Card-Sniffing Malware On Diebold ATMs 143
angry tapir writes "Diebold has released a security fix for its Opteva automated teller machines after cyber-criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software. Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program. Arrests have reportedly been made."
In Soviet Russia... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2, Funny)
the banks hold up you.
I thought for that joke there was supposed to be a reversal in there somewhere?
On Soviet Slashdot (Score:2, Funny)
Re: (Score:2)
Obligatory WHOOSH.
Wrong part of the map (Score:2)
In USSA banks rob you.
Re: (Score:2)
Yup, in the same context that Eve didn't FORCE Adam to eat the fucking apple !
Credit + US Citizen == Carrot + Donkey
Re: (Score:2)
No, you're wrong. The banks said "If you want, you can borrow some money." It's the people who jumped all over themselves to spend more than they make.
Re:In Soviet Russia... (Score:4, Insightful)
Umm, no ... the banks said something more akin to ...
Want some money, we got lots of money, want more money that you can afford, no problem, we'll give you 10 times your salary, even though the recognised multiplier is just 3.
And with low low interest rates, what could possibly go wrong ? Also, while you're here, would you like to borrow more money for a car, and a holiday, and that 80" flatscreen TV ? How about a new kitchen ? We can also give you credit cards with more spending power than God.
And what the heck if the sum total of all your credit comes to 5 times more than you can conceivably earn in your lifetime, this is the American Way (TM).
Re: (Score:1, Insightful)
The government controlling every bit of people's lives isn't going to cure stupid.
Re: (Score:2)
The government controlling every bit of people's lives isn't going to cure stupid.
Then it's a good thing no one is suggesting that the government should control every bit of people's lives, huh?
Re: (Score:2)
Why do people insist that advertising doesn't have any real effect on people's decision? I assume you saw the same giant flashing text, screaming used-car-salesmen commercials (from BANKS!!!) that I did. I'm smart enough to see through the bullshit, you're smart enough to see through the bullshit, but you damn well know that MANY people aren't. Someone in a suit telling everyone how easy and great is it to get some money, and in fact that it is THE RESPONSIBLE THING (yes, they said that) to get these loa
Re: (Score:2)
>>>Credit + US Citizen == Carrot + Donkey
This is the same kind of thinking Democrats & Socialists use to justify larger government - "You are too stupid to think for yourself, so we the government will do it for you. Just turn-over 60-70% of your money to us, and we'll take care of the bills." The sad part is that about 20% of Americans* and 40% of Europeans** agree with that idea - yes government should provide more services (i.e. take our money and run our lives).
* Zogby Poll
** made-up
Re: (Score:2)
I don't think it's necessarily that Democrats & Socialists think that people are too stupid to think for themselves, it's more like:
I can't be an expert on everything. I have no idea what a credit default swap is, or what good debt vs bad debt is. I don't know if my doctor is wasting my money or doing a potentially lifesaving test. I have no idea if the ad is true, false, or what. etc.
I also can't afford (and most people I know cannot afford) to hire an expert in every field to be on hand for every deci
Re: (Score:2)
Sure, because hard-hacking an ATM with electronic devices and putting a file on a memory card demonstrate the same level of security planning, right? Right?
Track record? (Score:2)
Re:Track record? (Score:5, Insightful)
Does it really matter, when their customers are allowing the bad guys to physically work with the machines? Bad guys who get to touch system like that have a real leg up. Machines that - even if the user allows the bad guy to play with the hardware - could withstand a serious onslaught by organized Russian techie criminals would probably be substantially more expensive for the average [Insert Name of Russian 7-11 here] or their banking vendor to deploy.
Re: (Score:1)
Why would an ATM allow access to anything but the needed functions?
I couldn't imagine an ATM that ran a consumer OS.
Comment removed (Score:5, Insightful)
Re:Track record? (Score:5, Insightful)
the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around
Why? Are you trying to say that something about the Windows Operating system is causing this ATM to fail? I hope not, because it would be foolish to assume that without more data. A lot can go wrong with an ATM. From faulty hardware to sloppy programming.
It's far more likely that in this case the benefit comes from simplicity in the hardware and software design, not anything to do with OS/2. From your description, the whole design is much older. Whatever bugs that may be present in the software or the operating system don't interfere with the machines day to day operation, so from the standpoint of a casual observer, it's perfect.
Using this single (biased) example as an endorsement for using OS/2 isn't insightful, it's just stupid.
Re: (Score:2)
It's far more likely that in this case the benefit comes from simplicity in the hardware and software design
This is true. Something like an ATM doesn't even need an OS but it makes it a lot easier to produce, not to mention redesign and upgrade.
Re:Track record? (Score:4, Insightful)
You're thinking like an engineer. Think like a marketroid. You know...
"...If it ran Windows, we could put advertisements on it. And not just text ads like 'walk around the corner and ask for a loan', I mean full-screen animated ads of cute families overjoyed because they have credit cards, you know, like TV, and the customer would have to watch the ads, because if they walk away during the 5-second interstitial ad, they don't get the $100 they're trying to withdraw!"
CAPTCHA: "annoyed". Once again, Slashdot imitates life. Or at least, the fucking ATM going "ding" (with the same DING.WAV that's been in Windows since 3.1, what a dead giveaway as to what OS they're running) that I used this afternoon.
Anyways. Fucktards. Fucktards one and all. It's St. Paddy's day, and I'm finally drunk enough to take my engineering hat off and put my marketroid hat on. Fortunately, I'll be sober in the morning. Unfortunately, the marketroids will still be running the show.
Re: (Score:2)
No mod points today or else you'd get +1 Most-Insightful-Drunken-AC-Post-Ever
Re: (Score:2)
Just for the record, I'm living in Russia and I've never had any adverts on ATMs here.
Re: (Score:2)
You know, that has been bugging me, along with a general WTF? when it comes to why they are using a consumer OS on these machines in the first place. The stupidest part by a country mile is the fact that they have a VERY secure and reliable OS for these things that have years of real world use: OS2.
My banks have the OS2 machines(I think Diebold) and frankly they are built like tanks. They are always running 24/7(you think I'm joking but the bank down the street has the pretty Windows ATMs and there is some guy out there working on the damned thing every time you turn around) and it frankly just works. Is it pretty? Nope, just a blue and black screen with very basic function buttons. But it is a ATM. It doesn't NEED to be pretty. It just needs to be secure and work. And since eComstation still sells OS2 licenses I honestly don't see why they just don't stick with old reliable OS2. If it ain't broke, don't fix it.
Hah, please tell me someone copy-pasted this from a Slashdot thread circa 2001.
If not, your ATM runs Microsoft OS/2 1.3, btw.
Re: (Score:1)
Re:OS/2 or Windows (Score:1)
Pretty becomes an issue when you gain revenue displaying motion picture advertising and providing additional "value added" features.
It isn't just Diebold. I work with a few different brands of ATMs and they all seem to be moving in the same direction.
Re: (Score:2)
Re: (Score:2)
Because you HAVE to upgrade!
OS2 wont support the latest video card, sound card, or any of my usb devices!!!!
OMG! I would just die if my ATM did not use my webcam and ipod!
many times it's because bank executives are making the decision. windows based ATM's exist because some retarded moron of a bank executive asked for it.
Re: (Score:1)
Re: (Score:1)
Re:Track record? (Score:5, Interesting)
Many older ATMs used to run OS/2 and were rock solid dependable. It also helps that IBM was a key player in developing the crypto hardware in those machines and they had the expertise to ensure everything was locked down and tamperproof.
What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.
Re:Track record? (Score:5, Interesting)
I did some work for a local bank, and their ATM's were running Windows XP (not embedded), IIS (can't remember the version), and IE. This was to allow them to serve "rich content" (movies, images, animations, etc), without having to write it all themselves. The ATM just had IE talking to IIS, and displaying the results in "kiosk mode". The buttons on the sides of the screen were mapped to keys on the keyboard (I think), and that's how it ran.
I specified a full set of ports that needed to be accessible to the ATM controllers, and that was all that was supposed to be accessible from the network.
However, if you can get access to the back of the machine, it has a second monitor, keyboard and mouse, and you can access the OS, and do whatever you want to do. I *THINK* that the keyboard and mouse were locked away in the vault (or at least behind a door), but the hardware itself is pretty standard PC, so I don't imagine that it would be particularly difficult to add a USB keyboard or mouse and gain access when rebooting the device. Maybe even boot from a USB disk or similar.
The reality is that if you have physical access to practically anything, it is game over.
Personally, I would have been a lot happier to see a stripped down Linux kernel + minimal OS, BIOS passwords, bootloader passwords, etc than the entire Windows stack. Less to verify == more security.
Re: (Score:2)
That's actually a fairly clever design. I would not want to even begin implementing UI-embedded video on a microcontroller-based ATM. But so long as the user's input capabilities are severely limited, it really would be possible to use the capabilities of a web app without sacrificing too much security.
Re: (Score:2)
Care to elaborate a little?
What do you consider a "proper OS"?
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Breaking in into a bank through the ATM machine is probably the worst idea ever. Banks (or at least the banks I worked at) have a motion detector in the room behind the ATM. Only once I saw a bank that had an ATM removed and just covered up with plywood from the outside while the motion detector was disabled in that room. Triggering the ATM alarm is worse than the premises alarm because the premises alarm gets triggered sometimes from cleaning personnel or other employees but for the ATM room you need a spe
Re: (Score:1)
What Diebold has now? I wouldn't be surprised if they were using VB and the Jet DB for critical functions.
I don't know about Diebold ATMs. For voting machines, here's a quote from this Slashdot [slashdot.org] story (March 03, 2009):
Except that Diebold didn't make these machines. Premier Election Systems made them, and then was bought up by Diebold. - DrLang21 (900992)
Re: (Score:2)
As far as ATM venders go, how does Diebold rank in security?
Does it really matter, when their customers are allowing the bad guys to physically work with the machines?
Yes it does matter; security is a chain as strong as its weakest link. Proper encryption and authentication systems could/should have been used here to harden the weak link of physical access. As for cost of deployment, well, security organisations (including banks and Diebold) live on their reputations to keep things out of the hands of criminals. If they fail to do this, their security suffers. We're talking about Diebold here, not some two-bit Russian ATM provider.
Re: (Score:1)
Re: (Score:2)
They have physical access and are sniffing cards. How do you think you can prevent that by adding encryption or authentication?
If it's malware, then they have gotten into the system's software somehow - it's not a physical card sniffing attack. Obviously physical access helps the attacker, but can still be secured against; think encrypted volumes, and a decent authentication system to stop uninvited guests accessing the system when it's running.
Maybe there could be gov. regulation of ATM design (Score:5, Interesting)
That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.
Re: (Score:2)
Re: (Score:1)
I wouldn't put my card in one of those. What company, so I can never bank with them?
Re: (Score:2)
Money under the matress much?
Re: (Score:3, Informative)
Ages ago in the past, OS/2 was the ATM platform of choice. Now, its either Windows 2000 Pro, or XP Embedded.
As for Windows 98, I can see that being used, but the ATM would require a watchdog card. This is a special hardware card that automatically resets the machine should the watchdog driver not send pulses after a certain period of time, or if a certain application is not present and running. This case, Windows 98 can be used, because if the ATM's app crashes, the card will reset the machine to a hopef
Re: (Score:2)
Re:Maybe there could be gov. regulation of ATM des (Score:5, Insightful)
over 99.9% of the vulnerabilities you are counting require physical access. You can't insert a flash drive, jack in a keyboard, put in a floppy, or even get TCP/IP access to an ATM normally, so those security problems don't count.
If a system has a vulnerability that cannot be exploited, it doesn't make it any less secure.
Re: (Score:1)
Just so you know, the ATMs of the largest retail bank in my country has keyboard at them.
Re: (Score:2)
ATMs struck by the W32/Nachi worm (Score:2)
That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.
'Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi [infoworld.com] wo
Re: (Score:2)
That may have been true until they 'upgraded' ATMs from OS/2 and moved communications from dedicated lines to the Internet.
The ATMs run on their own encrypted (VPN) network, a bit like a darknet. Just because they're using the internet doesn't make that an easy vector. It's like saying your company's internal network isn't secure if your offices are connected with a VPN. As long as the exterior doors are secure, internal security is irrelevant.
That worm was probably due to the fault of some ATM engineer
Re: (Score:2)
If an ATM is on a TCP/IP network that is VPN'ed to another network that has access to the net. Then that ATM is effectively connected to the network. Sure they can block all ports and protocols but what they need. But I have seen so few companies employ an "allow whitelist only" for network or VPN.
Further the worm W32.Welchia.Worm (as stated by the previous poster spreads over the network looking for two different vulnerabilities. Which tells me it wasn't an infected flash drive
http://www.symantec.com/se [symantec.com]
Re: (Score:2)
You've watched D.A.R.Y.L. [wikipedia.org] one too many times.
Re: (Score:2)
Yes, I believe that to be the idea as presented... In fact, the exploit this article talks about is an example of that very concept.
I know that's not exactly what you're talking about, but consider that ANY input device is an input stream that can theoretically have any pattern (even those beyond design specs, like over-voltage) send down it. Steps can be taken to mitigate any threat of course, but taking for granted that those steps have been taken is too optimistic a view as far as I'm concerned. There
I saw one (Score:2)
No citation provided, but I saw one running Windows 98 in the touristy district of the Spanish city of Santiago de Compostela [google.com] (right near the cathedral).
I wasn't game enough to trust my debit card with it, but a passerby used it, and boy was it slow. You could see the individual images redrawing on the screen. It's been so long since it was last updated that the CRT monitor has the text burnt into its screen. (Although I thought modern CRTs were supposed to be immune to burn-in.)
Re: (Score:1)
There is a Diebold ATM machine in Brazil, São Paulo state, that regularly crashes. When it crashes, you can see that it is running Microsoft Windows 98. That amazes me. It seems that even someone with very little understanding would not use an OS that is known to have literally thousands of vulnerabilities.
waaait a second. so people actually put a atm running windows 98 in the middle of russia and expected it NOT to get immediately hijacked?
Obviously a product of the LAUSD (Score:3, Funny)
Since when is Sao Paulo, Brazil in the middle of Russia?
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
A Diebold ATM in my hometown was found crashed; apparently running XP. With an open DOS window and a flashing prompt. There was some dotNet class dump gobbledygook scrolled up in that window. I could enter numbers with the keypad, and the enter button would return "bad command or file name".
I found it that way in the morning, and when I drove past later that afternoon, it was still sitting in that state. Scary.
Uh...why are they running Windows? (Score:1, Redundant)
Still, it's a trojan (has to be put on individual ATMs) - and criminals would have to gain physical access to the computer inside the ATM, which would mean br
Re: (Score:2)
Re: (Score:1)
IBM told them that OS/2 was dead.
Re: (Score:3, Interesting)
One of the best scams in the world was to buy a used atm and then put custom software on it to harvest info and then plop the whole thing in a mall. come back in a week and you got a CRAPLOAD of cards and pins.
Simply program it to act normal but it cant connect to the bank and spit the card back out.
Honestly I am sure this will still work today. Back in the lat 90's they caught a group of guys around Detroit doing this.
Re: (Score:2)
Re: (Score:2)
True, but the banks might turn around and sue diebold for damages if the hackability was a breach of diebold's warranty...
AND diebold didn't be a sleaze and put "your exclusive remedy is a full refund and we disclaima ll warranties" such and such...
Sounds like the banks are going to get ripped off. Poetic justice perhaps but diebold should still eat the dogfood it served.
Re: (Score:2, Insightful)
You get what you pay for. In the case of security-critical technology I'd have hoped people would pay for something good. How naive of me.
Maybe an attempt to prove incompetence? (Score:5, Insightful)
From the last few US presidential elections where statistics where typically very different for electronic voting (Diebold) and paper ballots, a common conclusion was that either:
1. Diebold fixed the elections (a)
or
2. Diebold is completely incompetent (b)
But then.. People would argue that #2 is invalid because Diebold has atms all over the world that count money.. and they never have problems - so something as simple as voting should be easy.
Maybe Diebold is just trying to prove that they can be incompetent too? Which would give us a new set of alternatives:
3. Diebold is fabricating their own incompetence (c)
or
4. Diebold is really incompetent (d)
(d) = (b)
so..
((a) or (b)) and ((c) or (d))
so..
((a) or (b)) and ((c) or (b))
so..
((a) and (c)) or (b)
which translates to:
Why the fuck do we trust Diebold with anything?
Re: (Score:2)
Diebold got into voting because it was testing the water and made a product down a price point.
If states wanted good voting machines they should have thought of that in the contracts.
A bit like toxic paints on toys or plastics in food.
Next time ask for quality and spell out exactly what you want.
Re: (Score:2)
You'd think that counting "one vote for party A" as "one vote for party A" without losing any would be a basic feature of a voting machine, regardless of the quality specified in advance. Maybe Diebold don't inhabit the same universe as the rest of us, maybe they live in "politico-world" along with the rest of the crooks we vote for. I didn't know they did ATMs until I read this article, now I'm wary of my own ATM.
Ain't an ATM well named for recycling money? Ass To Mouth also describes that same process.
Re: (Score:2)
Why the fuck do we trust Diebold with anything?
Who is this 'we'? If I see a Diebold ATM, I try to find another one. No joke. I've gone into banks and told them I won't use the ATM because I don't trust the company that has been proven to miscount votes to build anything else, either. (They love me. I also tell the bitches at Wells Fargo that I love my Credit Union because the money stays in the community when they ask me to open an account - which they do every month when I go pay my rent with cash, direct into my landlord's account. I'm not sure why th
Should of not droped OS/2 For windows on the ATMs (Score:2, Redundant)
Should of not droped OS/2 For windows on the ATMs. Also was the administrative passwords set to the default like the other ATM's that got hacked?
Is the locked-down version of Windows that Diebold provides to locked down for some banks use? Locked in to Diebold for getting the windows updates? Vs being able to do it on your own / use your own WSUS system?
Are diebold voting machines just as easy or easier to hack?
obligatory xkcd link (Score:5, Funny)
http://xkcd.com/463/ [xkcd.com]
Windows? (Score:5, Insightful)
"...its ATM customers using the Windows operating system.
OK, stop. Did I just read what I think I just read? What...the...hell? Windows?
As if we don't have enough problems with the crooks that run the banks...
Re: (Score:1)
"using the Windows operating system" (Score:5, Insightful)
That line really wasn't needed. The crime requires physical access to the box. A linux,mac,whatever box is just a vulnerable in that situation.
Re: (Score:2)
Re: (Score:1)
The Swiss are notorious for their precision.
Re: (Score:2)
No, he's thinking about the product sold in America under the name "Swiss cheese". This is not to be confused with the foodstuff popular in Europe that is also, confusingly, called cheese.
"Swiss cheese" is a waxy, rubbery, flavourless chemical solid that differs from regular "cheese" only in the fact that it has holes in. There are persistent rumours that it may be edible.
(Oh, and Emmental is a Swiss cheese. It gets made in France too, but then Cheddar, an English cheese, gets made all over the world, so
Re: (Score:2)
Re: (Score:2)
After letting the two large dogs and other families children have a sniff and look at the flashing lights, they would have to extract and study the code.
A week later, they would be out looking for a windows ATM, thankful that everybody studied banking at Moscow U and learned windows.
whatever is just a vulnerable .. (Score:2)
You wouldn't use a desktop OS in such a situation. A small embedded obfuscated encrypted OS performing a small set of dedicated functions. Not a modified Windows OS that could be compromised using a few DLL redirects
'The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code [sophos.com] t
NSF (Score:4, Funny)
MONEY_LESS_OR_EQUAL
Y2K... (Score:5, Funny)
Somewhat OT, but my wife was one of the early recipients of a credit card which expired after 1999. She used to crash gas pumps whenever she tried to pay at the pump.
Re: (Score:1)
Did the gas pumps really hang? Were the staff able to reset them?
Re: (Score:2)
From what I remember, they'd crash and auto-reboot, but it would take awhile, so she'd go inside to pay.
Re: (Score:1)
Parent is funny? where?
Re: (Score:2)
I think we were living in So Cal back then.
Diebold card skimming detection technology (Score:2)
It would have been more technologically secure to not use magnetic strips in the first place and design a machine that only worked with authorized hardware. Someth
Diebold and ATM message protocols .. (Score:3, Interesting)
'IFX is far more flexible than NDC and 911/912, which are "single monolithic pieces of code," NCR's Risto said. "With IFX, you're taking states-and-screens away and replacing each piece with an inherent application. Each function is broken out and handled separately."'
'The move to IFX requires a smaller leap of technology than the switch from an OS/2 to Windows operating system, Risto said. "Once you've made the move to Windows [gokis.net], IFX is going to be a far smoother and more intuitive move."'
Re: (Score:2)
'The advanced Windows-based ATMs [windowsfs.com] coming into use now mean the ATM is technologically close to the Internet banking channel, since both use client/server applications, TCP/IP, and other modern computing methods'
Top 10 Reasons for Using Microsoft Windows on ATMs [microsoft.com]
'unlike Linux, the Windows OS features systems management, security, and software distribution tools within the OS kernel, easing integration with a bank's existing infrastructure while obviating
dangers of running native x86 code .. (Score:2)
'Google Chrome is implementing support to run native x86 code [ezinearticles.com] from within the browser'
UK ATMs (Score:2)
I know a fair few banks in the UK use Windows in their ATM's. the Halifax/Bank of Scotland for one, i've seen their ATM's with windows ok/cancel error boxes rendering them totally useless, i've also seen a Lloyds TSB machine stuck on the Windows XP boot screen.
I don't know who makes their ATM's (i'm guessing NCR as they have/had a big factory in Dundee) but Windows on ATMs isn't rare.
The inmates are in control of the asylum (Score:1)
Re: (Score:1)
I may be wrong... (Score:2, Funny)
Re: (Score:2)
Well yes and no, it's like safe building. You can get a very, very, very expensive safe that will take the best man in the world 100 hours to break through or you can get a cheaper one thta my only take a reasonably skilled person 12 hours to open. But the bigger question about these ATMs is why do they need so much hardware? They should be little more then a microcontrolelr then encrypts and decrypts data to and from a mainframe. No fancy videos, hard drives, high speed internet links. if they break i
Re: (Score:1)
I thought all Diebold ATMs ran Windows
There are probably some older supported Diebold ATMs out there running OS/2. Just like IBM is still supporting OS/2 use by some banks.