Revealed: Malware that forces weak ATMs to spit out 'ALL THE CASH'

Thieves are sneaking malware dubbed Tyupkin into ATMs to force them to cough millions of dollars, we're told. The crims don't need to use stolen or cloned cards. Instead, fraudsters infect the ATM's on-board PC, and later type a special combination of digits on the PIN keypad to drain the machine of banknotes – that's …

  1. Hans 1

    I am pretty sure most of the ATMs can be owned by a specially crafted icon on a USB drive, no need to load a CD ... I do not think they update the OS on them regularly.

    1. Anonymous Coward

      To be fair

      Many ATMs were designed/installed before this kind of sophisticated hacking was so common.

      That said it's no excuse for the sloppy design they seem to have adopted.

      Banks are so quick to point the finger of blame at a customer when their car details are compromised, I wonder if they will turn that glare on themselves over this???

      1. Anonymous Coward

        Re: To be fair

        And yet just this weekend I had my bank ring me up unsolicited and start the conversation with "Before we proceed I just need to ask you some security questions".

        Of course I would not proceed until I had asked them some security questions first.

        1. Anonymous Coward

          Re: To be fair

          > Of course I would not proceed until I had asked them some security questions first.

          Such as, what is the combination to your safe?

      2. Anonymous Coward

        Re: To be fair

        > Banks are so quick to point the finger of blame at a customer when their car details are compromised

        That's exactly what I told the plod when I was pulled for driving without plates.

        Didn't quite work. :(

    2. jonathanb Silver badge

      If you have physical access to the machine that allows you to connect external media and reboot it, it doesn't matter how secure the operating system or software is.

      1. Steven Jones

        Physical access to the machine's control system doesn't give you access to the money cassettes. That's totally different. Bank staff, for instance, will have access to some parts of the machine to recover things like "swallowed" cards. What they won't have is access to the hardened money "safe".

        It's far easier to gain access to the control panels than the money safe. The real issue is that it is so easy to "infect" a machine with malware.

        1. Michael Wojcik Silver badge

          Physical access to the machine's control system doesn't give you access to the money cassettes

          No, but if it'll boot from external media, then it's probably game over. I doubt most ATMs use hard-drive encryption or Secure Boot. Or prevent the BIOS from being flashed. Or prevent hardware loggers from being physically added to the card reader. And so on.

  2. Simple Si

    Cyberdyne Systems

    Still not as slick as John Connor with his Atari Portfolio in Terminator 2.

    1. Crisp

      Re: Cyberdyne Systems

      Easy money.

  3. AIBailey

    Holy cow, it's amazing just how advanced "hacking" scams have got now. The whole "speak to the boss to obtain the unlock code" checks are a scarily impressive touch to allow scum higher up the chain to ensure that nobody is taking cash without their approval.

    Obviously the most difficult part is getting physical access to the computer inside the ATM.

    It is a little crazy IMO however that one precaution is to ensure your ATM has up to date AV software. Are there any ATMs that run bespoke Operating Systems these days?

    1. Tom Wood

      Seems like the software the criminals install on the ATMs is, in a way, more secure than the original ATM...

    2. DrXym Silver badge

      "It is a little crazy IMO however that one precaution is to ensure your ATM has up to date AV software. Are there any ATMs that run bespoke Operating Systems these days?"

      Obscurity might be an effective defence for some random machine on the internet which nobody is especially interested in. But these are ATMs filled with cash. Even if it ran some esoteric OS, there is still a strong incentive for thieves to hack them to steal money.

      That said, using Windows as an OS seems to be an invitation to disaster.

      As usual the idea is to employ defence in depth - numerous physical, software and hardware safeguards which are hard to circumvent without leaving clues:

      - full logging with signature checks to detect tampering

      - tamper evident seals / ties on boards and service ports

      - special locks on outside and for access to innards

      - motherboards with all non-essential ports masked or snipped off

      - proprietary screws securing components

      - sensors on cabinet doors and for tilt / motion

      - multi stage booting with signature tests at each stage

      - audible / visible alarms

      - customized OS with all non-essential services turned off

      - full client / server authentication using forwards only encryption and two way authentication

      - various physical features to prevent shoulder surfing, skimming etc.

      - etc.

      Doubtless it's incredibly difficult to do all this perfectly and I bet some ATMs get nowhere close.
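One way to realise the "full logging with signature checks to detect tampering" item from the list above, as an added example that is not code from the original thread or from any ATM vendor: an HMAC hash-chained event log where every entry commits to the one before it. It assumes the signing key is held somewhere the on-board PC cannot read it back (an HSM, or the bank host that receives each entry); the key, the event names and the "host-reported last MAC" check are all constructed for the demo.

```python
"""HMAC hash-chained event log: one way to give an unattended machine
"full logging with signature checks to detect tampering".

Added example for this thread; not code from any ATM vendor or bank.
Assumes the signing key is held by something the on-board PC cannot read
out (an HSM, or the bank's host that receives each entry); the key and the
events below are constructed for the demo.
"""
import copy
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-for-production"  # stand-in for an HSM-held key
GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed sample events, the kind a service visit plus a withdrawal might produce.
SAMPLE_EVENTS = [
    {"type": "service_door_open", "tech_id": "T-0042"},
    {"type": "config_update", "source": "USB", "package": "update-demo.pkg"},
    {"type": "dispense", "amount": 20, "card_present": True},
    {"type": "service_door_close", "tech_id": "T-0042"},
]


def _entry_mac(key, prev_mac, seq, event):
    """MAC over the sequence number, the previous MAC and the event body."""
    payload = json.dumps({"seq": seq, "prev": prev_mac, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, event):
    """Append an event whose MAC commits to everything logged before it."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "event": event, "mac": _entry_mac(key, prev, seq, event)}
    log.append(entry)
    return entry


def verify_log(log, key, expected_last_mac=None):
    """Return (True, None) if the chain is intact, else (False, index).

    Edits, in-place deletions and reordering break the chain at the first
    affected index. Silently dropping entries from the tail does not break
    the chain itself, so the verifier can also be given the last MAC the
    machine reported to the host; a mismatch is flagged at index len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, i
        expected = _entry_mac(key, prev, i, entry["event"])
        if not hmac.compare_digest(expected, str(entry.get("mac", ""))):
            return False, i
        prev = entry["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, len(log)
    return True, None


def build_sample_log(key=DEMO_KEY):
    """Build the demo log from SAMPLE_EVENTS."""
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, key, event)
    return log


def tamper_edit(log, index, new_event):
    """Copy of the log with one event body rewritten (e.g. a changed amount)."""
    tampered = copy.deepcopy(log)
    tampered[index]["event"] = new_event
    return tampered


def tamper_delete(log, index):
    """Copy of the log with one entry removed (the 'avoid the logging' case)."""
    tampered = copy.deepcopy(log)
    del tampered[index]
    return tampered


if __name__ == "__main__":
    log = build_sample_log()
    reported_last = log[-1]["mac"]  # what the machine would send to the host
    print("intact:", verify_log(log, DEMO_KEY, reported_last))
    print("edited amount:", verify_log(
        tamper_edit(log, 2, {"type": "dispense", "amount": 5000}), DEMO_KEY))
    print("deleted entry:", verify_log(tamper_delete(log, 1), DEMO_KEY))
    print("truncated tail:", verify_log(log[:-1], DEMO_KEY, reported_last))
```

The truncation case is the one a chain alone cannot catch, which is why the last MAC has to leave the machine (to the host, or to the tamper-evident hardware) as each entry is written.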

      1. Bod

        "That said, using Windows as an OS seems to be an invitation to disaster."

        Makes no difference what the OS is. If they can reboot the ATM with a CD, they can install whatever they like or just run their own cloned ATM software bypassing the OS itself.

        The flaw here is simply vulnerability through physical access. It shouldn't have a CD drive, or a USB port (which most apparently do have). Simply needs a dedicated port that uses a secure key at the hardware level to ensure only authorised devices can connect to it to talk to the ATM to do updates etc. Plus a BIOS that doesn't let the machine boot off any connected media, or better not use a standard BIOS at all but roll their own proprietary system.

        1. Mayhem

          So I don't know about NCR machines like in the screenshot, but I do know that last time I was in one, the Wincor Nixdorf ran a version of XP embedded on their beetles - the ATMs used extremely primitive interfaces, so you needed ISA slots.

          That being said - the upper part of the machine has a separate key to the lower cash bins, and access to it in the countries I was in required the tech to be met by a security guard from the cash company, who had access to the bins. Generally local bank staff didn't have access to either section, unless they were a particularly large branch who refilled their own bins.

          The physical access is the key point - the malware users are most likely to have compromised a staff member somewhere along the line - we had a large keyring as the ATMs didn't have that many common keys. I don't remember if it was different per branch or machine, only that it was bloody heavy!

          But once you have physical access to the inside, you don't even need malware to dispense from the bins. The internal software will let you do it. What they've done is managed to avoid the logging aspect of the system so that they can hit the same machines over again, and more importantly using a cheap mule from the front panel, which is usually locked down to a very small subset of functionality.

          I'm pretty sure it will turn out to be a class of machines affected, and all they needed to do was suitably bribe or extort one of the support techs to install the malware as part of a regular checkup. It is almost always the human element that is the weak link, especially in countries like Mexico.

        2. Robert Helpmann?? Silver badge

          ...or better not use a standard BIOS at all but roll their own proprietary system.

          The problem with this is that banks tend to value stability over everything else. My experience has been that given a working system, they would rather make incremental changes to improve security, functionality, et cetera than to replace an entire working system. To back this up, I point to the fact that banks were responsible for OS/2 being kept alive well beyond the point that IBM pulled the plug simply because many banks were using it in ATMs and for other purposes, too.

          1. Tom 13

            @ Robert Helpmann??

            I will definitely confirm that stability angle. I started life as a DTP specialist. I got pissed off about a job and applied to the husband of a coworker for a tech position. For illogical reasons he hired me. This was back around the time 16x CD drives were just hitting the market. The very first week on the job (very first day IIRC) we got a call from one of his clients on the other side of DC. It was a bank and their Federal Funds PC had died the previous evening. For a bank this is a really big deal. By law they need to settle up with the Feds at least once every two business days and they'd already missed their first day. Boss says no problem. Calls up a supplier, requests a courier drop of an IDE drive to the affected bank and asks the branch manager to call us after he gets delivery. Shipment came in the early afternoon and we headed over. Branch manager takes us to the machine. I looked at the case and commented that it looked really old. Baked white paint on heavy gauge metal old. We moved the monitor off it and confirmed it was an IBM style AT case. We opened it up. First thing we had to do was peel off a layer of dust from the inside of the machine. It lifted off just like a bed sheet. And that's when despair struck. It was an IBM AT with a 286 processor and a genuine MFM hard drive. There were no PCI slots to drop in an IDE drive controller. And the floppy was a genuine 5.25 low density floppy. Somehow or another we managed to rig a 3.5 floppy to it, boot from the floppy and copy the data from the MFM to floppies. When we fdisked the drive it came back to life and we were able to transfer the data back to the drive. The bank made their Fed Transfers that night. We also told the bank manager he needed to replace the system pronto because you couldn't get MFM hard drives anymore. I understand this was no small prospect because the key component of the system was an encrypted modem card that cost more than the brand new IBM computer did when it was originally purchased.

        3. Tom 13

          @Bod

          Wow, so much garbage, so little useful information.

          Yes, the OS does matter. The point of this particular malware is to leave the machine operational so it gets restocked and hit it at random times. Probably uses a different install crew than pickup crew.

          The whole point of an ATM kiosk is to be a COTS solution. That means either a CD or a USB port and no custom rolled BIOSes. Yes the machine should be physically secure and it should have video coverage of access to the locks on the ATM as well as cams on the front.

          The only actually useful bit is that the BIOS should be properly configured to require booting from the installed OS device which probably ought to be a hard-drive, and it should require a password to modify. Of course those precautions are pretty much straight out the window if the thieves have physical access to the device anyway.

          The big problem here is that these systems are typically installed on a lowest cost basis. It's been more than a decade since I did support work for a local bank. At the time their ATMs were running an almost out of date version of Windows with no expectation they'd be replaced soon. I can't remember anymore whether it was 95 or if they'd at least used NT4, but I'd bet it was 95. In theory the ATMs were secure because the access door was on the inside of the bank. This particular chain didn't have any kiosks in shopping malls or grocery stores.

      2. itzman

        I would make 'em ROM only. No flash, and burn new PROMs to upgrade.

        Mind you, I suppose if you can attach a CD player, you can change the ROM as easily.

        1. Kevin McMurtrie Silver badge

          ROM sockets

          I used to service vending machines. All ROMs in all devices were in sockets so that they could be quickly upgraded in-place. PRAM was in sockets too so that you could swap motherboards and preserve a custom configuration.

          The one and only security mechanism was making the machine impossible to open without people noticing.

      3. Curtis

        Not that hard

        - full logging with signature checks to detect tampering

        - tamper evident seals / ties on boards and service ports

        >hologrammed adhesive foil

        - special locks on outside and for access to innards

        >tubular locks

        - motherboards with all non-essential ports masked or snipped off

        >how about just proprietary motherboards with the ports never put on in the first place?

        - proprietary screws securing components

        >doesn't matter, you can create a matching driver with putty

        - sensors on cabinet doors and for tilt / motion

        >pinball machines have had these for 20 years.

        - multi stage booting with signature tests at each stage

        - audible / visible alarms

        >again, look to the arcade industry

        - customized OS with all non-essential services turned off

        - full client / server authentication using forwards only encryption and two way authentication

        - various physical features to prevent shoulder surfing, skimming etc.

        >doable, but not done because it's unattractive/more expensive

        1. Michael Wojcik Silver badge

          Re: Not that hard

          - full logging with signature checks to blah blah blah

          Surround each ATM with armed security guards; kill anyone who manages to get too much cash out of the machine, or tampers with it. Or just get rid of the ATMs altogether and make everyone go to a human bank teller.

          Security is about threat models, and that includes cost/benefit analysis. A shopping list of security features is just intellectual masturbation without the context of a reasonable model.

    3. James O'Shea

      "Obviously the most difficult part is getting physical access to the computer inside the ATM."

      Not necessarily. Here in Deepest South Florida, Computer Crime Capital of the US, there is or was a nice simple scam going on:

      1 one member of the gang goes to an ATM inside a convenience store or a pharmacy or some such; CVS pharmacies were apparently prime targets. He fiddles with the machine, then goes to the clerk and reports a problem with the ATM. The clerk says that there's nothing he can do, contact the bank which owns the ATM, usually Chase in a CVS. Gang member departs. One or more additional gang members might show up over the next day or two, and also report problems. They make sure to note who's on duty at particular shifts.

      2 another gang member calls the store, using a phone rigged to display 'Chase Bank' or some such on its caller ID. He identifies himself as being from Chase tech support, and says that they've got complaints about the ATM at the store. Can the clerk verify? When the clerk reports that there have been problems (he'd be one of those who was there when the previous gang members reported trouble, because the gang made sure of who was on duty when they called) the 'Chase' guy says that they're sending over a tech, naming the tech and giving an ID number. They ask the clerk to have the tech call in to a number they provide when the tech arrives.

      3 another gang member shows up, with a Chase Support ID badge with the name and number mentioned on the phone. He asks to call in to the boss. The clerk lets him. The 'support' guy opens up the ATM and spends time fiddling inside. Because the gang has at least one member who actually used to be a Chase tech guy, they know what to do inside to drop their payload. They have complete and total physical access to the ATM right there in broad daylight in front of God and everyone and can do whatever they please. And do.

      4 later on, some other members of the gang come around and milk the machine for whatever the traffic will bear.

      Yes, it takes a bit of effort to set up, but once it has been set in motion, it is quick and easy money until someone at Chase notices that there's a problem. And as it's Chase, that usually takes a few days to a few weeks. Allegedly two gang members have been arrested holding onto a million and a half in 20s.

      1. Gene Cash Silver badge

        > holding onto a million and a half in 20s

        Sorry... I wouldn't be able to resist. I'd be rolling in that on my living room floor going WHEEE! YIPPEEE!! YAAYYYY!! YAHOOO!

        "'scuse me sir, we have a noise compl--- oh wait..."

    4. John Tserkezis

      "It is a little crazy IMO however that one precaution is to ensure your ATM has up to date AV software."

      It won't work. AV software is targeted towards the average domestic consumer, not specialty software designed from the ground up.

      The ATMs are appliances, yes they're constructed out of a PC, but they're still appliances, and more importantly, the bank's customers see them as such. Can you imagine what would happen to a bank's reputation when the AV software borks ALL of their machines at the SAME TIME?

      When the pill kills the patient, you don't have to worry about the disease anymore, do you?

  4. M7S

    Simple three letter code used to empty ATMs in parts of the UK

    JCB

    usually also only used at night, but I'm not sure it is restricted to Sunday and Monday.

  5. Adam 1

    How is this any different to what Barnaby Jack demonstrated at blackhat in 2010?

    http://en.wikipedia.org/wiki/Barnaby_Jack

    http://youtu.be/v-dS4UFomv0

    1. Michael Wojcik Silver badge

      How is this any different to what Barnaby Jack demonstrated at blackhat in 2010?

      It's a similar attack mode (to one of Jack's attacks, which required physical access; the other was over the network); what's newsworthy is it's being carried out extensively, and the malware has additional features to make it more useful for real-world theft.

  6. Anonymous Coward

    Eh?

    It strikes me as utterly barking that physical access to the relevant bits of the machine is not well and truly locked down, with an audit trail of who has access and preferably when. I can understand that bank staff would have to fill the things, but surely that can be done without allowing software to be loaded. Am I missing something here?

    1. Destroy All Monsters Silver badge

      Re: Eh?

      I guess you are missing Bad "Best-of-Breed" Practices and Use of Industry Standard Software.

      this ensures the boss's money-collecting mules are unable to carry out the scam alone – they need help in converting the random numbers into unlock keys.

      If that would happen in the open industry, you would get menaces from the union.

    2. Anonymous Coward

      Re: Eh?

      Because it's out in the open. Worst comes to worst, a crowbar can defeat most locks, if for no other reason than they can bend the cabinet itself beyond workability. It's like leaving a locked safe out in the open. Eventually, someone's gonna come along with a thermite charge or a cutting torch...or simply a truck bed and enough strength to lift it wholesale and carry it away. Or they could infiltrate the service crew and find enough details to clone the access keys.

      1. big_D Silver badge

        Re: Eh?

        But you can only do that once AC. If they manage to get access to the internals without anyone knowing, they might get away with emptying the machine on several occasions, before the bank notices and takes action - although each repeat visit increases the risk of getting caught.

    3. Anonymous Blowhard

      Re: Eh?

      "Am I missing something here?"

      What you're missing is the level of violence employed by Mexican criminals; physical access is locked down and the machines are probably compromised by bank staff using standard criminal persuasion techniques:

      Gangster: "Put this USB stick into every machine you service this week; or else we'll kill all your family, and then kill you and then ask your replacement to do it".

      ATM Technician: "OK!"

  7. Destroy All Monsters Silver badge

    "32-bit Windows-powered ATM"

    No further questions, your honour!

    1. Amorous Cowherder

      Re: "32-bit Windows-powered ATM"

      Just to cap it off...

      "...and ensuring cash machines have up-to-date antivirus protection..."

      What an age we live in!

      1. Anonymous Coward

        Re: "32-bit Windows-powered ATM"

        In this case the problem is the banks, not Microsoft. Windows XP based ATMs aren't actually a problem. You can disable most of the Windows services on an ATM so that the attack surface is dramatically reduced. On top of that there are good security products available from ATM vendors that will lock down the system further (HDD encryption, USB lockdown, AV (whitelist), encrypted comms to sensitive devices (i.e. cash dispenser) etc). All of these solutions are available on the ATM shown in this attack.

        The root of the problem is the banks' reluctance to spend on these security solutions.

        1. John G Imrie

          Re: "32-bit Windows-powered ATM"

          Obviously the crooks aren't stealing enough to make it worthwhile for the banks to tighten their security.

          1. This post has been deleted by its author

          2. Lush At The Bar

            Re: @ John G Imrie

            Nail on the head there mate. Why spend £X (and a heck of a lot of time) on securing and upgrading, when the losses are much less and you can just write them off?

            It's the same with councils in the UK and their roads. Why blow the budget on fixing potholes when it's cheaper just to reimburse the few people who actually can be bothered to jump through the myriad of hoops needed to get some compensation for wheel balancing, punctures etc.

            Once again, the bottom line wins out. </sigh>

      2. xenny

        Re: "32-bit Windows-powered ATM"

        I think I'd rather have no network connection and out of date AV signatures. One less way in for thieves.

        1. Charles 9 Silver badge

          Re: "32-bit Windows-powered ATM"

          "I think I'd rather have no network connection and out of date AV signatures. One less way in for thieves."

          Unfortunately, ATMs REQUIRE some form of callback access; otherwise, they can't link back to the banks to verify transactions. That's why ALL ATMs require at least a telephone line.

    2. Bod

      Re: "32-bit Windows-powered ATM"

      Would be just the same vulnerability had it been running 64-bit Linux, or whatever you like.

      But besides that it's a robust Embedded Windows running most of them, and has been for a long time. Since XP at least in fact as most are, yes, running Windows XP Embedded. And that is still supported by Microsoft while ATM vendors migrate to another solution.

      Anti-virus, not required as they run on their own private network, with no link to the Internet, and the theory was that there was no physical access to ports on the machine to load anything onto it without permission. That's where the vulnerability actually lies when the criminals have found they can get physical access and get away with modifying the machine and keep it in service without anyone noticing. The flaw there is in the physical security, and utterly down to the ATM vendors & banks and absolutely nothing at all to do with Microsoft.

      1. Anonymous Coward

        Re: "32-bit Windows-powered ATM"

        Sorry Bod but most ATMs don't run embedded Windows. They run full XP Pro under an embedded licence.

        The rest of the post is a good summary of what banks based their decision making on but as we see has turned out to be an erroneous belief.

      2. Mayhem

        Re: "32-bit Windows-powered ATM"

        Bod is right - AV software is not installed as the machines aren't internet accessible, it is a private network between bank and terminals, and half the time it is via a dial up modem. Like any bank would trust a third party product *monitoring their system* without signoffs up the wazoo.

        A standard ATM controlling PC is literally a swap out and replace component, any repair tech will have 2-3 in the boot of the car. The security guard standing next to you while you do it is expensive, so the faster you do the job the happier the bank is. You spend around 5 min running through the basic config and you're out of there. Often the cash bins are refilled at the same time since it saves paying for the security guy to come out twice, plus you probably spent 10min cleaning torn fragments of notes out of the distribution mechanisms as part of the spot check.

        1. Anonymous Coward

          Re: "32-bit Windows-powered ATM"

          @Mayhem - Most ATMs actually do have standard off the shelf AV on them because the banks IT department won't allow a 'Windows PC' to be installed without it. This is actually one of the blockers for getting something more suitable installed. Standard AV is a pain in the proverbial on an ATM - it's not designed for an unattended device but it is an 'approved' solution from the IT department and they don't want to approve something different.

          1. Mayhem

            Re: "32-bit Windows-powered ATM"

            @AC

            You must have been looking at a different brand of ATM to mine.

            Mine definitely had no A/V - they basically booted a very stripped down Windows then went straight to the app. From memory it was all about the old tech - they didn't even support usb mice & keyboards, only PS2.

            IIRC they only had 512MB to 1GB of RAM - there wouldn't have been enough memory to run much else - every so often they'd lock up with a memory leak and the bank would need to flip the power switch for the whole unit. Thinking back, half of them were still Windows 95 too.

            We would occasionally run A/V on the unit, but only back at home base where we would be running diagnostics for the controller PC or replacing faulty components. Usually we would just yank and reimage the drive from master, guaranteed it would be clean.

            I only dealt with the larger hole in the wall style or the big 1m² 4-bin free standing ones though, not the little 2-bin pocket ATMs you see today wedged in everywhere in the UK.

            1. Anonymous Coward

              Re: "32-bit Windows-powered ATM"

              @Mayhem

              Sounds like the ATM you're referring to is one of the first to have used Windows after the switch from OS/2. You won't find many of that vintage and configuration now (although there are some OS/2 ones around). The ones running Windows are easier to upgrade so *most* will be running XP and will have AV now.

              There's a big push to upgrade to Win7 at the moment; that coupled with these types of attack may mean that banks will actually take the opportunity to install decent security.

              1. Number6

                Re: "32-bit Windows-powered ATM"

                I think they should go back to using OS/2, then all the hackers would have to sit down and learn something new.

      3. Destroy All Monsters Silver badge

        Re: "32-bit Windows-powered ATM"

        How does the juxtaposition of "Embedded" and "Windows" even make sense? It's like a wheelchair submarine.

        absolutely nothing at all to do with Microsoft

        Correct though. It has to do with a decision process that concludes that something from a company that writes consumer-grade desktop bloaty wobbly into a system that should be rather tamper-proof and minimalistic and manageable is actually a good fit.

      4. Tom 13

        Re: they run on their own private network, with no link to the Internet

        In the vendor's literature maybe. In practice?

        ...

        Not so much.

    3. Adam 1

      Re: "32-bit Windows-powered ATM"

      >"32-bit Windows-powered ATM"

      > No further questions, your honour!

      Lucky that there is no bash or openSSL in sight ;p

  8. William Donelson

    Yet Wall Street crooks can steal $8 Trillion and not a single one is in jail.

    A new IMF report says the world economy is unlikely to ever recover from this theft.

    1. Destroy All Monsters Silver badge

      They do not steal. Your government prints up the money. Which means you get taxed through the backdoor.

      > unlikely to ever recover from this theft.

      Of course it will "recover" eventually. However, there is the little problem of a megamammut of unpayable "social promises" and debt to be absorbed first, which are only no problem in progressives' fantasies. Get ready.

  9. heyrick Silver badge

    Facepalm?

    I agree with previous posts - sensitive machines handling transactions of this nature need to have the firmware burned into ROM with no USB or CD or otherwise interfaces and a system that can be compromised so easily.

    1. Charles 9 Silver badge

      Re: Facepalm?

      Then how do you UPDATE them when exploits appear, which they ALWAYS will no matter which OS you use (remember, some of the nastiest bugs have been on UNIX-based systems)? Being forced to replace the hardware can be too costly, for example, and perhaps too labor-intensive depending on how it's built.

  10. David Gosnell

    Alarming

    "The masterminds behind Tyupkin only infected ATMs that had no security alarms"

    Hey, I guess it's only money. Help yerself.

    1. Charles 9 Silver badge

      Re: Alarming

      Bet the next step will be making alarms too inconvenient by finding ways to "invisibly" trip repeated false alarms all over the place. Alarms won't be able to do much when they cry wolf all the time.

  11. Cookieninja

    Every cloud has a silver lining

    The more common these methods become the less interest there is in my individual card and bank account, giving me less to worry about.

    I got no worries about any banks going bust, because my "riches" are lower than the amount guaranteed by the Bank of England. I'd like to think the government would get a grip before it became big enough to affect the country's economy.

    1. Adrian 4 Silver badge

      Re: Every cloud has a silver lining

      I'd like to think the government would get a grip, too.

  12. Josco

    In Broad Daylight

    A little while back I had a temporary job changing the signage on a well known UK bank's ATMs. I would arrive in broad daylight with a bag of tools, wait my turn if it was busy, and then 'attack' the machine stripping it of external parts to access the signs and logos. No-one ever batted an eyelid nor made any remarks. Police would stroll by and not even glance at what I was doing....

    Only once did an elderly lady who was waiting to use the machine comment that she would go halves on whatever I got out!

  13. sisk

    Baffled

    To this day I remain astounded that ATMs don't run some proprietary system, or at the very least some obscure OS that no one knows very well like MenuetOS. I realize that obscurity on its own is terrible security, but surely obscurity plus mediocre security practices would be far better than everyone-knows-its-holes Windows plus mediocre security practices.

    1. Tom 13

      Re: Baffled

      The vendors do enable proper security. The banks just fail to implement them.

      A couple of posters have noted "proprietary networks" and that's the way it OUGHT to run. But all too often a bean counter says "we're paying for high speed internet in that office, why can't we just use that." And an IT guy starts talking about VLANs and firewalls so it gets approved. Because that proprietary network at slower speeds will cost as much or more than the connection they already pay for.

      Likewise the logging and the access controls. I think I was only ever called to work on an ATM machine a couple of times. But I was never required to log my access to the system. Yes, I did my work while an authorized bank agent watched. But they really had very little clue about what I was doing. If I slipped in a USB drive to run an authorized update and the USB had a silent trojan installer they never would have known. Worse, they wouldn't have been able to trace it. Fortunately I'm an honest sort of person.

  14. Mark Eaton-Park

    Given that they had full access then the OS means nothing at all

    As in the previous comment, techs have replacement motherboards and no doubt, with a quick download of any onboard crypto firmware, they could have just put in a new board with the malware onboard, with maybe radio controlled cash payout. EM shielding means nothing when you can add a handy aerial outside of the cage.

    The security problem here is access to the ATM and the hardware; even if they improved any onboard crypto, thieves need only ram-raid to see the new generation of ATM board.

    Personally I would have everything controlled by the back end with separate remotely controlled hardware for cash dispensing, but this would just return the thieves to credential capture and again the onus would be on the account holder to prove they were not implicated. Other than moving all the crypto hardware to the bank card, the ATMs are always going to be the weakest link.

    Ultimately, whilst there is easy money to be made, expect more of the same until the insurance companies stop buffering the banks.

  15. Anonymous Coward
    Anonymous Coward

    Physical Fraud Devices

    One of the main scams is where criminals physically attach fraudulent devices to the ATMs.

    (These are otherwise known as "banks".)

    1. ecofeco Silver badge

      Re: Physical Fraud Devices

      I see what you did there.

      Upvoted.

  16. Anonymous Coward
    Anonymous Coward

    Risk VS Cost

    It is possible to create an ATM that is virtually impossible to crack, but if a bank loses X to ATM exploits and it costs 2X (or more) to stop it - why spend the money?

    1. Arachnoid

      Re: Risk VS Cost

      I guess only if the loss exceeds maybe 10 or 100 times the amount of a teller's wage would the bank employ an actual person rather than a machine... now there's a novelty: why don't we have humans dispense the cash instead and make some jobs in the economy.

  17. Stevie Silver badge

    Bah!

    %s/Release (Wads_Of_Cash)/Release (Cloud_Of_Phosgene)/g

  18. ecofeco Silver badge

    Well what did they expect?

    This is what happens when you pay your tech support people peanuts and the crooks offer enough money to move to another part of the world and live at least better than where they are now. Of course it's going to be an inside job.

    It's also what happens when you keep using XP on your ATMs.

  19. Herby

    Maybe the entire ATM universe needs a refit!

    Sounds to me like a Raspberry Pi can probably do the trick. Might need a USB hub to connect the cash dispenser, touchscreen, and keypad. After that, a nice version of software would work nicely. Then add tamper switches that require a proper USB key to confirm proper access. If not inserted in a certain time things might not work correctly until things are more validated.

    The software CAN'T be that hard. If they make it open source, it might be peer reviewed and be even better.

    Like "military intelligence", "windows embedded" is a true oxymoron!

    1. Richard 12 Silver badge

      Re: Maybe the entire ATM universe needs a refit!

      They'd just swap the SD card.

      The OS and hardware aren't the problem, it's the physical access.

  20. PipV

    What!!!

    'If the thief doesn't know how to calculate the unlock key from the random seed, he or she can phone a crime boss who knows the algorithm and does the maths'

    Sure there must be an App for that?

  21. JaitcH
    Happy

    Many, many, many moon phases ago I worked for a company ...

    that landed a contract, or rather a subcontract, to fabricate metal boxes for ATMs that had an electrical distribution harness built in to them. It was really done as a favour to the bank in question, as the company also provided other electronic equipment for them.

    As QC manager, I had certain functions that required me to unlock the finished enclosures using a serialised key that had been given to myself and a couple of others.

    After bashing out many thousands of these 'boxes' the contract was completed and we carried on to other work.

    But no one ever bothered to collect these keys! The other two that had them returned them to me and I simply left them in the stores department.

    Long story short, I still have my key on my key ring even today. Sometimes, when I happen past one of this US bank's ATMs, under its blue, green and white coloured logo, I discreetly insert my key and see if I can just turn the lock.

    The last time I tried this, late last year, it still worked! So, after the passing of 29 years this nameless bank with the blue-green-white logo still has never changed its key combinations. Worse yet, this ATM was in Europe. Imagine the potential!

    1. YetAnotherLocksmith

      Re: Many, many, many moon phases ago I worked for a company ...

      Notable security failure though that is, that doesn't actually get you access to the cash without hacking the software/hardware further. Once opened up by that key, the cash machine has a secure safe inside that houses the cash, with proper steel walls and proper locks.

      That said, the last one I played with took me under 11 minutes to open and "empty" by picking the locks. It also ran OS/2!

      I'm still annoyed it got thrown away.

      1. JaitcH
        Meh

        Re: Many, many, many moon phases ago I worked for a company ...

        @YetAnotherLocksmith:

        I know exactly what is inside - the model was an early one and the separation between the electronics and the cash cassettes very weak. We could, if you knew the technique, open the cash cassette area. We did have a complete mechanical sample in our premises.

        The point I wanted to make is that many of these machines have the very same key combination after all these years. I don't know if my key was a 'master' or not - but I do know it opens the lock.

        I never lifted the cover as there is likely an alarm under it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Many, many, many moon phases ago I worked for a company ...

      There are some Russians who would give you a million in untraceable cash for that key I think.

  22. Nuno trancoso

    Nice new spin...

    First off, it's nothing "outrageous". I still hold dear something I once read that I can't quote verbatim but went along the lines of "If they have physical access, you don't own the box anymore". Oh so true.....

    What I thought hilarious was that the thieves seem to have a lot more foresight than the banks. They actually had what amounts to proper planning.

    Limiting the withdrawal time windows to some days on some hours meant that even if someone went "rogue", they couldn't hit everywhere and blow the cover. Also made the problem look more like a system glitch. Also lets the malware sleep a lot more, thus laying low under the radar.

    But the icing on the cake was the "phone your boss" feature. I mean, it's...priceless. The malware wants ThePowersThatBe to confirm it's clear to go. Now, wouldn't it be nice if the ATM BIOS/OS was as concerned? A nice li'l message as in "I detected something new, please enter confirmation code or I brick the ATM".

    Ah well, as someone pointed out, banks won't care much. Their overall profit margin is good enough to cover these "glitches". Would cost more to do a proper job than to write off the loss.

  23. tony2heads

    In South Africa

    They just blow them up.

    http://www.iol.co.za/dailynews/news/atm-bomb-spree-accused-in-court-1.1756346#.VDar-XV53UY

    "You were only supposed to blow the bloody doors off!"

  24. Unhandle

    It's Windows. What do you expect?

    No surprise here. Why are they using any OS from Microsoft?

Biting the hand that feeds IT © 1998–2020