Forgot your password?
typodupeerror
Security The Almighty Buck

Card-Sniffing Malware On Diebold ATMs 143

Posted by kdawson
from the atm-russia-you-do-the-math dept.
angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."
This discussion has been archived. No new comments can be posted.

Card-Sniffing Malware On Diebold ATMs

Comments Filter:
  • by Pyrus.mg (1152215) on Tuesday March 17, 2009 @11:46PM (#27236963)
    the banks hold up you.
    • by zonky (1153039)
      only if windows has actually been activated [englishrussia.com]
    • Re: (Score:2, Funny)

      by Anonymous Coward

      the banks hold up you.

      I thought for that joke there was supposed to be a reversal in there somewhere?

    • In USSA banks rob you.

  • As far as ATM venders go, how does Diebold rank in security?
    • Re:Track record? (Score:5, Insightful)

      by ScentCone (795499) on Tuesday March 17, 2009 @11:52PM (#27237017)
      As far as ATM venders go, how does Diebold rank in security?

      Does it really matter, when their customers are allowing the bad guys to physically work with the machines? Bad guys who get to touch system like that have a real leg up. Machines that - even if the user allows the bad guy to play with the hardware - could withstand a serious onslaught by organized Russian techie criminals would probably be substantially more expensive for the average [Insert Name of Russian 7-11 here] or their banking vendor to deploy.
      • Why would an ATM allow access to anything but the needed functions?

        I couldn't imagine an ATM that ran a consumer OS.

        • Re:Track record? (Score:5, Insightful)

          by hairyfeet (841228) <bassbeast1968@gma i l . com> on Wednesday March 18, 2009 @01:39AM (#27237605) Journal

          You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

          My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

          • Re:Track record? (Score:5, Insightful)

            by Jamie's Nightmare (1410247) on Wednesday March 18, 2009 @03:40AM (#27238151)

            the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around

            Why? Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data. A lot can go wrong with an ATM. From faulty hardware to sloppy programming.

            It's far more likely that in this case the benefit comes from simplicity in the hardware and software design, not anything to do with OS/2. From your description, the whole design is much older. Whatever bugs that may be present in the software or the operating system don't interfere with the machines day to day operation, so from the standpoint of a casual observer, it's perfect.

            Using this single (biased) example as an endorsement for using OS/2 isn't insightful, it's just stupid.

            • by batquux (323697)

              It's far more likely that in this case the benefit comes from simplicity in the hardware and software design

              This is true. Something like an ATM doesn't even need an OS but it makes it a lot easier to produce, not to mention redesign and upgrade.

          • Re:Track record? (Score:4, Insightful)

            by Anonymous Coward on Wednesday March 18, 2009 @03:58AM (#27238243)

            But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work.

            You're thinking like an engineer. Think like a marketroid. You know...

            "...If it ran Windows, we could put advertisements on it. And not just text ads like 'walk around the corner and ask for a loan', I mean full-screen animated ads of cute families overjoyed because they have credit cards, you know, like TV, and the customer would have to watch the ads, because if they walk away during the 5-second interstitial ad, they don't get the $100 they're trying to withdraw!"

            CAPTCHA: "annoyed". Once again, Slashdot imitates life. Or at least, the fucking ATM going "ding" (with the same DING.WAV that's been in Windows since 3.1, what a dead giveaway as to what OS they're running) that I used this afternoon.

            Anyways. Fucktards. Fucktards one and all. It's St. Paddy's day, and I'm finally drunk enough to take my engineering hat off and put my marketroid hat on. Fortunately, I'll be sober in the morning. Unfortunately, the marketroids will still be running the show.

            • by neomunk (913773)

              No mod points today or else you'd get +1 Most-Insightful-Drunken-AC-Post-Ever

            • by Kijori (897770)

              Just for the record, I'm living in Russia and I've never had any adverts on ATMs here.

          • You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.

            My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.

            Hah, please tell me someone copy-pasted this from a Slashdot thread circa 2001.

            If not, your ATM runs Microsoft OS/2 1.3, btw.

          • by zMaile (1421715)
            I dont know much about it, but perhaps price is an issue? Is the Windows solution cheaper? I would understand why a bank would choose that option, even if I dont agree with it.
          • Pretty becomes an issue when you gain revenue displaying motion picture advertising and providing additional "value added" features.

            It isn't just Diebold. I work with a few different brands of ATMs and they all seem to be moving in the same direction.

            • by hairyfeet (841228)

              But mine with the good old OS2 machines have that now too! How? They just mounted a cheap little flat panel screen and speaker above the ATM. It is actually quite nice, with the pretty music and pointing out extra features and services you can choose from. And most importantly when it goes down the ATM still works.

              As an old greybeard who ran BeOS and OS2 during the 90s(I think I still have my Warp discs in a storage crate in my mom's attic somewhere) I can say without a doubt that the best OS lost. BeOS ra

          • by Lumpy (12016)

            Because you HAVE to upgrade!

            OS2 wont support the latest video card, sound card, or any of my usb devices!!!!

            OMG! I would just die if my ATM did not use my webcam and ipod!

            many times it's because bank executives are making the decision. windows based ATM's exist because some retarded moron of a bank executive asked for it.

          • by L3sPau1 (1503477)
            Good call on OS2, it's right under their noses. Like you said WTF. BTW, I've bookmarked an interesting video with Avi Rubin on e-voting machine security that kinda sorta relates. http://tinyurl.com/dehz2q [tinyurl.com]
        • No imagination required! Visit your local ATM today!
        • Re:Track record? (Score:5, Interesting)

          by wiredlogic (135348) on Wednesday March 18, 2009 @02:35AM (#27237883)

          Many older ATMs used to run OS/2 and were rock solid dependable. It also helps that IBM was a key player in developing the crypto hardware in those machines and they had the expertise to ensure everything was locked down and tamperproof.

          What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

          • Re:Track record? (Score:5, Interesting)

            by Gollum (35049) on Wednesday March 18, 2009 @03:02AM (#27237989)

            I did some work for a local bank, and their ATM's were running Windows XP (not embedded), IIS (can't remember the version), and IE. This was to allow them to serve "rich content" (movies, images, animations, etc), without having to write it all themselves. The ATM just had IE talking to IIS, and displaying the results in "kiosk mode". The buttons on the sides of the screen were mapped to keys on the keyboard (I think), and that's how it ran.

            I specified a full set of ports that needed to be accessible to the ATM controllers, and that was all that was supposed to be accessible from the network.

            However, if you can get access to the back of the machine, it has a second monitor, keyboard and mouse, and you can access the OS, and do whatever you want to do. I *THINK* that the keyboard and mouse were locked away in the vault (or at least behind a door), but the hardware itself is pretty standard PC, so I don't imagine that it would be particularly difficult to add a USB keyboard or mouse and gain access when rebooting the device. Maybe even boot from a USB disk or similar.

            The reality is that if you have physical access to practically anything, it is game over.

            Personally, I would have been a lot happier to see a stripped down Linux kernel + minimal OS, BIOS passwords, bootloader passwords, etc than the entire Windows stack. Less to verify == more security.

            • That's actually a fairly clever design. I would not want to even begin implementing UI-embedded video on a microcontroller-based ATM. But so long as the user's input capabilities are severely limited, it really would be possible to use the capabilities of a web app without sacrificing too much security.

          • What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

            I don't know about Diebold ATMs. For voting machines, here's a quote from this Slashdot [slashdot.org] story (March 03, 2009):

            Except that Diebold didn't make these machines. Premier Election Systems made them, and then was bought up by Diebold. - DrLang21 (900992)

      • As far as ATM venders go, how does Diebold rank in security?

        Does it really matter, when their customers are allowing the bad guys to physically work with the machines?

        Yes it does matter; security is a chain as strong as its weakest link. Proper encryption and authentication systems could/should have been used here to harden the weak link of physical access. As for cost of deployment, well, security organisations (including banks and Diebold) live on their reputations to keep things out of the hands of criminals. If they fail to do this, their security suffers. We're talking about Diebold here, not some two-bit Russian ATM provider.

        • They have physical access and are sniffing cards. How do you think you can prevent that by adding encryption or authentication?
          • They have physical access and are sniffing cards. How do you think you can prevent that by adding encryption or authentication?

            If it's malware, then they have gotten into the system's software somehow - it's not a physical card sniffing attack. Obviously physical access helps the attacker, but can still be secured against; think encrypted volumes, and a decent authentication system to stop uninvited guests accessing the system when it's running.

  • There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98.

    That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.
    • by zonky (1153039)
      I've certainly seen a number of ATM's running Windows 2000 Professional, but windows 98! *shudder*
      • I wouldn't put my card in one of those. What company, so I can never bank with them?

        • If only it were one specific banking establishment. Diebold sell ATMs to all banks.

          Money under the matress much?
      • Re: (Score:3, Informative)

        by mlts (1038732) *

        Ages ago in the past, OS/2 was the ATM platform of choice. Now, its either Windows 2000 Pro, or XP Embedded.

        As for Windows 98, I can see that being used, but the ATM would require a watchdog card. This is a special hardware card that automatically resets the machine should the watchdog driver not send pulses after a certain period of time, or if a certain application is not present and running. This case, Windows 98 can be used, because if the ATM's app crashes, the card will reset the machine to a hopef

        • by dargaud (518470)
          I'm currently trying to used a hardware watchdog on a card design... but the watchdog proves less reliable than the main hardware itself ! Kind of defeats the purpose... C:-(
      • by v1 (525388) on Wednesday March 18, 2009 @12:37AM (#27237237) Homepage Journal

        over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.

        If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.

        • Just so you know, the ATMs of the largest retail bank in my country has keyboard at them.

          • by RMH101 (636144)
            ...which I can guarantee is not hooked up to the PS2 port on the ATM PC. Your point?
        • 'over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems do't count'

          That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.

          'Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi [infoworld.com] wo
          • by v1 (525388)

            That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.

            The ATMs run on their own encrypted (VPN) network, a bit like a darknet. Just because they're using the internet doesn't make that an easy vector. It's like saying your company's internal network isn't secure if your offices are connected with a VPN. As long as the exterior doors are secure, internal security is irrelevant.

            That worm was probably due to the fault of some ATM engineer

            • by G00F (241765)

              If an ATM is on a TCP/IP network that is VPN'ed to another network that has access to the net. Then that ATM is effectively connected to the network. Sure they can block all ports and protocols but what they need. But I have seen so few companies employ an "allow whitelist only" for network or VPN.

              Further the worm W32.Welchia.Worm (as stated by the previous poster spreads over the network looking for two different vulnerabilities. Which tells me it wasn't an infected flash drive
              http://www.symantec.com/se [symantec.com]

      • No citation provided, but I saw one running Windows 98 in the touristy district of the Spanish city of Santiago de Compostela [google.com] (right near the cathedral).

        I wasn't game enough to trust my debit card with it, but a passerby used it, and boy was it slow. You could see the individual images redrawing on the screen. It's been so long since it was last updated that the CRT monitor has the text burnt into its screen. (Although I thought modern CRTs were supposed to be immune to burn-in.)

    • by Denihil (1208200)

      There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98. That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.

      waaait a second. so people actually put a atm running windows 98 in the middle of russia and expected it NOT to get immediately hijacked?

    • by pgn674 (995941)
      Wow, especially considering extended support retired in July 2006 [microsoft.com].
    • by shirque (1335717)
      You don't need Windows however to have Microsoft crash your cash dispenser - about ten years ago, I saw an ATM in Florence display A)nnulla, R)iprova, T)ralascia, E)limina? - which is of course the Italian equivalent of MS DOS's notorious yet futile Abort, Retry, Ignore, Fail? option menu upon hardware failure...
    • by jafac (1449)

      A Diebold ATM in my hometown was found crashed; apparently running XP. With an open DOS window and a flashing prompt. There was some dotNet class dump gobbledygook scrolled up in that window. I could enter numbers with the keypad, and the enter button would return "bad command or file name".

      I found it that way in the morning, and when I drove past later that afternoon, it was still sitting in that state. Scary.

  • Windows CE, XP, whatever, an ATM shouldn't be running a consumer OS for a variety of reasons (security holes, stability, error rate). Why not use either a very trimmed down Linux distro or roll your own OS? I mean, there is a bit of investment having to make the drivers and all- but surely it can't be too expensive to do (not with what is at stake).

    Still, it's a trojan (has to be put on individual ATMs) - and criminals would have to gain physical access to the computer inside the ATM, which would mean br
    • by AndrewNeo (979708)
      CE is not a consumer OS, it's meant to be embedded.. a better question is why are they running 98, instead of CE, when you get full source for CE and the licenses are cheaper, too. Though maybe they get an OEM discount for buying and building x86 machines bundled with Windows? (Or they were just stripping Dells? *shudder*)
    • by lwriemen (763666)

      IBM told them that OS/2 was dead.

    • Re: (Score:3, Interesting)

      by Lumpy (12016)

      One of the best scams in the world was to buy a used atm and then put custom software on it to harvest info and then plop the whole thing in a mall. come back in a week and you got a CRAPLOAD of cards and pins.

      Simply program it to act normal but it cant connect to the bank and spit the card back out.

      Honestly I am sure this will still work today. Back in the lat 90's they caught a group of guys around Detroit doing this.

  • by brxndxn (461473) on Wednesday March 18, 2009 @12:24AM (#27237183)

    From the last few US presidential elections where statistics where typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:

    1. Diebold fixed the elections (a)
    or
    2. Diebold is completely incompetent (b)

    But then.. People would argue that #2 is invalid because Diebold has atms all over the world that count money.. and they never have problems - so something as simple as voting should be easy.

    Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:

    3. Diebold is fabricating their own incompetence (c)
    or
    4. Diebold is really incompetent (d)

    (d) = (b)

    so..

    ((a) or (b)) and ((c) or (d))

    so..

    ((a) or (b)) and ((c) or (b))

    so..

    ((a) and (c)) or (b)

    which translates to:

    Why the fuck do we trust Diebold with anything?

    • by AHuxley (892839)
      Diebold makes good cash machines because there is revenue stream, making a product as good as banks request them.
      Diebold got into voting because it was testing the water and made a product down a price point.
      If states wanted good voting machines they should have thought of that in the contracts.
      A bit like toxic paints on toys or plastics in food.
      Next time ask for quality and spell out exactly what you want.
      • You'd think that counting "one vote for party A" as "one vote for party A" without losing any would be a basic feature of a voting machine, regardless of the quality specified in advance. Maybe Diebold don't inhabit the same universe as the rest of us, maybe they live in "politico-world" along with the rest of the crooks we vote for. I didn't know they did ATMs until I read this article, now I'm wary of my own ATM.

        Ain't an ATM well named for recycling money? Ass To Mouth also describes that same process.

    • by drinkypoo (153816)

      Why the fuck do we trust Diebold with anything?

      Who is this 'we'? If I see a Diebold ATM, I try to find another one. No joke. I've gone into banks and told them I won't use the ATM because I don't trust the company that has been proven to miscount votes to build anything else, either. (They love me. I also tell the bitches at Wells Fargo that I love my Credit Union because the money stays in the community when they ask me to open an account - which they do every month when I go pay my rent with cash, direct into my landlord's account. I'm not sure why th

  • Should of not droped OS/2 For windows on the ATMs. Also was the administrative passwords set to the default like the other ATM's that got hacked?

    Is the locked-down version of Windows that Diebold provides to locked down for some banks use? Locked in to Diebold for getting the windows updates? Vs being able to do it on your own / use your own WSUS system?

    Are diebold voting machines just as easy or easier to hack?

  • by squidinkcalligraphy (558677) on Wednesday March 18, 2009 @12:41AM (#27237269)
  • Windows? (Score:5, Insightful)

    by geekmux (1040042) on Wednesday March 18, 2009 @12:44AM (#27237295)

    "...its ATM customers using the Windows operating system.

    OK, stop. Did I just read what I think I just read? What...the...hell? Windows?

    As if we don't have enough problems with the crooks that run the banks...

    • Really, Windows was good enough for voting machines, shouldn't it work just as well for ATMs? Or maybe Diebold should just stick with the voting machine business!!!!
  • by Anonymous Coward on Wednesday March 18, 2009 @12:49AM (#27237331)

    That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation.

    • If it's running windows, the criminal may have only need communication access to the box. Windows security was designed by the same people who brought you Swiss Cheese.
      • by maxume (22995)

        The Swiss are notorious for their precision.

    • by AHuxley (892839)
      If it was "linux,mac" they would have to steal the whole unit and take it back to the small shared apartment.
      After letting the two large dogs and other families children have a sniff and look at the flashing lights, they would have to extract and study the code.
      A week later, they would be out looking for a windows ATM, thankful that everybody studied banking at Moscow U and learned windows.
    • 'That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation'

      You wouldn't use a desktop OS in such a situation. A small embedded obfuscated encrypted OS performing a small set of dedicated functions. Not a modified Windows OS that could be compromised using a few DLL redirects ..

      'The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code [sophos.com] t
  • NSF (Score:4, Funny)

    by castorvx (1424163) on Wednesday March 18, 2009 @01:05AM (#27237413)
    A problem has been detected and windows has shut down to prevent damage to your bank account.

    MONEY_LESS_OR_EQUAL
  • Y2K... (Score:5, Funny)

    by rthille (8526) <{gro.tagnar} {ta} {todhsals-bew}> on Wednesday March 18, 2009 @01:08AM (#27237435) Homepage Journal

    Somewhat OT, but my wife was one of the early recipients of a credit card which expired after 1999. She used to crash gas pumps whenever she tried to pay at the pump.

  • 'Diebold, .. releases its new Advanced Skimming Detection technology [thomasnet.com] for automated teller machines (ATMs). This fraud-deterrence technology .. is the most effective method to guard against card skimming, the act of retrieving consumers' account information from their ATM card magnetic strips via a fraudulent device illegally attached to an ATM'

    It would have been more technologically secure to not use magnetic strips in the first place and design a machine that only worked with authorized hardware. Someth
  • by rs232 (849320) on Wednesday March 18, 2009 @08:07AM (#27239341)
    'ATM message protocols such as NCR's NDC and Diebold's 911/912 are based on ISO 85/83, a 20-year-old standard that industry observers agree looks pretty creaky in the age of Internet standards like XML'

    'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'

    'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows [gokis.net], IFX is going to be a far smoother and more intuitive move."'
  • I wonder would Chrome have prevented such a hack [sophos.com]?

    'Google Chrome is implementing support to run native x86 code [ezinearticles.com] from within the browser'
  • I know a fair few banks in the UK use Windows in their ATM's. the Halifax/Bank of Scotland for one, i've seen their ATM's with windows ok/cancel error boxes rendering them totally useless, i've also seen a Lloyds TSB machine stuck on the Windows XP boot screen.
    I don't know who makes their ATM's (i'm guessing NCR as they have/had a big factory in Dundee) but Windows on ATMs isn't rare.

  • This kind of reminds me of the Denver International Airport baggage handling fiasco of a few years ago. They tried to implement a very complex, distributed, real-time baggage handling system using Windows NT. Needless to say, it failed and the entire system was scrapped after incurring costs in the $100s of millions of USD. Anyone who uses Microsoft operating systems for hard real-time or high-security applications are totally out of their minds and deserve whatever happens to them - like getting run over b
    • That failure was due to a fault NIC on a non-switched networks causing the whole network to feck'up
  • I may be wrong, but isn't this also the company that manufactured the voting machines that had been tampered with in the 2004 election? The name Diebold is awfully familiar to me, and I know I have read about them in the news before... and I am pretty sure it was for nothing good.

Luck, that's when preparation and opportunity meet. -- P.E. Trudeau

Working...