Forgot your password?
typodupeerror
Security Crime The Almighty Buck

Remote ATM Attack Uses SMS To Dispense Cash 150

Posted by timothy
from the $$$-rofl-omg-$$$ dept.
judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."
This discussion has been archived. No new comments can be posted.

Remote ATM Attack Uses SMS To Dispense Cash

Comments Filter:
  • by Forbo (3035827) on Tuesday March 25, 2014 @10:46AM (#46574443)
    "The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

    Really? This stuff isn't being done to begin with?
    • by Lumpy (12016) on Tuesday March 25, 2014 @10:55AM (#46574537) Homepage

      Banks barely do anything. They make insane profits but the scumbags refuse to spend a dime on security or maintenance.

      The difference between a bank and organized crime is that you know what to expect from organized crime.

      • Banks are protected by law enforcement, insurance, etc. They have well established loss rates due to theft, fraud, etc. and they take appropriate measures to address those loss rates.

        I, personally, would not want to pay a surcharge on my ATM card or other bank accounts to supplement the current security with "overkill" measures that cost more than they benefit, just for the satisfaction of knowing that crooks can't steal from MY bank.

        • by Anonymous Coward

          Overkill such as following standard security protocols and networking and IT basics? Or using 2 decade old smart-card technology that EUROPE has used for 20 years? The solution is to go back to strict bank regulation. They obviously cant be trusted to operate on their own.

        • In this case, overkill like a $4.95 locking doorknob?

          • No, more like management oversight, design review, and other bureaucratic steps to ensure that the proper locking doorknob is selected and properly installed. Even if the committee selected a $4.95 knob as proper (which, after examining the situation they probably wouldn't), the overhead costs of all that would amount to thousands of dollars per doorknob effectively installed.

        • by sjames (1099)

          So how do you like paying for the added burden on law enforcement to track the crooks down and get the money back?

          • Better than I would like for paying for theoretical "perfect" security on the banking system.

            Besides, everybody knows the cops can catch bank robbers, and those same cops actually protect my home - if they weren't out there getting a rep. with hold up artists, people might be more inclined to B&E on private residences.

            • by sjames (1099)

              Nobody is asking for perfect. At this point, some sign of actually trying would be a step in the right direction.

      • What do banks have to do with ATM design? They just buy/lease them from ATM providers.
      • Re: (Score:3, Interesting)

        by operagost (62405)

        Banks don't make ATMs. Blaming banks for poor ATM security is, for the most part, like blaming someone who was in an accident because their defective ignition switch shut off the car. Banks need to make sure their ATMs are physically protected and maintained. They do this, for the most part.

        Firms like Triton and Diebold build ATMs. That's where change will really have an impact.

    • by Joce640k (829181)

      Really? This stuff isn't being done to begin with?

      Why would they? It's in a locked steel box. People aren't using it to surf the web.

      • Actually, they do surf the web (or did. I sure hope they fixed it). That is one of the problems with ATMs. The connection with the bank may be secured, but the devices are still attached to the big bad internet. So if you replace a device driver (or add your own piece of hardware), all communication channels are just waiting for you to be abused.
        • by SQLGuru (980662)

          The 7-11 I used to frequent had a ethernet jack near the soda dispensers......this jack was where the nearby ATM was plugged in. It would have been quite easy for me to insert any sort of device between the ATM and the jack. There was enough space between the jack and the ATM and there was also a valid reason for me to be in the area that it wouldn't look like I was doing anything with it. While it wasn't an official bank ATM (unaffiliated), I still could have been malicious had I wanted to. [I also nev

          • ATM's make heavy use of encryption. Sensitive data (eg customer PIN) is encrypted so that you can not decode it. Unencrypted data is not sensitive (eg the dollar amount of the transaction). Each packet sent to the bank host is digitally signed. Each packet received from the host is also checked for its digital signature. The digital signatures have the time as part of the generation algorithm, so replay attacks don't work. If you monitored traffic on that cable then you would get a log of who took out mone
            • by SharpFang (651121)

              Actually, that sounds like info muggers would find pretty valuable.

            • Note that the cable might be ethernet,

              So there's your attack vector. Note that you may heavily encrypt the output of all the input devices, but with your own device drivers or added hardware there is little you can do about replaying the input signals themselves. Or from "swallowing" the cards and transmitting all the PIN codes.

    • by gstoddart (321705)

      Do you know how many times I've seen an ATM with the Windows Blue Screen of Death on it?

      Not hundreds, but over 30. I have *long* suspected these things are exceedingly vulnerable computers being used when they shouldn't be.

      I've been airports and seen the arrivals/departures board showing NT errors. I have seen stuff in shop windows and other stuff showing similar stuff. A lot of medical devices can't be upgraded because the company never certified it beyond a certain level of Windows.

      I usually make a poi

      • by JDG1980 (2438906)

        I once went to a BB&T ATM and when I tried to use it, it crashed with an Internet Explorer script error.

      • I've seen genuine guru meditation errors on screen from the local public access channel in the last 5 years. Think about that. An Amiga still in daily use.

      • by SharpFang (651121)

        "Please enter the amount."

        700

        "The amount entered is not divisible by 0. Please select:
        [650]
        [750]
        [other]
        [cancel]"

        I choose "Cancel" just in case it applies similar mathematics to my actual payout.

    • by AmiMoJo (196126) *

      Banks usually make an effort to have physical security, but not so much all the random supermarkets and shops that have an ATM inside.

      What is more interesting is that the cash draw is physically secure. The attackers don't bother trying to open it. Instead they attack the control hardware, and you would think they could make that equally secure. It seems that the desire to load firmware updates, or more specifically new advertising on to machines via a simple and largely unprotected USB connection was too m

  • Physical access? (Score:5, Insightful)

    by Vlado (817879) on Tuesday March 25, 2014 @10:47AM (#46574455) Homepage

    So, this method requires quite a bit of physical access to the ATM. You have to attach a phone (why smartphone, by the way?) to the actual ATM controller.

    In my opinion this begs a whole set of other security questions first....

    • by Anonymous Coward

      In my opinion this begs a whole set of other security questions first....

      No, it doesn't. It raises questions.

      "Begs the question" means something entirely different than what you meant. Please don't misuse this term.

      http://begthequestion.info/ [begthequestion.info]
      http://public.wsu.edu/~brians/... [wsu.edu]

    • by CastrTroy (595695) on Tuesday March 25, 2014 @11:13AM (#46574683) Homepage
      Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote expliot. If that's the definition of remote exploit, I don' think there's a system on the planet that isn't vulnerable.
      • by Anonymous Coward

        ...AFTER drilling a hole in the physical device...

        There's a joke somewhere in there; complete the phrase "Any 'remote' exploit which involves drilling..."

    • by Joce640k (829181)

      (why smartphone, by the way?)

      It probably connects to a serial port or something.

      ATM machines have ports where you can plug in a diagnostic computer. One of the diagnostic functions will be "test the cash dispenser".

      The SMS trigger is just there so they can do it at night and make sure somebody's standing there to grab the money.

      • by Splab (574204)

        Wrong century... ATMs of today are running on off the shelf hardware, with "special" (as in special needs) operating systems (Windows). They have exposed USB ports under the hood and to make it completely idiotic, the only thing locked behind high security is the money. The motherboard is quite often found just under the keypad, which can be accessed by standard keys.

        See these guys http://www.youtube.com/watch?v... [youtube.com] (Unfortunately the actual hack is poorly recorded, but still quite interesting).

        • by mlts (1038732)

          I'm pretty sure that the rationale for slack physical security (other than the cash box) is that the store clerk or the camera pointed at it will discourage people from drilling holes in the CPU.

          As per a previous /. article, maybe ATM makers moving to a new OS and PC might help matters. Linux is a good candidate. No AutoRun/AutoPlay capability present for starters (although Windows can have it easily turned off as well.)

          Ideally, what might be best is to move to a motherboard that is designed from the grou

    • Seems to me that it needn't be a smartphone, any device with the proper digital interface can probably do the trick - but it makes better press to say "Force the ATM to dispense cash using SMS..."

      I suppose it might make it easier for the crooks to blend in while they take away the loot - just send the SMS while you act like you are doing a legitimate transaction and then walk away with $400. Come back later and do it again, and again... Get a lot of "theft rush" and exposure to potential arrest for your e

    • by hankwang (413283)

      "So, this method requires quite a bit of physical access to the ATM. "

      I did once peek over the shoulders of a guy servicing one of those in-store ATMs (i.e., one that looks like a stand-alpne cabinet, not one that's integrated into a wall). Apparently, it's not all that tightly locked down, hardware-wise. The guy told me that only the compartment that contains the banknotes and the counting mechanism have heavy physical security, and that he couldn't access that part. That was why he was allowed to service

  • by gnick (1211984) on Tuesday March 25, 2014 @10:48AM (#46574457) Homepage

    I'd like to announce my new app for sale - Free after using the $200 rebate redeemable at a nearby ATM.

  • Diebold (Score:2, Interesting)

    by Anonymous Coward

    How's Diebold for a guess? Those fuckers are vulnerable to just about everything.

    • Okay. Let me amend the article summary for you . . .

      "Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines . . . because Diebold already has a bad enough reputation with it's e-voting machines.

      Better?

    • by nwf (25607)

      That was my first guess. My bank uses them, and they are absolutely amazing in terms of completely uninformed user interface design. They've upgraded them over the years and are a little better, but they are just terrible to use physically and electronically. Not really related to hacking, other than by the fact they just don't care about making a quality product.

  • by Anonymous Coward on Tuesday March 25, 2014 @10:52AM (#46574505)

    after whatsapp.

    • by Anonymous Coward

      In soviet russia SMS pays yo... wait, that doesn't make sense since this is about the USA.

  • by clovis (4684) on Tuesday March 25, 2014 @10:58AM (#46574561)

    This is a physical access attack and therefore not very interesting.
    To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port (or in older versions, a USB stick, or keyboard). They recommend upgrading the OS and securing the hard drive. How about putting epoxy in the computer's device ports?

    • by iggymanz (596061) on Tuesday March 25, 2014 @11:06AM (#46574625)

      or you could cut the ATM open at the point where the cashbox is installed

      to say this attack is "just not interesting" is an understatement

      • by mlk (18543)

        I'd assume the box that the money is in is secured and had paint or the like that will trigger when it is opened.

        Plus you can only do it once and it is very noticeable. Chopping a small hole in the box and secretly installing a small phone you could exploit time and time again without drawing attention from passers by.

        • by iggymanz (596061)

          look up how they're made, you won't be "chipping a small hole" in anything to access its system and you will set alarm off

      • As I said above, you can get the access and look like a maintenance tech, then button it up and walk away with big bulges in your pockets.

        Come back later, looking innocent, and take a few hundred bucks per transaction. It makes machines that are protected by highly public physical location (most ATMs) more vulnerable to attack in plain sight by innocent looking people.

        Sure, you could cut out the cash box and haul ass in a big pickup truck, but somebody would probably notice that something isn't right about

    • If you have physical access, why not grab the money directly?

      • by Russ1642 (1087959)

        The money is locked in a hardened steel enclosure similar to a safe. Apparently the computer is not. This attack is probably one of the easier ways to get at the money.

      • by CastrTroy (595695)
        Because this way, assuming they didn't notice the actual hardware in there, you could dispense cash for a long period of time, and get more money. Taking all the cash at once and they would probably notice it. Take $20 once a day, and they might just attribute it to the machine miscounting the bills.
        • The machine might report cash being taken out; very unfortunate if that happens while you stand there shoving piles of bills into your pockets. Better to install the device and come back at night, with a hoodie over your face, grab all the cash, and run.

          These machines rarely miscount, and if it happens once a day, the bank will probably take notice. There was a weird little trick on certain ATMs a while back that let you tease an extra note from the machine, but the banks caught on very quickly.
        • In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

          You could probably spit out several hundred dollars per "pull" with the phone-hack and not raise suspicion - a really good hack would falsify the expected balance, too, so they don't notice the missing cash, but you'd think the guy changing the cash box would notice the thing stuck in the USB port, event

          • by PRMan (959735)
            I remember way back in the old days (80s), an ATM that I went to dispensed my cash twice. I took it inside and let them know that I had gotten $80 when the machine told me that I got $40. They had released new ATM software the night before. It was 9 AM and I was the first person to bring it to their attention.
            • I should also mention that I got one or two "undercounts" during that era... my ATMs were all remotely located from the branches, so reporting wasn't exactly convenient. I figured it all worked out in the end, but I might have come out $20 to $30 ahead, overall.

              The swipe your ATM card to checkout at the grocery also failed to process a couple of the earliest transactions (there really was a free lunch, those days...), I waited months and months looking for them to show up on the statements, but they never

          • by dryeo (100693)

            In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

            I'm quite surprised how well the ATMs handle the plastic money, especially during this transition phase when it is a mix of paper and plastic. As a human, I have trouble correctly counting the plastic money, it's thinner and sticks to neighbouring bills.

    • by redmid17 (1217076)
      Probably because they need to be able to upgrade the the OS and apply security patches.
    • by gstoddart (321705)

      To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port

      Which, apparently, might not be as difficult as we think.

      Security is only as good as its weakest link, as they say. And if one of these things is in a place where you could get in and out without being observed (because, say, you've got a clone of the key or know how to bypass the lock) ... well, then this is going to happen.

      Free money is worth someone spending time working these thin

    • by u38cg (607297)
      Well, not so much. Physical attacks are extremely difficult on ATMs as they are difficult to move or access and usually have dye bombs. The usual approach in the UK is to steal a JCB and van and remove the whole thing. So something like this is definitely an improvement for the attacker.
    • by malvcr (2932649)
      Let me explain what happen with the ATM devices.

      The ATM has a computer having the operating system and a basic bootstrap software. In fact, the configuration itself it is not located in the ATM but when the ATM is turned on, it is sent to it from the Bank. One important reason is that when somebody steal the ATM, will lost all the configuration including many different types of keys, making the task of opening it or to learn more about the ATM's network behaviour a difficult task.

      When the security e
    • by Obfuscant (592200)

      This is a physical access attack and therefore not very interesting.

      This. Everyone knows all you have to do is play some music on the keypad and the ATM will give you money. "Take me down to the basement, fill the buckets with cheese..."

      "And we won't, won't pay for this song 'cause it's pub-lic domain!"

  • USB port? (Score:2, Insightful)

    by Anonymous Coward

    How does anyone access the USB port of the computer that controls the ATM, without breaching enough physical security that they might as well just grab the money? Sounds like this could only work if an insider at the bank in question smuggles in a phone and hooks it to the computer. You can't just pull up to an ATM and do this.

  • And they make election equipment, to count votes. Sheeesh! ATMs I am less worried about because I get my money back when they screw up... If the theft amount gets too painful, the banks will look a better vendor. And switch to Linux...
  • by OcabJ (13938)

    "Anyway, anyway, guys guys guys, come on. I'm in this computer, right. So I'm looking around, looking around, you know, throwing commands at it, I don't know where it is or what it does or anything. It's like, it's like choice, it's just beautiful, okay. Like four hours I'm just messing around in there. Finally I figure out, that it's a bank. Right, okay wait, okay, so it's a bank. So, this morning, I look in the paper, some cash machine in like Bumsville Idaho, spits out seven hundred dollars into the midd

  • At least most modern mobile plans give you unlimited SMS.
  • Does anyone find fault with the phrase "Windows XP Based ATMs"?

    Regardless of whether this exploit requires an insider for access to the physical machine, securing $10k-$20k worth of cash with one of the most commonplace operating systems on the planet seems beyond asinine to me.

    • by Kalriath (849904)

      XP Embedded. It's a slightly different beast from XP Home. And either way, you shouldn't have physical access, so it's irrelevant whether it runs Windows, Linux, FreeDOS, or even frigging BeOS.

  • Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines.

    Gotta be Diebold. Yes, they changed their name. No, those thieves should never be allowed to remove the albatross of crooked voting machines from their scrawny, corrupt necks.

    • by drinkypoo (153816)

      Yeah, that was my response too. Diebold is well-known to do a shit job with ATM security.

  • FWIW, the magic number '5449610000583686' mentioned in the article passes the Luhn Algorithm [wikipedia.org], and is therefore valid as a credit card number. The BIN indicates the card was/would be issued by the following bank, transcribed from this site [bindb.com]:

    Bin: 544961
    Card Brand: MASTERCARD
    Issuing Bank: HSBC BANK (PANAMA) S.A.
    Card Type: CREDIT
    Card Level: PLATINUM
    Iso Country Name: PANAMA
    Iso Country A2: PA
    Iso Country A3: PAN
    Iso Country Number: 591

  • ...if you want an ATM open, you smash it on a methhead's head.

  • Fill up the ATM with propane gas through the money slot.
    Set up a fuse.
    Pick up money and run.
    Some photos [google.pl].

    Quite impressive, though the success ratio isn't too high.

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...