INSECURITY FIRM Trustwave Spiderlabs has reported that automated teller machines (ATMs) running Microsoft Windows XP are vulnerable to an automated attack that can nick bank account numbers and personal identifying number (PIN) codes.
The briefing (PDF) says that several variants of the malicious software were discovered on hacked cash machines in Eastern Europe.
Reading between the lines, it seems apparent that it will be only a matter of time before criminals deploy such attacks more widely at ATM machines located throughout the world.
The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card inserted into the ATM's card reader to mount a buffer overflow attack. The initial compromise replaces the isadmin.exe file on the machine.
The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.
Once the malicious lsass.exe program is installed, it collects users' account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.
Once a human attacker has control of the ATM, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.
Trustwave's briefing concludes it "highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present."
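One way a bank could act on that recommendation is a file-inventory check that looks for the substitution the briefing describes: an isadmin.exe anywhere on the box, an lsass.exe outside System32 (the genuine Local Security Authority binary lives in C:\WINDOWS\system32), or an lsass.exe whose hash does not match the clean ATM image. The script below is an added example, not Trustwave's tooling or anything from the briefing; the inventory, hashes and the treatment of isadmin.exe as never legitimate are all constructed assumptions for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

# Directory where the genuine Windows binary of this name belongs. lsass.exe is a
# real Windows service (the Local Security Authority) and lives in System32; the
# report's malicious copy sits one level up, in C:\WINDOWS.
EXPECTED_DIR = {"lsass.exe": PureWindowsPath(r"C:\WINDOWS\system32")}

# Names with no legitimate counterpart on a clean build. isadmin.exe is the dropper
# name from the report; treating it as never legitimate is an assumption.
NEVER_LEGITIMATE = {"isadmin.exe"}


def find_suspicious(inventory, baseline):
    """Return [(path, [reasons...])] for every inventory entry that looks wrong.

    inventory: iterable of (windows_path, sha256_hex) pairs from a file scan.
    baseline:  {filename_lower: {sha256_hex, ...}} of hashes taken from a known
               clean ATM image. Files absent from the baseline are not hash-checked.
    """
    findings = []
    for path_str, digest in inventory:
        path = PureWindowsPath(path_str)   # compares case-insensitively
        name = path.name.lower()
        reasons = []
        if name in NEVER_LEGITIMATE:
            reasons.append("filename matches the dropper named in the report")
        expected = EXPECTED_DIR.get(name)
        if expected is not None and path.parent != expected:
            reasons.append(f"{name} outside its expected directory {expected}")
        if name in baseline and digest.lower() not in baseline[name]:
            reasons.append("hash differs from the known-good baseline")
        if reasons:
            findings.append((path_str, reasons))
    return findings


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: stand-ins for real binaries and for a real scan.
CLEAN_LSASS = _sha256(b"constructed stand-in for the vendor lsass.exe")
ROGUE_LSASS = _sha256(b"constructed stand-in for the replaced lsass.exe")

BASELINE = {"lsass.exe": {CLEAN_LSASS}}

SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\system32\lsass.exe", CLEAN_LSASS),          # genuine service binary
    (r"C:\WINDOWS\lsass.exe", ROGUE_LSASS),                   # the substitution described
    (r"C:\WINDOWS\system32\isadmin.exe", _sha256(b"dropper")), # dropper name from the report
    (r"C:\WINDOWS\system32\calc.exe", _sha256(b"unrelated")),  # not in baseline, ignored
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_INVENTORY, BASELINE):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The baseline is the important part: a hash list taken from the vendor's clean image lets the check flag a replaced lsass.exe even when the attacker drops it in the correct directory, whereas the path rule alone only catches the variant the report describes.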
What financial institutions do after that will be up to them, of course. But we'd suggest that they look toward replacing their vulnerable ATMs running Windows XP with other machines that don't run any Microsoft software, as it is known to be insecure. µ
It is portrayed that Windows is such loose shit that making an ugly face in front of an ATM camera will also cause a buffer overflow. Whatever garbage code is inside the few KB of data on the card, the machine either finds info or rejects the card; the ATM won't say "ooo, there is C/C++ code on the card, let's compile and run it. There is a dirty picture too, it must be hot, let's open it too..." Bang! Microsoft GDI+ JPEG buffer overflow vulnerability... Brrr brrr, all cash out, transferring funds from the captured ATM info of previous users.
The better way to do it is to sniff the network between the ATMs and the central server. Doesn't matter what software they are running then, everything turns into packets and the encryption within is now breakable. So why go to the effort to infect a single ATM (not an easy job), when you can sniff ALL of them from one central location. The telecommunications box running the lines in some remote or obscure location is also less likely to get the attention of others as well.
Most companies enjoy "security" insofar as they haven't been targeted yet, or suffered a human error resulting in a catastrophic exposure. We practice Disaster Awareness, Preparedness and Recovery (DAPR). Basically, best practice dictates that you first strive to prevent disaster (awareness, preparedness) – and have things in place for any contingencies (recovery). DR sounds – and is – reactive. DAPR's principles state that "In the realm of risk, unmanaged possibilities become probabilities."
Under this statement, any IT leader can then show risk to business, and make the logical case to Business (that is, IT Governance) for some measure of budget. PricewaterhouseCoopers and Carnegie Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has a great chapter on security, and also reinforcing elements in many other chapters. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. Once awareness is in place, prevention is leveraged to the degree that you achieve an accrual of returns: Much more effort and budget can go for contingencies. We were naked before we found this book.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.
You must point out that there are genuine services in Windows with those names too.
You know, the first thing users do is to look at their task manager to learn if they have these "viruses" running.
So a few years ago I was standing at a Wells Fargo ATM here in darkest Southern California and the woman in front of me was clearly having issues. She pulls her card out and stomps away. As I step up to the evidently faulty machine I can see it going through a POST. So my first surprise was that it was actually a PC in there and not a dumb terminal (which is what I had always assumed ATMs were).
However my initial surprise was frankly made to feel utterly inferior by my subsequent surprise, nay, astonishment, to see what OS it was booting.
Yes, for the first time since circa 1995 I could see an honest-to-goodness OS/2 boot loader running.
For a few seconds, ATM card in hand, I seriously considered how I could be entrusting my (admittedly meager) life savings to a bank running such an antiquated OS.
But then the genius of it struck me full on. Who in our modern world of iPhones, WiFi, Bluetooth, Hulu, "Yes we can" and five new Will Ferrell movies a month would have the first clue how to hack this thing, even if you left a keyboard hanging right out of the cash slot? Does it even have a buffer to be overflowed? Can it even run a web browser that supports cross site scripting?
It looks like the banks have been stealing everyone's money for years and it's the banks that create money scarcity. Now there's malware that's giving them some competition?
When they all ran OS/2, you barely had anything like this happen. Now look what happens when they're all loaded with Windows: Windows crash screens and BSODs are everywhere, on ATMs, trains, undergrounds, vending machines...
If only I didn't do software contracting for the banks you might actually sell me this crap. This is not and cannot be a vulnerability in XP; it's a hole in a specific ATM code that runs on XP combined with lack of physical security, nicely demonstrated by a complete lack of info on how an "EXE gets loaded into the ATM memory from card" that has 3 low-density 6-bit and 4-bit encoded stripes (which means you can't even carry the full byte range needed for an executable, d'oh). At best this is caused by the ATM manufacturer hiring cheap incompetent labour from god knows where and providing a management control jack unsecured and accessible from outside.
But be afraid, be very afraid, blame XP and lack of security, go moan at the bank and give them excuse to hire more incompetent CISM/CISSP guys, like there aren't enough of them wasting money as it is.
So actually, if one could control ATMs in such a way I'd be able to have billions disappear to untraceable bank accounts?
More than a few months back I heard an ATM in Belgium start with the Windows music; it even rings the Windows bell after each transaction, huhuh.
Felt stumped for months at the total lack of sense. Running a desktop OS on what should be a secure embedded application.
Anyone can build these things these days ?
@Minotaur
You're either an idiot, or a genius.
Something tells me the latter would have kept his mouth shut, collected his winnings, and flown to the Caribbean... so that leaves the former.
First of all, it's no small task to simply 'inject' yourself between any given ATM and whatever central server it's talking to, but even if you manage to splice into a good cable line somewhere, this 'encryption within is now breakable' bit is pretty bollocks too. All encryption (save for maybe a good one-time pad) is 'breakable', but even someone as obviously talented as yourself would have one hell of a time recovering even a plain old https session key with your best machines running full-on-distributed attacks on collected ciphertext before the client and/or server renegotiated their handshake and produced a new key.
There is a reason for protocols like this. If SSL was a broken protocol, we'd have a hell of a lot more to worry about than ATM data. RC4, DES and the like may be on their last legs nowadays, but luckily for anyone who isn't an idiot, every decent SSL-capable server software has a laundry list of ciphers to choose from, as well as key lengths.
Something tells me your souped-up VAIO isn't going to be recovering a 128-bit Triple-DES key in under an hour or two while you're sitting in the mud somewhere spliced into an underground backbone. Getting the session key for one ATM before renegotiation would be impressive; implying that you can simply 'get them all' is hilarious.
Even if you do, what are you gonna sniff out? PINs aren't even sent in the clear on a majority of ATMs, they're generally sent as an HMAC in a DES or Triple-DES block, I'm gonna guess it's much the same for any other sensitive information as well in most cases.
I do know one thing with absolute certainty though, you damn sure can't packet sniff cold hard cash.
The biggest risk associated with ATM or debit cards is identity theft done by way of stolen PINs. I think to access our bank accounts, identity thieves typically have several ways of obtaining our PIN.