30
May 14

Thieves Planted Malware to Hack ATMs

facebooktwittergoogle_plusredditpinterestlinkedinmail

A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.

Two men arrested in Macau for allegedly planting malware on local ATMs.

Two men arrested in Macau for allegedly planting malware on local ATMs (shown with equipment reportedly seized from their hotel room).

Authorities in Macau — a Chinese territory approximately 40 miles west of Hong Kong — this week announced the arrest of two Ukrainian men accused of participating in a skimming ring that stole approximately $100,000 from at least seven ATMs. Local police said the men used a device that was connected to a small laptop, and inserted the device into the card acceptance slot on the ATMs.

Armed with this toolset, the authorities said, the men were able to install malware capable of siphoning the customer’s card data and PINs. The device appears to be a rigid green circuit board that is approximately four or five times the length of an ATM card.

According to local press reports (and supplemented by an interview with an employee at one of the local banks who asked not to be named), the insertion of the circuit board caused the software running on the ATMs to crash, temporarily leaving the cash machine with a black, empty screen. The thieves would then remove the device. Soon after, the machine would restart, and begin recording the card and PINs entered by customers who used the compromised machines.

The Macau government alleges that the accused would return a few days after infecting the ATMs to collect the stolen card numbers and PINs. To do this, the thieves would reinsert the specialized chip card to retrieve the purloined data, and then a separate chip card to destroy evidence of the malware. Here’s a look at the devices that Macau authorities say the accused used to insert the malware into ATMs (I’m working on getting clearer photos of this hardware):

Five of the devices Macau police say the thieves used to insert the malware and retrieve stolen data.

Five of the devices Macau police say the thieves used to insert the malware and retrieve stolen data.

Here is a side-view look at the circuit board device:

Source: Yahoo! News

Source: Yahoo! News

And finally, a close-up of one end of the skimming board itself:

Image: orientaldaily.on.cc

Image: orientaldaily.on.cc

ATM attacks that leverage external, physical access to install malware aren’t exactly new, but they’re far less common than skimming devices that are made to be affixed to the cash machine for the duration of the theft. It’s not clear how the malware is being delivered in this case, but in previous attacks of this sort the thieves have been able to connect directly to a USB port somewhere inside the ATMs.

Late last year, a pair of researchers at the Chaos Communication Congress (CCC) conference in Germany detailed a malware attack that drained ATMs at unnamed banks in Europe. In that attack, the crooks cut a chunk out of the ATM’s chassis to expose its USB port, and then inserted a USB stick loaded with malware. The thieves would then replace the cut-out piece of chassis and come back a few days later, and enter a 12-digit code that launched a special interface that displayed the amount of money available in each denomination — along with options for dispensing each kind.

In December 2012, I wrote about an attack in Brazil in which thieves swapped an ATM’s USB-based security camera with a portable keyboard that let them hack the cash machine. In that attack, the crook caused a reboot of the ATM software by punching in a special combination of keys. The thieves then were able to reboot into a custom version of Debian Linux designed to troubleshoot locked or corrupted ATM equipment.

Tags: , ,

78 comments

  1. I think Banks should consider placing ATMs more consistently under the IT division rather than under operations. While Operations may understand the logistics of the couriers and the physical security of the cash, they seldom have enough of a sense of how vulnerable the computers inside are to attacks.

    Besides the fact that a significant number of ATMs still run on the no-longer-supported Windows XP, banks tend to not understand that physical security of the computer is just as important as physical security of the cash inside the ATM box.

    Add on to that that smaller banks will often neglect software patching or will utilize USB Thumb drives to patch ATMs rather than utilizing a network connection and the hits just keep coming.

    • While I agree fully with your point about the physical security of the computer in ATMs, I’m not sure I’d agree that workflow shifts inside banks would improve things. Seems to me that manufacturers of these systems are the ones who’d have to get onboard with providing the same level of security for the electronics as for the cash. They’d want to physically “vault” the electronics (so as to prevent the sort of cut-away physical compromise described above) as well as get the developers to tighten code up more so that inputs like the long green board with the malware doesn’t happen.

      I think many small and midsized banks just purchase ATM systems turnkey, don’t they? If that’s the case, I’d say onus should be as much on the manufacturers as on the banks themselves to demand it.

      • In the US at least, Banks don’t own any of the ATMS, even at Branches, They are owned by DIEBOLD or NCR or …. whatever. Those are the companies who also make the very vulnerable voting machines known from the 2000 Elections.

        Many ATMs used to run OS/2, now XP Embedded, there’s a lot of crap out there that’s vulnerable.

        How this works is simply genius though.

        Use a card adaptor to emulate a keyboard, send keystrokes and code down the neck of ATM and voila! instant chaos.

        • Uhh…no.

          Diebold and NCR (among others) manufacture and service ATMs, while the banks themselves own the hardware. Third-party leasing companies may partner with ATM manufacturers but to my knowledge neither of the two you named are directly involved in the hardware-as-a-service business model.

          • Can we all at least agree that the *manufacturers* of the ATMs are ultimately responsible for designing a physically secure solution, regardless of who owns or leases the ATM?

            • In the beginning (1970-2000), the processor card cage was located in the secure chest with the cash. The change to move the processor to the non-secure upper cabinet was driven by the banks themselves. The thing is, the banks want all the non-cash parts of the ATM outside the secure chest as it simplifies servicing. You see, physical access to the secure chest (where the money is) is a big deal and usually the branch personnel cant open it. It takes a call to either a 3rd party cash servicing company or someone at the bank with the rights to open the chest.

              You have to remember for the banks this is all about risk management. If the processor is in the secure chest, then their servicing costs go up. They balance that against the cost of fraud. In the US at least, service costs greatly outweigh the risk of fraud. Remember, in the US at least, the most common ATM crime is a mugging or robbery, not sophisticated fraud.

        • I was astounded recently to actually see a Diabold ATM running a Windows product with all its issues. I had assumed it was running a secure OS such as a dedicated Unix or Linux kernel.

          I find it interesting that the card reader I/O recognizes & allows something other than just the card read data.

          • Well i can give almost 100% sure that NCR and Wincor do not allow more then the card reading … he expect x amount of commands and only work if the card is trap under a metal device that is shut down if the card is too long or not trapped(cut from outside access) the device just do not read the card at all.

    • Don’t confuse XP-consumer with XP-embedded, the latter of which is supported until at least January 2016.
      http://support.microsoft.com/lifecycle/default.aspx?LN=en-us&x=10&y=8&p1=3220

      All ATMs should be moved into buildings with humans watching, e.g. bank lobbies and grocery stores (next to customer service), where it will be much more difficult for thieves to physically attack them.

      • Thanks for clarifying on the difference between XP versions.

        I believe moving ATMs indoors would not be seen as a valid suggestion to most banks and most consumers. The idea of an ATM is to have to have it conveniently available 24 hours per day. I go to the ATM to avoid going into the lobby.

        I believe the answer is that the manufacturers need to secure the electronics and I believe this push will be driven by banks asking for that as they face increased loss from compromised machines.

  2. Brian – In your opinion, does this type of physical hack suggest that the designers have a source inside the specific ATM manufacturer or that the manufacturer’s networks has been hacked so that an external party can get the technical specs of the machines?

    • It’s pretty clear that the people who devised this scheme had access to a functional ATM for many days. Specifications might speed things up, but an actual ATM would be necessary for testing.

      Sounds like it is time for ATM vendors to add some defensive measures, for example, if an ATM reboots, network access to it is immediately halted until a repairman can investigate.

      • Isn’t investigating an unexpected reboot an IT fundamental?
        It is where I come from….

        • Yes, of course, but go back and read the important point about “network access to it is immediately halted” by the system with which the ATMs communicate. If this is done, someone cannot commandeer the ATM as Brian described because it will be out-of-order.

          • 1. externally, you would see a connection drop, thats about it. one could guess it’s from a reboot, but that is behavior bases, so could be spoofed.

            2. The malware could put up any customer front end they want, including asking for your pin, and dispensing cash.

            3. a dos attack becomes easier… the miscreants could knock out the entire system by causing them all to just reboot, which turns any flaw which causes a reboot into a systematic and large scale event as each reboot is investigated and cleared.

            4. this is just a fancy version of paper scissors, rock.

            • Brian wrote: “the insertion of the circuit board caused the software running on the ATMs to crash, temporarily leaving the cash machine with a black, empty screen. The thieves would then remove the device. Soon after, the machine would restart, and begin recording the card and PINs entered by customers who used the compromised machines.”

              Lee Church gave us four points which I address below:
              1) The connection would not drop for a few seconds; it would drop for the time an ATM takes to completely reboot. I’m guessing that amount of time exceeds a minute. Having the network exclude an ATM which had been unavailable for more than one minute would not cause a systemic problem, especially given that if a non-hacked ATM continues to reboot due to hardware errors, it should be overhauled. And the bank should sent a repairman ASAP.

              2) I assumed that ATM designers build the hardware to shutdown if the network is unavailable. Perhaps I am mistaken.

              3) Please expound on the amount of time it would take for cyber-thieves to attack just one system. Then multiply that by the number of ATMs in an area. Don’t forget to include risk factors, e.g. being seen in the act.

              4) That is why I believe that all ATMs must be moved into manned areas.

              • i like the reasoning in your post.

                the rebooting doesn’t have to be slow, as one can boot a smaller os such as linux pretty quick. but nonetheless all the remote end would see is there isn’t a connection. that could be telecom, etc. the point is one can see the connection dropped and that’s about it. if one really knows what they are working with one can guess, but thats all it is. for example, i once moved a call center to a backup switch because while i was walking through the call center i heard ‘hello, hello’, and ‘are you there?’ from several operators in increasing frequency across a bunch of different trunks. the switch crashed soon after. the post mortem was a memory leak which was going parabolic. so i agree that one can deduce and guess…but that ends up becoming a weakness because that guess can be gamed.

              • assuming it’s rebooting under the hac kers control, any such lockouts would be tough. imagine the machine does not boot without network, and network is turned off if down for too long.

                you end with a network outage taking out the atm with a race condition. there may be switch in the network rebooting which then escalates to atms knocked out. that’s just one scenario, but there are many. in general default to offline leads to less availability.

              • 3)i’m going to skip your request for blueprint, no offense.

                • #2 is the more interesting one.

                  I once worked on an autonomous vehicle project. We used an RTE instead of a typical OS, so we were forced to write everything. I was the one who wrote the logic that would result in the vehicle stopping if unforeseen events intervened — and it worked perfectly throughout the years of the project. This is why I have no sympathy for ATM designers who release products which can be hacked so easily.

                  • i agree with the default fail safe design.

                    the basic problem is that there isn’t any mechanism for grandma to verify hat ghe system isn’t hacked. a super chip, pin, and display on the card would allow grandma to see ene to end confirmation before entering her pin…all the brainstorming solutions i’ve heard seem to skip allowing the user to authenticate the system they are accessing.

                    sorry about the terse replies, i’m not a fan of on screen keyboards,yet.

                    • At some point you gotta wonder how far it is worth to outsource this job from being done by a real person…

              • there was an atm in the dominican republic that was hacked, it would double up your withdrawl. it was inside the bank.

                a manned machine sounds nice, but it is back to trusting that ‘man’. and another round of paper scissors rock all over again.

                that ‘man’ needs to make more stopping the theft than he would make from allowing it, or doing it.

                all of this is just moving the risk around, it’s not allowing the user to authenticate the system.

                when you harden the hard targets, you just soften the soft targets.

              • What about all the ATM’s that have dial-on-demand access back to base?

                Ever notice that sometimes ATM’s (or eftpos machines in stores) take ages to approve a transaction? Thats usually the ATM using ISDN to dial back to base, negotiate the PPP, then probably the IPSEC into the bank, the processing the transaction.

                Many ATM’s sit idle and isolated from the network for a very long time.

                Network providers have outages – should a bank have to roll a truck everytime Verizon has a hiccup?

                Power outages happen all the time, again, does the bank need to physically inspect an ATM after that?

                • “What about all the ATM’s that have dial-on-demand access back to base?”

                  I’m not in the banking business, so I assumed those were gone by now. Given the current hacking danger, I think it is time to give all ATMs a constant connection, even at a low speed. Landlines are cheap.

                  As for rolling trucks, Jamie Dimon of Chase has earned around $20 million per year for the past few years, even though the London Whale debacle occurred on his watch. I think banks have plenty of money to roll trucks; they just need to divide it more equitably.

                  As for power outages, include a battery backup. Power outages generally do not last for more than five minutes, so the battery required will not be more expensive than in a cheap (less than $100) UPS.

                  It sounds like the entire ATM system needs a redesign.

                  • That’s a bit of a first world centric view. Third world / developing nations often struggle with iffy power and telecommunications. Its not uncommon in rural India and China for there to be daily extended power outages. Obviously there is different ATM hardware for different markets (solar powered / low power ATMs are offered by the big vendors), but its unrealistic to think that a constant comm connection can be a requirement for a device whose sole function is to offer unattended services. Pretty soon its going to be cheaper to just let the rural 3rd world populations remain unbanked.

                  • It will always be a tradeoff… At some point the cost of triple redundant hardware, networking, surveillance, and maintenance becomes higher than just hiring some tellers to work late.

      • Well manufactures have defensive layers, the shutter (“door”) of the card reader only accept commands or even read the chip if the card is trap inside device if you have a device like that you would have to somehow…someway override the firmware bypass all sensors of the device (card reader) force the reading of the chip or circuit with that green device, then ask the firmware to unplug(assuming that the card reader is a usb connected) the device (disable) then unable again install a specific driver and then firmware home made by the attackers that send something else to the OS after a reading of the chip. Do you have any ideia of how remote almost impossible this is… well i love krebs post’s but this is almost not like him to believe in something like this .

    • I don’t know about attackers, but notable researchers have purchased machines so they can examine, reverse and test against them without any limitations (e.g. the late Barnaby Jack and his ATM ‘jackpotting’ attack).

      • It’s safe to assume that if it exists in the marketplace (white, gray or black) then bad actors have obtained the technology and use it for purposes of attack surfacing.

        Remember this, security folks: eBay’s (not always) your buddy – especially if proprietary or regulated technology somehow falls off the delivery truck and ends up for auction.

  3. This reminds me of a customer of mine back when I was in sales. This person worked in “correctional facilities” (i.e. prisons). She noted that there was consistently a depressingly sizable class of inmate who had remarkable intelligence, but always chose to bend it 100% towards circumventing whatever rules and structure were in place around them. My customer’s stated belief was that if those inmates would bend their notable intelligence towards constructive, legal pursuits, they’d be every bit as successful if not more so than they were doing crime. But they *chose* to act the way they did, and that mindset manifested in their day to day acts in prison.

    That sort of feels like a cliché of an incarceration professional. It’s what I regarded it as at the time, but it seems to me that her point – an almost maddening desire to circumvent as opposed to contribute constructively – has been proven time and time.

    What does that have to do with this? Pretty much what she intimated: It’s amazing just how hard and total some people bend their abilities towards 1. “Hacking” (i.e. malicious subversion of systems) and 2. Criminal activities. You get the impression that some of these folks would be successful in IT had they not found greater satisfaction – and even joy – in security subversion. The particular ATM “hacks” here aren’t all that complicated; in the one, cutting away at an ATM doesn’t post intellectual challenge beyond studying the construction. But they DO appear symptomatic of people who just have a desire to compromise, subvert, and “hack” things.

    There are likely easier ways to steal money; choosing to do so in the ways noted here must be motivated by something beyond mere desire to steal. At least that’s my thesis, seeded by that customer’s observation from decades past.

    • According to Willie Sutton, he never actually said that he robbed banks because “where that’s the money is”. Here’s what he did say in his autobiography: “Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life.” Substitute “network” or “just about any digital entity” for “bank,” and you have a pretty good definition of a career criminal hacker.

      • Sorry for the typo. The famous quote erroneously attributed to Willie Sutton should read “that’s where the money is.”

        • true enough.

          first, though the reference is valid, it’s self-referential, willie talking about willie. so it’s confirmation of what he said, not whether what he said was accurate.

          the saying of ‘when the words and actions don’t match, look at the actions for the truth’ may apply to old willie.

          it may be that he felt those things, but’s also true he seemed to be at places that had a lot of money. he did not rob bums on the street…as far as we know.

          i suspect it’s just the psychology of rationalization his actions to himself that are behind those quotes. he needs to believe it, or he has to acknowledge that he wasn’t a very good person.

          much is the same with the modern day miscreants who blame their victims, and/or rationalize their bad behavior.

          anyway, i agree with you, but even if willie believed what he said, i don’t believe him.

  4. It would make sense if the computer that runs these machine were physically placed way from the money itself, perhaps in the banks safe or an encrypted server.

    • Well, you can’t exactly put the card reader inside there, which is what the device seems to be targeting.

    • How would that have prevented it from loading/running the malware or them skimming the card reader?

  5. This sounds different from the physical hacks like sawing a hole in the machine to find maintenance ports. This sounds like a card can be loaded with malware and infect the machine as it reads the card’s mag strip, a “code injection” attack against poorly written software.

  6. I am continually amazed at not only the incredible expertise and competence of these crooks, but also, given their talents, why they don’t use their talents to do honest work? Surely the payoff is better than a prison sentence?

    • “Surely the payoff is better than a prison sentence?”

      It would be if they were all caught and convicted. The sad reality is that the vast majority of them will not suffer the consequences.

  7. I work in IT Security for a bank. We have one person who is the liason between Security Operations and the Electronic Banking people. They have weekly meetings (which include at least one representative from the ATM vendor as well) and share information daily. Sec Ops does risk assessments and provides guidance and management on how to configure the firewalls, IPS, and AV for the individual ATMs.
    Both departments have been working closely for nearly 15 years and we are all on a first name basis with our assigned resources from the vendor. I imagine any mid to large sized bank has something similar in place.

  8. TheOreganoRouter.onion.it

    Wow, Krebs is on fire this week with the real interesting articles .

  9. It would be nice if these reports named names. Who made the ATM that could be hacked by sticking a dongle in the card slot? Would enough customers call their bank and say “I see you’re using Acme ATMs and they have been compromised in these ways. What are you going to to do about it?” How many calls like that would prompt the bank to consider replacing their ATMs? Or at least getting the manufacturers to tighten the security?

  10. Buddies, I come from Hong Kong and this case is interesting enough because in Macau and Hong Kong, there is no such trick made to deploy malware, in fact, I believe the criminals are very familiar with the design.

    They are given 2000 EUROS for such operation, the reward is relatively small. :-)

  11. Maybe if the owner cards didn’t use the magnetic strip. I think it’s time for banks to issue cards with chips. I really don’t understand them but I was told the pin and personal data aren’t given with a chip. But they will wait until it’s too late as is the way with everything. Wait til the banks CEO gets ripped off then you will see something done.

    • Spacely Sprockets

      The way it is now the banks cover the losses at least in the good ole USA. Reg E is very explicit on this and covers the consumer. Once the new EMV chip cards are required the burden shifts from the banks to retailers and consumers. The banks want the card chips, its the retrailers that are delaying the implamentation. You think Target wants to be responsible if another data breach was to happen? They (retailers i.e. Wallmart, Target) will prolong the EMV cards for as long as they can.

      • Earthly Gears

        That’s not entirely fair or accurate. EMV is not the panacea it’s being portrayed as. There are several papers on proof of concepts breaking the security, and even attacks in the wild. http://www.nfc.cc/2012/09/14/emv-hacked-again-unpredictable-numbers-are-predictable/

        Why would any sound minded retailer want to spend millions on hardware and software upgrades only to not only make the system no more secure, but also accept all liability?

        EMV isn’t the answer, point to point/end to end encryption is. The retailers are happy to invest in full loop encryption, and speaking on behalf of my company, I don’t have an issue with accepting fraud liability once such a system is implemented, as the possible attacks, attack surface are minimal and make sound business sense.

        The retails do not have a voice or a seat at the big boy table when it comes to making these decisions. That’s the way the banks want it, and that’s the way the banks like it. Seems as though there are more bankers than retailers on this board, I challenge the bankers to put themselves in the retailers shoes vs simply painting us as the bad guy in all of this.

    • The picture shows a smart card reader and several smart cards, so it is safe to assume that they are using chip cards – most of the world other than the US does.
      The device looks similar to one that I built to intercept the APDU traffic to and from the card. The hack is most likely a typical buffer overflow caused by sending a very long APDU. Since the spec limits APDU buffers to (IIRC) 128 bytes, it is very common to use fixed length buffers and no checking.

    • The picture shows a smart card reader and several smart cards, so it is safe to assume that they are using chip cards – most of the world other than the US does.
      The device looks similar to one that I built to intercept the APDU traffic to and from the card. The hack is most likely a typical buffer overflow caused by sending a very long APDU. Since the spec limits APDU buffers to (IIRC) 128 bytes, it is very common to use fixed length buffers and no checking.

      • That’s the most plausible explanation that I have seen so far.

        But it just goes to show you how careful you need to be these days. Both from the standpoint of using ATM machines, and also when developing software.

      • I was thinking the device was being used to overwrite Flash Memory to perform the functions they wanted.

      • Dear Ted,

        So the explanation is good but… NCR, Diebold, Wincor do not support smart card reading while the card is on the open (lets say not trapped inside the device) for that and for the card reach the reading phase you need to pass by the 1.door and after the shutter closes he will forward the card to a smaller “space” and shut another door, only then the card get’s to the reading phase and the software (firmware) is waiting for a specific response i would believe that you somehow could just overwrite that in good very good security bug(BOF for example) but that is invalid since they were using a device that kept the shutter open.

  12. “Macau …this week announced the arrest of two Ukrainian men”, so foreign nationals arrested in Communist China for committing a financial crime. They are so toast! This morning I had a feeling that today was going to be a good day and, so far, I am correct. Thanks Brian!

  13. These hackers are really getting so much smarter. What is the best way for people to avoid becoming a victim of this problem?
    Also, a little sketchy that they couldn’t release which bank it was… makes me a little nervous.

    • Use banks in the following manner, prioritized with #1 being the most preferential:
      1) Go into a bank and transact with a human
      2) Use ATMs in a bank branch staffed by humans
      3) Use ATMs in a building where the employees will notice someone inserting long devices or cutting holes in the side

      Only use ATMs which are outside and unmonitored if you have a cash emergency and only after you try to pull off every part of it to ensure that it has not been modified. And always cover the keypad with your non-typing hand to hinder prying eyes.

      The 24-hour lifestyle is so over-rated.

      • I find myself doing this at every ATM or gas pump I visit now. Variously pulling, tugging, and wiggling every exposed part of it to (hopefully) verify that it is a legit part of the machine, not some glued-on skimmer device. Maybe its just whistling in the dark, but at least I feel a little better about it…

  14. Hi. Found a HK video in Youtube with this, from Bastille Post:

    https://www.youtube.com/watch?v=qwwnJARvAXM

  15. Ukrainian ATM maintenance men wear very odd work clothes, these namby pamby’s would make better house painters than engineers. They probably got shipped off to Macau because they didn’t have the hankerin’ to join in the fight like a good Hessian would. I’m a guessin’ these bow-legged varmints didn’t expect to get caught so soon or at all. Now their a gonna be spendin some quality time with other galoots there in Macau. All I can say is what a couple of idgits.

    They’re never getting out of this country for these crimes. The Macau Law Enforcement mean business. This is the new ‘Midnight Express’

  16. Anyone know how to STOP notifications from this page?

  17. Richard Steven Hack

    This reminds me of the scene in Terminator 2 where the young John Connor inserts a device into an ATM which attached to what appeared to be an Atari computer which allows him to siphon money out of the ATM. :-)

  18. The card interceptor is still widely used here in Indonesia but not as regularly as before. It’s as if they have said to themselves, “We will wait for a while and lull the public into thinking we have gone away” and then attack again sporadically for a few days. Stupidly most get caught which mystifies me.

  19. All internal USB ports should be equipped with door covers and security locks. The card port should have motion detectors that lock out and send an alarm if they sense someone jiggling it. All low tech and effective.

  20. So , putting masks on the bad guys is now the Clinton/Obama/Mooch political correct thing to do so there feelings oh-oh-oh fee—lings, aren’t hurt. Bad men are just that! Ask the good guys about hunting down bad guys.
    Let’s hear about their criminal record and movements over the past 5 years.
    Big Sally is mad as hell as is on the move

    • Given that Macau is one of the two Special Administrative Regions of China, with the other being Hong Kong, and that China and the U.S are not playing nice anymore (see URL below), we can safely conclude that “Clinton/Obama/Mooch” have nothing to do with it.
      http://www.reuters.com/article/2014/05/31/us-asia-security-idUSKBN0EB03520140531

    • It seems to be the law in much of the developed world outside the U.S. that a criminal defendant’s identity cannot be publicized unless and until he is found guilty in court. I’m sure that’s something your buddy George Zimmerman would have appreciated.

  21. Brian provides an invaluable service to InfoSec pros with his reports. That said, commenters like @PCCobbler need to remember that no business should pay for controls that outweigh their benefit. ATMs process literally trillions of $ of transactions safely, and loss levels are minute. And any consumer losses are covered by the bank. Moving all ATMs inside is just … stupid.

    • Commenters like @CrowChaser need to remember that mindless infatuation with libertarianism leads to situations like China where the land, rivers, and lakes are highly polluted.

      “64% of groundwater in 118 Chinese cities is ‘severely polluted’” (www.usatoday.com/story/news/world/2013/02/20/china-polluted-rivers/1933187/)
      “Pollution from China travels in large quantities across the Pacific Ocean to the United States” (www.foxnews.com/health/2014/01/21/china-pollution-wafting-across-pacific-to-blanket-us-report-shows/)

      “no business should pay for controls that outweigh their benefit”

      And who decides what the value of that benefit is? We used to allow companies to dump anything into the air and waters. The benefit of preventing toxic wastes from leaving their factories *for them* was very small, but the benefit to society was huge.

      “And any consumer losses are covered by the bank”

      And then passed on to the consumer.

      • another round of paper,scissors, rock.

        first,moving atm’s isjust that; just moving the problem.

        second, the compartmentalized view, as you pointed out, just shifts risk around as well. in fact they encourage shifting those risks in time, and to folks who are less capable of defending themselves.

        as i’ve pointed out in the past, the entire authentication process is on authenticating access, which is only half the equation. the users, consumers, and grandma, can’t authenticate the system they are putting their card into. they are reduced to looking for whether it’s suspicious, outside, etc. but no authentication of the system.

        as another poster pointed out above, the emv shifts risks, so is favorable to the banks, and less so for grandma, who still isn’t able to authenticate the system being accessed.

        i think we can all agree it’s a mess.

  22. A lot of work went into the development of this scheme – creating hardware from scratch, creating the right kind of malware, multiple visits to the ATM, cutting a hole in the side of the chassis to insert USB, etc etc… At some point, isn’t it just easier to cut open the chassis and remove the canister with the cash in it? Dead simple, right? I mean, I know that its bolted down, and supposedly well secured, but at what point does it become easier to just cut it out? Plus once you hit the machine once, you never have to come back, risking capture… I know I’ve heard anecdotal stories of someone just making off with the whole ATM.

  23. How do they inject the malware??? It is absolutely not clear, it sounds like clouds and flowers…

  24. Some interesting elements:
    1) 5 devices and 2 men caught? Hmmmm
    2) Why the AA battery? And with one, they would have to boost the voltage, furthering the complexity of the circuit, why not just use 3xAA? USB and the smart-card socket provide 5V, why not utilize that? Did the PCB connect through an intended debug interface, or was there one (JTAG, USB, RS232, whatever) that just happened to be accessible *through* the card slot?
    3) Why so many batteries and cell phones?
    4) Why so many cutouts on the professionally-constructed PCB? This just cuts strength for no seeming benefit
    5) That is a very odd-sized soldering iron, more for glassmaking rather than circuit work
    6) There are a lot of what seem to be SIM cards
    7) If Macau is on chip-and-pin, then where did they program the stolen data? I thought one couldn’t program a chip-and-pin card. Were ATMs locally falling back on the magnetic stripe?
    8) Why the thin bare wire down the side of the device, that seems to extend past the front? An antenna? Something to fish it back out?

    This is all very bizarre.
    9) Evidently there are multiple revisions/iterations of the device, and some hand soldered improvements/corrections had been made.


Read previous post:
True Goodbye: ‘Using TrueCrypt Is Not Secure’

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this...

Close