Windows-based ATM machine hacked, gets Painted
Although we wouldn't expect to find the latest release of Photoshop on your neighborhood ATM, it's not so far-fetched to think that Paint would be left on a Windows-based ATM. We've seen a boost in cash machine hacking of late, and while this latest attempt doesn't siphon illegal coinage out of the slot, it does make for quite a laugh. Joining the pitiful array of other Windows-powered mishaps, a sharp cameraphone-toting individual spotted a local ATM that had a beautifully hand-crafted Paint message on the front screen in place of the typical "Insert your card to begin transaction," and while we've already said too much about a picture that speaks a million words, be sure to click on through to see how accessing an ATM's start menu can lead to all sorts of mischievous mayhem.
[Via Digg]


Reader Comments (Page 1 of 1)
Mainframe @ Feb 25th 2007 9:13PM
What kind of dumb bank uses an atm based on windows?!
they are just BEGGING for problems.
Reginald @ Feb 25th 2007 9:23PM
Just as bad, the Commerce banks here in downtown Philly use Windows 98 for their bankers' workstations. They often leave the computers on in plain sight when you walk by the window after hours.
That just seems like it's asking for trouble (hopefully they don't use WiFi as well)
John Doe @ Feb 25th 2007 11:36PM
US Bank for one. If it wasn't for the fact that I have about 6 accounts here I would go somewhere else. Windows\Mac\Linux. I don't give a crap who it is. I want ATM's to run a proprietary OS that isn't documented up the ass in the hacker world. I'm not advocating security by obscurity but damn it, you don't have to have your pants dropped for all the world to see. What this boils down to is the fact that a bank doesn't want to spend the time, effort, or money to code and integrate a proprietary OS into their network. Lazy cheap asses.
SHOTT3R @ Feb 25th 2007 9:20PM
The Automated Teller Machine Machine?
Foof @ Feb 26th 2007 3:27AM
You talking about the one on Walnut on the first floor of the Rittenhouse Claridge?
ryan @ Feb 25th 2007 9:25PM
what's worse, they were apparently hacked by some sort of pokemon lover
Chris M @ Feb 25th 2007 9:30PM
I'll take my Windows hackers however they come, thank you.
Chris
Jesse @ Feb 25th 2007 9:41PM
Actually, I believe this is just a ticket retrieval machine. It is located at a Regal operated theater in Santa Cruz, California. I'll check it out tonight because I'm going to see Reno 911.
Jesse @ Feb 26th 2007 3:06AM
Yep, it totally is just for buying tickets. No cash in this thing.
Taylor @ Feb 26th 2007 4:18AM
That's at cinema 9!? Wow, i'm going to have to go play with that soon! Hehe, i love local hacks from worldwide web pages. :)
-Taylor
Nick @ Feb 25th 2007 9:43PM
Keep in mind that Mew is also an amazing band...not just a pocket monster.
2Perfect @ Feb 25th 2007 11:17PM
yes it may be many other things, but we all know, deep in our hearts, that it's a pokemon ;)
Anyway, that's awesome. If I was able to hack into it, I would make it so the home screen is normal, but when you press something it shows a funny picture of some sort...
perhaps something like this:
http://www.explosm.net/merch/images/ch_lolfag.jpg
a ham sandwich @ Feb 25th 2007 9:48PM
does anybody else remember that almost all atms are videotaped? i have a feeling that the bank is the one who will be doing the pwning.
D.B. @ Feb 25th 2007 10:20PM
This is true, but the camera in the ATM is only activated when someone inserts their card. They don't record 24/7. If someone were to "hack" into one, I seriously doubt that they would need an ATM card to do so.
Me @ Feb 25th 2007 9:54PM
What do you mean hacked? How is it possible when your input is limited? The ATM input is the card and keyboard, the card reader reads within limited range, if your data on the magnetic strip does checksum then bam, rejected. The keyboard input is limited also. The machine should be wifi-ed at all and the backend should have a security process, in batches before its sent to the main system. The bank can on their end add graphics, menus, whatnot to their liking.
kamokazi @ Feb 25th 2007 10:31PM
Start->Programs->Accessories->Accessibility->On Screen Keyboard
So you can type just fine, but you are correct, there would most certainly be a lot more back-end security.
Jake @ Feb 25th 2007 9:55PM
Absolutely SHOTT3R. They've got to do a better job with these automated ATM machines. They make such a big deal out of picking a personalized PIN number, then they drop the ball.
Daniel @ Feb 26th 2007 11:28AM
Automated ATM Machines?
Isn't that a bit redundant.
OKThen @ Feb 25th 2007 10:04PM
The other non-bank-managed ATMs, some are hooked into a system that uses satellite transmissions. They are supposed to have encrypted transmissions. Still, the chips on board are supposed to limit the type of input data it'll process.
Nimrod @ Feb 25th 2007 10:05PM
Look at the picture seriously... That is NOT an ATM no matter how much you wish it was so you could laugh saying "windows powered ATM's how insecure, they should run linux!!"
Look at the output, looks like a ticket system of some sort.
Anyways, the big question is really how the picture was drawn, there is no input system besides a keypad so either it was an inside job (member of staff opened it up, perhaps a debug kit was used to connect mouse and keyboard) or someone really clever managed to somehow get that image on a somewhat closed system..
Anyways, I usually love Engadget for its quality news, this is just a bad attempt by an uneducated team member to attack "Windows" yet they don't even know what an ATM means.
Ricky @ Feb 25th 2007 10:15PM
Actually... it looks like a touch-screen which would explain why the letters look like they were drawn with finger paint.
Dave @ Feb 25th 2007 10:15PM
Yeah, this was probably just set up. If by some crazy chance a customer managed to put in the debug code, they might have used the touchscreen to draw that picture. A lot of ATMs have touchscreens now. And above all, if someone managed to get into Windows, it's not like there's a program on there that says "FREE CASH FOR HAXXORZ." Any sensitive information wouldn't be stored directly on the ATM.
LiQuiD_FuSioN @ Feb 25th 2007 10:28PM
LOL @ "what's worse, they were apparently hacked by some sort of pokemon lover"
True, I was thinking the same thing. "Mew", the ultra-rare Pokemon monster in the game/card series comes to mind.
Also - "Keep in mnd that Mew is also an amazing band...not just a pocket monster."
Never heard of "Mew" the band, but even if it was, the Pokemon version is much more well known.
Scott S @ Feb 26th 2007 12:28AM
Believe it or not, Bank of America uses Windows NT 4.0, Windows 2000, and Windows XP on most of their ATMs. However, they are locked down to the bare minimum and it's only able to run their software and nothing else. My wife used to do security work at The Bank of New York at one of their data centers in NJ. Lots of NT machines and AS/400s.
grub @ Feb 26th 2007 1:16AM
Majority, if not all atms run nt/xp. They used to all be os2 though...
Andrew Fong @ Feb 26th 2007 1:57AM
Doesn't MS sell stripped down features of Windows for machines like this? I mean, isn't the purpose of Windows CE so you can avoid this problem?
mark @ Feb 26th 2007 2:56AM
This is what I ran into a couple of weeks ago in my home city, Amsterdam.
http://troep.pith.us/DSC00080.jpg
I'm not that experienced with Windows, but it looks like Windows 95 to me.
Will @ Feb 26th 2007 3:21AM
I'll take your word for it Jesse and everyone else who are familiar with this machine:
H-O-A-X...
Slow news day.
Reginald @ Feb 26th 2007 12:35PM
Yup. That's the one.
Their computer screens even face Walnut Street in plain sight (vagrants sleep in the ATM lobby after-hours so apparently nobody pays attention to the bank).
Foof @ Feb 26th 2007 3:27AM
From the report, it sounded like someone happened upon an app-crashed system with an exposed start menu, and loaded up MSPaint. No hacking was really suggested.
I've seen a few crashed ATM machines. I even have a picture of one auto-rebooting after a BSOD - it cycled through the Win2K splash screen and then error'd out :P
http://img149.imageshack.us/img149/4301/dsc1973by2.jpg
duke @ Feb 26th 2007 3:39AM
this has got to be the funniest shit from this site I've ever seen
Fran @ Feb 26th 2007 4:14AM
Windows 95 is still used by some banks here in Ireland.
Guffy @ Feb 26th 2007 5:26AM
Misleading headline. It never mentions anything about any hacking going on in the actual context. What is up with that? The machine was NEVER hacked! So why would you put that in the title to bash windows? It clearly states on the original reference page that "There was some cheap ATM machine touch screen thing at Cinema 9, but it was blank cept for a gray line at the bottom.". So when the machine booted up, the ATM software probably was not loaded properly and the windows interface was exposed. It is probably a movie-ticket ATM and not a real bank ATM anyhow. Yes, those are called ATMs as well.
I was at the local Loews cinema the other day and two of the ticket machines were down with some kind of error msgs showing. When they rebooted them, a Windows XP logo appeared. They were running WinXP with the movie ticket software running coded in Java. It was that program that had failed (printer was out of paper and hence the software failed to load). Anyways, my point being, don't always bash Windows, it's not their fault for whatever software you put on the machine.
Bank ATMs do not run windows, as they run their own whatever-bank-OS-like-software. This is a pretty useless news post.
zoara @ Feb 26th 2007 8:07AM
Not true. My local bank ATM runs Windows - I tried to get some cash out one day and the damned thing rebooted on me and stole my card. Natwest, in Mold, North Wales.
D. @ Feb 26th 2007 7:46AM
Many ATMs are Windows based, everybody that had one crash on them can confirm that. I had several crash on me on various occasions. Once it happened when I was on holiday and it ate my CC. I was really lucky to have a second card at hand. It just shows how much the banks really care for their customers' data/card safety.
strider_mt2k @ Feb 26th 2007 7:50AM
Whatever machine it is it could have been running Windows XP Embedded, although that flavor is supposed to be pretty robust.
My local bank still uses Windows 95, and it's a major bank. (Rhymes with Tommerce)
Eric Glassman @ Feb 26th 2007 8:39AM
LMAO.
Samuel McConnell @ Feb 26th 2007 9:35AM
Actually, at least on Diebold ATMs, the camera does indeed record 24/7.
Fidelio @ Feb 26th 2007 10:02AM
Wow... if this really is an ATM, the company in charge of developing the software that runs over Windows doesn't know what they are doing. If the UI runs over Windows, there are ways to specify your shell to be that specific application and to restart the application in case it gets closed somehow. Also, if you use Windows embedded, you can specify the exact modules of the OS you want loaded on the machine, so there is no need to have Paint in there.
Definitely an amateur's job (in regards to the original application running on that device).
PDubNYC @ Feb 26th 2007 2:04PM
god you're slow. Try reading the reference post and see that it is a joke.
Zeb @ Feb 26th 2007 12:03PM
Yes, this is definitely a movie ticket machine, not an ATM.
Interesting side note however, the automated check-out machines at all Wal-Mart stores use Windows XP Pro, I'm pretty sure it's embedded though.
And sometimes the machines that the cell phone salesbooths run on windows 2000 embedded.
We used to mess around on them when I worked there.
Foof @ Feb 26th 2007 1:22PM
Lol, I know that one well. I've decided not to walk into the vestibule a few times because a homeless guy was standing inside (probably nothing to worry about of course, but man, it is supposed to be a bank).
I wonder if the flute-lady still sits outside playing.
Commerce bank is pretty sweet though - free Coinstars, open 7-days a week. Wish we had it back here in California!
patsy @ Feb 26th 2007 2:11PM
Actually, it doesn't even always take much "hacking", sometimes a bit of chance is all that's needed. One time I went to my local AmSouth ATM inside a food court to withdraw some cash, the machine was sitting wide open booted to the Windows desktop, with a keyboard and mouse tray + mouse pulled out, and nobody in sight. The guy apparently went back to his truck for some reason, or perhaps took a potty break, without bothering to lock the thing back up. I was very tempted to launch Solitaire and leave it running to freak him out, but someone with more nefarious intentions could have fairly easily plugged in a USB Wifi dongle and launched a VNC server to get back in at their leisure. If I had taken a picture of the scene, I'm pretty sure I could have gotten the guy fired.
ben @ Feb 26th 2007 2:35PM
This machine doesn't look like it prints receipts, it would have slots for both cash and receipts if it was an ATM. I agree with the earlier post that this is probably an automated ticket seller at a movie theater, with that the ticket stub is the receipt.
vrknoise @ Feb 26th 2007 6:19PM
Ha ha... Freakin hilarious. They're lucky it wasn't something worse...
SHOTT3R,
RE: The Automated Teller Machine Machine. Another good one is ordering your food: "With Au-Jus Sauce." It's the same as saying "With With Juice Sauce."
kIicker @ Feb 26th 2007 9:01PM
My mom used to work at the IT department for a bank in B.C. for many years. I told her this and she wasn't surprised. She actually said "I was wondering when it would happen. If you knew how simple these machines are you'd be surprised."
Mewissa @ Feb 27th 2007 11:36AM
The actual blog post
It was really only meant to be funny, not 0mgHax0r. You know, one of those Oh hey look! I'm gonna play with this!
Mewissa @ Feb 27th 2007 11:36AM
Oops.
http://melissatogo.blogspot.com/2007/02/multimedia-message.html
There.