USB Sticks Used In Robbery of ATMs

First time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12 digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."

  • by bleh-of-the-huns ( 17740 ) on Monday December 30, 2013 @02:26PM (#45820215)

    Google the subject, he performed this attack live at both Blackhat and Defcon 18. It was definitely an eye opener, and one of the reasons I tend to avoid those rental ATMs you see in mom and pop stores, and restaurants/bars...

    Yes, I realize that even the major bank ATMs are susceptible, but at least with a major bank you have some recourse if you have issues.

  • by Richard_at_work ( 517087 ) on Monday December 30, 2013 @02:32PM (#45820289)

    In the UK you cannot access the internals of the ATM unit without either accessing the rear of the machine, which is locked away in the safe that they mention, or by cutting into the fascia of the external face, which is what they did here.

    You cannot gain access to the ATM simply by using a key bought off of the internet.

    And yes, most ATMs in the UK have a video camera on them to help identify fraudsters, but that does NOT help prevent the fraud from occurring because someone would have to watch it in real time and intervene. In fact they identified just how this hack was occurring by watching the CCTV footage to see just how the money was going missing, because it wasn't triggering any other alarms.

  • by EMG at MU ( 1194965 ) on Monday December 30, 2013 @02:47PM (#45820425)
    I feel like I might know how something like this happened.

    Dev: "Hey we need to spend some time on security, for example the USB ports are not disabled, if we want to use them for service we should put authentication on them."
    Project Manager: "Well, you have a point but none of our competitors focus on security either and we're also behind on the project. It will be fine and we can fix it next time"

    As an embedded dev I have had that conversation.
  • by lgw ( 121541 ) on Monday December 30, 2013 @02:48PM (#45820443) Journal

    That's what you get from running Windows on ATMs, lol.

    No, it really isn't. I've seen this demo'd at a security conference, and the OS has nothing at all to do with the attack. ATMs have a USB port which can be used to replace the firmware. The port is behind a simple lock, not in the vault with the money.

    This attack replaces the OS on the ATM with the image the attacker provides. What the OS was before the attack really isn't all that relevant. The fact that images aren't signed or anything is.

  • by cusco ( 717999 ) <brian.bixby@gmail . c om> on Monday December 30, 2013 @02:53PM (#45820503)

    I'd be very surprised if the "alternative interface" isn't installed by rebooting the machine off the USB stick. The Diebold voting machines were configured to preferably boot off a USB, and Diebold is still the largest manufacturer of ATMs in the US.

  • by BosstonesOwn ( 794949 ) on Monday December 30, 2013 @02:55PM (#45820529)

    Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

  • by TWX ( 665546 ) on Monday December 30, 2013 @03:06PM (#45820677)
    You mean, the trick I use on the computers I support, by password-protecting the BIOSes and restricting boot to the fixed disk only, a trick that I've used for about twenty years, was ignored on commercial-grade equipment that's responsible for the basic security of our form of government and of our financial system?

    Say it ain't so...
  • by quietwalker ( 969769 ) <pdughi@gmail.com> on Monday December 30, 2013 @03:07PM (#45820697)

    I used to write financial software for a living, including ATM driving software.

    I realized, after a while, that I had certain preconceived notions about the sort of software and hardware that is running on these sorts of high profile, high risk systems. Obviously, the software will have been made highly secure; redundant checks on every action, code signing, etc. It'd likely be running a custom operating system that was built from the ground up and booted off a (P)ROM. The case would be just as impenetrable, with a separate compartment for the computer itself, requiring specialty equipment so that could only really be opened at the point of origin or in a manner certain to destroy the innards - and certainly not in the field.

    Right? I mean, any of us can think up a set of reasonably secure basic premises from which we could build a system like this out of.

    Imagine my surprise when I found out that half of the ATMs out there are just running off-the-shelf Windows desktops, with the original demo software still installed. There's no real optimization, no cleanup, no limited boot, nothing; it's just a desktop machine jammed in a vending machine with a custom card & cable for driving the mechanics of the ATM. Sometimes they're even in the original manufacturer's case (though usually they're just the board). I've also done some work on vending machines, and I can tell you that they're often better made!

    As a software developer, one of the things I was shocked to see was that security for ATMs was almost entirely focused on the physical. There's little to stop someone from hooking up an external line and sending approvals or just do basic proxying - most of the data is sent in the clear, just skim it, or to update the system with a cd or usb if you pull the front cover of the ATM off. Many times, you'll find someone left a keyboard and mouse behind in the unit because it's a pain to always carry your own when doing updates or what have you.

    This follows the same basic trend in the rest of the financial systems I've seen; physical security is very high, software security is relatively low. When it comes down to it, most companies place a focus on tracking transactions rather than securing them, and rely on constant manual review by staff to detect problems (that's why banks close so early - the folks who don't run the registers are in the back doing the day's reconciliation).

  • by i kan reed ( 749298 ) on Monday December 30, 2013 @03:33PM (#45821007) Homepage Journal

    Windows doesn't do that anymore either. It gives the user an option to invoke autoruns, but doesn't trigger them.

    Attacks on USB tend to target the drivers these days, not the OS.

  • by Joce640k ( 829181 ) on Monday December 30, 2013 @03:57PM (#45821291) Homepage

    It's CRIMINALLY STUPID for the USB port to provide any other kind of access by default.

    Remember: This feature was brought to you by the same company who thought it was a good idea to execute .exe files attached to emails without even asking you.

  • by Anonymous Coward on Monday December 30, 2013 @04:03PM (#45821375)

    The USB port is enabled to write the Electronic Journal when Brinks or whoever comes by to refill the ATM. The copy of the journal is then given to the institution responsible for the ATM.
