I was surprised to learn that they run full Windows. In fact, one of the projects I was on had a requirement that we upgrade the OS from XP to Windows 7 for security reasons.
Regardless though, you can make an ATM do whatever you want if you have enough time and access to it. One of our low level debugging tools allowed you to effectively control every aspect of the device, so it could spit out whatever denominations you liked without talking to the bank's mainframe.
We used to have fun printing out ATM receipts showing our fake balances of millions of dollars etc.
This article states that other manufacturers using Kal's software can be targeted as well with some alteration to the code. How possible could that be?
And want to know something else? The UI layer was html + javascript and some funky css that ran on a custom modified version of ie6.
Beneath that, to handle fetching of data, comms, navigation, window management and other business logic etc, we used good old .Net and C#.
It was a bizarre setup from a dev perspective but once you got used to it you could crank out new features incredibly quickly as you had a heavily regimented workflow (Usability trumps _everything_ with these machines).
If you open up an ATM you will find your standard run of the mill beige PC inside it and in fact in many of the older machines they _literally_ stuff an _entire_ PC case in there simply laid on its side.
There is also an extra monitor back there with a little keyboard attached.
The only impressive aspect of ATMs is the engineering that goes into all of the supporting hardware and peripherals such as the stackers, the cash acceptors, the cheque validators, the printers, the recycling cash canisters, the electronic pin pads, the various fraud detection features etc. I found that stuff much more interesting than the dev work I did day to day.
If you, like me, were wondering what the Secret Service (widely recognized for their duties as presidential bodyguards) has to do with ATM fraud, there's a comment below the article from the author:
> I didn’t mention it in the story, but perhaps I should have: The original mission of the Secret Service when it was created in the 1800s was to safeguard the U.S. currency from counterfeiters. Only after a few presidents were assassinated did their mission grow to include protection of the president and other dignitaries. Both are their dual roles today.
I found it interesting that this was not widely known. I am from the UK and was fully aware that this was their other role but it seems many in the US are unfamiliar with this information. I am pretty sure that I have just picked up that information from US film/TV which is why it is surprising to me.
Really? When reminded, I know that I learned this at some point, but US film/TV is definitely responsible for the perception that the Secret Service is entirely around to protect the President.
I knew that they existed at least partially to protect the currency, but I had thought their mission had expanded the other way. I thought their original goal was VIP protection and they somehow got roped into currency protection
If you deposit more than 10k in cash, a bank is obligated to inform the Secret Service's money laundering division per the PATRIOT Act. Secret Service has jurisdiction in a few places you wouldn't expect.
FTL:
"Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, and file reports of cash purchases of these negotiable instruments of more than $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities."
“In 1984, the US Congress passed the Comprehensive Crime Control Act, which extended the Secret Service's jurisdiction over credit card fraud and computer fraud.”
The Secret Service is the law enforcement branch of the Treasury Department, like the FBI is the law enforcement branch of the Justice Department and ICE is of the Dept of Homeland Security. The President-protecting stuff is the weird part of their duties, not the other way around :)
If you ever open up an ATM you'll realise that the majority of things are controlled by serial interfaces (up to 6 of them) for all the motors and pneumatic hardware.
If the operating system becomes hardened enough, you'll eventually have people interface with the serial ports directly to manipulate the cash-drawers directly.
I'm not sure why this hasn't really been done in practice but it shouldn't be too difficult to figure out how to do correctly.
In most ATMs the computer hardware and interface connectors are also all housed in the top (mostly plastic or low-quality cast metal) shrouds (as opposed to the currency locked in a safe). Traditionally wafer locks were also used to secure this section however they are slowly migrating to higher security locks like Abloys.
ATM manufacturers may want to take a look at slot machine manufacturers for clues on how to harden machines against tampering.
I've read (though have no first hand experience) that slot machines have better security and better vetting than electronic voting machines do so I'm not surprised either.
In Nevada the source code for gaming devices is required to be provided to the state gaming commission.
> (c) In the case of a gaming device, a copy of all executable software, including data and graphic information, and a copy of all source code for programs that cannot be reasonably demonstrated to have any use other than in a gaming device, submitted on electronically readable, unalterable media;
But only for "programs that cannot be reasonably demonstrated to have any use other than in a gaming device".
Makes one imagine what kind of political trench wars probably went on behind the scenes about this regulation.
Edit: On second thought, this seems awfully easy to circumvent. What stops me from making a rigged PRNG and then refusing to make the source code available on the grounds that there are lots of non-gambling applications for PRNGs?
The gaming commission also regulates how much each machine must pay out over a given period with a given take. Any machine not in compliance is removed, and the casino can be fined. Continued non-compliance can result in the termination of the casino gaming license.
This was true even before electronic slot machines.
Sounds better but still defeatable. I could track individual players throughout the casino (which is already common practice, I think) and decide on payout depending on how much money I already made through them.
E.g., if someone already dumped a lot of money into other games, I can give them above-average odds of winning and be sure I still make a profit (and they make a loss), otherwise I'll give them below-average odds.
If I tune this right, the average outcome over all players will still look "fair".
Or I simply give the above-average play sessions to strawmen.
Except that that is not allowed. It's individual machines tested in isolation that should perform exactly as legally mandated. The only kind of remote interaction there is is logging to make sure they can prove that the machine performed as advertised and to know when to empty the coin box.
Modern slot machines don't use just local rngs, they essentially obtain lottery tickets from a central computer. That's how you get building-wide jackpots.
But that's the point. If the provision lets me withhold part of the source code from inspection, there is no way to actually verify that I don't do that.
I could hide the above manipulations in some component I don't have to expose and have the machine play nice under testing conditions. (See certain automakers for examples)
You could make a rigged PRNG but the front-end software of the system (different applications) have to display extremely detailed statistics on every function and variable (payouts, money in, number of wins, probabilities etc) and that code will have to be open source. The only upside to interfering with the PRNG would be being able to predict the winning moves based on what's on-screen (assuming what's on-screen is derived from the PRNG).
The actual slot machines themselves are unexpectedly secure. But the back-end environment is usually a total mess. The aim of the admins is to make sure no-one gets to the back-end environment and that's achieved through heavy use of CCTV and port-security on switches.
I remember like 20 years ago on the internet there was a lot of cool video/audio tech always being created and it was funny because it didn't really make sense at the time given bandwidth - but everyone joked it was the porn industry pushing all that money/development (fk, even my dad said that once - ok ok I think I turned out ok). It's funny how we get where we get.
There are easily multiple locks that could be put in place internally.
Encrypt the signal from the host to cash dispenser, have a debugger process that is connected to the host process that also stores the encryption keys and or talks to an HSM. Mitigates tampering of a live system, makes flashing new firmware problematic.
Physically limit the cash dispenser from outputting k bills over n seconds. Have those limits be session based, again signaled by main host process. Would require a full login/logout cycle for k bills.
Most likely, the systems are left wide open internally to ease development and mask bugs.
My ending blanket statement is that finance people know how to be cheap, they can optimize along one axis, replacing a 5$ with a 2$ part, but the really good ones optimize the whole system over a long time horizon.
Your comment is coming from a good place but it’s rooted in ignorance. Most ATM machines are made by NCR and not financial institutions. Majority are also quite old (running Windows XP old).
NCR is focused on profits not security, even though they sell POS (point of sale), ATM machines, and airport kiosks.
From my personal dealings with NCR, I can confirm that they care very little for security, regardless of what their corporate line is.
To put this in perspective: if you go to a grocery store, restaurant, or quick service (fast food) establishment and use a credit card then your full account number, name, and exp is recorded in their system. This information is accessible by anyone with store level admin (not windows admin, but think a manager with manager card).
This violates PCI but hey, fuck PCI, hardening the system takes resources and who wants to do that?
On HN, folks keep talking about security and other such nonsense, however, anyone who has seen the other side isn’t very optimistic. Between ease of use, profit margins, and no pushback on insecure systems, all losses are just write offs.
On a less concrete note, my bank switched from Diebold to NCR and the difference is very apparent to the ATM user. The design is overall clean and bright, and it's much faster. The Diebold has long UI pauses for no apparent reason where the NCR seems not.
Their losses are just write offs...until they aren't, and something major happens. Maybe it will take a company completely going out of business due to poor security standards for others to wake up.
As one of the engineers initially responsible for achieving PCI compliance on these ATMs, this isn’t strictly true - of course it needs to know your account info, but it’s sent to your bank - it’s not stored on the machine at all - certain digits of your card number are written to a paper log but it’s never written in full - can’t speak for POS machines, but would imagine it’s the same
They should probably hire some people from microsoft's xbox department, or sony's playstation department.
A lot of money has gone into locking this hardware down, and I think for the xbox 360, which was released in 2005(!) there is still only one hack they couldn't solve with a software update, and that's soldering to the CPU and glitching it on a specific compare instruction.
I would bet, this "sophisticated malware" is a lot more trivial than glitching the CPU on one specific instruction and having to take a soldering iron to the ATM, then fiddling trying to get the timing exactly right.
Building a chain of trust and authenticate commands to the cash dispenser really shouldn't be an issue.
Really, just put a fucking xbox in these ATMs. Lots of people attacking those while being able to do whatever they want to the hardware with limited to no success. (I don't think anyone has managed to open up the xbox one?)
The problem with hardware lockdown is that at the end of the day x-boxes and PlayStations are only interacting with a screen to display media.
ATMs on the other hand are designed to interact with physical hardware that sucks money up and spits it out. Locking down the operating system is easy, but if the hardware is controlled by serial interfaces then you've got a weak point there unless the serial interfaces are encrypted (spoiler, they are not!). To encrypt them you'd need to put something at the OS side and something at the hardware (pneumatics/motors) side and ensure they aren't accessible (ie, located inside the safe part of the ATM). It's not impossible to do, but I somehow doubt they'll do it anyway.
No, it's not. Look at pretty much every console ever made except for the xbox 360/one.
> unless the serial interfaces are encrypted (spoiler, they are not!)
Yeah and that's obviously a problem. Nitpick though, the interface doesn't need to be encrypted, messages just need to be authenticated. Confidentiality of these messages isn't really important since you'll see the cash coming out, and you actually probably need some kind of challenge/response protocol to avoid replay attacks.
But you want them authenticated by a key that is very difficult to get out of the thing controlling the cash dispenser/serial/whatever. Which is why I said put a gaming console in there, millions of dollars have already been spent, and are still being spent making sure nobody is getting secret keys out of them, even with full access to the hardware.
> To encrypt them you'd need to put something at the OS side and something at the hardware (pneumatics/motors) side and ensure they aren't accessible (ie, located inside the safe part of the ATM). It's not impossible to do, but I somehow doubt they'll do it anyway.
Well no, that's the point. You only need to make sure the pneumatics/motors only take authenticated commands, and that nobody can mess with those. For the OS side you piggy back off console security.
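A sketch of the design discussed in the comment above (authenticate dispenser commands with a challenge/response instead of encrypting the serial link), combined with the earlier suggestion in the thread to cap k bills per n seconds. This is an added example, not code from any commenter or ATM vendor; the message layout, key handling, class and function names, and the 40-bills-per-300-seconds limit are all assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time


def sign_dispense(key: bytes, nonce: bytes, count: int) -> bytes:
    """Host side: MAC over the dispenser's fresh nonce and the bill count."""
    msg = b"DISPENSE" + nonce + struct.pack(">H", count)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Dispenser:
    """Hypothetical dispenser-side controller, assumed to sit inside the safe."""

    def __init__(self, key, max_bills, window_s, clock=time.monotonic):
        self._key = key
        self._max_bills = max_bills    # k: bills allowed per window
        self._window_s = window_s      # n: window length in seconds
        self._clock = clock
        self._nonce = None             # outstanding challenge, if any
        self._history = []             # (timestamp, bills) of accepted commands

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; each nonce authorises one command."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def dispense(self, count: int, tag: bytes) -> str:
        # Consume the nonce first so a captured (command, tag) pair can
        # never be accepted twice, whatever the outcome of this attempt.
        nonce, self._nonce = self._nonce, None
        if nonce is None:
            return "no-challenge"
        if not 1 <= count <= self._max_bills:
            return "bad-count"
        expected = sign_dispense(self._key, nonce, count)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        # Enforce the limit on the dispenser, not on the (untrusted) host.
        now = self._clock()
        self._history = [(t, c) for t, c in self._history
                         if now - t < self._window_s]
        if sum(c for _, c in self._history) + count > self._max_bills:
            return "rate-limited"
        self._history.append((now, count))
        return "ok"


def demo() -> dict:
    """Run constructed scenarios against the controller with a fake clock."""
    key = secrets.token_bytes(32)  # constructed; assumed provisioned at both ends
    now = [0.0]
    d = Dispenser(key, max_bills=40, window_s=300, clock=lambda: now[0])
    out = {}

    nonce = d.challenge()
    tag = sign_dispense(key, nonce, 10)
    out["legit"] = d.dispense(10, tag)

    # Replaying the captured tag: once with no challenge, once against a new nonce.
    out["replay_no_challenge"] = d.dispense(10, tag)
    d.challenge()
    out["replay_new_nonce"] = d.dispense(10, tag)

    # A host that does not hold the key cannot produce a valid tag.
    nonce = d.challenge()
    out["wrong_key"] = d.dispense(10, sign_dispense(b"\x00" * 32, nonce, 10))

    # Changing the count after signing invalidates the tag.
    nonce = d.challenge()
    out["tampered_count"] = d.dispense(40, sign_dispense(key, nonce, 10))

    # Even a correctly authenticated host is capped: 10 + 40 > 40 in this window.
    nonce = d.challenge()
    out["over_limit"] = d.dispense(40, sign_dispense(key, nonce, 40))

    # After the window has elapsed the budget is available again.
    now[0] = 301.0
    nonce = d.challenge()
    out["after_window"] = d.dispense(40, sign_dispense(key, nonce, 40))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The sketch only covers the message check; it says nothing about how the key is kept out of reach on the host side, which is the part the comment proposes to borrow from console hardware.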
Microsoft and Apple have put a lot of thought into the security architectures of their consumer hardware. I've made this exact argument before -- just put the ATM app into a console title. It's the most secure hunk of readily available computing hardware, right off the shelf at Target.
But breaches happen, and lead to lawsuits, and I can just imagine trying to impress a jury about the security of your ATM while the other side cracks jokes about gold coins in Super Mario and speculates about your low Halo ranking.
The attackers typically use an endoscope so they can attach a cord to the computer and install malware. This makes ATM remotely controllable!
In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash.
Embedded software is easy to hack. Spend quite a bit of money getting access to the binary running a common ATM platform. Reverse engineer it. Find a vulnerability. Trigger it. Done!
The age of (common) embedded system exploitation is finally upon us.
It doesn't help that almost all the fascia locks on each vendor's machines are a standard key. With that standard key, you have full access to the computer or embedded device drive.
Nowadays the communication link to the dispenser is encrypted, making swapping the hard drive useless. The real problem is the machines aren't replaced very often so there are quite a few old models out in the field that are susceptible to these sort of attacks.
You're thinking of Secure Boot as it's typically used, where firmware on the motherboard verifies that the kernel is signed by whoever wrote the kernel, e.g. Microsoft. But there's no reason you couldn't have the motherboard OEM load, say, the ATM manufacturer's public key, and have Secure Boot verify that the kernel has been signed by the ATM manufacturer. Then the motherboard will refuse to boot an OS which wasn't signed by the ATM manufacturer, even if it's otherwise "pure".
I also remember seeing a report that was aired on UK TV by Channel 4 back in the 1990s that showed how easy ATM fraud was. I can't seem to find the clip, but if anyone has better luck than me I'd be interested to see it again. The only other clue I can think of was that I believe the report was presented by Krishnan Guru-Murthy, but I think it might have been on a different show than the Channel 4 News.
I remember the programme .. was on Janet Street-Porter's 'yoof' entertainment show Network 7, and involved putting VHS tape on the back of a debit card.
How does it work with posting short scenes from a movie on YT, and possibly monetising? Is it just a case of the Studio not reacting or there's a grey area where you're able to do it?
>"The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack."
You'd be surprised how many things are running Windows. I always wonder if the manufacturer just hires cheap contractors that haven't seen anything apart from Windows in their entire life, or if there is an actual reason it can't run on linux.
Yes and no. OpenBSD always had far fewer exploitable bugs than Windows, so it presents a smaller attack surface. And far fewer people bothered to develop exploits. Windows has always been the big juicy target, with exploits easily available.
I'd challenge that. Given that there are serious security architecture differences between Windows XP and OpenBSD systems.
For starters, Windows XP has always optimized for "plug random hardware in and it Just Works" while OpenBSD aims more at "what is the minimal number of services we can have running in the base image."
Sure, OpenSSL vulnerabilities found in the intervening time will still affect both, but we're still talking orders of magnitude difference in RCE vulnerabilities.
The same with most point-of-sale machines. I worked for a point-of-sale vendor for a while that had both Windows and Linux versions of our software. All but one retailer chose the Windows version because they felt it was much easier to manage 10,000 Windows machines than 10,000 Linux machines.
BTW, that one retailer that used the Linux version? They replaced it with the Windows version on their next hardware refresh.
I was in Munich main train station and saw an advertisement display showing an OS X Desktop and a crash report. Like, why exactly would you use a Mac for this..
"The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack."
According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.
ATMs need to be more physically secure, like bank safes, if they are to be resistant to such attacks. The software part is mostly immaterial here, IMHO --- it doesn't matter what the software is, if you can get access to the physical money.
I used to work with various ATMs and the cash dispenser _is_ a hardened safe, with a combination lock and all. If you are to steal an ATM, you will still need to open the safe and the simplest option would indeed be to try and persuade it to just dispense the money.
The thing is that ATMs from larger vendors (IBM, NCR, Bull, Siemens, etc.) have layer upon layers of protection features. For example, you can configure a secondary combination for the safe which will open it and also send an emergency alert. This is for the cases when someone is being forced to open the safe at gunpoint. There are batteries for secondary power supply. There are options for physical lock-down in case of a power loss. Tilt and movement sensors. Redundant communication options, including exotics like x.28 radio.
I mean that all of this was readily available even 20 years ago. ATMs are not designed by amateurs. The issue is that all these are _options_. They need to be bought first and then they also need to be properly configured and enabled, which falls on the banks or their IT service providers to do. The smaller the bank, the less willing they are to spend even more money on configuring secondary stuff and setting up an infrastructure for it, so many of these options will remain off even if they are available.
There have been several cases of stolen construction equipment (fork lifts, wheel loader, etc.) being used to steal ATMs. For example: https://www.youtube.com/watch?v=K05LT-WpN5I
Achieving 100% physical security is going to be hard.
In the UK at least it's common for ATMs at banks and supermarkets to be built into the wall. You still have freestanding ones too (including in bank branches), but if the solution to this issue is to get rid of the freestanding ones, it's not likely to be a major inconvenience, especially as many stores offer cash back on request (e.g. buy a pack of gum on card, request £30 cash back, get charged for the gum and the cash, resulting in obtaining £30 cash taken from the till).
There are ~20 ATMs within a 5 block radius of my apartment (NYC), all in small shops that have no place for an in-wall ATM, and this is in a relatively low ATM density area of the city; there are thousands more like this across the 5 boroughs.
In aggregate these small freestanding ATMs are a huge business, it's unlikely they will harden their whole fleet by building in-wall installations.
Not too many walls will stand up to being rammed by a Bobcat or other small skid loader, and those can be easily transported by a pickup truck and a trailer.
The ATMs built into walls tend to be larger / heavier than the standalone ones. You gonna fit a crane / forklift truck on that pickup truck / trailer too?
The till probably has under £500 in, probably less. The ATM probably 20 times that.
By offering cash back you're reducing the amount of cash kept in store, reducing the chance of being robbed (less worthwhile). By putting an ATM in store you're increasing the cash on premises, and in your tills (as people use the ATM rather than cash back)
Then either the ATM had 20x too much cash in it, or the store will be unable to satisfy 19/20 requests for cash back?
People withdrawing cash from the ATM (often incurring a non-trivial fee) to pay in the same store, rather than just paying on card, seems to be a marginal case and indeed inferior to card payment.
ATMs are often refilled only every day or two, whereas the store's registers are replenished periodically, often at shift changes or when demand increases. Perhaps more importantly the register also takes _in_ cash as unrelated customers pay with cash.
Cash in an ATM is orders of magnitude safer than cash in a till, most significantly for the store staff as less cash invites fewer (traumatising, dangerous) robberies.
When I worked in a convenience store 20 years ago, we’d dump cash into a safe through a mail slot every time the cash in the till rose over a certain amount (the register computer would show a red bar with a message to this effect), and we’d routinely have to turn down requests for all but trivial amounts of cash back for this reason.
The store usually has nothing to lose. In most cases, the ATM in small stores isn't owned by the store: the ATM owner pays them a fee for having it there.
Several years ago, I've had an ATM crash and reboot after pressing one of the screen side buttons when the machine was waiting for PIN entry via the numeric pad. It rebooted, and I could see that it was running MSDOS, not even Windows. Luckily, after the reboot completed and the ATM frontend program started, it spit out my card again.
With one of the offices of my bank being nearby (to be able to block my card if I couldn't get it back), I tried it two more times, just to check that it wasn't a random occurrence.
While it was probably nothing that could further be escalated into gaining access without additional hardware, it gave me a chuckle (and a bit of fear for my card, initially).
I'd rather have an ATM running MS-DOS than Windows. At least the attack surface is small. God knows how many ATMs are running Windows 98 and XP, which contain major security holes which will never be patched.
One of the first unethical “hacker” things I did was to attempt to change the bill output to larger bill. I got so incredibly nervous when I went into the debug screen that I power walked out of the corner store when the clerk noticed I had been at the machine for several minutes and had not inserted a card.
You find a lot of these ATMs that are even more insecure than the larger WinXP machines. Those little kiosks are perfect for skimmers, manipulation, or just fucking around with.
I just read through the comments and was VERY surprised to see no one call this out:
> At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.
Realize what this means. The ATMs are connected directly to the internet, with a VPN (hopefully...) sitting over the top of that. The ATM can still call out to the internet directly!!
That is, honestly, shockingly insecure. I'm stunned.
I read https://news.ycombinator.com/item?id=16250498 and how ATMs have different options for security, but "allow anything except the VPN software access to the NIC default route" doesn't sound like something _anything_ should be able to disable.
I mean... I know nothing about networking, and I was able to configure this exact behavior on FreeBSD - which I'd never used before - in a day. I set it up so a torrent program was physically incapable of doing DNS/anything outside of the VPN tunnel interface.
When I read that part, I figured that the crooks were using their own mobile Internet connection on the laptop or mobile device that they had connected to the ATM.
That configuration only works if the attacker can't re-configure the system, but considering they're suggesting that many ATMs are still running Windows XP, I'm guessing that finding a privilege escalation exploit is not that hard.
I assume this will end with there being fewer ATMs. That they will become more expensive to run in due to costs of hardened physical devices and insurance. If they become too rare it could result in a reduction of cash usage, maybe significantly.
Good luck with that, outside of a handful of Nordic oddballs, cash is still king in most of the world (US included). We have a massive unbanked population that isn't going to start using banks or digital payments anytime soon, no matter what politicians or economists may desire.
The way that Sweden did it was in small steps, some of which other nations have already done.
Encourage companies to only pay employees through banks by making it practically impossible to pay through cash. Expand money laundering laws so that banks are liable if they give out or take in physical cash, with short and hard limits to ATMs. Make it acceptable to have police confiscate money if a person carries more than a few hundred dollars. Just to give examples of those, a person was stopped by a routine police stop when they saw $350 and confiscated it on the concept that such huge amount of money was a sign of money laundering. A few further months ago an elderly couple (70+) had sold their car but could not put the 10 grand into the bank since the sale papers (including government signed transfer) were not enough to prove definitively that the money was still not part of any money laundering. Sweden invalidated all bills and coins made before 2015, forcing everyone to have them exchanged or put it in the bank which was why the elderly couple needed to put the money in the bank.
Add to that a heavy joint campaign between banks and government to paint any physical cash transaction as putting employees at stores at risk and that its a moral responsibility that everyone only use banks, and a strong decline in the availability of bank offices that handles cash.
I actually think this is fundamentally an attack on the right to transact anonymously. Trends towards the confiscation of large sums of cash, increasing restrictions on moving money relating to KYC/AML, and the further emphasis on digital forms of payment give governments and, more worryingly, banks the ability to exert incredible influence over the day-to-day lives of individuals.
Here's a good Canadian example - banks now refuse accounts to "high risk" businesses like money services (currency conversion etc.) under the guise that the KYC/AML requirements involved make it too risky for the bank to service them. And yet, our major banks have huge currency conversion businesses - so in essence these laws are being used to stifle competition.
For merchants, credit cards and debit were originally billed as items that would improve their sales - so who cares if interchange fees add up to a whopping 3% on transactions? But now with almost everyone demanding that stores accept credit/debit, merchants are hit with what is essentially a non-government tax on their revenues. Every "cash back" or "rewards" card is basically funded at the expense of merchants.
In the USA also, there is a not-small number of hard-core Christians that would view mandated digital payments as "the mark of the beast" and refuse on that basis.
Yeah I'd also like to see that, especially with the number of banks continually shrinking (e.g. less than half as many exist as did in 1980), giving consumers fewer and fewer options to shop around.
Then the other half of my brain is like "you're expecting the gov't that gave you Operation Chokepoint to do a 180 and suddenly be benevolent?" and "the reason banking is congealing into an oligopoly in the first place is because of the staggering amount of banking regulations churned out by the gov't every year, significantly raising barriers to entry" ¯\_(ツ)_/¯
Yeah, I hear you. At least it's more robust there than it is in Canada... our Schedule I banks (there are 5 major ones) are protected by law from foreign competition. I don't see a move towards the type of deregulation that might lead to real competition, so the only plausible solution I see is more legislation. Hah. It makes my inner libertarian cry.
Banks want it because credit card transactions are significantly (almost infinitely) more profitable than distributing physical money around and having bank offices open for customers. Especially in Sweden where the population/km2 can take a very sharp dive and the distance between banks and ATMs can be far.
Many large companies also want it. Mass transit wants people to get a subscription so that the only ones buying tickets are tourists who then can pay tourism prices. Supermarkets want people to use the membership card that is linked to a credit card.
If the purpose was only to do crime prevention then the solution would look very different. Instead what we have is the mixing of multiple interests of strong parties against the interest of everyone else.
The US isn't exactly a leader in banking technology. While I agree that cash is here to stay for the time being, the introduction of contactless payments in the UK has made the conversation around dropping cash seem realistic (with the lower fees almost everywhere now accepts contactless, and unlike chip and pin, transaction times are faster than using cash...)
There is a huge push in SE Asia to get these people banked asap. Startups like Grab are leading the way. I don't think it will be long as much of the other low hanging fruit is already picked. This is literally one of the last untapped markets.
Interestingly you start seeing cash back at big chains in some European countries where the concept used to be completely foreign.
With a combination of new online banks that have no physical presence, credit and debit card fees capped by EU laws, and businesses who are happy to pay those fees to get rid of cash, it makes a lot of sense.
I am guessing they pulled an unencrypted hard drive from the ATM, analyzed it and the commands.
Found the one that spits out cash.
They pop in one with modified code and reboot it to read the new drive.
Only similar ATM I can guess in Canada would already be suspect, in convenience stores, clubs, weed shops, strip clubs lol... The non-bank name brand.
Had one bluescreened after taking money from account but before outputting money.
Was running Windows.
Didn't give any money, but kept the money from the account.
Overheard some small talk about something similar in Croatia a couple of days ago. I thought the guy was drunk and bs-ing the waitress. Now I hope I bump into him again ;)
Why should it? Its function is to spit out money and it functions well enough for that.
Obviously they do add features, like topping up phone credit or bill paying. But I would guess nowadays the bankers would rather pay smartphone app developers rather than the ATM developers...
If $X million is stolen every year by thieves, but it would cost[0] $2X to upgrade ATMs to prevent it then there might be a rational justification for the status quo. Or at least, one that the person(s) making the decision might use to rationalize it to themselves.
[0] depending on whether you do (or even consciously don't) include indirect costs such as law enforcement and knock-on effects such as funding other areas of crime with the proceeds
> The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.
I would argue that Windows isn't at all the right OS for this.
What is? And do you have an OS that you are comfortable calling "secure"? Remember security through obscurity as enjoyed by Mac and Linux doesn't apply here because there is actual money and hence incentive to find vulnerability at stake.
It should be much easier to secure a small OS targeted at the job at hand rather than a general purpose OS that supports everything from mouse drivers to webcams which gives it a huge attack surface.
I don't think I've heard anyone make the argument that Linux relies on security through obscurity in at least 15 years or so. Linux pretty much won in the server market, and if you consider the volume of e-commerce transactions by the big players on Linux alone... ATMs seem like the small stuff in comparison.
The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.
Yup, you'd probably be surprised how much of that is still out there. At this point I'd rather have that than XP which has lots of well known exploits.
If people didn't need cash this problem would go away. I think of this occasionally when I visit our local bagel shop, which like many bagel shops in the area does not take cards and has an ATM onsite.
I strongly hope that paper money is not completely replaced by electronic payments because it may be convenient as long as it works but I would like to still be able to buy food even when the service stops working.
We had this in Austria a few months ago, where one of the biggest providers for electronic payment terminals stopped working for 1 1/2 days.
The vast majority carry an internet connected gps tracker with microphone, Wifi, Bluetooth, sms and email all in one place with them at all times, and bank accounts, sms, emails are already accessible to the state on the server side. Shops are using facial recognition and Bluetooth to advertise and track customers. So I honestly think privacy in what you purchase is a ship that has sailed, this data will be recorded in future.
What we should be agitating for is proper control over the use of this info, not trying to limit ways to collect it.
In Europe, the General Data Protection Regulation supposedly does just this. There is a notable exception for “national security”, but it does at least help move in the right direction.
All of that can be turned off or circumvented, or you could even just leave the phone at home.
But laws are tightening on cash payments, a lot of countries have already made cash transactions over a certain amount illegal. At the moment only for services, you can still exchange cash with your friends, but you may get a lot of scrutiny if you wish to deposit said cash into your bank account.
Yes you can, but nobody does, because the inconvenience outweighs the advantages of increased privacy.
Cash is doomed by the same problem - it's inconvenient, and also pretty insane to carry around paper tokens when we could carry digital ones.
Even if you do manage to evade some tracking (e.g. by using cash) cameras are tracking you everywhere, we have facial recognition improving rapidly, car number plate tracking etc etc. At some point it will be possible to track your entire life with ease simply from following your movements, and it will be very difficult to circumvent without laws to control that sort of information.
I do think it's more important to control the use of extensive personal information and tracking than to try to limit it, because limiting it simply won't work, and can be easily bypassed.