Re: "ATM machine"
Is that where you enter your Personal Identification Number number?
Then you can get your hands on all that cash money.
ATM machines are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash. This according to researchers at Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would …
I used to use the automatic deposit machines in bank branches to deposit cheques.
I got a letter from the bank asking me to check whether deposits I had made on a specific date had appeared as such in my account. They hadn't, so I rang the bank to ask why not. Turns out that the bank had been robbed that day after my visit.
I was told to contact the payees and get them to send me the cheques again. "Are you kidding? It took a lot of effort to get one or two of those customers to write those cheques out the first time, let alone again."
"Surely you are insured against this kind of thing, in any case?"
Apparently not, or that was what I was told.
In the end they compromised by agreeing to write to my customers on my behalf.
After that experience: no more using the automated deposit machines.
(I did succumb once, since then, queuing up one day I was persuaded to use one of their super-duper new machines which printed images of the payments onto the receipt slip which proves the deposit has been made. How could they possibly get that wrong?
Would you believe it but the slip I received showed the deposit had been made at a different branch to the one I was in?! There was a day's delay before that credit appeared on my account - which I complained about).
>"Surely you are insured against this kind of thing, in any case?"
Apparently not, or that was what I was told.
Makes sense, given the banks are also insurance brokers.
What is the likelihood of an ATM being attacked and if it is compromised: how long before someone (at the bank) spots it, what is the potential loss and who's loss is it?
Soon after we were married, and were very hard up, we went to the local supermarket (Bishop's) and bought the absolute minimum amount of food to get us through. The checkout came to £10 approximately, so I wrote a cheque and we took our shopping back to the car park and thence home. A few days later, I received a letter from Bishop's telling me that they had been robbed, and that my cheque was in the cash bag that had been stolen. They then asked me to re-issue the cheque to cover their loss. I replied that I would not do so, as I had completed the transaction in good faith, and that I was not responsible for what they did (or did not do) with that cheque subsequently. I posed the question that, if I had been mugged in the car park, and our £10 worth of groceries had been stolen, would they have expected to allow me to replace those stolen goods for free? I think not. The cheque was never presented, and we never heard any more about the matter. My only regret was that it was only £10, if I had known, I would have kited a lot more.
"Makes sense, given the banks are also insurance brokers."
No. No it does not. Brokers are agents - they sell insurance but do not write it. They do not underwrite or carry third party risk. Conversely, for many risks that you might assume they would insure against, they may choose to self-insure (i.e. just take the risk and suffer the loss). The fact that banks sell some forms of insurance to customers has no link to why they may or may not be insured by a insurer for acts of theft or criminal damage.
I work in UK banking, and yes almost all cash machines in the UK that are major bank operated are still generally Windows XP embedded.
They have no internet connection, and they are not generally permanently pinned up. They all use ISDN2e to call up huge arrays of modems generally in Banking DC's.
They only real way to crack them is physically via a USB attack or such like. So you need to gain access to the unit within the locked cage itself.
Also lots of people mentioning NHS computers. Ive also done alot of NHS work in the past, and again "Generally" the machines that are still running XP are on nhs.net which is an internal mpls network which does not have any external access. Only the internal nhs.net Intranet.
Other than hacking the machine and convincing it to spew spondooly, then a physical attack might be simpler. However (and I've no idea if it is connected) anything you could do to disable any dye pack trigger would also be great. Then you can just hack it with a pickaxe or something.
The coin deposit machine in my local HSBC branch runs XP - I know because it spectacularly crashed with virus-like red stripes on the screen just as it finishing totalling my coin deposit (luckily, I got the receipt just as it died completely).
An assistant knocked once on the wall and the machine rebooted with the XP logo in clear view. Yes, I initially thought they'd cleverly installed a reset switch in the wall, but it turns out that there was a back office behind the wall and when someone knocks on the wall, a human operator does a reboot (probably a power cycle?) because it obviously crashes so often.
I got involved in the building and commissioning of a jewellery store some years ago. I happened to be on site when the display cases arrived. The builders were saying "FFS be careful, don't want any dents in these!" The member of staff showing me around smiled and said he thought there wasn't much chance of that happening as they were designed to withstand an armed robbery.
they just: ~
# Pump in some gas then ignite it and it blows the ATM out of the wall;
# Tie a rope around it and then to their 4WD four wheel drive and rip it out dragging it from the shopping mall;
# Stick a false front on it and collect your pin and card info then rip off your & other peoples money in the accounts;
Biting the hand that feeds IT © 1998–2018