A startling percentage of the world's automated teller machines are vulnerable to physical and remote attacks that can steal administrative passwords and personal identification numbers to say nothing of huge amounts of cash, a security researcher said Wednesday. At the Black Hat security conference in Las Vegas, Barnaby Jack, …
New laws required
I knwo that hackers are just trying to show vulnerabilities but this is out of hand. If I had a cheap lock on my door and a burglar broke in they would be guilty of break and enter, if I have weak security and a hacker breaks in they should be prosecuted immediately. The fact that these laws are not in place or were slow to be put in place means that hackers are very sophisticated and that they think they are above the law and providing a service.
Just my two cents worth....
WTF are you talking about?
The bad guys already know about this stuff, probably, and the ATM-vendors have basically taken a year to get the most fixes in place.
In the meantime, you (the customer) have been fronting all the losses, together with the losses incurred by ATM-card skimmers etc.
If there were no talks like the one mentioned in the article, vendors could still deny the existence of the problem!
Like the law would stop them
It's not breaking the lock that is the crime (well...it's not robbery, that's criminal damage), it's not entering your property that's the crime (not everywhere has laws on trespass), it taking your stuff (or causing fear etc) that's the crime! You can have as many laws as you like, but people will still do it. They have chosen to ignore (break) the law.
Why not leave your door open and just have a sign out front that says "Dinnae take my stuff, it's illegal!", see how far that gets you.
It is beholden on these companies (they have a duty of care to their customers, and those customers [banks] have a duty of care to me) to ensure their stuff is as secure as is reasonable practical. Seems like they have been sitting on their laurels.
The usual response in cases like this is to attack the person demonstrating the flaw rather than fixing the bloody flaw. This would akin to you suing the person who point out that you have no locks and only a flimsy sign to guard your valuables...
Re: New laws required
If someone breaks into your house, they will be prosecuted already. There are laws covering that sort of thing all over the world. What you're advocating is a new set of laws to protect companies whose shoddy designs aren't fit for purpose, and people who knowingly use defective security systems (hello, DOD) and expect compensation for their own stupidity.
If you use a known-insecure system to protect your property, your insurers will laugh at any claims you might try to make (but I had a sign saying 'no burglars'! they shouldn't have tried to get in!) and quite justifiably so.
ATM manufacturers are clearly avoiding security best practises... or even security *minimum* practises and have done so for such a long period of time that this sort of publicity is the only way that is ever going to shake them out of their complacency.
Hold your horses, dude.
Better that the stuff is presented at Black Hat and fixed than used quietly round the world by real black hats, don't you think? It's a fine deal, really. Companies usually /pay/ for penetration testing, and these lucky folks got something useful without even asking. Would you call the police if a harmless, well-meaning person knocked on your door and politely informed you that the lock you use to keep your motorcycle chained to a post is flimsy and easily defeated with a tack hammer?
The guys who /tell/ you that kind of thing are not the ones you should worry about!
Do you think that your silly knee-jerk ideas about outlawing what these researchers did would do a damned thing to stop the people who would do such things to exploit them for profit? Are you just blissfully unaware of the multibillion-dollar underground trade of stolen bank credentials and such? If a real cybercriminal were reading your post, I wonder if he'd laugh or just smirk in quiet amusement at your misdirected, impotent wrath (while he pilfered your bank credentials via some security flaw whose very investigation you would like to be illegal.)
Already a law for this
In the US the DMCA pretty much does this.
The title is required, and must contain letters and/or digits.
"I knwo that hackers are just trying to show vulnerabilities but this is out of hand. If I had a cheap lock on my door and a burglar broke in they would be guilty of break and enter, if I have weak security and a hacker breaks in they should be prosecuted immediately."
But if someone buys the same door that you have on your house, then takes the door he bought and shows that the lock will fall open if you jiggle the handle, he has done nothing wrong.
In fact, not only has he not broken into your house, if you're paying attention he may even have shown you that perhaps you need to buy a new lock.
The person who gave this lecture bought, with his own money, the two ATMs that he discovered the security flaws in. He did not hack someone else's ATM; it's the equivalent of him buying a door and then showing that the lock on the door is crap.
"If I had a cheap lock on my door and a burglar broke in they would be guilty of break and enter"
Look at your insurance policy. You get a cheaper one if you tell your insurance people your door is locked with a five leaver lock, you have a burglar alarm, etc. Tell them you have a sign reminding the burglar its illegal and you leave your door ajar won't get you anything from the insurers.
Fine, the burglar will get prosecuted if caught, but he might not get caught. He might get caught and have already sold you TV for a bit of blow. You'll never get the money back.
If you can make a cash machine spew money from your neighbours wifi and have your mate walk past with a sack at the time, chances of getting caught and prosecuted are very low.
1990 says Hi
Signed executables - hasn't that been a pretty basic pretty basic security measure for the last decade?
“jackpotting” - Theres an App for that ....
ATM passwords are rudimentary at best.
It's ridiculous that ATM machines are still using 4 number password after all these years.
There's a reason for that
If they required longer PINs, people on average would be more likely to either write them down, or choose something easily guessable e.g. their phone number or date of birth.
Well - not it isn't, not really. You may think that having a 12 digit PIN code would be 100000000 times more secure as there would be 100000000 times as many possible combinations - but the fact is that the machine will still eat your card after 3 or 5 incorrect attempts.
No-one is going to be able to test all 10000 possible combinations of your 4 digit PIN number to break into your account if they get your card.
Security costs money
Call me a cynic but until it starts costing banks MORE money in lawsuits, recovering stolen money and loss of customer confidence they won't significantly increase their effort in securing the ATM's.
At the end of the day all they care about is the money in their vaults, the rest is semantics and marketing BS.
I'm sure that any big ATM manufacturer could increase the security of their machines dramatically, but how do you convince a bank to spend millions on replacing their infrastructure on strength of a few isolated incidents?
Look at HSBC - their online banking system is positively 19th century and it's not as if they lack the funds to invest in development.
I think it all boils down to human nature, as they say in Russia - 'Пока гром не грянет, мужик не перекрестится' which can be loosely translated as 'until the thunder strikes a peasant won't cross'
You're absolutely right that it's all about the money.
An $X loss is justifiable if it costs >$X to repair. But over time it generally makes sense to fix the leak. Considering that the banks haven't eliminating the biggest flaw in banking for several decades now, static CC numbers, it's readily apparent they don't think security is a priority.
"Considering that the banks haven't eliminating the biggest flaw in banking for several decades now, static CC numbers, it's readily apparent they don't think security is a priority."
With credit cards, the situation is actually a bit different. The banks actually PROFIT from credit card fraud.
Let's say that your credit card is stolen and used. You'll get your money back; the banks will not hold you responsible for fraudulent charges.
What a lot of folks don't know is that they don't cover those losses themselves. They will charge back the merchants who the criminals bought goods from. And then, to add insult to injury, they will charge those merchants a "chargeback fee," which varies from $35 to $90 for each fraudulent charge.
So the merchants lose twice: they lose the goods that the criminals bought on the stolen credit cards, then they get hit with chargeback fees as well.
I recall reading a report a couple years back that suggested that for maximum possible profitability, the best-case scenario for banks is if every one of their customers has their credit cards stolen and maxed out about once every twelve months or so.
It's important to realise that these ATMs are not the sort that you see in a bank, certainly in the UK /EU, rather they are the ones run by private companies and stuck into pubs or corner shops.
The ATMs run by banks never use internet or dialup and are always on dedicated leased lines. Furthermore their physical security is significantly higher.
Re: Banks never use...
You mean like that well-lighted booth outside the local supermarket that has "Bank of America" blaring from the light box on top and nothing but a pair of wall banks inside?
Like I said UK/EU, not America... But we have some bank ATMs outside in train stations, supermarkets, etc, they are all 'proper' ATMs, big and built into a wall or shipping type container with high levels of physical and network security (leased lines etc). Very occasionally you see free standing machines, but again they are obviously of much higher security and a more quality machine. They certainly aren't the sort of ATM discussed here, where dialup or Internet connections are used back to a company. These machines do exist in UK/EU, but they are generally operated by a non-bank company and charge you an arm and a leg to get at your cash. They are typically installed where an exclusive contact can be sought by the owners (and no cash-back is allowed on the premises), such as music festivals, motorway service stations, night clubs etc. etc.
Another fail for security by obscurity
As evidenced by this report, obscurity is not security.
Open code review = more good guys looking at the code = fewer trivial vulnerabilities.
If the code cannot be made public, at the very least use proven cryptography. While we're at it, quit outsourcing all the jobs and hence all the expertise which is needed to develop robust products in the first place.
Some cash machines DO run on Windows (I think)
speaks of "Windows Extensions for Financial Services".
Yes, i've seen an ATM local to me that displayed a Windows 2000 screen when it fell over
Worse than Windows
A number of years ago I saw one displaying what looked like a DOS batch error message.
A couple of years ago I crashed an ATM. I watched it reboot DOS . it kept my card.
It gets worse
Guy I know said he saw one running Windows 3.1.
I strongly suspect the "DOS" ATM was actually OS/2 and that the Win 3.1 was WinNT 3.51, if anything.
win 2k atms - me too
What's the big deal - they are pretty closed systems with restricted modes of access. I bet more money gets taken by the brute force method of driving a bulldozer into them and towing them away. Even running on linux wouldn't help there
Has autoerotic premature jackpotulation syndrome.
He attacked NO NAME and STAND ALONE cash machines (which I would NEVER use) ... then said EVERY MACHINE HE LOOKED AT was WEAK ...
Wonder how many BANK style ATM's he looked at ?
Sorry laddie, you're likely to lose on that one.
See, my IT work use to take me inside banks and I've seen the insides of the boxes they put those systems in. NT 4.0 at the time as it was "the only security certified networked os" at the time. All the standalone systems I've seen are just as secure, possibly more so since more people are likely to be in the area around the standalone machine.
Correct me if I'm wrong
But wasn't NT 4 only certified as secure when not connected to a network?
Or was that NT 3.5?
I always thought that was a bit of a disadvantage for a network OS.
You are correct. The machines demonstrated here are not your high street banks machines, but the standalone type that charge you £1.80 per withdrawal at motorway service stations, corner shops and casinos etc.
The ATMs in your high street communicate over dedicated network.
There's ATMs and there's ATMs
A lot of UK bank ATMs (i.e. NCR ones) run OS/2, which is both very stable and (in so much as it isn't a fallacy) secure by obscurity. US Diebold ones are pretty solid too, and altogether different to the nasty built-down-to-a-price MDF monsters that live in dark corners of garages and convenience stores.
IMHO the main vulnerabilities of proper bank ATMs are inside jobs and JCB attacks.
I didn't NCR ATMs running on OS/2 are not supported anymore by NCR, and haven't been supported since 2000 (they wouldn't guarantee that they were year 2K compliant). I very much doubt whether any NCR ATMs in the UK are running OS/2 anymore.
The NCR Aptra machines are all windows based - Either running Win2K, Windows XP.
@ Randall Shimizu
Four-digit PINs are not universal rule. Mine is 12 digits long right now, at Royal Bank of Canada.
Bank staff did warn me, though, that if I travel, I'd have to change my PIN to a short one because many ATMs outside Canada simply won't accept a 12-digit PIN. I'll cross that bridge when I come to it.
I know of one ATM manufacturer who employ IT Security professionals to test the security of their cash machines - but they make the big chunky bank ones.
I've also noticed that some standalone ATMs are operated by Alliance & Leicester / The Post Office.
AC due to NDAs with said ATM manufacturer.
Heh, appropiate story
As this morning I tried to withdraw some money and was told that both £10 and £20 weren't multiples of £200. I only wanted a tenner so I didn't continue to try.
A little disconcerting for a bank, really. (And yes, it was a 'real' cashpoint in a 'real' bank)
Did you tell them?
Did you/will you tell them that there is a bug in their software?
Surely it's the banks' decision
The altruistic concern of the hackers for the banks' wellbeing is very laudable I'm sure, but surely it's up to the banks themselves what level of security they are comfortable with for their ATMs (or credit card systems)? They're the ones who take the loss.
It's a bit different if other people's property is under threat (eg. personal data) but in the case of pureless financial loss like this unless the hacker had the bank's permission to test the system it's quite unjustified to break into their systems just to prove a point or boost his ego. As an earlier poster noted, it's exactly analogous to breaking and entering into someone's home or office to illustrate how weak their security is.
(And banks do of course take security very seriously. There are all kinds of threats that they continuously watch out for and protect against, some more obvious than others.)
RE: Surely it's the banks' decision
> ... but surely it's up to the banks themselves what level of security they are comfortable with for their ATMs (or credit card systems)? They're the ones who take the loss
Well yes and no. If the banks alone took the loss then you'd be right. But, when there's a problem and the bank disagrees with the customer then they usually expect the customer top **prove** the bank is wrong against authoritative statements that the bank systems are **fully secure**. So if someone manages to hack an ATM so it gives them a load of cash but the machine says it came from your account - the bank will assume that you withdrew it or you gave someone the card and pin. How are you going to **prove** that their so called secure device isn't as secure as they claim ? Until you do, you won't get the missing money credited back to your account.
The burden of proof is actually with the bank, the law was clarified late last year (or maybe early this year) to make this crystal clear.
but what about...
the picture for this article on the home page denotes a slot machine with a pretty nice payout, but it is NOT a jackpot. I am quite familiar with that model and several variations thereof.
Anon because being a dick draws fire...
ATM vs JCB
Bet they haven't patched against the Irish hack
Good article that responds to this hype
According to Andrew Plato, the annual Black Hat convention advocates vulnerability research hype that hurts the enterprise risk management process.
- World's OLDEST human DNA found in leg bone – but that's not the only boning going on...
- Facebook offshores HUGE WAD OF CASH to Caymans - via Ireland
- Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt
- Three offers free US roaming, confirms stealth 4G rollout
- Justin Bieber BEGGED for a $200k RIM JOB – and got REJECTED