ATM
Latest
Biometric ATMs coming to rural India
Considering all the ATM hacking that's been going on of late, it's not all that surprising to see those "uber-secure" fingerprint readers hitting mini-banks in Japan and Columbia, and now a pilot program is getting set to install 15 biometric ATMs at "village kiosks in five districts across southern India." The fingerprint-reading machines are expected to serve around 100,000 workers, primarily farmers and other laborers, who will finally be able to withdraw funds directly from a machine rather than suffering through the corrupt hand-me-down process that often steals money away from already poor workers. AGS Infotech, who is supplying the first batch of systems for the trial, is interested in seeing if the system actually works out, as many villagers have trouble interacting with any type of computing interface, and because many villages have their own dialects, making a UI that can communicate to everyone is difficult. Of course, there are individuals who suggest that these systems will only incite crime, as thieves look to new methods (read: hacking a thumb or two) to extract funds, but proponents of the system say that this is no different than armed criminals forcing someone to give up their PIN number at gunpoint. Nevertheless, the trial is slated to start soon, and there's quite a few outsiders watching intently to gauge its eventual success or failure, as analysts predict that "over 100,000 ATMs" could be necessary to handle India's booming economy in the next few years.
ATM PINs vulnerable to cracking, Israeli researchers say
Everyone relies on their ATM cards pretty frequently -- after all, there's no better (or, often, more necessary) way to start your evening than with a $40 quickdraw from your favorite local money machine. Well, you may want to think twice (that is, if you're among the paranoid security-minded types) next time you whip out that thin piece of plastic. A group of researchers at Algorithmic Research (ARX), an Israeli security firm, published a paper two weeks ago describing a very serious flaw inherent in most ATMs. Apparently, between the time that you input your PIN and the time that the machine spits out your cash, a dataset containing your PIN and account number is encrypted and decrypted a few times while being routed along the banking network -- and somewhere along that point, it's conceivable that those numbers could be intercepted. MSNBC reports that while no attacks using this method have been detected, the US Secret Service is already on the case, and that while Visa and the American Bankers Association are acknowledging the problem, both are dismissing the hacking scenario as being unlikely. Still, we might consider busting out that money belt sometime soon, getting the USSS on the job means it could be big. [Warning: PDF link][Via MSNBC]
Manchester man uses DAP to siphon cash from ATMs
While sniffing out ATM info has been used by tricksters criminals for years, a Manchester-based bloke was trafficking private bank information from various cards to illegally purchase goods -- with the help of DAPs, no less. Although your evil twin could manage to reprogram an ATM to disperse 300 percent more cash than it really should, this fellow secretly attached an (unsurprisingly anonymous) "MP3 player" to the backs of free-standing cash machines in "local bars, bingo halls, and bowling alleys." The device recorded the tones from transactions, which were then decoded and "turned into information used to clone new credit cards." The fellow learned his savvy computing skills from "a friend in Cambridge," and was oddly not caught jacking cash or throwing down on a new HDTV; rather, police caught on to his scheming when they located a counterfeit bank card in his vehicle during a routine traffic stop, which led them back to his presumably disclosing home. While we applaud the ingenuity, the motives are certainly below traditional moral standards, but this certainly isn't the first (nor the last) criminal offense involving DAPs.
Tactile passwords thwart snooping, facilitate old-fashioned muggings
Okay, we'll admit it: we're definitely not "tough guys" around here, and when we need to use the ATM after dark (heck, even before dark), we're looking over our shoulder every two seconds to make sure no one is scoping our easy-to-guess PIN or lying in wait to snatch that fresh stack of twenties out of our RSI-plagued hands. Well computer engineers at Queen's University Belfast in the UK are trying to make those late-night ATM runs just a little less terrifying, with a new system for password entry that uses tactile feedback combined with on-screen cues instead of the old ten button method we're used to. The whole process centers around a modified computer mouse with sixteen moving pins under both the index and middle fingers; different pin patterns are known as tactons. To enter a password, the user must manipulate the mouse so that a cursor moves through nine different boxes on the display, with each box sending a different, random tacton back to the mouse. Once the user feels the proper tacton correlating to the first element of his/her password, he/she then clicks the mouse button in the appropriate box and proceeds to repeat the process until the requisite number of codes have been entered. While subjects in a study felt more secure with this technique and were able to remember their tacton sequences even after several weeks of non-use, the biggest downside here is that testers needed an average of 38 seconds to negotiate all those boxes and get all their clicks in. So while the tactile system seems to do a good job thwarting nosey parkers, those 30+ seconds of staring at the screen give crooks plenty of time to sneak up behind you and force you to hand over your life savings (or $500 -- gotta love those daily limits).
ATM hack uncovered, financial freedom abounds?
You're probably familiar with the Virginia Beach trickster who reprogrammed an ATM to shoot out 300% more money than was debited from his account, but now it seems his "discovery" might have been widely available all along. Dave Goldsmith, a computer security researcher at Matasano Security, began to dig a little deeper once the news broke, and thanks to the oh-so-disclosing CNN video, secured the machine's model and maker: a Tranax Mini Bank 1500 series. Reportedly, he then acquired a (legal) copy of the ATM's user's manual, which conveniently spelled out "how to enter the diagnostic mode, default passwords, and default combinations for the safe." Once the cash-spewing gizmo is in "Operator" mode, the only thing standing between you and illegitimate funding (aside from your conscience) is a password, and since default passwords are plainly listed in the manual, it's up to the installation crew to actually insert a more secretive alternative. While we assume Tranax has been hastily sending memos to stores who (currently, at least) use its machines, you'll probably notice the unmodified machines by the insanely long lines preceding them (or a mysterious lack of cash available to disperse).Update: It looks like Tranax Technologies is stepping to the plate and planning a "software update" that forces installers to change the default password before it goes into service. The company has stated that the patch should be ready "in a matter of weeks," but it can't "force operators of currently installed ATMs to install it". [Via Wired Blogs]
ATM reprogrammed to disperse extra cash
Although ATM trickery has been going on for some time now, it typically deals with some sly guy jacking your data when you least expect it and withdrawing massive (or not) quantities of cash from your checking account. 'Twas not the case at all, however, in a recent reprogramming effort at a Virginia ATM, where a clever individual somehow fooled the computer into thinking it was dispersing five-dollar bills while it actually shot out twenties. Essentially, the suspect's balance was only debited for the amount he requested, yet he gleefully received four times that amount from the helpless machine. It was stated that the ever-joyous trickster couldn't resist returning only minutes after his first bonus score to give it another go, but he won't be going back anytime soon: now he's got the boys in blue tracking him down. One of the more ingenious acts of programming we've seen lately (it's a shame Intel's not hiring), it still was a loophole not to be exploited, so if you see a fellow in Virginia Beach throwing down on 4:1 odds, stay sharp.
UK's ATM cards thoroughly trounced by ID thieves
Alright, this is getting out of hand. We were a little wary at the first when we heard about tying RFID so closely to our monies, and that Chase Bank blink card of ours has been collecting dust ever since it showed up in the mail, but the latest failings of RFID "security" have us running for the hills -- tin foil hat in tow. Apparently some UK scoundrels teamed up with a crooked gas station attendant to nab credit card numbers from RFID smart card-enabled credit cards. They then stashed this info on the magnetic strips of phone cards, and flew over to India to make withdrawls. Since Indian ATMs don't require the double identification of RFID smart card and magnetic strip, just the strip, they were able to manage quite a bit of cash before a vigilant security guard spotted them making withdrawls from multiple cards in succession. The gang of four men were caught with $14,000 and 116 credit cards. To make things worse, the UK Cyber Crime Unit wasn't even aware of the existence of RFID chips, (makes sense, since the cards don't use such technology) and we're not sure what's to stop another group of clever hackers making off with another set of credit cards and forever ruining any hope of security we've managed to hold onto so far.UPDATE: Turns out there was some serious misinformation floating around, since UK cards don't even use RFID, but instead operate with smart cards that require physical contact. This makes roughly 95% of our ranting completely irrelevant, but the heist is disconcerting all the same.[Via Boing Boing]
Wells Fargo's new Envelope-Free ATMs scan your deposits
400 of Wells Fargo's WebATMs in northern California (Contra Costa, Alameda and Santa Clara counties) are in the process of getting a technological makeover that will allegedly cut down on the time it takes to make a deposit, increase security and eradicate those pesky bank errors, which unlike in Monopoly, hardly ever seem to be in your favor. The Envelope-Free system, which is similar to a system currently being used by Bank of America, allows you to insert stacks of up to 30 bills and 10 checks at a time which are promptly scanned, counted, displayed and printed to a receipt. While cellphone ATM access would be nice, other improvements like same day check clearance might make free lollipops your only motivation to set foot in a real bank.[Via CBR]
