"the targeted ATMs ran on the Windows XP operating system."
Windows XP? *faints*
Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months. The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the …
Haven't I heard that name somewhere before? Somewhere like those ultra secure voting stations that could be made to return any result the politicians wanted.
My coat is the one with someone else's credit card in the pocket. If I have to use one of these ATMs it won't be my ID they steal.
Don't say these machines do not currently have integrity checks on their installed software?
Probably one of those ATM series running "Windows for ATMs" which can sometimes be spied when BSOD or impromptu menu bar show up.
Due diligence? High assurance? We have heard of it.
Lawyers please.
Why run Windows on an ATM? I mean really, why?
A full featured consumer OS which is known for its security flaws running on a machine that has its sole function that of accepting input from a dozen buttons, checking the account details over the network and then starting the cash dispenser mechanism as required.
Surely such a simple process could be done using a purpose written micro OS running solely from non-volatile firmware? How hard could that be?
What a bunch of fucking cretins.
How they managed to insert the trojans, rather than the fact they had, I suspect that bank IT departments do not update their Windows ATMs each time Microsoft releases a security patch, as the regression testing required, and the possible downtime every couple of weeks, might well be unacceptable, as might the cost. I doubt that ATMs are on the normal bank networks, and I would assume they use an encrypted IP connection, so one wonders how the trojan was inserted: corrupt IT staff, or do Eastern European banks do something daft, like connect ATMs to the Internet?
I hope ours don't.
Yes, ATMs run Windows, it used to be OS/2, but IBM stopped making that. Usually it is workstation grade Windows (NT4/2k/XP) not usually in a domain, or if it is a separate 'atm only' domain. The fact that the vast majority of people don't know that ATMs run Windows suggests it does a good job. I've only ever seen an ATM rebooting once and one with a dialogue reporting a DLL error.
This sounds like a clear case of developers from a bank or a supplier to banks developing malware which specifically targets the bespoke software run on ATMs, then having it distributed via the people who "feed and water" the ATMs, i.e. have intimate access to do anything to them. This could almost certainly happen with any other OS; it's not a Windows issue.
Recently had a withdrawal made on my card from LJUBLJANA.
When I contacted the Bank they told me my card must have been cloned when I used it. When I told them I never used the card and I could prove this because my statements show there had never been a withdrawal/swipe on this card, they said well you obviously disposed of the card in an unsecure manner or shared the details with somebody else. No I haven't and I can prove that; can you prove your systems are that secure?
So you see systems are only as secure as the bank is prepared to pay to make them.
Anon obviously, because Big Brother is watching us not the crooks
Must be that the banks are using the "lowest bidder" system to decide who supplies them with ATMs because there is no way that an ATM should be using Windows (or Ubuntu, Redhat, OSX, ...) heck they shouldn't even need an operating system they only run one application!
Two words: "ATM key". These things are typically stuck in the wall with simple triangular/square slotting keys. They may set you back as much as 5 pounds. If you can find an ATM that isn't CCTV-ed (I'm looking at you, all of eastern Europe) then messing with one is just a matter of walking over to one at 3 in the morning.
Getting into an ATM is quite a lot easier than breaking into your own house.
With the technical ingenuity demonstrated by these budding capitalist entrepreneurs it clearly wouldn't matter which operating system was being used, provided that they could gain one-time physical access to install a hardware dongle in the machine.
Their main problem is to identify the most vulnerable individual among those who have authorised access to the innards of the ATMs. Step forward Mr. Security Guard who would be the guy with the lowest pay and the most responsibility for replenishing the empty cash containers. He may also have a poor credit rating, an ambitious wife, and a demanding girlfriend. Gotcha.
If 640 overpaid and under-performing parliamentary monkeys can be bribed with unaudited expense accounts why would Joe Bloggs want to resist temptation.
But an ATM shouldn't be a PC, where physical access automatically means root access. An ATM should, as has been mentioned above, use a custom OS on read-only firmware -- if the person replacing the money can update the OS then they're not secure. The cash inside them is, frankly, irrelevant and inconsequential compared to the value of the data that people enter into them.
I have been given the impression that the ATM network is accessible from the bank's intranet and that the internet is also accessible from the bank's intranet -- doesn't that mean that they are, effectively, attached to the internet?
We have a lot of non-bank ATM machines; pretty much anyone can buy one, set it up in their convenience store/gas station/bingo hall and charge people money for using it. Don't want the bother of looking after it yourself? Others will put one in for you, and pay you 50 cents/transaction for the privilege. AFAIK, they have a simple phone connection to their hosts.
I don't suppose it would be any more difficult to write capture code for a *nix based machine than it is for windows, or even OS/2 if you can get access to the machine itself.
Mine's the one with the ATM built into the wall of the Bank, since I don't like paying 3rd party ATM fees
Judas Priest, this has **** all to do with Windows, OK. Other than perhaps that it's easier to write software for Windows than for some custom ATM platform. Physical access is physical access. You're talking like this thing got in by itself through some unpatched buffer overflow condition in Paint.
Physical access to *any* machine means the potential ability to get root/admin access, custom OS or not. What you are arguing for is security by obscurity. This is not to say that you just stick a CD into an ATM and press a big red button to update; it's way more secure than that, and often the updates are sent remotely these days anyway. All it takes is a few corrupt people on the ATM team of a bank, or supplier of software.
I don't know who told you that ATMs had access to intranet and therefore were accessible to the internet, but they were wrong. An ATM network is highly encrypted and firewalled off from anything except the machines in a DMZ which it needs to speak to, in order to get to the back end systems that tell it how much cash to dole out.
"For a long time it puzzled me how something so expensive, so leading edge, could be so useless. And then it occurred to me that a computer is a stupid machine with the ability to do incredibly smart things, while computer programmers are smart people with the ability to do incredibly stupid things. They are, in short, a perfect match." - Bill Bryson
The bank (these days) has zero incentive to actually make or offer a good product - all they need is a cheap product that appears to work - any problems that appear after installation can simply be swept under the carpet and the person responsible promoted or booted to another bank with a golden handshake. Just look around and tell me this isn't true...
Twenty years ago a bank was like your mother - she looked after your interests and you paid her a small fee for the service. Today a "bank" is like a crack whore offering free blow-jobs - sure, you know there's a catch but the "free" sounds like such a good deal that you use them anyway and ignore the risks. ATM's are the glory-holes of the banking world.
My point was more that an ATM shouldn't be able to run anything but the grab a number/encrypt/communicate/dispense routine -- this could be done with a single super-glued chip. Of course a malicious _owner_ could put anything in their machine, including a young lady, but if the machine was designed properly it wouldn't need updating at all.
I've not had chance to find my sources but it was an article like this one:
http://www.zdnet.com.au/news/software/soa/Windows-based-ATMs-an-easy-touch-for-hackers/0,130061733,339286496,00.htm
If a machine that has access to the VPN that the ATMs run on is compromised by an internet attack it would become a router, surely?
It's hard to disagree with your assertion that a more obscure, proprietary OS would raise the bar in terms of security, but given the obvious intelligence and skills of the attackers combined with the potential rewards to be gained it certainly would not be an insurmountable obstacle.
The main vulnerability in the design and implementation of security and safety systems is our age-old friend - human frailty. The same frailty that is so easily exploited by those who are determined to breach the defences. We have all heard the old adage "We can make it foolproof but we can't make it idiot proof," which can also be rendered as "We can make it foolproof but we can't make it gangster proof."
The bigger the prize, the greater the effort that is expended.
I see your point, but an ATM needs to be far more complex, these days at least. The services that are offered change over time; for instance the DDA (Disability Discrimination Act) requires that all ATMs have a compliant typeface, not possible with a single fixed chip. The move over to chip and PIN couldn't have been dealt with by a single chip system. ATMs are being phased in which take pictures of the users and upload them into the bank's central networks. ATMs are available where you can charge the credit on your phone; some banks offer a service whereby if your card is stolen you can turn up at a nominated ATM and it will spit cash out at you (while you are on the phone!). All of these things weren't available five or six years ago, so updates are required. Again, a single fixed chip can't cope with updates to encryption/decryption algorithms/keys.
Also, with the single fixed chip, you merely move the place where the software is run to a central point; at a guess the central point would be just as easy for dodgy staff to roll software out to, if not easier.
It is highly unlikely that an ATM could ever be compromised from the internet, there is no direct path from internet to ATMs. You'd be trying to compromise many firewalls to achieve this task and why bother when you can hire a JCB for a few quid?
I've noticed in several different industries that run ATMs or PoS devices on Windows based systems that their administrators seem to perceive these devices differently, as they would a laptop. Evidently, they seem to regard them as considerably more secure because they are not physically accessible to ordinary people (I hope you know what I mean in the case of ATMs) or used for general purpose computing (at least, not supposed to be). Like a laptop, these systems need to be locked down, and they need to be protected by more than just a signature-based product using technology invented over a decade ago. Below are older posts that make the rest of my point:
http://www.blueridgenetworks.com/securitynowblog/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection
http://www.blueridgenetworks.com/securitynowblog/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware
Bank mainframes which are responsible for the validation of your PIN use tamper-proof hardware security modules (HSMs) such as the IBM 4758 (http://www-03.ibm.com/security/cryptocards/pcicc/overproduct.shtml), and the keypad on any half-decent ATM will be part of a similar device. Furthermore, the network interconnects between an ATM and the bank's mainframe contain similar devices.
Their aim is to ensure that your PIN number, etc cannot be discovered *even if the host machine is infested with malware*. However, this does not prevent the mag-stripe data from being copied since that info is not considered sensitive. It would therefore seem that the goal of this scam is to clone the mag-stripe of cards and use them in "card not present" frauds.
A skimmed card is used in real purchases in shops.
This can even be in the UK, as there is a magstripe fallback in most shops on chip failure.
(I hate the chips. I have two cards. One is not chipped and the other is. The chipped one takes longer to read in the ATM than the non-chipped one)