Data-sniffing trojans burrow into Eastern European ATMs

Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months. The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Bastard

    "the targeted ATMs ran on the Windows XP operating system."

    Windows XP? *faints*

  2. Henry Wertz Gold badge
    Thumb Down

    Here's why ATMs shouldn't run Windows

    Title says it all.

  3. Adam
    Thumb Down

    XP!

    OK, I have seen them run on NT4 as well... All these ATMs have to pay the Microsoft tax?

    Sainsbury's EPOS also run on Windows 2000. Again... Microsoft tax?

    That is all

  4. JassMan
    Coat

    Diebold, Diebold

    Haven't I heard that name somewhere before? Somewhere like those ultra secure voting stations that could be made to return any result the politicians wanted.

    My coat is the one with someone else's credit card in the pocket. If I have to use one of these ATMs it won't be my ID they steal.

  5. Destroy All Monsters Silver badge
    Flame

    OMG! Grody to the max!

    Don't say these machines do not currently have integrity checks on their installed software?

    Probably one of those ATM series running "Windows for ATMs" which can sometimes be spied when BSOD or impromptu menu bar show up.

    Due diligence? High assurance? We have heard of it.

    Lawyers please.

  6. Goat Jam
    Thumb Down

    Why

    Why run Windows on an ATM. I mean really, why?

    A full featured consumer OS which is known for its security flaws running on a machine that has its sole function that of accepting input from a dozen buttons, checking the account details over the network and then starting the cash dispenser mechanism as required.

    Surely such a simple process could be done using a purpose written micro OS running solely from non-volatile firmware? How hard could that be?

    What a bunch of fucking cretins.

  7. Tom

    So if your card gets skimmed

    It will be your fault because you must have told someone your PIN.

    I bet they outsource the development to the lowest price shop they could find in India or Eastern Europe.

  8. Moss Icely Spaceport
    Alert

    Ye Gods

    "The SpiderLabs report said only that the targeted ATMs ran on the Windows XP operating system."

    Ahhh, I'm starting to see a pattern forming....

  9. Anonymous Coward
    Anonymous Coward

    PES

    Who says embarrassing news goes on the Diebold name so that Premier Election Solutions can trade with a clean reputation?

    If you want to steal cash and account details, Asus will tell you "It's better with windows".

  10. Rich

    Enough, really

    "A secondary menu also allows the person to force the machine to dispense all its cash."

    I mean, isn't that enough without all the fluffing around.

  11. Mark

    Figures

    Diebold, Windows. WTF? Which retard in the banks decided this was a good purchase?

  12. John Smith Gold badge
    Thumb Down

    so don't put your card into *any* ATM in Eastern Europe

    I guess Eastern European banks aren't worried.

    None of their local customers probably has an ATM card.

    They still don't quite get the whole trusted financial institutions idea.

  13. John Chadwick

    More interesting would be...

    How they managed to insert the trojans, rather than the fact that they had. I suspect that bank IT departments do not update their Windows ATMs each time Microsoft releases a security patch, as the regression testing required, and the possible downtime every couple of weeks, might well be unacceptable, as might the cost. I doubt that ATMs are on the normal bank networks, and I would assume they use an encrypted IP connection, so one wonders how the trojan was inserted: corrupt IT staff, or do Eastern European banks do something daft, like connect ATMs to the Internet?

    I hope ours don't.

  14. This post has been deleted by its author

  15. Maverick
    Thumb Down

    so why the hell . . .

    . . . migrate from OS/2 to XP?

    and which account gets charged when they empty all of the cash from a machine?

    I just hope nobody cross-breeds these guys with our MPs - Cashy Jaqui anyone?

  16. Anonymous Coward
    Anonymous Coward

    Sigh...

    Yes, ATMs run Windows, it used to be OS/2, but IBM stopped making that. Usually it is workstation grade Windows (NT4/2k/XP) not usually in a domain, or if it is a separate 'atm only' domain. The fact that the vast majority of people don't know that ATMs run Windows suggests it does a good job. I've only ever seen an ATM rebooting once and one with a dialogue reporting a DLL error.

    This sounds like a clear case of developers from a bank or a supplier to banks developing malware which specifically targets the bespoke software run on ATMs, then having it distributed via the people who "feed and water" the ATMs - ie: have intimate access to do anything to them. This could almost certainly happen with any other OS, it's not a Windows issue.

  17. Anonymous Coward
    Black Helicopters

    Systems are only as secure and we are prepared to pay to make them

    Recently had a withdrawal made on my card from LJUBLJANA.

    When I contacted the bank they told me my card must have been cloned when I used it. When I told them I never used the card and I could prove this because my statements show there had never been a withdrawal/swipe on this card, they said well you obviously disposed of the card in an unsecure manner or shared the details with somebody else. No I haven't and I can prove that; can you prove your systems are that secure?

    So you see systems are only as secure as the bank are prepared to pay to make them.

    Anon obviously, because Big Brother is watching us not the crooks

  18. Cameron Colley

    Why the fuck are they running Windows?

    Must be that the banks are using the "lowest bidder" system to decide who supplies them with ATMs because there is no way that an ATM should be using Windows (or Ubuntu, Redhat, OSX, ...) heck they shouldn't even need an operating system they only run one application!

  19. Anonymous Coward
    Alert

    tax on top of tax

    Not only the Microsoft tax. Since it gets labelled as a PC, the security policies of the banks mean it needs anti-virus and state monitoring, which also have license fees. Think of all their support people, outsourced to the lowest cost supplier, with domain admin access....

  20. Lionel Baden
    Joke

    so i guess

    If my internet at home goes down I should be able to go to my local ATM and start browsing??

    I wonder if they are wireless too :D

  21. Mike Kamermans
    Thumb Up

    How to get your trojan on

    Two words: "ATM key". These things are typically stuck in the wall with simple triangular/square slotting keys. They may set you back as much as 5 pounds. If you can find an ATM that isn't CCTV-ed (I'm looking at you, all of eastern Europe) then messing with one is just a matter of walking over to one at 3 in the morning.

    Getting into an ATM is quite a lot easier than breaking into your own house.

  22. Jimmy

    ATM - Ask The Monkeys

    With the technical ingenuity demonstrated by these budding capitalist entrepreneurs it clearly wouldn't matter which operating system was being used, provided that they could gain one-time physical access to install a hardware dongle in the machine.

    Their main problem is to identify the most vulnerable individual among those who have authorised access to the innards of the ATMs. Step forward Mr. Security Guard who would be the guy with the lowest pay and the most responsibility for replenishing the empty cash containers. He may also have a poor credit rating, an ambitious wife, and a demanding girlfriend. Gotcha.

    If 640 overpaid and under-performing parliamentary monkeys can be bribed with unaudited expense accounts why would Joe Bloggs want to resist temptation.

  23. Cameron Colley

    @James, Fraser, Jimmy

    But an ATM shouldn't be a PC, where physical access automatically means root access. An ATM should, as has been mentioned above, use a custom OS on read-only firmware -- if the person replacing the money can update the OS then they're not secure. The cash inside them is, frankly, irrelevant and inconsequential compared to the value of the data that people enter into them.

    I have been given the impression that the ATM network is accessible from the bank's intranet and that the internet is also accessible from the bank's intranet -- doesn't that mean that they are, effectively, attached to the internet?

  24. Andy Silver badge

    Re: so i guess

    I've seen a Siemens ATM in Paris displaying the full Windows desktop -- including the icons for IE and Outlook Express. Really useful for an ATM, but I suppose they are "integrated" into the O/S.

    -A.

  25. Keith Williams
    Coat

    Standalone ATMs

    We have a lot of non-bank ATM machines; pretty much anyone can buy one, set it up in their convenience store/gas station/bingo hall and charge people money for using it. Don't want the bother of looking after it yourself? Others will put one in for you, and pay you 50 cents/transaction for the privilege. AFAIK, they have a simple phone connection to their hosts.

    I don't suppose it would be any more difficult to write capture code for a *nix based machine than it is for windows, or even OS/2 if you can get access to the machine itself.

    Mine's the one with the ATM built into the wall of the Bank, since I don't like paying 3rd party ATM fees

  26. Steven Hunter
    Alert

    Amusing way to pass some time...

    Do a Google Image search for "bluescreen ATM" (w/o quotes of course).

  27. Martin Edwards
    Stop

    STOP THIS NONSENSE FORTHWITH

    Judas Priest, this has **** all to do with Windows, OK. Other than perhaps that it's easier to write software for Windows than for some custom ATM platform. Physical access is physical access. You're talking like this thing got in by itself through some unpatched buffer overflow condition in Paint.

  28. Anonymous Coward
    Anonymous Coward

    @Cameron Colley

    Physical access to *any* machine means the potential ability to get root/admin access, custom OS or not. What you are arguing for is security by obscurity. This is not to say that you just stick a CD into an ATM and press a big red button to update; it's way more secure than that, and often the updates are sent remotely these days anyway. All it takes is a few corrupt people on the ATM team of a bank, or supplier of software.

    I don't know who told you that ATMs had access to intranet and therefore were accessible to the internet, but they were wrong. An ATM network is highly encrypted and firewalled off from anything except the machines in a DMZ which it needs to speak to, in order to get to the back end systems that tell it how much cash to dole out.

  29. Anonymous Coward
    Thumb Up

    And we are surprised about this?

    "For a long time it puzzled me how something so expensive, so leading edge, could be so useless. And then it occurred to me that a computer is a stupid machine with the ability to do incredibly smart things, while computer programmers are smart people with the ability to do incredibly stupid things. They are, in short, a perfect match." - Bill Bryson

    The bank (these days) has zero incentive to actually make or offer a good product - all they need is a cheap product that appears to work - any problems that appear after installation can simply be swept under the carpet and the person responsible promoted or booted to another bank with a golden handshake. Just look around and tell me this isn't true...

    Twenty years ago a bank was like your mother - she looked after your interests and you paid her a small fee for the service. Today a "bank" is like a crack whore offering free blow-jobs - sure, you know there's a catch but the "free" sounds like such a good deal that you use them anyway and ignore the risks. ATM's are the glory-holes of the banking world.

  30. Cameron Colley

    @Fraser

    My point was more that an ATM shouldn't be able to run anything but the grab a number/encrypt/communicate/dispense routine -- this could be done with a single super-glued chip. Of course a malicious _owner_ could put anything in their machine, including a young lady, but if the machine was designed properly it wouldn't need updating at all.

    I've not had chance to find my sources but it was an article like this one:

    http://www.zdnet.com.au/news/software/soa/Windows-based-ATMs-an-easy-touch-for-hackers/0,130061733,339286496,00.htm

    If a machine that has access to the VPN that the ATMs run on is compromised by an internet attack it would become a router, surely?

  31. Jimbob
    Flame

    Struggling to believe this...

    Wait a minute. I'm struggling to believe something here. So...the software gets written, approved, tested, then rolled out WITH A TROJAN?!? To ATMs?

    No, someone is pulling my leg surely.

  32. Edward Miles

    obligatory xkcd reference...

    http://xkcd.com/463/

    just $_ =~ s/Voting Machine/ATM/;

  33. Scott
    Thumb Down

    Great

    I'm going on a stag do to Eastern Europe this weekend and was going to get some cash out if I needed it through the ATMs; think I'll just pay for the strippers on my credit card now.

  34. Jimmy

    @ Cameron Colley

    It's hard to disagree with your assertion that a more obscure, proprietary OS would raise the bar in terms of security, but given the obvious intelligence and skills of the attackers combined with the potential rewards to be gained it certainly would not be an insurmountable obstacle.

    The main vulnerability in the design and implementation of security and safety systems is our age-old friend - human frailty. The same frailty that is so easily exploited by those who are determined to breach the defences. We have all heard the old adage "We can make it foolproof but we can't make it idiot proof," which can also be rendered as "We can make it foolproof but we can't make it gangster proof."

    The bigger the prize, the greater the effort that is expended.

  35. Anonymous Coward
    Anonymous Coward

    @Cameron

    I see your point, but an ATM needs to be far more complex, these days at least. The services that are offered change over time; for instance the DDA (Disability Discrimination Act) requires that all ATMs have a compliant typeface, not possible with a single fixed chip. The move over to chip and PIN couldn't have been dealt with by a single chip system. ATMs are being phased in which take pictures of the users and upload them into the bank's central networks. ATMs are available where you can charge the credit on your phone, and some banks offer a service whereby if your card is stolen you can turn up at a nominated ATM and it will spit cash out at you (while you are on the phone!). All of these things weren't available five or six years ago, so updates are required. Again, a single fixed chip can't cope with updates to encryption/decryption algorithms/keys.

    Also, with the single fixed chip, you merely move the place where the software is run to a central point; at a guess the central point would be just as easy for dodgy staff to roll software out to, if not easier.

    It is highly unlikely that an ATM could ever be compromised from the internet, there is no direct path from internet to ATMs. You'd be trying to compromise many firewalls to achieve this task and why bother when you can hire a JCB for a few quid?

  36. Eirik Iverson

    Lack of Daily Physical Access Doesn't Mean Safe for Windows

    I've noticed in several different industries that run ATMs or PoS devices on Windows based systems that their administrators seem to perceive these devices differently, as they would a laptop. Evidently, they seem to regard them as considerably more secure because they are not physically accessible to ordinary people (I hope you know what I mean in the case of ATMs) or used for general purpose computing (at least, not supposed to be). Like a laptop, these systems need to be locked down, and they need to be protected by more than just a signature-based product using technology invented over a decade ago. Below are older posts that make the rest of my point:

    http://www.blueridgenetworks.com/securitynowblog/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection

    http://www.blueridgenetworks.com/securitynowblog/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware

  37. foo_bar_baz
    Boffin

    @Martin Edwards

    Your assertion is demonstrably wrong - hardware can prevent running unauthorized or modified sw, see xbox 360.
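
The thread keeps circling back to one defensive control: Destroy All Monsters asks whether the machines have integrity checks on their installed software, Eirik Iverson argues the hosts need locking down beyond signature-based anti-virus, and foo_bar_baz points out that hardware can refuse to run unauthorised or modified software. The following is an added worked example of such a check, written for this page and not taken from any commenter, ATM vendor or bank. It assumes a host that ships with a signed manifest of approved files and verifies the disk against it at boot and on a timer; the directory layout, file names and the HMAC key are constructed placeholders, and the HMAC stands in for the public-key signature a real deployment would anchor in a TPM or secure boot chain.

```python
"""Software-integrity check for a locked-down ATM/PoS host (added example).

Assumed design (not from the comment thread): the release process signs a
manifest listing the SHA-256 of every approved file under the application
directory. The host verifies the manifest's authenticity, then compares the
files on disk to it. Anything modified, missing or unlisted is reported so
the host can refuse service and raise an alert to operations.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_index(root: Path) -> Dict[str, Path]:
    """Map POSIX-style relative paths to every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes) -> bytes:
    """Produce a signed manifest. Done offline by the release process, never on the ATM."""
    entries = {rel: sha256_file(p) for rel, p in _relative_index(root).items()}
    payload = json.dumps({"files": entries}, sort_keys=True).encode()
    # HMAC-SHA256 is a placeholder for a public-key signature (e.g. ECDSA/Ed25519)
    # whose verification key would live in hardware on the host.
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "mac": tag}).encode()


def verify_manifest(blob: bytes, key: bytes) -> Dict[str, str]:
    """Return the approved file table, or raise if the manifest is not authentic."""
    doc = json.loads(blob)
    payload = doc["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("manifest signature invalid")
    return json.loads(payload)["files"]


def check_integrity(root: Path, blob: bytes, key: bytes) -> List[str]:
    """Compare the application directory against the signed manifest.

    Returns a sorted list of findings; an empty list means the install is clean.
    A dropped file with no manifest entry is flagged too, since a trojan rarely
    overwrites an approved binary when it can simply add one.
    """
    approved = verify_manifest(blob, key)
    on_disk = _relative_index(root)
    findings = []
    for rel, digest in approved.items():
        if rel not in on_disk:
            findings.append(f"MISSING {rel}")
        elif sha256_file(on_disk[rel]) != digest:
            findings.append(f"MODIFIED {rel}")
    for rel in on_disk:
        if rel not in approved:
            findings.append(f"UNLISTED {rel}")
    return sorted(findings)


def demo() -> List[str]:
    """Constructed scenario: clean install, then one patched binary and one dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "atm_app.exe").write_bytes(b"approved application image")
        (root / "bin" / "dispenser.dll").write_bytes(b"approved dispenser driver")
        key = b"release-signing-key-placeholder"  # constructed; real key lives in an HSM
        manifest = build_manifest(root, key)
        assert check_integrity(root, manifest, key) == []  # untouched install passes
        # Simulated tampering: an approved driver is altered and an extra DLL appears.
        (root / "bin" / "dispenser.dll").write_bytes(b"approved dispenser driver+patched")
        (root / "bin" / "helper.dll").write_bytes(b"file not in the manifest")
        return check_integrity(root, manifest, key)


def forged_manifest_rejected() -> bool:
    """A manifest signed with the wrong key must not be trusted, whatever it lists."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"anything")
        forged = build_manifest(root, b"wrong-key")
        try:
            verify_manifest(forged, b"real-key")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("forged manifest rejected:", forged_manifest_rejected())
```

The check refuses to trust any file table it cannot authenticate before it looks at a single hash, which is the property foo_bar_baz's hardware example provides: the verification key, not the list of hashes, is what has to be protected. Read-only firmware, as Cameron Colley suggests, removes the need for the check entirely; where updates are a business requirement, as the Anonymous Coward above argues, the manifest is re-issued with each release and the host still runs nothing that is not on it.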

  38. Gavin Keighren
    Stop

    @Cameron, Fraser, et al.

    Bank main-frames which are responsible for the validation of your PIN use tamper-proof hardware security modules (HSMs) such as the IBM 4758 (http://www-03.ibm.com/security/cryptocards/pcicc/overproduct.shtml) and the keypad on any half-decent ATM will be part of a similar device. Furthermore, the network interconnects between an ATM and the bank's mainframe contain similar devices.

    Their aim is to ensure that your PIN number, etc cannot be discovered *even if the host machine is infested with malware*. However, this does not prevent the mag-stripe data from being copied since that info is not considered sensitive. It would therefore seem that the goal of this scam is to clone the mag-stripe of cards and use them in "card not present" frauds.

  39. Anonymous Coward
    Linux

    @Gavin Keighren

    A skimmed card is used in real purchases in shops.

    This can even be in the UK, as there is a magstripe fallback in most shops on chip failure.

    (I hate the chips. I have two cards. One is not chipped and the other is. The chipped one takes longer to read in the ATM than the non-chipped one)

  40. Anonymous Coward
    Thumb Down

    Gavin Keighren: used to use tamper-proof security modules.

    No, ATMs used to use tamper-proof security modules in the keypads in order to prevent malware obtaining PINs. Unfortunately, I think they've gone a bit lax...
