Lax security at Mexican banks has allowed cybercriminals to put their own malware-ridden CDs into ATM machines in order to gain control of the easily-compromised cash machines. The Ploutus malware was installed after "criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it". The ruse was possible …
With any luck, this might convince the banks (and ATM owners) to take security a bit more seriously, since this is hard to blame on a user with a claim of "sharing their pin/password".
With any luck?
You're joking, right? This is Mexico we're talking about, man!
You have to laugh.
Yes, someone should have listened to the security officer - but, as a German colleague of mine often liked to say, "I bet they saved a lot of money." :)
Re: You have to laugh.
One, too cheap of a lock.
Two, incorrectly configured BIOS and connected/enabled CDROM.
I'd offer to help them out, but they couldn't afford me, as their entire savings would be expended in my compensation package.
I wonder if these ATMs were configured to only boot from HDD and had a BIOS password set up? If they did, then they can start looking for service engineers with extra CDs in their bags - I'd probably start there anyway...
There are better defences against this kind of attack (white listing type software) and they're already available from the ATM manufacturers. Maybe more banks will start using them but I doubt it.
At least what they steal this way comes directly from the banks and not from a customer's account.
Re: BIOS Password
I thought this was the exact kind of thing that TPM and Secure Boot and signed software was designed to block.
The tools are there, to remove CDROMs, and to stop them being used to boot ATMs into anything other than the official ATM software - the fact that they are not used has everything to do with crappy IT and nothing to do with the inability to actually secure such devices quite easily.
Re: BIOS Password
"At least what they steal this way comes directly from the banks and not from a customer's account."
I'd imagine the criminals could easily record many card and PIN details on a Friday night and duplicate the cards for use later to drain a customer's account.
Re: BIOS Password
But then how do you update the machines when security patches are mandated? That's probably why the CD drives are there: to facilitate updating. That being said, the drives should not be bootable. The ATM software should be the one in charge of the updates and should insist on signed code from the CD-ROM before updating.
Based on what I'm hearing, I don't know if these are official offsite bank ATMs being hacked. I suspect these are more second-tier ATMs like those I see in a mom-and-pop store.
I thought the sensible plan would be to remove the hard disk and set the BIOS to boot only from a CD-ROM. That way, turning the machine off and on again wipes out any remotely installed malware. If someone has the ability to change the CD, then they also have the ability to swap in a new CDROM, or a new hard disk. BIOS restrictions on the type of boot device are not a significant barrier to anyone with physical access.
No, because booting from a CD-ROM would break a chain of trust, as there's no way to verify the CD-ROM is official from the BIOS. The hard drive can initially be set in the factory and sealed in the box (note the crooks have access to the FACE of the CD-ROM, NOT the internals of the machine; drive housings can be bolted down with one-way screws so they can't be removed) so that any further updates have to be signed before they're accepted.
If it's anything like the Wincor Nixdorf machines we used to work on - once you have access to the top half of the machine, you have access to all the hardware.
The ATM controller is simply a little Windows embedded PC, usually a Beetle, which you can swap components out in relatively easily (dead PSUs were not uncommon). Occasionally we'd yank the whole PC and drop in a replacement. You can do anything via diagnostics once it is opened - change the value of cash bins, spit out notes, send test comms up the chain etc. It is all logged though, which uploads remotely, and you can't clear the logs easily.
However this is a complete fail from an operational point of view - the controller section is totally separate to the cash drawer below, requiring a different pair of keys to open - one we held and one the security guards who load the machine hold. Also, every time we did any work on the box, we had to have a security guard present - precisely because of the potential for cash to be dispensed.
(Or most often, we'd have to pull out the cash bins to extract the remains of several hundred dollars in bills chewed up in the mechanisms - that goes in a sealed bag back to the bank.)
If anything I think the above poster is correct - we're probably talking about the dodgy little third party machines that charge for transactions - they are built to a significantly lower standard than the top line bank models.
Re: BIOS Password
"I thought this was the exact kind of thing that TPM and Secure Boot and signed software was designed to block"
I would have thought the majority of these devices would be really old anyway, most places with those stand alone ATMs have been in place for more than 10 years and some even still use dial up modems in the UK :S
So it's limited cash from the machine or the entire bank...
So the door that opens for the CD drive isn't the same one for the cash bin? And not as secure? The CD-ROM drive isn't secure. One would think that the door would be actually stronger and the CD-ROM disabled by default in that accessing the ATM's computer would give access to the bank's entire customer base as well as any partner banks. On the other hand, methinks the crims aren't thinking far enough outside the box. The cash in the machine is limited. The funds available by accessing every account in the bank is virtually unlimited.
Re: So it's limited cash from the machine or the entire bank...
Most likely. It's possible that the technician servicing the ATM is different than the person that fills/empties/services the cash dispenser. (This way, the service tech can work on the machine and doesn't necessarily have to be trusted that they won't clean the machine out, because they don't have the key for the cash dispenser.)
In any case, it just shows that once physical access is obtained to the computer, it's only a matter of time before it's compromised.
FWIW, commanding the cash dispenser to spit out a set number of bills is actually somewhat trivial: some of the machines I've worked on had a diagnostic section for technicians that has the magic pass code, pin, or key to command the bill dispenser to spit out whatever combination of currency was in the machine at the time. Kinda neat watching them work on it.
> Schoolboy errors made the self-service ATM-pwning tactic all too easy for Mexican crooks.
So that's the problem.
What the feck are these guys doing using school kids to build their ATMs?
...using school kids to build their ATMs
Because this way the ATM is still safer than a Diebold one?
Bad Banks Better?
I worked for a major American bank a few years back. They were using OS/2 v.2 for their ATMs. It would not surprise me if they still do. Banks are extremely change-averse. They talk a good game when it comes to security, but many (at least) don't walk the walk.
Re: Bad Banks Better?
That must be a good thing then, after all there is no way Windows malware will run on OS/2 and I very much doubt the script kiddies know how to write anything that would work there.
Re: Bad Banks Better?
> "after all there is no way windows malware will run on OS/2"
Ever heard of the Windows OS/2 subsystem?
> "I very much doubt the script kiddies know how to write anything that would work there."
Just because you don't know does not mean they don't - when there is cash to be had, you find ways ...
Automated Teller Machine Machines?
The post is required, and must contain letters.
Re: Automated Teller Machine Machines?
Redundant acronym syndrome syndrome.
Meanwhile on YouTube...
Check out the recent DEFCON presentations about "JackPotting" certain varieties of stand-alone ATM machines typically found in convenience stores, gas stations & bars. The speed of the initial hands on hack to compromise the machine simply beggars belief.
"I worked for a major American bank a few years back. They were using OS/2 v.2 for their ATMs. It would not surprise me if they still do. Banks are extremely change-averse. They talk a good game when it comes to security, but many (at least) don't walk the walk."
OS/2 would actually HELP their security. No extraneous services, OS/2 was quite secure by design, and (as a practical matter) an OS that old doesn't have many people researching it and looking for exploits.
The main issue I've seen is ATMs which are running Windows with all kinds of irrelevant services running, and clearly poor security practices. Frankly, the ATM industry should straight up follow procedures similar to what casinos follow for slot machines. THOSE are some secure machines. I've seen one boot, it ran a stripped BIOS, which checked the "normal" BIOS before executing it. This checked the checksum on a bootloader *and* the Linux kernel it loaded, the bootloader checked itself, the BIOS, the kernel, and the software before loading the next step (this software was I think in a ramdisk, so there was no chance of it missing "extra" software on the system). The software then checked the bootloader, kernel, and itself before proceeding to run the rest of the software in the ramdisk. Finally, I think the system ran an extra check that would cause the system to immediately halt if any unauthorized software was running on the system (i.e. if something managed to bypass ALL THOSE CHECKS, the system would then kick off and die anyway.)
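The hash-chained boot described in the comment above, together with the signed-update gate proposed earlier in the thread (the ATM software accepting a CD-supplied image only if it is signed), as an added example that is not code from any poster or ATM vendor. It assumes an HMAC as a stand-in for the vendor's signature and constructed stage images in place of real firmware.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for the vendor's signing key (assumption: HMAC,
# not a real asymmetric signature, so the example runs with the stdlib alone).
VENDOR_KEY = b"constructed-demo-key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Authenticate the manifest (stage name -> expected digest)."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).digest()

def manifest_is_authentic(manifest: dict, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)

def verify_boot_chain(stages: dict, manifest: dict, tag: bytes, key: bytes) -> list:
    """Walk BIOS -> bootloader -> kernel -> app, checking each image's digest
    against the authenticated manifest before handing off. Returns the stages
    verified before the chain halted (all four when the boot is clean)."""
    if not manifest_is_authentic(manifest, tag, key):
        return []  # untrusted manifest: nothing boots
    verified = []
    for name in ("bios", "bootloader", "kernel", "app"):
        if sha256(stages.get(name, b"")) != manifest.get(name):
            break  # halt: this stage is not what the manifest says it is
        verified.append(name)
    return verified

def accept_update(image: bytes, manifest: dict, tag: bytes, key: bytes, stage: str) -> bool:
    """The running ATM software decides whether a CD-supplied image replaces a
    stage: only with an authentic manifest whose digest matches the image."""
    return manifest_is_authentic(manifest, tag, key) and sha256(image) == manifest.get(stage)

# Constructed sample images standing in for the real firmware and software.
GOOD = {"bios": b"bios-v1", "bootloader": b"grub-v1", "kernel": b"linux-v1", "app": b"atm-app-v1"}
MANIFEST = {name: sha256(image) for name, image in GOOD.items()}
TAG = sign_manifest(MANIFEST, VENDOR_KEY)

def demo():
    """Clean boot verifies all stages; a tampered kernel halts the chain there."""
    tampered = dict(GOOD, kernel=b"linux-v1-plus-extra-payload")
    return (verify_boot_chain(GOOD, MANIFEST, TAG, VENDOR_KEY),
            verify_boot_chain(tampered, MANIFEST, TAG, VENDOR_KEY))

if __name__ == "__main__":
    print(demo())
```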
This sounds like someone's own money is on the line.
Funny, you just described how SecureBoot works. Sounds like that slot machine company can sue Microsoft, what with prior art and all that.
Except secure boot is not a Microsoft thing, it's the whole industry.
The future US. But without the nuclear bombs.
Re: Ah, Mehico
I assume you are trying to say the US will be the future Mexico instead. Perhaps, but at least they don't have to bail out Southern Europe. The US at least got to play with goodies of running up the credit card. Northern Europe not so much, they just had to pay the bill.
Re: Ah, Mehico
Oh but they did and then some. You should research how all the large banks are connected world wide. But the US gov/corp also sent money directly to European financial companies as well as through back channels and swap deals.
No, I really did mean the future US. But I see what you're saying and I'm pretty sure we're saying the same thing.
The banks/ATM owners will use this as a way to increase the transaction fees on the ATMs to pay for the security they should have had to begin with. So it won't cost the banks/ATM owners anything.
RIP Barnaby Jack :)