3v0 Posted December 31, 2013 Share Posted December 31, 2013 http://www.cbronline.com/news/tech/software/malware/usb-drives-used-to-rob-cash-machines-311213-4153778I know we're not supposed to like thieves and I'm sure as a "criminal gang" these lot do some other deplorable things but there's something I find quite endearing about clever people stealing money from banks. I know I shouldn't and if they were stealing from me I'd be furious, which of course makes me a massive hypocrite but meh.It would be pretty handy having a 12 digit code that would make cash machines spit out free money for you. You'd be well popular on nights out! Link to comment Share on other sites More sharing options...
MikeW Posted December 31, 2013 Share Posted December 31, 2013 Two things surprise me about this story. The first being that as they used some form of two factor authentication and had to call back to base every time the exploit was used it shows that there clearly is no honour amongst thieves. The second being that there was a USB port hidden just behind the plastic façade! That's just asking for trouble! Link to comment Share on other sites More sharing options...
3v0 Posted December 31, 2013 Author Share Posted December 31, 2013 Two things surprise me about this story. The first being that as they used some form of two factor authentication and had to call back to base every time the exploit was used it shows that there clearly is no honour amongst thieves. The second being that there was a USB port hidden just behind the plastic façade! That's just asking for trouble! Yes, the USB port surprised me as well. I'm guessing it's not going to be around for much longer! Link to comment Share on other sites More sharing options...
Lxxx Posted December 31, 2013 Share Posted December 31, 2013 Must admit at a time when banks try every new trick in the book to rip off the world there's now a little bit of karma coming back. Not enough but it's worth a smile. Link to comment Share on other sites More sharing options...
thommo2010 Posted December 31, 2013 Share Posted December 31, 2013 Must admit at a time when banks try every new trick in the book to rip off the world there's now a little bit of karma coming back. Not enough but it's worth a smile. The thing is the banks will recover the money through insurance which means peoples premiums go up or by charging the customers. The bank wont lose out Link to comment Share on other sites More sharing options...
Max Power Posted December 31, 2013 Share Posted December 31, 2013 I hate theft but as already said, bankers are thieving scumbags themselves. Link to comment Share on other sites More sharing options...
Blade Runner Posted December 31, 2013 Share Posted December 31, 2013 Anyone who has watched "Terminator" knows that it is possible to empty a cash machine with a small laptop,a switch card and short length Ribbon Cable...... No need to start hacking your way in through the fascia, just follow what John Connor (the child) does, Simples................................. Link to comment Share on other sites More sharing options...
AcousticallyChallenged Posted January 1, 2014 Share Posted January 1, 2014 Two things surprise me about this story. The first being that as they used some form of two factor authentication and had to call back to base every time the exploit was used it shows that there clearly is no honour amongst thieves. The second being that there was a USB port hidden just behind the plastic façade! That's just asking for trouble! Remember how much easier and cheaper it'd be if software updates can be done via USB by an engineer, as the dial up links tend to be quite slow. Also, you'll probably be surprised to know that many cash machines run a cut-down version of Windows (Windows Embedded). The two-factor authentication was wise, because they probably didn't want to arouse too much suspicion as much as anything else. Link to comment Share on other sites More sharing options...
woolley Posted January 1, 2014 Share Posted January 1, 2014 http://www.cbronline.com/news/tech/software/malware/usb-drives-used-to-rob-cash-machines-311213-4153778 I know we're not supposed to like thieves and I'm sure as a "criminal gang" these lot do some other deplorable things but there's something I find quite endearing about clever people stealing money from banks. I know I shouldn't and if they were stealing from me I'd be furious, which of course makes me a massive hypocrite but meh. It would be pretty handy having a 12 digit code that would make cash machines spit out free money for you. You'd be well popular on nights out! It is worrying because the banks are not at all confident about their system security with very good cause and they tend to protect themselves pretty well to the detriment of the customer. Say the money had disappeared from your own bank account. No doubt you would take a less sanguine view of the theft. You might even be devastated when the bank insisted that because you are protected by password security and all manor of clever technological safeguards, you MUST have had the money. There is NO WAY that it could have been taken by anyone else unless of course you gave them you access details. But what if you didn't? You can't prove it. Another typical example of how the banks look after number one was the introduction of chip and pin cards. Did you believe what they said about how they were doing it to protect you? Well if they were, they would have brought it in in addition to the signature authorisation. Instead they did away with the signature. So whilst before you could challenge a transaction by demanding they produce your signature, now they just tell you that it was "correctly authorised by chip and pin". And that's foolproof. Isn't it? Link to comment Share on other sites More sharing options...
mbx Posted January 2, 2014 Share Posted January 2, 2014 Also, you'll probably be surprised to know that many cash machines run a cut-down version of Windows (Windows Embedded). Some machines actually run OS/2 warp. Now there's a blast from the past. One high street bank is readying itself to upgrade all it's installed machines to Windows 7. Depending on the make & model of machine some banks have the USB port disabled in the OS so that this sort of attack can't be used. Engineers have a USB key to "authorise" key diagnostic routines and these USB keys have been fettled (SafeNet Sentinel keys) so that they don't appear as mass storage devices but allow maintainer authentication. The article doesn't mention which make or model of machine has this USB port close to the facsia but I would guess that it's more likely to be a "convenience machine" like you would get in a club/pub or grocery store. Link to comment Share on other sites More sharing options...
Slim Posted January 3, 2014 Share Posted January 3, 2014 Two things surprise me about this story. The first being that as they used some form of two factor authentication and had to call back to base every time the exploit was used it shows that there clearly is no honour amongst thieves. The second being that there was a USB port hidden just behind the plastic façade! That's just asking for trouble! The full (and rather awkward!) presentation is here: http://30c3.ex23.de/CCC/30C3/mp4/30c3-5476-en-Electronic_Bank_Robberies_h264-hq.mp4 Remarkable how simple it was, shows just how shitty the older atms are set up, an old hirens boot cd with a mini xp recovery image, force it to reboot and run 'hackme.bat' in the autorun. Link to comment Share on other sites More sharing options...
x-in-man Posted January 9, 2014 Share Posted January 9, 2014 I once found a manual for a cash machine in a skip. Current model at the time, with full 'exploded view' diagrams, spare part numbers etc etc. Could have made my millions back then. Link to comment Share on other sites More sharing options...
AcousticallyChallenged Posted January 9, 2014 Share Posted January 9, 2014 You also have to remember with banks and any financial institution is that software security isn't one of their strongpoints. They still are in the firm belief that securing access (i.e putting the USB port behind the facade) should be enough. Signed boot images etc. shouldn't be needed as in theory, only a tech can gain access. Remember, banks still rely on verifying everything multiple times rather than software-based security. The assumption is that this system should be flawless. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.