Democratic Underground

Cash machines hacked to spew out card details

This topic is archived.
 
Nihil Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 04:36 AM
Original message
Cash machines hacked to spew out card details
Source: New Scientist

What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street.
...
After months poring over the Windows-based software in the bank's ATMs, Henwood and his team were astonished. They found a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe. In a PC, this helps the Microsoft operating system cache session data - so users don't have to re-enter their passwords every time they get a new email, for example.
...
Once installed, the malware implements a "card data harvesting" routine, SpiderLabs said in an alert to banks issued at the end of May. When a customer inserts their card, the malware records to hard disc its account number, start date, expiry date and three-digit security code, as well as the PIN entered.
...
Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves.
...

Read more: http://www.newscientist.com/article/mg20227135.700-cash-machines-hacked-to-spew-out-card-details.html?full=true



:wow:
RandomThoughts Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 04:45 AM
Response to Original message
1. another reason not to have electronic voting machines.
Since they have 1/10 the security of ATMs
 
muriel_volestrangler Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 04:46 AM
Response to Original message
2. You have to hope the bank security is better in western countries
It says it all depends on them getting access to the machines to install the programs. You also wonder whether the banks would say "well, you must have told someone your PIN - this is your fault, so we're not going to pay for it" to anyone who is hit by it.
 
tomreedtoon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 06:06 AM
Response to Original message
3. I was shocked to see an Atlanta SunTrust ATM boot into Windows.
I knew that something like this would happen, because the lazy programmers would use Windows which can be easily hacked.

On the other hand, I once found a clutch of Disney's IT people and asked what their elaborate fingerprint-reading entry terminals used - Windows or Linux. They said "machine language." They programmed something that would be very difficult to hack.

I would have expected the ATM manufacturers to do something like this, but I guess they are as lazy and corrupt as the people who make touch-screen voting machines.
 
w4rma Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 06:11 AM
Response to Reply #3
4. Diebold makes both. And they cut corners on both to pocket more profits. (nt)
 
hootinholler Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 07:18 AM
Response to Reply #3
6. OH! It's the lazy programmer's fault.
Talk to the execs of Diebold and IBM about how that design decision was made before you accuse the programmers of laziness.

-Holler
 
NashVegas Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 09:03 AM
Response to Reply #3
10. I've Seen That At A Local Utility Office
Where people go to pay their electric bill.
 
northernlights Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 06:14 AM
Response to Original message
5. when my identity was stolen 3 years ago
(by an id theft ring operating out of HP and using insider info to do so) the police told me there are 3 major groups trying to do the sort of thing above: the regular mafia, the Russian mafia and al qaeda. It's just a matter of time...
 
peacetalksforall Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 08:53 AM
Response to Reply #5
9. HP? I immediately think Hewlett-Packard (whose printer stinks -I'm about to go out to rent a
Edited on Thu Jun-18-09 08:53 AM by peacetalksforall
sledge hammer). Never more.

out of HP is a country code?
 
paparush Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 08:16 AM
Response to Original message
7. Maybe running XP on these machines isn't such a great idea? Huh, ya think?
I heard a review of this on Steve Gibson's "Security Now" podcast and it seems like it had to be an inside job to load the original lsass.exe-disguised trojan onto each system. Probably a technician employed by the company that services the machines.
 
peacetalksforall Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 08:51 AM
Response to Reply #7
8. When I read the OP the first thought was that there is a kick back agreement..
 
izquierdista Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 01:32 PM
Response to Reply #7
19. They should switch to Vista
When the trigger card is inserted, the ATM will crash.
 
NashVegas Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 09:05 AM
Response to Original message
11. Let Me Admit Up Front: I Dig Most Things Online
But if computers all disappeared tomorrow, I suspect most of the world would be better off, excepting those who work in the computer / IT industries.
 
Iggo Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 09:34 AM
Response to Reply #11
12. I hear you...
...and I've said as much to my acquaintances, and they look at me like I'm from fookin Mars.

If computers disappeared tomorrow, yeah, it'd take a lot of the fun stuff out of the current version of my lifestyle, but the world might be better off.
 
digidigido Donating Member (553 posts) Send PM | Profile | Ignore Thu Jun-18-09 10:39 AM
Response to Reply #11
13. Keep them for entertainment and emails, but disallow them for commerce and industry
 
phantom power Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 10:40 AM
Response to Original message
14. I'm going to resist my usual urge to bash MS crappy security...
because they're right -- the real security question is how they got access to install that malware.
 
Deja Q Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 01:01 PM
Response to Reply #14
17. Pretty easily; it needn't be "an inside job"...
...

 
starroute Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 12:52 PM
Response to Original message
15. Did I hear somebody say "Diebold"?
Though somehow the claim in this story from March that the attacks were limited to Russia and the suspects had been apprehended doesn't quite match up with the current New Scientist account of a more widespread attack that is expected to expand to the US and Asia.

http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1351256,00.html

Diebold ATMs in Russia targeted with malware
By Marcia Savage, Features Editor, Information Security magazine
18 Mar 2009

Diebold Inc. issued a security update for its Windows-based ATMs after criminals attacked a number of them in Russia and installed malware designed to steal sensitive data.

North Canton, Ohio-based Diebold alerted customers about the break-ins and the security update in January. The attacks, which were isolated to Russia, involved physical access to ATMs and were not a network-level security compromise, the company said in its notice. The suspects in the case have been apprehended, according to Diebold. . . .

Vanja Svajcer, a principal virus researcher at UK-based antivirus supplier Sophos Plc., this week discovered the malware that targeted the Diebold ATMs. . . .

While Sophos researchers can't test the malware on an ATM, Cluley said it appears that the malware tried to copy an ATM user's card and PIN numbers and then waited until a member of the criminal gang inserted a specially crafted card into the machine. The software would recognize the card and print out the stolen card and PIN numbers onto the paper ATM receipt.

 
Deja Q Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 12:59 PM
Response to Original message
16. Windows, eh? Just wait for "Problem Steps Recorder" to help you out...
 
sarcasmo Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jun-18-09 01:23 PM
Response to Original message
18. I only take money out at point of purchase places like Target and Walgreens.
Cash back equals ATM fee.
 
