With any luck, this might convince the banks (and ATM owners) to take security a bit more seriously, since this is hard to blame on a user with a claim of "sharing their PIN/password".
Easily picked CD-ROM drive locks let Mexican banditos nick ATM cash
Lax security at Mexican banks has allowed cybercriminals to put their own malware-ridden CDs into ATM machines in order to gain control of the easily-compromised cash machines. The Ploutus malware was installed after "criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it". The ruse was possible …
-
Friday 11th October 2013 16:27 GMT Xamol
BIOS Password
I wonder if these ATMs were configured to only boot from HDD and had a BIOS password set up? If they did, then they can start looking for service engineers with extra CDs in their bags - I'd probably start there anyway...
There are better defences against this kind of attack (whitelisting-type software) and they're already available from the ATM manufacturers. Maybe more banks will start using them but I doubt it.
At least what they steal this way comes directly from the banks and not from a customer's account.
-
Friday 11th October 2013 16:29 GMT Lee D
Re: BIOS Password
I thought this was the exact kind of thing that TPM and Secure Boot and signed software was designed to block.
The tools are there, to remove CD-ROMs, and to stop them being used to boot ATMs into anything other than the official ATM software - the fact that they are not used has everything to do with crappy IT and nothing to do with the inability to actually secure such devices quite easily.
-
Friday 11th October 2013 18:19 GMT Charles 9
Re: BIOS Password
But then how do you update the machines when security patches are mandated? That's probably why the CD drives are there: to facilitate updating. That being said, the drives should not be bootable. The ATM software should be the one in charge of the updates and should insist on signed code from the CD-ROM before updating.
Based on what I'm hearing, I don't know if these are official offsite bank ATMs being hacked. I suspect these are more second-tier ATMs like those I see in a mom-and-pop store.
-
Monday 14th October 2013 12:42 GMT Captain Scarlet
Re: BIOS Password
"I thought this was the exact kind of thing that TPM and Secure Boot and signed software was designed to block"
I would have thought the majority of these devices would be really old anyway, most places with those stand-alone ATMs have been in place for more than 10 years and some even still use dial-up modems in the UK :S
-
-
Friday 11th October 2013 18:44 GMT Flocke Kroes
Backwards
I thought the sensible plan would be to remove the hard disk and set the BIOS to boot only from a CD-ROM. That way, turning the machine off and on again wipes out any remotely installed malware. If someone has the ability to change the CD, then they also have the ability to swap in a new CD-ROM, or a new hard disk. BIOS restrictions on the type of boot device are not a significant barrier to anyone with physical access.
-
Friday 11th October 2013 19:11 GMT Charles 9
Re: Backwards
No, because booting from a CD-ROM would break a chain of trust, as there's no way to verify the CD-ROM is official from the BIOS. The hard drive can initially be set in the factory and sealed in the box (note the crooks have access to the FACE of the CD-ROM, NOT the internals of the machine; drive housings can be bolted down with one-way screws so they can't be removed) so that any further updates have to be signed before they're accepted.
-
Monday 14th October 2013 10:41 GMT Mayhem
Re: Backwards
If it's anything like the Wincor Nixdorf machines we used to work on - once you have access to the top half of the machine, you have access to all the hardware.
The ATM controller is simply a little Windows embedded PC, usually a Beetle, which you can swap components out in relatively easily (dead PSUs were not uncommon). Occasionally we'd yank the whole PC and drop in a replacement. You can do anything via diagnostics once it is opened - change the value of cash bins, spit out notes, send test comms up the chain etc. It is all logged though, which uploads remotely, and you can't clear the logs easily.
However this is a complete fail from an operational point of view - the controller section is totally separate to the cash drawer below, requiring a different pair of keys to open - one we held and one the security guards who load the machine hold. Also, every time we did any work on the box, we had to have a security guard present - precisely because of the potential for cash to be dispensed.
(Or most often, we'd have to pull out the cash bins to extract the remains of several hundred dollars in bills chewed up in the mechanisms - that goes in a sealed bag back to the bank)
If anything I think the above poster is correct - we're probably talking about the dodgy little third party machines that charge for transactions - they are built to a significantly lower standard than the top line bank models.
-
Friday 11th October 2013 16:46 GMT Mark 85
So it's limited cash from the machine or the entire bank...
So the door that opens for the CD drive isn't the same one for the cash bin? And not as secure? The CD-ROM drive isn't secure. One would think that the door would be actually stronger and the CD-ROM disabled by default in that accessing the ATM's computer would give access to the bank's entire customer base as well as any partner banks. On the other hand, methinks the crims aren't thinking far enough outside the box. The cash in the machine is limited. The funds available by accessing every account in the bank is virtually unlimited.
-
Friday 11th October 2013 21:25 GMT Anonymous Coward
Re: So it's limited cash from the machine or the entire bank...
Most likely. It's possible that the technician servicing the ATM is different than the person that fills/empties/services the cash dispenser. (This way, the service tech can work on the machine and doesn't necessarily have to be trusted that they won't clean the machine out, because they don't have the key for the cash dispenser.)
In any case, it just shows that once physical access is obtained to the computer, it's only a matter of time before it's compromised.
FWIW, commanding the cash dispenser to spit out a set number of bills is actually somewhat trivial; some of the machines I've worked on had a diagnostic section for technicians that has the magic pass code, PIN, or key to command the bill dispenser to spit out whatever combination of currency was in the machine at the time. Kinda neat watching them work on it.
-
Monday 14th October 2013 06:17 GMT Hans 1
Re: Bad Banks Better?
> "after all there is no way windows malware will run on OS/2"
Ever heard of the Windows OS/2 subsystem?
> "I very much doubt the script kiddies know how to write anything that would work there."
Just because you don't know does not mean they don't - when there is cash to be had, you find ways ...
-
Friday 11th October 2013 19:58 GMT Henry Wertz 1
"I worked for a major American bank a few years back. They were using OS/2 v.2 for their ATMs. It would not surprise me if they still do. Banks are extremely change-averse. They talk a good game when it comes to security, but many (at least) don't walk the walk."
OS/2 would actually HELP their security. No extraneous services, OS/2 was quite secure by design, and (as a practical matter) an OS that old doesn't have many people researching it and looking for exploits.
The main issue I've seen is ATMs which are running Windows with all kinds of irrelevant services running, and clearly poor security practices. Frankly, the ATM industry should straight up follow procedures similar to what casinos follow for slot machines. THOSE are some secure machines. I've seen one boot, it ran a stripped BIOS, which checked the "normal" BIOS before executing it. This checked the checksum on a bootloader *and* the Linux kernel it loaded, the bootloader checked itself, the BIOS, the kernel, and the software before loading the next step (this software was I think in a ramdisk, so there was no chance of it missing "extra" software on the system). The software then checked the bootloader, kernel, and itself before proceeding to run the rest of the software in the ram disk. Finally, I think the system ran an extra check that would cause the system to immediately halt if any unauthorized software was running on the system (i.e. if something managed to bypass ALL THOSE CHECKS, the system would then kick off and die anyway.)
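The staged checks Henry describes (an immutable stripped BIOS pinning the next stage, and each stage pinning the one it hands control to) and the "chain of trust" point from the Backwards thread, as an added Python model that is not code from any post or from any ATM or slot-machine vendor; the `#next=` image layout and the stage payloads are constructed for the example, and signatures are simplified to SHA-256 digests pinned by the previous stage.

```python
import hashlib
from typing import Optional

MARK = b"\n#next="   # separator between a stage's code and the digest it pins (constructed format)

# Constructed sample payloads, in boot order: the stripped BIOS is the immutable root
# and is not a stage itself; it only holds the digest of the first stage.
PAYLOADS = [
    ("bios", b"normal BIOS v1"),
    ("bootloader", b"bootloader v1"),
    ("kernel", b"linux kernel v1"),
    ("ramdisk-software", b"slot software v1"),
]

class BootHalted(Exception):
    def __init__(self, stage: str, msg: str):
        super().__init__(msg)
        self.stage = stage

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_chain(payloads):
    """Assemble images last-to-first so each image embeds the digest of the next one.
    Returns the digest the root pins, plus the ordered (name, image) list."""
    chain = []
    next_digest = b""                       # the last stage pins nothing
    for name, code in reversed(payloads):
        image = code + MARK + next_digest
        chain.insert(0, (name, image))
        next_digest = sha256(image).encode()
    return next_digest.decode(), chain

def pinned_next(image: bytes) -> str:
    return image.rsplit(MARK, 1)[1].decode()

def boot(root_digest: str, chain) -> list:
    """Execute stages in order; a stage runs only if its digest matches the pin held by
    the previous stage (or the root). Any mismatch halts, as the slot machine did."""
    expected, executed = root_digest, []
    for name, image in chain:
        actual = sha256(image)
        if actual != expected:
            raise BootHalted(name, f"halt at {name}: {actual[:12]} != pinned {expected[:12]}")
        executed.append(name)
        expected = pinned_next(image)      # this stage's pin for the next stage
    return executed

def tamper(chain, name: str, new_code: bytes):
    """Swap one stage's code while keeping the digest it pins (a swapped disk or CD)."""
    return [(n, new_code + MARK + pinned_next(img).encode()) if n == name else (n, img)
            for n, img in chain]

def halted_at(root_digest: str, chain) -> Optional[str]:
    try:
        boot(root_digest, chain)
        return None
    except BootHalted as e:
        return e.stage
```

Because every pin lives inside the image that the previous stage verifies, an attacker who swaps a stage cannot also repoint its pin without the stage before it catching the change.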
-
Friday 11th October 2013 21:40 GMT ecofeco
Re: Ah, Mehico
Oh but they did and then some. You should research on how all the large banks are connected world wide. But the US gov/corp also sent money directly to European financial companies and as well through back channels and swap deals.
No, I really did mean the future US. But I see what you're saying and I'm pretty sure we're saying the same thing.
-