Cops find ATM spewing cash, car with dodgy plates, stack of $20 bills and hacking kit inside

US authorities have arrested a pair suspected of being involved in a recent wave of Automatic Teller Machine "jackpotting" heists. The crimes came to light in late January 2017 when ATM-makers Diebold and Nixdorf warned banks to be on the lookout for jackpotters in the US. The US Secret Service weighed in with its own news …

  1. Anonymous South African Coward Bronze badge

    Question - how did they manage to load malware onto the ATM in order to compromise it?

    1. Anonymous Coward

      Modern ATMs are just PCs with a card reader and a few other bits of hardware attached...

      Some of them even have hidden USB ports !

      1. Destroy All Monsters Silver badge

        Where are the USB ports?

        Or can you load a chip card into them with a special "upload this!" chip on it?

        Also

        > all that ingenuity and lust for free money

        > not becoming bankers

        1. jtuomi

          You can find information on jackpotting here:

          https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

      2. JeffyPoooh

        "...ATM's are just PCs..."

        In a lovely tropical country that I have visited on several occasions, the PC was itself visible through a window. Wires and things were connected to the "ATM" shaped User Interface hardware. It looked like somebody had used the front of an old ATM and a PC to build a homemade ATM.

        To their credit, it worked.

    2. phuzz Silver badge

      The previous article explained in some more depth, but generally they make a hole in the casing so they can plug cables or devices straight into the PC running the ATM.

      Even the best secured machine will be in trouble if an attacker can get physical access to the hardware, and not all ATMs are particularly secure. Some of them run Windows XP embedded ffs.

      1. Antron Argaiv Silver badge

        XP Embedded

        > Some of them run Windows XP embedded ffs.

        Which, I happen to know, has autorun enabled by default on USB drives.

        CSB: Where I work, we did a job for a client, using WinXP Embedded. Client comes back a while later, complaining that the system isn't working right. We take a look at what's on the USB stick he gave us, and yup, autorun malware -- our antivirus pops up and tells us.

        So we go back to the client and ask: you used only the USB sticks we gave you to dump data, right?

        Nope. They had misplaced them and borrowed one.

        Re-image machine, jump through appropriate hoops to shut OFF default autorun, return to client.

        We now use Linux for embedded stuff. Microsoft licensing was excruciatingly painful.

        1. wayward4now

          Re: XP Embedded

          Screw Windows with something blunt. Can I get an amen??

    3. Tigra 07

      RE: ASAC

      I once waited in queue for a few minutes to get to an ATM only to discover the message "Windows is shutting down" and had to requeue for the next ATM.

      It appears a lot of modern ATMs still run Windows 98, which explains the insecurity.

      1. Sureo

        Re: RE: ASAC

        "...still run Windows 98 ..."

        The ones I worked on some years ago ran OS/2.

        1. Tigra 07

          Re: RE: ASAC

          The local shop has one of those ATMs with the typical sign: "staff don't have access to the money drawer"...Lies... I've seen the owner refilling the drawer with £10 notes on a few occasions.

  2. Anonymous Coward

    Diebold ?

    So they can 'jackpot' US Voting machines as well ?

    1. Anonymous Coward

      Re: Diebold ?

      yes... but only the politicians get the spewing $20 bills

    2. Antron Argaiv Silver badge

      Re: Diebold ?

      Yes, and look how well it worked!

      // ugh...

  3. msknight

    I believe...

    ...the location of the USB ports is known, so simply drill a hole in the front plate with the right kind of bit and you've got access.

    1. tony2heads

      Re: I believe...

      Wouldn't somebody notice you drilling into an ATM? Don't most now have cameras?

      1. SimonC

        Re: I believe...

        I'm sure they'd get a nice 20 second shot of a bloke dressed in all black wearing a balaclava

      2. Tigra 07

        Re: I believe...

        Just find a slightly concealed ATM and bring a small concealable battery powered drill, a USB stick, and a balaclava. Easy

        1. 404

          Re: I believe...

          Drive a nice grandpa/senior citizen type car too - they're known for taking up to 20 minutes to complete an ATM transaction. Often I wonder if they're doing hostile corporate takeovers or stock trades whilst waiting because I just don't get what in bloody hell they're doing up there...

          1. Tigra 07

            Re: I believe...

            OAPs don't use ATMs. They get their money from the Post Office, converted into pennies, and then go to Tesco to spend it, creating massive queues and therefore creating cashier jobs in the local economy.

            The rest of their time is spent in IKEA taking advantage of the free refills on Tea and Coffee and stealing little packets of sugar (speaking from personal experience).

        2. Anonymous Coward

          Re: I believe...

          > Just find a slightly concealed ATM and bring a small concealable battery powered drill,

          > a USB stick, and a balaclava. Easy

          Bonus points for them if they bring a plastic hole-plug that they can later cover the hole with. Even more Bonus points if it has the bank's logo on it, to make it look official. Hmm, I wonder how many times they could jackpot the same ATM like that before someone caught on? Err, wait a moment....maybe I shouldn't post this!

      3. Anonymous Coward

        Re: I believe...

        The cameras are no deterrent. People attach card trappers and fiddle with the cash dispensing conveyer (after forcing the shutter open with a large screwdriver) in broad daylight. Even with someone inside the ATM room banging on the wall to get them to fark off!

  4. Anonymous Coward

    USB

    The gift that keeps on giving!

    I am rather proud of the vast collection of "unusual" USB devices that I own.

    Hacked U3 enabled flash drives of yesteryear, modified Teensys, a few HID/USB Rubber Duckys, USB Kill, etc, etc.

    1. Anonymous Coward

      Re: USB

      Don't forget the USB-enabled dildos that could have "remote execution" enabled. The USB port would give access to a wi-fi link...

      ... that could, quite literally, screw the user, remotely.

  5. DougMac

    COTS?

    It blows me away that ATMs (and cash registers) are now COTS Windows PCs, networked to the Internet with about as much firewalling as a typical enterprise has.

    I would have thought that with all the engineering experience, that fairly custom extremely hardened designs would be de rigueur, especially nowadays. No USB ports with auto-run on them behind some panel with virtually nothing to prevent intrusion.

    I remember when the original crypto cards for ATM transactions came out, with all the layers of anti-tampering on them (e.g. critical battery traces potted in above the data traces). But nowadays, it seems like COTS wins the day, and instead of up front engineering, they just spend it on after-the-fact cover up and throw money at covering their losses instead of putting it up front.

    The real scary attacks described on Krebs are the ones that infiltrate the whole bank's network, and can upload malware remotely, and have it jackpot any given ATM on demand.

    1. Anonymous Coward

      Re: COTS?

      Totally agree with the COTS assessment.

      As to infiltrating the network: if you can do that, aren't there higher payoff and less risky ways to steal from them at that point?

    2. Anonymous Coward

      Re: COTS?

      We are talking about Diebold here; analysis of their voting machines showed that either they didn't care about making them secure or just didn't know how to implement security.

      They might use COTS but we don't (custom ARM boards with tamper protection baked in), running dual signed software packages on a cut down secure Linux distro.

      Don't assume all payment companies are as stupid as Diebold/Nixdorf... but probably cheaper to use COTS if you want to write code using cheap developers. At a wide guess, these guys are not even using Win10 with UAC, and probably writing code in VB or .NET.

      If nothing else, they deserve to lose PCI certification if they are running code from a non-secure source like USB.

      Anon obviously, as I work for a competitor.

  6. adam 40 Silver badge

    ... still run Windows...

    Nuff said.
