Thieves Use Malware To Rob Cash Machines


3v0

http://www.cbronline.com/news/tech/software/malware/usb-drives-used-to-rob-cash-machines-311213-4153778


I know we're not supposed to like thieves and I'm sure as a "criminal gang" these lot do some other deplorable things but there's something I find quite endearing about clever people stealing money from banks. I know I shouldn't and if they were stealing from me I'd be furious, which of course makes me a massive hypocrite but meh.

It would be pretty handy having a 12 digit code that would make cash machines spit out free money for you. You'd be well popular on nights out!

Two things surprise me about this story. The first being that as they used some form of two factor authentication and had to call back to base every time the exploit was used it shows that there clearly is no honour amongst thieves. The second being that there was a USB port hidden just behind the plastic façade! That's just asking for trouble!

Yes, the USB port surprised me as well. I'm guessing it's not going to be around for much longer!

Must admit at a time when banks try every new trick in the book to rip off the world there's now a little bit of karma coming back. Not enough but it's worth a smile.

The thing is the banks will recover the money through insurance, which means people's premiums go up, or by charging the customers. The bank won't lose out.

Anyone who has watched "Terminator" knows that it is possible to empty a cash machine with a small laptop, a switch card and a short length of ribbon cable...

No need to start hacking your way in through the fascia, just follow what John Connor (the child) does. Simples...

Remember how much easier and cheaper it'd be if software updates can be done via USB by an engineer, as the dial up links tend to be quite slow.

Also, you'll probably be surprised to know that many cash machines run a cut-down version of Windows (Windows Embedded).

The two-factor authentication was wise, because they probably didn't want to arouse too much suspicion as much as anything else.

It is worrying because the banks are not at all confident about their system security, with very good cause, and they tend to protect themselves pretty well to the detriment of the customer. Say the money had disappeared from your own bank account. No doubt you would take a less sanguine view of the theft. You might even be devastated when the bank insisted that because you are protected by password security and all manner of clever technological safeguards, you MUST have had the money. There is NO WAY that it could have been taken by anyone else unless of course you gave them your access details. But what if you didn't? You can't prove it.

Another typical example of how the banks look after number one was the introduction of chip and pin cards. Did you believe what they said about how they were doing it to protect you? Well if they were, they would have brought it in in addition to the signature authorisation. Instead they did away with the signature. So whilst before you could challenge a transaction by demanding they produce your signature, now they just tell you that it was "correctly authorised by chip and pin". And that's foolproof. Isn't it?

Some machines actually run OS/2 Warp. Now there's a blast from the past.

One high street bank is readying itself to upgrade all its installed machines to Windows 7.

Depending on the make & model of machine some banks have the USB port disabled in the OS so that this sort of attack can't be used.

Engineers have a USB key to "authorise" key diagnostic routines and these USB keys have been fettled (SafeNet Sentinel keys) so that they don't appear as mass storage devices but allow maintainer authentication.

The article doesn't mention which make or model of machine has this USB port close to the fascia but I would guess that it's more likely to be a "convenience machine" like you would get in a club/pub or grocery store.

The full (and rather awkward!) presentation is here:

http://30c3.ex23.de/CCC/30C3/mp4/30c3-5476-en-Electronic_Bank_Robberies_h264-hq.mp4

Remarkable how simple it was, shows just how shitty the older ATMs are set up: an old Hiren's boot CD with a mini XP recovery image, force it to reboot and run 'hackme.bat' in the autorun.

What you also have to remember with banks and any financial institution is that software security isn't one of their strong points. They are still of the firm belief that securing access (i.e. putting the USB port behind the facade) should be enough. Signed boot images etc. shouldn't be needed as, in theory, only a tech can gain access.

Remember, banks still rely on verifying everything multiple times rather than software-based security. The assumption is that this system should be flawless.
