Slashdot: News for Nerds

ATM Hack Gives Cash On Demand

samzenpus posted more than 3 years ago | from the one-card-bandit dept.

Security 193

angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."


193 comments

Interesting Hacks... (5, Interesting)

nosferatu1001 (264446) | more than 3 years ago | (#33067160)

Originally delayed to let the companies patch. Interested to see if he can live up to his claims to be able to find similar issues in other brand ATMs as well.

Re:Interesting Hacks... (0, Flamebait)

NJRoadfan (1254248) | more than 3 years ago | (#33067306)

Funny, this really wasn't a problem when all the ATMs were running OS/2.

Re:Interesting Hacks... (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#33067418)

TFA isn't exactly heavy on the details(PCWorld, detail light? Shocking.); but the class of vulnerability being described, a vulnerable remote management program listening to a modem(if the number isn't in the phone book, it is super-secret, right?), seems pretty OS agnostic. Same with the ghastly corner-cutting on making keys not unique per-device.

It is conceivable that fewer corners were cut back in the day, or that a substantially greater percentage of ATMs were on bank premises, not being connected over public phone lines; but it would be surprising if OS/2 alone would save you from those design mistakes.

Re:Interesting Hacks... (2, Funny)

RMS Eats Toejam (1693864) | more than 3 years ago | (#33067452)

... all the ATMs were running OS/2.

There was never a time when all ATMs ran OS/2. Besides, OS/2 had its own problems [wikipedia.org].

Re:Interesting Hacks... (4, Interesting)

silentcoder (1241496) | more than 3 years ago | (#33068258)

That reminds me. A couple of Christmases ago I was visiting my sister in a small rural town where she lived at the time. Wanted to go draw cash at one point so walked down the main road to the town's only ATM - run by local bank ABSA (yeah - not afraid to mention it). My own bank not having an ATM in town, this was the only choice available.

As I stepped up to it... the interface was obscured by a warning message:
F-Secure Anti-Virus for Windows has detected a virus in file ...

Floating around.

Being aware that
1) This bank's ATMs run Windows
2) They use F-Secure for virus protection
3) It obviously is connected in such a way that it can still GET infections

I turned around, bummed cash off my sister and paid her back online - there was just no way I was going to stick my card in that ATM. I am also really glad I'm not a customer of that bank - and despite the nearest ATM to my house being run by them - I never use their ATMs - I would rather spend the bit of extra fuel and drive to my own bank (which may not be better - but at least I haven't seen with my own eyes that it's THAT bad). Besides, the service charge saving I suspect outweighs what I spend on fuel, so it's worth it either way.

Re:Interesting Hacks... (3, Funny)

Zerth (26112) | more than 3 years ago | (#33068828)

AV on machines that shouldn't need them? yay...

Relevant xkcd [xkcd.com]

Re:Interesting Hacks... (1)

silentcoder (1241496) | more than 3 years ago | (#33068988)

The worst AV in history on the most insecure OS in history on machines that have access to my bank account ?

Number 4 (2, Informative)

SuperKendall (25149) | more than 3 years ago | (#33069066)

4) It had a virus ALREADY INSTALLED as per the message you saw, so malign in fact that even F-Secure could recognize it (which goes back to point #2).

Re:Interesting Hacks... (1)

mark72005 (1233572) | more than 3 years ago | (#33068782)

And people complained about diebold...

Re:Interesting Hacks... (2, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#33067334)

Unless he chose the two he purchased purely based on underground buzz about their weakness(possible; but you'd hope that a security researcher would go for novelty.), going 2 for 2 suggests that overall industry standards might not be that high...

Patchless ATM "hack" (3, Insightful)

mcgrew (92797) | more than 3 years ago | (#33067540)

There is no patch for social engineering except user education. Here's a way to "hack" any ATM. This "hack" doesn't require any computer skills, and the bank is not out any money -- the bank's customer is.

This procedure was used on me. Education can be expensive.

Here's how it works: simply watch someone enter the PIN number, then steal their card. If they're drinking, tired, or simply thinking about some problem on their mind it's easy to get their PIN.

When I was victimized, the thief also stole checks, and forged and cashed them. The bank reimbursed me for the obviously forged checks, but if someone has your PIN, no matter how they get it, they are authorized to use the card!

I no longer use a debit card. Nowadays I use cash whenever possible.

Re:Patchless ATM "hack" (3, Insightful)

rtaylor (70602) | more than 3 years ago | (#33067744)

They stole your card so they can probably steal your cash which will also not get refunded by the bank.

Better to use a debit card and keep a low value of funds in the account that it can access. Top up as necessary from a different account or a different bank entirely which is not accessible in any way through the card.

Now you get a bit of added security the card offers over cash but you also limit your losses in the event of theft because it is treated like cash (balance limited to typical daily use).

Re:Patchless ATM "hack" (1)

NJRoadfan (1254248) | more than 3 years ago | (#33067846)

Use a credit card for larger purchases and only keep small sums of cash with you. Credit cards are technically not cash, and the consumer protections are generally stronger in cases of fraud. A charge back for fraud on a credit card results in no money leaving your bank account compared to a debit card.

Re:Patchless ATM "hack" (1)

kevinmenzel (1403457) | more than 3 years ago | (#33067764)

What the heck is wrong with most banking regulation? If someone who isn't me makes debit transactions on my account, no matter what the amount, even if they use my card and my PIN, the fraud department at my bank (TD Canada Trust) is happy to reimburse me (especially if I'm fairly confident about the location and amount of my last transaction). And they have, even if someone is making small purchases over a period of time, which happened once (over a period of two months, someone had made a copy of my card, and was using it to make small purchases, less than $20 each time; I finally noticed the transactions, went in to the branch, and got refunded the... I think it was about $60 or $70 within a month...)

Re:Patchless ATM "hack" (1)

John Hasler (414242) | more than 3 years ago | (#33068762)

What the heck is wrong with most banking regulation? If someone who isn't me makes debit transactions on my account, no matter what the amount, even if they use my card and my PIN...

How the hell are they to know it isn't you? Just because you say so? You know that there are people who would lie to defraud them. I don't see why the bank should be responsible for your loss of control of your card and PIN any more than they are for your loss of control of your cash.

Re:Patchless ATM "hack" (0)

Anonymous Coward | more than 3 years ago | (#33067836)

Yeah, ALWAYS lean right in and cover the PIN pad with your other hand. I assume there could be a hidden look-down camera installed and try to make it hard to see what my PIN is even then.

Also:
- Swipe the slot with your finger before you insert the card to try and find card-catcher devices
- Consider having a withdrawal limit set on your account. That way, if everything else fails the damage is limited. These days you really don't ever need to withdraw large amounts of cash, unless you have a substantial coke habit or suchlike ...

Re:Patchless ATM "hack" (1)

iserlohn (49556) | more than 3 years ago | (#33067992)

For 4-digit PINs, there is a 0.3% chance of an attacker randomly entering the PIN and succeeding. So, is a 0.3% chance of losing all your money in your debit card account acceptable (which can be partially mitigated using EMV smartchips on debit cards)?

Re:Patchless ATM "hack" (1)

iserlohn (49556) | more than 3 years ago | (#33068000)

Sorry.. I meant 0.03%

Re:Patchless ATM "hack" (1)

John Hasler (414242) | more than 3 years ago | (#33068852)

The chance of losing all your money in your debit card account is not .03%. It is .03% times the probability of a thief acquiring possession of your card and using it before you discover that it is gone and cancel it.

I see what you did there... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#33067172)

This is clearly just a slashvertisement for Microsoft's expansion of their "Cashback" promotion from Bing to WinCE "The Product that Needs it More Than Bing"...

Editorial standards these days... I ask you...

The tip of the iceberg (3, Insightful)

tedgyz (515156) | more than 3 years ago | (#33067180)

Wait until they can hack payment-enabled smartphones.

All your cash are belong to us

Re:The tip of the iceberg (1)

necro81 (917438) | more than 3 years ago | (#33067496)

All your cash are belong to us

Worse than that, since the smartphones don't actually have any physical cash.

All your bits-that-provide-access-and-represent-money-in-an-account-that-is-itself-just-a-representation-of-cash-you-could-have-in-your-hand are belong to us. Much more fungible than cash.

Re:The tip of the iceberg (1)

rickb928 (945187) | more than 3 years ago | (#33067806)

It has begun [hackaday.com].

Really? (3, Insightful)

TwiztidK (1723954) | more than 3 years ago | (#33067182)

"After experimenting with two machines he purchased"

Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com].

Re:Really? (2, Interesting)

Netshroud (1856624) | more than 3 years ago | (#33067222)

I presume they're just very expensive. Even more so if you have to secure them and connect them up to a banking network. Anything can be bought with enough money... like the bank itself.

Re:Really? (1)

paradxum (67051) | more than 3 years ago | (#33067324)

They are not that expensive when there are tons of failed bank auctions around, a couple hundred will get you one. (You must remove though)

Re:Really? (3, Informative)

tomhudson (43916) | more than 3 years ago | (#33067488)

They're not that expensive. Look at the "white label" ATMs you'll see in restaurants and bars.

Here's one of the machines in question [flextouch.ca]

Designed and assembled with pride in the USA, the RL1600's innovative configuration--including an embedded PC-based platform, Microsoft® Windows® CE 5.0 operating system with Triton's X2 technology--makes it as powerful as it is affordable and reliable. It has a large storage capacity for journaling, and is expandable to meet future compliance and application needs.

They can be configured for either phone or IP network, and they're not that expensive, especially if you buy one used at a bar or restaurant bankruptcy.

Re:Really? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33067906)

Reliable my ass. I keep seeing BSOD-ed or out-of-memory ATMs around these parts, running what seems to be Windows XP (Embedded? At least, I hope it's XP and not Windows ME); even better are those with the "you may be a victim of software piracy" WGA notice. Closed my account at that bank after seeing that ("in what other areas do they habitually and epically fail?")

Re:Really? (1)

melstav (174456) | more than 3 years ago | (#33068734)

ATMs can be had for ~$2k on eBay [ebay.com]

Hell, there are even eBay listings for companies that'll ship you an ATM for free, have somebody come out and fill it with money, and give you a percentage of the surcharges they collect from cardholders.

Re:Really? (2, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#33067244)

I assume that large purchasers, like banks, can easily enough commission "private label" versions of ATMs(based more or less closely on a manufacturer's available models, doing mechanical engineering much beyond the 'paste on a logo and some colored trim' level probably isn't cost effective; but running firmware tailored to them and their systems) that are for their exclusive order; but the generic ones you see in crummy convenience stores and the like are just appliances.

Because(like commercial scales, and gas pumps) they are appliances used in commerce, there may well be one or more state, or local authorities who want to take a look and put their sticker on it before it goes into use; but if some guy wants to buy a used one, I see no reason why that would be uncommon or controlled. If they are used for fraud or theft, that is just as illegal as any other flavor of the same; but there are loads of common and wholly legal tools that have potential in that area.

Re:Really? (5, Interesting)

Pharmboy (216950) | more than 3 years ago | (#33067322)

There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

Re:Really? (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#33067480)

True enough. I suspect that that has to do with their use for sinful, wicked, dirty gambling, which tends to draw legislative fire.

Since the gambling in the financial sector tends to be concentrated well away from the retail level, I'd suspect that ATMs would be safe.

Re:Really? (2, Insightful)

alexo (9335) | more than 3 years ago | (#33068636)

There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free.

Yet another example of a bad law.

Not most states, about 7 of them (2, Informative)

name_already_taken (540581) | more than 3 years ago | (#33068758)

There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

I'm not so sure about them being illegal in "most states".

The list of states banning slot machine ownership I found is: Alabama, Connecticut, Hawaii, Indiana, Nebraska, South Carolina, and Tennessee.

I have a slot machine. It accepts quarters or tokens, and I can adjust the payout ratio.

I paid $160 for it at the flea market, at the county fairgrounds one county over. There were Sheriff's deputies everywhere and they didn't give the slot machines a second look.

Re:Really? (2, Informative)

skgrey (1412883) | more than 3 years ago | (#33067558)

You would be absolutely correct. I used to work for one of the largest ATM manufacturers, and I'm still very close with the people that designed most of the ATMs you see in banks and convenience stores. It's really just a branding thing, and even then there isn't much they do besides slapping a plastic faceplate on the ATM. You have to be one of the larger banks and have a very large exclusivity contract before they'll even start considering a design specific for your bank - I only saw one in five years of working there.

Re:Really? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33067246)

best xkcd ever!

Re:Really? (2, Informative)

91degrees (207121) | more than 3 years ago | (#33067258)

The sort you find in convenience stores can be purchased without too much difficulty. They're just automated machines that put a charge on your card and dispense money, so they're not that different from a till and card reader.

I imagine the heavy duty ones that banks use are a little more tricky to get hold of.

Re:Really? (1)

yumyum (168683) | more than 3 years ago | (#33067286)

Re:Really? (1)

Lumpy (12016) | more than 3 years ago | (#33067752)

Shipping costs are gonna be a bitch on that one.

Yup, they can. (3, Informative)

Cyberax (705495) | more than 3 years ago | (#33067288)

ATMs are sold 'over the counter'.

They aren't even that expensive, it's possible to get a new ATM for about $2000 (though realistically a good ATM costs about $5000).

Re:Really? (2, Informative)

KarrdeSW (996917) | more than 3 years ago | (#33067398)

Well... Bank of America may be a bit angry if you have one of their ATMs in your living room, but getting one of the mass produced brands that companies set up at street events or in convenience stores isn't very difficult.

The regulation isn't so much on who can have one as on the manufacturers to keep the data of the people using it secure, and even they aren't required to do much.

Re:Really? (1)

skgrey (1412883) | more than 3 years ago | (#33067638)

It's not a matter of having a "Bank of America" or "FirstMerit" ATM in your living room; they don't make the ATMs. Banks buy ATMs to interface with their own network. If you were to buy an ATM you'd need a banking entity, so you'd typically set up the account with the ATM manufacturer or a partner. For example, Triton sells those dinky little ATMs you see at gas stations. The gas station has an account with Triton, where Triton is the "banking entity" which is allowed to reach out into your bank's account, fills the ATM with money, collects the fees, etc.

Re:Really? (4, Interesting)

zigziggityzoo (915650) | more than 3 years ago | (#33067432)

I know of a couple of restaurants that have their own ATMs with a "cash only" policy for acceptable payments. Anyone without cash is directed to the ATM they own. Instead of it costing them a percentage to accept cards, they make money off the ATM.

Re:Really? (1)

CeruleanDragon (101334) | more than 3 years ago | (#33067568)

I once saw a "How-to" video on how to acquire your own ATM. Just need a strong 4x4 truck, a long, strong chain, and a couple of friends...

Re:Really? (0)

Anonymous Coward | more than 3 years ago | (#33067924)

"Can people just buy ATMs? I figured that they would put some sort of restrictions on them...unlike lab coats [xkcd.com]."

Sure. And it's only the first one that's "expensive". After that, money is no object. Think of it as an investment.

BoA (2, Interesting)

Anonymous Coward | more than 3 years ago | (#33067190)

I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.

T2 (1)

bakamorgan (1854434) | more than 3 years ago | (#33067234)

I wonder if he can do something like a young John Connor did in the movie T2? This sounds like a neat hack. Also I have read in the 2400 magazine/pamphlet/book or whatever it is that yeah, people buy this type of stuff just to hack it. Also they buy cash registers and CC machines. Good reading material while you're on the pot.

Re:T2 (0)

Anonymous Coward | more than 3 years ago | (#33067468)

Yeah, those guys at 2400 really know their stuff. I love their 64 pages of letters from 12 year olds asking how to hack their school's computer systems and cheat codes for MW2. The last time I read it there was an article in it by a hacker named David Lightman that recommended checking for a paper with the school's passwords attached to a desk's sideboard. Very insightful.

Re:T2 (0)

Anonymous Coward | more than 3 years ago | (#33068252)

Sounds like a step up from that old 2600 magazine that used to be some whiny bitches that sounded like a greyer version of the FSF :D

Re:T2 (0)

Anonymous Coward | more than 3 years ago | (#33068448)

You might be laughing now but my brother's friend said he hacked something called the Gibson that way. He was almost caught but the feds could not match the sheer speed and agility provided to him by his inline skates.

MSFT Fanboys HURRY! (-1, Troll)

newdsfornerds (899401) | more than 3 years ago | (#33067236)

Hurry up and bring us a long list of reasons why it's NOT Microsoft's fault!

Re:MSFT Fanboys HURRY! (1, Funny)

Anonymous Coward | more than 3 years ago | (#33067284)

Only need one: he didn't hack the OS, only the applications running on top of the OS.

Re:MSFT Fanboys HURRY! (1)

dimethylxanthine (946092) | more than 3 years ago | (#33067422)

he didn't hack the OS, only the applications running on top of the OS.

Hacking the OS would be too easy and not worthy of a Black Hat ;-)

Simple is beautiful (and secure) (0)

Anonymous Coward | more than 3 years ago | (#33067238)

If your idea of simple includes Windows CE (or Linux for that matter), you should not make engineering decisions.

Pretension (5, Funny)

aliddell (1716018) | more than 3 years ago | (#33067250)

Exploiting bugs in two different ATM machines

'ATM machines'? Really?

Re:Pretension (4, Funny)

Spad (470073) | more than 3 years ago | (#33067352)

And he didn't even need a PIN Number

Re:Pretension (5, Funny)

RulerOf (975607) | more than 3 years ago | (#33068550)

Rumor has it that if the hacker can find the MAC controller address for the NIC card in the ATM machine, he can use specially crafted TCP/IP protocol and also expose your SSN number.

Re:Pretension (2, Funny)

Darth_brooks (180756) | more than 3 years ago | (#33067390)

Yeah, ATM Machines. Those things that you put your PIN Number into.

Re:Pretension (-1, Redundant)

Thanshin (1188877) | more than 3 years ago | (#33067502)

I think he was referring to the double use of "machine".

Automated Teller Machine Machine.

woosh! (1)

ArsenneLupin (766289) | more than 3 years ago | (#33067564)

..."double use of number", in case you wonder what is making this strange sound...

Re:Pretension (1)

oodaloop (1229816) | more than 3 years ago | (#33067566)

Into which you put your Personal Identification Number Number. Whooooosh!

Re:Pretension (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33067606)

wooooooooooosh

Re:Pretension (0, Offtopic)

alx5000 (896642) | more than 3 years ago | (#33067750)

One of the best whooshes of all times. Thank you!

Re:Pretension (1)

WaroDaBeast (1211048) | more than 3 years ago | (#33068018)

Yeah, ATM Machines. Those things that you put your PIN Number into.

I got a friend who once made a presentation on the PC at uni, and some of his lines were about "CD and DVD disks." Other than that, the only acronym I can think of is MCB (Mauritius Commercial Bank), as I've often heard people say "MCB bank."

Re:Pretension (0)

Anonymous Coward | more than 3 years ago | (#33068398)

>> Other than that, the only acronym I can think of is MCB (Mauritius Commercial Bank)

That was the first thing I thought of too.

Re:Pretension (2, Informative)

tag (22464) | more than 3 years ago | (#33067448)

Submitter clearly has a case of RAS syndrome [wikipedia.org].

Re:Pretension (2)

davidbrit2 (775091) | more than 3 years ago | (#33067476)

It's a machine that operates the ATM for you. It also goes by the name Automated ATM.

Re:Pretension (1)

AndrewNeo (979708) | more than 3 years ago | (#33067936)

So it's an Automated ATM machine Machine?

Re:Pretension (2, Funny)

davidbrit2 (775091) | more than 3 years ago | (#33068056)

I think that would be the machine operating the machine that's operating the ATM. It brings the level of automation to where you only have to subconsciously think of money, or anything that rhymes with money in order to make a withdrawal.

Re:Pretension (1)

noidentity (188756) | more than 3 years ago | (#33067592)

No need to make fun of people who suffer from PNS syndrome [wikipedia.org].

Re:Pretension (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33067664)

Don't discount the good folks who work tirelessly at the Anal-to-Mouth Machine plant.

Re:Pretension (1)

AC-x (735297) | more than 3 years ago | (#33067740)

What, you never used an Automated Teller Machine Machine before? Where do you think banks get their ATMs from? Queue up in the store? I think not!

Re:Pretension (1)

DoofusOfDeath (636671) | more than 3 years ago | (#33067784)

'ATM machines'? Really?

Good call. He should have gone with the better known, "AT Machines".

Re:Pretension (1)

camperdave (969942) | more than 3 years ago | (#33068092)

'ATM machines'? Really?

Well, to be fair, ATM could be a brand name. Is saying "IBM machines" wrong?

Redundancy (-1, Redundant)

PHPNerd (1039992) | more than 3 years ago | (#33067256)

Exploiting bugs in two different ATM machines at Black Hat...

Really? Automated Teller Machine machines?

Re:Redundancy (2, Funny)

betterunixthanunix (980855) | more than 3 years ago | (#33067302)

Something has to build the ATMs! Clearly, this hacker has discovered that the robots that build ATMs also create money.

Re:Redundancy (1)

prionic6 (858109) | more than 3 years ago | (#33067354)

But who makes the ATMMs?

Re:Redundancy (4, Funny)

prionic6 (858109) | more than 3 years ago | (#33067368)

But who makes the ATMMs?

It's machines all the way down!

Re:Redundancy (-1, Redundant)

MistrBlank (1183469) | more than 3 years ago | (#33067588)

Is it wrong that I enjoyed the fact that a posting on redundancy is redundant?

Re:Redundancy (2, Funny)

TheRaven64 (641858) | more than 3 years ago | (#33068198)

Since the post above you says exactly the same thing, I couldn't decide whether you should be moderated redundant or funny.

Monopoly (1)

Wowsers (1151731) | more than 3 years ago | (#33067276)

You passed Go, please collect $ from bank, where $ = Amount Input.

I should hope there's a patch soon (-1, Flamebait)

krzysz00 (1842280) | more than 3 years ago | (#33067294)

I would really hope that this gets fixed quickly. Otherwise, this (having been posted on Slashdot), will spawn a website listing hackable ATMs and the banks will lose another $X million dollars and Obama will have to bail them out again.

Re:I should hope there's a patch soon (1)

sheph (955019) | more than 3 years ago | (#33069000)

I don't know if that should be classified as flamebait. It is plausible based on past experience. As much as I hate Obama's policies I'll point out that he wasn't the first one to think bail outs were a good idea.

MISSING (1)

Azmodan (572615) | more than 3 years ago | (#33067364)

So where's the download link?

no wonder (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33067380)

Note the manufacturers. The big 3 of ATMs are Wincor, Diebold, and NCR. Check the ATM for pretty much any financial institution and you'll see one of those logos somewhere. When one of them gets hacked it's a big deal. When a white-label gets hacked it's just another day.

Re:no wonder (1)

Anonymusing (1450747) | more than 3 years ago | (#33067478)

Well, I do remember this [infosecuri...gazine.com]...

scrooge? (2, Interesting)

circletimessquare (444983) | more than 3 years ago | (#33067438)

he should have called it robin hood

right subject matter (wealth redistribution), wrong direction (down to the lower classes: robin hood, not up to the higher classes: scrooge)

Re:scrooge? (2, Funny)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#33067530)

A good rootkit tries to blend in with its environment...

WTF is an 'ATM machine'? (-1, Troll)

Noose For A Neck (610324) | more than 3 years ago | (#33067506)

Ass-to-mouth machine? Why would it have cash? Do people pay for that??

open source shot (1)

grumling (94709) | more than 3 years ago | (#33067528)

Quote from TFA: "Criminals could find vulnerable ATMs by using open-source 'war-dialling' software"

Nice. Because closed source software could never be used for criminal activity, right?

Re:open source shot (1)

Lumpy (12016) | more than 3 years ago | (#33067788)

Nope. All the closed source war dialing apps have a list of all phone numbers to all the ATMs and refuse to dial them. They also have regular popups that ask you to confirm that you are not wardialing to do illegal activities...

Microsoft Bob was repurposed for this use. Microsoft BobDialer 6 is the most popular in the in crowd of casual wardialing.... Ohh BRB, mine has found a fax machine for me to listen to!

Re:open source shot (0)

Anonymous Coward | more than 3 years ago | (#33068128)

All closed source war dialing apps follow RFC 3514 [ietf.org]; ATMs simply firewall all incoming packets with the evil bit set.

Re:open source shot (1)

Spad (470073) | more than 3 years ago | (#33067810)

It's something that seems to be getting more and more common in a subset of security-related articles. With my less cynical hat on I'm tempted to believe that they're trying to imply that the software is free and freely available and thus has a low barrier to entry for people who want to try and replicate the exploit, however, my less cynical hat doesn't fit me very well.

re ATM hack (1)

chentiangemalc (1710624) | more than 3 years ago | (#33067590)

That's nice and beautiful he hacked the ones he bought. But he still has to get remote access #'s, and if that's easy to get I think that's an even bigger security issue. Also "war-dialling" tactics to find a Windows CE based ATM may take a while; the majority of ATMs now run Windows XP Embedded, not Windows CE. Also I'm not sure about this, but I would hope ATMs implemented call-back security on in-production devices.

Easy! (1)

tripmine (1160123) | more than 3 years ago | (#33067692)

Easy Money!

video from the talk (2, Informative)

AmElder (1385909) | more than 3 years ago | (#33067706)

Security Week has posted some videos of the presentation [securityweek.com] that they uploaded to YouTube.

confused! (1)

cheap.computer (1036494) | more than 3 years ago | (#33067828)

Advocates of closed source software claim that keeping their source closed adds more security to their products... now I am confused...

Why go through all that trouble of hacking? (3, Interesting)

qazwart (261667) | more than 3 years ago | (#33067956)

The types of ATMs being talked about are the non-bank machines that you see in many smaller stores in New York City. They're installed and sold by third party vendors to connect to the main banking networks.

A salesman goes into a store, and tells the owner that if they had an ATM in their store, their sales would go up because people would stop in to get cash. The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owner's manual. A manual you can buy online.

There have been several incidents of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messy hacking necessary.

'M' is for Machine (3, Funny)

ricosalomar (630386) | more than 3 years ago | (#33068338)

The summary refers to 'ATM machines.'

I haven't read TFA article, but I wonder if you need a PIN number, or if the exploit uses a VM machine?

Has someone notified the federal FBI bureau?

Great.. this will make ATM thievery worse (1)

tacktick (1866274) | more than 3 years ago | (#33068376)

I'm all for security research but publicly displaying these exploits will bring ATM mischief to the next level. Why use skimmers and mini cameras when you can just hack the ATM remotely and have an accomplice stand there and get the cash that comes out? If proof-of-concept code gets out on the net, watch out! A lot of little banks and vendors are going to be sorry. And good luck trying to patch all the millions of machines around the world.