Card-Sniffing Malware On Diebold ATMs

angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."

In Soviet Russia...

[Pyrus.mg (1152215)]

the banks hold up you.

Re:

[zonky (1153039)]

only if windows has actually been activated [englishrussia.com]

Re:

[Anonymous Coward]

the banks hold up you.

I thought for that joke there was supposed to be a reversal in there somewhere?

On Soviet Slashdot

[pisto_grih (1165105)]

joke reverses you!

Re:

[daveime (1253762)]

Yup, in the same context that Eve didn't FORCE Adam to eat the fucking apple !

Credit + US Citizen == Carrot + Donkey

Re:

[WhatAmIDoingHere (742870)]

So, fat people were FORCED to eat McDonalds simply because it was there?

No, you're wrong. The banks said "If you want, you can borrow some money." It's the people who jumped all over themselves to spend more than they make.

Re:In Soviet Russia...

[daveime (1253762)]

Umm, no ... the banks said something more akin to ...

Want some money, we got lots of money, want more money that you can afford, no problem, we'll give you 10 times your salary, even though the recognised multiplier is just 3.

And with low low interest rates, what could possibly go wrong ? Also, while you're here, would you like to borrow more money for a car, and a holiday, and that 80" flatscreen TV ? How about a new kitchen ? We can also give you credit cards with more spending power than God.

And what the heck if the sum total of all your credit comes to 5 times more than you can conceivably earn in your lifetime, this is the American Way (TM).

Track record?

[Tubal-Cain (1289912)]

As far as ATM venders go, how does Diebold rank in security?

Re:Track record?

[ScentCone (795499)]

As far as ATM venders go, how does Diebold rank in security?

Does it really matter, when their customers are allowing the bad guys to physically work with the machines? Bad guys who get to touch system like that have a real leg up. Machines that - even if the user allows the bad guy to play with the hardware - could withstand a serious onslaught by organized Russian techie criminals would probably be substantially more expensive for the average [Insert Name of Russian 7-11 here] or their banking vendor to deploy.

Re:

[squidinkcalligraphy (558677)]

As far as ATM venders go, how does Diebold rank in security?

Does it really matter, when their customers are allowing the bad guys to physically work with the machines?

Yes it does matter; security is a chain as strong as its weakest link. Proper encryption and authentication systems could/should have been used here to harden the weak link of physical access. As for cost of deployment, well, security organisations (including banks and Diebold) live on their reputations to keep things out of the hands of criminals. If they fail to do this, their security suffers. We're talking about Diebold here, not some two-bit Russian ATM provider.

Re:Track record?

[hairyfeet (841228)]

You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

Re:Track record?

[Jamie's Nightmare (1410247)]

the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around

Why? Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data. A lot can go wrong with an ATM. From faulty hardware to sloppy programming.

It's far more likely that in this case the benefit comes from simplicity in the hardware and software design, not anything to do with OS/2. From your description, the whole design is much older. Whatever bugs that may be present in the software or the operating system don't interfere with the machines day to day operation, so from the standpoint of a casual observer, it's perfect.

Using this single (biased) example as an endorsement for using OS/2 isn't insightful, it's just stupid.

Re:Track record?

[Anonymous Coward]

But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work.

You're thinking like an engineer. Think like a marketroid. You know...

"...If it ran Windows, we could put advertisements on it. And not just text ads like 'walk around the corner and ask for a loan', I mean full-screen animated ads of cute families overjoyed because they have credit cards, you know, like TV, and the customer would have to watch the ads, because if they walk away during the 5-second interstitial ad, they don't get the $100 they're trying to withdraw!"

CAPTCHA: "annoyed". Once again, Slashdot imitates life. Or at least, the fucking ATM going "ding" (with the same DING.WAV that's been in Windows since 3.1, what a dead giveaway as to what OS they're running) that I used this afternoon.

Anyways. Fucktards. Fucktards one and all. It's St. Paddy's day, and I'm finally drunk enough to take my engineering hat off and put my marketroid hat on. Fortunately, I'll be sober in the morning. Unfortunately, the marketroids will still be running the show.

Re:

[IntlHarvester (11985)]

You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

Hah, please tell me someone copy-pasted this from a Slashdot thread circa 2001.

If not, your ATM runs Microsoft OS/2 1.3, btw.

Re:Track record?

[wiredlogic (135348)]

Many older ATMs used to run OS/2 and were rock solid dependable. It also helps that IBM was a key player in developing the crypto hardware in those machines and they had the expertise to ensure everything was locked down and tamperproof.

What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

Re:Track record?

[Gollum (35049)]

I did some work for a local bank, and their ATM's were running Windows XP (not embedded), IIS (can't remember the version), and IE. This was to allow them to serve "rich content" (movies, images, animations, etc), without having to write it all themselves. The ATM just had IE talking to IIS, and displaying the results in "kiosk mode". The buttons on the sides of the screen were mapped to keys on the keyboard (I think), and that's how it ran.

I specified a full set of ports that needed to be accessible to the ATM controllers, and that was all that was supposed to be accessible from the network.

However, if you can get access to the back of the machine, it has a second monitor, keyboard and mouse, and you can access the OS, and do whatever you want to do. I *THINK* that the keyboard and mouse were locked away in the vault (or at least behind a door), but the hardware itself is pretty standard PC, so I don't imagine that it would be particularly difficult to add a USB keyboard or mouse and gain access when rebooting the device. Maybe even boot from a USB disk or similar.

The reality is that if you have physical access to practically anything, it is game over.

Personally, I would have been a lot happier to see a stripped down Linux kernel + minimal OS, BIOS passwords, bootloader passwords, etc than the entire Windows stack. Less to verify == more security.

Re:

[Gollum (35049)]

Care to elaborate a little?

What do you consider a "proper OS"?

Re:

[L4t3r4lu5 (1216702)]

HURD.

Re:

[Carlosos (1342945)]

Breaking in into a bank through the ATM machine is probably the worst idea ever. Banks (or at least the banks I worked at) have a motion detector in the room behind the ATM. Only once I saw a bank that had an ATM removed and just covered up with plywood from the outside while the motion detector was disabled in that room. Triggering the ATM alarm is worse than the premises alarm because the premises alarm gets triggered sometimes from cleaning personnel or other employees but for the ATM room you need a spe

Maybe there could be gov. regulation of ATM design

[Futurepower(R) (558542)]

There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98.

That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.

Re:

[zonky (1153039)]

I've certainly seen a number of ATM's running Windows 2000 Professional, but windows 98! *shudder*

Re:

[mlts (1038732)]

Ages ago in the past, OS/2 was the ATM platform of choice. Now, its either Windows 2000 Pro, or XP Embedded.

As for Windows 98, I can see that being used, but the ATM would require a watchdog card. This is a special hardware card that automatically resets the machine should the watchdog driver not send pulses after a certain period of time, or if a certain application is not present and running. This case, Windows 98 can be used, because if the ATM's app crashes, the card will reset the machine to a hopef

Re:Maybe there could be gov. regulation of ATM des

[v1 (525388)]

over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.

If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.

ATMs struck by the W32/Nachi worm

[rs232 (849320)]

'over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems do't count'

That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.

'Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi [infoworld.com] wo

Re:

[RMH101 (636144)]

...which I can guarantee is not hooked up to the PS2 port on the ATM PC. Your point?

Re:

[L4t3r4lu5 (1216702)]

Exploit an ATM from the card reader?

You've watched D.A.R.Y.L. [wikipedia.org] one too many times.

I saw one

[Jeremy Visser (1205626)]

No citation provided, but I saw one running Windows 98 in the touristy district of the Spanish city of Santiago de Compostela [google.com] (right near the cathedral).

I wasn't game enough to trust my debit card with it, but a passerby used it, and boy was it slow. You could see the individual images redrawing on the screen. It's been so long since it was last updated that the CRT monitor has the text burnt into its screen. (Although I thought modern CRTs were supposed to be immune to burn-in.)

Re:

[L4t3r4lu5 (1216702)]

If only it were one specific banking establishment. Diebold sell ATMs to all banks.

Money under the matress much?

Re:

[pgn674 (995941)]

Wow, especially considering extended support retired in July 2006 [microsoft.com].

Obviously a product of the LAUSD

[Amazing Quantum Man (458715)]

Since when is Sao Paulo, Brazil in the middle of Russia?

Maybe an attempt to prove incompetence?

[brxndxn (461473)]

From the last few US presidential elections where statistics where typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:

1. Diebold fixed the elections (a)
or
2. Diebold is completely incompetent (b)

But then.. People would argue that #2 is invalid because Diebold has atms all over the world that count money.. and they never have problems - so something as simple as voting should be easy.

Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:

3. Diebold is fabricating their own incompetence (c)
or
4. Diebold is really incompetent (d)

(d) = (b)

so..

((a) or (b)) and ((c) or (d))

so..

((a) or (b)) and ((c) or (b))

so..

((a) and (c)) or (b)

which translates to:

Why the fuck do we trust Diebold with anything?

Re:

[AHuxley (892839)]

Diebold makes good cash machines because there is revenue stream, making a product as good as banks request them.
Diebold got into voting because it was testing the water and made a product down a price point.
If states wanted good voting machines they should have thought of that in the contracts.
A bit like toxic paints on toys or plastics in food.
Next time ask for quality and spell out exactly what you want.

Should of not droped OS/2 For windows on the ATMs

[Joe The Dragon (967727)]

Should of not droped OS/2 For windows on the ATMs. Also was the administrative passwords set to the default like the other ATM's that got hacked?

Is the locked-down version of Windows that Diebold provides to locked down for some banks use? Locked in to Diebold for getting the windows updates? Vs being able to do it on your own / use your own WSUS system?

Are diebold voting machines just as easy or easier to hack?

obligatory xkcd link

[squidinkcalligraphy (558677)]

http://xkcd.com/463/ [xkcd.com]

Windows?

[geekmux (1040042)]

"...its ATM customers using the Windows operating system.

OK, stop. Did I just read what I think I just read? What...the...hell? Windows?

As if we don't have enough problems with the crooks that run the banks...

"using the Windows operating system"

[Anonymous Coward]

That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation.

Re:

[camperdave (969942)]

If it's running windows, the criminal may have only need communication access to the box. Windows security was designed by the same people who brought you Swiss Cheese.

Re:

[Haeleth (414428)]

No, he's thinking about the product sold in America under the name "Swiss cheese". This is not to be confused with the foodstuff popular in Europe that is also, confusingly, called cheese.

"Swiss cheese" is a waxy, rubbery, flavourless chemical solid that differs from regular "cheese" only in the fact that it has holes in. There are persistent rumours that it may be edible.

(Oh, and Emmental is a Swiss cheese. It gets made in France too, but then Cheddar, an English cheese, gets made all over the world, so

Re:

[AHuxley (892839)]

If it was "linux,mac" they would have to steal the whole unit and take it back to the small shared apartment.
After letting the two large dogs and other families children have a sniff and look at the flashing lights, they would have to extract and study the code.
A week later, they would be out looking for a windows ATM, thankful that everybody studied banking at Moscow U and learned windows.

whatever is just a vulnerable ..

[rs232 (849320)]

'That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation'

You wouldn't use a desktop OS in such a situation. A small embedded obfuscated encrypted OS performing a small set of dedicated functions. Not a modified Windows OS that could be compromised using a few DLL redirects ..

'The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code [sophos.com] t

NSF

[castorvx (1424163)]

A problem has been detected and windows has shut down to prevent damage to your bank account.

MONEY_LESS_OR_EQUAL

Y2K...

[rthille (8526)]

Somewhat OT, but my wife was one of the early recipients of a credit card which expired after 1999. She used to crash gas pumps whenever she tried to pay at the pump.

Diebold card skimming detection technology

[rs232 (849320)]

'Diebold, .. releases its new Advanced Skimming Detection technology [thomasnet.com] for automated teller machines (ATMs). This fraud-deterrence technology .. is the most effective method to guard against card skimming, the act of retrieving consumers' account information from their ATM card magnetic strips via a fraudulent device illegally attached to an ATM'

It would have been more technologically secure to not use magnetic strips in the first place and design a machine that only worked with authorized hardware. Someth

Diebold and ATM message protocols ..

[rs232 (849320)]

'ATM message protocols such as NCR's NDC and Diebold's 911/912 are based on ISO 85/83, a 20-year-old standard that industry observers agree looks pretty creaky in the age of Internet standards like XML'

'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'

'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows [gokis.net], IFX is going to be a far smoother and more intuitive move."'

dangers of running native x86 code ..

[rs232 (849320)]

I wonder would Chrome have prevented such a hack [sophos.com]?

'Google Chrome is implementing support to run native x86 code [ezinearticles.com] from within the browser'

Re:

[AndrewNeo (979708)]

CE is not a consumer OS, it's meant to be embedded.. a better question is why are they running 98, instead of CE, when you get full source for CE and the licenses are cheaper, too. Though maybe they get an OEM discount for buying and building x86 machines bundled with Windows? (Or they were just stripping Dells? *shudder*)

Re:

[Lumpy (12016)]

One of the best scams in the world was to buy a used atm and then put custom software on it to harvest info and then plop the whole thing in a mall. come back in a week and you got a CRAPLOAD of cards and pins.

Simply program it to act normal but it cant connect to the bank and spit the card back out.

Honestly I am sure this will still work today. Back in the lat 90's they caught a group of guys around Detroit doing this.

Re:

[shentino (1139071)]

True, but the banks might turn around and sue diebold for damages if the hackability was a breach of diebold's warranty...

AND diebold didn't be a sleaze and put "your exclusive remedy is a full refund and we disclaima ll warranties" such and such...

Sounds like the banks are going to get ripped off. Poetic justice perhaps but diebold should still eat the dogfood it served.

Re:

[Anonymous Coward]

Windows programmers are much cheaper than Linux programmers.

You get what you pay for. In the case of security-critical technology I'd have hoped people would pay for something good. How naive of me.

Re:

[MadnessASAP (1052274)]

Well yes and no, it's like safe building. You can get a very, very, very expensive safe that will take the best man in the world 100 hours to break through or you can get a cheaper one thta my only take a reasonably skilled person 12 hours to open. But the bigger question about these ATMs is why do they need so much hardware? They should be little more then a microcontrolelr then encrypts and decrypts data to and from a mainframe. No fancy videos, hard drives, high speed internet links. if they break i