First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com)
Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.
To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.
Re: Windows XP in ATMs (Score:2, Insightful)
You clearly don't have anything useful to contribute to this discussion. The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton. For desktops, a focus on bringing better applications to Linux would do far more to increase market share than bashing Windows. Instead, you come across as p
Re: Windows XP in ATMs (Score:5, Funny)
Linux users bashing Windows...
Wait. I thought it was Microsoft that bashed Windows with Ubuntu.
Re: (Score:2)
The issue isn't that the ATMs are running Windows, but rather that they're running old and unmaintained software. Running an old unsupported version of Linux is going to be just as vulnerable. Linux users bashing Windows is a lot like Donald Trump's obsession with Hillary Clinton.
Are you implying that Hillary Clinton is old and unmaintained? :-)
Re: (Score:3, Informative)
Windows XP is no more childish or retarded than Linux or any other OS. If someone has physical access to a computer it makes no difference what operating system it is running.
Re: (Score:2, Interesting)
Windows isn't really 'deterministic'. You can do a lot of things much cleaner with a RTOS.
The problem here is that most of the big reputable companies don't have any decent programmers. Therefore, you can expect some crappy software at VB level on top of a 'not too reliable' OS.
A clever 13-year old computer kid could do a much better job. Marketing - and thus the big blenders in suits - always wins, however.
Re: Windows XP in ATMs (Score:1, Interesting)
The OP's point is still invalid. I agree that you want a slim OS with a reduced attack surface for that purpose. There are versions of Linux for exactly that purpose. And there's also a version of Windows for that purpose, now called Windows IoT, formerly Windows Embedded. Those ATMs probably aren't running consumer versions of Windows XP, but Windows XP Embedded. If they pay Microsoft for extended support beyond the EOL for XP, and continue to apply updates, the OS may not be that big of a problem. The iss
Re: Windows XP in ATMs (Score:5, Interesting)
Yeah, we used Windows Embedded for years in an industrial product. There were two drivers. The first was a well-tested library that we needed was most commonly used in Windows. The vendor was willing to build for Linux, but we would be the first users and didn't like the risk. The second driver was, believe it or not, USB thumbdrive support. At the end of the 90s, floppies were too small, so we transitioned to superdrives (compatible with floppies, but capacity was up to 120MB). Only one vendor made these drives, though, and soon they were end of life. The only good alternative was to support thumbdrives. But Linux back then was very hit-or-miss for thumbdrive support. Windows worked with nearly everything our customers threw into it.
Ironically (or not), the USB support is where we've had virus problems with Windows Embedded.
Linux USB support is now just fine, so we've transitioned to Linux. But Windows Embedded was fine - it let you only install the services you needed, so the vulnerability profile was much smaller than "kitchen sink" Windows.
Re: (Score:2)
Yes, there's no argument you can do a lot of things much cleaner with a bare-bones RTOS.
Then a few years pass and your boss needs to:
Re: (Score:2)
Then your bare-bones RTOS isn't looking so hot. Who knows what shit-tastic GUI library or HID parsing they wrote for it. Meanwhile your boss's boss's boss is wondering why the hell we can't update these things.
These are not OS issues. If the company building the ATM can't afford to pay for decent SDK libraries for their chosen OS, then you have to write them from scratch, but don't blame the RTOS for that.
Re: (Score:1)
A key item both of you left out was patents. Patents are why Linux ATMs are like Sasquatch. Sure, you could put together a RTOS to run your ATM hardware but you wont be able to interface with any ATM processor until your hardware appears as an established ATM terminal type or you pay a lot of money to each ATM processor to accept your new terminal type. Most ATM manufacturers choose the established ATM terminal type path, pay the licensing fee, and are then provided Windows API files.
Re: (Score:2)
Check this out: From Qt 5.9 onwards, the Green Hills Software INTEGRITY Real-Time Operating System (RTOS) is a supported platform. [doc.qt.io]
The Green Hills INTEGRITY Real-Time Operating System (RTOS) is widely used in safety- and security-critical systems.
This means you got a lib with Unicode, left to right, upside down writing, i18n as simple as breaking the egg and layout management. All the elements fall in place automatically, regardless of screen size and you can
Re: (Score:3)
Consumer-level multi-purpose OSes in single-use devices are a bad idea.
This includes having ATMs running Windows 10, Windows Server 2012, Mac OS X, OS/2, or Linux distributions like Ubuntu/Mint...
Multi-purpose OSes have way too much stuff enabled by default, allowing for possibilities of breaking in.
Re: (Score:2)
This could easily be Windows XP Embedded. It's not even EOL yet.
Re: (Score:2)
Ideally, an ATM should be running a secure, embedded OS. Not "secure" as in a mainstream OS, but secure as in an OS designed from the ground up, like QNX, Tock, Wind River, INTEGRITY, or similar. A desktop OS is not needed, because an ATM doesn't need much of the functionality (and attack surface) a general purpose OS provides, other than being able to drive a graphical touch screen so the designers can have their spring/fall fashions. There are secure hypervisor OSes out there which is useful since this
Re: (Score:2)
Multi-purpose OSes have way too much stuff enabled by default, allowing for possibilities of breaking in.
You're talking out of your ass. None of the jackpotting attacks have anything to do with the OS.
The normal attack involves updating the firmware on the machine via a USB port, which is protected only by a key that is common across many ATMs. The attacker gets the key, opens the service panel on the ATM, and inserts the USB drive containing the new (unsigned) firmware. At no point is the OS involved.
Many ATMs are also vulnerable to remote attack - they are typically on dial-up for remote maintenance: guess
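The comment above describes ATMs that accept unsigned firmware from a USB stick guarded only by a cabinet key shared across many machines. As an added example (not from the thread or from any ATM vendor), here is a Go verifier for a constructed update format that refuses any package lacking a valid Ed25519 signature from the vendor's key and any rollback to an older version; the Update layout and the Sign and Verify functions are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed (hypothetical) firmware package layout, not any vendor's real format.
type Update struct {
	Version uint32 // must increase on every release; used for anti-rollback
	Image   []byte // firmware blob to be written to the device
	Sig     []byte // Ed25519 signature over signingBytes(Version, Image)
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature missing or invalid")
	ErrRollback     = errors.New("firmware rejected: version not newer than installed")
)

// signingBytes binds the version to the image digest so neither can be
// swapped independently: version (4 bytes, big-endian) || SHA-256(Image).
func signingBytes(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// Sign runs on the vendor's offline signing host. The private key never
// ships with the ATM, so possession of the shared cabinet key or access to
// a USB port gives an attacker no way to produce an acceptable package.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version: version,
		Image:   image,
		Sig:     ed25519.Sign(priv, signingBytes(version, image)),
	}
}

// Verify is the check the device runs before touching flash. pub is the
// vendor public key baked into the boot image; installed is the running version.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	// ed25519.Verify returns false for a missing or wrong-length signature, so
	// an unsigned package fails here rather than slipping past a nil check.
	if !ed25519.Verify(pub, signingBytes(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	// Anti-rollback: a correctly signed but older image (with a known bug) is
	// still refused. Checked after the signature so the version field is trusted.
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader: uses crypto/rand
	if err != nil {
		panic(err)
	}
	img := []byte("constructed firmware image, version 2")
	good := Sign(priv, 2, img)
	fmt.Println("signed v2 over v1:", Verify(pub, 1, good))   // <nil>
	unsigned := Update{Version: 3, Image: img}
	fmt.Println("unsigned v3:", Verify(pub, 1, unsigned))     // signature error
	fmt.Println("replayed v2 over v2:", Verify(pub, 2, good)) // rollback error
}
```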
Re: (Score:2)
Why is this modded down?
I'm running XP at the house and still get security updates because, via registry hack [pcworld.com], the computers think they are ATMs or POS.
The hack, as reported by ZDNet, fools Microsoft into thinking the system is running Windows Embedded POSReady 2009, a variant of XP that's used by ATMs and cash registers. Those systems will keep getting security updates until 2019.
Lots of ATMs still run XP [cnn.com].
95% of bank ATMs face end of security support (2014).
Chase Bank has ADT/Tyco keypads inside them (Score:2)
Chase Bank has ADT/Tyco keypads inside them, so you need to disarm that when you open them.
Re: (Score:2, Informative)
Chase Bank has ADT/Tyco keypads inside them, so you need to disarm that when you open them.
The sketchy looking ATMs in stores are the primary target. The criminals can get their hands on them and fuzz them all day to develop the attack.
Re: (Score:2)
Bunch of pussies. In the UK, they dig the damn thing out with a backhoe http://www.bbc.co.uk/news/av/u... [bbc.co.uk]
LOL.. Here in the US they just chain them to the back of a stolen 4W Drive SUV or large pickup truck and yank them out through the front of the store. So the backhoe thing seems a bit slow to me. Who needs a backhoe and 10 min when you have a 5,000 LB SUV and a logging chain?
Re: What are criminals in the US coming to? (Score:2)
Using a backhoe is old school now. Real criminals just insert a tube, squirt some gas inside and then literally blow the ATM up. Gets you instant access to the cash, and it happens too fast for the dye to make the bank note unusable.
slot machines make it hard to open without settin (Score:5, Funny)
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
Re: (Score:2)
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
They don't. I suspect that a lot of these attacks are inside jobs
Re:slot machines make it hard to open without set (Score:4, Interesting)
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.
Re: (Score:3)
Re: (Score:1)
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.
porously designed
Re: (Score:1)
Diebold. Not NCR. NCR hasn't been targeted by recent hacks.
I'm sure you wouldn't want someone to confuse your name with someone else's who got endoscoped and dumped his bowels without removing his pants.
Voting machines (Score:2)
Is that the same Diebold that makes the voting machines?
Ah! But the voting machines are designed to be hackable.
Re: (Score:3)
Slot machines make it hard to open without setting off an alert, so why do ATMs have less of that stuff?
The security in an ATM is mostly focused on protecting the cash box from physical attack, and from the maintenance tech. ATMs thus have two layers of security: something simple to allow maintenance of the "computer parts" of the ATM to be done cheaply, plus a much more robust inner layer to protect the cash from anyone but the guards from the armored car company. It's just old-school thinking about security.
It's also worth noting that there are still people who can open a slot machine, replace the ROM chi
Re: (Score:2)
Re: (Score:3)
People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around. If Rust is so much better, start fundraising for a startup! I'm sure you'll be rich in no time.
Re: (Score:3)
People were saying the same thing about Ada 20 years ago -- Don't see a ton of Ada software around.
Maybe if there was, we wouldn't have so many exploits. :p
Re: (Score:2)
Ada sucked balls. It required 2 to 3 times the lines of code to match C. It was very inefficient.
Ada was "C for a life-safety domain". It really wasn't any more code than you'd need to do C right for that domain, and it regularized a bunch of stuff to make it easier to review. E.g., when you declared an int you'd declare the legal range of values for that int. Assuming the int was an array index, this neatly solved all the bounds-checking problems in a way that made it obvious what to review. Everything in the language is like that. Sure, it's a real pain in the ass, but that was going to be true
Deja Vu! (Score:3, Informative)
Pro tip from Europe...
Culprits are Romanians. They are born with a propensity for card crime. They are filthy animals.
That's super weird, bro, because I recently got a similar warning from home.
Pro tip from Vulcan...
Culprits are Humans. They are born with a propensity for crime, violence and other illogical behavior. They are filthy animals.
Re:Pro tip from Europe... (Score:4, Insightful)
1) You meant to say 'Romani', a distinct ethnic group that isn't actually bound to the nation of Romania.
2) Still racist. Yep, there's higher crime rates with the Romani, probably because they're not particularly interested as a cultural group in integrating into their larger community. Which may be due to racists like you, who discriminate against them and remove the opportunity from many of those who would integrate if they could. Chicken and egg.
3) People who describe other people as 'filthy animals' are rarely the best of humanity. You're dehumanizing others as a justification for treating them like shit. Aren't you a wonderful person?
Re: (Score:2)
Don't think he did [google.com].
Re: (Score:2)
Interesting. Though it's difficult to weigh the relative prejudice of calling one group vs. another 'filthy animals', there's at least more diversity among Romanians overall making it even more ill-informed to choose them. And there's less pre-existing prejudice against them making it more difficult to understand (not forgive) as a product of upbringing.
Re: (Score:2)
Why is it ill-informed? Not all Romanians are card-skimmers and not all card-skimmers are Romanian, but they're still vastly overrepresented in this form of crime relative to their percentage in the population.
Re: (Score:2)
Culprits are Romanians.... they are filthy animals.
Found the Bulgarian.
Re: (Score:2)
Aren't they the lettuce people?
But why?? (Score:4, Funny)
So, if I have physical access to the machine, I can install software that lets me loot the machine.
Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software install.
I'm failing to see this as a serious new threat to ATMs....
Re:But why?? (Score:4, Informative)
What makes you think you can take money out of the machine without the software install?
Cracking safes, quickly and quietly with no one noticing is really hard. Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.
Re: (Score:3)
And so is designing a machine without an externally accessible usb port.
Just ask Apple.
Re: (Score:2)
What idiot would build a cash machine with a USB port on the OUTSIDE?????
Re: (Score:1)
Okay, you have physical access to the machine, and you use that to take all the money out. And then the next person who tries to use the ATM notices that there's no cash in the ATM and calls the bank. (Or the ATM does that by itself.)
Or you install the software that allows you to take cash out as often as you want until the bank realizes what's happening and cycles that particular ATM out or unplugs it/puts an "Out of Order" sign on it.
The first method, you get cash once, and it's probably far more obvious
Re:But why?? (Score:4, Insightful)
I imagine you need an 'inside man' - maybe the person who reloads the cash dispenser and unloads the collection bin, but maybe not if the computer hardware is secured in a separate lock box. Anyway, you need somebody with physical access to compromise the machine.
THEN you go and use the ATM to get cash... but remember you're on camera, and your transactions are logged, right? So what you probably want is the ability to have the machine spit out extra money when you enter a particular code (which hopefully you can do with a camera watching the suspicious activity) during an otherwise perfectly legitimate transaction.
And you want to time it so you do it immediately after the machine has been reloaded, so you have the maximum possible time before the machine runs out of cash before it should and an investigation starts. And then you want to never hit that ATM again, or your risk of getting caught skyrockets.
So you need two conspirators and you get one payout that needs to be limited so you don't get caught. You're going to clear a few hundred with a single attempt or maybe have it 'accidentally' slip you an extra bill over many visits. Certainly you're not going to make enough to justify the risks - the inside man is risking their presumably steady legitimate employment in addition to jail.
So who is doing this and why?
Re: (Score:2)
There is a whole lot of "it depends" here. The malware could be installed and lie in wait for weeks or months. Long enough that it is no longer clear which ATM tech installed the malware. A little Googling suggests that most ATMs are capable of holding up to $200k, but with the average amount stocked in the machine being around $35k. Enough for a decent payday, even with multiple conspirators. The article suggests this hasn't been done in the US until very recently, and they are targeting specific mode
Re: (Score:2)
>the average amount stocked in the machine being around $35k. Enough for a decent payday, even with multiple conspirators.
$17.5K/ea less any expenses for a two-man crew. That would NOT be worth it to me to even daydream about... in Canada the sentence for a conviction of Theft over $5000 is a max of 10 years... $1,750 per year (not indexed to inflation!) that you may not get to keep, though I suppose you do get free room and board.
Re: (Score:2)
Good point, but your average criminal does not always weigh the consequences of getting caught, and often think they have the system beat. The evening news is filled with examples of stupid criminals robbing convenience stores for the $500 in the register. The cases of jackpotting that I have heard about are usually coordinated enterprises, with folks recruiting (blackmailing?) the inside man, and multiple people hitting the machines for small amounts over a short period of time. Like a lot of criminal g
Re: (Score:2)
$17.5K/ea less any expenses for a two-man crew. That would NOT be worth it to me to even daydream about... in Canada the sentence for a conviction of Theft over $5000 is a max of 10 years... $1,750 per year (not indexed to inflation!) that you may not get to keep, though I suppose you do get free room and board.
People who turn to a "life of crime", even highly intelligent ones, don't think like "most people", and seldom think that they might get caught. A single $15,000 payout might be very enticing, even if it actually takes a whole lot of work to get it.
http://articles.latimes.com/20... [latimes.com]
Why Drug Dealers Live With Their Moms
If you had a job paying $3.30 an hour, you'd be bunking at home too.
April 24, 2005|Steven D. Levitt and Stephen J. Dubner |
During the crack cocaine boom of the 1990s, the image of the millionai
Re: (Score:2)
So who is doing this and why?
Mexican gangs, from how I understand the article. They figure out a way to attack an ATM machine type, then train some low-level goons to perform the attack, then send them across the country looking for ATM machines of that type.
Re: (Score:1)
Because the cash is inside yet another safe within the main ATM. It is far easier to trick the machine into handing out the cash than to attempt to break into the inner safe that actually contains the cash. Plus, it doesn't sound like they are opening the ATM itself, just using an endoscope to find and attach a USB cable through a small crack or opening. Actually opening an ATM is very difficult without the combination (both layers). For an example, check out https://www.youtube.com/watch?v=08EXOjZgxf0 wh
Re: (Score:2)
The standard argument seems to be it's a safe on the inside, you can't crack it easily or without setting off alarms.
To which I reply, why not steal the entire ATM? This limits you to a subset of all ATMs -- mainly freestanding models, but I can see potential ruses for thieves who make like they're doing an intentional swap of a machine, slightly broadening the potential number of machines and reducing the need for brute force thefts of the machines.
With the entire ATM at your disposal, you have much more
Re: (Score:2)
To which I reply, why not steal the entire ATM? This limits you to a subset of all ATMs -- mainly freestanding models,
People have literally broken into banks just so that they could punch holes in the wall so they could run a chain through the holes... and around the ATM. That lets them pull the ATM out of the wall with a truck, at which point it can be loaded onto the truck with a crane or a liftgate (or just four big guys.)
Re: (Score:2)
Just having access to the ATM might not be enough to get money out of it. ...
In Germany, the ATM often is on the ground floor while the money is in the basement. Without credentials or exploiting a software bug, most maintenance guys have no access to the money.
So, like in this scenario, they try to get malware installed on the machine.
Re: (Score:2)
So, if I have physical access to the machine, I can install software that lets me loot the machine.
Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software install https://www.youtube.com/watch?...
Ahh, First World countries... (Score:2)
...at least in Europe and in the US thieves are sophisticated enough to hack the ATMs. In my country, they explode them [nydailynews.com]. It's a security nightmare in smaller towns with insufficient police forces.
Re: (Score:1)
...at least in Europe and in the US thieves are sophisticated enough to hack the ATMs. In my country, they explode them [nydailynews.com]. It's a security nightmare in smaller towns with insufficient police forces.
You should never link to NY Daily News. They're lying bastards. They aren't even good liars, either. They try to blame my ad-blocker for preventing the loading of their articles when I see the whole article load and then get covered up by this page suggesting that there is some software bug in the ad-blocker.
Re: (Score:2)
That isn't them; it's liveleaks.com that something on the page refers to.
Re: (Score:2)
My geek autism was triggered reading that article, which claims "TNT" is being put in the ATMs when in fact it is dynamite that they're using. Dynamite is a trinitroglycerol gel.
Re: (Score:2)
You should never link to NY Daily News. They're lying bastards. They aren't even good liars, either. They try to blame my ad-blocker for preventing the loading of their articles when I see the whole article load and then get covered up by this page suggesting that there is some software bug in the ad-blocker.
Sorry about that. It was the first article in English that I've found (most Slashdot users don't speak Portuguese, I suppose) about a well-known problem in Brazil.
Re: (Score:2)
Time for an "ATM within an ATM" (Score:1)
Hmm, maybe instead of reloading ATMs with cash, just have a "module" that is the real ATM that is drop-in-replaced into the "outside box" as needed.
The "outside box" would just handle the user interface and provide additional physical security.
The "module" would be very tamper-resistant. It would be taken to a controlled location to be reloaded. It would also have a time lock on it so it could not be accessed before it unlocked without causing obvious physical damage.
This wouldn't stop ATM thefts but it w
I wonder (Score:2)
easy money (Score:2)
with my atari profilo!