Want to hack a hole-in-the-wall cash machine for free dosh? It's as easy as Windows XP

ATM machines are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash. This according to researchers at Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would …

  1. Borg.King

    Re: "ATM machine"

    Is that where you enter your Personal Identification Number number?

    Then you can get your hands on all that cash money.

  2. Goldmember

    Re: "ATM machine"

    Believe it or not, earlier this year I got a letter from Natwest which stated that the "PIN Number" for my new card was on its way.

    It seems the term has become de facto (or maybe they got the intern to write the letters that week).

  3. JBFromOZ

    Re: "ATM machine"

    at last... someone asking the IMPORTANT questions

  4. arctic_haze Silver badge

    The banks don't care

    It is peanuts for them and they are most probably insured, anyway.

  5. Glen 1 Bronze badge

    Re: The banks don't care

    Re: insurance

    It is the insurer's job to not pay out if they legally can.

    "Did you know about these faults"

    Comes under the same heading as

    "Did you give anyone else your pin"

    And

    "Did you pack these bags yourself"

  6. Ken Moorhouse Silver badge

    Re: insurance

    I used to use the automatic deposit machines in bank branches to deposit cheques.

    Until...

    I got a letter from the bank asking me to check whether deposits I had made on a specific date had appeared as such in my account. They hadn't, so I rang the bank to ask why not. Turns out that the bank had been robbed that day after my visit.

    I was told to contact the payees and get them to send me the cheques again. "Are you kidding? It took a lot of effort to get one or two of those customers to write those cheques out the first time, let alone again."

    "Surely you are insured against this kind of thing, in any case?"

    Apparently not, or that was what I was told.

    In the end they compromised by agreeing to write to my customers on my behalf.

    After that experience: no more using the automated deposit machines.

    (I did succumb once, since then, queuing up one day I was persuaded to use one of their super-duper new machines which printed images of the payments onto the receipt slip which proves the deposit has been made. How could they possibly get that wrong?

    Would you believe it but the slip I received showed the deposit had been made at a different branch to the one I was in?! There was a day's delay before that credit appeared on my account - which I complained about).

  7. Roland6 Silver badge

    Re: insurance

    >"Surely you are insured against this kind of thing, in any case?"

    >Apparently not, or that was what I was told.

    Makes sense, given the banks are also insurance brokers.

    What is the likelihood of an ATM being attacked and if it is compromised: how long before someone (at the bank) spots it, what is the potential loss and whose loss is it?

  8. ICPurvis47

    Re: insurance

    Soon after we were married, and were very hard up, we went to the local supermarket (Bishop's) and bought the absolute minimum amount of food to get us through. The checkout came to £10 approximately, so I wrote a cheque and we took our shopping back to the car park and thence home. A few days later, I received a letter from Bishop's telling me that they had been robbed, and that my cheque was in the cash bag that had been stolen. They then asked me to re-issue the cheque to cover their loss. I replied that I would not do so, as I had completed the transaction in good faith, and that I was not responsible for what they did (or did not do) with that cheque subsequently. I posed the question that, if I had been mugged in the car park, and our £10 worth of groceries had been stolen, would they have expected to allow me to replace those stolen goods for free? I think not. The cheque was never presented, and we never heard any more about the matter. My only regret was that it was only £10, if I had known, I would have kited a lot more.

  9. whileI'mhere

    Re: insurance

    "Makes sense, given the banks are also insurance brokers."

    No. No it does not. Brokers are agents - they sell insurance but do not write it. They do not underwrite or carry third party risk. Conversely, for many risks that you might assume they would insure against, they may choose to self-insure (i.e. just take the risk and suffer the loss). The fact that banks sell some forms of insurance to customers has no link to why they may or may not be insured by an insurer for acts of theft or criminal damage.

  10. entfe001

    About the article picture...

    This does not look like an ATM at all. It actually is identical to a Barcelona tramway ticket machine. I would even dare to say the picture was taken at Wellington tram stop.

  11. Ken Moorhouse Silver badge

    Re: the picture was taken at Wellington tram stop.

    That machine is notorious for taking a long time to boot up.

  12. TheWeddingPhotographer

    Same story different year

    The real eye opener is that this is not new news

    It's the same for lots of critical systems... hospital scanners etc etc

  13. HWwiz

    Physical security.

    I work in UK banking, and yes almost all cash machines in the UK that are major bank operated are still generally Windows XP embedded.

    They have no internet connection, and they are not generally permanently pinned up. They all use ISDN2e to call up huge arrays of modems generally in Banking DC's.

    The only real way to crack them is physically via a USB attack or such like. So you need to gain access to the unit within the locked cage itself.

    Also lots of people mentioning NHS computers. I've also done a lot of NHS work in the past, and again "Generally" the machines that are still running XP are on nhs.net which is an internal MPLS network which does not have any external access. Only the internal nhs.net Intranet.

  14. spold Bronze badge

    Combined attack

    Other than hacking the machine and convincing it to spew spondooly, then a physical attack might be simpler. However (and I've no idea if it is connected) anything you could do to disable any dye pack trigger would also be great. Then you can just hack it with a pickaxe or something.

  15. HildyJ

    They never should have abandoned OS/2

  16. jake Silver badge

    Who is "they", Kemosabe?

    "We" haven't abandoned OS/2. See http://www.ecomstation.com and/or https://www.arcanoae.com/ for more.

  17. silks

    Security by obscurity there! #OS/2

  18. Richard Lloyd

    Knock once for reboot...

    The coin deposit machine in my local HSBC branch runs XP - I know because it spectacularly crashed with virus-like red stripes on the screen just as it was finishing totalling my coin deposit (luckily, I got the receipt just as it died completely).

    An assistant knocked once on the wall and the machine rebooted with the XP logo in clear view. Yes, I initially thought they'd cleverly installed a reset switch in the wall, but it turns out that there was a back office behind the wall and when someone knocks on the wall, a human operator does a reboot (probably a power cycle?) because it obviously crashes so often.

  19. NiceCuppaTea

    First sentence pissed me off more than it should

    ATM Machine? WTF that's almost as bad as PIN Number.

    Automated teller Machine Machine and Personal Identification Number Number

    grrrrr....... that is all.

  20. Martin 59

    Re: First sentence pissed me off more than it should

    It's called RAS syndrome, if it gives you a headache I recommend some NSAID drugs.

  21. Christian Berger Silver badge

    One has to consider that such systems are somewhat different in the US

    In Europe one central idea is to have the computer itself inside physical protection, so you shouldn't be able to get to any ports.

  22. jake Silver badge

    Re: One has to consider that such systems are somewhat different in the US

    And that's different from the boxes in the US ... how, exactly?

  23. Ken Moorhouse Silver badge

    Secure boxes

    I got involved in the building and commissioning of a jewellery store some years ago. I happened to be on site when the display cases arrived. The builders were saying "FFS be careful, don't want any dents in these!" The member of staff showing me around smiled and said he thought there wasn't much chance of that happening as they were designed to withstand an armed robbery.

  24. Obesrver1

    Thieves don't care...

    they just: ~

    # Pump in some gas then ignite it and it blows the ATM out of the wall;

    # Tie a rope around it and then to their 4WD four wheel drive and rip it out dragging it from the shopping mall;

    # Stick a false front on it and collect your pin and card info then rip off your & other people's money in the accounts;

    #.......


Biting the hand that feeds IT © 1998–2018