
In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

223 likes

Submitted 2 days ago by Captainautism@lemmy.dbzer0.com to technology@lemmy.world

https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-4g-enabled-raspberry-pi-in-bank-network/


Comments

  • ObsidianZed@lemmy.world 2 days ago

    So they just plugged it directly into the same network switch the ATM is on? That sounds incredibly dumb. The only ATMs I’ve seen the inside of had the network switch locked inside with the vault.

    Also our bank had some kind of port security so if it wasn’t a recognized MAC address, the port just switched off.

    • halcyoncmdr@lemmy.world 2 days ago

      Also our bank had some kind of port security so if it wasn’t a recognized MAC address, the port just switched off.

      Any serious company will have this as basic security. It’s a fundamental function even available on your consumer-grade router at home. While it’s overkill for that use, it’s basic security for a company.

      • AreaKode@lemmy.world 2 days ago

        … Which financial company do you work for?

        A major one.

      • pupbiru@aussie.zone 2 days ago

        i’d argue that any serious company wouldn’t really bother with MAC identification… they’re so easy to spoof that it adds to operational overhead far more than the benefit it brings

        more likely with these things you’d have a VLAN mapped to a physical port, and if that port were disconnected you’d instantly get a notification and send someone to check it out

      • jubilationtcornpone@sh.itjust.works 1 day ago

        That’s why it’s not surprising at all that a bank didn’t bother to do that. Banks have some of the most egregious security issues.

        And really shitty auditors apparently. A good one would have at least spot checked for unsecured ports.

      • Vinstaal0@feddit.nl 2 days ago

        You would be surprised how many companies don’t even have something fundamental like a custom SSID and password, or a backup, etc.

    • pupbiru@aussie.zone 2 days ago

      i’d have said that’s less important than TLS or something on your ATM, a VLAN for ATMs that can only access specific services, and all ports not on a VLAN just disabled

      really you just want to stop traffic from being sniffed (stolen credentials) and spoofed (“correct - dispense $10000”)… beyond that, you just have to assume nothing. the services that an ATM connects to should be robust enough that they do all the validation - the ATM is pretty dumb (kinda in the same way as your browser on your computer: it gets no decision making to access your bank; just is input and output)

      MAC addresses are easy to spoof, and physical security is pretty difficult on something like an ATM that’s publicly accessible

      • Saleh@feddit.org 1 day ago

        Ahh, i remember how my older brother locked down my internet access after midnight on behalf of my parents, boasting about having set up a MAC-address whitelist in the router some 15 years ago.

        About a week later or so he proceeded to play Battlefield 3 on his early Samsung smartphone all night during summer holidays.

    • cyberpunk007@lemmy.ca 2 days ago

      Yup, this is the way. Pretty crazy a bank doesn’t have proper security lol

  • Infinite@lemmy.zip 2 days ago

    Ah yes, the most devious of exploits, the bind mount.

  • null@lemmy.nullspace.lol 1 day ago

    What in the Mr. Robot…

  • x00z@lemmy.world 1 day ago

    This is quite an awesome attack if you think about it.

  • thiseggowaffles@lemmy.zip 1 day ago

    Wouldn’t the 4G connection be easily traceable? Like law enforcement could pretty easily figure out who owns the line.

    • FauxLiving@lemmy.world 1 day ago

      It’s not too hard to get a SIM in someone else’s name.

      They’d have an account owner name, but that person may not exist or they only remember some person paying them to get a phone in their name which isn’t illegal.

      • HenryDorsett@lemmy.world 1 day ago

        Don’t forget, burner phones still exist.

        You can handle everything in cash if you’re smart.

        The phone isn’t important, you just want a cheap sim with no tracks leading to you.

  • SlartyBartFast@sh.itjust.works 1 day ago

    It’s like Ocean’s 11

  • MonkderVierte@lemmy.zip 1 day ago

    Don’t give hackers a bad name.
