May 25, 2012 - 05:16 PM EDT — AAPL: 562.29 (-3.03, -0.54%) | NASDAQ: 2837.53 (-1.85, -0.07%)

Hackers attack Microsoft Windows-based ATM network; steal PIN codes and net millions

Wednesday, July 2, 2008 · 2:53 pm · 41 Comments

“Hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record,” Jordan Robertson reports for The Associated Press.

“The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals,” Robertson reports.

“The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem,” Robertson reports.

“Hackers are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet,” Robertson reports.

“A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn’t been answered publicly,” Robertson reports. “All that’s known is they broke into the ATM network through a server at a third-party processor, which means they probably didn’t have to touch the ATMs at all to pull off the heist.”

Full article here.

[Thanks to MacDailyNews Reader "HMCIV" for the heads up.]

ATM IT Doofus #1: “Let’s make an ATM network based on the world’s most insecure OS, okay?” ATM IT Doofus #2: “Sounds like a plan!”

— — —

Peter explained, “Um, the 7-Eleven, right? You take a penny from the tray.”

Joanna asked, “From the crippled children?”

Peter replied, “No, that’s the jar. I’m talking about the tray, the pennies for everybody.”

Later…

Joanna, “You’re just this penny-stealing… wanna-be criminal… man.”

Peter, “Yeah, well, that may be. But at least I never slept with Lumbergh.”

Categories: All Sites, News

Thank You for supporting MacDailyNews!

♥ Adobe Photoshop CS6 Extended for Mac - Student and Teacher Edition DVD (65171323) only $249!
♥ Blowout: Apple 15.4" MacBook Pro i7/4Core/2.0GHz/4GB/500GB (MC721LL/A) only $1,549.99 + Free Shipping from MacMall
♥ Mac Madness Save 25% on Parallels Desktop 7!
♥ 15% Off Compatible Ink. 10% Off All Others (excludes OEMs). Free Shipping over $55. Coupon: 123BLOSSOM, Expires 6.18.12
♥ Save up to 60% at the Hammacher Schlemmer Special Values Sale-While supplies last.
♥ Dragon Dictate for Mac 2.5 - New! Simply Smarter Speech Recognition
♥ Up to 30% OFF Accessories from Verizon Wireless
♥ Limited Time Offer: Get free ZAGGsmartbuds when you buy a ZAGGsparq!

Comment Feed

41 Comments

« Previous 1 2 3 Next »

Predrag

Wednesday, July 2, 2008 - 4:31 pm · Reply

For many years, ATMs (and, in NYC, MetroCard vending machines for the NY subway system) used to run OS/2. If you haven’t heard of it, this was IBM’s rock-solid desktop and server OS. Much better, more stable and secure than Windows NT (and subsequently, 2000). IBM officially abandoned development in 2001; yet many banks are still using it in their ATMs, especially in Europe. I have never ever seen an screen error message on an OS/2 ATM. In my neighbourhood, there are many banks with ATMs. Several have moved ATMs to Windows. How do I know? I oftentimes see a Windows error message on the screen (with ‘OK’ to continue).

These people should better bring back the old OS/2. It just worked.
Cubert

Wednesday, July 2, 2008 - 4:47 pm · Reply

GD!!! I was going to send MDN this link this morning but couldn’t find an article that definitely linked to flaw to Winblows.

GD!!!
Cubert

Wednesday, July 2, 2008 - 4:54 pm · Reply

Another Winblows Sucks Story:
The computers at the 4 site clinic system that I work at were hosed last week by a virus that got into the server system and started chewing things up. Not good when you use an electronic medical record and not a paper chart in sight!
jarrettdailynews

Wednesday, July 2, 2008 - 4:59 pm · Reply

Dave, you are an idiot…
G4Dualie

Wednesday, July 2, 2008 - 5:20 pm · Reply

If hackers can figure this out why can’t Microsoft? !!
mr_matalino

Wednesday, July 2, 2008 - 5:41 pm · Reply

@Dave

“Apple is no different. It was super easy to hack the iPhone which is based on OSX”

Night and day difference. Night and day…
TwoCents

Wednesday, July 2, 2008 - 6:16 pm · Reply

If someone thinks OSX is just as vulnerable as Windows, consider that it isn’t just the OS we have to worry about. In my opinion, it’s the code hackers out there who grew up working with Windows, cut their teeth on Windows and the wide availability of exploitable flaws (especially in the hacker community) that pose a greater threat than the OS being used. By this I mean, as long as the enterprise (and we know Apple does nothing to push OSX in the enterprise) continues to use Windows, there will be individuals and criminal organizations that throw money at hackers to hijack windows OS’s. So as long as MS maintains the huge enterprise market share it has, it will be the OS with the biggest bulls-eye on it.

I have many friends who are very sharp at coding for Windows who haven’t near the ability for OSX if at all… and funny thing is, they all have the same attitude, why target OSX when there are more Windows machines available to hijack?
demenas

Wednesday, July 2, 2008 - 7:09 pm · Reply

If you read the article it doesn’t say how they broke into the network, nor if that was a Windows machine. They might have just guessed a poor password.
@two cents

Wednesday, July 2, 2008 - 7:14 pm · Reply

I agree. MDN, your takes sucks. If 90%+ of the world used an OS worth hacking into, they would be doing it to whatever it is.

So as you cheer for increased market share, cheer for increased hacking and viruses as well…
shen

Wednesday, July 2, 2008 - 10:41 pm · Reply

not to be the party popper here, but I have been looking into this all day now, and there seems to be no proof yet that windows had any part in the break in. They are just not releasing the data. The only ones saying it is a windows hole are pundits, and they have yet to show any facts.

Don’t get me wrong, building a “secure” system on windows is an oxymoron, but it might yet turn out that they got in another way.

Kinda like when the cops show up after a break in and note that the doors where not locked. OK, but the crooks may have not known, and instead come in the open window……
macbones

Wednesday, July 2, 2008 - 11:35 pm · Reply

hmm. Well, I wonder if Apple would be willing to license OSX for atms?
richb

Thursday, July 3, 2008 - 1:33 am · Reply

most of the atm’s around here still run OS/2. unfortunately banks are very big users of windows. Bad idea. Doesn’t look like that will change anytime soon either.
Ade Clarke

Thursday, July 3, 2008 - 3:48 am · Reply

mumble, mumble, mumble… stupid Windows… mumble, mumble… set the building on fire…
John C. Randolph

Thursday, July 3, 2008 - 3:56 am · Reply

I wonder if Apple would be willing to license OSX for atms?

Not likely, and there’s not much point to it. Anyone who wants to write a secure ATM application has any number of decent choices, from vendors who specialize in embedded operating systems.

Basing an ATM on windows is sheer laziness.

-jcr
Andy

Thursday, July 3, 2008 - 4:33 am · Reply

The ‘increased marketshare means you’ll get picked on, too!’ mantra isn’t actually true. The reason being that OS X is built from the ground up with security in mind, whereas Windows is a patchwork of ‘good enough’ fixes. The other factor? Only the user can explicitly authorize changes on an OS X system, and possibly won’t even have the permission to alter the system root itself.

On Windows, going by my experience on XP, routinely altered the system whether installing software, or downloading stuff from the ‘Net. Windows allowed anyone open door access into my computer, even with the supposedly firewall features and what have you working!

Why yes, sure, there will be hackers who try to break into OS X if only for the challenge, but they actually have to hoodwink the USER first! And yes I know AirPort and Safari, and even Quicktime have been ‘broken into’ – but, none of those hacks altered the registry, or even took control of the system.

And not only that, but barely days after those exploits? Apple patched them up!
Quebuenoestaesto

Thursday, July 3, 2008 - 7:38 am · Reply

A few years back Apple showed the cluster that Visa and Master Card uses and it runs OsX. So far no break ins.
ken1w

Thursday, July 3, 2008 - 8:31 am · Reply

There goes a few more morons spouting off about the market share myth again. Hackers target Windows because its easy. Criminals are lazy. They go after the low hanging fruit, and that fruit is not Apple. As long as there are profitable ways to exploit Windows, why bother with trying to hack Unix-based Mac OS X.

Even if Apple’s OS market share grew to 50%, hackers will still target Windows. BECAUSE WINDOWS IS EASY and MAC OS X IS HARD
NCIceman

Thursday, July 3, 2008 - 10:43 am · Reply

Most of the medical software out there is running on windows too. Take a good look at those terminals in every hospital room nowadays. Scary…
derekcurrie

Thursday, July 3, 2008 - 2:11 pm · Reply

Andy sez: “… And yes I know AirPort and Safari, and even Quicktime have been ‘broken into’ – but, none of those hacks altered the registry, or even took control of the system.”

Indeed. But one correction: Mac OS X does not have, in fact no version of UNIX has, a ‘registry’. That bad idea is entirely Microsoft’s responsibility.

My very favorite quote from Bill Gates is:

“Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.”
– Bill Gates talking to NewsWeek magazine January 2007

In fact the exact opposite is the case. No Mac has ever been zombied. (Please don’t bother quoting lies to the contrary). Meanwhile Windows boxes are zombied hundreds if not thousands of times a day. What wacky thing will Big Brother Bill say next?! Thus Bill Gates is retiring.

Nonetheless there have been plenty of vulnerabilities found in Mac OS X and related technologies. The most insecure Apple technology has turned out to be QuickTime. But Apple have been diligent repairing it.

There are yearly attempts to crack Macs as well as PCs at various white and black hat meetings and conventions. The Mac has been broken into twice at such events. But never was it possible to take over the operating system. And both successful break-ins required the ASSISTANCE of someone with a user account on the Mac. These break-ins were of course not credible indictments of Mac security. One unconfirmed other break-in occurred, or so the tale is told, using a third party WiFi card with drivers installed in a PCMCIA slot on a Mac OS X PowerBook. Controversy remains as to whether this actually happened. But the general consensus is that it did; however, the security fault is blamed on the third party software driver. Nonetheless, security vulnerabilities were found and patched in Apple’s own Airport driver. Again, no take over of the Mac was found to be possible.
derekcurrie

Thursday, July 3, 2008 - 2:21 pm · Reply

macbones sez: “I wonder if Apple would be willing to license OSX for atms?”

It is certainly possible. But Darwin, the CLI core of Mac OS X, is Open Source. Anyone can use it for free in any computer device. It is hardware platform independent with relatively minor tweaks to the OS kernel. You have to DIY the GUI however. Apple won’t ever by licensing that. (And this is not the make fruitless arguments to the contrary).

The most secure operating systems available are well known to be OpenBSD and FreeBSD (upon which Darwin and Mac OS X are based). They are also Open Source and have free GUIs available.

But these days there has been a lot more experience using Linux for such purposes, and it also has free GUIs. Linux has a very good security record. (No, not better than BSD UNIX, including Mac OS X. Sorry).