January 15, 2014 No Comments-
In an age where everything has an internet connection, it’s easy to forgot that there are other ways to contract computer viruses. Just because CD, DVD and USB stick attacks are less popular than they once were, it doesn’t mean we should forget about them.
In fact, the humble USB stick – more closely associated with family photos and Word documents – can be a pretty efficient cyber weapon. In one advanced case, a bank witnessed thieves steal large sums of cash from ATMs using a simple pendrive.
How the ATM hackers did it
The most important part of conducting a computer hack using physical media – like a USB stick or a DVD – is getting access to the system. For home users, that means someone will have to enter their house and plug something into their computer.
Because most people aren’t into the habit of letting strangers walk into their homes and fiddling with their PCs, criminals need to be smarter. They need to convince innocent users to attach the malware for them.
One method is to simply “drop” USB sticks around a city, hoping that the people who find the USB sticks will be curious enough to plug them into their computer. When they do, the virus is unleashed. And because the malware will be installing itself from a USB stick, it could be a very large and nasty virus indeed.
For the ATM hackers, however, the solution to getting access was to simply cut through the outside of the ATM to gain access to its USB ports. ATM engineers use USB ports to update the software on the machines, so the hackers were trying the same thing with their own code.
Once the criminals had gained access to the USB ports, they inserted their USB sticks and uploaded a modification to the ATM software. This modification (or hack) allowed them to instruct the ATM to output all of its money, making the criminals pretty wealthy.
The thieves would always patch up the holes they made in the ATM casing, so outside observers couldn’t tell the machine had been tampered with. This meant they could repeat the process of drawing all of the money from the machine, leaving the bank’s security perplexed.
What does this tell us?
There are two messages that people concerned about their computer security can take from the ATM hack. The first is that physical media, like USB sticks and DVDs, can still contain files dangerous for our computer. Sure, they won’t make our PCs print money, but they might give away access to our online banks, or allow hackers to steal our identities. Therefore it’s still important to be careful what you plug into your system.
The other point is that if your computer is in a public location, where other people can access it when you’re not around, you should add password protection to your user account to prevent any unauthorised changes.
Norman Safeground Blogs Archive