Texting ATMs For Cash?
ATMs running Windows XP can be controlled remotely by hackers with smartphones, according to a top Internet security firm. Just send the right text message to an ATM and it will start spewing cash. An estimated 80 percent of U. S. ATMs are still running XP, so should we worry? Here's the story...
ATMs Running Windows XP
If you've been reading my stuff for a while, you know I have an offbeat sense of humor. Last year on April 1st, I published a spoof titled ALERT: Internet Taxes Due Today! which ruffled a few feathers.
But today's article is no April Fools joke. At least, the folks behind the alarming headlines didn't mean it that way. Let me explain...
By now, everyone concerned knows that all support for Windows XP will end on April 8, 2014. That means no more security patches, leaving stubborn XP users increasingly vulnerable to hackers and malware as new holes in the ancient operating system are discovered. Microsoft and the media have done all they can to warn XP users. I've published my advice about XP's demise in Windows XP: Game Over.
But there’s one XP user you probably can’t avoid: your local automated teller machine (ATM). Now, just days before the end of XP security patches, the press is getting around to milking this prime source of FUD (Fear, Uncertainty, and Doubt) for a few last page-views.
It is true that about that 80 percent of ATMs in the USA are are running XP. It's also true that Symantec, maker of the popular Norton Internet Security products, published a blog post on March 24th entitled, Texting ATMs for Cash Shows Cybercriminals’ Increasing Sophistication.
It's also true that a ZDNet reporter picked up the story, tying the scare to the impending death of XP. "With the end of Windows XP support looming, ATMs worldwide are left vulnerable -- and cyberattackers are taking advantage of the fact." (Why does ZDNet, a technology news website, have someone who is a "medical anthropologist and freelance photographer" writing about computer security, anyway?)
Can a Text Message Really Make an ATM Spew Cash?
The gist of the story is that a variant of a hack known as Backdoor.Ploutus enables crooks to send a text message to an ATM that forces it to spew cash. Symantec blithely says, “It may seem incredible but this technique is being used in a number of places across the world at this time.” Upon reading that, I thought “Well, yes, it does seem incredible. Name one of the places where it’s happened, please.”
But the blog post just ignored me, moving quickly to another incredible statement: “The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM.” Hmmm… “And how does the criminal get his phone inside of the ATM?” I wondered.
“There are multiple ways to connect a mobile phone to an ATM,” Symantec assured me. For the rest of the blog post, it was assumed that the crook plugged his phone into an ATM’s USB port. You’ve never seen a USB port on an ATM, have you? That’s because the USB port is locked inside of the ATM. How a crook gets access to it is left to the reader’s imagination, which Symantec is busy enflaming.
The post is long and dense, full of technical, geeky details that lend it authority. There’s even an entertaining video of an ATM being forced to spew cash… in Symantec’s lab. But critical details like, “How, exactly, does a crook pull this off?” are omitted. Symantec just assumes the cybercrooks are all-powerful evil geniuses and the bankers who operate ATMs are hapless idiots.
The post concludes with recommendations for protecting ATMs, about half of which involve buying Symantec products. The rest assume that ATM manufacturers and owners are idiots who don’t already provide physical security for ATMS, including video surveillance; lock down the ATM’s BIOS so that USB sticks cannot be used to boot them; or encrypt their ATMs’ hard drives.
But Wait, There's Less!
Oh, and the really important point that Symantec and ZDNet both missed is this: The "embedded" versions of Windows XP that run inside ATMs are supported by Microsoft through the end of 2016! So while it *IS* important that people using XP take steps to move to a more modern and secure platform, there's just no reason to believe that masked men with smartphones are roaming the streets, gleefully scooping up cash from ATM machines.
While I am perfectly willing to believe that some bankers are idiots, I don’t see any text-message ATM fraud happening in the real world. It's just too easy to hook up a big chain to the ATM, and drag it off with a pickup truck. Which actually does happen on occasion.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 1 Apr 2014
|For Fun: Buy Bob a Snickers.
Free Online Backup and Software Options
The Top Twenty
Geekly Update - 02 April 2014
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Texting ATMs For Cash? (Posted: 1 Apr 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved