Windows-based ATM machine hacked, gets Painted
By Darren Murph 
posted February 25th 2007 9:05PM
posted February 25th 2007 9:05PM
[Via Digg]
posted February 25th 2007 9:05PM
A look back on popular stories from today in a specific year.
Now that we've thrown 'em off the trail, use the form below to get in touch with the people at Engadget. Please fill in all of the required fields because they're required.
What kind of dumb bank uses an atm based on windows?!
they are just BEGGING for problems.
Just as bad, the Commerce banks here in downtown Philly use Windows 98 for their bankers' workstations. They often leave the computers on in plain sight when you walk by the window afterhours.
That just seems like it's asking for trouble (hopefully they don't use WiFi as well)
US Bank for one. If it wasn't for the fact that I have about 6 accounts here I would go somewhere else. Windows\Mac\Linux. I don't give a crap who it is. I want ATM's to run a proprietary OS that isn't documented up the ass in the hacker world. I'm not advocating security by obscurity but damn it, you don't have to have your pants dropped for all the world to see. What this boils down to is the fact that a bank doesn't want to spend the time, effort, or money to code and integrate a proprietary OS into their network. Lazy cheap asses.
The Automated Teller Machine Machine?
You talking about the one on Walnut on the first floor of the Rittenhouse Claridge?
what's worse, they were apparently hacked by some sort of pokemon lover
I'll take my Windows hackers however they come, thank you.
Chris
Keep in mnd that Mew is also an amazing band...not just a pocket monster.
yes it may be many other things, but we all know, deep in our hearts, that it's a pokemon ;)
Anyway, that's awesome. If I was able to hack into it, I would make it so the home screen is normal, but when you press something it shows a funny picture of some sort...
perhaps something like this:
http://www.explosm.net/merch/images/ch_lolfag.jpg
Actually, I believe this is just a ticket retrieval machine. It is located at a Regal operated theater in Santa Cruz, California. I'll check it out tonight because I'm going to see Reno 911.
Yep, it totally is just for buying tickets. No cash in this thing.
That's at cinema 9!? Wow, i'm going to have to go play with that soon! Hehe, i love local hacks from worldwide web pages. :)
-Taylor
does anybody else remember that almost all atms are videotaped? i have a feeling that the bank is the one who will be doing the pwning.
This is true, but the camera in the ATM is only activated when someone inserts their card. They don't record 24/7. If someone were to "hack" into one, I seriously doubt that they would need an ATM card to do so.
What do you mean hacked? How is it possible when your input is limited? The ATM input is the card and keyboard, the card reader reads within limited range, if your data on the magnetic strip does checksum then bam, rejected. The keyboard input is limited also. The machine should be wifi-ed at all and the backend should have a security process, in batches before its sent to the main system. The bank can on their end add graphics, menus, whatnot to their liking.
Start->Programs->Accessories->Accessibility->On Screen Keyboard
So you can type just fine, but you are correct, there would most certainly be a lot more back-end security.
Absolutely SHOTT3R. They've got to do a better job with these automated ATM machines. They make such a big deal out of picking a personalized PIN number, then they drop the ball.
Automated ATM Machines?
Isn't that a bit redundant.
Look at the picture seriously... That is NOT an ATM no matter how much you wish it was so you could laugh saying "windows powered ATM's how insecure, they should run linux!!"
Look at the output, looks like a ticket system of some sort.
Anyways, the big question is really how the picture was drawn, there is no input system besides a keypad so either it was an inside job (member of staff opened it up, perhaps a debug kit was used to connect mouse and keyboard) or someone really clever managed to somehow get that image on a somewhat closed system..
Anyways, I usually love Engadget for its quality news, this is just a bad attempt by an uneducated team member to attack "Windows" yet they dont even know what an ATM means.
Actually... it looks like a touch-screen which would explain why the letters look like they were drawn with finger paint.
The other non bank managed atms, some are hooked into a system that uses satellite transmitions. They are supposed to have encrypted transmitions. Still, the chips on board are supposed to limit the type of input data it'll process.
Yeah, this was probably just set up. If by some crazy chance a customer managed to put in the debug code, they might have used the touchscreen to draw that picture. A lot of ATMs have touchscreens now. And above all, if someone managed to get into Windows, it's not like there's a program on there that says "FREE CASH FOR HAXXORZ." Any sensitive information wouldn't be stored directly on the ATM.
LOL @ "what's worse, they were apparently hacked by some sort of pokemon lover"
True, I was thinking the same thing. "Mew", the ultra-rare Pokemon monster in the game/card series comes to mind.
Also - "Keep in mnd that Mew is also an amazing band...not just a pocket monster."
Never heard of "Mew" the band, but even if it was, the Pokemon version is much more well known.
Believe it or not, Bank of America uses Windows NT 4.0, Windows 2000, and Windows XP on most of their ATMs. However, they are locked down to the bare minimum and it’s only able to run their software and nothing else. My wife used to do security work at The Bank of New York at one of their data centers in NJ. Lot’s of NT machines and AS/400’s
Majority, if not all atms run nt/xp. They used to all be os2 though...
Doesn't MS sell stripped down features of Windows for machines like this? I mean, isn't the purpose of Windows CE so you can avoid this problem?
This is what I ran into a couple of weeks ago in my home city, Amsterdam.
http://troep.pith.us/DSC00080.jpg
I'm not that experienced with Windows, but it looks like Windows 95 to me.
I'll take your word for it Jesse and everyone else who are familiar with this machine:
H-O-A-X...
Slow news day.
Misleading headline. It never mentions anything about any hacking going on in the actual context. What is up with that? The machine was NEVER hacked! So why would you put that in the title to bash windows? It clearly states on the original reference page that "There was some cheap ATM machine touch screen thing at Cinema 9, but it was blank cept for a gray line at the bottom.". So when the machine booted up, the ATM software probably was not loaded properly and the windows interface was exposed. It is probably a movie-ticket ATM and not a real bank ATM anyhow. Yes, those are called ATMs as well.
I was at the local Loews cinema the other day and two of the ticket machines were down with some kind of error msgs showing. When they rebooted them, a windows xp logo appeared. They were running WinXP with the movie ticket software running coded in Java. It was that program that had failed (printer was out of paper and hence the software failed to load). Anyways, my point being, dont always bash windows, its not their fault for whatever software you put on the machine.
Bank ATMs do not run windows, as they run their own whatever-bank-OS-like-software. This is a pretty useless news post.
Not true. My local bank ATM runs Windows - I tried to get some cash out one day and the damned thing rebooted on me and stole my card. Natwest, in Mold, North Wales.
Yup. That's the one.
Their computer screens even face Walnut Street in plain sight (vagrants sleep in the ATM lobby after-hours so apparently nobody pays attention to the bank).
From the report, it sounded like someone happened upon a app-crashed system with an exposed start menu, and loaded up MSPaint. No hacking was really suggested.
I've seen a few crashed ATM machines. I even have a picture of one auto-rebooting after a BSOD - it cycled through the Win2K splash screen and then error'd out :P
http://img149.imageshack.us/img149/4301/dsc1973by2.jpg
this is got to be funniest shit from this site I've ever see
Windows 95 is still used by some banks here in Ireland.
Many ATMs are Windows based, everybody that had one crash on them can confirm that. I had several crash on me on various occasions. Once it happened when I was on holiday and it ate my CC. I was really lucky to have a second card at hand. It just shows how much the banks really care for their customers' data/card safety.
Whatever machine it is it could have been running Windows XP Embedded, although that flavor is supposed to be pretty robust.
My local bank still uses Windows 95, and it's a major bank. (Rhymes with Tommerce)
Actually, at least on Diebold ATMs, the camera does indeed record 24/7.
LMAO.
Wow... if this really is an ATM, the company in charge of developing the software that runs over Windows doesn't know what they are doing. If the UI runs over Windows, there are ways to specify your shell to be that specific application and to restart the application in case it gets closed somehow. Also, if you use Windows embedded, you can specify the exact modules of the OS you want loaded on the machine, so there is no need to have Paint in there.
Definitely, an amateurs job (in regards of the original application running on that device).
god you're slow. Try reading the reference post and see that it is a joke.
Yes, this is definitely a movie ticket machine, not an ATM.
Interesting side note however, the automated check-out machines at all wal-mart stores use windows XP Pro, im pretty sure its embedded though.
And sometimes the machines that the cell phone salesbooths run on windows 2000 embedded.
We used to mess around on them when I worked there.
Lol, I know that one well. I've decided not to walk into the vestibule a few times because a homeless guy was standing inside (probably nothing to worry about of course, but man, it is supposed to be a bank).
I wonder if the flute-lady still sits outside playing.
Commerce bank is pretty sweet though - free Coinstars, open 7-days a week. Wish we had it back here in California!
Actually, it doesn't even always take much "hacking", sometimes a bit of chance is all that's needed. One time I went to my local AmSouth ATM inside a food court to withdraw some cash, the machine was sitting wide open booted to the Windows desktop, with a keyboard and mouse tray + mouse pulled out, and nobody in sight. The guy apparently went back to his truck for some reason, or perhaps took a potty break, without bothering to lock the thing back up. I was very tempted to launch Solitaire and leave it running to freak him out, but someone with more nefarious intentions could have fairly easily plugged in a USB Wifi dongle and launched a VNC server to get back in at their leisure. If I had taken a picture of the scene, I'm pretty sure I could have gotten the guy fired.
This machine doesn't look like it prints reciepts, it would have slots for both cash and receipts if it was an ATM. I agree with the earlier post that this is probably an automated ticket seller at a movie theater, with that the ticket stub is the receipt.
Ha ha... Freakin hilarious. They're lucky it wasn't something worse...
SHOTT3R,
RE: The Automated Teller Machine Machine. Another good one is ordering your food: "With Au-Jus Sauce." It's the same as saying "With With Juice Sauce."
My mom used to work at the IT department for a bank in B.C for many years i told her this and she wasn't surprised. She actually said "I was wondering when it would happen, If you knew how simple these machines you'd be suprised."
The actual blog post
It was really only meant to be funny, not 0mgHax0r. You know, one of those Oh hey look! I'm gonna play with this!
Oops.
http://melissatogo.blogspot.com/2007/02/multimedia-message.html
There.