Bank card-slurp nasty 'infects tills, ATMs', corrupt staff fingered

Audacious crooks have infected hundreds of shopping tills and cash machines with malware to swipe sensitive debit and credit card data, we're told. Researchers at Russian security firm Group-IB said the software nasty is called Dump Memory Grabber, which targets computers running Microsoft Windows. It can swipe information …

COMMENTS

This topic is closed for new posts.
  1. J P

    Are we surprised?

    http://www.accaglobal.com/en/discover/news/2013/03/zapper-treasury.html

    Even OECD and the accountants have noticed the availability of the tools... http://www.oecd.org/ctp/crime/ElectronicSalesSuppression.pdf

  2. Elwell

    Why no whitelist firewall

    Given that these are all apparently tills and ATMs why the monkeys do they have full internet access?

    > then uses FTP to upload the account numbers, names, card expiry dates and other details to a server under the control of unidentified swindlers.

    Surely they should only have access to whitelisted hosts - Bank gateway, Stock control (internal?) and vendor software updates (could be mirrored internally)

    1. Anonymous Coward

      Re: Why no whitelist firewall

      I think this is why they mention "trusted INsiders" - good security protocol would indeed ask for contained networks, but all you need is a machine somewhere on that platform with 2 network cards (or a card and a WiFi link) and your hard shell protection is gone, or a hack of one of the routers to set up a VPN or join an extra machine onto the VLAN. About the only way you can fix this is to hard burn code into the machines, but that gets fantastically costly in terms of maintenance.

      I'd go and train some people in micro expressions and then start going through whoever had access to the network infrastructure, physically and electronically.

      1. Anonymous Coward

        Re: Why no whitelist firewall

        Whitelists, gateways, contained networks, VPN, hard shell protection, routers, VLAN.

        Your average corner store with a POS terminal does not have a clue about any of this. All they want is "plug this in here and that computer has all your sales and stock levels. You can then use it to order more stock and update your levels". If they start using whitelists then they need a relatively expensive firewall and they need to pay somebody to configure it. Every time they change supplier they need the whitelist updated. Every time their supplier changes their web pages you need to update the whitelist (just because you type in www.acme.com does not mean that all the scripts, images and pricing information on the page comes from acme.com). These are small businesses with very narrow margins and the cost of paying for an IT professional to maintain the network is not something they can afford.

      2. jai

        Re: Why no whitelist firewall

        do you mean, interrogate the people who have physical and electronic access to the infrastructure? or to physically and electronically "interrogate" them :)

        Either way, I'm sure Dr Cal Lightman will be happy to assist.

      3. chris lively

        Re: Why no whitelist firewall

        A trusted insider could be anyone, including the person operating the till making $8/hr.

        Are these machines locked down? Not always. Do they have a USB port? Usually. Is the version of windows updated to disable autorun from USB devices? Probably not.

        All you would have to do is plug in a USB key. Give it a few seconds and pull it back out. Doesn't exactly take a whole lot of computer know how.

        A conversation could easily go like this: " I want you to plug this USB key into that till. I'll pay you $100 to do it. No one will know. ". Heck, you might get away with a simple $20.

        Or, as a lot of these machines are easily accessible from the wrong side of the counter, just plug it in yourself.

        Yes, there will be some failure rate; but it wouldn't be that high.

        1. J P

          @chris lively

          You're spot on - they're called zappers (as opposed to phantomware, which is the built-in stuff) and you can read all about them courtesy of the OECD - linked in my first post above... the sheer scale of the criminality is staggering. The manufacturers know about this stuff, and far from whitelisting acceptable addresses, they're the ones writing in the hooky code - and even training the operators in how to use it...

  3. Anonymous Coward

    I wouldn't mind so much

    I wouldn't mind so much if they were stealing from big faceless corporations rather than innocent members of the public.

    1. Gavin King

      Re: I wouldn't mind so much

      You do realise that there is a touch of irony in saying that as AC?

    2. Phil O'Sophical

      Re: I wouldn't mind so much

      And who do you think those "big faceless corporations" get their money from, idiot? It's just like shoplifting, you aren't stealing from Tesco, you're stealing from all the people who have to pay the extra costs that Tesco add to their prices to cover "shrinkage".

    3. Chemist

      Re: I wouldn't mind so much

      "I wouldn't mind so much if they were stealing from big faceless corporations rather than innocent members of the public."

      I think you actually meant "I wouldn't mind so much if they were stealing from innocent members of the public by causing big faceless corporations to pass on the costs of fraud".

  4. Destroy All Monsters

    Total and utter failure of any secure process at ATM building and installing

    1) "Any shit OS like Windows shurely will be enough for that application"

    2) "Reviews and software audits?" We have heard of them.

    3) Secure practices? That's when you use condoms, right?

    4) Yeah, this ATM will just FTP out. Do the requirements forbid it? No, so it's OK.

    5) Independent Verification and Validation? We are not NASA.

    6) We always buy Diebold as they also make voting machines

    The "financial industry". Only good at lending out more money than it actually owns. At interest.

    > The malware is written in C++

    Counts as Mad Skillz in 2013.

  5. Cameron Colley

    When I said "Windows is a POS."

    I didn't mean for you to attach a bloody credit card reader to it!

  6. Tim Russell

    Common denominator....

    ...lUsers and Windoze...

    ..but seriously POS information on Windows architecture in an unencrypted format... isn't that what PCI-DSS is for ?!?!

    No one likes having their money fiddled with!

    1. Ted Treen

      Re: Common denominator....

      "...lUsers and Windoze..."??

      WTF have users of Apple products got to do with Windows on ATMs?

    2. Anonymous Coward

      Re: Common denominator....

      "isn't that what PCI-DSS is for ?!?!"

      No. PCI DSS is a very minimal set of standards, and you could be fully compliant and still affected by this and other nasties (until and if ever your virus scanner database catches up, at any rate). AIUI the encryption requirements refer to storage, so have no relevance to an attack that grabs the contents of RAM.

      Note that the financial services sector are only too happy to serve crooks - how often do you see spam for counterfeit or illegal stuff that accepts payment via Mastercard or Visa? The card networks could crack down on that, and effectively kill a good percentage of global spam simply by cutting off the cash flow. But they can't be bothered (or it makes too much money for them). Likewise, most of the world doesn't travel globally at the drop of a hat, yet their card providers issue geographically unrestricted cards that positively encourage fraud. Regular travellers could have that - I don't need it, or the risk, and the few exceptions to international payments by non-travellers could be whitelisted if obvious enough, or subject to 2FA by the card provider.

      However, until the banking system effectively locks down those nations that allow their banks to launder ill-gotten gains without traceability, higher security standards are merely a leapfrog game with the crims. If that means cutting off the whole of the Republic of Baksyedistan because of a few hundred thousand laundered for fake blue pills, then let it happen as far as I care.
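Two of the threads above meet here: Elwell's point that tills should only talk to whitelisted hosts, and the point that storage encryption does nothing against a RAM grabber that ships card data out in cleartext. As an added example (mine, not from the article or any commenter), this is the kind of egress check an outbound gateway or DLP tap could run on an upload before it leaves the shop network: it flags Luhn-valid PANs and track-2-style records. The sample payload, the test PAN and the function names are constructed for illustration.

```python
import re

# Constructed sample of an outbound upload; the PAN is the well-known
# Visa test number, not a real card. The third line has 16 digits that
# are NOT Luhn-valid, so a naive "16 digits" rule would false-positive.
SAMPLE_UPLOAD = (
    b"ORDER 20130321 till07\r\n"
    b";4111111111111111=15121010000000000000?\r\n"   # track-2-style record
    b"ref 1234567890123456 invoice total 42.00\r\n"  # looks like a PAN, fails Luhn
)

# Bare PAN: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 and last 4 (PCI-style masking) so alerts don't re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_card_data(payload: bytes) -> list:
    """Return one finding per distinct Luhn-valid PAN, track-2 records first."""
    hits, seen = [], set()
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan) and pan not in seen:
            seen.add(pan)
            yy, mm = m.group(2).decode(), m.group(3).decode()
            hits.append({"kind": "track2", "pan": mask(pan), "expiry": f"{mm}/{yy}"})
    for m in PAN_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan) and pan not in seen:
            seen.add(pan)
            hits.append({"kind": "pan", "pan": mask(pan)})
    return hits
```

A single hit on an FTP session leaving a till is enough to block the transfer and raise an alert; the Luhn filter keeps order and invoice numbers from drowning the signal.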
