Neat!
There are some clever people out there...lucky for us they've decided to go into crime rather than getting jobs at GCHQ or the NSA.
Mexican cybercrooks are targeting bank ATMs with malware that can be activated by a SMS message that forces compromised cash machines to spew out cash. The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net …
It's fast, and totally analogue. We had something similar happen around here. Someone drives down the street in a front end loader, and smashes into the bank, scoops the ATM, and dumps it in a pickup that just happened to be handy. It all happened in a blink, and they were never found.
Have to check the weight limits, but you might be able to do it with one of those rubbish lorries with the hydraulics for emptying the bins automatically. Ram, lift and away; all in one vehicle. As a bonus, you wouldn't have to break into the ATMs...just switch the compactor on for a cycle or two. Hmmm.....
I am quite sure that no matter what you attach to a USB port, without OS support the worst it can do is pull too much current and shut itself down (and perhaps other devices on the same power bus). So yeah, the OS is very much implicated in this. But I do agree that physical security of the port comes before it.
Heh. Been a while since my country appeared on El Reg, and I'm not quite surprised it came up with an ATM slurping malware bit. But it does confirm that I was properly annoyed when I realized they had switched from OS/2 to WinXP on ATMs … and I was thinking "geeze, we shouldn't be putting that OS on ATMs!"
Please use (very) custom hardware/software when you build ATMs. Oh, and please put in some logging features that do checksums of vital parts and report them back to "central". You don't need to verify them at the ATM, let your center do that and raise alarms.
p.s. Keep those $20 bills on coming! Baby needs a new pair of shoes!
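The central-verification idea in the comment above (each ATM reports checksums of its vital parts, the centre compares them and raises the alarm), sketched as an added example that is not part of the thread. The ATM id, component names, key and message layout are all assumptions.

```python
import hashlib, hmac, json

def build_report(atm_id, counter, components, key):
    """ATM side: hash each vital component and MAC the report. No local verdict."""
    hashes = {n: hashlib.sha256(b).hexdigest() for n, b in components.items()}
    body = json.dumps({"atm": atm_id, "ctr": counter, "hashes": hashes}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Central:
    """Central side: holds per-ATM keys and known-good hashes, raises the alarms."""
    def __init__(self, keys, baseline):
        self.keys, self.baseline, self.last_ctr = keys, baseline, {}

    def check(self, report):
        """Return a list of alarms; an empty list means the report matches baseline."""
        try:
            msg = json.loads(report["body"])
            key = self.keys[msg["atm"]]
        except (KeyError, ValueError, TypeError):
            return ["malformed report or unknown ATM"]
        want = hmac.new(key, report["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, report["tag"]):
            return ["bad MAC"]
        # A strictly increasing counter stops an old "all clean" report being replayed.
        if msg["ctr"] <= self.last_ctr.get(msg["atm"], -1):
            return ["replayed or stale report"]
        self.last_ctr[msg["atm"]] = msg["ctr"]
        alarms = []
        for name, good in sorted(self.baseline.items()):
            got = msg["hashes"].get(name)
            if got is None:
                alarms.append(f"missing: {name}")
            elif got != good:
                alarms.append(f"modified: {name}")
        alarms += [f"unexpected: {n}" for n in sorted(msg["hashes"]) if n not in self.baseline]
        return alarms

# Constructed sample data: component names, contents and key are made up.
KEY = b"constructed-demo-key"
CLEAN = {"boot_image": b"bootloader v1", "dispenser_service": b"dispenser v1"}
BASELINE = {n: hashlib.sha256(b).hexdigest() for n, b in CLEAN.items()}

if __name__ == "__main__":
    central = Central({"atm-001": KEY}, BASELINE)
    print(central.check(build_report("atm-001", 1, CLEAN, KEY)))
    tampered = dict(CLEAN, dispenser_service=b"patched", extra_service=b"new")
    print(central.check(build_report("atm-001", 2, tampered, KEY)))
```

A reporter that runs on the same OS as the malware can be made to lie, so the measurements are only as trustworthy as the component that takes them; taking them from something the OS cannot rewrite, such as a TPM-backed measured boot, closes that gap.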
Looks like using Windows for ATMs doesn't sound as bright right about now.
I have always been miffed at this, especially given that I have worked at certain banks (yes, MEXICAN banks) and most of them snub Windows for everything else. But the ATMs are on Windows, no surprise they're getting 0wn3d on the ATM side.
Oh well, beats having the whole ATM stolen, which happens every now and then.
Wow, the banks have been complacent. I have to think that outsourcing and general wipe-out of IT salaries has had something to do with this. Why would ATMs require an active USB? To Pwn your own ATM?... Was this a deliberate added feature! Ditto for leaving active USBs on the walk-in self-service machines where crims can upload Malware 'while-you-wait' so to speak... And how did Windows XP spread like a virus and find its way onto so many ATM machines?
I thought the banks used proprietary software precisely to defeat these types of attacks. I have to think again it's cost control so the execs can get their bonuses at the expense of quality IT departments, many of which have been decimated. But clearly this is just the cost of doing business. If the banks were taking a hard enough hit, they would have to fix this fiasco.
Still, it's all good, overall I'm glad that the crims are targeting the banks directly though and not using those smarts to forge more attacks on Mom and Pop.... As someone else flippantly said, maybe it's good that these people took the crim path and didn't take jobs for the Five Eyes.
While everybody loves hating Windows, true point is, a USB port? And the ATM is configured to boot from it as default? What could possibly be wrong with that line of thought...
Even keeping the USB port, a much better idea would have been to have a custom BIOS that checked for existence of a flash drive connected to said USB port and then, if one existed, read a key from it and used it to decrypt a boot image off a hidden partition into the system partition. Right key? ATM back to a clean start state. Wrong key? Bricked ATM in need of hauling to repair shop. Assumes a tamper proof HD/SSD setup.
The cynic in me thinks this is just a setup for plausible denial. Whoever did the ATMs was probably "persuaded" (at point blank) to make them "somewhat insecure", not bad enough they'd look guilty, just clueless. Eventually losing face is far better than immediately losing (parts of) head...
That sounds like you're suggesting this was set up / organised long ago. IF that's the case, how come these "hacks" are only just coming to light now?
I think it was just downright stupidity. Not intentional - I say that reluctantly. XP was released in 2001. Why the machines were never upgraded, I'm thinking may have been / could have been intentional?
There are many questions that need to be answered here.
WinXP? Which maniac thought it was a good idea to put XP on ATMs? Even slot makers have the sanity to put Linux into their slots. Saw one Bally machine booting Linux (albeit an ancient 2.2 kernel) at a casino sometime back, when a service tech maintained the machine and then rebooted.
Surely if Linux is good enough for slots, it would be good enough for ATMs?
"Which maniac thought it was a good idea to put XP on ATMs". Basically IBM as they gave up, lost the plot, so to say, for reasons I don't know. But again the way the OS was used and the way the "old" ATMs were designed, as the text goes "in the case of older cash machines still running (dead-man-walking OS) Windows XP" the problem would have been the same regardless of the OS. Nobody was then, long ago, prepared to back up Linux with any force, but with the same guys "designing" the ATMs the result would have been again the same. The fuck ups regarding Android are equally not because of Linux. There is nothing you cannot fuck up totally regardless of the OS.
And sheesh to myself but the damned logic is that if you hit your thumb with a hammer you may say sheesh but it would perhaps be silly to blame the hammer. Still you will probably rather throw the hammer in the drink than yourself. Life is sometimes unfair for hammers, Windows and penguins.
Sorry, I configured loads of machines for a large high street bookies chain, all were using Windows XP, you did need a key to disable the tamper alarm, and another to open the front and another to unlock the cage the actual PC was in. Access to the USB slots and hard drive was not possible without disabling the alarm, opening the case and unlocking the PC cage. Hard drives were imaged off the machine, then installed and configured. USB was not disabled as the cash reader was connected via USB. You also needed a PS/2 keyboard and mouse to set them up as USB keyboards and mice were not recognised.