
‘Jackpotting’ Attacks Hit U.S. ATMs - larrymcp
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
======
skc
I worked for Diebold on their ATMs for a while.

I was surprised to learn that they run full Windows. In fact, one of the
projects I was on had a requirement that we upgrade the OS from XP to Windows
7 for security reasons.

Regardless though, you can make an ATM do whatever you want if you have enough
time and access to it. One of our low level debugging tools allowed you to
effectively control every aspect of the device, so it could spit out whatever
denominations you liked without talking to the bank's mainframe.

We used to have fun printing out ATM receipts showing our fake balances of
millions of dollars etc.

~~~
Someone1234
A full version of Windows or Windows Embedded ("Windows IoT")?

~~~
skc
Full version of Windows.

And want to know something else? The UI layer was HTML + JavaScript and some
funky CSS that ran on a custom modified version of IE6.

Beneath that, to handle fetching of data, comms, navigation, window management
and other business logic etc, we used good old .NET and C#.

It was a bizarre setup from a dev perspective but once you got used to it you
could crank out new features incredibly quickly as you had a heavily
regimented workflow (Usability trumps _everything_ with these machines).

If you open up an ATM you will find your standard run of the mill beige PC
inside it and in fact in many of the older machines they _literally_ stuff an
_entire_ PC case in there simply laid on its side.

There is also an extra monitor back there with a little keyboard attached.

The only impressive aspect of ATMs is the engineering that goes into all of
the supporting hardware and peripherals such as the stackers, the cash
acceptors, the cheque validators, the printers, the recycling cash canisters,
the electronic pin pads, the various fraud detection features etc. I found
that stuff much more interesting than the dev work I did day to day.

------
ojosilva
If you, like me, were wondering what the Secret Service (widely recognized for
their duties as presidential bodyguards) has to do with ATM fraud, there's a
comment below the article from the author:

> I didn’t mention it in the story, but perhaps I should have: The original
> mission of the Secret Service when it was created in the 1800s was to
> safeguard the U.S. currency from counterfeiters. Only after a few presidents
> were assassinated did their mission grow to include protection of the
> president and other dignitaries. Both are their dual roles today.

[https://www.secretservice.gov/about/history/events/](https://www.secretservice.gov/about/history/events/)

~~~
_asummers
If you deposit more than 10k in cash, a bank is obligated to inform the Secret
Service's money laundering division per the PATRIOT Act. Secret Service has
jurisdiction in a few places you wouldn't expect.

~~~
DrJokepu
FinCEN is part of the Department of the Treasury, not the Secret Service
(which has been a part of the Department of Homeland Security since 2003).

------
ilikeATMs
If you ever open up an ATM you'll realise that the majority of things are
controlled by serial interfaces (up to 6 of them) for all the motors and
pneumatic hardware. If the operating system becomes hardened enough, you'll
eventually have people interface with the serial ports directly to manipulate
the cash-drawers.

I'm not sure why this hasn't really been done in practice but it shouldn't be
too difficult to figure out how to do correctly.

In most ATMs the computer hardware and interface connectors are also all
housed in the top (mostly plastic or low-quality cast metal) shrouds (as
opposed to the currency locked in a safe). Traditionally wafer locks were also
used to secure this section; however, they are slowly migrating to higher
security locks like Abloys.

ATM manufacturers may want to take a look at slot machine manufacturers for
clues on how to harden machines against tampering.

~~~
xg15
Somehow I'm not surprised that hardening is a higher priority for slot
machines than for ATMs...

~~~
mcny
I've read (though have no first hand experience) that slot machines have
better security and better vetting than electronic voting machines do so I'm
not surprised either.

~~~
EvanAnderson
In Nevada the source code for gaming devices is required to be provided to the
state gaming commission.

 _(c) In the case of a gaming device, a copy of all executable software,
including data and graphic information, and a copy of all source code for
programs that cannot be reasonably demonstrated to have any use other than in
a gaming device, submitted on electronically readable, unalterable media;_

[http://gaming.nv.gov/modules/showdocument.aspx?documentid=29...](http://gaming.nv.gov/modules/showdocument.aspx?documentid=2921)

~~~
xg15
But _only_ for "programs that cannot be reasonably demonstrated to have any
use other than in a gaming device".

Makes one imagine what kind of political trench wars probably went on behind
the scenes about this regulation.

Edit: On second thought, this seems awfully easy to circumvent. What stops me
from making a rigged PRNG and then refusing to make the source code available
on the grounds that there are lots of non-gambling applications for PRNGs?

~~~
da_chicken
The gaming commission also regulates how much each machine must pay out over a
given period with a given take. Any machine not in compliance is removed, and
the casino can be fined. Continued non-compliance can result in the
termination of the casino gaming license.

This was true even before electronic slot machines.

~~~
xg15
Sounds better but still defeatable. I could track individual players
throughout the casino (which is already common practice, I think) and decide
on payout depending on how much money I already made through them.

E.g., if someone already dumped a lot of money into other games, I can give
them above-average odds of winning and be sure I still make a profit (and they
make a loss), otherwise I'll give them below-average odds.

If I tune this right, the average outcome over all players will still look
"fair".

Or I simply give the above-average play sessions to strawmen.

~~~
jacquesm
Except that that is not allowed. It's individual machines tested in isolation
that should perform _exactly_ as legally mandated. The only kind of remote
interaction there is is logging to make sure they can prove that the machine
performed as advertised and to know when to empty the coin box.

~~~
fjsolwmv
Modern slot machines don't use just local rngs, they essentially obtain
lottery tickets from a central computer. That's how you get building-wide
jackpots.

------
sytelus
The details:

The attackers typically use an endoscope so they can attach a cord to the
computer and install malware. This makes ATM remotely controllable!

In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40
bills every 23 seconds. Once the dispense cycle starts, the only way to stop
it is to press cancel on the keypad. Otherwise, the machine is completely
emptied of cash.

Jackpotting it is.

------
rhexs
Embedded software is easy to hack. Spend quite a bit of money getting access
to the binary running a common ATM platform. Reverse engineer it. Find a
vulnerability. Trigger it. Done!

The age of (common) embedded system exploitation is finally upon us.

~~~
cjensen
The "hack" in question involves replacing the hard drive.

This isn't an embedded issue. This is a physical access to OS issue.

~~~
polishninja
It doesn't help that almost all the fascia locks on each vendor's machines are
a standard key. With that standard key, you have full access to the computer
or embedded device drive.

Nowadays the communication link to the dispenser is encrypted, making swapping
the hard drive useless. The real problem is the machines aren't replaced very
often so there are quite a few old models out in the field that are
susceptible to this sort of attack.

~~~
colejohnson66
> It doesn't help that almost all the fascia locks on each vendor's machines
> are a standard key.

Interesting. Is there a source for this?

~~~
namibj
There is a DEF CON talk about jackpotting ATMs.

------
p1mrx
Wow, I always thought the ATM scene from Terminator 2 seemed unrealistic, but
now people are literally doing that:

[https://www.youtube.com/watch?v=3cfQKxUffqA](https://www.youtube.com/watch?v=3cfQKxUffqA)

~~~
shaunpud
How does it work with posting short scenes from a movie on YT, and possibly
monetising? Is it just a case of the studio not reacting, or is there a grey
area where you're able to do it?

~~~
ipince
The studio (content-owner) is who receives the proceeds of monetization, even
if they didn't upload the video themselves.

------
glaberficken
> "The Secret Service alert says ATMs still running on Windows XP are
> particularly vulnerable, and it urged ATM operators to update to a version of
> Windows 7 to defeat this specific type of attack."

I had no idea ATMs ran Windows!

~~~
vultour
You'd be surprised how many things are running Windows. I always wonder if the
manufacturer just hires cheap contractors that haven't seen anything apart
from Windows in their entire life, or if there is an actual reason it can't
run on Linux.

~~~
Hendrikto
OpenBSD would be perfect for the job, wouldn't it?

~~~
luma
An OpenBSD machine still running unpatched from the XP era would be every bit
as vulnerable.

~~~
ams6110
Yes and no. OpenBSD always had far fewer exploitable bugs than Windows, so it
presents a smaller attack surface. And far fewer people bothered to develop
exploits. Windows has always been the big juicy target, with exploits easily
available.

But on the other hand, it only takes one.

------
herodotus
The Reuters article is very low on detail.
[https://krebsonsecurity.com](https://krebsonsecurity.com) is much more
informative.

~~~
dang
OK, we've changed to that from [https://www.reuters.com/article/us-cyber-atms-usa/atm-makers...](https://www.reuters.com/article/us-cyber-atms-usa/atm-makers-warn-of-jackpotting-hacks-on-u-s-machines-idUSKBN1FG0WU).

------
rapnie
First? The late Barnaby Jack did it in 2010 :)

[https://en.wikipedia.org/wiki/Barnaby_Jack](https://en.wikipedia.org/wiki/Barnaby_Jack)

~~~
speedie
And it seems to follow suit. The "jackpot" part. Seeing those bells on
the ATM gave me a good laugh ..

------
userbinator
_According to FireEye, the Ploutus attacks seen so far require thieves to
somehow gain physical access to an ATM — either by picking its locks, using a
stolen master key or otherwise removing or destroying part of the machine._

ATMs need to be more physically secure, like bank safes, if they are to be
resistant to such attacks. The software part is mostly immaterial here, IMHO
--- it doesn't matter what the software is, if you can get access to the
physical money.

~~~
eps
I used to work with various ATMs and the cash dispenser _is_ a hardened safe,
with a combination lock and all. If you are to steal an ATM, you will still
need to open the safe and the simplest option would indeed be to try and
persuade it to just dispense the money.

The thing is that ATMs from larger vendors (IBM, NCR, Bull, Siemens, etc.)
have layers upon layers of protection features. For example, you can configure
a secondary combination for the safe which will open it and also send an
emergency alert. This is for the cases when someone is being forced to open
the safe at gunpoint. There are batteries for secondary power supply. There
are options for physical lock-down in case of a power loss. Tilt and movement
sensors. Redundant communication options, including exotics like x.28 radio.

I mean that all of this was readily available even 20 years ago. ATMs are not
designed by amateurs. The issue is that all these are _options_. They need to
be bought first and then they also need to be properly configured and enabled,
which falls on the banks or their IT service providers to do. The smaller the
bank, the less willing they are to spend even more money on configuring
secondary stuff and setting up an infrastructure for it, so many of these
options will remain off even if they are available.

~~~
Tempest1981
Can you explain more about the X.28 radio, and its purpose? Communication between
where?

------
pferde
Several years ago, I had an ATM crash and reboot after pressing one of the
screen side buttons when the machine was waiting for PIN entry via the numeric
pad. It rebooted, and I could see that it was running MS-DOS, not even Windows.
Luckily, after the reboot completed and the ATM frontend program started, it
spit out my card again.

With one of the offices of my bank being nearby (to be able to block my card if I
couldn't get it back), I tried it two more times, just to check that it wasn't
a random occurrence.

While it was probably nothing that could further be escalated into gaining
access without additional hardware, it gave me a chuckle (and a bit of fear
for my card, initially).

~~~
dtech
I'd rather have an ATM running MS-DOS than Windows. At least the attack surface
is small. God knows how many ATMs are running Windows 98 and XP, which contain
major security holes which will never be patched.

------
iFred
One of the first unethical “hacker” things I did was to attempt to change the
bill output to a larger bill. I got so incredibly nervous when I went into the
debug screen that I power walked out of the corner store when the clerk
noticed I had been at the machine for several minutes and had not inserted a
card.

You find a lot of these ATMs that are even more insecure than the larger WinXP
machines. Those little kiosks are perfect for skimmers, manipulation, or just
fucking around with.

~~~
londons_explore
Hah - the old "swap the tray configs around" trick...

------
exikyut
I just read through the comments and was VERY surprised to see no one call this
out:

> _At this point, the crook(s) installing the malware will contact co-
> conspirators who can remotely control the ATMs and force the machines to
> dispense cash._

Realize what this means. The ATMs are connected directly to the internet, with
a VPN (hopefully...) sitting over the top of that. The ATM can still call out
to the internet directly!!

That is, honestly, shockingly insecure. I'm stunned.

I read
[https://news.ycombinator.com/item?id=16250498](https://news.ycombinator.com/item?id=16250498)
and how ATMs have different options for security, but "allow anything except
the VPN software access to the NIC default route" doesn't sound like something
_anything_ should be able to disable.

I mean... I know nothing about networking, and I was able to configure this
exact behavior on FreeBSD - which I'd never used before - in a day. I set it
up so a torrent program was physically incapable of doing DNS/anything outside
of the VPN tunnel interface.

~~~
Anthony-G
When I read that part, I figured that the crooks were using their own mobile
Internet connection on the laptop or mobile device that they had connected to
the ATM.

~~~
exikyut
....Ah. That is a very real possibility. Thanks for pointing that out.

------
eikenberry
I assume this will end with there being fewer ATMs. That they will become more
expensive to run due to the costs of hardened physical devices and insurance.
If they become too rare it could result in a reduction of cash usage, maybe
significantly.

~~~
StudentStuff
Good luck with that, outside of a handful of Nordic oddballs, cash is still
king in most of the world (US included). We have a massive unbanked population
that isn't going to start using banks or digital payments anytime soon, no
matter what politicians or economists may desire.

~~~
belorn
The way that Sweden did it was in small steps, some of which other nations have
already done.

Encourage companies to only pay employees through banks by making it
practically impossible to pay through cash. Expand money laundering laws so
that banks are liable if they give out or take in physical cash, with short
and hard limits to ATMs. Make it acceptable to have police confiscate money
if a person carries more than a few hundred dollars. Just to give examples of
those, a person was stopped by a routine police stop when they saw $350 and
confiscated it on the concept that such a huge amount of money was a sign of
money laundering. A few months ago an elderly couple (70+) had sold
their car but could not put the 10 grand into the bank since the sale papers
(including government signed transfer) were not enough to prove definitively
that the money was not part of any money laundering. Sweden invalidated
all bills and coins made before 2015, forcing everyone to have them exchanged
or put in the bank, which was why the elderly couple needed to put the money
in the bank.

Add to that a heavy joint campaign between banks and government to paint any
physical cash transaction as putting employees at stores at risk and that it's
a moral responsibility that everyone only use banks, and a strong decline in
the availability of bank offices that handle cash.

~~~
cal5k
I actually think this is fundamentally an attack on the right to transact
anonymously. Trends towards the confiscation of large sums of cash, increasing
restrictions on moving money relating to KYC/AML, and the further emphasis on
digital forms of payment give governments and, more worryingly, banks the
ability to exert incredible influence over the day-to-day lives of
individuals.

Here's a good Canadian example - banks now refuse accounts to "high risk"
businesses like money services (currency conversion etc.) under the guise that
the KYC/AML requirements involved make it too risky for the bank to service
them. And yet, our major banks have huge currency conversion businesses - so
in essence these laws are being used to stifle competition.

For merchants, credit cards and debit were originally billed as items that
would improve their sales - so who cares if interchange fees add up to a
whopping 3% on transactions? But now with almost everyone demanding that
stores accept credit/debit, merchants are hit with what is essentially a non-
government tax on their revenues. Every "cash back" or "rewards" card is
basically funded at the expense of merchants.

~~~
ams6110
In the USA also, there is a not-small number of hard-core Christians that
would view mandated digital payments as "the mark of the beast" and refuse on
that basis.

~~~
fjsolwmv
Cash money also has the mark of this beast, and the number of those fringe
wackos is small.

------
oldpond
I guess Diebold makes their ATMs just like their voting machines.
[https://www.unhackthevote.com/](https://www.unhackthevote.com/)

------
sergers
I am guessing they pulled an unencrypted hard drive from the ATM, analyzed it
and the commands. Found the one that spits out cash.

They pop in one with modified code and reboot it to read the new drive.

The only similar ATM I can guess in Canada would already be suspect, in
convenience stores, clubs, weed shops, strip clubs lol... The non-bank name
brand.

Had one bluescreened after taking money from account but before outputting
money.

Was running Windows.

Didn't give any money, but kept the money from the account.

Had to call my bank.

------
amelius
> To carry out a jackpotting attack, thieves first must gain physical access
> to the cash machine.

Ok, like breaking the machine open, but that's cheating, and hasn't got a lot
to do with software security.

------
speedie
Overheard some small talk about something similar in Croatia a couple of days ago. I
thought the guy was drunk and bs-ing the waitress. Now I hope I bump into him
again ;)

------
Simulacra
It seems the ATM has not evolved very much over the past 20 years. Any ideas
why?

~~~
netsharc
Why should it? Its function is to spit out money and it functions well enough
for that.

Obviously they do add features, like topping up phone credit or bill paying.
But I would guess nowadays the bankers would rather pay smartphone app
developers rather than the ATM developers...

~~~
chrischen
By that definition you can say it's doing its job even better now!

------
Hendrikto
> The Secret Service alert says ATMs still running on Windows XP are
> particularly vulnerable, and it urged ATM operators to update to a version
> of Windows 7 to defeat this specific type of attack.

I would argue that Windows isn't at all the right OS for this.

~~~
gkgicccj
What is? And do you have an OS that you are comfortable calling "secure"?
Remember security through obscurity as enjoyed by Mac and Linux doesn't apply
here because there is actual money and hence incentive to find vulnerability
at stake.

~~~
speleding
It should be much easier to secure a small OS targeted at the job at hand
rather than a general purpose OS that supports everything from mouse drivers
to webcams which gives it a huge attack surface.

------
ScottBurson
_The Secret Service alert says ATMs still running on Windows XP are
particularly vulnerable, and it urged ATM operators to update to a version of
Windows 7 to defeat this specific type of attack._

I think this applies, _mutatis mutandis_ :
[https://xkcd.com/463/](https://xkcd.com/463/)

~~~
perl4ever
At least they aren't running OS/2 Warp.

~~~
the-dude
Actually, OS/2 has been used for ATMs (I've seen them in the EU, a long time
ago).

~~~
xen2xen1
Yup, you'd probably be surprised how much of that is still out there. At this
point I'd rather have that than XP which has lots of well known exploits.

~~~
perl4ever
It appears that NCR and Diebold made the decision to migrate from OS/2 to Win
XP a while ago.

------
oculusthrift
Fiat wallets hacked. This is good for bitcoin.

------
markbnj
If people didn't need cash this problem would go away. I think of this
occasionally when I visit our local bagel shop, which like many bagel shops in
the area does not take cards and has an ATM onsite.

~~~
KozmoNau7
On the other hand, if you pay by card everywhere, your movements and spending
habits will be tracked and catalogued.

A lot of people are not comfortable with that.

~~~
grey-area
The vast majority carry an internet connected GPS tracker with microphone,
Wi-Fi, Bluetooth, SMS and email all in one place with them at all times, and
bank accounts, SMS, emails are already accessible to the state on the server
side. Shops are using facial recognition and Bluetooth to advertise and track
customers. So I honestly think privacy in what you purchase is a ship that has
sailed; this data will be recorded in future.

What we should be agitating for is proper control over the use of this info,
not trying to limit ways to collect it.

~~~
tomalpha
In Europe, the General Data Protection Regulation supposedly does just this.
There is a notable exception for “national security”, but it does at least
help move in the right direction.

[https://www.csoonline.com/article/3202771/data-protection/ge...](https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html)

~~~
grey-area
Yes I agree that's the correct approach.

