Question - how did they manage to load malware onto the ATM in order to compromise it?
Cops find ATM spewing cash, car with dodgy plates, stack of $20 bills and hacking kit inside
US authorities have arrested a pair suspected of being involved in a recent wave of Automatic Teller Machine "jackpotting" heists. The crimes came to light in late January 2017 when ATM-makers Diebold and Nixdorf warned banks to be on the lookout for jackpotters in the US. The US Secret Service weighed in with its own news …
COMMENTS
Tuesday 6th February 2018 13:18 GMT JeffyPoooh
"...ATM's are just PCs..."
In a lovely tropical country that I have visited on several occasions, the PC was itself visible through a window. Wires and things were connected to the "ATM" shaped User Interface hardware. It looked like somebody had used the front of an old ATM and a PC to build a homemade ATM.
To their credit, it worked.
Tuesday 6th February 2018 11:40 GMT phuzz
The previous article explained in some more depth, but generally they make a hole in the casing so they can plug cables or devices straight into the PC running the ATM.
Even the best secured machine will be in trouble if an attacker can get physical access to the hardware, and not all ATMs are particularly secure. Some of them run Windows XP Embedded ffs.
Tuesday 6th February 2018 13:19 GMT Antron Argaiv
XP Embedded
> Some of them run Windows XP Embedded ffs.
Which I happen to know, has autorun enabled by default on USB drives.
CSB: Where I work, we did a job for a client, using WinXP Embedded. Client comes back a while later, complaining that the system isn't working right. We take a look at what's on the USB stick he gave us, and yup, autorun malware -- our antivirus pops up and tells us.
So we go back to the client and ask: you used only the USB sticks we gave you to dump data, right?
Nope. They had misplaced them and borrowed one.
Re-image machine, jump through appropriate hoops to shut OFF default autorun, return to client.
We now use Linux for embedded stuff. Microsoft licensing was excruciatingly painful.
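The "hoops" for shutting off default AutoRun that the comment above mentions are a pair of Explorer policy values in the registry. The script below is an added example, not code from this thread or from any ATM vendor: it audits those values, optionally applies the hardened setting, and lists any autorun.inf on attached removable media together with the directives that would launch a program. It assumes a Windows host with PowerShell 3.0 or later (so not XP itself, where the same registry values would be set with reg add) and an elevated shell when -Fix is used; the drive letters and file paths it reports come from the machine it runs on.

```powershell
<#
  Added example (not from the thread or any vendor). Audits the Windows AutoRun policy,
  optionally hardens it, and reports autorun.inf files on removable drives.
  Assumes PowerShell 3.0+ on Windows; -Fix requires an elevated shell.
  NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is suppressed:
  0xFF covers every type, while the historical XP default 0x91 leaves removable
  drives (bit 0x04) enabled, which is the gap autorun malware relies on.
#>
param([switch]$Fix)

$PolicyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDriveTypes = 0xFF

function Get-AutorunPolicy {
    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    # An absent value means the OS default applies (0x91 on XP).
    $mask  = if ($null -ne $p.NoDriveTypeAutoRun)  { [int]$p.NoDriveTypeAutoRun }  else { 0x91 }
    $honor = if ($null -ne $p.HonorAutorunSetting) { [int]$p.HonorAutorunSetting } else { 0 }
    [pscustomobject]@{
        NoDriveTypeAutoRun  = ('0x{0:X2}' -f $mask)
        RemovableSuppressed = (($mask -band 0x04) -ne 0)
        HonorAutorunSetting = $honor
        Hardened            = ((($mask -band $AllDriveTypes) -eq $AllDriveTypes) -and ($honor -eq 1))
    }
}

function Set-AutorunDisabled {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun  -Value $AllDriveTypes -Type DWord
    # KB967715: without HonorAutorunSetting=1, older Windows builds do not honour the mask for all media.
    Set-ItemProperty -Path $PolicyPath -Name HonorAutorunSetting -Value 1 -Type DWord
}

function Find-RemovableAutorunInf {
    # Win32_LogicalDisk DriveType 2 = removable media. For each autorun.inf found, pull out
    # the directives that would start a program: open=, shellexecute=, shell\<verb>\command=.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $inf) {
            $launch = Select-String -Path $inf -Pattern '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' |
                      ForEach-Object { $_.Line.Trim() }
            [pscustomobject]@{ Drive = $_.DeviceID; Path = $inf; LaunchDirectives = $launch }
        }
    }
}

$before = Get-AutorunPolicy
$before | Format-List

if ($Fix -and -not $before.Hardened) {
    Set-AutorunDisabled
    Write-Host 'AutoRun policy set to disabled for all drive types; takes effect after logoff/reboot.'
    Get-AutorunPolicy | Format-List
}

Find-RemovableAutorunInf | Format-List
```

Run it as-is for an audit, or with -Fix from an elevated prompt to apply the hardened values. The Hardened flag only reports true when both values are set, because the mask alone is not enough on systems that predate the HonorAutorunSetting fix. The autorun.inf listing is a detection aid rather than a verdict: a stick carrying one is worth quarantining and scanning, as in the incident described above, since the file exists purely to have Windows start something when the drive is inserted.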
Tuesday 6th February 2018 15:01 GMT 404
Re: I believe...
Drive a nice grandpa/senior citizen type car too - they're known for taking up to 20 minutes to complete an ATM transaction. Often I wonder if they're doing hostile corporate takeovers or stock trades whilst waiting because I just don't get what in bloody hell they're doing up there...
Tuesday 6th February 2018 15:15 GMT Tigra 07
Re: I believe...
OAPs don't use ATMs. They get their money from the Post Office, converted into pennies, and then go to Tesco to spend it, creating massive queues and therefore creating cashier jobs in the local economy.
The rest of their time is spent in IKEA taking advantage of the free refills on Tea and Coffee and stealing little packets of sugar (speaking from personal experience).
Tuesday 6th February 2018 15:33 GMT Anonymous Coward
Re: I believe...
> Just find a slightly concealed ATM and bring a small concealable battery powered drill,
> a USB stick, and a balaclava. Easy
Bonus points for them if they bring a plastic hole-plug that they can later cover the hole with. Even more bonus points if it has the bank's logo on it, to make it look official. Hmm, I wonder how many times they could jackpot the same ATM like that before someone caught on? Err, wait a moment... maybe I shouldn't post this!
Tuesday 6th February 2018 14:45 GMT DougMac
COTS?
It blows me away that ATMs (and cash registers) are now COTS Windows PCs, networked to the Internet with about as much firewalling as a typical enterprise has.
I would have thought that with all the engineering experience, fairly custom, extremely hardened designs would be de rigueur, especially nowadays. No USB ports with auto-run on them behind some panel with virtually nothing to prevent intrusion.
I remember when the original crypto cards for ATM transactions came out, with all the layers of anti-tampering on them (e.g. critical battery traces potted in above the data traces). But nowadays, it seems like COTS wins the day, and instead of up-front engineering, they just spend it on after-the-fact cover-up and throw money at covering their losses instead of putting it up front.
The real scary attacks described on Krebs are the ones that infiltrate the whole bank's network, and can upload malware remotely, and have it jackpot any given ATM on demand.
Wednesday 7th February 2018 07:11 GMT Anonymous Coward
Re: COTS?
We are talking about Diebold here; analysis of their voting machines showed that either they didn't care about making them secure or just didn't know how to implement security.
They might use COTS but we don't (custom ARM boards with tamper protection baked in), running dual-signed software packages on a cut-down secure Linux distro.
Don't assume all payment companies are as stupid as Diebold/Nixdorf... but it's probably cheaper to use COTS if you want to write code using cheap developers. At a wild guess, these guys are not even using Win10 with UAC, and are probably writing code in VB or .NET.
If nothing else, they deserve to lose PCI certification if they are running code from a non-secure source like USB.
Anon obviously, as I work for a competitor.