Cybercriminals Refine ATM Data-Sniffing Software

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."

DES

[bluefoxlucid]

DES doesn't really mean "Designed Extremely Secure" ....

Re:

[hey]

You'd think the "cybercriminals" would be more security-aware and use a better encryption algo.

Re:DES

[sopssa]

Just to note, ATM running Windows XP doesn't mean its less secure and that it could be exploited. If you've used ATM's, theres no really way to just run your programs on it or exploit it somehow. But when criminals have access to the hardware physically, there is no difference if its windows, linux or whatever else OS. That is how its probably been working here aswell, they get some insiders to give them access or they social engineer their way in. You cant exploit windows bugs in them because you cant connect to them from the internet.

Like said, when people get good physical access to the hardware, game is usually lost, no matter what the OS is.

Re:

[stokessd]

True, that it's game over if you have physical access. But there still is a downside to using windows. If you have physical access and also a working knowledge of the OS and it's functions/vulnerabilities then you are miles ahead of having physical access and a WTF OS in front of you. I could be logged in as root on a linux box and set my wife down and ask her to do some damage; she is harmless because she is lost. On her native computer she can do some damage though.

I'd think ATMs would use some sort o

Re:

[plover]

Because of advanced forms of fraud (and because networks are much more reliable than the dialups of yestermillenia) ATMs no longer work if the network goes down. They shut themselves down. They don't hand out cash when they're offline, because they have no way of authenticating your PIN, your card, or your account.

If it were possible, criminal organizations would have people trying a bad card in a different ATM every hour of every day of every week. Once they "luck" into an offline terminal, it's payo

Re:

[mcgrew]

You don't need a rootkit, as I found out several years ago.

A woman I was seeing (for twenty dollars a pop) watched as I put the PIN number in. She then stole my checkbook, my debit card, and spare car keys. I think it's chronicled in one of my journals somewhere (there's a brief account in my latest, which I just posted a couple of hours ago, but there's a detailed one in an older one).

Any way, she wrote some bogus checks and withdrew money from the ATM. The bank made good on the checks, but not the debit c

Re:DES

[Anonymous Coward]

Several years ago, there was a home-invasion robbery that made local headlines for a few days. The robbers stole ATM cards and forced the PINs out of the residents at gunpoint, threatening to come back and rape them if they gave the wrong PIN. In this case, the residents were obligated to give the correct PIN, since they could have been tied up and forced to wait for the robber to return with the cash.

My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

Why not do this with ATMs? I would not be surprised if ATMs already had GSM-monitored burglar alarms for obvious reasons, and it wouldn't be that hard to have a secondary PIN that sends a duress signal.

Of course, that's useless against shoulder surfing.

Re:

[Muad'Dave]

I've said this since ATM cards came out way back when. I suggested the regular PIN backwards, to make it easy to remember.

Funny thing is, I think it started an internet rumor that it'd really work.

Re:

[ls671]

My PIN is 7117, what then?

Re:DES

[vertinox]

My home burglar alarm has a duress code. If someone should ever force me to disarm it at gunpoint, I use a secondary code that will act in the exact same manner as the normal code, while it silently sends a duress signal, and hello SWAT team.

I think it would be just as easy to create a "Zero balance" code to show the assailant you are broke when you are not.

Some of us don't need that though.

Re:

[justinlindh]

This idea already did the rounds in the form of an Internet rumor a couple of years back: http://www.snopes.com/business/bank/pinalert.asp [snopes.com]

The Snopes page mentions why something like this hasn't been implemented:

No one in the banking industry seems to want the technology. The banks argue against its implementation, not only on the basis of cost but also because they doubt such an alert would help anyone being coerced into making an ATM withdrawal. Even if police could be summoned via the keying of a special "alert" or "panic" code, they say, law enforcement would likely arrive long after victim and captor had departed. They have also warned of the very real possibility that victims' fumbling around while trying to trigger silent alarms could cause their captors to realize something was up and take those realizations out on their captives. Finally, there is the problem of ATM customers' quickly conjuring up their accustomed PINs in reverse: Even in situations lacking added stress, mentally reconstructing one's PIN backwards is a difficult task for many people. Add to that difficulty the terror of being in the possession of a violent and armed person, and precious few victims might be able to come up with reversed PINs seamlessly enough to fool their captors into believing that everything was proceeding according to plan. As Chuck Stones of the Kansas Bankers Association said in 2004: "I'm not sure anyone here could remember their PIN numbers backward with a gun to their head."

Re:

[mindbomb2323]

I am an ATM repair tech. and I can tell you that you are correct about the duress codes for people admining and there are several different ways that it can be done. I have never seen any type of gps tracker used because you would have to put it somewhere that they couldn't remove it and that would be in the vault but if you put it in there then how could you get reception. As far as using the duress code I don't think i would ever use it for the simple fact that it is a guaranteed way to become a hostage

Re:

[jDeepbeep]

If they have your PIN number, they're automatically authorized to use the card, even after it's reported stolen!

Well, there is a difference between reporting a card as stolen, and telling the bank to disable the card because of fraudulent use, no? Even so, if reported quickly enough, the bank ought to be able to credit your account back for any transactions that clear, and send you affidavits to sign in the mail afterwards.

Re:DES

[BlackSnake112]

Sneakier way that I have seen. The bad guys slide this metal piece into the ATM slot. This catches your card bit will not release it. Some even let you make your transaction but still keep the card. Usually one of the bad guys is around the ATM watching. They walk up pretending to help. They ask you to enter in you pin again or ask for your pin so they can enter the pin. Either way they now have your pin. Nothing works of course. You go away, they take out the piece of metal with your card. Now they have your pin and your card.

I read about this. I have so far taken 4 pieces of metal out of the ATM card slot at 3 different location around the Washington DC area. All 4 times, someone very quickly left the scene. I did report it to the each bank when they were open again. All 4 times happen to be after 9PM.

Look at the ATM slot before you put your card in. If it looks like there is a extra thin piece of metal, either go to a different ATM, or see if you can take it out. I used the trusty paperclip to remove the metal. Not that hard.

Re:

[Zaurus]

What you are describing is called a "Lebanese Loop"

http://en.wikipedia.org/wiki/Lebanese_loop [wikipedia.org]

Re:

[PitaBred]

Next time you see a piece of metal in an ATM you should lean up against the wall a few steps away and call the cops, see if they want to catch someone in the act of trying to scam an ATM. If it's a slow night, you might get an officer to respond.

Re:

[account_deleted]

Comment removed based on user account deletion

ATM != desktop computer

[Smelly Jeffrey]

An ATM is not a desktop computer. WTF is an ATM doing running Windows?

Re:ATM != desktop computer

[PrescriptionWarning]

but how else is Microsoft supposed get Office 2009 - ATM edition to market? And just think, Clippy could be a money clip instead of a paper clip! The bottom line is it's win-win in this rough riding tsunami wave of data mining nugget pack of wolves devouring economy for today's business-ready customer driven shim-sham!

Re:

[abigsmurf]

Why run Windows? Linux? DOS? etc.

ATMs need an OS of some sort. More advanced OS' make it easier to have the software display videos and animations, have more complex functionality and better compatibility with modern software. So long as the firewalls are properly configured to sandbox the unit, vulnerabilities are irrelevant.

Re:

[EXrider]

More advanced OS' make it easier to have the software display videos and animations.

As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

Re:ATM != desktop computer

[TJamieson]

As if we (end users) actually need any of this annoying shit, just keep your advertisements elsewhere and let me have my damn money in a convenient and secure fashion! Serves 'em right, greedy advertising whores.

THANK YOU! I remember several years ago, I stopped at my local ATM and noticed the screen was now in color. Hey, that's neat, I thought. Since I had just pulled up, it was displaying a picture of the bank. So I began to use the machine - wait, what the hell? The interface is still the exact same monochrome it has been since 1985! Why would they order a color screen? Then, as I completed my transaction and waited for my receipt, the reason came up -- a full-color ad for buying their shitty mortgage services.
Nevermind the fact that a good 30% of the time said ATM was "Temporarily unable to dispense cash" (read: empty).

Re:ATM != desktop computer

[NES HQ]

Why shouldn't an ATM run Windows? Cue the standard Windows-bashing, but a decently hardened copied of XP is more than sufficient for the minimal work that an ATM has to do.

Also, anyone with any network design sense would vlan & firewall the ATMs off of the rest of the network.

Yes, it's Windows. But without crazy Aunt Judy trying to install her cat screensavers Windows should be fine for the task.

Re:ATM != desktop computer

[internerdj]

Presuming that the network designer had some sense then this type of hack happens at the physical location because a network update would set off far too many alarms: meaning it really doesn't matter what OS is running because the hackers are gaining physical access to the hardware. If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

Re:

[WillKemp]

If they were losing more in stolen money (that they had to repay) or business than it costs to actually secure the ATM they would make the proper changes in security, it would already be fixed.

Yeah, of course they would. Bank managements are well known for being sensible and never doing stuff that loses money.

Closed Network

[relguj9]

Plus firewall, 'nuf said. The problem is when people break into the back of a machine and physically install malware on it... if you have people breaking in or social engineering their way into the back of a physically locked machine then you are going to have problems. I don't care if it's running some logic flow on an EEPROM, it's still going to be hacked.

Re:

[Anonymous Coward]

RE: "a decently hardened copied of XP is more than sufficient for the minimal work"..

That's the problem...it's more than sufficient. When designing something to be secure, you want the system to sufficient, nothing more. ATMs shouldn't even run Windows, linux, DOS, or any other general purpose OS. They should run the minimal set of programs required to perform banking transactions. There are levels of "security". While a hardened general purpose platform is better than an unhardened one, it is not a go

Re:

[Phroggy]

a decently hardened copied of XP is more than sufficient for the minimal work that an ATM has to do.

It's the precise nature of the "more than" that has us worried.

Re:

[goodmanj]

Mod parent up. A standard security mantra is, if you use a bigger hammer than necessary, you increase the chances of smashing your thumb.

The more complex the software tool, the more likely it is to have some sort of security hole in an obscure feature you don't care about and aren't aware of.

Re:

[sjames]

Because ATMs are very high value targets and there's no practical way to fully audit XP. Because XP is designed to do anything and everything while security calls for a fully audited system that can only do what it is supposed to do. Consider, the malware has to hook in somewhere. The less somewheres there are, the harder it is to do that. ATMs are an embedded application, it's silly to run a desktop OS on them.

Linux would be a better choice since it's design allows for it to be stripped down to the essenti

Re:

[Muad'Dave]

Dugg for using 'cue' (correctly) instead of 'queue'. 8-)

Re:

[Captain Hook]

I read the receipt printing trick as not needing an insider, hacker just goes up to the ATM, enter a special code/card and it prints out a DES encoded string of characters on the built-in printer which normally provides the cash withdrawal receipt.

Re:

[91degrees]

Ultimately it comes down to "why not?" ATMs need an OS. The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development. Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer. It's easier to develop for windows that to develop for a custom devkit.

Re:ATM != desktop computer

[99BottlesOfBeerInMyF]

Ultimately it comes down to "why not?"

It costs a licensing fee. It has more security liability than pretty much any other choice.

The cost of a Windows XP licence is trivial compared with that of the hardware and custom software development.

Linux costs nothing to license. BSD costs nothing to license. Windows costs something. That's an added, unneeded cost.

Might as well go for one that has lots of development tools for which the software can be run on a normal desktop computer.

Because there aren't lots of dev tools for Linux that run on a normal desktop computer?

. It's easier to develop for windows that to develop for a custom devkit.

How is it easier to develop an ATM on Windows than on Linux? They both have tons of tools and myriad experienced developers and companies. Linux is probably better optimized for appliance uses and has a larger share of the appliance market than Windows, making it easier to find companies to work on it.

In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

Re:

[lxs]

How is it easier to develop an ATM on Windows than on Linux?

Windows devs are a dime a dozen and therefore cheap to hire.

Re:ATM != desktop computer

[99BottlesOfBeerInMyF]

Windows devs are a dime a dozen and therefore cheap to hire.

Are you talking about Windows developers with experience creating user interfaces and coding for appliance style devices that don't use the normal inputs and only have fullscreen displays?

There are a lot more Linux people qualified to create such devices than Windows people from my experience in the industry. If, however, you're talking about developers with no experience and without the proper skills, sure you can find more Windows developers, but that sure isn't going to save you money.

Re:

[WillKemp]

Crap Windows devs are a dime a dozen and therefore cheap to hire.

There, fixed that for you.

Re:

[sjames]

If you pay peanuts, you get monkeys.

Re:

[91degrees]

Bad Linux programmers are more expensive than bad Windows programmers.

The problem, if anything, is the programmers. Not the platform they're developing for.

Re:ATM != desktop computer

[iamhigh]

I'll second your argument, and I could be considered an MS fanboy by this crowd's standard. But there is no reason to have an ATM running windows, the most used, most exploited OS on something like an ATM. I wouldn't even use Linux, but probably recommend a custom OS, as you can control the hardware used. Then the attackers have to hack some pretty much unknown system, that can easily be built from the ground up to use software and hardware security measures.

Re:

[91degrees]

It costs a licensing fee. It has more security liability than pretty much any other choice.

As far as I know though, most of this is via the browser and email applications and IIS. XP can be pretty secure if you disable all unneeded services.

In short, I don't buy your arguments at all. Using Windows on an ATM is a sign someone in management somewhere is an incompetent buffoon.

I'd have thought Linux would be cheaper, but for all we know, they did a thorough analysis, discovered there were suitable s

Re:

[Lonewolf666]

Even Unix won't save you if the attacker gets physical access to the machine. I learned how to "crack" SCO Unix 10 years ago in an administration course by booting from floppy and resetting the password file.
If you can prevent that, it should be possible to secure Windows with a firewall that blocks all ports except the one your ATM application uses.
This said, Linux may actually be easier/cheaper to secure. But I don't consider a Windows based ATM an automatic security risk if the developer does his homewor

Re:

[cptdondo]

Take a lesson from the gambling industry. They have to audit all of their machines regularly. The entire OS, including the bootloader, sits on SD cards. You can yank the SD card, audit it, and stick it back in. It's much more difficult to hack these on a long-term basis as the SD card audit will catch it. There are no keyboad ports. (Assuming, of course, the auditor is honest and the lock on the machine is secure. No joy if the person refilling the machine has access to the guts of the machine.)

Anyon

Re:ATM != desktop computer

[CopaceticOpus]

This is a perfect chance to call your bank:

YOU: "I've been reading online about ATMs which are based on Windows XP being attacked by cybercriminals, and I'm worried. Are your ATMs running on Windows?"

THEM: "I'm not sure about the particular technology used in our ATMs, but we've had no security issues thus far."

YOU: "THEN YOU'D BETTER GO CATCH THEM!" Tee hee-hee! (click!) Snicker, snicker, snort, snicker...

Re:

[ILongForDarkness]

Hehe. We have a large Sun/Storage Tek tape library at my work. The SL300000 http://www.sun.com/storagetek/tape_storage/tape_libraries/sl3000/ [sun.com] . It runs Win2k. The question is what is a new $120k device (~70k but then that is before you get the drives for the library :-)) from an old school UNIX vendor doing running an out of support version of Windows :-) . We also have microscopes that are controlled by windows but the GUI is in Linux (they come with both computers in one case). It all comes down to what t

Re:

[Thaelon]

Probably acting as a general purpose OS to allow ATM manufacturers to do less work since they only have to write software for a common OS.

Re:

[pilgrim23]

entry to the system is the big stumbling block; "open box, insert USB or other media close box". Every vending machine I have ever encountered has some code that puts it into a "service mode". I would not be at all surprised that if you say: Punch "Use English" twice then savings account then some other button then slide in a "special" card and do the service voodoo. Now given such a "service personnel only" HOLE and I am SURE its there, it would be trivial to program a basic overflow on a ATM card to

Re:ATM != desktop computer

[twistah]

They run XP embedded, which allow you to customize which components are used much more so than regular XP. That is not to say I don't see your point -- we've broken into plenty of Diebold XP ATMs during authorized penetration tests using regular Windows exploits. After that, it's game over with the software this product mentions. Then again, regular OS's have been running on ATMs for a long time, and many still run OS/2.

Re:ATM != desktop computer

[Ethanol-fueled]

I'm waiting for the ATM that runs Mac OS X!

They already have those in San Francisco. They're called "gAyTMs"

Re:ATM != desktop computer

[Spazztastic]

I'm waiting for the ATM that runs Mac OS X!

They already have those in San Francisco. They're called "gAyTMs"

A2Ms?

Re:

[truthsearch]

"And I'm a PC."

Re:

[Anonymous Coward]

You have to multitouch move an on-screen representation of your money to the trashcan in order to get the ATM to eject it into your hand.

Credit card companies need to wise up

[gurps_npc]

They have to understand that 'eating the loss', while it may make sense from a short term financial perspective does nto make sense for a longer term perspective. There are superior methods out there to verify credit card information, we don't need to use the same method that was used 50 years ago.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[truthsearch]

They have to understand that 'eating the loss', while it may make sense from a short term financial perspective does nto make sense for a longer term perspective.

Actually, it does. There will always be fraud. And companies have a threshold which they consider acceptable (IIRC MasterCard's was generally 2% back when I worked for them). The cost of rolling out advanced security tech is huge, and compared to a small reduction in fraud it's simply not worth it to these companies.

Most fraud is not done through cloned plastic. So even completely eliminating this risk may not be cost effective.

(As a customer I want all fraud gone. I'm just explaining the corporate per

Windows XP?

[Anonymous Coward]

..."on ATMs running Microsoft's Windows XP operating system..."

Let me be the first to say "ur doin it wrong."

Re:

[abigsmurf]

Yeah, clearly they should keep using Operating systems that no one has used on desktops since the late 80's.

I'm sure that would make general maintenance and updating the software easier.

At least it's not Vista . . .

[PolygamousRanchKid]

"Are you sure you want to withdraw this money?"

"Will you spend it wisely?"

"You don't seem to have much left, have you planned for an emergency?"

. . . etc. . . .

Re:

[Anonymous Coward]

Do you realize that would actually be a fantastic improvement?

Re:

[PitaBred]

I concur. Especially after having read Not Always Right [notalwaysright.com] lately [notalwaysright.com].

Re:

[WillKemp]

Of course they're doing it wrong - they're a bank, that's what they do.

Stupid stupid users

[Anonymous Coward]

When your ATM asks if you want to install an ActiveX control, you always say "no."

How many years do I have to keep telling them that?

How come?

[Anonymous Coward]

I RTFA (yes, yes... I know) but I couldn't find the answer to the most obvious question... how does the rootkit get installed?
If no physical access to the real PC inside the ATM is needed.. that's really cool!
But if you need to plug an usb drive in, this actually reduces the field of the potential thieves by several orders of magnitude...

M

Re:

[dbcad7]

I imagine it's physical access, but I suppose it could be done other ways.. If it was more widespread than "mostly eastern european countries" then it would probably be more likely done remotely. In many of these countries corruption and bribery are just acceptable and sometime admired ways of life. It's pretty simple to investigate who has access to particular machines and figure it out, but it will probably take something extreme like the card companies refusing to do business in that country to force inv

Windows?

[grahamsaa]

Why a bank's IT / security team would feel it appropriate to operate ATMs that run Windows is completely beyond me. I mean, if bankers were really that stupid the world economy would probably have crumbled by now. Oh, wait. . .

Free gas courtesy of Mircosoft!

[Anonymous Coward]

Once I found a gas station near my work that the pumps where running a version of Windows back around 1999-2000. If you swiped your card and pulled the nozzle at the same time the little LCD screen showed a BSOD and you got free gas. I fill up there for 1 week until they closed the station and changed the pumps. Never got charged a cent!

Re:Free gas courtesy of Mircosoft!

[Anonymous Coward]

The gas wasn't free, you stole it.

Re:

[ArsenneLupin]

The gas wasn't free, you stole it.

Yeah, the same way as "the pre-installed Windows isn't free, they just stole the license fee from the buyer". But, now go and try to complain about such a shop to the police...

Same way here: you can bet that if this was indeed theft, that the petrol station's operator wouldn't have hesitated to take the surveillance camera's footage to police, with more severe consequences to the poster. Yes, even in 1999-2000, petrol stations already had cameras.

So yes, taking advantage of poor business choices is not th

Re:

[Paradise Pete]

Agreed, Seeing as most stations have slews of cameras, he's rather lucky not to be caught.

The chances of being caught have nothing to do with the fact that it's theft. If the risk of being caught determines how you act then you should rethink your principles. It's easy to do the right thing when you'll get noticed. It's when you know that you could get away with it that reveals your true character.

We've had this already...

[omuls are tasty]

There were already news of something similar in March [slashdot.org].

Judging by the currencies the malware operates with, it seems the "Eastern European countries" are Ukraine and Russia. Does anyone know if it's Diebold again?

And putting aside the incredibly logical choice of the OS, any idea on how this gets installed on the ATMs in the first place?

Simple but effecitve compliance law/rule

[erroneus]

To run any "public financial transaction device" certain compliances are required and many of these are related to physical security, data security and communications security standards. Clearly, the presence of malware on ATM core software indicates that the ATM security standards are either not being met or are terribly inadequate.

It occurs to me that one rule that might go a long way to making machines like ATMs (or even voting machines) more secure against corruption is a requirement that the system software should be stored in a read-only format such as CD/DVD or ROM chips. CD/DVD ROMs would probably be the most flexible method and various self-check measures could help ensure that the CD/DVD ROM was genuine. (Say, for example, a validation black-box device of some sort.)

With enough engineering and hacking, even this method could be thwarted I am sure but it would certainly raise the bar significantly beyond "crack the machine open, connect the system drive to a USB adapter, insert additional code, close up" which is the method of entry I suspect is most used. If there was limited to no local storage and ROM-based operating systems and software combined with solid verification technologies, it would take some serious knowledge to compromise such machines.

This sort of method would make running Windows XP as the operating system considerably more difficult, but if they are hard-set on running Windows, I am sure they would find a way to comply if it were required.

Re:

[Maximum Prophet]

But then the banks couldn't upgrade all their machine remotely. They have to send a tech to each and every ATM in order to add new features like the "Send All Your Money to a Criminal" button.

Re:

[erroneus]

This is a good thing. It adds the opportunity for a verified in-person inspection of the machine at the same time any software/firmware update is performed. And the chain of responsibility and accountability can be more easily verified. When the variables of security are in flux, being able to trace back the path at some point is the most important thing. This is why it is so important that digital election machines provide a complete audit trail that cannot easily be forged or manipulated.

Re:

[sysgeek01]

The problem with making the ATM storage read only is that you have to configure the device. There are a lot of configuration settings that have to be changed out of the box, with some of them specific to the ATM itself and to the processing company that it's using to process transactions through.

The ATM also keeps a electronic journal of all of the ATM's activity. It's kind of like a flight data recorder (black box). You have to have writable storage for that.

I go along the lines that ATM security sta

Re:

[bzzfzz]

That will work great, because you can't just go out and buy blank recordable CD/DVDs or EPROMs. Oh, wait...

Re:

[erroneus]

Going ROM based is not "Trusted Computing" but yes, Trusted Computing is about running signed or otherwise verified code. The problems with trusted computing are many and as long as an OS is updatable by software means, there is also going to be a vector for compromise. Signed ROMs are another matter... the OS code isn't modifiable and more reliably verifiable. Software updates performed by a physical act means there is a chain of accountability to follow as well.

Not much of details

[140Mandak262Jamuna]

Despite all that scare flags the linked article is triggering, basically it does not say how the ATM is compromised. Can any ATM be compromised by the hacker without any inside help? Or does it require some help from the maintenance people who open the machine provide access to the innards? Unless the method works on the ATM without any inside help it might not be as scary as it sounds.

Re:

[Canazza]

Maybe they're causing a stack overflow with code on a cards strip/Chip...

ATMs in the UK

[Canazza]

there are many ATMs in the UK that use Windows XP as their OS of choice. Having personally seen crash screens and machines caught in a restart loop.

Why they are using windows, I don't know to be honest. Why they'd be using a Linux distro, I don't know. The banks probably don't know either, as far as I'm aware they get their ATMs from companies like NCR or IBM (or Diebold, as we've seen before) who are the companies who supply the software. It just so happens that the software they write is written for Windows Operating System. Remember, the cost of hiring someone who can programme for Windows is significantly less for someone who can programme for Linux (As they will likely also be able to programme for Windows, thus, with a larger skill-set they'll demand more money) And a bulk licence for Windows where they're churning out 1,000+ ATMs boils down to next to nothing.

The cheapest programmer, the cheapest hardware, a slightly costly OS. Something has to be a weak link, and the exploiters exploit it.

Re:

[Canazza]

I found this flickr pic on an NCR ATM [flickr.com]
This blog entry detailing a NationWide (UK Bank) ATM [craigmurphy.com]
and a Youtube video of an ATM on a boot cycle [youtube.com]

ATMs...

[EddyPearson]

...are probably one of the few devices that most Slashdotters would agree should definitely be running proprietary, private software.

I had no idea there were ATMs out there running Windows. Given access to the software/a machine running it, I can't see how this would have been difficult to pull off. This is a serious WTF? moment.

Re:

[EddyPearson]

And as an idealist, I'm there with you. But as a pragmatist, this was a total fuckup.

Looking at it from a malicious perspective, if i knew a certain ATM brand ran Windows, I'd have a field day.

Why? Look online, anybody can learn to code for an XP machine, all the nooks and crannies where you can hide malware are easy to research, methods for bypassing anti-virus software are all public domain.
The ways INTO a windows machine are well known (we can assume this is running on standard hardware), be it v

Re:

[EddyPearson]

By the way I agree entirely with you on the subject of voting machines, and on probably 99.9999% of other devices, but I understand the fraud "community" better than many others here, and while it would be nice to have openness, we're talking about motivated people who know what they're doing.

They don't give a shit about your idealism, they see weakness, they exploit it.

There are very few known ATM scams out there apart from skimming, that didn't require fairly intimate knowledge of the systems involv

Another view via el reg & trustwave

[auric_dude]

A reasonable report via http://www.theregister.co.uk/2009/06/03/atm_trojans/ [theregister.co.uk] and something slightly more technical http://regmedia.co.uk/2009/06/03/trust_wave_atm_report.pdf [regmedia.co.uk] via trust wave.

The top 10 ways computer security list

[lwriemen]

10. Don't always run as root
9. Don't open attachments from unknown sources
8. Don't run Windows!
7. Don't run Windows!
6. Don't run Windows!
5. Don't run Windows!
4. Don't run Windows!
3. Don't run Windows!
2. Don't run Windows!
1. Don't run Windows!

Re:The top 10 ways computer security list

[Canazza]

Using Windows on the Internet is like having a unprotected sex with a member of the opposite sex you met in a club. Looks good enough for you, does what you need it to, but the risk of infection is high.
Using Linux on the internet is like having unprotected sex with a cow. It's harder to catch a compatible infection, but it's ugly and unlikely to play any of the games you'd like it to.

Withdraw my money?!

[TreyGeek]

"which would potentially allow criminals to clone the card in order to withdraw cash. "

Heh... the joke is on the hacker. I have no money in my bank account to withdraw!

True Story

[ohnotherobots]

A friend of mine had his atm card in a Bank of America machine to withdraw money when the power went out. When it came back on a few seconds later, he was greeted with the Windows XP Embedded splash screen before the atm interface came up. The machine didn't realize it still had his card, so he couldn't get it back. (This is especially funny since he is a MS fanboy.)

How do you trust an ATM?

[goodmanj]

This brings up a serious question. You need some cash in an unfamiliar state or country, and you come across an ATM. How do you know if you can trust it?

Given the number of people who've been scammed by everything from bolt-on ATM card skimmers [snopes.com] to oldschool fake night deposit boxes [securityinfowatch.com], this is worth worrying about.

The standard security mantra is, "only use trusted hardware to authenticate yourself", but that can't happen here.

Anyone have any ideas for an ATM authentication system that will both prove to the bank that I am who I say I am, and prove to me that the ATM isn't stealing my authentication keys?

The only solution I can think of involves trusted hand-held devices like cell phones or keychain password tokens.

Re:

[goodmanj]

To clarify my question, there are tons of ways in which an ATM can be untrustworthy:

* It has additional hardware bolted on to steal card numbers
* Its software has been tampered with
* The bank running it is corrupt
* It's not actually an ATM, just a box that steals card numbers and hands out cash without talking to my bank.

Re:

[PPH]

* It's not actually an ATM, just a box that steals card numbers and hands out cash without talking to my bank.

I've been on the lookout for one of these.....with my library card in hand.

Re:

[Spectre]

What is this 1980? What countries are still using magnetic strips for credit and debit cards?

Well, the USA for one. 1 debit card and 2 credit cards in my wallet right now. Everyone is chip-less, the electronically readable information is in the mag stripe on the back, old-fashioned raised numbers and letters for the imprinting machines are on the front.

Granted, they're all issued from the bank, but it is one of the largest in the USA, not some mom-and-pop outfit.

Re:

[u38cg]

Most of them? Is there anywhere that doesn't continue to issue mag stripes as a precaution against chip failures (~1% per annum)?

Re:

[langelgjm]

I actually looked into getting a credit card with a chip in the U.S., and couldn't find a single provider that offered one. I think American Express offered one a while ago, but discontinued it when I was looking.

Ther reason I wanted one was because one time, I was in a French rail station trying to buy a ticket from an automated machine. The machine was broken, and refused to take bills; I didn't have enough change; and all the teller windows were closed. I was going to use my credit card, but the machine

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gstoddart]

What is this 1980? What countries are still using magnetic strips for credit and debit cards?

Well, Canada and the US for example.

Cheers

Re:

[xaxa]

I was disappointed that I was asked to sign both times I used my UK Visa Debit card in a shop in Germany at the weekend. I don't know if this was ignorance (e.g. the shop staff thinking my card wouldn't work) or incompatibility.

Re:but how?

[jafiwam]

Read the summary again and it's obvious.

Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

There doesn't need to be an exploit beyond "Eastern European Country" involved.

Re:

[delire]

Eastern European Countries have this problem. Home of Russian mafia expansion, home of corrupted and weak police forces, home of guys who make so little a couple hundred bucks in bribe works well, home of scammer's money laundry operations, etc.

Certainly there is plenty fo corruption in the Eastern European countries, however it's not like other countries are spared the same problems; American TV producers can't seem to get enough of the Good Cop / Bad Cop diametric, as though heaven and hell had a street a

Re:

[Peter Simpson]

From TFR:
"Additionally, the malware harvests what is believed to be key or PIN data, saving the
information in a file C:\WINDOWS\kl."

So, they waffle on whether the PIN is captured. The filename "kl", does imply "KeyLogger", though.

Perhaps Eastern European ATMs are built differently that those in North America...maybe "saving a bit of money" by doing the encryption of the PIN in the PC, instead using an encrypting secure keypad.

Or, since the same keypad is used for PIN entry and regular input, perhaps the co