Physical access
Now there's ya problem!
Cash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed "jackpotting" because the ATMs look like slot machines paying out winnings. A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to …
"dollar bills" ?
This might be read as you thinking that US ATMs actually contain $1 bills, as opposed to larger denominations. I know what you meant. It just parses wrong(ish) in Americanese, which I can comprehend.
Does the phrase "Pound Note" mean one UK Pound, or does it include fifty pound notes?
Does the phrase "Pound Note" mean one UK Pound, or does it include fifty pound notes?
I'm from the UK and a "pound note" can only have a value of one pound*. Same idea for "dollar bill" and I had the same reaction as you to the article wording.
* However, I am old enough to remember their withdrawal 30 years ago, which may or may not be relevant.
Agreed, I would tend to use Sterling notes to denote a variety of higher bills. But then I live in Scotland where no fewer than 4 different bill types circulate. My wallet currently contains one bill from the Clydesdale and one from BoS.
When we vote for Indy we could decide to keep the paper bills as they are, would certainly be cheaper. We just tell the banks that instead of depositing £1 in electronic funds for every £ issued in Threadneedle Street they have to deposit it in the Edinburgh Treasury instead. Then we just have to worry about the coinage. To help we could persuade RBS to reissue the £1 note.
R-ADF noted, "a 'pound note' can only have a value of one pound....withdrawal 30 years ago..."
Mike Brewer from Wheeler Dealer in an episode several years ago offered "pound notes" when buying an old car for Edd China to fix. I took it to imply "cash", as opposed to actual one pound notes.
In North America, a "dollar bill" is a $1 bill. I've not heard it used to mean "cash".
Physical access that requires switching of the machine, replacing the hard drive which requires "internal" physical access, then rebooting the machine all the while being unnoticed by anyone.
Something is weird here, either their are bank employees, Siemens Nixdorf employees or security guards who have the keys involved here, How the hell does the average Joe get access to the internals of the ATMs, nost of which are behind brick walls....?
My thought too, unless the risky outlets in supermarkets for example are exposed in standalone format.
In any case, particularly in Mexico, why not just wait until the bank staff come to refill the machine? A swift crack on the head and no computer skills required. AND you get all of the dough instead of what must take ages to spew out of the slot.
Needless to say I am merely hypothesising, opposed to violent crime etc etc
"In any case, particularly in Mexico, why not just wait until the bank staff come to refill the machine? A swift crack on the head and no computer skills required. AND you get all of the dough instead of what must take ages to spew out of the slot."
Rob a man once and you're paid for a day, siphon off his paycheque and you're paid for the rest of your life. Armed robbery will get you a one-off payment; hacking an ATM to pay out on command will let you keep taking money every time it gets refilled. It will also be much more difficult to figure out who actually did anything or when they did it, as well as likely carrying a lesser penalty if someone actually gets caught.
I watched the Barnaby Jack video years ago. It's well worth your time if for no other reason than to appreciate the mindset of someone determined to get into one.
From memory*, he pointed out how the threat model was understood to be a case of protect the cash safe and not enough thought was given to protecting the PC itself which was accessible with a pretty simple key. A bit of social engineering would make your farting about non suspicious. Have two of you there, wear something resembling a uniform and bring a lanyard, and call the manager of the store an hour before you get there telling them that there has been an alert which requires a technician. Ask the manager to call some number when they arrive and when they leave "for security".
*at least I think it was that video, apologies if it was another.
You're thinking of the ones inside the store's walls with just the front of the machine available. It's the front they go through which most of the time isn't inside the store. There really isn't any "armor" on these things.
I've also seen more than a few machines that stand alone out by the parking lot or bank drive through. On those, I recall that a couple of guys were using a wrecker to pick up the machine and drive off with it.
"
Physical access that requires switching of the machine, replacing the hard drive which requires "internal" physical access, then rebooting the machine all the while being unnoticed by anyone.
"
The cash is behind armour plating, the PC is not. Breaking into the ATM's cash safe would take too long (unless you can remove the ATM and take it somewhere to work on undisturbed). Using a thermal lance to get into the cash safe quickly is no good, it would destroy most or all of the money, and mechanical cutting tools would take you all night.
But you can break into the PC compartment relatively quickly using a glorified can-opener, power down & swap the HDD, then boot into your hacked software which immediately instructs the mechanics to spew out all the money. I would hope that ATM's have some sort of tamper alarm, but a thief may know how to cut or break into the PC compartment without triggering it.
> What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught,
High risk of who being caught? Some gang foot soldier who got in to deep and is "paying off" their debt. Paraphrasing Lord Farquaad "some of you may get caught, but that's a risk that I'm willing to take".
To be honest, given the relative ease with which it could be done now, I am surprised there aren't more points in the money-go-round where note serial numbers get recorded.
You'd think with the previous mania for "big data" that there would have been some use for that data set.
But at the very least, a list of nicked notes would have given investigators a bit more to go on than they had before.
Or is that just my idea ?
But then you need a system for reading serial numbers when they're spent, otherwise the closest you'll get is finding out a week later when a shop takes it's cash into the bank that some of the stolen notes were used in a particular shop at some point in the last 24 hours (at least).
It's entirely possible that serial numbers are recorded when cash is loaded into the ATM, but unless you can track where it's spent it's not much use as evidence.
Dress like workmen and "service" the ATM during the day so its not suspicious that it is being opened up and the hard drive replaced. Those people need to be slick talkers in case someone at the location knows the "regular" service guy. Then you have a confederate come back in the middle of the night to "jackpot" it.
I would think that ATMs have some sort of tamper indication, but maybe that's easily bypassed. Maybe the firmware should call home if it detects the hard drive has been changed...
"Maybe the firmware should call home if it detects the hard drive has been changed..."
Or even some form of active monitoring so the owners know which of their machines are running low on cash, powered down, unexpectedly rebooting, system crashes etc.. You know, the normal stuff a sysadmin would be expected to do when looking after a fleet of computers.
They do know when they're running low on cash, and presumably the other stuff. I just wonder if they're worried about esoteric (at least at the time they were designed) attacks like breaking into it to replace the hard drive so they don't check for it. I'm sure they'd receive an alert when it is rebooted as part of the hard drive swap, but they probably ignore those alerts because 99% of the time they are from power outages or other stuff that had nothing to do with the ATM.
Here in Deepest South Flori-duh, we have _professionals_.
Step 1: a gentleman shows up at an ATM machine inside a premesis such as a drug store (Walgreens, CVS, I’m looking at _you_) or on the wall outside a supermarket or similar (Publix, Winn-Dixie, that’s _you_) and fiddles around with a debit card. Then goes to the manager of the establishment and says that there seems to be something wrong with the ATM. Manager says that it’s not his problem, it’s the bank’s (Chase, Wells-Fargo, that’s _you_) problem.
Step 2: the manager gets a phone call from, allegedly, the bank or whatever which owns the ATM. The call asks if anyone has reported a problem with the ATM. The manager, of course, says yes. The voice on the call says that they’ll send techs around to fix the issue, and asks the manager to be on the lookout for John Smith (or, as this _is_ Deepest South Flori-duh, Juan Diaz) with [bank] IT ID #12345678. And to call 305-555-SCAM when the tech arrives.
Step 3: Someone with a [bank] IT ID reading 12345678 shows up, asks the manager to call the office. ‘Tech’ opens up the ATM, fiddles around, tells manager that it’s fixed. Note: the ‘tech’ does NOT take out any cash. Nor does he swap out the hard drive, that’s alarmed.
Step 4: John Public uses the ATM. And the scanner installed inside it records the card info, complete with PIN, etc., and beams it back to the mothership.
Step 5: our heroes make copies of all the cards over a week or so and then roam wild for perhaps 24 hours before destroying the copies.
Step 6: do it again at a different ATM.
‘Jackpotting’ makes it obvious that that particular ATM is hacked. If you do it this way, you can milk many, many, MANY ATMs over a long period of time before the cops work out which ones are trapped, and by that time you’ve moved on to other machines. You don’t make as much at one time as with ‘jackpotting’, but you make a lot more over time. Slow and steady wins the race, boyz.
I just love Deepest South Flori-duh. I really do.
Why weren't ATMs designed with bespoke electronics? It's not like it needs much computing power, and a PC running Windows is complete overkill. An 8-bit CPU could handle everything required with ease (including a LAN driver), the hardware would cost a fraction of a PC motherboard despite being bespoke and the PSU would also be a fraction the cost of a PC PSU and it would be virtually unhackable. Heck, you could put the firmware onto a 32kB or 64kB OTP soldered-in ROM. In the unlikely event that you need to upgrade the firmware within the life cycle of the ATM, swap out the entire CPU card - the cost will be less than £20, absolute tops. If you must have a fancy VDU display capable of displaying videos, use something such as the Raspberry Pi.
...years ago my college had a freestanding ATM kiosk mounted on a steel pole near a road.
Two men decided to uproot it and drive away using a pickup truck and some steel cable. Secured cable only to the rear bumper. When the driver punched it the bumper fell off. In a panic, they left the scene... Leaving behind the bumped and license plate.