

Anonymous Coward | more than 4 years ago | (#32110442)

...just get a deal going with McAfee? Then their systems would be completely safe and always online!

except that one time when they sent out a new DAT update...

Pick one (2, Funny)

Anonymous Coward | more than 4 years ago | (#32110688)

...just get a deal going with McAfee? Then their systems would be completely safe or always online!

Fixed that for you.

Re:Why can't the ATM suppliers just... (0)

Anonymous Coward | more than 4 years ago | (#32110880)

Symantec got there first! So their systems are completely unsafe and always online!!!

Re:Why can't the ATM suppliers just... (0)

Anonymous Coward | more than 4 years ago | (#32111812)

Ob ref: http://xkcd.com/463/

There's always a paper trail (0)

Maarek Stele (7770) | more than 4 years ago | (#32110202)

If you didn't like to talk to a teller before, now's the time. The receipt you receive is sometimes more than what's given back from the ATM. You can stuff it into your file cabinet until the money is spent. Your money is secure up to $250k, so if you have more, then start creating different accounts or start investing the money into something else.

I can go on and on or better yet someone else will add to my comments.

There is NOT always a paper trail (2, Insightful)

hAckz0r (989977) | more than 4 years ago | (#32110798)

May I ask how using a live teller keeps someone else from emptying out your bank account electronically? After all, you can't prove a negative. You simply can't prove you did not use a machine unless you are lucky enough to be out of town at the time your account was emptied out. But even that does not work if the transaction was electronic and from somewhere other than a physical ATM. We are talking about rootkits on ATMs that by definition have a direct connection into your banking system, and no doubt have a way to export whatever information they want from it.

Granted, the fact that the ATM will not be given the opportunity to capture your personal PIN code is a step in the right direction, but having a corrupt hacker on the inside of your banking network can't be good for your bottom line either. There are security vulnerabilities in ALL computer systems and if a hacker has a foothold inside the network proper the rest of the system can fall like dominoes if the bank is naive enough to think they are safe from such an exploit.

Re:There is NOT always a paper trail (2, Insightful)

Rockoon (1252108) | more than 4 years ago | (#32111198)

None of my accounts have an ATM/DEBIT card attached to them.

"But don't you want a debit card?" asks the bank manager when opening the account.

"Nope. I use a credit card."

Yes, my bank account can be raided electronically, but I have very plausible deniability. Can't say that I used my ATM card to withdraw the funds, or my debit card to buy all that junk.

Re:There is NOT always a paper trail (1)

Inda (580031) | more than 4 years ago | (#32111724)

"You simply can't prove you did not use a machine"

A lot of ATMs in the UK take a picture. The lens is clearly visible.

You know us, cameras everywhere and that's the way we like it!

Re:There's always a paper trail (1)

Lumpy (12016) | more than 4 years ago | (#32110938)

ATM? Teller? Who uses those anymore?

direct deposit -> wire transfer to account.

Credit card -> wire transfer to merchant.

I haven't used an ATM in 3 years. I haven't used a teller in 7.

Cash? Who carries cash anymore? I know it's a slippery slope to a cashless society where everything can be taxed multiple times, but I like not having cash on me.

Come on Taco, more imagination! (4, Funny)

Dystopian Rebel (714995) | more than 4 years ago | (#32110212)

"from the well-that-doesn't-make-me-feel-better dept."

Where's the zip, the punch in your writing? This is the news business! If Larry Wall can be funny AND write Perl code, so can you!

Suggestions:

"from the All Your ATM Are Belong To Us dept"

"from the Who Says Cybercrime Doesn't Pay dept."

"from the Your Money Is In Good Hands -- NOT dept"

"from the Can We Have Human Tellers Again dept"

"from the It'll Be The Debit Of Me dept."

Did anyone else read it as saying..... (-1)

Anonymous Coward | more than 4 years ago | (#32110228)

Hacker Develops Ass To Mouth Robot, or is that just me?

Re:Did anyone else read it as saying..... (3, Funny)

ProfMobius (1313701) | more than 4 years ago | (#32110456)

It is just you. I know a good specialist if you want.

Same hack that was used on diebold voting systems? (1)

Joe The Dragon (967727) | more than 4 years ago | (#32110238)

Same hack that was used on diebold voting systems?

Re:Same hack that was used on diebold voting syste (1)

Rogerborg (306625) | more than 4 years ago | (#32110682)

Same hack that was used on diebold voting systems?

Same hack that was used on diebold voting systems.

Operating System specific? (2, Interesting)

tecker (793737) | more than 4 years ago | (#32110414)

The title says it is multi-platform but doesn't mention that anywhere in the article. So is this one that runs on custom firmware, Windows and Linux based ATMs?

To me it would seem better to create a system that would raise the "you're-not-with-OUR-bank-so-we-can-stiff-you" charge (charge 'em 3.50 for the transaction then send 2 back to the bank per normal). Slow but would make money over time if EVERY ATM had your code.

Re:Operating System specific? (2, Insightful)

IBBoard (1128019) | more than 4 years ago | (#32110482)

You get charged for using ATMs that aren't from your own bank? What weird kind of economy is that? The only way you generally get charged in the UK is a) if you're using a credit instead of a debit card (and then it is your card company charging you "cash advance" fees), b) if you're using one of those "convenience" ATMs that are in a pub etc or c) if you're not in the UK, at which point it is to "cover" international fees and talking with other banks in other countries (apparently).

Re:Operating System specific? (0)

Anonymous Coward | more than 4 years ago | (#32110782)

For non-UK people LINK [wikipedia.org] is how it works. Much like PLUS [wikipedia.org] internationally, but I guess they charge.

ATM Machines (4, Funny)

ThrowAwaySociety (1351793) | more than 4 years ago | (#32110512)

Can anyone determine if these are Automated ATM Machines?

I'd better be careful entering my personal PIN number into these from now on.

Re:ATM Machines (1, Funny)

mutube (981006) | more than 4 years ago | (#32110802)

Yes, they're Automated Automated Teller Machines. It's the extra level of automation that is really insecure.

I remember when things were only automated once. Simpler times.

(Your question was so daft I'm half waiting for a 'Whoosh!')

Re:ATM Machines (0)

Anonymous Coward | more than 4 years ago | (#32110878)

Sorry, the whoosh was so high it was in lunar orbit and there wasn't enough gas to propagate the soundwaves back to earth.

Re:ATM Machines (1)

Splab (574204) | more than 4 years ago | (#32111730)

No, it's automated automated teller machines machines.

Re:ATM Machines (1)

TJamieson (218336) | more than 4 years ago | (#32110906)

Ugh, no kidding. That's one of my biggest language pet peeves. (sig related)

What OS? (4, Insightful)

AlecC (512609) | more than 4 years ago | (#32110660)

As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSes, such as those used in the automotive and aerospace industry. I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the-art engines. People who design such systems know about reliability, which can include security in a limited function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.

I see no reason why such fixed-function machines should be much more expensive than those based on general purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. What will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.

Re:What OS? (1, Informative)

Anonymous Coward | more than 4 years ago | (#32110754)

I used to repair Wincor-Nixdorf ATMs a few years ago (2006). It's basically a PC running WinXP with some USB peripherals attached, and a few serial ones. Very simple electronics inside. Having a dedicated OS would be the best for security.

Re:What OS? (5, Informative)

Miser (36591) | more than 4 years ago | (#32110850)

Seconded. Diebold (specifically, the Opteva line) runs plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case, such as the cash dispenser, card reader, depositor if equipped, etc., are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.

NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

-Miser

Re:What OS? (1)

Cumanes-alpha (1050258) | more than 4 years ago | (#32111120)

Seconded as well... There are sooo many troubles with ATMs these days, and not only with weakly configured OSes (or weak/inappropriate ones) but with other technical issues such as the underlying app that manages the transaction with the "host" system and the ways it communicates, and the banks' internal processes regarding the handling of the ATMs (a non-technical issue, but a MAJOR one).

In some cases you can plain and simple obtain all the data needed to clone cards, and you would think that by sniffing it off the wire (which is possible in a lot of cases), but no, you only need to look in a plain-text file for the data you need and goodbye Mississippi! OK, but you need local access... no problem, chances are that the poorly built door which guards the PC inside the ATM is open (or with the key attached to the lock), or attack it remotely (commonly it's Windows XP, can't be very hard), usually because the patch management unit of the bank is excluding the ATMs because they're not servers or workstations... and so on.

There are several ATMs that run on OS/2 as well; they're NOT more secure than the WinXP ones, just almost the same kind of vulnerabilities (the vast majority coming out of the app that handles the transaction).

It's a fun world out there on the financial channels (POS, WEB and alternative channels and dispensers included), and it is always good to know of these efforts on bringing the truth to the surface... despite my fears about the potential bad consequences it may have.

Not Sarah, John This Time! (3, Funny)

Scholasticus (567646) | more than 4 years ago | (#32110670)

John Connor did this way back in '91 ... which means the machines ... oh shit.

MITM? (2, Insightful)

ArcCoyote (634356) | more than 4 years ago | (#32110714)

I'm wondering if this is more of a Man-in-the-Middle attack on the ATM's communication with the EFT network.

The ATMs I've seen that aren't stuck right in a bank building's wall use some form of dial-up, be it a land line or a GSM modem.

Great way to get money out of ATMS (4, Interesting)

Rogerborg (306625) | more than 4 years ago | (#32110734)

Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.

I hope (2, Funny)

pjbgravely (751384) | more than 4 years ago | (#32110864)

I hope they didn't use my hack where I type in 790 and get all the money I want.

ATM Security (2, Insightful)

MC68040 (462186) | more than 4 years ago | (#32110960)

I live in Europe. During my time having all sorts of cards that work in ATMs, I've come to the conclusion that... most of them seem to run Windows (I've seen more BSODs than it's decent to mention).
I'm not wanting to get into a debate about Windows security here; rather the point that there are plenty of rootkits for any given platform on the go today.

The interesting point would be the actual attack vector; getting into a bank's internal network to access the ATM nodes would mean (from my point of view) that the ATMs are pretty uninteresting, however what else might lurk on the bank's network would be worth a lot more? On the other hand, if you could perform the "hack" quickly with just regular customer access to the machine, that'd be interesting... (thinking of Terminator movie here...) ;)

According to my bank balance that is my... well, I've no cents left, damn recession!

Oh, John Connor does it AGAIN... (1)

Cumanes-alpha (1050258) | more than 4 years ago | (#32111270)

... bringing his ATM trick to the masses, always making us believe he's mankind's savior.

A SERIOUS question: In your countries, are the banks not obliged by law to pay your money back in case you're a victim of an ATM/POS fraud?
In Venezuela at least, they are, unless you can't bring your credit/debit card with you at the time you make your claim.

On a side note: Interesting presentation, hope it changes the way banks and ATMs providers think about the security measures they have in place for those devices.

Again with the security through obfuscation... (1)

al0ha (1262684) | more than 4 years ago | (#32111768)

All this attempted security through obfuscation by these companies is ridiculous; this talk will fill the room at the conference this year, and with good reason. Hopefully, but unlikely, the ATM manufacturers have been talking with Barnaby over the past year so that the exploits he will unveil are remedied.

By the way people, though the banks are the front, the ultimate responsibility for ATM device security lies with the manufacturer.