Is anyone surprised.
These boxes have a very long life.
That said tracking who accesses them should be easy as the list should be quite short.
But probably is not as short as people think, or as well maintained as they expect.
Weighing in at 800kg secondhand, freestanding ATMs - a “safe with a computer on top” - are a logistical nightmare to own and research, security boffin Leigh-Anne Galloway warned delegates at the BSides Manchester infosec conference yesterday. b sides manchester talk on ATM. scrren grab from video Security boffin Leigh-Anne …
Any device that can be access without 2FA should have its insurance cover revoked.
Of course, as modern devices have got more secure the crooks have gone low tech and now just blow them open. Hence, the banks none too subtle attempts to put people off cash. Because contactless payment systems can't be hacked…
The cat is the sidekick, secretly reprogramming the ATM by night when nobody is watching in order to ensure the Rise of the Feline Race.
Feh. Cat are too lazy to write code.
All bow before IronClaw the 1st !
Cats already expect this. They were, are, and will continue to be, severely dissapointed.
I saw some program a while back that did exactly that. They set up a fake ATM in the middle of the high street, with someone just sat inside it. People went up to it, they "cloned" the card and then spat the card out with an error on the screen.
People were then shown how it was done.
The idea was to not trust any old ATM
I remember an episode the 'The Real Hustle" from a few years ago where they set up a fake ATM consisting of a laptop connected to a card reader and keypad housed inside a large box on a busy street and the amount of people who would just come along and put in their card and pin and when it threw up an error just walk away and go to use another.
There are even companies that turn up to festivals and other pop up events with trucks with a load of ATMs in the back, I whenever possible just use the ATM at the banks and no these little ones in shops, especially as they usually charge to use.
There was a warehouse in a large town to the northwest of London where ATMs of all make, size and model were simply dumped outside at the back. I used to walk past it on the way to the train station every day and every night. No security to speak of, just a sensor light.
I wrote to the company pointing out how easy it would be to obtain a genuine machine front for doctoring for nefarious purposes and asked if they felt any responsibility for the wave of ATM crime at the time. No response.
So I wrote to the council. No response.
So I wrote to the police and enclosed a photograph of the area, of the whole in the chainlink fence made with bolt croppers by the look of the cut ends and of a broken machine front where someone had unsuccessfully tried to remove one. Within a month the yard was cleared of all but the skips full of scrap metal and the whole site had CCTV, IR alarms and a dog patrol.
I just get some cash when I buy groceries. I never use an ATM. Why should I? I always carry enough cash in my pocket to buy what I will most likely need the next week or so. When the lights go out I can still buy essentials. Local or even grid failures have happened before and will happen again.
I do not carry a wallet either. I carry an antimagnetic credit card holder with only the absolutely necessary ID and one credit/debit card, plus some tightly folded $100 bills. That in is a front pocket where it is far more difficult for a pickpocketer to pick my pocket.
I am trying to imagine a picture of a pocket with a picture of a pickpocketer taking a picture of a pickpocketer pickpocketing the pocket of a pickpocketer taking a picture of a picture of a pickpocketer picpocketing my pocket. Now, in the other pocket....
Next time you buy groceries, take a look at the cash register. Over here, there is a box with a card reader and a numeric key pad. The box connects to the cash register through a wire. The wire goes behind the register - presumably through a hidden key logger - before connecting to register somewhere dark and hard to examine.
The only way to be sure is a specialised payment device (not a phone / camera / music / video / torch / game / thermometer / web browser / Geiger counter / cat toy / address book / diary / taxi finder). The specialised device needs a display to show who is getting paid, how much (and if possible, what for) and a key pad (not a severed finger or eyeball scanner - even if almost every thief knows that a live finger is required.) The device needs a network connection, but minimal storage so there is no excuse for the TLAs to demand your pin.
Way, way, back I worked for a Canadian company who manufactured ATM sub-assemblies and accessories.
As the production supervisor I had a Master Key that would unlock all manner of these ATMs. In fact I ended up with several Master Keys (as they were emphasised in paperwork). I found a bunch of them a while back, when I was unpacking my imported personal goods.
When I returned to Canada for a brief visit, I took these Master Keys with me. Believe it or not, decades after they were first installed THEY STILL WORKED! (Opening the locked panel door is a No-No as there is an alarm microswitch attached to detect door opening.)
So not only is the software ancient, so is the hardware!
That was not the assertion by Mr. Darmore and not by me either. The question is who is more likely to be good at IT. We are all different.
Think of it this way. How many people know how to change the oil in an auto or put in new brake pads? Not many women know how to use an angle grinder but some do. Some are very good at it too. Same applies to men but the proportions are different.
Probably troll, but I'll bite...
For your information, as well as anyone else reading this, he has at no point claimed anything even remotely similar to that.
If you think I'm wrong (presumably because you read it in some "trustworthy" publication), please feel free to point out exactly where in the memo he claims that - it's online at https://firedfortruth.com/
Here's a better article that makes his main point, which is one of supply and demand.
Trigger warning: She's teaching her preteen daughter Python!
Can buy almost anything. It makes no difference how strong the box is. The easiest thing to buy is people.
Would you sleep with me for a million dolllars?
(Hesitant... ) Yes.
How about 50 dollars?
What!!!??? What do you think I am????
We have already established that. We must negotiate the price.
The reality is;
* very few ATM have an active USB port that can be accessed by cutting a hole in the front.
* Embedded XP is still supported by Microsoft
* The cut down nature of XPE also vastly reduces attack vectors
* XPE can be locked down much harder than regular XP, including booting from read only filesystem.
I've seen many people discredit their security credentials (including now it seems Leigh-Anne Galloway) by assuming XP and XPE are the same beast. Sure, they can be, but usually they are VERY different indeed.
A minimal XPe can be less than 100mb runtime and boot from read-only storage filtering out writes using a filter driver.
I'm not saying XPe is secure, but it could slot more secure than a fully patched windows10 system in certain situations.
Dutch criminals for years used gas explosions to lay their hand on the contents of ATMs. Now these are better protected, they are starting to use TNT and other high-explosives. Articles in Dutch, the photos speak for themselves.
https://www.nrc.nl/nieuws/2017/07/20/eerst-gas-toen-tnt-politie-en-plofkrakers-spelen-kat-en-muis-12139639-a1567270 Police and criminals play cat(!) and mouse.
Forklift icon please.
Arkansas chicken-farmers are only imitation rednecks. (Remember always, Slick Willy Clinton was from Arkansas...) True Rednecks(tm) use pickup trucks. http://www.nola.com/crime/index.ssf/2017/08/3_accused_of_ramming_stolen_pi.html
Texans are True Rednecks(tm), just incompetent ones. (Remember always, Boy George Bush was from Texas...)
They broke the truck while stealing the ATM!
Oh no! Old software!!!! They are running WIN-XP!!!!! How can anyone use /old/ software, you /must/ have the new version!
Can the IT crowd who specialize in always-defective SW always in need of repair ever understand fixed function appliances? These will be working perfectly as ATM's running XP till they crumble to dust.
There is *no* reason to change to the newest OS, none. They are on VPN's and not on the Internet. They don't need to support some new application or anything new. They run as ATM's, period.
Look at the attacks on ATMs, the compromises in the article? Any have anything to do with XP?
About 6 or 7 years ago now, here in darkest Southern California, I was waiting in line for an ATM from a major American retail bank chain. The person in front of me appeared to be having problems and walked away in disgust. As they did so I could see the ATM had crashed and was rebooting.
At the time, never having worked in banking, I had naively assumed a modern ATM would just be a thin terminal of some kind with a custom hardware link to the cash dispensing machinery. However not only could I see this was a regular PC from the BIOS POST but that the OS it was booting was not any version of Windows at all, XP or otherwise. It was running IBM OS/2. It was not even OS/2 Warp!
This floored me for a minute until I understood the sheer brilliance of this. Whilst I don't doubt there are plenty of vulnerabilities in this dinosaur oddity of an OS where would go to you get hacking tools for it? Could you even setup a OS/2 VM to test against it on a modern hypervisor?
I worked for Siemens in the late 90's and early 00's and they won a contract to supply ATM's for Barclays. The safe is damn strong, but the PC that operates the rest is readily accessible. Pretty flimsy lock and the whole backside opens and not really much security for the important bit. The PC unlocked with a few torx screws and could be removed in less than minute. I was also entrusted to make sure the various anti vandal systems worked. This involved me tapping a tack hammer on the keypad, camera/card guard, to ensure the robustness against the criminal hordes. I got through a lot of keypads, cash flaps, screens and was eventually told to cease tests....Apparently I was too heavy handed. A real criminal wouldn't resort to such measures...... I still see a few in service from time to time, so pushing 16 to 17 years old now. Probably still running NT and a Pentium III.
Biting the hand that feeds IT © 1998–2019