Forgot your password?
typodupeerror
Security IT Technology

ATM Hack Gives Cash On Demand 193

Posted by samzenpus
from the one-card-bandit dept.
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
This discussion has been archived. No new comments can be posted.

ATM Hack Gives Cash On Demand

Comments Filter:
  • Interesting Hacks... (Score:5, Interesting)

    by nosferatu1001 (264446) on Thursday July 29, 2010 @07:58AM (#33067160)

    Originally delayed to let the companies patch. Interested to see if he can live up to his claims to be able to find similar issues in other brand ATMs as well.

  • BoA (Score:2, Interesting)

    by Anonymous Coward on Thursday July 29, 2010 @08:01AM (#33067190)
    I was at a Bank of America ATM in NC not long ago and could not use it. It had a large Windows XP error dialog covering the whole screen. I really don't feel confident about even having a debit card with them.
  • Re:Really? (Score:2, Interesting)

    by Netshroud (1856624) on Thursday July 29, 2010 @08:05AM (#33067222)
    I presume they're just very expensive. Even more so if you have to secure them and connect them up to a banking network. Anything can be bought with enough money... like the bank itself.
  • Re:Really? (Score:3, Interesting)

    by fuzzyfuzzyfungus (1223518) on Thursday July 29, 2010 @08:09AM (#33067244) Journal
    I assume that large purchasers, like banks, can easily enough commission "private label" versions of ATMs(based more or less closely on a manufacturer's available models, doing mechanical engineering much beyond the 'paste on a logo and some colored trim' level probably isn't cost effective; but running firmware tailored to them and their systems) that are for their exclusive order; but the generic ones you see in crummy convenience stores and the like are just appliances.

    Because(like commercial scales, and gas pumps) they are appliances used in commerce, there may well be one or more state, or local authorities who want to take a look and put their sticker on it before it goes into use; but if some guy wants to buy a used one, I see no reason why that would be uncommon or controlled. If they are used for fraud or theft, that is just as illegal as any other flavor of the same; but there are loads of common and wholly legal tools that have potential in that area.
  • Re:Really? (Score:5, Interesting)

    by Pharmboy (216950) on Thursday July 29, 2010 @08:15AM (#33067322) Journal

    There is at least one precedent for making owning machines illegal. Slot machines are regulated and it is illegal to own one in most states, even if the coin mechanism is disabled to play for free. Of course, that is what makes them l33t to own for rich folks. Kinda like Coors beer in "Smokey and the Bandit", you want it because it is illegal.

  • by fuzzyfuzzyfungus (1223518) on Thursday July 29, 2010 @08:16AM (#33067334) Journal
    Unless he chose the two he purchased purely based on underground buzz about their weakness(possible; but you'd hope that a security researcher would go for novelty.), going 2 for 2 suggests that overall industry standards might not be that high...
  • Re:Really? (Score:4, Interesting)

    by zigziggityzoo (915650) on Thursday July 29, 2010 @08:27AM (#33067432)
    I know of a couple of restaurants that have their own ATMs with a "cash only" policy for acceptable payments. Anyone without cash is directed to the ATM they own. Instead of it costing them a percentage to accept cards, they make money off the ATM.
  • scrooge? (Score:3, Interesting)

    by circletimessquare (444983) <circletimessquare AT gmail DOT com> on Thursday July 29, 2010 @08:27AM (#33067438) Homepage Journal

    he should have called it robin hood

    right subject matter (wealth redistribution), wrong direction (down to the lower classes: robin hood, not up to the higher classes: scrooge)

  • Re:Really? (Score:1, Interesting)

    by Anonymous Coward on Thursday July 29, 2010 @09:19AM (#33067906)

    Reliable my ass. I keep seeing BSOD-ed or out-of-memory ATMs around these parts, running what seems to be Windows XP (Embedded? At least, I hope it's XP and not Windows ME); even better are those with the "you may be a victim of software piracy" WGA notice. Closed my account at that bank after seeing that ("in what otther areas do they habitually and epically fail?")

  • by qazwart (261667) on Thursday July 29, 2010 @09:24AM (#33067956) Homepage

    The types of ATMs being talked about are the non-bank machines that you see in many smaller stores in New York City. They're installed and sold by third party vendors to connect to the main banking networks.

    A salesman goes into a store, and tells the owner that if they had an ATM in their store, their sales will go up because people will stop in to get cash. The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owners manual. A manual you can buy on line.

    There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messing hacking necessary.

  • by silentcoder (1241496) on Thursday July 29, 2010 @09:47AM (#33068258) Homepage

    That reminds me. A couple of Christmas's ago I was visiting my sister in a small rural town where she lived at the time. Wanted to go draw cash at one point so walked down the main road to the town's only ATM - run by local bank ABSA (yeah - not afraid to mention it). My own bank not having an ATM in town this was the only choice available.

    As I stepped up to it... the interface was obscured by a warning message:
    F-Secure Anti-Virus for Windows has detected a virus in file ...

    Floating around.

    Being aware that
    1) This bank's ATM's run windows
    2) They use F-Secure for virus protection
    3) It obviously is connected in such a way that it can still GET infections

    I turned around, bummed cash of my sister and paid her bank online - there was just no way I was going to stick my card in that ATM. I am also really glad I'm not a customer of that bank - and despite the nearest ATM to my house being run by them - never use their ATM's - I would rather spend the bit of extra fuel and drive to my own bank (which may not be better - but at least I haven't seen with my own eyes that it's THAT bad). Besides the service charge saving I suspect outweighs what I spend on fuel so it's worth it either way.

  • by BrokenHalo (565198) on Thursday July 29, 2010 @11:15AM (#33069478)
    Debit and credit cards are OK so long as you are a bit careful about not where you use them and not letting them out of your sight (in order to to skim them), and check your accounts reasonably frequently. They are certainly better than cheques.

    Banks will often not even look at a signature on a cheque, let alone make any attempt to verify it. As an example, I once accidentally grabbed my wife's chequebook and used it (signing my own name) to purchase goods. I realised my mistake a couple of days later and attempted to go into the shop to replace my presumably dodgy cheque with cash, but the bank had already paid up on it. Now in this case, it was an honest enough mistake, but it has made me a lot more careful about where we store our chequebooks since.

    At least with credit cards, there is always the option of a chargeback.
  • Re:Really? (Score:3, Interesting)

    by blisteringsilence (1290138) on Thursday July 29, 2010 @12:02PM (#33070280)
    That's a big selling point when I go to place a machine. Instead of the location paying $2,500+ monthly to their credit card processor, they can just charge a $0.25 transaction fee, and make some money. One of my customers realized a net monthly gain of about $4,000. It's been really popular with liquor stores and bars.
  • by CaseM (746707) on Thursday July 29, 2010 @12:05PM (#33070326)

    Consumers are no more liable for debit/check card fraud than they are credit card fraud. This is a very common fallacy.

  • by SQLGuru (980662) on Thursday July 29, 2010 @12:59PM (#33071382) Journal

    In the early 90's, I had a 10 digit pin with Wells Fargo. It was great for security, but it was a pain when all of the POS terminals didn't expect it. They only allowed for 4 digit input.

    Also, my current bank (name withheld) offers the two account approach. One account has card access and the other has the money. You transfer periodically to cover the other. If your card is ever compromised, you stop the transfers and limit the losses. Of course, you still also get the protection you would normally get with your card.

  • by green1 (322787) on Thursday July 29, 2010 @01:01PM (#33071432)

    Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago.

    But does that really help matters any? wouldn't being connected to the internet be even MORE risky? surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

    Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connection back to the bank that kept their data away from the internet? wouldn't this make more sense? (from the stand point of a telco tech, these machines do not connect to our usual DHCP servers, and I believe their entire logical connection is separate, though what the end point is I don't know as I don't handle that end of the connection)

  • by Anonymous Coward on Thursday July 29, 2010 @01:13PM (#33071720)

    It's worse than that...

    The bank will have a LAN that is full of windows machines, probably a server room full of windows machines and its highly likely that all these machines will either be part of the same active directory domain, or have interconnecting trust relationships...
    And even if the important stuff is stored on a mainframe, chances are it will be accessed from a windows system that is part of a domain...
    If you plug into the main LAN of virtually any bank, someone remotely competent with a tool like metasploit could gain complete access to the domain in minutes, and then just keylog the appropriate windows workstations in order to get access to any non windows systems. Chances are noone will notice either unless you do something extremely stupid.

    Getting physical access to an ethernet port is the hardest bit, once you're on there the rest will be trivial.

  • by blisteringsilence (1290138) on Thursday July 29, 2010 @01:43PM (#33072366)

    But does that really help matters any? wouldn't being connected to the internet be even MORE risky? surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

    Maybe yes, maybe no. The first part of this answer is that when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

    So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine, and the data is encrypted 19 ways from Sunday. To start with, you have the master keys that allow the machine to communicate with the processor. After they are input, they're encrypted and stored in epoxy buried chips in the keypad, and any interruption of electrical power to those chips (which runs through fry wires from a battery also stored within the epoxy matrix) kills the keys.

    So your communication starts with the machine opening a connection with a dedicated IP server on one of 3 possible ports. During handshake and authentication a unique time-based one time key is transmitted back to the machine. This super-encrypts the keys, which are then sent, followed by the transaction information, and the transmission is closed out. These machines are also usually programmed to auto-connect every 15 or 30 minutes with a machine status update (thereby eliminating the need to dial in remotely).

    Now, as all this information is going out over the general internet, it's possible to intercept the packets, but I don't know what good they'd do for you, as there's no way to get to the original master keys assuming you could get past the super encryption, thereby securing the first level.

    Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connection back to the bank that kept their data away from the internet? wouldn't this make more sense? (from the stand point of a telco tech, these machines do not connect to our usual DHCP servers, and I believe their entire logical connection is separate, though what the end point is I don't know as I don't handle that end of the connection)

    The machines that are located at gas stations and bars and whatnot use a standard internet connection. The only requirement is that the location has to have a static IP. You have to remember, these machines only cost $2K - $5K, and the owner only makes $100 - $500 per month on the machine. Not to mention, they're not doing that many transactions.

    Would the solution you propose make more sense? Absolutely. But it's cost prohibitive, and beyond the scope of 99% of the owners, and 75% of the service techs. If these proposals were to be codified, you'd see fees go through the roof to make up the difference.

    Also:

    ...and the ATM machines I've worked with...

    Pet peeve.

  • by green1 (322787) on Thursday July 29, 2010 @02:55PM (#33073844)

    when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

    and that's the problem, on a modem only one machine can attack you at a time, on the internet millions can have a go at once. the flexibility argument also cuts both ways...

    So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine,

    So, what you're saying is that dialup connected machines have the facility to receive calls, but internet connected machines only do outgoing connections? that seems odd. It would be just as easy to secure a dialup machine by simply telling it not to answer the phone. I have to believe that if the dialup machine is set to answer phone calls, the internet connected machine will be set to receive some form of incoming connection as well. otherwise it's not the communication medium that is adding the security, but the decision on whether or not to accept incoming communications.

    These machines are also usually programmed to auto-connect every 15 or 30 minutes with a machine status update (thereby eliminating the need to dial in remotely).

    there's no reason a dialup machine couldn't behave exactly the same, once again the security increase isn't in changing to TCP/IP, it's in not accepting incoming connections. In fact arguably the TCP/IP connection is still less secure than a similarly configured dialup connection due to increased chance of various MITM attacks, IP or DNS spoofing attacks, or simple protocol vulnerabilities in the OS that get found/exploited by the millions of bots that can be brought to bear on attacking a machine over the internet

    The machines that are located at gas stations and bars and whatnot use a standard internet connection. The only requirement is that the location has to have a static IP. You have to remember, these machines only cost $2K - $5K, and the owner only makes $100 - $500 per month on the machine. Not to mention, they're not doing that many transactions.

    The machines I've worked on have mainly been big bank branded ATMs, but located at gas stations, convenience stores, etc. And they have definitely not been "consumer grade" ADSL lines (we call them ADSL CWAN (Carrier Wide Area Networking) it's still an ADSL modem, but instead of connecting to our DHCP servers and getting a public IP, the machine is logically connected to the bank's network directly and either gets it's IP from their DHCP server, or hard-codes an IP (I've left before that config is done so I'm not sure which)). The "white label" ATMs I've worked with have never required me to do more than supply a phone jack, so you may be right about them using consumer grade ADSL connections.

    Would the solution you propose make more sense? Absolutely. But it's cost prohibitive, and beyond the scope of 99% of the owners, and 75% of the service techs.

    It changes nothing for the owner, and likely nothing for the service tech either (he doesn't care what IP he enters in to the config screen, as long as it's the one on his work order). The only differences are cost of the connection itself (so you may be right about it being prohibitive) and some routing at the server end, however the big banks are already set up for that sort of stuff, so it shouldn't be much effort to do it for the white labels as well.

    ...and the ATM machines I've worked with...

    Pet peeve.

    DOH! and I thought I'd been so careful about that too!

  • by blisteringsilence (1290138) on Thursday July 29, 2010 @03:58PM (#33074972)

    and that's the problem, on a modem only one machine can attack you at a time, on the internet millions can have a go at once. the flexibility argument also cuts both ways...

    I agree completely. However, at the end, if the customer (owner) doesn't want the product (the ATM), the ATM company goes out of business.

    So, what you're saying is that dialup connected machines have the facility to receive calls, but internet connected machines only do outgoing connections? that seems odd. It would be just as easy to secure a dialup machine by simply telling it not to answer the phone. I have to believe that if the dialup machine is set to answer phone calls, the internet connected machine will be set to receive some form of incoming connection as well. otherwise it's not the communication medium that is adding the security, but the decision on whether or not to accept incoming communications.

    OK, with regard to the ability to accept incoming communications, it's about customer convienence. With a machine connected through a standard phone line, 99% of the machine's I've installed get to share their phone line with the location's fax line. If the ATM is dialing out at set intervals, it is taking both the machine and the phone line out of service for 45 seconds to a minute every time it goes out. That's bad for business. The solution used to be (5 or so years ago) that the processor would call the ATM twice or so a day to check on it's health status, etc.

    Also, remember, most of my customers have this feature disabled.

    Now, however, with an IP based connection, the information transfer is instantaneous (or nearly so, as viewed by the customer). Therefore, it's not a big deal for the machine to contact the processor every 15 minutes or so with a status update. Therefore, as there is no need to remotely access the machine, they simply removed the functionality.

    In fact arguably the TCP/IP connection is still less secure than a similarly configured dialup connection due to increased chance of various MITM attacks, IP or DNS spoofing attacks, or simple protocol vulnerabilities in the OS that get found/exploited by the millions of bots that can be brought to bear on attacking a machine over the internet

    This is a fair point. However, the data that you're capturing with all of these attacks is super encrypted (not in the "super! thanks for asking" sense, but more in the they encrypt data that has already been encrypted using a different process), a MITM attack is going to log a bunch of gibberish packets. Assuming you can break the one time key established in handshake, you can't break the secure keys that are only known at the source and destination.

    The "white label" ATMs I've worked with have never required me to do more than supply a phone jack, so you may be right about them using consumer grade ADSL connections.

    In every bar/gas station/liquor store/bowling alley/porn store I've ever worked on an internet connected machine, it's jacked into a consumer ADSL or Cable connection. I've yet to see a dedicated connection for the ATM. That's part of the value proposition for the owner, he gets to eliminate a $75 a month phone line from his overhead by putting the machine online.

    The only differences are cost of the connection itself (so you may be right about it being prohibitive) and some routing at the server end, however the big banks are already set up for that sort of stuff, so it shouldn't be much effort to do it for the white labels as well.

    When I said cost prohibitive, I was indeed talking about the cost of the connection. You work for a telco, so let's be charitable. What do you figure a setup like this costs? $250 or $300 a month? For a machine that only costs $3000 and only makes the owner $300 a month? What's his business justification for that purchase? There's no way he's going to pay that.

    Like everything else in business, these little guys are 100% focused on the bottom line. They want to use that ATM to make money. Period. If the costs of keeping it going exceed the return, they're going to get out of it.

  • by moortak (1273582) on Thursday July 29, 2010 @04:02PM (#33075052)
    You should inform the FTC, it seems they aren't aware of that fact. http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm [ftc.gov] If you are slow to report it you are responsible with a debit card more than you are with a credit card.

"And do you think (fop that I am) that I could be the Scarlet Pumpernickel?" -- Looney Tunes, The Scarlet Pumpernickel (1950, Chuck Jones)

Working...