German ATM displays bank’s network config data to infosec bod

A chance finding by a German security researcher has revealed ATMs run by German Bank Sparkasse leaked potentially sensitive information during a software update. Benjamin Kunz-Mejri, chief exec and founder of Germany-based security firm Vulnerability Lab, came across the problem when he unsuccessfully attempted to use his …

  1. John G Imrie Silver badge

    Golden rule of ATMs

    The keyboard and buttons on the front of an ATM must only be usable during normal operation for specified known functions.

    1. Anonymous Coward

      Re: Golden rule of ATMs

      The user terminal(s) and the system console should be separate pieces of hardware. Maintenance should only be possible in single user mode from the system console. The system console should be located in a physically secure location.

      Unix boxes had all this figured out at least 100 years ago.

      1. GX5000

        Re: Golden rule of ATMs

        Let's not get carried away here, 1973 was not over a hundred years ago....

        Happy Friday !

    2. BillG Silver badge
      IT Angle

      Re: Golden rule of ATMs

      In the Windows-based ATMs I'm familiar with, system functions are only available from interfaces on the back of the unit, never on the customer side.

      However, as I understand it, there are custom ATM systems (not Windows or Linux) that violate this rule.

    3. big_D Silver badge

      Re: Golden rule of ATMs

      That is too technical for thieves over here, in Germany. They just fill the ATMs up with gas and let them blow up, then they run off with the money...

      Somewhere around 70 attacks this year, I think (report on German TV on Wednesday).

      They are now starting to upgrade the machines with dye packets, to colour the money in the event of an explosion...

  2. TechnoTechno
    Joke

    Dollars?

    From a German ATM?

    When did the bailout happen...!

    1. BlartVersenwaldIII
      Coat

      Re: Dollars?

      It was actually reporting denominations in Thalers rather than dollars, as an NTP exploit setting the system year back to 1857 has clearly been used.

      I'm going to run the same attack against a UK machine and I'll get me a groat.

  3. Your alien overlord - fear me

    Didn't know ATMs had a ctrl, alt and Del button? Is that German bank specific?

  4. Anonymous Coward

    Hold them accountable

    It's imperative that technicians be held accountable for these serious security breaches. A slap on the wrist is unacceptable punishment and not a real deterrent to other techs who through their negligence expose millions of people to security issues.

    1. Dan 55 Silver badge

      Re: Hold them accountable

      Whoever said there was no money for that kind of stuff should be held accountable.

      The problem is that's going to be the analyst who wrote the document, not the manager he talked to in the corridor.

  5. Doctor Syntax Silver badge

    "Bank Sparkasse has reportedly pushed out updates that fix the issue"

    Presumably they became vulnerable again during the update.

  6. Valeyard

    front screen diags

    there is actually also a rear screen to ATMs (a small lcd affair, usually for hardware peripheral checks though) and a separate full qwerty keyboard.

    and since it's an actual PC, a monitor port

    there shouldn't be anything not related to performing basic actions on an account that should show on the front screen

    but i worked in a bank and performed a lot of daily ATM duties, and i've seen how this wasn't exactly a consideration

  7. Jonathan Knight
    Happy

    Has the Euro been replaced?

    I notice that this German ATM machine appears to be handing out $100 bills. Has the Euro crashed completely while I've been at work?

    1. Mpeler
      Paris Hilton

      Re: Has the Euro been replaced?

      No, actually it's the US Dollar that has crashed, leaving it with such little value that it's cheaper than the cleaning tissues they would normally use.....

      Paris, because it looks like she's overdrawn either way..... (gets me coat and instant teller card).....

      1. fidodogbreath Silver badge
        Devil

        Re: Has the Euro been replaced?

        > No, actually it's the US Dollar that has crashed

        President Trump will build a wall between the Euro and the dollar, and he'll make you furriners in Yurp pay for it, and you'll be happy to do it because he makes the best deals.

    2. fidodogbreath Silver badge
      Facepalm

      Re: Has the Euro been replaced?

      Perhaps the spark-a$$ banks have caused another financial crisis.

  8. JoeF

    I had to laugh at the "Bank Sparkasse" term. That shows that the writer of the piece at SecurityWeek has never lived in Germany.

    Sparkasse is a generic term and means "Savings and Loans". German S&Ls are generally locally-owned organizations loosely organized under an umbrella group.

    So, each city has one or more different Sparkasse organizations. There is no one "Bank Sparkasse."

  9. 404 Silver badge

    Crazy...

    Who/why would somebody design an ATM like that? Even my godforsakenly secure CF-53 Toughbook won't say 'Boo!' without a BIOS/hard drive password*. Mebbe Panasonic should make voting machines & ATMs...

    *Sad torrid story concerning my 5-year-warrantied baby, a $100 4GB RAM upgrade at a 'Panasonic Authorized Service' computer store, a suddenly missing owner, suddenly missing money, a deputy sheriff handing me my partially disassembled Toughbook, a bag of parts, a 2 month possession of half the dining room table, eventual successful assembly, encountering lockout, overnighted box from Panasonic NSC, and week later evening phone call requesting $800+ to finish RAM install. Final chapters not written yet, have a phone call to make, maybe several. /sigh


Biting the hand that feeds IT © 1998–2019