Forget malware, crooks are cracking ATMs the old-fashioned way – with explosives

Silver badge

Jake

Whatever happened to the good old tried and true JCB and a Tranny pick-up?

For those not of a British building trade background, JCBs are usually referred to as Jakes.

3
0
Silver badge

Re: Jake

For those of us not of a British background, should we assume JCB is JC Bamford?

3
0
Anonymous Coward

Re: Jake

>a Tranny pick-up

Ooh kinky.

14
0
Windows

Re: Jake

Indeed you should. Furthermore if your background has not made you familiar with the Ford Transit van, you should also take care to interpret “Tranny” in context…

I’m British and I have not once heard of a JCB being called a “Jake”. Then again, I’m not a builder (don’t like tea). I imagine that outside the trade, the term “backhoe loader” is not widely known either.

Jake (https://jakefood.com/) is a European Soylent-alike. A daft name which I assume they picked for no reason other than to rhyme with “shake”.

Nonetheless, refreshing to see that the actual threats faced by cash machines are nothing to do with some perceived risk (on a standalone computer, in a locked box, connected to the outside world by nothing more than a phone line, as part of a worldwide system with millions of device-hours of fault-free operation) solely because its operating system is closed-source and more than a couple of hours old…

2
0
Silver badge

Re: Jake

@Ellipsis - I was with you until, "nothing to do with some perceived risk", 28 ATM logical attacks is not nothing, and it rose from 5 the previous year. It's small compared to the ATM physical attacks, and the physical attacks are lower than the ATM fraud, but "nothing" is a very specific quantity.

1
0
Thumb Up

Re: “nothing”

Mmm, fair point. “Less to do with…” would have been better. It would indeed be dangerously complacent to assume there’s no threat whatsoever of attack via a software vector. Just as long as the risk assessment is a bit more substantial than “O NOES ITS RUNNING MICRO$OFT WINDOZE XP”…

3
0
Anonymous Coward

Re: Jake

John Deere every time for me

http://www.bbc.co.uk/news/uk-england-lincolnshire-37503874

1
0
Silver badge

Re: Jake

And for our American Readers, the Ford Transit is what you call a Panel Van but has a strong Chassis.

Generally, the go-to vehicle for commercial users in many parts of the world.

The Chassis is also used for all sorts of other vehicles such as

- Mini Busses

- Cement Mixers

- Builders Tip up vehicles and general vehicles

- Car recovery transporters

- Ambulances

- etc, etc, etc.

Oh, and one was modified to run the Nevada Desert Classic this year to compete in the 150mph class.

I spent a summer working at the old Transit Plant in Southampton many years ago, UK. Production moved to Turkey a few years ago (from memory).

2
1
Anonymous Coward

Feh!

Brazilians have been doing that for years! https://www.youtube.com/watch?v=VkOkKwFtNsg

0
0
Silver badge
Thumb Up

How to reduce the amount lost

Put less cash in the machines but have more machines where they're needed. A bit of extra capital expense to the banks, sure, but if the losses are less. That's a big thumb up surely?

0
0
Silver badge

Re: How to reduce the amount lost

As stated damage to buildings usually would be more than the cash lost, so the opposite should actually be true, more cash in less places (since that reduces the amount of machines they can hit)

5
0
Stop

Re: How to reduce the amount lost

You’re joking, right? Cash machines cost banks a fortune to operate. As with pretty much most of retail banking, I suspect they’d rather not bother, except that hoi polloi tend to complain when they can’t get their beer tokens.

As for the losses: while banks might not enjoy having their (depositors’) money stolen, €27m is surely: (a) a rounding error in total turnover; and (b) either budgeted for or insured against in any case…

8
1

This post has been deleted by its author

Silver badge
Meh

Re: How to reduce the amount lost

"...extra capital expense to the banks..."

So not happening.

0
0
Silver badge

Re: How to reduce the amount lost

>As stated damage to buildings usually would be more than the cash lost,

So the solution would be to make the machines out of plastic so that less explosive is needed and there is less damage to the building.

If you were to 3d print the machines you could probably get a silicon roundabout digital community catalyst innovation startup special unicorn not-at-all-a-grant to pay for them.

Or you could pack the front panels of the machines with 200lb of ball bearings and roofing nails to give the thieves a real surprise when they fill it with propane.

4
0
Silver badge
Meh

Re: How to reduce the amount lost

> "So the solution would be to make the machines out of plastic so that less explosive is needed and there is less damage to the building."

That might lead to JD's going at them with saws and bats. Better to just leave the money in big piles under a rain cover, with a banner reading "Come 'n git it!"

Personally I'd go with an automated active defense, like the Depelter Turbo...

2
0
Silver badge
FAIL

Obviously their own fault

To apply the logic often used in the comments with regard to electronic break-ins: it's obviously the fault of the ATM manufacturers and building crews for not securing their premises against this simple and obvious form of attack. They're criminally incompetent and should clearly not be allowed to own or operate a bank machine.

10
1
Silver badge
Facepalm

Re: Obviously their own fault

Seriously?

How about I ram your datacenter and pull away with your HP server in tow, buster?

1
2
Anonymous Coward

Re: Obviously their own fault

I've read some stupid comments on here but yours sir, takes the biscuit.

Comments on electronic break-ins where the manufacturer or software company is blamed are usually not a loss to the company but to the people using that company's software/hardware or service.

This is the bank's own loss so they are responsible for it, therefore it is the criminals that are solely to blame as they are breaking the law.

In the first instance not only are the criminals breaking the law but it should also be that company that is strung up. To try and blame banks for criminals blowing up ATMs is ridiculous but to blame companies for the sloppy handling of customer information or crap hardware security is fair game because it is not just them that suffer though it never works out that way.

I really am at a loss as to how anyone could not make that distinction.

2
4
Anonymous Coward

Re: Obviously their own fault

Actually, I'm going to go ahead and agree with this compared logic for the better of society. Thanks for getting me to think :-)

Banks make more than enough money to put an armed guard at every one of their ATMs 24/7. One armed guard per ATM would result in a serious drop in these explosive thefts, armed robbery at ATMs and create thousands of jobs. Seriously, the thinking of "too costly" put us where we are today, let's get back to creating jobs.

8
1
Silver badge

Re: Obviously their own fault

I believe Mr Mangrove is being sarcastic.

It is common for banks to blame the victim when funds are stolen. He's merely applying the same logic when the banks are robbed.

16
0
Silver badge
Go

Re: Obviously their own fault

Good, good . . . give in to your hate. Pick up your weapon and strike me down.

4
0
Silver badge
Facepalm

Re: Obviously their own fault

Whoosh!

3
1

Time to close cash machines, and let all shops offer free cash back with any transaction.

0
2
Silver badge

Many shops keep low tills to deter robbery. That's why they don't do cash back or limit it. And Legal Tender laws allow stores discretion when faced with large bills/notes.

2
0

Legal Tender laws have nothing whatsoever to do with payments in shops. Legal tender will not necessarily be accepted by shops: http://www.royalmint.com/aboutus/policies-and-guidelines/legal-tender-guidelines

0
0
Silver badge

Actually they do because tender is required to complete a transaction if you don't use barter. It only gets dicey when a debt is involved, but normal store transactions don't normally constitute debts. Anyway, there are no laws in America that require someone to accept a bill unless a debt is involved (thus the words "Legal Tender for all debts, public and private").

In the UK, legal tender laws specifically list exceptions such that stores, city councils, and the like get relief from pester payments. You're expected to pay your dues with a reasonable spread of coinage and/or notes. In general, notes are always welcome unless they're too ungainly (say a £100 to buy £2 worth). Pound coins, again, are good in general. Pence coins, OTOH, tend to limit you to no more than certain amounts at a time for various coinage denominations.

1
2

> a £100 to buy £2 worth

Here in Switzerland I’ve seen somebody hand over a 200-franc note to pay for a single 3-franc item in a small supermarket. The cashier made change without even batting an eyelid.

Beats the usual, “Have you got nothing smaller?” from grumpy shopkeepers in Blighty when you try to pay with a £20 note, which is all you’ve got because it’s the only thing the cash machine dispenses…

5
0
Silver badge

>Here in Switzerland .. a 200-franc note to pay for a single 3-franc item in a small supermarket

Normally shops are wary because it's a common way for crooks to launder counterfeit or stolen large notes.

In Switzerland I assume the equivalent would be for crooks to come in with a train load of Nazi gold to buy a 3-franc item.

4
0

Even then the shop would only get suspicious if the train weren’t on time…

7
0
Silver badge
Coat

Alternatively they could just be...

...trying to use Samsung devices to hack them.

7
0
Silver badge

£170m is a tiny sum

compared to the bank losses racked up by crooked bankers in 2008; so why do they make such a fuss ?

7
0
Silver badge

Old line

"You're only supposed to blow the bloody doors off!"

10
0

At the risk of getting on everybody's watch list, is there a breakdown for the type of solid explosives used? Are we talking 'fell off the back of a tank' military grade or anarchists 'stir & count fingers' cookbook?

6
0
Anonymous Coward

If it's solid, unless it's black powder (sulfur, saltpetre, charcoal), odds are it's homemade ANFO via fertilizer bomb, The only trick is renaturing explosive ammonium nitrate out of common fertilizer, but Oklahoma City proved it possible. If the criminal ring is more sophisticated, they could theoretically get access to stuff like RDX which can then be made in a wide variety of explosives.

2
0
Anonymous Coward

That the article mentions gas is IMHO the clue.

A gas explosion on the outside of an ATM would be so much less effective than one inside it, and so much harder to set up or control. I guess they find a crack or make a small hole at the bottom of the ATM, pipe in gas and light it when it come out the top. Like filling a paint can with gas, the flame at the top will get drawn in at an explosive ratio in the container, causing an explosion in the confined space. A can of butane, a lighter, and somewhat of a death-wish would likely be enough (now THIS is how you get comments deleted from the internet - pontificate openly).

I guess the use of solid explosives has been from the inside too? In which case a firework might be enough.... though getting that in the machine might be hard. The right amount of explosive on the latches and lock mechanism might work, I s'pose there might be some kind of "law enforcement" sticky bombs for opening locks out there?

Gas is probably the better approach.

1
0
Anonymous Coward

You'd go from the bottom if you used methane. But butane might be easier to come by, not from lighter fuel but rather camp stove or heating torch fuel; both come in portable canisters and share a common connection and hosing system. Butane's heavier than air so you need to fill it from the top and use a different hole for the flame.

1
0
Silver badge

Usually not solid explosives but gas. Propane, butane, LPG, whatever. Plus a roll of gaffer tape/duct tape to seal the ATM housing.

I hear you can tell the guys who use a lighter from the guys who use some sort of remote trigger by the singe marks.

2
0
Silver badge

Theoretical?

Nitric acid, sulphric acid and cotton wool will render a large enough quantity of nitro cellulose and ALL are available on your favourite tat bazzars for less than 20 quid. Chances of losing a finger?

Practically nil provided care is taken and temps kept low.

Wanna knock it up a notch? Pentaerythritol, again, readily available in "hobby" quantities.

Want to guess what 5oz of PETN will do to a cash machine? Just about blow it to pieces is what.

There's no longer any need to "acquire" military explosives when they can be readily made at home.

Go on fleabay / Amacon now, salt petre, acids, PET, sulphur, glycerin, AN and charcoal are ALL available.

Mix em up in particular orders and you have an explosive arsenal capable of great destruction.

0
0
Anonymous Coward

Re: Theoretical?

Isn't PETN notoriously unstable, though, which is why it's usually only the purview of the skilled and the crazy? As for guncotton, that's a solid explosive and more difficult to pack into a space with limited ingress, not to mention it's trickier to set off in such a confined space. Especially if you are or have access to a farmer, you probably have an easier time getting the materials for homemade ANFO (both fertilizer and diesel are regularly used by farmers and can probably be acquired in quantities too small for them to notice--Oklahoma City used homemade ANFO in a truck, and IIRC one of the bombers owned a farm). And farmers are one of the few people who would have a legitimate use for excavation charges (the worst school massacre in American history was committed by a farmer using his excavation charges).

Lastly, I think it's cheaper to just buy a camp stove or torch bottle, which on this side of the water runs about $8 a bottle. And since people regularly use blowtorches and camp stoves...

0
0
Silver badge
FAIL

Bang!

My Czech friends told me a "funny" story. There was a party at an architect's modern, mostly glass, house. The house plan was U shaped with the open part of the U facing a downhill slope. Some idiot had purloined a military thunderflash, unfortunately it was the type that simulates a shell exploding. The numpty armed it (I don't know how you actuate these things) and rolled it down the sloping lawn. BOOM! There was no more glass in any of the windows. Party over :(

2
0

Scanned headline, text, and comments for the phrase..

..'brute force attack'.

Leaving disappointed.

1
0
Silver badge
Coat

Recycle that phone

Just in time, a use for all those Samsung Note 7s. Grab the bills before they burn!

The one with the smoking pocket.

0
0

Nothing compares to a good old explosion :d

0
0
Silver badge
Mushroom

There are very few problems that cannot be solved by a suitable application of high explosives

7
0
Mushroom

"The majority were explosive gas attacks"

I'm intrigued as to how you'd make that work. Obviously, I know about gas explosions - but they require a reasonable volume of gas which must be hard to arrange near an ATM and aren't directional. Thoughts? Drill a hole and pipe in oxygen/acetylene? (Or ethyne, as I believe the young people call it nowadays)

0
0
Anonymous Coward

You forget that you can use methane or butane as long as you get the mix right. But if you place a flame on the opposite end of the enclosure, you'll get there eventually (proof: the MythBusters did it with a port-a-potty), plus it gives you time to clear the blast zone. As for directionality, the ATM housing is enclosed; there's your directionality. The trick to remember is that methane is lighter than air (so pipe from the bottom) and butane is heavier (pipe from the top).

0
0


The Register - Independent news and views for the tech community. Part of Situation Publishing