Jackpotting
So every time I've put my card into one of those things and got money, you mean to say I haven't really won anything? Explains a few things...
Almost any cash machine in the world could be illegally accessed and jackpotted with or without the help of malware. Security researchers at Kaspersky Lab reached this conclusion after investigating real attacks on ATMs and assessments of the machines carried out for several international banks. The susceptibility of ATMs in …
ATMs are largely managed as static machines that occasionally need a maintenance engineer as well as some monitoring in the data-centre.
Unsurprisingly: many have had TeamViewer, Radmin etc. installed by staff at the network owners.
ATMs and other IoT devices should become much more dynamic and have the ability to upgrade. The current generations of hackers, developers etc. are being trained with Raspberry Pis etc. that are not that far off from the capabilities of the ATMs, and they will use the knowledge.
It will be interesting to see how the ATMs evolve.
While I can't speak for the rest of the world, here in Yankville, most (not all, but most) ATMs by "major" banks are "through the wall" where the user has no access to USB or network ports. I consider those highly tamper resistant and they are the only type I will use. The ones you have to be very wary of are those in convenience stores/chemists which are free-standing devices. In addition to the often exorbitant fees associated with those, you have no way of knowing who has accessed the innards and tampered with it. I avoid those except in dire cash emergencies. And given that my chip-and-pin debit card works almost everywhere, very little qualifies as a dire cash emergency.
Many "through the wall" ATM machines may be secure enough from the front, however the rear of them where the access to the "interesting" parts can be had is often not so well protected. Just behind a screen or in a box and often with nothing more than a standard "security" hex style bolt keeping the case closed. I've seen a few with vents where one can readily see more interesting parts.
Obviously tampering with an ATM inside a bank is risky, however so is tampering with one outside as they're often covered by CCTV. However, what you've missed in the article is the fact that the ATM networks are often so insecure that gaining access to one of them will give the successful attacker access to many more ATMs, so even if it appears to be physically secure, how about the one around the corner inside the bank or even another branch of the same bank?
If the bank is not using double controlled physical keys to the ATM they are doing it wrong. For those that need single person access, again it would be a physical key, with hopefully fully audited case intrusion (last person accessing etc., and printed on till receipts to prevent any software hack trying to cover the footprints).
Any ATM with plain screws, even hex, will just get stripped for the metal panels quicker than anyone could even get to fill it with cash.
It's any possibility of hacks through the card reader/keyboard/pins shoved through gaps in the case that are a risk, as it's the low hanging fruit. Though hopefully far too complex, and card skimming and ram raiding are all the thieves will aim for.
criminals can potentially install a specially programmed microcomputer (a so-called black box),
Without wishing to be too accusatory, this is The Reg. And you've published an article containing this gem. Do you think our average knowledge and intellect is somewhere around that of the average Daily Mail/Mirror reader?
My bank has replaced free standing ATM with through-the-wall ATM because thieves with backhoes were demolishing the boxes around them, and craning the ATM onto a trailer and away for leisurely looting. Much less sophisticated than hacking.
Now, they are stalling on EMV cards, because they will have to replace the ATM again, or replace and upgrade the card readers.
Correct, but this article doesn't even follow the threat model like a bank does.
1. The ATM and cash is insured, so any loss is not paid directly by the bank.
2. Insurance is a cost of business that is passed onto their customers as part of the fees.
3. Unless specific banks are more vulnerable than others, the insurance premiums will rise uniformly across all banks to cover it, that number gets crunched through Excel (or worse) and everyone's account fees or ATM fees or whatever raise by a few dollars over the year.
When the point is reached that replacing ATMs makes sense, some banks will realize that, do so, and the savings will allow them to avoid increasing fees on their customers - with the result that they steal customers from other banks, meaning more profit for them (or, if customers are too stupid to comparison shop and they stick with their higher fee bank, the bank with the new ATMs will raise their fees to match even though they don't need to and make more money that way).
with the result that they steal customers from other banks meaning more profit for them
Retail banking customers are notoriously brand-loyal, though probably almost entirely from the costs (opportunity cost, labor of changing automatic withdrawals, etc) rather than from any sentimental attachment to their banks.
And in the US, price-conscious banking customers are probably using a credit union, and it's hard for a commercial bank to beat them on pricing. Leverage, yes; pricing, not so much.
if customers are too stupid to comparison shop and they stick with their higher fee bank, the bank with the new ATMs will raise their fees to match even though they don't need to and make more money that way
Possibly, but retail banking has poor margins - it's capital-intensive (all those branches, staff, dealing with people, etc) and is mostly the long-tail end of banking, so you have lots of small accounts and overhead is high relative to average profit. I suspect it'd take a while to realize a positive return on the investment in new ATMs, were it made solely for security reasons.
Now, when old ATMs have to be replaced for other reasons, upgrading to more-secure ATMs (should any be available - remember these are produced by companies like Diebold) might justify some additional price premium.
Yeah, but cash registers are typically not used by anyone outside of company employees - which makes them a different problem compared to ATMs which are used by anyone.
Also, cash register issues are the problem of the company (as Target found out last year to its great detriment), and its customers, whereas ATM issues are everybody's problem.
Finally, cash registers are generally under more direct surveillance than ATMs (and have never been attacked by backhoes - yet). People standing around an ATM generally do not get noticed by passers-by, whereas Joe Hacker is not going to have much time to muck with a cash register before store security is standing next to him and asking questions.
But yeah, Target is a clear demonstration that cash registers are a weak point whose security depends more on luck than actual defences.
This one is not passed on so indirectly. It will go directly to banking and insurance fees. It may go indirectly via security measures offered to the public in general that they would like more attention from. However a big public bail out gives them a big red face, so might need a more subtle means.
I am not in the least surprised.
Bad enough that my bank STILL refuses to make passwords case sensitive, or allow "Special" characters.
This week though they trumped themselves with repeated messages on-line, in app, and even via robo phone call "encouraging" me to make sure that both Android and the bank's app on my phone were up to date.
My bank has never phoned me for anything, so I'm assuming that the app has the mother of all security holes in it.
If you are experiencing issues using the Android app on your mobile phone or tablet, you must install app version 16.3.0 or above, on a device operating with Android OS 3.0 or above. We are sending you this message because you have signed into our mobile app with a device requiring one or both of these updates. To continue using your mobile app:
If you haven't already done so, update your Android OS.
Update to the latest version of the Scotiabank Mobile Banking app. You can download Scotiabank's Android mobile banking app directly from Google Play on your device.
If you need help updating your device OS, please contact your wireless carrier or device manufacturer. If your device does not support the upgrade to the latest Android OS, please visit www.scotiaonline.com on your mobile device and Sign In to access your accounts.
Thank you for taking these steps to ensure you can continue to use the Scotiabank Mobile Banking app.
Everything on my phone is as up to date as possible, so I'm really left wondering.
If my account had any money in it I'd worry.
You can install Fiddler on your PC then proxy your phone via that PC and Fiddler will intercept the traffic for you.
Then you can see if they are encrypting the traffic itself. It is quite an eye-opening* thing to observe and works for all apps. You can even MITM** yourself if they aren't pinning the certificates and inspect what they are encrypting. That can also reveal privacy breaches.
* not in a good way
** Android will warn you that others can observe if you install the fake root certificate to permit this.
Bad enough that my bank STILL refuses to make passwords case sensitive, or allow "Special" characters.
That's a problem everywhere, and the sad thing is that I know why this is the case.
RACF has issues with non-alphanumeric characters due to ASCII/EBCDIC.
Many bank systems do RACF authentication. Therefore, bank password policies won't allow non-alphanumeric passwords.
Client-facing systems don't authenticate clients against RACF. Yet they're also saddled with the same password policies because having a single policy for everything is easier!
I can easily imagine that this ASCII/EBCDIC issue is going to take mountains of cash to change, meaning that we are going to be saddled with the problem for decades to come - or until the mainframes start failing (which, due to the mountains of cash already paid for their maintenance, ain't gonna happen anytime soon).
I can easily imagine that this ASCII/EBCDIC issue is going to take mountains of cash to change
Nah. Migrations from the mainframe to certain emulation environments, including converting to ASCII, can be done relatively cheaply, for the typical suite of banking apps. Let's say < $1M for hardware and software, six months of development time with existing staff. Minimal changes to application source. Compared to mainframe leasing costs...
Banks just tend to be conservative with their IT. Often where they try to achieve savings is in operations, which is why you have your NatWest-type failures. They're reluctant to do application lift-and-shift, or portfolio analysis, or other things that might save them money but require watching the sausages get made.
RACF has issues with non-alphanumeric characters due to ASCII/EBCDIC.
Many bank systems do RACF authentication. Therefore, bank password policies won't allow non-alphanumeric passwords.
True, but there's a trivial fix for this.
(And, technically, it's not RACF or even SAF that's at fault, but the matter of 8-bit code limitations and the proliferation of EBCDIC code pages. You'd have the same issue with ACF2 or Top Secret or a home-grown authentication mechanism that used text passwords on z/OS. Not that it matters.)
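The two posts above attribute the "alphanumerics only" password rule to EBCDIC code-page proliferation rather than to RACF itself. The script below is an added illustration of that point, not code from any commenter or from IBM: it encodes each character of a candidate password under two real single-byte EBCDIC code pages (cp037, the US/Canada page, and cp500, the international page, both shipped with Python's codecs module) and reports the characters whose byte value differs between them. Those are exactly the characters a host that cannot know which code page a terminal or gateway used would mistranslate, so a password containing them may work from one front end and fail from another. The chosen code pages, the sample passwords and the policy function are assumptions for the demonstration; the "trivial fix" the commenter mentions is not specified on the page and is not what this shows.

```python
import codecs

# Printable ASCII characters whose code point is the same in every single-byte
# EBCDIC code page (IBM's "invariant character set"). Everything else in
# printable ASCII moves around between code pages.
INVARIANT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    " +<=>%&*\"'(),_-./:;?"
)

# Assumption for the demo: a US host (cp037) and an international/European
# front end (cp500) handling the same password text.
DEFAULT_CODEPAGES = ("cp037", "cp500")


def ebcdic_encodings(char, codepages=DEFAULT_CODEPAGES):
    """Map each code page to the byte `char` encodes to, or None when the
    code page has no encoding for that character at all."""
    result = {}
    for cp in codepages:
        try:
            result[cp] = codecs.encode(char, cp)[0]
        except UnicodeEncodeError:
            result[cp] = None
    return result


def unstable_chars(password, codepages=DEFAULT_CODEPAGES):
    """Return the set of characters in `password` whose byte value differs
    between the given code pages or is missing from one of them."""
    bad = set()
    for ch in set(password):
        encs = ebcdic_encodings(ch, codepages)
        if None in encs.values() or len(set(encs.values())) > 1:
            bad.add(ch)
    return bad


def check_policy(password, codepages=DEFAULT_CODEPAGES):
    """Hypothetical policy: accept any printable-ASCII password whose every
    character encodes identically in all listed code pages; otherwise name
    the characters that would break on a code-page mismatch."""
    if not all(0x20 <= ord(c) < 0x7F for c in password):
        return False, "non-ASCII or control characters"
    bad = unstable_chars(password, codepages)
    if bad:
        return False, "code-page dependent characters: " + "".join(sorted(bad))
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Correct-Horse_42", "pa$$word!", "a|b^c[d]"):
        print(repr(pw), check_policy(pw))
```

Running it shows that `-`, `_` and `$` survive the cp037/cp500 round trip unchanged, while `!`, `|`, `^`, `[` and `]` do not; a policy that permits the invariant punctuation but rejects only the code-page dependent characters is considerably less restrictive than a blanket alphanumeric rule while avoiding the mismatch the posts describe.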
Most of the computers we deal with in public places have either USB or serial ports for maintenance purposes. Guess what – get access to those and you pretty much own the machine.
However, the favourite method of cash extraction at the moment seems to be good old safe-cracking: blow the machine up or tow it away: low tech usually has the lowest opportunity cost.
Software hacks targeting the clearing system – recently in Bangladesh and elsewhere – are far more lucrative and alarming.
I suspect the banks' relaxed attitude is premised on the decline of cash, plus the availability (in the UK certainly) of retailer cashback (which is a win-win for retailer and bank). I'd wager most banks only see ATMs as a service in decline.
How many new anti-fraud initiatives have been developed for cheques (US: checks) in the past 10 years?
Losses at ATMs due to so-called jackpotting are a very small percentage of the total:
https://www.european-atm-security.eu/card-skimming-losses-continue-rise-outside-europe/
"In 2014 EAST began to collect statistics for ATM Malware after the first incidents were reported in Western Europe. 15 incidents were reported in 2015, down from 51 in 2014. These were all ‘cash out’ or ‘jackpotting’ attacks. Related losses of €743,000 were reported, down from €1.23 million in 2014."
Compare that with the total ATM fraud of 327 million Euros.
And all ATM fraud is completely dwarfed by Card Not Present / Remote Purchase fraud:
http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp
Those figures are just for UK issued cards.
I'm not sure why cash is still so prevalent. I usually carry a couple of £5 notes for unusual contingencies, but they are very seldom required. In the UK, I can do just about any transaction I want either electronically or by card. Even with a private sale, I can do an online transfer between my bank account and the other party's bank account using my laptop or phone. Cash is needed only for trivial transactions and children's pocket money. And of course when no record of the transaction is desired.
I was always disappointed that the Mondex system didn't gain appeal. It seemed to me to be a perfect substitute for cash, having all the advantages and fewer disadvantages than physical notes & coins.