If you, like me, were wondering what the Secret Service (widely recognized for their duties as presidential bodyguards) has to do with ATM fraud, there's a comment below the article from the author:
> I didn't mention it in the story, but perhaps I should have: The original mission of the Secret Service when it was created in the 1800s was to safeguard the U.S. currency from counterfeiters. Only after a few presidents were assassinated did their mission grow to include protection of the president and other dignitaries. Both are their dual roles today.
If you ever open up an ATM you'll realise that the majority of things are controlled by serial interfaces (up to 6 of them) for all the motors and pneumatic hardware. If the operating system becomes hardened enough, you'll eventually have people interface with the serial ports directly to manipulate the cash-drawers directly.
I'm not sure why this hasn't really been done in practice but it shouldn't be too difficult to figure out how to do correctly.
In most ATMs the computer hardware and interface connectors are also all housed in the top (mostly plastic or low-quality cast metal) shrouds (as opposed to the currency locked in a safe). Traditionally wafer locks were also used to secure this section; however, they are slowly migrating to higher security locks like Abloys.
ATM manufacturers may want to take a look at slot machine manufacturers for clues on how to harden machines against tampering.
The details:
The attackers typically use an endoscope so they can attach a cord to the computer and install malware. This makes ATM remotely controllable!
In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash.
Jackpotting it is.
Embedded software is easy to hack. Spend quite a bit of money getting access to the binary running a common ATM platform. Reverse engineer it. Find a vulnerability. Trigger it. Done!
The age of (common) embedded system exploitation is finally upon us.
Wow, I always thought the ATM scene from Terminator 2 seemed unrealistic, but now people are literally doing that:
>"The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack."
I had no idea ATMs ran Windows!
The Reuters article is very low on detail. https://krebsonsecurity.com is much more informative.
first? the late Barnaby Jack did it in 2010 :)
According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM, either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.
ATMs need to be more physically secure, like bank safes, if they are to be resistant to such attacks. The software part is mostly immaterial here, IMHO --- it doesn't matter what the software is, if you can get access to the physical money.
Several years ago, I had an ATM crash and reboot after pressing one of the screen side buttons when the machine was waiting for PIN entry via the numeric pad. It rebooted, and I could see that it was running MS-DOS, not even Windows. Luckily, after the reboot completed and the ATM frontend program started, it spit out my card again.
With one of the offices of my bank being nearby (to be able to block my card if I couldn't get it back), I tried it two more times, just to check that it wasn't a random occurrence.
While it was probably nothing that could further be escalated into gaining access without additional hardware, it gave me a chuckle (and a bit of fear for my card, initially).
One of the first unethical "hacker" things I did was to attempt to change the bill output to a larger bill. I got so incredibly nervous when I went into the debug screen that I power walked out of the corner store when the clerk noticed I had been at the machine for several minutes and had not inserted a card.
You find a lot of these ATMs that are even more insecure than the larger WinXP machines. Those little kiosks are perfect for skimmers, manipulation, or just fucking around with.
I just read through the comments and was VERY surprised to see no one call this out:
> At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.
Realize what this means. The ATMs are connected directly to the internet, with a VPN (hopefully...) sitting over the top of that. The ATM can still call out to the internet directly!!
That is, honestly, shockingly insecure. I'm stunned.
I read https://news.ycombinator.com/item?id=16250498 and how ATMs have different options for security, but "allow anything except the VPN software access to the NIC default route" doesn't sound like something _anything_ should be able to disable.
I mean... I know nothing about networking, and I was able to configure this exact behavior on FreeBSD - which I'd never used before - in a day. I set it up so a torrent program was physically incapable of doing DNS/anything outside of the VPN tunnel interface.
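The commenter above describes pinning a process to the VPN tunnel on FreeBSD. As an added example (not code from any commenter or from the linked article), here is a pf ruleset that implements that design: the physical NIC may only carry the VPN channel itself, so any process that ignores the tunnel, including DNS lookups, is dropped and logged. The interface names `em0` and `tun0`, the VPN endpoint `198.51.100.10` and port `1194` are assumptions chosen for illustration, not values from the thread.

```pf
# Added example (not from the thread): FreeBSD pf ruleset that forces all
# egress through a VPN tunnel. Interface names, VPN endpoint and port are
# assumed values for illustration only.
ext_if     = "em0"             # physical NIC (assumed name)
vpn_if     = "tun0"            # VPN tunnel interface (assumed name)
vpn_server = "198.51.100.10"   # VPN endpoint (documentation address, placeholder)
vpn_port   = "1194"            # VPN port, UDP (assumed)

set skip on lo0
set block-policy drop

# Weak setting, shown commented out: unrestricted egress on the physical NIC.
# With this rule active any process can bypass the tunnel and reach the
# internet directly, which is the situation the comment above objects to.
# pass out on $ext_if all keep state

# Default deny in both directions, logged to pflog0 so that every attempt
# to talk past the tunnel is visible to the operator.
block log all

# If the NIC gets its address via DHCP, allow the client exchange.
pass out quick on $ext_if proto udp from port 68 to port 67 keep state

# Physical NIC: the only permitted outbound flow is the VPN channel itself.
# Replies are admitted by the state entry; nothing else may leave on em0.
pass out quick on $ext_if proto udp from ($ext_if) to $vpn_server port $vpn_port keep state

# Tunnel interface: ordinary egress for applications, return traffic via state.
pass out quick on $vpn_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while the tunnel is down: a process that tries to reach the internet on `em0` shows up there as a blocked packet rather than succeeding, which is exactly the behaviour an ATM operator would want from the box described in the quoted alert.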
I assume this will end with there being fewer ATMs. That they will become more expensive to run due to the costs of hardened physical devices and insurance. If they become too rare it could result in a reduction of cash usage, maybe significantly.
I guess Diebold makes their ATMs just like their voting machines. https://www.unhackthevote.com/
I am guessing they pulled an unencrypted hard drive from the ATM, analyzed it and the commands. Found the one that spits out cash.
They pop in one with modified code and reboot it to read the new drive.
Only similar ATM I can guess in Canada would already be suspect, in convenience stores, clubs, weed shops, strip clubs lol... The non-bank name brand.
Had one bluescreened after taking money from account but before outputting money.
Was running Windows.
Didn't give any money, but kept the money from the account.
Had to call my bank.
> To carry out a jackpotting attack, thieves first must gain physical access to the cash machine.
Ok, like breaking the machine open, but that's cheating, and hasn't got a lot to do with software security.
Overheard some small talk about something similar in Croatia a couple of days ago. I thought the guy was drunk and BS-ing the waitress. Now I hope I bump into him again ;)
It seems the ATM has not evolved very much over the past 20 years. Any ideas why?
> The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.
I would argue that Windows isn't at all the right OS for this.
> The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.
I think this applies, mutatis mutandis: https://xkcd.com/463/
fiat wallets hacked. this is good for bitcoin.
If people didn't need cash this problem would go away. I think of this occasionally when I visit our local bagel shop, which like many bagel shops in the area does not take cards and has an ATM onsite.
I worked for Diebold on their ATMs for a while.
I was surprised to learn that they run full Windows. In fact, one of the projects I was on had a requirement that we upgrade the OS from XP to Windows 7 for security reasons.
Regardless though, you can make an ATM do whatever you want if you have enough time and access to it. One of our low level debugging tools allowed you to effectively control every aspect of the device, so it could spit out whatever denominations you liked without talking to the bank's mainframe.
We used to have fun printing out ATM receipts showing our fake balances of millions of dollars etc.