
Thieves Planted Malware to Hack ATMs - ca98am79
http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
======
ChuckMcM
Interesting physical attack using specially made printed circuit boards that
slide into the card reader slot. Designing a robust ATM has got to be up there
in terms of safety platform engineering.

~~~
bediger4000
I had a few problems with the circuit-board-in-credit-card-slot part of it.
Why would an ATM designer allow more than a few discreet signals (card
inserted, card withdrawn, magsstripe data ready) and the magstripe data itself
from the card reader into the ATM computer? It would cost a lot of money to
make a card reader that can do more than that, wouldn't it? You'd also have to
spend money on the device driver software to do more fancy stuff.

~~~
mschuster91
Because people aren't using the fucking magstripes anymore, thank god (at
least if you're outside the US, where chip+pin is basically not existing!).

Everyone sane is using the smartcard interface because usually the chips
cannot be cloned whereas a magstripe writer sets you back $150 and about 10
cents for a blank card. Just for the lulz: many payment terminals allow you
for reading the WHOLE RAW STRIPE DATA by a command... so you hack the PoS
software to issue a CardSwipe command before issuing the payment command.
Unsuspecting store clerk will follow the instructions on the terminal: 1)
swipe the card, 2) see the terminal saying again "Please swipe card", 3) think
the first swipe failed 4) swipe again and do the normal payment. This is
trivially done with any ZVT or OPI-based payment terminal. And it fucking
works. (If anyone is interested, drop me an email. I develop PoS software and
can send you a demo video)

The smartcard interface is the thing where the problems lie: PC/SC is a quite
easy API, but most of the software will be written in C and suffer from the
usual bugs: boundary checks done wrong, overflows, missing sanity checks...
this uber-long PCB is essentially not needed at all. You could entirely
implement everything on e.g. a BasicCard ($10 apiece for the high-memory+RFID
card) or any other programmable smart card.

Edit: I've been asked by email by some people for the demo video. It'll be
ready by Tuesday, I'll also submit it to HackerNews.

~~~
iancarroll
If you work for companies building Point of Sale software, please hire someone
to fix the UI...

~~~
mschuster91
I build my own! And yes, UI is a big, big sales point for us... stay tuned :)

~~~
iancarroll
Interesting. A shop I work for had to go with a really bad piece of software
because alternatives only had monthly fees.

~~~
mschuster91
Actually my system is open-source, with monthly fees being hardware rental and
support. Sure, buying a system is possible too, but these systems must be
continually updated e.g. to reflect changes in regulation, bugfixes etc.

------
j_s
I had some issues loading the article; here is the Google cache:

[http://webcache.googleusercontent.com/search?q=cache:YOzSV2s...](http://webcache.googleusercontent.com/search?q=cache:YOzSV2s1hQ8J:krebsonsecurity.com/2014/05/thieves-
planted-malware-to-hack-atms/+&cd=1&hl=en&ct=clnk&gl=us)

------
volatile
Inspired by John Conner with this Atari Portfolio and a ribbon cable in
Terminator 2? [http://imgur.com/5AVTMHV](http://imgur.com/5AVTMHV)

