Are we surprised?
Even the OECD and the accountants have noticed the availability of the tools... http://www.oecd.org/ctp/crime/ElectronicSalesSuppression.pdf
Audacious crooks have infected hundreds of shopping tills and cash machines with malware to swipe sensitive debit and credit card data, we're told. Researchers at Russian security firm Group-IB said the software nasty is called Dump Memory Grabber, which targets computers running Microsoft Windows. It can swipe information …
Given that these are all apparently tills and ATMs why the monkeys do they have full internet access?
> then uses FTP to upload the account numbers, names, card expiry dates and other details to a server under the control of unidentified swindlers.
Surely they should only have access to whitelisted hosts - Bank gateway, Stock control (internal?) and vendor software updates (could be mirrored internally)
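The egress allow-list suggested above (bank gateway, stock control, vendor update mirror) turned into a check over a till segment's outbound connection log, as an added example that is not from the thread or the article: the hosts, ports and log lines are constructed, and the log format is a hypothetical one-connection-per-line export.

```python
import re
from typing import List, NamedTuple

# Hypothetical allow-list for a till/POS network segment: the acquirer's
# payment gateway, the internal stock-control server and an internally
# mirrored vendor update server. Addresses are RFC 5737 documentation ranges.
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),  # bank / acquirer payment gateway
    ("10.20.0.5", 8443),    # internal stock-control server
    ("10.20.0.9", 443),     # internal mirror of vendor software updates
}

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


class Finding(NamedTuple):
    src: str
    dst: str
    dport: int
    reason: str


def check_egress(log_lines: List[str]) -> List[Finding]:
    """Return every outbound connection that is not on the allow-list.

    FTP (20/21) to an unknown host is called out separately because that is
    the exfiltration channel the article attributes to Dump Memory Grabber.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that are not connection records
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in EGRESS_ALLOWLIST:
            continue
        reason = ("FTP to non-allow-listed host (card-dump exfil pattern)"
                  if dport in (20, 21) else "connection to non-allow-listed host")
        findings.append(Finding(m["src"], dst, dport, reason))
    return findings


# Constructed sample: two legitimate connections, then a till talking FTP and
# HTTP to a host that has no business with a POS segment.
SAMPLE_LOG = [
    "2013-03-28T10:01:02 src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp",
    "2013-03-28T10:01:05 src=10.20.1.15 dst=10.20.0.5 dport=8443 proto=tcp",
    "2013-03-28T10:02:11 src=10.20.1.15 dst=198.51.100.77 dport=21 proto=tcp",
    "2013-03-28T10:02:12 src=10.20.1.15 dst=198.51.100.77 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The same pairs double as the rule set for whatever egress filter the segment actually has; the check only shows which connections such a filter would have stopped.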
I think this is why they mention "trusted INsiders" - good security protocol would indeed ask for contained networks, but all you need is a machine somewhere on that platform with 2 network cards (or a card and a WiFi link) and your hard shell protection is gone, or a hack of one of the routers to set up a VPN or join an extra machine onto the VLAN. About the only way you can fix this is to hard burn code into the machines, but that gets fantastically costly in terms of maintenance.
I'd go and train some people in micro expressions and then start going through whoever had access to the network infrastructure, physically and electronically.
Whitelists, gateways, contained networks, VPN, hard shell protection, routers, VLAN.
Your average corner store with a POS terminal does not have a clue about any of this. All they want is "plug this in here and that computer has all your sales and stock levels. You can then use it to order more stock and update your levels". If they start using whitelists then they need a relatively expensive firewall and they need to pay somebody to configure it. Every time they change supplier they need the whitelist updated. Every time their supplier changes their web pages you need to update the whitelist (just because you type in www.acme.com does not mean that all the scripts, images and pricing information on the page comes from acme.com). These are small businesses with very narrow margins and the cost of paying for an IT professional to maintain the network is not something they can afford.
A trusted insider could be anyone, including the person operating the till making $8/hr.
Are these machines locked down? Not always. Do they have a USB port? Usually. Is the version of windows updated to disable autorun from USB devices? Probably not.
All you would have to do is plug in a USB key. Give it a few seconds and pull it back out. Doesn't exactly take a whole lot of computer know-how.
A conversation could easily go like this: "I want you to plug this USB key into that till. I'll pay you $100 to do it. No one will know." Heck, you might get away with a simple $20.
Or, as a lot of these machines are easily accessible from the wrong side of the counter, just plug it in yourself.
Yes, there will be some failure rate; but it wouldn't be that high.
You're spot on - they're called zappers (as opposed to phantomware, which is the built-in stuff) and you can read all about them courtesy of the OECD - linked in my first post above... the sheer scale of the criminality is staggering. The manufacturers know about this stuff, and far from whitelisting acceptable addresses, they're the ones writing in the hooky code - and even training the operators in how to use it...
"I wouldn't mind so much if they were stealing from big faceless corporations rather than innocent members of the public."
I think you actually meant "I wouldn't mind so much if they were stealing from innocent members of the public by causing big faceless corporations to pass on the costs of fraud".
1) "Any shit OS like Windows shurely will be enough for that application"
2) "Reviews and software audits?" We have heard of them.
3) Secure practices? That's when you use condoms, right?
4) Yeah, this ATM will just FTP out. Do the requirements forbid it? No, so it's OK.
5) Independent Verification and Validation? We are not NASA.
6) We always buy Diebold as they also make voting machines
The "financial industry". Only good at lending out more money than it actually owns. At interest.
> The malware is written in C++
Counts as Mad Skillz in 2013.
"isn't that what PCI-DSS is for?!?!"
No. PCI DSS is a very minimal set of standards, and you could be fully compliant and still affected by this and other nasties (until and if ever your virus scanner database catches up, at any rate). AIUI the encryption requirements refer to storage, so have no relevance to an attack that grabs the contents of RAM.
Note that the financial services sector is only too happy to serve crooks - how often do you see spam for counterfeit or illegal stuff that accepts payment via Mastercard or Visa? The card networks could crack down on that, and effectively kill a good percentage of global spam simply by cutting off the cash flow. But they can't be bothered (or it makes too much money for them). Likewise, most of the world doesn't travel globally at the drop of a hat, yet their card providers issue geographically unrestricted cards that positively encourage fraud. Regular travellers could have that - I don't need it, or the risk, and the few exceptions to international payments by non-travellers could be whitelisted if obvious enough, or subject to 2FA by the card provider.
However, until the banking system effectively locks down those nations that allow their banks to launder ill-gotten gains without traceability, higher security standards are merely a leapfrog game with the crims. If that means cutting off the whole of the Republic of Baksyedistan because of a few hundred thousand laundered for fake blue pills, then let it happen as far as I care.
Biting the hand that feeds IT © 1998–2019