back to article What weighs 800kg and runs Windows XP? How to buy an ATM for fun and profit

Weighing in at 800kg secondhand, freestanding ATMs - a “safe with a computer on top” - are a logistical nightmare to own and research, security boffin Leigh-Anne Galloway warned delegates at the BSides Manchester infosec conference yesterday. b sides manchester talk on ATM. scrren grab from video Security boffin Leigh-Anne …

  1. John Smith 19 Gold badge
    Unhappy

    Is anyone surprised.

    These boxes have a very long life.

    That said tracking who accesses them should be easy as the list should be quite short.

    But probably is not as short as people think, or as well maintained as they expect.

    1. 2460 Something

      Re: Is anyone surprised.

      Part of their security is limiting access of them to known people, but any of the 'mobile' ones in random shops would still have a higher number of people who have physical access to the box, and I'm sure given enough time....

    2. Charlie Clark Silver badge

      Re: Is anyone surprised.

      Any device that can be access without 2FA should have its insurance cover revoked.

      Of course, as modern devices have got more secure the crooks have gone low tech and now just blow them open. Hence, the banks none too subtle attempts to put people off cash. Because contactless payment systems can't be hacked…

  2. hatti

    Second picture?

    Is he using stray cats as a cheaper alternative to £20 notes to test the ATM, I sincerely hope not.

    1. Pascal Monett Silver badge
      Coat

      The cat is the sidekick, secretly reprogramming the ATM by night when nobody is watching in order to ensure the Rise of the Feline Race.

      All bow before IronClaw the 1st !

      1. Nolveys Silver badge

        The cat is the sidekick,

        Isn't the cat the security researcher?

        1. ZanzibarRastapopulous

          *sigh*

          Even cats have better jobs than me...

        2. LDS Silver badge

          Isn't the cat the security researcher?

          Of course not, but you can also modify the ATM to deliver cat biscuits and then let the cat discover the way to obtain them...

      2. WolfFan Silver badge

        The cat is the sidekick, secretly reprogramming the ATM by night when nobody is watching in order to ensure the Rise of the Feline Race.

        Feh. Cat are too lazy to write code.

        All bow before IronClaw the 1st !

        Cats already expect this. They were, are, and will continue to be, severely dissapointed.

        1. Jonathan 27 Bronze badge

          You say that, but I caught my cat the other day writing JavaScript in a vain attempt to develop an automatic cat food ordering bot. If his spelling wasn't so bad I'd be up to my neck in cat food by now.

          1. Francis Boyle Silver badge

            JavaScript?

            Nonsense. Everybody knows cats only code in Purrl.

            1. TRT Silver badge

              Re: JavaScript?

              The cat is saying "Dis is computeh, so where is mouse?"

              1. arctic_haze Silver badge

                Re: JavaScript?

                >>The cat is saying "Dis is computeh, so where is mouse?"<<

                The mouse is clearly visible left of the keyboard. That leads to two conclusions:

                (a) you are clearly distracted by cats,

                (b) the lady researcher is left handed.

        2. Brad Ackerman

          Feh. Cat are too lazy to write code.

          They prefer to acquire humans to do it for them.

      3. x 7

        Back in Windows 98 days, at Time Computers, we once had a customer tell the call centre that his cat had FDISKed and FORMATed his hard drive.

        The tech offered the cat a job........."because it probably knows more than most of our staff"

    2. WolfFan Silver badge

      Re: Second picture?

      That pic is the lead-off to a new Microsoft ad campaign: "Windows, so easy to use that even a cat can use it."

    3. DNTP

      Feed me a stray cat

      Oh my god, what are you doing, stop that.

    4. Korev Silver badge
      Coat

      Re: Second picture?

      It's a cat scan, like an X-ray, but cheaper

    5. jeffdyer

      Re: Second picture?

      He?

      1. Mycho Silver badge

        Re: Second picture?

        That may actually be a war kitteh

    6. anothercynic Silver badge

      Re: Second picture?

      She. The researcher is a she.

      1. Mycho Silver badge

        Re: She. The researcher is a she.

        Some people get that completely distracted when they see a cat...

      2. Brewster's Angle Grinder Silver badge

        Re: Second picture?

        "She. The researcher is a she."

        So is the cat.

  3. Christian Berger Silver badge

    She could have put it in a public place...

    ... with a modified software that asks the user for the amount of money and the PIN.... and then just make a transfer without spitting out any money. An error message on the screen could erase any suspicion.

    1. Anonymous Coward
      Anonymous Coward

      Re: She could have put it in a public place...

      I saw some program a while back that did exactly that. They set up a fake ATM in the middle of the high street, with someone just sat inside it. People went up to it, they "cloned" the card and then spat the card out with an error on the screen.

      People were then shown how it was done.

      The idea was to not trust any old ATM

      1. edge_e
        Happy

        Re :I saw some program a while back that did exactly that

        this one by any chance?

        https://www.youtube.com/watch?v=T23gOh8ByUI

  4. samzeman
    Unhappy

    This is exactly the type of thing that causes me to not have enough money to buy this type of thing.

  5. Anonymous Coward
    Anonymous Coward

    "A trailer for Galloway’s talk, [...]"

    For a second thought they were offering a way for anyone who wants to take it away.

  6. WolfFan Silver badge

    What weighs 800kg and runs Windows XP?

    The main fire-control computers on HMS Queen Lizzie after BAE 'improved' a ThinkPad?

  7. mark l 2 Silver badge

    I remember an episode the 'The Real Hustle" from a few years ago where they set up a fake ATM consisting of a laptop connected to a card reader and keypad housed inside a large box on a busy street and the amount of people who would just come along and put in their card and pin and when it threw up an error just walk away and go to use another.

    There are even companies that turn up to festivals and other pop up events with trucks with a load of ATMs in the back, I whenever possible just use the ATM at the banks and no these little ones in shops, especially as they usually charge to use.

    1. Hans Neeson-Bumpsadese Silver badge

      I remember that episode of TRH. The crazy thing was at least one person saw the guys setting the fake ATM up, including seeing the girl climb inside with her laptop...then just politely asked when the machine would be switched on because they wanted to get some cash out.

    2. 2460 Something

      Unless absolutely stuck somewhere, I won't use an ATM unless it is fixed into the side of a building (preferably a bank). These freestanding ones just seem too accessible to ne'er-do-wells. If I have had to use one I am constantly checking my account for suspicious activity.

      1. DasWezel
        Devil

        "...too accessible to ne'er-do-wells"

        You mean banks?

        1. TRT Silver badge

          Re: "...too accessible to ne'er-do-wells"

          There was a warehouse in a large town to the northwest of London where ATMs of all make, size and model were simply dumped outside at the back. I used to walk past it on the way to the train station every day and every night. No security to speak of, just a sensor light.

          I wrote to the company pointing out how easy it would be to obtain a genuine machine front for doctoring for nefarious purposes and asked if they felt any responsibility for the wave of ATM crime at the time. No response.

          So I wrote to the council. No response.

          So I wrote to the police and enclosed a photograph of the area, of the whole in the chainlink fence made with bolt croppers by the look of the cut ends and of a broken machine front where someone had unsuccessfully tried to remove one. Within a month the yard was cleared of all but the skips full of scrap metal and the whole site had CCTV, IR alarms and a dog patrol.

          1. Wayland Bronze badge

            Re: "...too accessible to ne'er-do-wells"

            That was a bold way to make your point. You were obviously confident that you would not get caught. Well done.

    3. TheElder

      Why use an ATM?

      I just get some cash when I buy groceries. I never use an ATM. Why should I? I always carry enough cash in my pocket to buy what I will most likely need the next week or so. When the lights go out I can still buy essentials. Local or even grid failures have happened before and will happen again.

      I do not carry a wallet either. I carry an antimagnetic credit card holder with only the absolutely necessary ID and one credit/debit card, plus some tightly folded $100 bills. That in is a front pocket where it is far more difficult for a pickpocketer to pick my pocket.

      I am trying to imagine a picture of a pocket with a picture of a pickpocketer taking a picture of a pickpocketer pickpocketing the pocket of a pickpocketer taking a picture of a picture of a pickpocketer picpocketing my pocket. Now, in the other pocket....

      1. psychonaut

        Re: Why use an ATM?

        cash? eeeerrr. it makes me feel dirty, i have people to carry that for me.

      2. Flocke Kroes Silver badge

        Re: TheElder

        Next time you buy groceries, take a look at the cash register. Over here, there is a box with a card reader and a numeric key pad. The box connects to the cash register through a wire. The wire goes behind the register - presumably through a hidden key logger - before connecting to register somewhere dark and hard to examine.

        The only way to be sure is a specialised payment device (not a phone / camera / music / video / torch / game / thermometer / web browser / Geiger counter / cat toy / address book / diary / taxi finder). The specialised device needs a display to show who is getting paid, how much (and if possible, what for) and a key pad (not a severed finger or eyeball scanner - even if almost every thief knows that a live finger is required.) The device needs a network connection, but minimal storage so there is no excuse for the TLAs to demand your pin.

  8. Aladdin Sane Silver badge
    Trollface

    What weighs 800kg and runs Windows XP?

    Your mum.

    1. Hans Neeson-Bumpsadese Silver badge

      Re: What weighs 800kg and runs Windows XP?

      Genuine LOL moment there - thanks for that. Have an upvote

    2. WolfFan Silver badge

      Re: What weighs 800kg and runs Windows XP?

      Your mum.

      Mum wants a word with you, she's sensitive about her weight and you look like a harp seal. https://polarbearsinternational.org/education-center

      1. Aladdin Sane Silver badge

        Re: What weighs 800kg and runs Windows XP?

        But she's totally cool with running XP?

        1. Charlie Clark Silver badge
          Happy

          Re: What weighs 800kg and runs Windows XP?

          But she's totally cool with running XP?

          Ever since she got a machine with Windows 8 on it!

    3. Anonymous Coward
      Anonymous Coward

      Re: What weighs 800kg and runs Windows XP?

      This ones for all the mothers,

      https://www.youtube.com/watch?v=7_rBidCkJxo

    4. Snorlax
      Happy

      Re: What weighs 800kg and runs Windows XP?

      @Aladdin Sane:"Your mum"

      The single downvote was obviously from his mum.

    5. Paul Herber
      Devil

      Re: What weighs 800kg and runs Windows XP?

      "Your mum."

      Ha. Your dream robo-girlfriend who you know is so far beyond your reach!

      1. Aladdin Sane Silver badge

        Re: What weighs 800kg and runs Windows XP?

        Lies. My dream robo-girlfriend runs on RISC OS.

  9. Anonymous Coward
    Anonymous Coward

    Correction

    The security researcher’s house lair is a converted warehouse.

    FTFY. Sounds so much cooler that Cat Lady's "lair" is a warehouse.

  10. JaitcH
    WTF?

    Me? Not Surprised at All!

    Way, way, back I worked for a Canadian company who manufactured ATM sub-assemblies and accessories.

    As the production supervisor I had a Master Key that would unlock all manner of these ATMs. In fact I ended up with several Master Keys (as they were emphasised in paperwork). I found a bunch of them a while back, when I was unpacking my imported personal goods.

    When I returned to Canada for a brief visit, I took these Master Keys with me. Believe it or not, decades after they were first installed THEY STILL WORKED! (Opening the locked panel door is a No-No as there is an alarm microswitch attached to detect door opening.)

    So not only is the software ancient, so is the hardware!

  11. Potemkine! Silver badge

    So Mr Darmore, girls are not fit for IT?

    Bollocks!

    1. Anonymous Coward
      Anonymous Coward

      Re: So Mr Darmore, girls are not fit for IT?

      But straw men still seem to go far.

      1. Anonymous Coward
        Anonymous Coward

        Re: So Mr Darmore, girls are not fit for IT?

        Nope, neither. They run Windows even for systems and applications where they don't need to. Grown up companies have realised this, the NHS hasn't.

    2. TheElder

      Re: So Mr Darmore, girls are not fit for IT?

      That was not the assertion by Mr. Darmore and not by me either. The question is who is more likely to be good at IT. We are all different.

      Think of it this way. How many people know how to change the oil in an auto or put in new brake pads? Not many women know how to use an angle grinder but some do. Some are very good at it too. Same applies to men but the proportions are different.

      1. TheElder

        Re: So Mr Darmore, girls are not fit for IT?

        I am testing to see how many women are reading this.

        So far it appears to be less than 10 percent, including previous comments. I studied psychology at Berkeley.

        1. toxicdragon
          Mushroom

          Re: So Mr Darmore, girls are not fit for IT?

          You want comments from women? OK. Fuck off, you don't speak for me.

          1. psychonaut
            Joke

            Re: So Mr Darmore, girls are not fit for IT?

            theelder....clearly the wrong time of the month to ask that question there...

            toxicdragon its a joke! fuck! a joke. look at the icon. dont kill me please!

    3. patrickstar

      Re: So Mr Darmore, girls are not fit for IT?

      Probably troll, but I'll bite...

      For your information, as well as anyone else reading this, he has at no point claimed anything even remotely similar to that.

      If you think I'm wrong (presumably because you read it in some "trustworthy" publication), please feel free to point out exactly where in the memo he claims that - it's online at https://firedfortruth.com/

      1. Mycho Silver badge

        Re: So Mr Darmore, girls are not fit for IT?

        Here's a better article that makes his main point, which is one of supply and demand.

        I’m An Ex-Google Woman Tech Leader And I’m Sick Of Our Approach To Diversity!

        Trigger warning: She's teaching her preteen daughter Python!

  12. TheElder

    Money

    Can buy almost anything. It makes no difference how strong the box is. The easiest thing to buy is people.

    Would you sleep with me for a million dolllars?

    (Hesitant... ) Yes.

    How about 50 dollars?

    What!!!??? What do you think I am????

    We have already established that. We must negotiate the price.

    1. Floydian Slip
      Holmes

      Re: Money

      OK Mr Churchill - that's the great war leader not the f'ing fake dog "oh yes"

    2. TheElder

      Re: Money

      Somebody has a guilty mind. I did not mention gender.

      More data points for my testing.

  13. Anonymous Coward
    Anonymous Coward

    What weighs 800kg and runs Windows XP?

    My knob.

    1. Aladdin Sane Silver badge

      Re: What weighs 800kg and runs Windows XP?

      It's riddled with bugs and malware?

      1. Mycho Silver badge

        Re: What weighs 800kg and runs Windows XP?

        Virus protection is needed!

        1. TheElder

          Virus protection is needed!

          There are something like 10^10 viruses per litre of seawater.

          More than 7.5 billion humans. We are teaching children how to code.

          It does not seem promising...

          1. psychonaut

            Re: Virus protection is needed!

            isnt that something to do with all the Seamen?

  14. malle-herbert Silver badge
    Trollface

    Or...

    You can make it run Doom ...

  15. TRT Silver badge

    800kg? What's that in Reg units?

    Or pounds. Or would that be confusing?

    1. Mycho Silver badge

      Re: 800kg? What's that in Reg units?

      It's almost 0.9 great white sharks.

      Converter

  16. Kevin McMurtrie Silver badge
    Thumb Up

    Yep, that's a hacker

    Hulking steel computer powered up in the rain, in a puddle, with live animals, but on a piece scrap wood for safety.

  17. Anonymous Coward
    Anonymous Coward

    Scare story

    The reality is;

    * very few ATM have an active USB port that can be accessed by cutting a hole in the front.

    * Embedded XP is still supported by Microsoft

    * The cut down nature of XPE also vastly reduces attack vectors

    * XPE can be locked down much harder than regular XP, including booting from read only filesystem.

    I've seen many people discredit their security credentials (including now it seems Leigh-Anne Galloway) by assuming XP and XPE are the same beast. Sure, they can be, but usually they are VERY different indeed.

    A minimal XPe can be less than 100mb runtime and boot from read-only storage filtering out writes using a filter driver.

    I'm not saying XPe is secure, but it could slot more secure than a fully patched windows10 system in certain situations.

    1. Anonymous Coward
      Anonymous Coward

      Re: Scare story

      Downvote as while you may be 100% correct, I doubt any of those attack vectors are the ones the criminals will use!

  18. Unicornpiss Silver badge

    ATMs are for life..

    When she's done with it, she can always play Doom:

    Doom on ATM

    1. Dan 55 Silver badge

      Re: ATMs are for life..

      She'd need two more ATMs to play on the LAN against the cats.

  19. Anonymous Coward
    Anonymous Coward

    Sorry, I didn't manage to get past the first photo as I'm the product of millions of years of evolution where primates that didn't notice what an arrow was pointing to got eaten and produced no offspring, and she's wearing two huuge girt big arrows pointing to her juicy bits.

  20. harmjschoonhoven
    Holmes

    First gas, now TNT to open ATMs

    Just saying

    Dutch criminals for years used gas explosions to lay their hand on the contents of ATMs. Now these are better protected, they are starting to use TNT and other high-explosives. Articles in Dutch, the photos speak for themselves.

    https://www.nrc.nl/nieuws/2017/07/20/eerst-gas-toen-tnt-politie-en-plofkrakers-spelen-kat-en-muis-12139639-a1567270 Police and criminals play cat(!) and mouse.

    https://nos.nl/artikel/2162190-plofkraken-met-pentriet-tnt-of-een-zelfgemaakte-bom.html

  21. Fruit and Nutcase Silver badge
    1. WolfFan Silver badge

      Re: QED

      Arkansas chicken-farmers are only imitation rednecks. (Remember always, Slick Willy Clinton was from Arkansas...) True Rednecks(tm) use pickup trucks. http://www.nola.com/crime/index.ssf/2017/08/3_accused_of_ramming_stolen_pi.html

      http://wnep.com/2017/07/18/crooks-steal-atm-from-deli-in-monroe-county/

      http://www.wmcactionnews5.com/story/24109393/police-men-smash-pickup-truck-into-gas-station-steal-atm

      Texans are True Rednecks(tm), just incompetent ones. (Remember always, Boy George Bush was from Texas...)

      http://dfw.cbslocal.com/2017/07/27/pair-tries-steal-atm/

      http://www.khou.com/news/crime/burglars-crash-truck-into-montrose-gas-station-steal-atm/431241579

      They broke the truck while stealing the ATM!

  22. Anonymous Coward
    Anonymous Coward

    Leigh-Anne Galloway, gosh! Why is there nobody this hot and intelligent at where I work? Oh... I remember why, because I work at home, alone, in my pants!

  23. DrM
    WTF?

    Oh no!! Old software!!!!!!! OMG!!!!!!!!

    Oh no! Old software!!!! They are running WIN-XP!!!!! How can anyone use /old/ software, you /must/ have the new version!

    Can the IT crowd who specialize in always-defective SW always in need of repair ever understand fixed function appliances? These will be working perfectly as ATM's running XP till they crumble to dust.

    There is *no* reason to change to the newest OS, none. They are on VPN's and not on the Internet. They don't need to support some new application or anything new. They run as ATM's, period.

    Look at the attacks on ATMs, the compromises in the article? Any have anything to do with XP?

  24. Aunty Dan

    Even Windows XP is too advanced for some banks

    About 6 or 7 years ago now, here in darkest Southern California, I was waiting in line for an ATM from a major American retail bank chain. The person in front of me appeared to be having problems and walked away in disgust. As they did so I could see the ATM had crashed and was rebooting.

    At the time, never having worked in banking, I had naively assumed a modern ATM would just be a thin terminal of some kind with a custom hardware link to the cash dispensing machinery. However not only could I see this was a regular PC from the BIOS POST but that the OS it was booting was not any version of Windows at all, XP or otherwise. It was running IBM OS/2. It was not even OS/2 Warp!

    This floored me for a minute until I understood the sheer brilliance of this. Whilst I don't doubt there are plenty of vulnerabilities in this dinosaur oddity of an OS where would go to you get hacking tools for it? Could you even setup a OS/2 VM to test against it on a modern hypervisor?

  25. Toasted

    I worked for Siemens in the late 90's and early 00's and they won a contract to supply ATM's for Barclays. The safe is damn strong, but the PC that operates the rest is readily accessible. Pretty flimsy lock and the whole backside opens and not really much security for the important bit. The PC unlocked with a few torx screws and could be removed in less than minute. I was also entrusted to make sure the various anti vandal systems worked. This involved me tapping a tack hammer on the keypad, camera/card guard, to ensure the robustness against the criminal hordes. I got through a lot of keypads, cash flaps, screens and was eventually told to cease tests....Apparently I was too heavy handed. A real criminal wouldn't resort to such measures...... I still see a few in service from time to time, so pushing 16 to 17 years old now. Probably still running NT and a Pentium III.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019