Vulnerability Development mailing list archives

ATM exploits - Was Re: Modern hw-killing virus feasible


From: Jerry Carrell <JERRYCTX () AOL COM>
Date: Thu, 8 Mar 2001 12:39:04 EST

In a message dated 3/7/01 10:38:23 PM Central Standard Time
jono () MICROSHAFT ORG wrote:

For example, some free standing ATM machines actually dial-up (yes, you
can hear the modem dial and the connection hiss) connections to the
network. An ATM technician even told me that the line from the wall to the
ATM, which is usually protected, was a T-1. When asked if someone could
just pull it and hook back in, he stated that it would send an alarm to
the CO, but a bridge would work fine.

Does anyone have more information about these devices and what kind of
risk we may actually be exposed to?


I haven't worked with ATMs for several years but I doubt that any use a T-1.
A standard leased line can handle the maximum traffic from several dozen
ATMs. Also never worked with dial up although there was a proposed project
for a ship-board ATM using ship-to-shore telephony.

The ATM network I worked for did suffer significant losses to wire-taps. The
thief would select an ATM in a strip mall because the telephone junction box
was usually unprotected on the back of the building near a telephone pole
with a tell-tale large metal conduit.

The thief (we believe) would back a van to the junction box. Using a device
from Radio Shack he could easily identify the digital signals of the data
line. He used one or two PCs in the back of the van to (a) respond to the
polls from the host so the network did not sense a problem (except possibly a
brief interruption when he switched to the PC) and (b) talk to the ATM.

The PC program that serviced the ATM was sophisticated in some ways ... for
example, it changed the "welcome" screen to "out of service" so customers
would not attempt to use the ATM. However, it didn't handle error conditions
which prevented him from cleaning out an ATM in several cases. There were
many other changes to the ATM configuration but basically, he requested a
withdrawal and the PC approved the transaction.

The total loss was never announced but I'm sure it was well over $100,000
because a couple of dozen ATMs were hit. The investigation was turned over to
the Secret Service. So far as I know, no one was charged but one rumor around
the office was they knew who did it but had no proof.

That network installed MAC boards in all their ATMs and is no longer
vulnerable to that form of attack. That was about ten years ago and I don't
know what security features are used in current ATMs. I still see some ATMs
from that era in use and some of them may be vulnerable.

This is off-topic but my favorite "security" story from the banking industry
is low tech:

The thief got a rent-a-cop uniform and a wicker basket. He painted a sign
that said "Out of service. Please use basket". After hours he went to the
night depository at a bank, set the basket on the floor, taped the sign to
the wall and stood there looking official. Supposedly, many people left their
deposits and no one called the police. Told to me by a tech from the company
that makes most night depositories (and ATMs, for that matter). If it's true,
the thief deserves the money for sheer chutzpah. :=)
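
The message above says MAC boards closed off the spoofed-approval attack. As an added example that is not part of the original post, this sketch shows why: a terminal that checks a keyed MAC over each authorization response rejects approvals from anything on the line that lacks the key, and rejects replays of old approvals. HMAC-SHA256, the message layout, the key and all names are assumptions for illustration, not the scheme those boards used.

```python
import hashlib, hmac, struct

# Assumption: HMAC-SHA256 stands in for the MAC hardware; constructed demo key.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _encode(terminal_id, seq, amount_cents, code):
    # Fixed-width fields (22 bytes) so distinct messages never share an encoding.
    return struct.pack(">8sIQ2s", terminal_id.encode(), seq, amount_cents, code.encode())

def host_authorize(key, terminal_id, seq, amount_cents, code="00"):
    """Host side: build a response and append a MAC computed with the shared key."""
    body = _encode(terminal_id, seq, amount_cents, code)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Terminal:
    """ATM side: dispense only on an authentic approval of the pending request."""
    def __init__(self, key, terminal_id):
        self.key, self.terminal_id, self.seq = key, terminal_id, 0
        self.pending = None

    def request(self, amount_cents):
        self.seq += 1                       # fresh sequence number per request
        self.pending = (self.seq, amount_cents)
        return self.seq

    def accept(self, response):
        if self.pending is None or len(response) != 22 + 32:
            return False
        body, tag = response[:22], response[22:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                    # sender does not hold the key
        seq, amount = self.pending
        if body != _encode(self.terminal_id, seq, amount, "00"):
            return False                    # replayed, altered or declined
        self.pending = None
        return True

def demo():
    atm = Terminal(KEY, "ATM00001")
    seq = atm.request(20000)
    genuine = host_authorize(KEY, "ATM00001", seq, 20000)
    forged = host_authorize(b"\x00" * 16, "ATM00001", seq, 20000)  # no real key
    results = {"forged": atm.accept(forged), "genuine": atm.accept(genuine)}
    atm.request(20000)
    results["replay"] = atm.accept(genuine)  # old approval, new sequence number
    return results
```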


