Sign up for our Technology Newsletter 
Some ATMs Still On XP
Cyber-criminals have been cutting holes into European cash machines in order to infect them with malware.
The holes were cut so that the hackers could plug in USB drives that installed their code onto the ATMs. Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.
The thefts came to light in July after the lender involved noticed several its ATMs were being emptied. The bank discovered the criminals were vandalising the machines to use the infected USB sticks. Once the malware had been transferred, they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.
The attackers could take the highest value banknotes in order to minimise the amount of time they were exposed. Interestingly the software required the thief to enter a second code in response to numbers shown on the ATM’s screen before they could release the money and the thief could only obtain the right code by phoning another gang member and telling them the numbers displayed. This stopped the criminals going alone.
ATM Malware Found In Mexico
A malicious software program identified in ATMs in Mexico has been improved and translated into English, which suggests it may be used elsewhere, according to security vendor Symantec.
Two versions of the malware, called Ploutus, have been discovered, both of which are engineered to empty a certain type of ATM, which Symantec has not identified.
In contrast to most malware, Ploutus is installed the old-fashioned way — by inserting a CD boot disk into the innards of an ATM machine running Microsoft Windows. The installation method suggests that cybercriminals are targeting standalone ATMs where access is easier.
The first version of Ploutus displays a graphical user interface after the thief enters a numerical sequence on an ATM’s keypad, although the malware can be controlled by a keyboard, wrote Daniel Regalado, a Symantec malware analyst, on Oct. 11.
Ploutus is programmed for a specific ATM model since it assumes there is a maximum of four cassettes per dispenser in the ATM. It then calculates the amount of money that should be dispensed based on the number of bills. If any of the cassettes have less than the maximum number of 40 bills, it releases whatever is left, repeating that process until the ATM is empty.
Kevin Haley, director of Symantec Security Response, said in an interview earlier this month that the attackers have deep knowledge of the software and hardware of the particular ATM model.
“They clearly know how this machine worked,” he said.
The source code of Ploutus “contains Spanish function names and poor English grammar that suggests the malware may have been coded by Spanish-speaking developers,” Regalado wrote.
In a new blog post, Regalado wrote that the attackers made Ploutus more robust and translated it into English, indicating the same ATM software can be exploited in countries other than Mexico.
The “B” variant of Ploutus has some differences. It only accepts commands through the keypad but will display a window showing the money available in the machine along with a transaction log as it dispenses cash. An attacker cannot enter a specific number of bills, so Ploutus withdraws money from the cassette with the most available bills, Regalado wrote.
Symantec advised those with ATMs to change the BIOS boot order to only boot from the hard disk and not CDs, DVDs or USB sticks. The BIOS should also be password protected so the boot options can’t be changed, Regalado wrote.
PayPal Unveils New Payment System
PayPal has unveiled a mobile payment product for customers that doesn’t require near-field communication (NFC) technology inside smartphones.
The system relies instead on using smartphones and other mobile devices to scan product bar codes and to authorize payments through PayPal mobile accounts. Shoppers will also be able to use credit-card scanning terminals commonly seen in grocery stores: The user inputs a phone number and PIN on the terminal’s keypad instead of swiping a credit or debit card.
PayPal President Scott Thompson laid out the basics of the plan in a blog posted Wednesday. In the blog, he also took a swipe at competitors, including Google, MasterCard, Visa and others, who are working with NFC in smartphones for a mobile wallet.
“Let’s be clear about something — we’re not just shoving a credit card on a phone,” Thompson said in his blog.
PayPal is already a major global force in online payments, with 100 million customers. While PayPal’s new payment technologies don’t rely on NFC, they do propose making in-store payments possible from any device and support GPS-based offers, according to Thompson’s blog. PayPal will even allow for customers to set up payments on credit after they’ve checked out.
Dozens of merchants got a sneak peak of the technology Wednesday at an event PayPal sponsored. The event was covered by All Things D, which was not allowed to take photographs, but posted a story. In addition to the payment methods shown in the PayPal video, that story said PayPal will allow customers to continue using plastic cards, issued by PayPal, for payment.
In an interview posted on AllThingsD, Thompson said the PayPal approach doesn’t require merchants to install new terminals, nor does it require customers to buy a new smartphone.