Entries Tagged "ATMs"

Page 1 of 4

North Korea ATM Hack

The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide:

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme­ — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

The level of detail is impressive, as seems to be common in CISA’s alerts and analysis reports.

Posted on September 1, 2020 at 6:17 AMView Comments

Jackpotting Attacks Against US ATMs

Brian Krebs is reporting sophisticated jackpotting attacks against US ATMs. The attacker gains physical access to the ATM, plants malware using specialized electronics, and then later returns and forces the machine to dispense all the cash it has inside.

The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

Lots of details in the article.

Posted on February 1, 2018 at 6:23 AMView Comments

Clever Physical ATM Attack

This is an interesting combination of computer and physical attack:

Researchers from the Russian security firm Kaspersky on Monday detailed a new ATM-emptying attack, one that mixes digital savvy with a very precise form of physical penetration. Kaspersky’s team has even reverse engineered and demonstrated the attack, using only a portable power drill and a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. And though they won’t name the ATM manufacturer or the banks affected, they warn that thieves have already used the drill attack across Russia and Europe, and that the technique could still leave ATMs around the world vulnerable to having their cash safes disemboweled in a matter of minutes.

“We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it,” says Kaspersky researcher Igor Soumenkov, who presented the research at the company’s annual Kaspersky Analyst Summit. “The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.”

Posted on April 5, 2017 at 6:29 AMView Comments

Preplay Attack on Chip and PIN

Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post:

Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card.

When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the transaction. Part of this transaction is a number that is supposed to be random, so as to stop an authentication code being generated in advance. However, there are two ways in which the protection can be bypassed: the first requires that the Chip and PIN terminal has a poorly designed random generation (which we have observed in the wild); the second requires that the Chip and PIN terminal or its communications back to the bank can be tampered with (which again, we have observed in the wild).

Posted on May 20, 2014 at 2:01 PMView Comments

Hacking Consumer Devices

Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children’s bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child’s father unplugged the monitor.

What does this mean for the rest of us? How secure are consumer electronic systems, now that they’re all attached to the Internet?

The answer is not very, and it’s been this bad for many years. Security vulnerabilities have been found in all types of webcams, cameras of all sorts, implanted medical devices, cars, and even smart toilets — not to mention yachts, ATM machines, industrial control systems and military drones.

All of these things have long been hackable. Those of us who work in security are often amazed that most people don’t know about it.

Why are they hackable? Because security is very hard to get right. It takes expertise, and it takes time. Most companies don’t care because most customers buying security systems and smart appliances don’t know enough to care. Why should a baby monitor manufacturer spend all sorts of money making sure its security is good when the average customer won’t even notice?

Even worse, that consumer will look at two competing baby monitors — a more expensive one with better security, and a cheaper one with minimal security — and buy the cheaper. Without the expertise to make an informed buying decision, cheaper wins.

A lot of hacks happen because the users don’t configure or install their devices properly, but that’s really the fault of the manufacturer. These are supposed to be consumer devices, not specialized equipment for security experts only.

This sort of thing is true in other aspects of society, and we have a variety of mechanisms to deal with it. Government regulation is one of them. For example, few of us can differentiate real pharmaceuticals from snake oil, so the FDA regulates what can be sold and what sorts of claims vendors can make. Independent product testing is another. You and I might not be able to tell a well-made car from a poorly-made one at a glance, but we can both read the reports from a variety of testing agencies.

Computer security has resisted these mechanisms, both because the industry changes so quickly and because this sort of testing is hard and expensive. But the effect is that we’re all being sold a lot of insecure consumer products with embedded computers. And as these computers get connected to the Internet, the problems will get worse.

The moral here isn’t that your baby monitor could be hacked. The moral is that pretty much every “smart” everything can be hacked, and because consumers don’t care, the market won’t fix the problem.

This essay previously appeared on CNN.com. I wrote it in about half an hour, on request, and I’m not really happy with it. I should have talked more about the economics of good security, as well as the economics of hacking. The point is that we don’t have to worry about hackers smart enough to figure out these vulnerabilities, but those dumb hackers who just use software tools written and distributed by the smart hackers. Ah well, next time.

Posted on August 23, 2013 at 6:00 AMView Comments

Really Clever Bank Card Fraud

This is a really clever social engineering attack against a bank-card holder:

It all started, according to the police, on the Saturday night where one of this gang will have watched me take money from the cash point. That’s the details of my last transaction taken care of. Sinister enough, the thought of being spied on while you’re trying to enjoy yourself at a garage night at the Buffalo Bar, but not the worst of it.

The police then believe I was followed home, which is how they got my address.

As for the call: well, credit where it’s due, it’s pretty clever. If you call a landline it’s up to you to end the call. If the other person, the person who receives the call, puts down the receiver, it doesn’t hang up, meaning that when I attempted to hang up to go and find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call “the bank”. As I did this, he played a dial tone down the line, and then a ring tone, making me think it was a normal call.

I thought this phone trick doesn’t work any more. It doesn’t work at my house — I just tried it. Maybe it still works in much of the UK.

Posted on July 30, 2013 at 7:33 AMView Comments

1 2 3 4

Sidebar photo of Bruce Schneier by Joe MacInnis.