Card-Sniffing Malware On Diebold ATMs 143
angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."
Re:Track record? (Score:5, Insightful)
Does it really matter, when their customers are allowing the bad guys to physically work with the machines? Bad guys who get to touch system like that have a real leg up. Machines that - even if the user allows the bad guy to play with the hardware - could withstand a serious onslaught by organized Russian techie criminals would probably be substantially more expensive for the average [Insert Name of Russian 7-11 here] or their banking vendor to deploy.
Maybe an attempt to prove incompetence? (Score:5, Insightful)
From the last few US presidential elections where statistics where typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:
1. Diebold fixed the elections (a)
or
2. Diebold is completely incompetent (b)
But then.. People would argue that #2 is invalid because Diebold has atms all over the world that count money.. and they never have problems - so something as simple as voting should be easy.
Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:
3. Diebold is fabricating their own incompetence (c)
or
4. Diebold is really incompetent (d)
(d) = (b)
so..
((a) or (b)) and ((c) or (d))
so..
((a) or (b)) and ((c) or (b))
so..
((a) and (c)) or (b)
which translates to:
Why the fuck do we trust Diebold with anything?
Re:Maybe there could be gov. regulation of ATM des (Score:5, Insightful)
over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.
If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.
Windows? (Score:5, Insightful)
"...its ATM customers using the Windows operating system.
OK, stop. Did I just read what I think I just read? What...the...hell? Windows?
As if we don't have enough problems with the crooks that run the banks...
"using the Windows operating system" (Score:5, Insightful)
That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation.
Comment removed (Score:5, Insightful)
Re:Track record? (Score:5, Insightful)
the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around
Why? Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data. A lot can go wrong with an ATM. From faulty hardware to sloppy programming.
It's far more likely that in this case the benefit comes from simplicity in the hardware and software design, not anything to do with OS/2. From your description, the whole design is much older. Whatever bugs that may be present in the software or the operating system don't interfere with the machines day to day operation, so from the standpoint of a casual observer, it's perfect.
Using this single (biased) example as an endorsement for using OS/2 isn't insightful, it's just stupid.
Re:Track record? (Score:4, Insightful)
You're thinking like an engineer. Think like a marketroid. You know...
"...If it ran Windows, we could put advertisements on it. And not just text ads like 'walk around the corner and ask for a loan', I mean full-screen animated ads of cute families overjoyed because they have credit cards, you know, like TV, and the customer would have to watch the ads, because if they walk away during the 5-second interstitial ad, they don't get the $100 they're trying to withdraw!"
CAPTCHA: "annoyed". Once again, Slashdot imitates life. Or at least, the fucking ATM going "ding" (with the same DING.WAV that's been in Windows since 3.1, what a dead giveaway as to what OS they're running) that I used this afternoon.
Anyways. Fucktards. Fucktards one and all. It's St. Paddy's day, and I'm finally drunk enough to take my engineering hat off and put my marketroid hat on. Fortunately, I'll be sober in the morning. Unfortunately, the marketroids will still be running the show.
Re:Uh...why are they running Windows? (Score:2, Insightful)
You get what you pay for. In the case of security-critical technology I'd have hoped people would pay for something good. How naive of me.
Re:In Soviet Russia... (Score:4, Insightful)
Umm, no ... the banks said something more akin to ...
Want some money, we got lots of money, want more money that you can afford, no problem, we'll give you 10 times your salary, even though the recognised multiplier is just 3.
And with low low interest rates, what could possibly go wrong ? Also, while you're here, would you like to borrow more money for a car, and a holiday, and that 80" flatscreen TV ? How about a new kitchen ? We can also give you credit cards with more spending power than God.
And what the heck if the sum total of all your credit comes to 5 times more than you can conceivably earn in your lifetime, this is the American Way (TM).
Re:In Soviet Russia... (Score:1, Insightful)
The government controlling every bit of people's lives isn't going to cure stupid.