This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.
The story comes from O Estado de S. Paulo (“The State of São Paulo“), a daily newspaper in Brazil’s largest city. According to the paper, late last month a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, because the thief then was able to insert his own USB stick into the slot previously occupied by the camera. As you can imagine, a scene straight out of Terminator 2 ensued.
The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. The newspaper story isn’t crystal clear on the role of the USB device — whether it served as a replacement operating system or merely served to connect the keyboard to the machine (it’s not hard to imagine why this would be so easy, since most ATMs run on some version of Microsoft Windows, which automatically installs drivers for most USB-based input devices).
At any rate, after the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. According to the story, the thief started by removing all of the R $100 bills, and then moved on to the R $50 notes, and so on.
As clever as this hack was, the crook didn’t get away: The police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the guy they apprehended refused to give up the identity of his accomplice. My guess is the one coaching the thief had inside knowledge about how these machines operated, and perhaps even worked at a financial institution at one point.
These kinds of attacks make traditional ATM skimmer scams look positively prehistoric by comparison. But the sad part is that even really crude skimming devices can be very lucrative and go undetected for months. I was reminded of this last week, when, for the third time in as many months, authorities discovered ATM skimmers at hospitals within a few miles of here. Local police believe the same thieves are responsible for planting all of the fraud devices, which are relatively unsophisticated but nonetheless enabled the theft of thousands of dollars over a period of several weeks.
According to Fairfax County Police, one was discovered on the same ATM located near the lobby gift shop at Inova Fairfax Hospital on Tuesday, November 27. A hospital employee noticed that the input slot for the card was loose and wobbly; when she inserted her bank card, the device fell off.
A second device was discovered on a machine located in the Inova Fair Oaks Hospital lobby adjacent to the cafeteria on Wednesday, November 28 around 1 p.m. A hospital security guard discovered the device after being notified of the prior incident.
In September, Fairfax police recovered a remarkably similar skimmer from that very same ATM in front of the Fairfax hospital gift shop. I popped by the hospital today and snagged a picture of the cash machine in question (at left, and sadly, I did not discover another skimmer).
Interestingly, the police said that none of these bank machines are either owned or “monitored” by Inova staff; while they are are located on hospital property, the banking institutions that own them are responsible for their maintenance and management.
I doubt these skimmers would have gone undiscovered for weeks a time had they been attached to ATMs at actual bank branches. These incidents are a good reminder that, whenever possible, stick to ATMs located at bank branches. And, as always, keep a close eye on your bank statement for fraudulent charges.
We are all eager to learn about what was on that stick. That it was possible to take over the ATM by some means certainly points to a security flaw: a need for extra authentication when rebooting, perhaps. Might have to be implemented at the hardware/firmware level. But whatever the difficulty, we now know it’s necessary.
I’ve been around ATM’s a long time and have never seen one with a security camera attached to the terminal.
Every security camera I’ve seen on an ATM (if they even have one) is connected to its own DVR. So all you would get would be video.
I wonder if this is one of the new full function ATM’s with deposit and check cashing ability. I’ve never seen an ATM with hardware strong enough to handle storing video. Most can only handle small jpeg images only.
Um caixa eletrônico do Banco do Brasil teve mais de R$ 80.000 furtados na noite de ontem, após as 22h na cidade de São Paulo por um sujeito que espetou um pendrive USB no local da câmera do caixa (câmera USB) e provocou o reboot com uma combinação de teclas.
O reboot foi feito através de uma imagem Linux Debian preparada para esta finalidade internamente pelo próprio setor de TI, departamento de manutenção, do BB com a finalidade de servir à manutenção emergencial de equipamentos travados ou corrompidos.
Atualização(18:27h): Este é o segundo caso este mês envolvendo o mesmo modo de operação.
Durante a manobra, o sujeito recebia instruções do passo-a-passo através de celular vindas de outro sujeito, funcionário do BB responsável pela facilitação e vazamento dos procedimentos e software.
Sabemos que para a queda do software nas mãos do criminoso houve a participação de pelo menos mais um indivíduo, membro da equipe de manutenção externa do BB, terceirizado. Ele porta o software em pendrive e sem levantar suspeitas forneceu por minutos seu pendrive de campo para ser copiado quando estava em serviço.
Sign in our inteligence services
Translation by translate.google.com:
An ATM of the Bank of Brazil had more than $ 80,000 stolen last night, after 22h in São Paulo by a guy who stuck a USB stick at the camera location of the box (USB camera) and caused the reboot with a combination of keys.
The reboot was done through a Debian Linux image prepared for this purpose internally by the IT sector, the maintenance department, the BB in order to serve the emergency maintenance equipment locked or corrupted.
Updating (18:27 h): This is the second case this month involving the same operating mode.
During the maneuver, the subject received instructions step-by-step through cell came from another subject, the BB official responsible for facilitating and leak procedures and software.
We know that for the fall of the software in the hands of the criminal was attended by at least one individual member of the maintenance team outside of BB, outsourced. It port the software on pendrive without arousing suspicion minutes provided by your pendrive field to be copied when it was in service.
Hi guys, thanks for this. Can you paste the source of this story that mentions the Debian Linux version on the USB?
Hi Mr. Krebs.
The source of information is our company working in the area of infosec, cybernetics intelligence and counter-intelligence.
Oh, I see. I notice that your site wanted $60 to read your story. That might be a little steep for me. Can you tell us how you know that this was a Debian Linux installation? Thanks!
Hi Mr. Krebs.
The source of information on using Debian Linux is an insider in the bank. Fully trust this person and their information.
If the OS was hardened properly the USB device attack would have FAILED.
This flaw has ZERO to do with the Windows OS. Anyone with a strong “TECHNICAL KNOWLEDGE” of the Windows OS knows you can restrict USB device access via policy.
FAIL ON THE BANKS ATM Security Pros – more like amatuers in this case!!!
Hrm. Hard enough to prevent the system from being restarted and booted into another OS? I doubt it. Seems to me the real fail is using a USB camera that could be so easily accessed, but there are still important details about this crime that aren’t clear.
The real fail is that peripheral device technology is a share-all architecture where a port for a camera can subvert an entire machine. The designer should be able to build in limits. We are just now seeing that feature as IO-MMU (Intel VT-d) in modern chips. OS and driver designs also contribute to the problem in that they usually give such code too much leeway. Microkernel OS’s like QNX or INTEGRITY minimize their privilege, as well.
I thought I did posted a reply …
Locking down a computer so it take more then “just” a reboot to boot from an external USB is not too complex. But buying Hardware that does not come from the cheapest supermark might have been a good idea…
The whole point is to ensure that even with internal knowledge, it would have taken more time than the time for the Security forces to turn up… but this increases the maintenance cost also …
Security & Lean are not the best mate unless REALLY well done
All a quick search finds is http://inteligencia.bsrpar.com/, the linked page is missing though.
After the Black Hat ATM attacks, it was only a matter of time before criminals tried doing the same. I wonder if the accomplice was inspired by such work. The camera trick was smart.
Side note: one of the victim ATM company personnel relates their thoughts and experiences about the Black Hat event.
Barnaby started looking into ATMs in *response* to criminals jackpotting ATMs. Criminals almost always get to this type financial fraud first, since they have significant incentives to do so.
Perhaps I should have said “more criminals.” It’s more in line with what I was thinking at the time.
During my CISSP training, one also raised the concern around Camera’s picking up passwords especially in the case of Army or Bank staff having to type Strong Passwords on a regular basis to do some privilege actions… while themselves being monitored by a Camera.
That part of the camera shot had to either be blurred or …
Same could be applied to the Hospital / 4 stars hotel’s lobby / … were those ATM are usually considered as better monitored & safer … but bottom line pin-codes are also type in front of camera’s 🙂
Clearly thieves have often a good time spotting the weakest link
Skimmers at hospitals? I could easily see that.
In the land of Sentara, it seems that all the ATMs are in areas that are less traveled and somewhat hidden from people who want to use them. As the commissary is pretty expensive, I could see the need for the ATMs. But the ATM I started to use, but decided not to go thru with, is not located any where near the commissary. Its location provides an easy vantage point for thieves who want to “watch” it.
The commissary would be the ideal spot for the thief to grab some coffee, sit down with their laptop, and remotely download from the device without being noticed.
In other areas, that type of activity might be noticed or frowned upon, as electronics such as cell phones and wireless cards are seen to adversely affect the telemetry used to monitor patients.
Brian – Your picture of the two machines at the Fairfax Hospital: The machine on the left is not an ATM, it is a RepTrax machine that prints temporary access badges or stickers for vendor representatives. The machine on the right appears to be an ATM and may even have a card slot that matches the card-skimming device shown above.
Thanks for the indirect reminder to email my daughter about using ATM machines in NJ.
Just NJ Dennis? 🙂
As a side not, there was an ad for Kevin Mitnik Security Awareness Training at the end of the article. Kind of ironic since this sound liek something he would have loved doing!
Have they released the make and model of the ATM? One could certainly make assumptions on how it failed if one had this data.
The ATM is the same type of this pics:
Thanks, but I was hoping for the actual manufacturer/model number, which I can’t make out, nor does it look like a make/model I am specifically familiar with having seen the casing (and the image that can be made larger only gives away the display manufacturer). At a minimum it might be a good idea to choose another make/model if given the option (truly, bad design decisions on the hardware maker’s part).