How hackers break into ATMs

[Kevin Lancaster]

How hackers are breaking into ATMs, stealing money

Kaspersky Lab and Interpol warn that infected ATMs around the globe are giving away millions of dollars through cyber attacks

 

[mercurial]

 

[adsl2]

This is insane!

 

[AstroTurf]

lol, doubt it will work here, our atm's are bomb resistant

 

[Baxteen]

mmm maybe I need to get a donkey and a copy of the malware... for science....

 

[Nerfherder]

A unique digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang can accidentally profit from the fraud.

I love it !

No robin hood over here.

 

[Compton_effect]

This is what banks can do to mitigate the risk:

1. Review the physical security of their ATMs and consider investing in quality security solutions.
2. Replace all locks and master keys on the upper hood of the ATM machines and ditch the defaults provided by the manufacturer.
3. Install an alarm and ensure it is in good working order. The cyber-criminals behind Tyupkin only infected ATMs that had no security alarm installed.
4. Change the default BIOS password.
5. Ensure the machines have up-to-date antivirus protection.

Ok. Number 2 is a bit extra cost. But really? Number 4 - default passwords?
The first thing I make sure is done on any server I take ownership of - change the damn passwords. (Ok, there was the one time the idiot of a sysadmin forgot to write it down and we had a world of hurt fixing that mess)

 

[FaSMaN]

I'll just leave this here....

[video=youtube;PW5ELKTivbE]http://www.youtube.com/watch?v=PW5ELKTivbE[/video]

 

[Icko]

"First, they get physical access to the ATMs and insert a bootable CD to install the malware"

How do they do this at first place???

 

[mercurial]

"First, they get physical access to the ATMs and insert a bootable CD to install the malware"

How do they do this at first place???

I would like to know as well.

 

[Compton_effect]

I would like to know as well.

Seems the banks never replaced the keys to the ATM case with new ones. It still had the manufacturer default.
And really - I know its a glorified pc, but you'd expect them to have the points of access locked down. USB ports and CD Rom disconnected. Only have on USB port left working, behind its own lock.

 

[Vegeta]

CD's how old school... USB drive to expensive to waste?

 

[Compton_effect]

CD's how old school? USB drive to expensive to waste?

Most ATM's still run XP embedded...
A major headache for Microsoft - they had to promise to support it for another 2 years.

 

[Fingolfin]

One by one, to a precise schedule, the last bastions of access to anonymous cash are abandoned to banditry. The smear campaign against 'gateway phase' technology continues, enabling the eventual closing of the gate. When that happens...will you be on the inside, or the out?

 

[koeksGHT]

I don't see the OS as the problem, the actual ATM software which connects to the controllers for the dispenser seems to have the issue. Seems like some inside knowledge is needed(well access to an atm)

 

[w1z4rd]

Ok. Number 2 is a bit extra cost. But really? Number 4 - default passwords?
The first thing I make sure is done on any server I take ownership of - change the damn passwords. (Ok, there was the one time the idiot of a sysadmin forgot to write it down and we had a world of hurt fixing that mess)

Windows has a CD you can boot off to reset the password and Linux just requires a small change to the bootloader. What OS where you guys running ?

 

[Petec]

Barnaby Jack demo'd this years ago. Also on many other electronic devices.
The man had him killed, but Jack's work will carry on, exposing these vulnerable systems.

 

[gregmcc]

Awesome trick. You would have thought they wouldnt use default bios password and at least disable the CD in bios.

 

[Grant]

Barnaby Jack demo'd this years ago. Also on many other electronic devices.
The man had him killed, but Jack's work will carry on, exposing these vulnerable systems.

old skool jackpotting

 

[zamicro]

Unfortunately, working for big companies, I have seen too many times that security is not top of the list during development. This does not surprise me one bit.