Not An ATM From Which I'd Want To Be Getting Cash



  • I dropped by an ATM machine because I was low on cash today, and on its
    screen, rather than the usual "please insert card" prompt, it had a
    text display of the contents of the processor registers.



    What was most amusing was that the last line on the screen read "The system has recovered..."



    I should have written down the contents of the registers... maybe it was the last person's card and PIN number ;-)



  • Well, if you get really sick and then you "recover," shouldn't there be
    some cool off time before you get back to real work? I think the ATM
    was following a similar principle. Perhaps if you return an hour later
    it'll be back on its feet and ready to serve you.




  • @Brendan Kidwell said:

    Well, if you get really sick and then you "recover," shouldn't there be some cool off time before you get back to real work? I think the ATM was following a similar principle. Perhaps if you return an hour later it'll be back on its feet and ready to serve you.

    <FONT face="Courier New" size=2>the atm was out all night again, drinking with its buddies.  they all went out to a strip club, and the atm leaned over and said to the girl, "hey, check this out, baby!" and spewed a few dozen $20 at her feet.</FONT>



  • This reminds me of an account statement printer nearby:



    http://www.ulm.ccc.de/projekte/bankomat/index.html



    (Sorry it's German, but just click on the first picture and then loop through the gallery. Pictures tell more than words.)



    cu



  • Boy... I wish the ATM at my bank would play chess with me...



  • @DonMcNellis said:



    I should have written down the contents of the registers... maybe it was the last person's card and PIN number ;-)




    Not possible. I programmed ATMs at my last job, and the ATM software
    actually never gets to see the PIN. The PIN pad is bundled together
    with encryption hardware and what the ATM actually does is send the
    request data to that hardware, which encrypts it and the PIN that was
    entered and returns the result, which is then sent over the network.



  • @brazzy said:



    Not possible. I programmed ATMs at my last job, and the ATM software
    actually never gets to see the PIN. The PIN pad is bundled together
    with encryption hardware and what the ATM actually does is send the
    request data to that hardware, which encrypts it and the PIN that was
    entered and returns the result, which is then sent over the network.




    Oh, how I wish security in desktop computers and networks made that
    kind of sense. Look at all the web application login screens that are
    nothing but an HTML form with no encryption in the page, and no SSL
    connection. Up until recently, if I wanted to log into the Cingular
    (mobile phone provider) web site to pay my bill, I was REQUIRED to have
    a four letter password--no more, no less--it was probably SSL
    protected, but four letters does not consitute a challenge! Behind this
    four letter password, I could view my call history.




  • @Brendan Kidwell said:

    Up until recently, if I wanted to log into the Cingular
    (mobile phone provider) web site to pay my bill, I was REQUIRED to have
    a four letter password--no more, no less--it was probably SSL
    protected, but four letters does not consitute a challenge!




    Well, an ATM PIN is a four number
    password, which is much, much weaker. It's sufficient because you get
    no more tries after three failed attempts. If the webapp did the same,
    it would be perfectly adequate.



    As for ATM security, it's not all that great either. A lot of banks are
    still not done switching from DES encryption (nowadays considered
    insufficient) to triple DES (probably insufficient in a few years).



  • @Brendan Kidwell said:

    @brazzy said:


    Not possible. I programmed ATMs at my last job, and the ATM software
    actually never gets to see the PIN. The PIN pad is bundled together
    with encryption hardware and what the ATM actually does is send the
    request data to that hardware, which encrypts it and the PIN that was
    entered and returns the result, which is then sent over the network.




    Oh, how I wish security in desktop computers and networks made that
    kind of sense. Look at all the web application login screens that are
    nothing but an HTML form with no encryption in the page, and no SSL
    connection. Up until recently, if I wanted to log into the Cingular
    (mobile phone provider) web site to pay my bill, I was REQUIRED to have
    a four letter password--no more, no less--it was probably SSL
    protected, but four letters does not consitute a challenge! Behind this
    four letter password, I could view my call history.






    What else did you have to enter? An account number?



  • @brazzy said:

    @DonMcNellis said:


    I should have written down the contents of the registers... maybe it was the last person's card and PIN number ;-)




    Not possible. I programmed ATMs at my last job, and the ATM software
    actually never gets to see the PIN. The PIN pad is bundled together
    with encryption hardware and what the ATM actually does is send the
    request data to that hardware, which encrypts it and the PIN that was
    entered and returns the result, which is then sent over the network.




    Interesting...



    Though, I was just trying to make a joke, hence the ;-) 






  • @brazzy said:

    It’s sufficient because you get no more tries after three failed attempts. If the webapp did the same, it would be perfectly adequate.

    No, it would be silly, because then any joker could purposefully enter a random number thrice to lock someone else out of their account… [:)]



  • @Aristotle Pagaltzis said:

    @brazzy said:
    It’s sufficient
    because you get no more tries after three failed attempts. If the
    webapp did the same, it would be perfectly adequate.

    No, it would be silly, because then any joker could purposefully enter a random number thrice to lock someone else out of their account… [:)]


    True, but only if they get the users card, or have the ability to create their own cards, and can find out the users card number.    Both are cases where a bad guy has the ability to steal money given enough time to guess the pin, so you want to lock the account.  

     Note that card numbers are related to, but not the same as account numbers, so this implies some backdoor into the bank as well - the thief would use the card to avoid getting caught in the banks audit after the fact.    PINs should be encrypted all the way, so there is no way to know what it is by looking at the database.   The thief could change the pin, but that would show up in the audit log, and increase the chance of getting caught.

    Of course all the assumes that the banks are doing security like they should be.   I suspect that there are several banks that are failing on several of the above steps.




  • @hank miller said:


    Of course all the assumes that the banks are doing security like they should be.   I suspect that there are several banks that are failing on several of the above steps.

    <FONT face="Courier New" size=2>i recently read about some guys that made a fake numberpad that was glued on top of the atm's numpad, and there was this card reader attached to the normal card slot.  the device recorded the card's information and the pin, without the user knowing what was going on.  (except for of course, the glue wearing down and the fake pad sliding off the thing, which is how this thing was discovered).  </FONT>



  • @hank miller said:

    @Aristotle Pagaltzis said:
    @brazzy said:
    It’s sufficient
    because you get no more tries after three failed attempts. If the
    webapp did the same, it would be perfectly adequate.

    No, it would be silly, because then any joker could purposefully enter a random number thrice to lock someone else out of their account… [:)]


    True, but only if they get the users card, or have the ability to create their own cards, and can find out the users card number.    Both are cases where a bad guy has the ability to steal money given enough time to guess the pin, so you want to lock the account.


    I think he meant the webapp case, not the bank, and for that he is correct, since in webapps, other users' login names are often publically available. I forgot about that problem. It can be solved by making the displayed name different from the login name.



  • @emptyset said:

    @hank miller said:


    Of course all
    the assumes that the banks are doing security like they should
    be.   I suspect that there are several banks that are failing
    on several of the above steps.

    <font face="Courier New" size="2">i recently read about some guys that made a fake numberpad that was glued on top of the atm's numpad, and there was this card reader attached to the normal card slot.  the device recorded the card's information and the pin, without the user knowing what was going on.  (except for of course, the glue wearing down and the fake pad sliding off the thing, which is how this thing was discovered).  </font>



    This is a very common problem that's been around for years, in a number variations, at least here in Germany. An alternative to the glued-on pinpad is to install a camera that records the PIN as it is entered on the real pinpad. Yet another variation is to install a pinpad and piggyback cardreader in front of the the cardreader that acts as a door-opener for the ATM foyer. Many people will enter their PIN there without hesitation. The older, low-tech version relied on a device that let the card enter the ATM but prevented it from being ejected or retracted. The criminals would spy in person on the customer entering the PIN and when they would leave after cursing the ATM for swallowing the card, the criminals could retrieve the card via the device.

    This has become such a big problem that banks are forced to implement a number of technical countermeasuers as well as educating their customers. ATMs nowadays try to half-retract cards before using them and, if that fails, abort without asking for the PIN because it indicates the presence of a card-capturing device. Card readers take in and return the cards in an irregular, shaky rather than smooth motion in order to prevent simpler piggyback card reader from reading it.
    Additionally, bank foyers sport warnings, urging customers to never enter their PIN at the door-opener and to block cameras or onlookers from spying their PIN by holding something over the pinpad while entering it.



  • And in sweden the banks have started to put nails (like those punk
    rockers wear all over.) around the cardslot on the ATMs. And once in a
    while you're told to not use ATMs that doesnt have these as they might
    have cardreaders installed.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.