European ATMs struck by hacksploitation movie plot.

04 June 2009

When manufacturers of ATMs started using Windows to run them, you just knew that no good would come of it.

Eastern European banks learned this the hard way when the security companies Sophos and SpiderLabs found strains of malware tailored for automated teller machines. The malware records the second data track of every banking card inserted into the reader slot along with the PIN entered by the machine's user. That's really all you need to make a copy of the card and loot the account. As if that's not enough, the malware also makes it possible for anyone carrying a specially encoded card to walk up and assume command of infected machines. After walking up to an infected machine and authenticating with the special card, the attacker is shown a menu of commands that makes it possible to edit the unit's logs to make it look uncompromised, uninstall the malware agent, reboot the ATM, and print the data it has captured. On top of that, the agent also contains a feature which turns on the cash dispenser mechanism to empty the ATM's vault.

One would think that whoever is behind this scam has considerable inside information, because they understand the drivers of the ATM's subsystems well enough to write code to manipulate them in arbitrary ways. I also have to wonder how the dropper got onto the ATMs in the first place; it isn't as if you can just walk up to an ATM and jack into a serial port. Then again, the ATMs were manufactured by Diebold, and we all know how much they care about security. Maybe they were infected at the warehouse or the factory; maybe just after installation by a field service tech on the take. Maybe someone compromised the banks' ATM-to-HQ networks and is infiltrating the ATMs that way.

I don't know how long it'll be before this sort of thing starts happening in the States, but I'll definitely be thinking twice before using an ATM in the foreseeable future.

Incidentally, it's actually not that difficult to get hold of a card suitable for writing arbitrary stripe data onto: Dell and Starbucks gift cards are perfect for this, as are copier cards from Staples.