Iris Scanners Allow Access to Bank Accounts Without Pin or Card

We all hear about how we need to keep our accounts safe, but who remembers all their passwords to all their different accounts? Who can say that they haven’t used the same password for several websites before? Even with password managers apparently making passwords redundant according to GCHQ, we still use them for everything from logging into your phone to filing your bank returns. So what about when it comes to your money? A four-digit PIN? Why not use an iris scanner to access your bank account?

Jordan is the first country to deploy iris scanning technology for bank account access. Built with help from the United Nations Refugee Agency (UNHCR), the system lets refugees access their bank accounts without a bank card or PIN. With around 23,000 families using the system to receive aid, the system is working well.

By removing the need for a person to check details before handing out the cash, the UNHCR feels like this is a step in the right direction, giving both the refugees and the UNHCR a feeling of control and freedom. With the hopes that the system could be deployed to all of UNHCR’s current cash assistance programmes, you have to wonder how long before typing in a password becomes a thing you’ll tell your grandchildren about.

Russian Anti-Virus Company Firebombed by Angry VXers

Malware creators have firebombed the offices of an anti-virus company after it refused to delist its reverse engineered analysis of an ATM skimmer. A group calling itself “The Syndicate” sent threatening letters to Dr Web, demanding that it take down the ATM malware exposé, otherwise it would “destroy” the company’s offices.

“You have a week to delete all references about ATM skimmers … otherwise Syndicate will stop cash-out transactions and send criminals for your programmers’ heads,” read the first letter. A follow-up letter added, “If you don’t delete all references about ATM skimmer viruses from your products and all products for ATM (sic), the international carder syndicate will destroy Doctor Web’s offices throughout the world.”

Dr Web refused to bow to terrorism and kept its ATM skimmer article online. Soon after, its St. Petersburg laboratory was firebombed twice. The fire caused minimal damage, but the subsequent water used to quell the blaze was said to have harmed computer systems more.

Dr Web remains defiant. “Dr Web considers its duty to provide users with the ultimate protection against the encroachments of cybercriminals,” the company said in a statement. “Consequently, efforts aimed at identifying and studying ATM threats are in progress as is work to improve Dr Web ATM Shield.”

Thank you The Register for providing us with this information.

Green Dispensing Malware to ATM Machines

A downside of technical innovation lies in the unfortunate ability to hack devices with the aim of stealing information and scamming consumers out of their savings. ATMs are not immune to this threat, and a new breed of malware allows an attacker to drain the ATM’s cash vault before erasing the evidence.

The malware in question is dubbed “Green Dispenser”. It displays an out-of-service message on the ATM, but all is not well: attackers with access to the correct PIN codes can then drain the ATM’s cash vault and erase Green Dispenser using a deep delete process, leaving little if any trace of how the ATM was robbed. Let’s take a look at the deployment and operation process of this greedy piece of malware.

Deployment and Operation

The only way this malware can be installed is via physical access to the machine. It is therefore not possible to walk up to an ATM which is situated in a shop or sunk into a bank wall and attempt to install such code, which raises the possibility of a compromised employee with access to said machines. Green Dispenser has the ability to target “ATM hardware from multiple vendors using the XFS standard. It achieves this by querying for peripheral names from the registry hive before defaulting to hardcoded peripheral names”.

The malware carries a hardcoded run date check: the year must be 2015 and the month earlier than September. This suggests to analysts that Green Dispenser was employed in a limited operation and designed to deactivate itself to avoid detection. As a second layer to hide their activities, the attackers implemented authentication using a hardcoded PIN, followed by a second PIN which is dynamic.

It is believed the attacker derives this second PIN from a QR code displayed on the screen of the infected ATM, which is then scanned by an application on a smartphone. Think of this as similar to logging into your favourite website: you input a password before using a second-factor authentication method to unlock your account. Implementing this method ensures that only a person with the correct authentication can use the malware.

Once the malware is run, it attempts to verify that the month is earlier than September and the current year is 2015; if it finds the year to be, say, 2014, it simply shuts down. If the details are correct, Green Dispenser “creates a second desktop environment on the ATM called ‘dDispW’ and creates a window in the second desktop called ‘Dispenser’”. This is with the aim of overlaying an “Out Of Order” message on the ATM screen; it is worth noting that the message has appeared in Spanish as well as English.

Below is the QR code screenshot. “If the dispense cash option is selected, Green Dispenser attempts to query the registry location “HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=CDM” to find the peripheral name for the cash dispenser. If not found, it defaults to “CurrencyDispener1” which is the cash dispenser peripheral name on specific ATMs. It then makes a call to WFSExecute with the command set to “WFS_CMD_CDM_DISPENSE” and a timeout of 12000 to dispense cash”.

As you can see, it’s a complex piece of malware which aims to offer the option to take as much money as you would like, which is good. (Disclaimer – please don’t take as much money as you want, it may sound good but it is not.) Manufacturers and banks would need to work together to counteract these threats with updated modern security upgrades; if not, expect these methods to become a standard in attacks against machines.
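The behaviours quoted above (the “dDispW” desktop, the “Dispenser” window, the XFS registry lookup and the WFS_CMD_CDM_DISPENSE call) can be turned into a per-process triage rule. The sketch below is an added example, not code from Proofpoint or from the malware; the JSON event schema, the process paths and the allowlist are all constructed assumptions.

```python
import json
from collections import defaultdict

# Registry location quoted in the article, lower-cased for comparison.
XFS_CDM_KEY = r"HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=CDM".lower()
# Hypothetical allowlist: the bank's own ATM application legitimately uses XFS.
ALLOWED_XFS_IMAGES = {r"c:\atm\app\atmapp.exe"}
# Indicators that a legitimate XFS client also produces during normal operation.
XFS_ONLY = {"xfs_cdm_registry_lookup", "cdm_dispense_call"}

# Constructed telemetry, one JSON event per line (the schema is an assumption).
SAMPLE_EVENTS = r'''
{"image": "C:\\ATM\\App\\atmapp.exe", "type": "registry_query", "key": "HKEY_USERS\\.DEFAULT\\XFS\\LOGICAL_SERVICES\\class=CDM"}
{"image": "C:\\ATM\\App\\atmapp.exe", "type": "xfs_execute", "command": "WFS_CMD_CDM_DISPENSE"}
{"image": "C:\\Windows\\Temp\\svc.exe", "type": "desktop_create", "name": "dDispW"}
{"image": "C:\\Windows\\Temp\\svc.exe", "type": "window_create", "desktop": "dDispW", "title": "Dispenser"}
{"image": "C:\\Windows\\Temp\\svc.exe", "type": "registry_query", "key": "HKEY_USERS\\.DEFAULT\\XFS\\LOGICAL_SERVICES\\class=CDM"}
{"image": "C:\\Windows\\Temp\\svc.exe", "type": "xfs_execute", "command": "WFS_CMD_CDM_DISPENSE"}
{"image": "C:\\Tools\\diag.exe", "type": "registry_query", "key": "hkey_users\\.default\\xfs\\logical_services\\class=cdm"}
'''


def indicators(ev):
    """Return the article-derived indicators matched by a single event."""
    kind = ev.get("type")
    if kind == "registry_query" and ev.get("key", "").lower() == XFS_CDM_KEY:
        return {"xfs_cdm_registry_lookup"}
    if kind == "desktop_create" and ev.get("name") == "dDispW":
        return {"second_desktop_dDispW"}
    if (kind == "window_create" and ev.get("desktop") == "dDispW"
            and ev.get("title") == "Dispenser"):
        return {"dispenser_window_on_second_desktop"}
    if kind == "xfs_execute" and ev.get("command") == "WFS_CMD_CDM_DISPENSE":
        return {"cdm_dispense_call"}
    return set()


def triage(lines):
    """Group indicators by process image and grade each process."""
    per_image = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        per_image[ev["image"].lower()] |= indicators(ev)
    findings = {}
    for image, hits in per_image.items():
        # The allowlisted ATM application is expected to touch XFS and dispense.
        if not hits or (image in ALLOWED_XFS_IMAGES and hits <= XFS_ONLY):
            continue
        findings[image] = ("high" if len(hits) >= 2 else "review", sorted(hits))
    return findings


if __name__ == "__main__":
    for image, (severity, hits) in triage(SAMPLE_EVENTS).items():
        print(severity, image, hits)
```

An allowlisted process is still reported if it creates the second desktop or the overlay window, since the ATM application has no reason to do either.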

Thank you proofpoint for providing us with this information.

Image courtesy of hacer

BMW i3 Turn ATM

It’s not every day you hear of a car being made into a mobile ATM. The whole idea of an ATM is to take the human interaction out of getting you money; now you need a driver to deliver money to you.

It is currently being used to roam the streets of Warsaw to aid pedestrians in urgent cash withdrawals via a mobile app. The mobile app sends data to the driver, who then drives to that person to offer the service; today I find that I am never more than 100 meters from an ATM, so this would be pointless, especially in a city environment. The idea could work well for more rural areas where ATMs are few and far between.

I see one serious flaw with this: the BMW i3 isn’t exactly an understated car, and with an ATM and branding all over it, it is sure to get some attention. What if a group of thieves decide they want to make a withdrawal in a lesser part of town? Easy pickings. Yes, the app might be monitored, but how easy could it be to steal a phone, pressure someone to do it for them or even buy a cheap phone with an alias and get it that way?

In all honesty, I’m surprised anyone still uses physical money; the last time I used cash to buy anything was around 6 months ago. How do you think this would end up if it was implemented where you live? Let us know in the comments.

Thieves Attempted to Use An iPod nano to Take Credit Card Information

We’ve all been warned of the many ways thieves can take our card information from ATMs. There are all the elaborate card readers, cameras and other devices that criminals secretly attach to cash machines in an attempt to take our card information. Never have we seen one like this though.

Greater Manchester Police have shared details of a plot by thieves involving an iPod nano taped to the top of a cash machine. The 5th generation of the nano came with a tiny camera on its rear – something the criminals thought would be useful in snatching card numbers as people used the machine.

They taped up the iPod in a small box and attached it to the top of the machine. With the video recording, anyone that used the machine would expose their details to the camera, allowing the thieves to snatch the information.

The iPod in question is now in the possession of Greater Manchester Police and is being used to warn the public about this type of activity.

Source: Engadget

24-Hour Bitcoin ATM Installed in Utah

Online retailer overstock.com has installed a 24-hour Bitcoin ATM at its headquarters in Cottonwood Heights, Utah. Being a virtual currency, actual Bitcoins will not be withdrawable from the machine, but users will be able to convert currency from Bitcoins to US Dollars, and vice-versa.

The ATM, manufactured by CoinOutlet Inc., has bank-grade security and is only one of four such machines operating within the US.

Patrick M. Byrne, CEO of overstock.com, said, “Moving cryptocurrencies out of the realm of geeks and into the realm of the rest of us requires making changes at all levels of the financial ecosystem. An important part of this effort is making it easier for people to convert their digital money to cash, and vice versa.”

The company started accepting Bitcoin as legitimate tender a year ago, and has since made $3 million in sales from the currency. Employees of overstock.com even have the option to be paid in Bitcoin since the installation of the ATM.

Source: KUTV

Bitcoin ATMs Pop Up Around Melbourne, Australia

A few months ago, there was one currency on everyone’s lips – Bitcoin. People were scrambling to make their own Bitcoin mining machines, Reddit users developed their own currency called Dogecoin and our parents and grandparents became more technology-confused than ever before.

Since the hype has died down, I’ve just received reports from a friend of mine that Bitcoin ATMs have just started popping up in the Central CBD of Melbourne, Victoria, Australia. The image you’re looking at above is taken from the famous “Melbourne Central” shopping center and train station, allowing users to exchange, buy and sell Bitcoin all from a handy kiosk located in the middle of the hustle-and-bustle. Unfortunately a higher resolution image became impossible when Facebook Messenger was utilized as the method of communication.

We’ve seen more Bitcoin payment options pop up around the globe, with SpendBitcoins.com being developed solely to support new-age businesses supporting this advancement in technology. Notable companies on this list include NewEgg and Expedia.

Will we see this type of currency make it into the ‘mainstream’ market? It’s really hard to say. But it’s certainly nice to see a ‘global currency’ give it a red hot go. Exchange rates are the bane of any well-traveled business person or backpacker.

Have you seen a Bitcoin ATM around your area? Let us know, we’d love to start tracking them!

Source: TweakTown.

Hackers Want to Make You Play ‘Doom’… on an ATM!

Normally when you hear about hackers and ATMs, you think of someone attempting to steal your credit card details or make the machine spit out some bills. This time, however, it is more fun than drama, since you get to see how a game can be played on an ordinary ATM.

An Australian hacker named Ed Jones, who also goes by the name of Aussie50, has posted a YouTube video which shows him kicking off in ‘Doom’ on the ATM. He reportedly gives some credit to his partner, Julian, who is said to have sorted out “the software, wiring and logic side”.

There are a lot of questions surrounding the achievement, such as where he acquired the actual ATM from or, most commonly, whether we will be able to play games on ATMs in the future. Nobody has those answers at present, but the real question is: Does it matter? No, mainly due to the fact that you don’t get to see this every day. I mean, who doesn’t want to play Doom on an ATM?

https://www.youtube.com/watch?v=PW5ELKTivbE

There have been discussions on Ed’s YouTube channel about turning the PIN pad into a controller and using the side panel to select weapons, as well as about having the receipt printer produce a high-score note to keep after you finish your game session.

When talking about modern games, such as Minecraft for example, Ed pointed out that it is physically impossible to get them running on the ATM, mainly due to the fact that it lacks the performance needed to run them. While he could ‘upgrade’ his customized ATM if he wanted to, that would mean he would have to change just about every OEM component found in the ATM.

“I could upgrade the hell out of it and play modern games, but that defeats the purpose of using all of its OEM (original equipment manufacturer) hardware with minimal modification. It lacks a PCI-E slot, so a subtle video card and RAM upgrade is not possible,” Ed stated.

Ed is reportedly thinking of introducing a coin mech below the card reader, which wouldn’t be such a bad idea. A ‘re-invention’ like this could make old games such as Doom popular again and accessible almost everywhere. This is not Julian and Ed’s first wacky invention. They reportedly made Doom available previously on an LED billboard.

https://www.youtube.com/watch?v=PxIGuMif1Nk&list=UUlSOZJ7swsJqRadXieu1nlQ

Thank you Mashable for providing us with this information

New ATM Skimmer Found in Europe Extremely Difficult to Detect


Cybercriminals are becoming inventive in their methods to compromise companies and users, and that includes using skimmers at ATM machines and point-of-sale terminals.

The European ATM Security Team (EAST) recently noted the drastic rise of mini-skimming technology, which steals data from inside card readers. Traditional ATM skimmers are typically designed to sit on top of existing card slots, so they are easier to locate – but these miniaturized devices are especially problematic.

The device, specifically designed for NCR-made cash machines, pairs a skimmer with a small camera that records customer PIN numbers as entered. It’s unknown what country was impacted, but ATM skimming is becoming a more common practice at banks throughout Europe.

Old skimmers are easier to find, but the new skimmers are miniaturized and can be found in the card reader throat.

Despite the use of chip & PIN technology, which supposedly makes cards harder to duplicate, ATM skimmers remain a significant problem throughout Europe. The United States still hasn’t transitioned to chip & PIN yet, and financial institutions are being pressured to make changes to help better protect customers.

Security experts recommend ATM visitors cover the PIN pad when entering numbers on the keypad.

Thank you to Krebs on Security for providing us with this information

Image courtesy of Krebs

Windows XP Still Installed In 95% Of ATMs Around The World

Bloomberg reports that around 95% of ATMs around the world still run on Microsoft’s 12-year-old operating system, which is going to be discontinued in April. Though update support will still be available until 2015, these ATMs will still be susceptible to a variety of malware and viruses.

Still, ATMs run on a stripped version of Windows XP called “Embedded”, which is said to be less vulnerable to malware. But since we are talking about Microsoft Windows, nothing is that safe, especially with it being discontinued. And we are not talking about an information machine or coffee maker here, ATMs are extremely important devices which contain currency! A few weeks ago we saw a few cash machines infected with viruses with the help of a USB drive. Imagine what an outdated operating system in ATMs will be like to hackers.

More bad news comes from Aravinda Korala, CEO at ATM software provider KAL, who states that he expects only 15% of ATMs in the US to be upgraded by the time Microsoft terminates support for Windows XP. Though Microsoft can sell custom support agreements for devices such as ATMs, the cost can soar quickly, to the extent that it can end up much higher than the price of upgrading them altogether.

The cost to upgrade a single ATM to Windows 7 can range from a few hundred dollars if its hardware is adequate, to thousands of dollars if new components are required, according to Dean Stewart, executive at ATM maker Diebold. Although not all ATMs can be upgraded by the April deadline, they will still be able to operate, only with a greater risk of malware infection than before. However, customer balances are said to be safe under the standard protections banks offer to ATM users against fraud.

Thank you Bloomberg for providing us with this information

Cash Machines Infected With Malicious Software Via USB Drive

A recent presentation at the hacker-themed Chaos Computing Congress in Hamburg, Germany has detailed how several cash machines were infected with software that allowed thieves to withdraw the cash multiple times before being discovered. The machines were vandalised to allow the insertion of a USB flash drive into the underlying computer. The drive then installed software on the system that runs the cash machine, and the hole was patched up so that it wasn’t obvious that the machine had been compromised.

The thieves were then able to return to the machine at any time and enter a 12-digit code. This brought up a special interface that they had installed, which listed the total number of each note, allowing them to extract the most money in the shortest amount of time.

The intrusion was discovered in July after the lender involved noticed that several machines were being emptied, but that their safes were unharmed. Surveillance was increased and the banks discovered the sneaky tactics that were being used. Interestingly, the thieves set up a system to prevent them betraying each other (by returning to the machine alone). This involved a second prompt that required the user to phone another member of their gang, who would give them the decrypt code based on the numbers displayed on the cash machine.

Despite their efforts, extensive knowledge of the ATM hardware and software, and the great lengths they went to to disguise the hardware intrusion, they still named the file they installed on the system “hack.bat”, which obviously stood out from the usual file names.

Thank you BBC for providing us with this information.

Google Announces The Availability Of Google Wallet Debit Cards

It looks like the Google Wallet Card has been officially released. The prepaid debit card lets Google Wallet users make payments with their Wallet balance at ATMs, banks, and any business that accepts MasterCard Debit. You can request your own card as long as you’ve verified your identity, and Google says it should arrive within 10 to 12 days. Shipping is free, and there are no activation fees to get started with the card. From there, the Google Wallet Card can be used for purchases both online and in physical stores just like any other debit card, and you’re also able to withdraw cash from ATMs nationwide.

Your Wallet security PIN doubles as the debit card’s PIN when buying things, and Google has set a maximum daily spending limit of $5,000. The Google Wallet Card was rumored to arrive earlier this year, but reports say that the project was put on hold by CEO Larry Page.

Thank you The Verge for providing us with this information
Images courtesy of The41st

New Malware Targeting ATMs of Major U.S. Banks

A new piece of malware called “Dump Memory Grabber” has been found collecting credit/debit card information from ATM and point-of-sale systems of major U.S. banks.

The malware was reported by a Russian-based security company called “Group IB”, and it seems that its author is affiliated with a Russian-based cyber crime gang. The security company pointed out that the malware has already stolen data from multiple credit and debit cards issued by major U.S. banks such as Chase, Capital One, Citibank and Union Bank of California. Currently Group IB has been working closely with VISA, U.S. banks and U.S. law enforcement agents by sharing its findings about the Dump Memory Grabber malware.

The “Dump Memory Grabber” malware collects and transfers Track 1 and Track 2 data, which are encoded into the magnetic stripe of credit/debit cards. This information includes first and last name, expiration and the bank account number. With this information, one can create a cloned physical debit card.

The malware is written in C++ without any additional libraries. It adds itself to the system’s registry and runs automatically whenever the system is on. The malware then creates a txt file which contains memory dumps and stolen data, which is then transferred to a remote server via FTP. It was found to be Russian-based, as the IP address of the remote server originates from a Russian-based ISP called “Selectel”, and it was associated with the domain name “CISLAB”, which is a Russian company.

Boston’s Blanchard’s Liquors was also found to have had its POS affected by malware over the weekend, with reports of some customers being charged for no reason. After notifying its other customers, it took down its credit card machines. It’s not clear if it was affected by the same malware.

Andrey Komarov, CTO of CERT-GIB, who is affiliated with Group IB, pointed out that they have also found one of the C&C (Command and Control) servers, but many POS systems and ATMs were infected, and the issue is currently under investigation.
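Because the stolen data is staged in a plain text file before it leaves over FTP, a content check on files queued for outbound transfer can catch it. The scanner below is an added example, not code from Group IB or from the malware: it looks for the ISO/IEC 7813 Track 1 and Track 2 layouts, filters candidates with the Luhn checksum, and reports only masked card numbers. The sample buffer and its test card numbers are constructed.

```python
import re

# ISO/IEC 7813 layouts:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK_PATTERNS = {
    1: re.compile(rb"%B(?P<pan>\d{12,19})\^[^^?]{2,26}\^(?P<exp>\d{4})\d{3}[^?]{0,60}\?"),
    2: re.compile(rb";(?P<pan>\d{12,19})=(?P<exp>\d{4})\d{3}\d{0,20}\?"),
}

# Constructed sample resembling a memory dump written to a text file.
SAMPLE_DUMP = (
    b"\x00\x13heap%B4111111111111111^DOE/JANE^25121010000000000?\x00\x00"
    b"POST /pay;5555555555554444=25121010000000000?\xff\xfe"
    b"ref=;4111111111111112=25121010000000?"  # look-alike that fails Luhn
)


def luhn_ok(pan):
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits so reports hold no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(data):
    """Return masked findings for Luhn-valid Track 1/Track 2 records in data."""
    findings = []
    for track, pattern in TRACK_PATTERNS.items():
        for m in pattern.finditer(data):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue  # random digit runs rarely pass the checksum
            findings.append({
                "offset": m.start(),
                "track": track,
                "pan": mask(pan),
                "expiry_yymm": m.group("exp").decode("ascii"),
            })
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_DUMP):
        print(finding)
```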

Source: Security Week