Security The Almighty Buck

Card-Sniffing Malware On Diebold ATMs

angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."

  • by Futurepower(R) ( 558542 ) on Tuesday March 17, 2009 @11:47PM (#27236981) Homepage
    There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98.

    That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.
  • Re:Track record? (Score:5, Interesting)

    by wiredlogic ( 135348 ) on Wednesday March 18, 2009 @02:35AM (#27237883)

    Many older ATMs used to run OS/2 and were rock solid dependable. It also helps that IBM was a key player in developing the crypto hardware in those machines and they had the expertise to ensure everything was locked down and tamperproof.

    What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.

  • Re:Track record? (Score:5, Interesting)

    by Gollum ( 35049 ) on Wednesday March 18, 2009 @03:02AM (#27237989)

    I did some work for a local bank, and their ATMs were running Windows XP (not embedded), IIS (can't remember the version), and IE. This was to allow them to serve "rich content" (movies, images, animations, etc), without having to write it all themselves. The ATM just had IE talking to IIS, and displaying the results in "kiosk mode". The buttons on the sides of the screen were mapped to keys on the keyboard (I think), and that's how it ran.

    I specified a full set of ports that needed to be accessible to the ATM controllers, and that was all that was supposed to be accessible from the network.

    However, if you can get access to the back of the machine, it has a second monitor, keyboard and mouse, and you can access the OS, and do whatever you want to do. I *THINK* that the keyboard and mouse were locked away in the vault (or at least behind a door), but the hardware itself is pretty standard PC, so I don't imagine that it would be particularly difficult to add a USB keyboard or mouse and gain access when rebooting the device. Maybe even boot from a USB disk or similar.

    The reality is that if you have physical access to practically anything, it is game over.

    Personally, I would have been a lot happier to see a stripped down Linux kernel + minimal OS, BIOS passwords, bootloader passwords, etc than the entire Windows stack. Less to verify == more security.

  • by rs232 ( 849320 ) on Wednesday March 18, 2009 @08:07AM (#27239341)
    'ATM message protocols such as NCR's NDC and Diebold's 911/912 are based on ISO 85/83, a 20-year-old standard that industry observers agree looks pretty creaky in the age of Internet standards like XML'

    'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'

    'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows [gokis.net], IFX is going to be a far smoother and more intuitive move."'
  • Re:Track record? (Score:3, Interesting)

    by Carlosos ( 1342945 ) <markusg@@@gmail...com> on Wednesday March 18, 2009 @08:35AM (#27239555)

    Breaking into a bank through the ATM machine is probably the worst idea ever. Banks (or at least the banks I worked at) have a motion detector in the room behind the ATM. Only once I saw a bank that had an ATM removed and just covered up with plywood from the outside while the motion detector was disabled in that room. Triggering the ATM alarm is worse than the premises alarm because the premises alarm gets triggered sometimes from cleaning personnel or other employees, but for the ATM room you need a special key that not everyone has.

    I'm also not sure that you can easily go into debug mode without anyone noticing (assuming some employee let you in that room) because the ATM technicians have to call Diebold before doing anything with the machine. They will know if someone unauthorized is using the ATM and restarting with a live CD won't work because that will also trigger an alarm.
    I'm guessing it was a Diebold employee that installed the malware since he would have been the only one who could have gotten that much access to it.

  • by Lumpy ( 12016 ) on Wednesday March 18, 2009 @09:16AM (#27239959) Homepage

    One of the best scams in the world was to buy a used ATM and then put custom software on it to harvest info and then plop the whole thing in a mall. Come back in a week and you got a CRAPLOAD of cards and PINs.

    Simply program it to act normal but it can't connect to the bank and spit the card back out.

    Honestly I am sure this will still work today. Back in the late 90's they caught a group of guys around Detroit doing this.
