No. of Recommendations: 2
Both my wife and I are dinosaurs ... we both have never used an ATM from the time these machines made their first appearance. I’ve always thought that ATMs present high security risks and are vulnerable to attack by savvy techies, e.g., I would always have to be wary about people around me while using the machine, and the ATM could be accessed and rigged to copy my security inputs and steal $$$$ from my account. Several of my friends were assaulted and robbed while using ATMs located in supposedly safe downtown business districts. No thanks. Now I read this.

At the Black Hat security conference in Las Vegas, Barnaby Jack, who is director of research at IOActive Labs, made cash pour from a machine for minutes on end. After studying four different companies' models, he said, "every ATM I've looked at, I've found a 'game over' vulnerability that allowed me to get cash from the machine." He's even identified an Internet-based attack that requires no physical access.
(snip)
The hardware kit that he used in the demonstration cost less than $100 to make.
(snip)
... he demonstrated a way for a thief to gain physical access to the ATM made by Triton. The device's main circuit, or motherboard, is protected only by a door with a lock that is relatively easy to open (Jack was able to buy a key online). He then used a USB port on the motherboard to upload his own software, which changed the device's display, played a tune, and made the machine spit out money.

This is absolutely pathetic and inexcusable.

... by using a computer to call one phone number after another; he was able to locate numerous machines within a couple of hours by searching through a 10,000-number exchange. An attacker could then exploit the software vulnerability to install control software known as a rootkit. To withdraw money, the attacker would visit the ATM later with a fake card or steal information from other users.

http://www.technologyreview.com/computing/25888/


Ray
No. of Recommendations: 8
<<At the Black Hat security conference in Las Vegas, Barnaby Jack, who is director of research at IOActive Labs, made cash pour from a machine for minutes on end. After studying four different companies' models, he said, "every ATM I've looked at, I've found a 'game over' vulnerability that allowed me to get cash from the machine." He's even identified an Internet-based attack that requires no physical access.>>



Thirty four years I've been using ATMs. Never a problem.

Of course, you are welcome to your worries and concerns.



Seattle Pioneer
No. of Recommendations: 0
Several of my friends were assaulted and robbed while using ATMs located in supposedly safe downtown business districts. No thanks. Now I read this.

Safe is relative. I know no one who has been assaulted or robbed at an ATM. Safety is dependent not only on the area, but also the location of the ATM on the building and time of day. I routinely use the same ATM, but only during daylight hours. In the very rare situation that I need to use an ATM after dark, I use one that is inside a grocery store.
No. of Recommendations: 3
I haven't used an ATM in almost twenty years myself, but I don't get your reasoning. My car could be stolen from my driveway. I could even be killed in a car jacking. But I still own and drive a car.

xtn
No. of Recommendations: 1
... by using a computer to call one phone number after another; he was able to locate numerous machines within a couple of hours by searching through a 10,000-number exchange.

If true, this is inexcusable. No ATM should be accessible from the public switched telephone network. They should only be accessible from data lines controlled by the financial institution that owns the ATM. That wouldn't make it impossible to do a hacker attack, but it shouldn't be as simple as robotically walking through 10,000 telephone numbers to find the machines.

To my certain knowledge, some banks were connecting ATMs with private data circuits that aren't accessible from the PSTN as early as the 1980s. The idea probably goes back further than that.

There's technology, and there's stupid . . . and there's hoaxes and urban legends. You can't fix stupid, but this part sounds an awful lot like an urban legend.

Patzer
No. of Recommendations: 5
To put this in perspective, the Black Hat conference is a gathering of the best hackers in the world. While something may be possible, it does not mean they're actually employing these methods for evil.

In most cases, these exploits are "shown off" to peers after the exploits have been reported to companies who will need to patch holes in their systems.

The main purpose of the hacker community is not what most people think. While there are a small number of criminals in the hacker world, the majority are hobbyists or folks who work to collect a "bounty" on finding security flaws in systems for major corporations.

And as always, your funds are protected by the FDIC. You should worry more about dropping a wad of cash on the subway.
No. of Recommendations: 0
Hee hee hee hee hee hee hee hee!!!

Oh, SP, sometimes you just make me squee. :-)


--Booa
No. of Recommendations: 0
Why don't you use your debit card at the grocery store checkout line and avoid the fee?
No. of Recommendations: 2
imuafool,

I imagine these are those newer ATMs that do things like print a copy of your deposited check and scan the check to OCR it to determine the deposit amount. I think these newer machines tend to use some version of Windows, such as WinCE. Older machines had relatively limited functionality and often a custom, proprietary OS and were difficult to hack mainly because they had relatively little code.

I imagine the recent installation of a profusion of new ATM models will come to a quick halt if hacking of ATMs becomes commonplace again. I say again, because I seem to recall stories about hackers breaking into ATMs back in the early '80s doing pretty much the same thing.

I think generally this is all a good thing. Any new technology like this needs to be shaken out for security vulnerabilities. And it was about time we started seeing some improvements in ATMs. These improvements help encourage customers to use ATMs, which cost the bank a lot less than paying a teller. And any losses from security breaches are not borne by the depositors - they are generally borne by the bank and its shareholders. At least that's true of these types of vulnerabilities.

Now ATM skimming is a different problem...

- Joel
No. of Recommendations: 3
Patzer,

You wrote, If true, this is inexcusable. No ATM should be accessible from the public switched telephone network. They should only be accessible from data lines controlled by the financial institution that owns the ATM. That wouldn't make it impossible to do a hacker attack, but it shouldn't be as simple as robotically walking through 10,000 telephone numbers to find the machines.

Personally I wouldn't have any problem with putting an ATM on a public network. ... As long as it uses appropriate security technology to authenticate the connection.

I'm not a security expert; but I've done a project or two that implemented encryption. If I were designing it, I'd opt for AES-256 (or similar) and some out-of-band method for exchanging a master key. AES-256 should be more or less unbreakable (from a computation standpoint) for several decades, which should make the connections secure - assuming you can find a way to physically secure access to both the machine and the data store containing each ATM's master key.

That seems to be the crux of the problem anyway. ATMs are physically vulnerable to attack simply because they must be in relatively public locations. The attack can be brute force or very sophisticated; but once the ATM has been compromised, preventing a crook from gaining access to the cash store would seem to be a pretty difficult problem whether the ATM is connected to a public network or not.

BTW, if today's ATMs have, for instance, standard remote log-in support over a public phone system ... I'd agree, that's just stupid. I mean, most passwords are simply not that cryptographically secure and are therefore eventually guessable if you have extended access to the machine. And if they're being passed as plain-text over a phone-line or network connection that someone might be sniffing... Well, that's really stupid.

- Joel
No. of Recommendations: 3
401kinvestor,

You wrote, Why don't you use your debit card at the grocery store checkout line and avoid the fee?

I'm confused.

I thought we were talking ATMs, not debit cards. I don't think vkg's post specifically said she was going to the store to shop - only that she used an ATM in a store for safety. (Stores are well lit, often have store security personnel and their ATMs are usually in view of store personnel.)

Also, just because an ATM is in a store doesn't mean you're going to be charged a fee. Banks around here often have branches inside stores and the ATMs for that branch are free to customers of that bank.

- Joel
No. of Recommendations: 0
Why don't you use your debit card at the grocery store checkout line and avoid the fee?

There is no fee for using my ATM card at my bank's ATMs in grocery stores.

I don't use my ATM card as a debit card. Locally, grocery store card readers have been compromised by store employees.
No. of Recommendations: 1
I don't use ATMs or debit cards at all.

I've got a credit card on me at all times, along with enough cash to keep myself alive for at least an hour in case my credit card doesn't work.

xtn
No. of Recommendations: 1
I've got a credit card on me at all times, along with enough cash to keep myself alive for at least an hour in case my credit card doesn't work.

xtn


It is very difficult for me to actually go into the bank during their normal business hours. I have given up using my ATM card as a debit card, but won't give up the ATM usage.
No. of Recommendations: 0
No ATM should be accessible from the public switched telephone network. They should only be accessible from data lines controlled by the financial institution that owns the ATM.

In that case there wouldn't be very many ATMs out there. Any ATM not located in a bank's physical location is either going to be connected to a phone line or an internet connection.

Anyway, there's no reason this has to be insecure. If ATM makers are relying on security by obscurity why should I care? It's their money, they decide how much security is necessary to protect it.
No. of Recommendations: 0
I avoid the $3 fee Wells Fargo charges at Frys for using their atm.

The credit union I belong to allows free atm use at most credit unions and avoid their fee.


The other credit unions I've seen in the fee disclosure only allow withdrawals from their atm only or a few without penalty.
No. of Recommendations: 0
It is very difficult for me to actually go into the bank during their normal business hours.

Understood. It's easy for me as I work just down the road from my bank. I just go by once every two months to deposit my paychecks and take some cash.

xtn
No. of Recommendations: 1
No ATM should be accessible from the public switched telephone network. They should only be accessible from data lines controlled by the financial institution that owns the ATM


*******

You are living in a dream land. Very few people use dedicated lines...and even for the dedicated one they usually are muxed onto a carrier's internal backbone at the switch level.
No. of Recommendations: 2
Any ATM not located in a bank's physical location is either going to be connected to a phone line or an internet connection.

Not true. Any ATM at a location that can get a phone line or an internet connection can get a private data line, and many did as early as the 1970's. There may be a business case that an internet connection or a phone line is more economical, net of losses to hacking; but a private data line is technically feasible anywhere that any wired connection to a public network is available. Note that by "private data line" I don't mean that the bank has to build it; these can be leased from the local phone company or probably from any company that offers internet connectivity to the desired location.

Joel already discussed the software security techniques to protect a phone line. Presumably an internet connection could be protected by using tunneling similar to what my employer uses for me to access the company intranet from home. My observation is that simply not having a connection to a network that the general public can access is a pretty easy to understand security precaution. The ATM doesn't need to talk to Google or Yahoo or TMF or my computer at home; it only needs to talk to the controlling bank's computers. Even non-technical executroids ought to be able to understand this.

Patzer
No. of Recommendations: 2
exeter17,

You wrote, You are living in a dream land. Very few people use dedicated lines...and even for the dedicated one they usually are muxed onto a carrier's internal backbone at the switch level.

My father used to lease a T1 line for his business. It used to be that a dedicated T1 or T3 was the only way to get any real bandwidth. It also provided security. Even now, ILECs will lease a dedicated T1 or T3 line to you.

My father was a Farmer's Insurance Agent until he retired a few years ago. At the time, Farmer's was requiring their agents to lease dedicated lines. It wasn't hard to set up and I think the charge was a few hundred/month. His T1 was probably routed through the carrier's switches - and at least concentrated onto a T3 to the home office in Austin - but the line was certainly not a "public switched" telephone line since it was an always-on dedicated connection to the home office.

It would have been extremely difficult for a hacker to connect to his systems through that line because there was no way to "dial in". They would have had to physically hack the ILEC's central office or install some kind of physical patch at his building. Certainly do-able; but a hacker would have to have a pretty good reason to go to so much trouble and risk exposing themselves that way.

- Joel
No. of Recommendations: 0
The credit union I belong to allows free atm use at most credit unions and avoid their fee.


The other credit unions I've seen in the fee disclosure only allow withdrawals from their atm only or a few without penalty.


Lots of credit unions belong to the CO-OP network of ATMs. Good in all 7-11 stores!
http://www.co-opfs.org/public/locators/atmlocator/index.cfm

If you live on the East Coast or out of the U.S., you will have different options.

Vickifool
No. of Recommendations: 0
Any ATM at a location that can get a phone line or an internet connection can get a private data line, and many did as early as the 1970's. There may be a business case that an internet connection or a phone line is more economical, net of losses to hacking; but a private data line is technically feasible anywhere that any wired connection to a public network is available

Sure, it's feasible. At roughly 20x-25x the cost. Your local gas station and mini mart would never have an ATM if they needed more than a simple connection. As you even point out, it takes nothing more than a VPN tunnel to secure an internet connection, a private data line is very close to useless.
No. of Recommendations: 2
maracle,

In response to Patzer you replied, Sure, it's feasible. At roughly 20x-25x the cost. Your local gas station and mini mart would never have an ATM if they needed more than a simple connection. As you even point out, it takes nothing more than a VPN tunnel to secure an internet connection, a private data line is very close to useless.

This is probably picking nits; but I would argue that a conventional VPN tunnel might not be good enough for any communications channel tunneled over a public communications system that is relied on for a large number of banking transactions or can be used to gain physical access to a vault containing sizable quantities of currency.

A VPN connection obtains a cryptographically secure temporal key using the well-known Diffie-Hellman key exchange methodology. The method allows two parties to agree on a random cryptographic key without exposing the random numbers they used to reach that agreement, nor the agreed-upon number itself. Therefore an external observer cannot guess the temporal key from simple observation.

However, Diffie-Hellman does not address the man-in-the-middle problem. From a security standpoint, we assume the constants used to compute the temporal key are well-known, therefore, any hacker can stand between you and the end-device/server and participate in the key exchange process. This allows him to obtain a temporal key between you and his device and another between his device and the device you're trying to talk to. Once in the middle, his device can record all of the traffic.

All security protocols require something more than a Diffie-Hellman exchange to validate the connection in an attempt to thwart man-in-the-middle attacks. Usually it's some form of pre-shared key (PSK). The password you set up at your bank's website is an example. This key is not subsequently disclosed when you log in - it is only used to create a validation hash code. The hash-code is generally not computationally reversible, at least not in real-time. However, if the hacker has unrestricted access to the target device, PSKs present a serious problem - they usually lack enough entropy to circumvent a dictionary or other brute force attack. This is the real reason why websites and VPN systems usually lock out a user after a few failed log in attempts.

To try to increase the entropy in PSK systems, many add things like rotating passwords. I have an RSA token for my work's VPN. That token simply displays a 6-digit key that changes once/minute. However, the key is actually guessable. The token is simply rotating through a pre-determined sequence of codes. Should a hacker determine this sequence and at any point determine where you are in the sequence, he effectively has your password for all time.

The only truly secure methods for authenticating a connection require out-of-band authentication. That's where a token or some other method outside the regular communication channel is used to pass or validate a cryptographically secure (unguessable) master key between two devices. This key is then used in subsequent attempts to authenticate the temporal key. There are several ways to do this type of out-of-band authentication; but I'm not aware of any VPN systems that use any out-of-band authentication methods.

Most banks (and ATM manufacturers) would probably opt for a simple, out-of-the-box VPN; but I think that represents some risk for the ATM-owner. They may think the risk is acceptable; but I imagine the people making the decision probably aren't even aware of the issues...

BTW, All of this still assumes both devices themselves are not physically compromised... Once that happens, all bets are off.

- Joel
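
The post above describes a key exchange that an intermediary can split in two, and a pre-shared master key used to validate it. The following is an added example, not part of the original post: a toy Diffie-Hellman exchange in which each side sends an HMAC, keyed with a master key assumed to have been installed out of band, over both public values. The group parameters, function names and roles (`atm`, `host`) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive the temporal key from our private value and the peer's public value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag(master_key, role, own_pub, peer_pub):
    """MAC that binds both public values to the pre-shared master key."""
    msg = role + own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def verify(master_key, role, sender_pub, receiver_pub, received_tag):
    """Recompute the sender's tag from the values the receiver actually saw."""
    expected = tag(master_key, role, sender_pub, receiver_pub)
    return hmac.compare_digest(expected, received_tag)


def run_exchange(master_key, interceptor=False):
    """Return (temporal_keys_match, atm_accepts, host_accepts)."""
    atm_priv, atm_pub = keypair()
    host_priv, host_pub = keypair()
    seen_by_host, seen_by_atm = atm_pub, host_pub
    if interceptor:
        # An intermediary without the master key swaps in its own public values.
        _, middle_pub_a = keypair()
        _, middle_pub_b = keypair()
        seen_by_host, seen_by_atm = middle_pub_a, middle_pub_b

    atm_key = session_key(atm_priv, seen_by_atm)
    host_key = session_key(host_priv, seen_by_host)

    # Each side MACs its own public value plus the one it received.
    atm_tag = tag(master_key, b"atm", atm_pub, seen_by_atm)
    host_tag = tag(master_key, b"host", host_pub, seen_by_host)

    # Without the master key the intermediary can only relay the tags unchanged.
    host_accepts = verify(master_key, b"atm", seen_by_host, host_pub, atm_tag)
    atm_accepts = verify(master_key, b"host", seen_by_atm, atm_pub, host_tag)
    return atm_key == host_key, atm_accepts, host_accepts


if __name__ == "__main__":
    mk = secrets.token_bytes(32)  # constructed stand-in for the out-of-band master key
    print("direct:     ", run_exchange(mk))
    print("intercepted:", run_exchange(mk, interceptor=True))
```

When the public values are substituted in transit, both tag checks fail and each endpoint can drop the connection before any traffic is sent under the mismatched temporal keys.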
No. of Recommendations: 0
Most banks (and ATM manufacturers) would probably opt for a simple, out-of-the-box VPN; but I think that represents some risk for the ATM-owner. They may think the risk is acceptable; but I imagine the people making the decision probably aren't even aware of the issues...

There's no doubt a bit more than a simple VPN would be desirable. My last job was for a company that made smart cards. If every ATM had a smart card chip installed, and signed each transaction using the card, this would be a very secure way to handle this. It would require certificates to be set up for each machine, so a little bit of work would be involved in "issuing" the ATM. The chip itself would cost $1-5, plus the machine would need a smart card reader (I assume they're using off-the-shelf motherboards in these things, if it's proprietary their next board design could include a built in reader like the SIM card slot in your cell phone at a very low cost).

Banks actually use this exact system to secure transactions between branches and datacenters. I can't recall the name of the company, but we had customers that bought our cards to be used for their transaction security products they sold to banks. For small banks with low volumes of transactions a simple server with a reader, card, and their software package was all that was necessary. It takes a couple of seconds to sign something, but since an ATM is limited to one customer at a time it works well enough.

In general it seems to me that ATM theft and fraud must be very low, or mostly limited to hauling off the entire machine...the jokers that make them seem to barely consider security. The leading ATM maker is, I believe, Diebold and we've probably all read about their ridiculous designs for voting machines which are probably not much different...
No. of Recommendations: 0
Joel,

Even a leased T1 muxes to a T3 carrier. Even if they say it's private it still comes onto a shared backbone somewhere. Don't care if it's Frame or ISDN or switched 56...at some point it's shared unless you personally are an ILEC or someplace that can run its own lines.

Even the old x.25 lines were shared.