ATM Jackpot

Clever bit to dress as ATM technicians.

I hope this does not shock you too much: almost all ATMs do run Windows Embedded (at least here in Norway, and probably neighboring countries). They used to run OS/2, but when that died they had to switch to something else. Today most of them run Windows XP Embedded, some run win7 Embedded. On top of that is a Java platform on which the banks put their software.

Now, the ATMs in this country has almost everything inside the safe; exceptions are (obviously) the screen, keypad and cables for power and communications. So it would be hard to find a place to attach a cable to inject malware / remote control the ATM. Example: the communications between the keypad and the machine is encrypted. The ATM itself have various anti-tamper measures; if tampering is detected an alarm is sent, and the ATM sets itself out of service. If a technician is doing service on an ATM, the security company (the one that refills the ATM with cash) has to come along; they are the only ones who can open the safe.
 
We had a severe storm 2-3 years ago that knocked out power to my ATM and when I went to it to withdraw $$$ was surprised to see it had rebooted to an XP logo. I thought it would at least be running Linux.
 
I might think the banks distrust exposed source software, but then it was mentioned that they also use java. So, it maybe is rather that the MS commercial realm did a pretty good marketing job on them. I was surprised by the XP claim as well. In the POS (point of sale) world, DOS reigned high in the eighties, so it was natural for them to migrate to Windows rather than Linux.

I saw a news report mention that about $1 million was stolen in a couple days. Suppose it's higher now.
 
https://fossbytes.com/windows-xp-atm-hack-shift-key/
One wonders why an ATM has a full (in other words, complete) PC keyboard.

Snurg said:
One thing why banks hesitate to upgrade is that it would cost them more money than it would save them.
This is true, so very true. As with credit card fraud / misuse; as long as the loss is "acceptable" to the banks involved, they don't do anything with the problem. Only when the cost becomes unacceptable do they react.
 
They (the banks) are willing to take incredibly high losses: $200B in last year. It's because the crooks have gotten so many personal account details via data breaches, that they can spread their plunder over millions of accounts, where any one account theft is not worth going after. Plus, I suspect a substantial amount of insider related losses are occurring.
 
They (the banks) are willing to take incredibly high losses: $200B in last year. It's because the crooks have gotten so many personal account details via data breaches, that they can spread their plunder over millions of accounts, where any one account theft is not worth going after. Plus, I suspect a substantial amount of insider related losses are occurring.
This is a high number. Can you point to some reference, please?
I guess the ATM losses are a small fraction of these losses only...
 
This is a high number. Can you point to some reference, please?
I guess the ATM losses are a small fraction of these losses only...

I don't remember the source, but did a quick search for another one. This one is a little older (2015) and I think there's been an uptick since then. Probably not all of the loss is from banks, per se, and figures vary depending on where they come from. I seriously doubt there is a very accurate source for this information. For one thing, banks (and other entities) don't like to admit it.

https://www.forbes.com/sites/stevem...st-year-and-what-to-do-about-it/#7a9062f52b65
 
Back
Top