How safe is Microsoft Windows? After all, the list of malware that has caused major headaches worldwide over the last 15 years is long: viruses, worms and Trojans have forced computers to shut down, knocked South Korea offline and even overloaded Google's servers. Now, how safe do you feel knowing that cash machines across the world run Microsoft Windows?

An exploit has been discovered, apparently spread across Russia, India and China, whereby cash machines can be turned into free money vending machines. The hack requires restarting the cash machine (essentially a Windows terminal) from a prepared CD that injects malware into the system to circumvent its security. At set times of the week, a unique code is generated and given to a "mule", who approaches the machine, enters the code and withdraws up to 40 notes, anonymously and without trace.

From skimming to hacking

Attacks on ATMs (those more sophisticated than removing the cash machine and cutting into its safe) started around 10 years ago with card reader devices containing a tiny integrated camera and card reader. As a user withdraws cash, the device reads the account details from the card's magnetic stripe and videos the PIN being entered into the keypad.

Earlier generations of ATMs were often built around computer terminals running IBM's OS/2 operating system, which started life as a joint IBM-Microsoft venture; when that partnership collapsed it spawned both IBM's OS/2 and, somewhat ironically, Microsoft's Windows NT, the grandparent of modern Windows. Due to OS/2's more esoteric and rare nature there are far fewer attacks against it, but it is now standard builds of Windows, potentially vulnerable to all the usual malware and exploits, that run modern ATMs. So it is not surprising that intruders have started to find ways inside the ATM's card processing and cash dispensing systems.
Malware that can offer external control of an ATM has been reported for some years, allowing attackers to dispense cash and to record and print out card details and PINs.

Under the hood

This latest malware is Backdoor.MSIL.Tyupkin, which, while running continuously, will only listen for commands on Sunday and Monday nights. The criminal gangs operating the malware generate a random, unique, six-digit keycode that activates the program, which is given to the "mule" who is withdrawing the money. Like previous efforts to crack into ATMs, the malware requires physical access to the ATM, typically by booting the ATM from a CD prepared to install the malware. At present the malware has been active on at least 50 ATMs in Russia and Eastern Europe, but also in the US, China and India.

The malware is the file ulssm.exe, which is copied into the c:\windows\system32 directory and which is protected and maintained on the system between reboots by modifying the Windows registry (a database of configuration settings) so that Windows automatically runs the program at startup. The program then interacts with the ATM through the Extension for Financial Services (XFS) library, MSXFS.dll. To avoid detection it will only accept controller commands on Sunday and Monday evenings.

The video accompanying the original article (at 25:20) shows an example of malware installing itself onto a system, updating the Windows registry to autorun at startup, and then going into hiding.

Playing catch up

The threat of rebooting machines from CDs or bootable USB sticks in order to install malware, and of abusing the Windows autorun feature to keep the program resident across reboots, is a technique that has been common for over a decade. It seems few lessons have been learned in terms of securing physical access to the device, and also in the privileged rights that malware can gain. Even as companies focus on improving and securing the user interface, the debugging and diagnostic side can often provide further routes into a system.
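One defender-side check that the persistence mechanism above suggests, as an added example that is not from the article or from any ATM vendor: audit an export of the Windows Run key against the gold-image baseline, since an ATM build should never gain a new autostart entry. The sample export, the vendor paths and the baseline set are constructed placeholders; ulssm.exe and the system32 location are the values the article names.

```python
import re
from typing import NamedTuple

# Constructed sample: text export of the HKLM\...\CurrentVersion\Run key of an
# ATM, one "<value name> = <command>" per line. ulssm.exe is the persistence the
# article describes; the other two are placeholder vendor startup entries.
SAMPLE_RUN_KEY_EXPORT = """\
XfsAgent = C:\\ATMVendor\\bin\\xfsagent.exe
Dispenser = C:\\ATMVendor\\bin\\dispsvc.exe
ulssm = c:\\windows\\system32\\ulssm.exe
"""

# Baseline: the only commands the gold image is allowed to autostart. An ATM
# build should never gain new Run entries, so anything else is a finding.
BASELINE_COMMANDS = {r"c:\atmvendor\bin\xfsagent.exe", r"c:\atmvendor\bin\dispsvc.exe"}

# Image name the article attributes to Tyupkin.
KNOWN_BAD_IMAGES = {"ulssm.exe"}

class Finding(NamedTuple):
    value_name: str
    command: str
    reason: str

def parse_run_key(export: str) -> list[tuple[str, str]]:
    """Turn the export into (value name, command) pairs, skipping odd lines."""
    entries = []
    for line in export.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*(.+?)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def audit_run_key(export: str) -> list[Finding]:
    """Report each autorun that is a known-bad image or absent from the baseline."""
    findings = []
    for name, command in parse_run_key(export):
        norm = command.strip('"').lower()      # case-insensitive comparison
        image = norm.rsplit("\\", 1)[-1]       # bare executable name
        if image in KNOWN_BAD_IMAGES:
            findings.append(Finding(name, command, "known ATM malware image name"))
        elif norm not in BASELINE_COMMANDS:
            reason = "autorun not in gold-image baseline"
            if norm.startswith("c:\\windows\\system32\\"):
                reason += " (unexpected image dropped into system32)"
            findings.append(Finding(name, command, reason))
    return findings

if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_RUN_KEY_EXPORT):
        print(f"{f.value_name}: {f.command} -> {f.reason}")
```

On a real fleet the export would come from the ATM image itself (for example a `reg export` of the Run key taken during the vendor's diagnostic window) and the baseline from the signed gold build, so any drift, not only the name the article cites, is surfaced.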
Versions of Windows used in embedded control systems are now sufficiently secure, but as ATM manufacturers use standard installations of Windows they are opening themselves up to further problems, not least because it gives hackers the opportunity to simulate and craft their malware on well-known versions of the operating system. However, at the core of this attack, as with those before it, is the need for physical access to the device, which implies an insider working in the bank. That means that with monitoring of who has access to the cash machine, this can be prevented. The key lesson is that the ATM operating system is a weak link in the chain which needs to be closed.

This article originally appeared on The Conversation.
Changes to how credit card transactions are handled at point-of-sale will come into effect in Australia this Friday, August 1. Magnetic stripe and signatures will no longer be the primary method for verification; instead, a chip-enabled card and PIN will be required. In order to support the new types of credit cards, merchants are required to upgrade their hardware or look at an alternative solution.

There are still some situations where the customer isn't required to provide a PIN:

- Contactless payments under $100 in value (i.e. payWave, PayPass)
- Any payments $35 or under in value
- The credit card has been issued by an overseas bank. In this situation they will be able to sign for their purchases.

Europe is already on chip and PIN; the USA is still using magnetic stripe, but this looks to be changing. One benefit for merchants to invest in the upgrade is that the card schemes (Visa, Mastercard, AmEx) will cover the merchant for any chargebacks associated with a chip and PIN based transaction.

There have been some reports that industries such as hospitality are concerned about the impact this change will have on other parts of their business, like tipping. Ben Fuller from point-of-sale provider ImPOS sees an opportunity for new software systems to improve these parts of the business. "Those saying it is the death of tips for wait-staff haven't made themselves aware of how the transition has been successfully handled in other countries. With our POS solution we're leaving a space for the customer to 'sign-off' on the tip at the bottom of the bill. It is simple and, if carried out correctly with the right dialogue, will result in more tips, not less," Fuller says.

Stolen at the shop, spent on the web

Building a more secure payments infrastructure with chip and PIN is a positive step. However, according to the Australian Payments Clearing Association (APCA), roughly 70% of Australian credit card fraud occurs in a card-not-present environment (i.e. online, phone or mail credit-card transactions). Generally, credit cards are stolen at an ATM or checkout, then illegally used online, where a PIN is not required. These regulatory advancements may result in more fraud being driven towards contactless cards and online transactions.

Software-based solutions

At Pin Payments we're seeing a segment of small businesses ditching their hardware terminals in favour of our simple software-based solution. Businesses processing a small number of transactions each month can find that the up-front cost and long contract terms associated with hardware card terminals don't make financial sense. Software solutions like this on the market offer a way to process card transactions on a pay-as-you-go basis, with the transaction fee being the only cost to merchants. When it comes to risk, for merchants using our mPOS at markets, pop-up stores and similar, we always recommend they take steps to reduce the risk of fraud. A simple measure is to ask for photo identification that matches the name on the credit card provided.

The move to chip and PIN is welcome, and it has the ability to significantly reduce the incidence of card "skimming" in retail environments. Skimming is the term used to describe the illegal harvesting of card details from modified ATMs and checkout terminals. Web and mobile software tools provide a larger opportunity to protect consumers, potentially eliminating sensitive card details from transactions entirely. Progressive businesses such as Clipp are using a secure card-on-file method to allow bars and restaurants to charge customers through a mobile app. Uber is doing the same for taxis and limousines. With chip and PIN hardware, skimming can be reduced. With software, skimming can be eliminated. If credit card or bank details don't need to be handled at the time of the transaction, then there's no useful information for thieves to harvest.
Australia is moving ahead of some other markets (such as the US) in consumer protection practices, and these new regulations around point-of-sale hardware will benefit consumers. Still, there remains plenty of room for improvement as payments continue to go online and mobile. Chris Dahl is from Pin Payments, an Australian start-up providing businesses with simple new ways to get paid.
Online payments company Stripe is running a trial with US customers that allows them to accept bitcoin payments, but there is no definite date as to when this will be available in Australia.

Still a controversial currency, bitcoin has slowly been gaining traction in Australia, with a Bitcoin Barcamp held recently and the first bitcoin ATM being installed in Sydney, at a pastry shop in Rosebery.

If Stripe's trial proves successful, it plans on making bitcoin payments available in Australia and other countries. It will be the first major online payments platform to support bitcoin. Stripe recently opened up to Australian merchants in private beta, setting up a presence here led by entrepreneur and venture capitalist Susan Wu.

Stripe co-founder and president John Collison told StartupSmart the inclusion of bitcoin as a payment option won't have an immediate impact, with some education around bitcoin still needed in the community. "People selling online aren't going to shift all their sales to bitcoin overnight, or even in the next few months," he says. "There's some education needed on what accepting bitcoin means and what the advantages are." He says Stripe will need to make the consumer buying experience better. "That'll take time, but we're pretty excited about this addition," Collison says. "Breaking down economic barriers is one thing both Stripe and bitcoin have in common."

According to Re/Code, once implemented, merchants who decide to use Stripe to accept bitcoin payments will automatically be paid out in the local currency of their choice. They set the price for their product or service in a local currency and Stripe automatically calculates for their customers what that will cost in bitcoin. Neither Stripe nor its customers will hold onto the bitcoin, meaning the businesses that accept bitcoin will not be subject to the volatility of its price.

Local Stripe competitor Pin Payments currently has no plans to implement Bitcoin.
Pin Payments founder Grant Bissett says Bitcoin doesn't solve a real problem for their customers. "In the longer term it's likely that we would consider using Bitcoin, or one of the many other emerging cryptocurrencies, but not as a customer-facing product," he told StartupSmart. Bissett says sites like Coinjar have a great product and are already providing Bitcoin support for local merchants. "In the relatively conservative banking environment in which Pin Payments operates, we feel that maintaining a moat between regulated and unregulated payment activities will benefit all participants in the local payments industry, in turn improving the offerings for businesses and consumers in the region," he says.
Start-up businesses could soon be provided a greater choice in their banking options following a proposed expansion by Australia Post into the financial services industry. The Future Fund is reportedly in talks with the government about rolling out new 'financial supermarket' services in a bid to prop up ailing Australia Post branches. David Murray, the Future Fund chairman, has been quoted as saying that Australia Post could provide services including deposits and loans, processing of financial transactions, an ATM network and even superannuation products.

The potential move will be watched closely by small businesses, which have consistently complained about a lack of choice and competition in the banking market. The situation has become particularly acute in the last three years, with many lenders refusing to back start-up businesses. Although lending by the 'big four' banks has increased, a number of other funding sources have dried up, leaving fledgling entrepreneurs short of options in securing finance.

Council of Small Business of Australia chief executive Peter Strong told SmartCompany that he broadly supported the proposal. "We've got to see the detail, but I would be supportive of that measure because it would create something new, and competition in this area is a good thing. We've mentioned our support for the portable account number before, and this is a good example of a situation where you could use it."

"In some parts of cities, you still need to drive to the bank and the parking is quite bad, it's too far away from your other destinations and so on. But if you have an alternative post-office nearby, which could even be a smaller venue, you may find that it's easier for you to go there."

"I also think it will make it easier for some SMEs in rural areas where there isn't a lot of competition. In terms of ease of access, this will make it much easier for a lot of SMEs."