ATM malware makes it dispense cash without a card

[Chicog]

All I can say is Hmmmmmmm.

How much would a low-paid bank clerk accept to boot a CD in an ATM when no-one is looking?

(Added: There is no sound on the Youtube video).

Security experts have revealed how they managed to hack into a cash machine and order it to dispense wads of money.

Members of Kaspersky Lab's Global Research and Analysis Team, at the behest of a financial institution, said they undertook a “forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe” earlier this year.

Scroll down to see a video of how it's done

They found that a piece of malware on the machines calledBackdoor.MSIL.Tyupkin – which at the time numbered at least 50 ATMs – allowed hackers to withdraw 40 notes without needing a debit or credit card.

The team believes that the malware has actually now spread from Eastern Europe to financial institutions in the US, France, China and India.

“The malware uses several sneaky techniques to avoid detection,” the team said in a blog post.

“First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

“When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.”

https://www.youtube.com/watch?v=QZvdPM_h2o8

It is believed that the cyber attackers were able to install the malware via a bootable CD.

A YouTube video showing how the experts managed to overcome the system has been posted online.

Kaspersky Labs said increased public and official awareness on card skimming operations by fraudsters had meant that they had to adapt and try new ways of targeting the cash machines.

According to the BBC, Interpol has alerted countries that may have been affected and is conducting an investigation.

At the end of their explanation, the experts wrote a list of recommendations for businesses, including making sure the ATM security alarm actually works because the hackers appeared to have targeted ones whose alarms didn’t.

“Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals,” they said.

Edited October 8, 2014 by Chicog

[RichCor]

Maybe if the ATM didn't run on Microsoft Windows XP...

I have a debit card that if used in a Laos Bank ATM machine will cause their ATM to crash to the Windows desktop, display it's IP and transaction authentication info, and eventually reset. It also eats the card in the process. I've done it 4 times in two years. The bank doesn't care, they just say, "Don't use that card". Windows XP? Really?

Just yesterday I watched some ATM service personnel working on a front-load ATM and using the service menu to test cash dispersal from the cartridges. Looked just like the screenshots from that article.

[wilcopops]

Isn't this because they are still using Windows XP which is no longer updated by Microsoft?

[Chicog]

Isn't this because they are still using Windows XP which is no longer updated by Microsoft?

Updates are still available if you are willing to pay for them.

Perhaps the victims were trying to do it on the cheap.

[sometimewoodworker]

Isn't this because they are still using Windows XP which is no longer updated by Microsoft?

Updates are still available if you are willing to pay for them.

Perhaps the victims were trying to do it on the cheap.

The win XP updates are still free for ATMs for 5 more years.

[Don Aleman]

Personally, in the interest of overhead, I find peanut butter with a smidge of strawberry jam, though sticky, does the trick.

[Chicog]

Personally, in the interest of overhead, I find peanut butter with a smidge of strawberry jam, though sticky, does the trick.

Erm........

[lucifer666]

If you lose a ATM card, Natwest in the UK can give you a code to type in that will dispense cash. I'm guessing that it will only work on dedicated Natwest machines though, but you never know !

[Danhig]

Personally, in the interest of overhead, I find peanut butter with a smidge of strawberry jam, though sticky, does the trick.

Erm........

It's an Urban legend.

Sticks the notes together when injected into the dispenser. You get the stuck together notes instead of just one.

Complete <deleted> of course.

[Greg Nixon]

Would you be willing to go to jail in Thailand for $1300.00 ? hahahaha . 40 x 1000 THB = 40,000 THB about $1300.00 . How about $20,000.00. Would you be willing to go to jail for 5 years in a Thai jail for that ? hahahahaaha. I make more than that in a year.