
Thieves are using USB drives to infect European ATMs and withdraw cash by denomination.

According to a new report from BBC News, the criminals have been cutting holes in ATMs in order to insert a USB drive, which holds malicious code and turns the ATM into a zombie.

Once the USB stick is plugged in, the malicious code is transferred to the ATM and the thieves patch up the holes. From there, all they have to do is type in a 12-digit code to activate the special interface.

The amount of money in the ATM is then displayed by denomination, along with options for withdrawing the amount they want.

But before the cash can be taken out, a second code must be entered. This was implemented as a way of ensuring that no one within the crime circle can take a USB drive and run off on their own with it.

The second code is unique each time, and to obtain it, the person at the ATM must call another member of the circle. Once the person at the ATM receives it from another member, they can pull the cash. If they don't receive this code within three minutes, the interface disappears and the ATM appears normal again.

The bank to which the ATMs belong is being kept secret for now, but employees started noticing the thefts in July when several ATMs were turning up empty despite proper transactions. Also, the safes used to keep the cash protected were unharmed.

The technique behind the hacks was revealed at the Chaos Computing Congress in Hamburg, Germany.

Source: BBC News


There are other ways
By Monkey's Uncle on 12/31/2013 3:55:20 PM , Rating: 3
About 30 years ago I used to program ATM machines and their controllers for one of the large Canadian banks. It would have been a really simple matter for me to insert backdoor code into every single ATM machine owned by that bank -- "if (card # == my card) go to myBackdoorInterface" -- since I did all the coding, testing and implementation of all code going into these machines.

The problem is that I was one of two people working for that particular bank that knew how to program these systems. If the daily accounting found missing money in these machines, everybody from the bank president on down knew who to look at as the culprit (Yikes!!).

For the bank in this article, the culprits are either current or former employees with intimate knowledge of that bank's implementation of these machines. It won't take them long at all to track down who is doing this.

RE: There are other ways
By Myrandex on 12/31/2013 4:13:24 PM , Rating: 2
You programmed them yet you call them ATM Machines?

I worked for one of the largest producers of ATMs in the world (in the top 3) for over 7 years. I couldn't stand it when people said ATM Machines or PIN Number there.

Part of my responsibility there was working on ATM security. There were some neat attacks that I had learned about similar to this that I had read about. A number of years ago we pushed modifications to block all USB devices other than specific ones on a whitelist to prevent this very sort of attack.


RE: There are other ways
By Monkey's Uncle on 1/1/2014 11:30:13 AM , Rating: 3
Hi Jason.

That's right. I programmed them 30 years ago - for over 10 years. I call them ATMs and the 4-digit code you key in a PIN. So what?

What does what I call them have to do with my experience or ability in programming them? I was doing this back at a time when most visitors at DT (possibly including yourself) were still in grade school.

Oh and FYI - the only ATM vendor at that time was IBM . And the only subhost supplier was IBM . Competitors like NCR, Siemens and Diebold came along later - and I worked with many of those as well, particularly the NCRs.

Now I am retired. That means I have well over 30 years of experience (though only the 1st 10 years having to do with ATM/Subhost) under my belt. Can you say the same?

RE: There are other ways
By Camikazi on 1/1/2014 12:26:16 PM , Rating: 3
He was talking about calling them "ATM Machines" and "PIN Number" since the "M" means Machine already and the "N" in "PIN" means Number, it is redundant.

RE: There are other ways
By Monkey's Uncle on 1/1/2014 1:27:41 PM , Rating: 3
Again, So What?

Adding a redundant "Machine" or "Number" in a post like this says absolutely nothing at all about the depth of my ATM MACHINE knowledge. Knowledge that he called into question by his comments.

I doubt this guy even has a clue what a CIGEN, CPGEN or FCL is.

RE: There are other ways
By slunkius on 1/2/2014 1:16:26 AM , Rating: 2
That is not the point. Issue is, how can you decipher "ATM machine"? Automatic teller machine machine? Or as a super-duper specialist you have another explanation?

RE: There are other ways
By Monkey's Uncle on 1/2/2014 11:05:12 AM , Rating: 2
It seems you are the one that didn't get the point. That jackass made an attack against my technical expertise based on poorly used ACRONYM GRAMMAR. Ok, the word "MACHINE" is redundant if the acronym already implies the word as the most common meaning of the acronym ATM implies. But the point is ATM is an ACRONYM. And numbnuts is using the poor use of the most common definition of ATM as an attack on my expertise.

That I will not stand for.

Now, if you really want to be a grammar nazi about it, there are several things ATM can stand for that still can be thought of as an automated way to work with your money...

All Time Money (think of this as a possible brand of ATM)
Advanced Teller Module
Automatic Transaction Mode
Automated Transaction Manager
Account Transaction Management

There are all kinds of others you can come up with that you can append the word "Machine" to. PICK ONE. But Again I will challenge you how the poor use of an acronym, any acronym, is an indicator of anyone's technical credibility.

So Jason, where are you? When are you going to come in and answer for this attack? Or are you going to let these guys do your answering for you?

RE: There are other ways
By apspeedbump on 1/2/2014 2:58:31 PM , Rating: 2
Just playing the part of Switzerland here, but I re-read Jason's reply a few times and I don't see any overt attack against your technical expertise in his comment.

Depending on how you interpret the words, he COULD be calling you out, or he could just be expressing his incredulousness at your terminology, given his own pet-peeve, with no intended slight against your own technical proficiency in the area.

RE: There are other ways
By Monkey's Uncle on 1/2/2014 6:13:35 PM , Rating: 2
Nice diplomacy there ;)

Perhaps he should be the one saying this for himself rather than having folks like you and me guess at what his meanings are.

I've made my own interpretation clear. If he meant something else, all he had to do was come in here and clarify himself.

RE: There are other ways
By troysavary on 12/31/2013 4:27:28 PM , Rating: 3
I used to work for a company that made video slot machines. We had to sign an agreement to not play our machines at any casinos since we could potentially have coded backdoors into the machines to guarantee winning. I always found that ironic. If I was going to code in a cheat, the agreement I signed wouldn't have stopped me from playing.

RE: There are other ways
By mmatis on 1/1/2014 8:45:36 AM , Rating: 2
A safe bet is that any worthwhile machine is "watched" continuously. If your cheat was good but they had not made you sign that agreement, it would have been very difficult for them to do anything to you. That agreement, however, was a legal contract and as such was enforceable in a court of law. ESPECIALLY in any state with a significant gaming industry. Of course, there was nothing to stop you from coding a cheat and sharing it with someone else...

RE: There are other ways
By Schrag4 on 1/3/2014 1:56:02 PM , Rating: 2
I read the reply thread, and I'll stand by you, Uncle - the fact that you typed "ATM machine" really has nothing to do with your knowledge of ATMs. I see people with a lot of firearms experience calling magazines "clips" all the time - that's arguably a far worse offense, but I don't doubt their knowledge either.

When I read the article, I too thought this probably is the result of an inside job. This means that even if you white-list certain USB sticks, you're still vulnerable to an inside job, although arguably somewhat less vulnerable. Either way, I agree that they shouldn't have too much trouble narrowing down a pool of suspects by looking at employment records.

RE: There are other ways
By Visual on 1/6/2014 2:33:14 PM , Rating: 2
Today's ATMs are nothing like what you used to program 30 years ago. No custom controllers, no low-level programming. It is just a standard PC running Windows and set to run the banking app on startup, likely as a replacement shell. No internal info was needed for the attack other than the guess that removable drive autorun was probably left enabled. Perhaps physically finding where the USB port is located was the hardest part, but even that does not require internal knowledge, just one time vandalism against one ATM.
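The whitelist idea raised in this thread, together with the point that an insider can still use an approved stick, shown as an added example that is not part of any comment or of the article: a review of USB device-arrival records that flags unknown devices and approved devices seen outside a service window. The record format, device identifiers, ATM names and service windows are all constructed for illustration.

```python
from datetime import datetime

# Constructed allowlist of service media: (vendor id, product id, serial).
ALLOWED_DEVICES = {("1234", "abcd", "SVC-0001")}

# Constructed service windows per ATM, when approved media is expected.
SERVICE_WINDOWS = {
    "ATM-017": [(datetime(2014, 1, 6, 9, 0), datetime(2014, 1, 6, 10, 0))],
}

# Constructed device-arrival records, hypothetical "time|atm|vid|pid|serial" format.
SAMPLE_EVENTS = """\
2014-01-06T09:12:00|ATM-017|1234|abcd|SVC-0001
2014-01-06T23:41:00|ATM-017|1234|abcd|SVC-0001
2014-01-07T02:03:00|ATM-022|5678|ef01|A1B2C3
malformed line
"""

def parse_event(line):
    """Return a dict for a well-formed record, or None if it cannot be parsed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    device = (parts[2].lower(), parts[3].lower(), parts[4])
    return {"time": when, "atm": parts[1], "device": device}

def classify(event):
    """An approved device is only 'ok' inside a service window for that ATM."""
    if event["device"] not in ALLOWED_DEVICES:
        return "unknown-device"
    windows = SERVICE_WINDOWS.get(event["atm"], [])
    if any(start <= event["time"] <= end for start, end in windows):
        return "ok"
    return "allowlisted-outside-window"

def review(log_text):
    """Collect every record that needs a human look, including unparsable ones."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            findings.append(("unparsed", line))
            continue
        verdict = classify(event)
        if verdict != "ok":
            findings.append((verdict, event["atm"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

Unparsable records are reported rather than dropped, so a damaged or tampered log line still reaches a reviewer.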

By MrBlastman on 12/31/2013 11:44:22 AM , Rating: 3
Once the person at the ATM receives it from another member, they can pull the cash. If they don't receive this code within three minutes, the interface disappears and the ATM appears normal again.

... Except for the hole cut in the side of it.

RE: Well...
By hughlle on 12/31/2013 11:50:05 AM , Rating: 3
Or if you had read the article you'd have read that they patch the holes up.

RE: Well...
By MrBlastman on 12/31/2013 12:37:07 PM , Rating: 2
A patched hole still looks like a hole was made there. :P

That is, unless they buff it and paint match it, which I doubt they do.

RE: Well...
By Flunk on 12/31/2013 12:51:15 PM , Rating: 2
You'd be surprised how authentic this stuff ends up looking, they don't always look the same as unmodified machines but they always look legitimate. They could use epoxy resin or plastic plugs but they will go to great lengths to prevent being detected.

RE: Well...
By MrBlastman on 12/31/2013 1:22:05 PM , Rating: 2
Plug or not I want to shoot at some zombie ATMs!

I wonder what they say...

"Coinnssss... Mmmmmhmmmmm! Cooiiinnnnnsss... COOIIIINNSSSSSSS!"

After that, well, then we plug them. Plug them with 5.56 mm. :)

Okay, seriously though, I'd be impressed if they could pull off making them look good as new in an open area without being detected visually or making noise loud enough to be heard.

RE: Well...
By Schrag4 on 1/3/2014 1:57:20 PM , Rating: 2
Agreed. They probably left it looking like the plug was supposed to be there.

RE: Well...
By jimbojimbo on 12/31/2013 2:16:14 PM , Rating: 2
Or if you're crafty at all you'd know to cut at the seams where it's not really noticeable even without fixing up.

RE: Well...
By Argon18 on 12/31/2013 12:55:16 PM , Rating: 1
Yeah but their patch job can't be perfect. ATMs use painted steel panels. Just like the body on a car. The thieves aren't physically moving the ATMs to their workshop, they're doing this in place. So whatever tools and materials they are using most certainly would not make for a seamless undetectable repair.

RE: Well...
By Monkey's Uncle on 12/31/2013 4:02:49 PM , Rating: 2
The patched spot doesn't have to be perfect. The hole is made either on the side or the back of the ATM's I/O area (usually covered by painted sheet metal but may be a thick plastic/fiberglass composite).

The bank is going to look for the patched spot only if that ATM had dumped its contents. The security guards that load the cash & take the daily accounting reports from it won't bother to look for patches anywhere except the ATM's safe (the money compartment) unless there is a discrepancy in the report.

By that time the thief has already made off with their cash.

Child's Play for the NSA
By TacticalTrading on 12/31/2013 4:43:41 PM , Rating: 2
Imagine if the crooks ever got their hands on the toys invented and used by the NSA....
Oh wait, they just published all that stuff didn't they.

So is bitcoin still secure?

RE: Child's Play for the NSA
By MadMan007 on 1/1/2014 12:08:35 AM , Rating: 2
Secure, yes, but worthless once additional governments outlaw the exchanges or outlaw it outright. When China closed their exchange it dropped Bitcoin prices by 40%+.

RE: Child's Play for the NSA
By ritualm on 1/1/2014 11:46:27 PM , Rating: 2
Outlawing exchanges won't do a damned thing but make the conversion from digital currency to real currency harder for a majority of people. If you're already well invested in coin mining, it's a small inconvenience that you can't convert your capital gains as easily as 1-2-3.

RE: Child's Play for the NSA
By Darkk on 1/3/2014 11:12:16 PM , Rating: 2
Actually they have an ATM machine that will dispense money from bitcoins. Imagine that!

"excuse me, I need to cut a hole here please!"
By sparkuss on 12/31/2013 4:46:26 PM , Rating: 2
After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.

So basically they were able to go around cutting holes in ATMs without anyone ever noticing? I had expected most ATMs were already either in surveilled kiosks or were at least in public surveilled areas.

For you Techs above, was this access point so easy to reach in a public place? The article doesn't say if they finally saw these guys doing the deed or they finally found the USB sticks.

By Camikazi on 1/1/2014 12:27:51 PM , Rating: 3
It's amazing what people will ignore if you just wear something that looks remotely like a uniform :)

By Monkey's Uncle on 1/1/2014 1:32:19 PM , Rating: 2

A lot of the vandalized ATMs are simple kiosk-type machines put into public places. All it takes is a couple guys in security guard uniforms working around it to make people's eyes focus elsewhere and those uniforms are pretty easy to fake.

Copyright 2016 DailyTech LLC.