back to article It's 2015 and ATMs don't know when a daughterboard is breaking them

Carders have jackpotted an ATM by inserting a circuit board into the USB ports of an ATM, tricking it into spitting out cash. The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the …

  1. Fihart

    First rule

    Only use ATMs within bank branches -- more likely that bad guys would be spotted fiddling with the machine.

    1. Anonymous Coward
      Anonymous Coward

      Re: First rule

      If you're in the branch, why not just walk up to the human behind the counter and have a chat while you withdraw some cash?

      1. Arbee

        Re: First rule

        Mostly because it's a waste of everyone's time - yours, the cashiers, and everyone behind you in the queue.

        1. AndrueC Silver badge
          Thumb Up

          Re: First rule

          Mostly because it's a waste of everyone's time

          I agree but I've taken that a bit further and hardly ever use cash(*). At a guess I have to get some twice or maybe three times a year. Even then I usually get it from colleagues by offering to put the Friday lunch bill on my plastic if they give me their paper :)

          (*)That was a problem for a while because I almost completely ran out of coins to put in parking meters but then someone invented pay by phone and now that doesn't matter(**).

          (**)Although I wish they'd agree on a single app for all car parks to use and there is small additional charge for the service.

          1. Alan Brown Silver badge

            Re: First rule

            (**)Although I wish they'd agree on a single app for all car parks to use and there is small additional charge for the service.

            You'll be happy to know that in Brent (North London), there's a 25% discount for using pay-by-phone (and a 03 number to call), which shows the hollowness of the "costs extra to use the service" mentality (which is hypocritical given that I've run into a number of council carparks in east london where the walk-up terminals are all dead and the ONLY way to pay is by phone, on 087 numbers with an added "convenience charge")

      2. John Sager

        Re: First rule

        I went into my bank (Barclays) before Christmas to discover those nice people behind the counter had morphed into a row of terminals along the wall. This is the main branch in a decent-sized town. It is possible to talk to a real human to effect some transactions, but no longer to get hold of real folding stuff, it seems. I think my local country town branch still has real human tellers but for how long?

        1. Chris G Silver badge

          Re: First rule

          Braclay's Bonk only have humans in the branch to tell people how to use the machines, they never liked people anyway ( their money is OK though) so expect to see less and less humans in their branches other than customers

          1. Fred Dibnah Silver badge

            Re: First rule

            Have an upvote for the Spike Milligna reference :-)

          2. Amorous Cowherder
            Facepalm

            Re: First rule

            The same "Braclay's" that in 2015 still insist you fill in a paying in slip for any amount or type of deposit! The same "Braclay's" that bought Woolwich, a typical building society that let you walk in and simply deposit money using your bank card well over 15 years ago!

            Consistency in service and customer ease-of-use, yeah we've heard of them.

            1. Number6

              Re: First rule

              The same "Braclay's" that in 2015 still insist you fill in a paying in slip for any amount or type of deposit!

              That must be branch-related. Last time I deposited a cheque (might even have been late 2013), I just handed over the cheque and they got the account details from my ATM card.

            2. Anonymous Coward
              Anonymous Coward

              Re: First rule

              No, not the same one. It must be a different "Braclays" because the one I think you meant doesn't.

              Though of course if you choose to fill one in, most banks will still take it from you.

          3. Number6

            Re: First rule

            Most of what I need from a bank I can do on-line, the only times I've been in a UK bank branch over the past five years were to pay in a cheque (which I could probably have put in the post) and to close an account ("Leaving the country" is a real good reason to give and stops most customer-retention pitches in their tracks).

      3. Gunnar Wolf

        Re: First rule

        In Mexico, if you make a withdrawal for less than your daily ATM allowance, a commission is charged.

        Of course, I'd be happier if that commission was bonified to the poor sod-behind-the-counter's salary, which I don't expect to be very big.

    2. Anonymous Coward
      WTF?

      Re: First rule

      Good idea....now a) can you tell me what branches are open at 8pm on a Sunday and b) can you give me the cash for the petrol and parking to get to my nearest branch in the next town, 5 miles away?

    3. Anonymous Coward
      Anonymous Coward

      Re: First rule

      Really?

      I'm afraid not. I've attended plenty of calls with branch machines that have been compromised.

    4. Alan Brown Silver badge

      Re: First rule

      "Only use ATMs within bank branches -- more likely that bad guys would be spotted fiddling with the machine."

      I can recall several instances of foyer ATMs being tampered with overnight and the bad guys removing the stuff in the morning. (Blurry) CCTV footage being posted to try and identify the culprits.

      Just because they got spotted doesn't mean they didn't get away with it.

  2. Tchou
    WTF?

    ATM have USB ports open to everyone?

    1. Adam 1 Silver badge

      No, but the level of protection around the section housing the computer innards is nowhere near the safe/cash drawer.

      Search on YouTube for Barnaby jack. He demonstrates a walkup attack.

      1. Adam 1 Silver badge

        Hey, I am not defending them, just pointing out the real world problem. I am sure the newer machines have some sort of counter measures (like how server class machines have alarms that record when the case is open, wouldn't be too hard to do the same when the service door was opened).

        My guess is that the bean counters figured that the countermeasures would cost more to retrofit than they will lose to these sort of scams.

        1. Alan Brown Silver badge

          " I am sure the newer machines have some sort of counter measures"

          The older (1980s) OS/2 or older-hardware machines had alarm switches on all doors and a set of trembler switches.

          Most of these attacks aren't on bank-style ATMs, they're on the cheap'n'nasty freestanding devices used in convenience stores, etc. The only security they have for the electronics is a thin plastic sheet and even the cash security is a fairly low-grade safe (filled by shop employees at the start of the day, not security guards)

    2. tony2heads
      WTF?

      indeed WTF

      It is perfectly possible to disable USB on a computer, so why not do that??

      1. Phil W

        Re: indeed WTF

        Likely because the USB is sometimes needed for update/diagnostic purposes.

        However I'm sure it would be quite practical to make sure it is positioned in such a way as not to be so readily accessible for instance to the rear of the machine which is often inside a secure room where the refilling is done.

        1. theOtherJT

          Re: indeed WTF

          But then you have a technician with some sort of secure login credentials for the machine who can turn the things back on again as needed.

          I mean isn't basically the first step in secure systems "Disable / remove _everything_ you don't absolutely need" ?

          1. Anonymous Coward
            Anonymous Coward

            Re: indeed WTF

            Re: disabling USB

            My understanding is that the USB port is used by a technician to do maintenance/diagnostics on the ATM. Disabling the port may turn all ATM repairs into "swap unit and return to base for repair".

            1. Anonymous Coward
              Anonymous Coward

              Re: indeed WTF

              My understanding is that the USB port is used by a technician to do maintenance/diagnostics on the ATM. Disabling the port may turn all ATM repairs into "swap unit and return to base for repair".

              That actually may not be such a silly idea for stand-alone units. Wheel a new machine in, swap the cash drawer over, wheel the old machine out. The downside to this is it'll add to the cost of maintenance.

              It's still a problem for in-wall mounted units however. Really these are machines that should not have wide-open USB ports: at the very least they should only be enabled when in maintenance mode, and even then, restricted in what kinds of device can be connected.

              The fact that they are so wide open, and the fact they often run ancient consumer OSes (once upon a time, OS/2, today Windows NT 5.0/5.1) tells me they're not serious about tackling the security problem.

              Thankfully, my bank account is old enough to have a reasonably secure and old-fashioned alternative: a passbook. I'll just use that until such time as circumstance forces me to change.

    3. Steve Graham
      Devil

      Yes! And they run Windows XP! (usually)

  3. Ashton Black

    How come...

    USB? Why not a proprietary connection? I know it's not totally secure, but at least it's not "universal." Additionally, surely it's only authorised repair / maint people who connect to this? If so, why not white list their hardware IDs?. Again, not totally secure, but it's a start.

    1. JimmyPage Silver badge
      FAIL

      Re: How come... USB ~?

      Because it's cheap ?

    2. Tchou
      Joke

      Re: How come...

      Are you saying Apple got it right?

      1. TitterYeNot
        Coat

        Re: How come...

        "Are you saying Apple got it right?"

        Introducing the Apple iATM.

        Totally secure, because nothing else can connect to it.

        So simple to use. The 30% transaction fee hurts a bit, but you're worth it...

        1. BristolBachelor Gold badge
          Joke

          Re: How come... Re: Apple iATM

          "So simple to use. The 30% transaction fee hurts a bit, but you're worth it..."

          Yes, with only 3 options because they don't believe that the users will be able to know what they are doing or be capable of making decisions:

          1. Give me cash (Withdrawl of £1000; no need to enter a quantity)

          2. Change my pin (To a number chosen by the machine; no need to decide on a number)

          3. Automatically pay all my bills (Pays all of them; no need to say which. Guesses your supplier references so you don't have to enter them; tough if it pays your neighbours' bills)

          If the options that they have deigned to give you are not to your tastes; then your taste is wrong.

      2. Anonymous Coward
        Anonymous Coward

        Re: How come...

        Firewire is DMA, great for performance but worse for security.

    3. Adam 1 Silver badge

      Re: How come...

      If the alternative is FireWire then USB is definitely more secure (can't bypass OS and read all RAM directly)

  4. Helena Handcart
    Childcatcher

    Outdated stereotypes

    No wonder ATM security is poor if the head of security pictures criminals as fat, cigar-smoking, kingpins calling themselves Mr Big who talk like 1930s gangsters. Now, where's my Tommy gun?

    1. Ashton Black

      Re: Outdated stereotypes

      "Hey yous guys, ged oudda here or I'll plug ya full a lead!"

      1. Crisp Silver badge
        Coat

        Re: Outdated stereotypes

        Frankie, ya broke the unwritten law. Ya ratted on your friends. You do that, Frankie, your enemies don't respect ya. You got no friends no more. You got nobody ...

  5. foxyshadis

    It's hard to feel sorry for the victims

    In this case, it really is like a drunk man walking down a seedy neighborhood waving money around, only in this case he blindfolded himself and covered his ears. It's not like banks don't have any money to upgrade and secure their systems, they just don't care, so neither do I.

    1. Badvok

      Re: It's hard to feel sorry for the victims

      You should care, like in 99% of business, it is you the consumer who actually pays the price, not the bank.

    2. Amorous Cowherder

      Re: It's hard to feel sorry for the victims

      You realise any losses the bank incurs are recouped one way or another through you being a customer?Something as simple as creaming off a small percentage from the interest they earn from your deposits, interest that should in your pocket. Just keep the interest rate down enough on the accounts so when they do incur some stupid fine or loses from dodgy equipment like ATMs, they'll just cream it off what they'd pay their customers.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's hard to feel sorry for the victims

        "You realise any losses the bank incurs are recouped one way or another through you being a customer?"

        To an extent. Or they just get the government to bail them out, and keep paying the obscene bonuses typical in financial disservices.

        But when the banks' crooked City gamblers repeatedly get fined billions by regulators for an ever changing kaleidoscope of new and novel frauds, and they then repeatedly stuff customers, shareholders, or the state with all the losses, they don't need to change their rancid, thieving culture, so why worry about a few tens of millions in ATM or card fraud?

  6. JimmyPage Silver badge

    2014 - our most cashless year ever ?

    Brief chat with MrsJP, and we *think* the last time we "got any cash out" (i.e. cashback !) was a month ago. We still have the remains of it in our wallets. The only thing it gets used for nowdays is the Friday night chippy meal (and I suspect they take switch, if you ask - just nobody does).

    Bad news for charity bucket slingers, I'm afraid.

    Anyway, back to the story ... I'd be fascinated to know (but not so fascinated I actually Google it) whether cashpoint use in the UK is increasing, declining, or steady. Especially since banks must really hate them when they aren't replacing staff.

    1. Anonymous Coward
      Anonymous Coward

      Re: 2014 - our most cashless year ever ?

      I find I'm using more and more cash. I suppose I'm getting a bit more paranoid about being tracked in this day and age. not having a phone with GPS also helps sty under the radar a bit more.

      Every electronic transaction leaves a footprint behind. With cash, you are anonymous like this post.

    2. Anonymous Coward
      Unhappy

      Re: 2014 - our most cashless year ever ?

      Until you have TWO, yes TWO cards cloned at the same chain of petrol station 3 miles apart

  7. Jagged

    Beer Tokens

    I still make regular and frequent use of beer tokens.

    ps: anyone know if its possible to get banks to disable payment-by-bonk on your card?

    1. sabroni Silver badge

      Re: anyone know if its possible to get banks to disable payment-by-bonk on your card?

      I asked for a card without it and they told me very politely to fuck off, so I doubt it.

      1. Steve Davies 3 Silver badge

        Re: anyone know if its possible to get banks to disable payment-by-bonk on your card?

        There are RFID Blocking Wallets available you know. Otherwise wrap the card in cooking foil until you want to use it.

    2. DainB Bronze badge

      Re: Beer Tokens

      Just hold it over the light and cut printed antenna tracks.

    3. Martin-73 Silver badge

      Re: Beer Tokens

      No but you're able to disable the feature if you don't trust your inebriated self not to use it

    4. Siberian Hamster

      Re: Beer Tokens

      I received a new card from Barclays Blank a year or so ago with the contact-less payment on so toddled off to my local branch where the conversation went something like this;

      <me> I'd like a replacement card without the contact-less payment please.

      <zombie> I'm sorry sir all our cards will be having these from now on.

      <me> I'd like to close my account please.

      <zombie> Let me see what I can do sir.

      (returns after ~5 mins)

      <zombie> We can help you out sir.

      <me> Excellent, thanks.

      <zombie> We can turn your account into a restricted one and issue you with a new card without the contact-less payment.

      <me> I'd like to close my account please.

      <zombie> (returns after 2 mins) We can issue you with a replacement card sir.

      <me> Thanks bye.

    5. techmind

      Re: Beer Tokens

      Lloyds Bank were very happy to provide me with a card without NFC. I just walked into my branch and asked; a few days later it arrived.

    6. Anonymous Coward
      Anonymous Coward

      Re: Beer Tokens

      > ps: anyone know if its possible to get banks to disable payment-by-bonk on your card?

      Depends on the bank.

      I have one with a well known credit card company - think about a sidekick called Boff. I've asked for sans-bonk and they've refused - so I've pointed out to them that I don't, and won't ever, carry it. It gets used occasionally for online purchases but nothing more. I made a point of stating that their "guarantee" was in fact worthless - I know someone who had a card cloned and the "guarantee" certainly didn't mean he didn't have to live for a month with no money because the crooks had emptied his account up to max overdraft just after payday, and it certainly didn't mean he didn't have to "prove" it wasn't him who made every disputed transaction.

      On the other hand, I have a card with another bank. Now there's a tale of inefficiency and waste ! They detected fraudulent transactions, contacted me*, determined it wasn't me and cancelled the card. I asked about staying sans-bonk but they couldn't do it - not outright. So I got a new card with-bonk, followed a few days later by a replacement sans-bonk card. So I had to push it, it was a load of hassle, a lot of waste on their part - but I got it.

      * And that's another one.

      What f***ing clueless retard of a security officer allows a supposedly reputable bank to call up customers and expect the customer to give up their security details to the cold caller ? The caller did get the message when I told them that I will not be giving them one bit of information unless they prove who they are, and no I won't calling back any f***ing number you give me ! Not the first time I've had to complain about this sort of asinine behaviour. Without giving up enough information to be "useful" to criminals, they wouldn't even tell me what it was about.

      So I called the bank back (using the number on the back of one of my cards), and it took "a while" to find out which account it related to and what it was about.

      1. Will Godfrey Silver badge

        Re: Beer Tokens

        Seem to be lots of variations.

        When I got sent a new card I went into my branch of Barclays and simply told them I wanted a non NFC and they issued it straight away.

    7. Alan Brown Silver badge

      Re: Beer Tokens

      "anyone know if its possible to get banks to disable payment-by-bonk on your card?"

      2-4 seconds in the microwave will do the trick.

  8. Dale 3

    Free-standing ATM

    Gotta love the concept of a free-standing ATM. No need to break into the machine, just nick the whole machine and open it at your leisure. This was done a good many years ago in South Africa, involving an ATM inside the police headquarters of all places. I imagine a couple of guys with yellow jackets walked in and wheeled it out without anyone asking any questions.

    1. Ralara

      Re: Free-standing ATM

      well they have tracking devices in them now.

      1. Doctor Syntax Silver badge

        Re: Free-standing ATM

        "well they have tracking devices in them now."

        Good idea! It makes it easier to recover them so they can be refilled.

    2. Fiddler on the roof

      Re: Free-standing ATM

      There's a great episode of Breaking Bad where this happens :)

  9. J.G.Harston Silver badge

    Errr.... surely this depends on the crims being able to jemmy open the ATM case without anybody noticing.

    1. Amorous Cowherder

      Or the money ( or said crim ) get sprayed with indelible dye!

  10. Anonymous Coward
    Anonymous Coward

    Why do......

    People still use cash? It's 2015. What do you need cash for?

    A: Pay by card at the till

    B: Bank transfer via mobile app or bonk if applicable

    C: Online payments for goods / services

    Fuck, even my window cleaner takes his £4 visit via bank transfer.

    1. DavCrav Silver badge

      Re: Why do......

      "Fuck, even my window cleaner takes his £4 visit via bank transfer."

      Mine takes his £2.50 by cash only. Although if I gave him £4 like you do he might be fine with Faster Payments...

  11. Geoffrey Thomas

    Contactless crap

    HSBC sent my wife a replacement bonk card, immediately phoned up and said we don't want it and cancel the one you're about to send me and send two normal cards, please. Surprisingly easy, new non-bonk cards in the post within a few days. Very rarely am I amazed, these days.....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019