Security

Cybercriminals Refine ATM Data-Sniffing Software 257

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."
  • How come? (Score:4, Interesting)

    by Anonymous Coward on Thursday June 04, 2009 @11:18AM (#28210077)

    I RTFA (yes, yes... I know) but I couldn't find the answer to the most obvious question... how does the rootkit get installed?
    If no physical access to the real PC inside the ATM is needed... that's really cool!
    But if you need to plug a USB drive in, this actually reduces the field of potential thieves by several orders of magnitude...

    M

  • by 91degrees ( 207121 ) on Thursday June 04, 2009 @11:23AM (#28210157) Journal
    Ultimately it comes down to "why not?" ATMs need an OS. The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development. Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer. It's easier to develop for Windows than to develop for a custom devkit.
  • Closed Network (Score:3, Interesting)

    by relguj9 ( 1313593 ) on Thursday June 04, 2009 @11:39AM (#28210355)
    Plus firewall, 'nuf said. The problem is when people break into the back of a machine and physically install malware on it... if you have people breaking in or social engineering their way into the back of a physically locked machine then you are going to have problems. I don't care if it's running some logic flow on an EEPROM, it's still going to be hacked.
  • ATMs in the UK (Score:4, Interesting)

    by Canazza ( 1428553 ) on Thursday June 04, 2009 @11:40AM (#28210385)

    There are many ATMs in the UK that use Windows XP as their OS of choice. I have personally seen crash screens and machines caught in a restart loop.

    Why they are using Windows, I don't know to be honest. Why they'd be using a Linux distro, I don't know. The banks probably don't know either; as far as I'm aware they get their ATMs from companies like NCR or IBM (or Diebold, as we've seen before) who are the companies who supply the software. It just so happens that the software they write is written for the Windows operating system. Remember, the cost of hiring someone who can programme for Windows is significantly less than for someone who can programme for Linux (as they will likely also be able to programme for Windows, thus, with a larger skill-set they'll demand more money). And a bulk licence for Windows where they're churning out 1,000+ ATMs boils down to next to nothing.

    The cheapest programmer, the cheapest hardware, a slightly costly OS. Something has to be a weak link, and the exploiters exploit it.

  • by auric_dude ( 610172 ) on Thursday June 04, 2009 @11:44AM (#28210465)
    A reasonable report via http://www.theregister.co.uk/2009/06/03/atm_trojans/ [theregister.co.uk] and something slightly more technical http://regmedia.co.uk/2009/06/03/trust_wave_atm_report.pdf [regmedia.co.uk] via Trustwave.
  • Re:but how? (Score:3, Interesting)

    by delire ( 809063 ) on Thursday June 04, 2009 @12:09PM (#28210845)

    Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

    Certainly there is plenty of corruption in the Eastern European countries, however it's not like other countries are spared the same problems; American TV producers can't seem to get enough of the Good Cop / Bad Cop diametric, as though heaven and hell had a street address. Why is it popular? Because it's a hot topic: people know corruption in the police sector is rampant in America.

    What of banks? You can almost be sure that banks in the West, now famous for their abusive secrecy and gambling, would not dare let their customers know the same thing was happening at an ATM near you. Having lived on both 'sides' of Europe, I wish you luck with those Reagan-era East/West generalisations.

  • by twistah ( 194990 ) on Thursday June 04, 2009 @12:12PM (#28210903)

    They run XP Embedded, which allows you to customize which components are used much more so than regular XP. That is not to say I don't see your point -- we've broken into plenty of Diebold XP ATMs during authorized penetration tests using regular Windows exploits. After that, it's game over with the software this product mentions. Then again, regular OSes have been running on ATMs for a long time, and many still run OS/2.

  • Re:DES (Score:5, Interesting)

    by Anonymous Coward on Thursday June 04, 2009 @12:24PM (#28211065)

    Several years ago, there was a home-invasion robbery that made local headlines for a few days. The robbers stole ATM cards and forced the PINs out of the residents at gunpoint, threatening to come back and rape them if they gave the wrong PIN. In this case, the residents were obligated to give the correct PIN, since they could have been tied up and forced to wait for the robber to return with the cash.

    My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

    Why not do this with ATMs? I would not be surprised if ATMs already had GSM-monitored burglar alarms for obvious reasons, and it wouldn't be that hard to have a secondary PIN that sends a duress signal.

    Of course, that's useless against shoulder surfing.
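    The duress-PIN idea above, sketched as an added example (this is not code from the thread or from any ATM vendor): the bank keeps a salted hash of the real PIN and of a separate duress PIN per card, both are checked on every attempt, and the customer-facing answer is identical for either; only a silent alert flag differs on the back end. The card record layout, the PBKDF2 parameters and the enrolment flow are all assumptions made for the illustration.

    ```python
    """
    Added example: PIN verification with a silent duress PIN.

    Assumptions (constructed for illustration, not any real bank's scheme):
    - each card record holds a random salt plus PBKDF2 hashes of the real PIN
      and of a distinct duress PIN;
    - the verifier always compares against both hashes so neither timing nor
      the customer-visible response reveals which one matched;
    - the duress outcome surfaces only as a back-end flag.
    """
    import hashlib
    import hmac
    import os
    from dataclasses import dataclass

    PBKDF2_ITERATIONS = 100_000  # hypothetical work factor


    def hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


    @dataclass(frozen=True)
    class CardRecord:
        salt: bytes
        pin_hash: bytes
        duress_hash: bytes


    def enrol(pin: str, duress_pin: str) -> CardRecord:
        """Create a card record; the duress PIN must differ from the real one."""
        if pin == duress_pin:
            raise ValueError("duress PIN must differ from the real PIN")
        salt = os.urandom(16)
        return CardRecord(salt, hash_pin(pin, salt), hash_pin(duress_pin, salt))


    @dataclass(frozen=True)
    class Verdict:
        approved: bool      # what the ATM is told
        silent_alert: bool  # what the monitoring centre is told


    def verify_pin(record: CardRecord, entered: str) -> Verdict:
        candidate = hash_pin(entered, record.salt)
        # Compare against both hashes unconditionally so a duress entry takes the
        # same code path (and time) as a normal one.
        is_real = hmac.compare_digest(candidate, record.pin_hash)
        is_duress = hmac.compare_digest(candidate, record.duress_hash)
        return Verdict(approved=is_real or is_duress, silent_alert=is_duress and not is_real)


    def customer_response(verdict: Verdict) -> str:
        """The on-screen text must not distinguish a duress PIN from the real one."""
        return "APPROVED" if verdict.approved else "DECLINED"


    if __name__ == "__main__":
        rec = enrol("1234", "4321")  # constructed sample PINs
        for attempt in ("1234", "4321", "0000"):
            v = verify_pin(rec, attempt)
            print(attempt, customer_response(v), "alert" if v.silent_alert else "")
    ```

    The design point is the one the poster makes about the alarm panel: the duress code has to be indistinguishable from the outside, so both the response text and the verification work are the same for both PINs, and the alert lives entirely on the authorising side.
    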

  • Re:DES (Score:5, Interesting)

    by sopssa ( 1498795 ) <sopssa@email.com> on Thursday June 04, 2009 @12:24PM (#28211067) Journal

    Just to note, an ATM running Windows XP doesn't mean it's less secure and that it could be exploited. If you've used ATMs, there's no real way to just run your programs on it or exploit it somehow. But when criminals have access to the hardware physically, there is no difference if it's Windows, Linux or whatever else OS. That is how it's probably been working here as well: they get some insiders to give them access or they social engineer their way in. You can't exploit Windows bugs in them because you can't connect to them from the internet.

    Like said, when people get good physical access to the hardware, the game is usually lost, no matter what the OS is.

  • Re:DES (Score:5, Interesting)

    by BlackSnake112 ( 912158 ) on Thursday June 04, 2009 @12:46PM (#28211403)

    Sneakier way that I have seen. The bad guys slide this metal piece into the ATM slot. This catches your card but will not release it. Some even let you make your transaction but still keep the card. Usually one of the bad guys is around the ATM watching. They walk up pretending to help. They ask you to enter your PIN again or ask for your PIN so they can enter the PIN. Either way they now have your PIN. Nothing works of course. You go away, they take out the piece of metal with your card. Now they have your PIN and your card.

    I read about this. I have so far taken 4 pieces of metal out of the ATM card slot at 3 different locations around the Washington DC area. All 4 times, someone very quickly left the scene. I did report it to each bank when they were open again. All 4 times happened to be after 9PM.

    Look at the ATM slot before you put your card in. If it looks like there is an extra thin piece of metal, either go to a different ATM, or see if you can take it out. I used the trusty paperclip to remove the metal. Not that hard.

  • by goodmanj ( 234846 ) on Thursday June 04, 2009 @01:15PM (#28211795)

    This brings up a serious question. You need some cash in an unfamiliar state or country, and you come across an ATM. How do you know if you can trust it?

    Given the number of people who've been scammed by everything from bolt-on ATM card skimmers [snopes.com] to oldschool fake night deposit boxes [securityinfowatch.com], this is worth worrying about.

    The standard security mantra is, "only use trusted hardware to authenticate yourself", but that can't happen here.

    Anyone have any ideas for an ATM authentication system that will both prove to the bank that I am who I say I am, and prove to me that the ATM isn't stealing my authentication keys?

    The only solution I can think of involves trusted hand-held devices like cell phones or keychain password tokens.

  • Re:DES (Score:4, Interesting)

    by vertinox ( 846076 ) on Thursday June 04, 2009 @01:37PM (#28212075)

    My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

    I think it would be just as easy to create a "Zero balance" code to show the assailant you are broke when you are not.

    Some of us don't need that though.

  • I concur. Especially after having read Not Always Right [notalwaysright.com] lately [notalwaysright.com].
  • by cptdondo ( 59460 ) on Thursday June 04, 2009 @02:11PM (#28212553) Journal

    Take a lesson from the gambling industry. They have to audit all of their machines regularly. The entire OS, including the bootloader, sits on SD cards. You can yank the SD card, audit it, and stick it back in. It's much more difficult to hack these on a long-term basis as the SD card audit will catch it. There are no keyboard ports. (Assuming, of course, the auditor is honest and the lock on the machine is secure. No joy if the person refilling the machine has access to the guts of the machine.)

    Anyone here actually programmed one of these? I built an embedded box on the hardware, and the bootloader-on-the-SD-card made me ask what it was for.
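    What the SD-card audit described above amounts to, as an added example (not the poster's code, nor that of any gaming or ATM vendor): hash every block of a known-good boot image into a manifest kept off the card, then hash the card's current contents and report which blocks no longer match. The images, the 512-byte audit granularity and the manifest format are all constructed here for illustration; a real audit would read the card's block device instead of an in-memory byte string.

    ```python
    """
    Added example: offline integrity audit of a removable boot image.

    Everything below is constructed for illustration: the "golden" image is a
    fake bootloader followed by a fake OS image, and the manifest is a plain
    dict of per-block SHA-256 digests. The manifest must be stored (and ideally
    signed) somewhere the machine's operator cannot rewrite, or an attacker who
    reflashes the card simply reflashes the manifest with it.
    """
    import hashlib
    from typing import Dict, List

    BLOCK_SIZE = 512  # audit granularity, chosen for the example


    def build_manifest(image: bytes) -> Dict[str, object]:
        """Hash each block of the known-good image plus the whole image."""
        blocks = [hashlib.sha256(image[i:i + BLOCK_SIZE]).hexdigest()
                  for i in range(0, len(image), BLOCK_SIZE)]
        return {"size": len(image), "block_size": BLOCK_SIZE,
                "blocks": blocks, "whole": hashlib.sha256(image).hexdigest()}


    def audit_image(image: bytes, manifest: Dict[str, object]) -> List[str]:
        """Return a list of findings; an empty list means the card matches."""
        findings: List[str] = []
        if len(image) != manifest["size"]:
            findings.append(f"size mismatch: expected {manifest['size']}, got {len(image)}")
        # Fast path: the whole-image digest matches and nothing else is wrong.
        if not findings and hashlib.sha256(image).hexdigest() == manifest["whole"]:
            return findings
        bs = manifest["block_size"]
        expected = manifest["blocks"]
        n_blocks = max(len(expected), (len(image) + bs - 1) // bs)
        for idx in range(n_blocks):
            chunk = image[idx * bs:(idx + 1) * bs]
            want = expected[idx] if idx < len(expected) else None
            got = hashlib.sha256(chunk).hexdigest() if chunk else None
            if want != got:
                findings.append(f"block {idx} (offset {idx * bs:#x}) differs")
        return findings


    # Constructed sample images (not real firmware).
    GOLDEN_IMAGE = b"BOOT" * 256 + bytes(range(256)) * 8          # 1024 + 2048 bytes
    GOLDEN_MANIFEST = build_manifest(GOLDEN_IMAGE)

    # A tampered copy: four bytes patched inside the OS part, size unchanged.
    _patch_at = 1024 + 100
    TAMPERED_IMAGE = GOLDEN_IMAGE[:_patch_at] + b"EVIL" + GOLDEN_IMAGE[_patch_at + 4:]

    # A copy with extra data appended after the image end.
    APPENDED_IMAGE = GOLDEN_IMAGE + b"\x00" * 10


    if __name__ == "__main__":
        for name, img in (("golden", GOLDEN_IMAGE), ("tampered", TAMPERED_IMAGE),
                          ("appended", APPENDED_IMAGE)):
            print(name, audit_image(img, GOLDEN_MANIFEST) or ["clean"])
    ```

    Per-block digests are what make the audit useful rather than a bare yes/no: the offset of the first differing block tells the auditor whether the bootloader or the OS partition was touched, which is the first question in the incident follow-up.
    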

  • Re:DES (Score:3, Interesting)

    by plover ( 150551 ) * on Thursday June 04, 2009 @09:31PM (#28217509) Homepage Journal

    Because of advanced forms of fraud (and because networks are much more reliable than the dialups of yestermillenia) ATMs no longer work if the network goes down. They shut themselves down. They don't hand out cash when they're offline, because they have no way of authenticating your PIN, your card, or your account.

    If it were possible, criminal organizations would have people trying a bad card in a different ATM every hour of every day of every week. Once they "luck" into an offline terminal, it's payout time. They'll use the opportunity to withdraw that sucker dry before it comes back online. And they'll call their buddies up and tell them to try the other ATMs in the neighborhood, and drain those too. Or if such a feat were possible, they'd just cut the network wire (with an axe or a chainsaw at the pole in the parking lot) and then empty it.

    This is a different scenario than an offline cash register, where the machine can still scan barcodes and print receipts when it's offline, and you have a (semi-)trusted employee scanning the carton of milk and handling the change.
