
Comment How about... (Score 5, Interesting) 137

He's traveling right now. I saw him in Plano last week, and he's been to many HP sites worldwide in the last 3 weeks, in a bid to calm employees and reassure HP's biggest customers. I don't know what this BS is about the board keeping him away. He's doing his job, meeting people and reaching out.

And after hearing him speak and meeting with him last week, I have to say I'm impressed. He's not the used car salesman that Mark was, nor the fiery bitch that Carli was. He's kind of a geek, and a definite software nerd. Not only that, he genuinely impressed me. He's sharp and capable without being slimy. And unlike most Germans, he appears to have had his sense of humor reinstalled.

Moreover, he's SMART about the tech HP sells, and why people buy it in a way that Mark never was.

And I'll take that.

Comment Re:Really? (Score 1) 193

The ATM in the public place (restaurant, gas station, etc.) is a marketing device for the location. The ATM allows the business to sell more stuff by ensuring that potential customers have the cash to buy it. It also saves money by reducing credit card transactions. If the ATM isn't paying for itself in additional sales, then it isn't worth it and shouldn't be in that location.

See, this statement right here tells me that you have little to no real understanding of the actual economics behind the ATM business. There's nothing wrong with that, but still, it's somewhat arrogant to criticize a business model without knowing a bit about the business.

Due to the proliferation of ATMs in the United States, a location having an ATM is no longer a marketing device. It is a convenience. And to be totally honest, the only product for which an ATM drives sales is the Lottery (which can only be bought with cash).

The assertion that "If the ATM isn't paying for itself in additional sales, then it isn't worth it and shouldn't be in that location" is just absurd, and shows a total lack of real knowledge on the subject.

If you, as a third party ATM owner, are charging both the location and the consumer then you are double-dipping, not illegal, but not respectable either. If the concern is people coming in to the ATM and not purchasing anything at the facility then that is easily handled by having the transaction fee discounted at the register for cash purchases made within x minutes of the time on the receipt.

I, the third party ATM owner, charge the customers of the business. Not the business itself. Actually, in every location but one that I have a machine installed, the business gets a piece of the surcharge, between $0.125 per transaction and $0.40 per transaction. Again, this is a CONVENIENCE charge. No one is forcing the customer to use the ATM. He or she is perfectly free to walk down the street to find another machine.

In short, you should be making your money off of the business owners (your customers), not the customers of those businesses.

You're welcome to your opinions, and I highly encourage you to take this moral model of yours and try to make it work. We in the industry might learn something from you. Likely, what we'll learn is that your business model sucks, and you can't make money with it, but I highly encourage you to try, and wish you the best of luck.

Comment Re:Interesting Hacks... (Score 1) 193

I like how you conveniently ignore digital locking mechanisms that can be both unique, and easy to give access to. While at the same time allowing for better access tracking and instant lock out of compromised codes.

I guess to start, when you refer to a digital locking mechanism, what are you locking? Are you talking about physical access to the top of the machine, or are you talking about programming access via the keypad?

Also, what digital lock are you referring to that will be (1) unique, (2) easy to give access to, (3) allow for better access tracking, and (4) instantly lock out compromised codes? I've seen these systems (my office has one on all of the access doors), but none of them satisfy the all-so-important (5) inexpensive. How on earth are you going to convince a customer to install a $300 thin client to run $350 worth of RFID, plus an extra cable run for it to have access to the internet (to allow for this easy granting of access), plus issuing your vaulting company, your repair company, and anyone else that needs access the RFID cards necessary to get into the machine?

I respect that you are working from a contractor's point of view, and dealing with complicated and effective security would be a huge pain for you. That doesn't change the fact that it should be done anyway. A little more time and complication would save an awful lot of money in the long run.

I appreciate that you understand where I'm coming from. I personally would love the increased complication. I'm tech savvy enough that it would only help my little nascent business. If working on machines becomes so complicated that it drives my (2) competitors out of business, I would increase my cashflow 4 or 5 times.

That being said, the complexity isn't what's stopping these proposed ideas. If I have to more than double the total cost of a machine, my profit margin stays the same, my sales fall by more than half, and I have fewer locations on which to work.

How much longer before someone comes up with a device that allows anyone to walk up to an ATM and force it to spit all the money out?

Hopefully quite a while. The fundamental tenet of security you're overlooking is the unmolested physical access to the machine. If you're monkeying about with internal bits, employees of the location in which the machine is installed come over and find out what's going on. Especially the places I have contracts with. I don't show up to monkey with the machine until they call me and tell me it's broken. Is it possible to socially engineer around that? You bet. But I promise you can socially engineer around any hurdle (real or imagined) in this business.

I've worked on ATMs. The security assumes you as a tech are honest. If you aren't, it would be easy to set up any number of scams. From card skimming to outright forcing the machine to spit out money.

And that, boys and girls, is why we're bonded and licensed by the state, and in my case, the Fed.

Moreover, EVERY part of security EVERYWHERE depends on trusting the guy who's in there fixing the broken bits. From the guys at Ft. Knox to the guys at the data aggregators, you have to trust your people.

Comment Re:Really? (Score 1) 193

The sort you find in convenience stores can be purchased without too much difficulty.

Agreed. I'll be happy to sell you one today for between $2000 and $5000, depending on model and options.

They're just automated machines that put a charge on your card and dispense money, so they're not that different from a till and card reader.

And here I totally disagree. You don't understand the process by which an ATM works, which is fine, but they have almost nothing in common with a till (cash drawer) and card reader.

I imagine the heavy duty ones that banks use are a little more tricky to get hold of.

Trickier, no. More expensive, yes. To get a bank-quality Diebold or NCR, you're looking at a starting price of around $50,000.

And honestly, the only difference between the two is how many bills it will hold. Quality wise, they're really pretty close. The ATMs that accept deposits, dispense stamps, and all that are a freaking fortune. You're looking at $100,000 minimum.

Comment Re:Really? (Score 1) 193

Now that I've found a bank that doesn't charge for the "privilege" of dispensing your cash via someone else's machine, I could get on board with this, as it's a win-win for the business owner and myself (they save some money on card processing extortion fees, and presumably pass some of that overhead savings on to me). Unfortunately, the majority of people with accounts at the MegaBanks will still pay a $3+ "out of network ATM" fee, even if the restaurant's ATM only charges a quarter.

disclaimer (again) - I own about 30 of these small ATMs, so have a vested business interest in this topic

See, I don't understand this line of thinking. Your using that ATM is indeed a "privilege." This isn't happy happy funtime world. This is the real world. That ATM that you used at the gas station didn't magically appear out of nowhere. Someone had to buy it, someone had to install and configure it, someone has to provide it with electricity and receipt paper, someone has to fill it with money, and someone has to do all the regulatory paperwork that allows it to exist. And that's just for the physical machine.

The work that you never see is the people and computers involved in transmitting that data and moving that money that you withdrew as cash to the bank account that provided the cash. In most cases, that money goes from your account, to an account at the federal reserve, to an account at the processing company, to the account of the guy that sticks the cash in the machine.

And none of that is free. Sorry man.

And I, the owner of the machine, have no obligation to let you use my ATM for free. We have no business relationship. I've made no promises to you. Why do you think you should take my work and investment and use it for free, denying me not only the chance to make a profit, but also to recoup my investment?

And if you don't like it, get in your car/a bus/walk/take a segway down the street to your local bank, and use their ATM for free. They do have a relationship with you, and in exchange for your keeping your money with them, they will provide you certain things. Like free ATMs.

But I don't have to.

Comment Re:Interesting Hacks... (Score 2, Interesting) 193

and that's the problem, on a modem only one machine can attack you at a time, on the internet millions can have a go at once. the flexibility argument also cuts both ways...

I agree completely. However, at the end, if the customer (owner) doesn't want the product (the ATM), the ATM company goes out of business.

So, what you're saying is that dialup connected machines have the facility to receive calls, but internet connected machines only do outgoing connections? That seems odd. It would be just as easy to secure a dialup machine by simply telling it not to answer the phone. I have to believe that if the dialup machine is set to answer phone calls, the internet connected machine will be set to receive some form of incoming connection as well. Otherwise it's not the communication medium that is adding the security, but the decision on whether or not to accept incoming communications.

OK, with regard to the ability to accept incoming communications, it's about customer convenience. With a machine connected through a standard phone line, 99% of the machines I've installed get to share their phone line with the location's fax line. If the ATM is dialing out at set intervals, it is taking both the machine and the phone line out of service for 45 seconds to a minute every time it goes out. That's bad for business. The solution used to be (5 or so years ago) that the processor would call the ATM twice or so a day to check on its health status, etc.

Also, remember, most of my customers have this feature disabled.

Now, however, with an IP based connection, the information transfer is instantaneous (or nearly so, as viewed by the customer). Therefore, it's not a big deal for the machine to contact the processor every 15 minutes or so with a status update. Therefore, as there is no need to remotely access the machine, they simply removed the functionality.

In fact arguably the TCP/IP connection is still less secure than a similarly configured dialup connection due to increased chance of various MITM attacks, IP or DNS spoofing attacks, or simple protocol vulnerabilities in the OS that get found/exploited by the millions of bots that can be brought to bear on attacking a machine over the internet.

This is a fair point. However, the data that you're capturing with all of these attacks is super encrypted (not in the "super! thanks for asking" sense, but more in the they encrypt data that has already been encrypted using a different process), a MITM attack is going to log a bunch of gibberish packets. Assuming you can break the one time key established in handshake, you can't break the secure keys that are only known at the source and destination.

The "white label" ATMs I've worked with have never required me to do more than supply a phone jack, so you may be right about them using consumer grade ADSL connections.

In every bar/gas station/liquor store/bowling alley/porn store I've ever worked on an internet connected machine, it's jacked into a consumer ADSL or Cable connection. I've yet to see a dedicated connection for the ATM. That's part of the value proposition for the owner, he gets to eliminate a $75 a month phone line from his overhead by putting the machine online.

The only differences are cost of the connection itself (so you may be right about it being prohibitive) and some routing at the server end, however the big banks are already set up for that sort of stuff, so it shouldn't be much effort to do it for the white labels as well.

When I said cost prohibitive, I was indeed talking about the cost of the connection. You work for a telco, so let's be charitable. What do you figure a setup like this costs? $250 or $300 a month? For a machine that only costs $3000 and only makes the owner $300 a month? What's his business justification for that purchase? There's no way he's going to pay that.

Like everything else in business, these little guys are 100% focused on the bottom line. They want to use that ATM to make money. Period. If the costs of keeping it going exceed the return, they're going to get out of it.

Comment Re:Interesting Hacks... (Score 4, Interesting) 193

But does that really help matters any? Wouldn't being connected to the internet be even MORE risky? Surely the same "dial-in" access is still there, just over TCP/IP instead of dialup, and with exposure to the internet you have even more capacity for abuse by millions of hosts.

Maybe yes, maybe no. The first part of this answer is that when you're connected to the internet, you remove the bandwidth problem of a modem connection. AND, because you're not tying up a phone line anymore, you have more flexibility with your communications.

So, machines that are hooked in via TCP/IP do not have the option to accept remote connections initiated from anywhere other than the machine. The communication HAS to start with the machine, and the data is encrypted 19 ways from Sunday. To start with, you have the master keys that allow the machine to communicate with the processor. After they are input, they're encrypted and stored in epoxy buried chips in the keypad, and any interruption of electrical power to those chips (which runs through fry wires from a battery also stored within the epoxy matrix) kills the keys.

So your communication starts with the machine opening a connection with a dedicated IP server on one of 3 possible ports. During handshake and authentication a unique time-based one time key is transmitted back to the machine. This super-encrypts the keys, which are then sent, followed by the transaction information, and the transmission is closed out. These machines are also usually programmed to auto-connect every 15 or 30 minutes with a machine status update (thereby eliminating the need to dial in remotely).

Now, as all this information is going out over the general internet, it's possible to intercept the packets, but I don't know what good they'd do for you, as there's no way to get to the original master keys assuming you could get past the super encryption, thereby securing the first level.

Now I work as a tech for a local telco, and the ATM machines I've worked with have mostly been connected by ADSL, but my understanding was that although it was still a TCP/IP connection, they were actually on a special logical connection back to the bank that kept their data away from the internet? Wouldn't this make more sense? (From the standpoint of a telco tech, these machines do not connect to our usual DHCP servers, and I believe their entire logical connection is separate, though what the end point is I don't know as I don't handle that end of the connection.)

The machines that are located at gas stations and bars and whatnot use a standard internet connection. The only requirement is that the location has to have a static IP. You have to remember, these machines only cost $2K - $5K, and the owner only makes $100 - $500 per month on the machine. Not to mention, they're not doing that many transactions.

Would the solution you propose make more sense? Absolutely. But it's cost prohibitive, and beyond the scope of 99% of the owners, and 75% of the service techs. If these proposals were to be codified, you'd see fees go through the roof to make up the difference.

Also:

...and the ATM machines I've worked with...

Pet peeve.

Comment Re:Why go through all that trouble of hacking? (Score 5, Informative) 193

The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owner's manual. A manual you can buy online.

Well, I guess if I'm going to criticize, I'll start here. No PCI-compliant machines allow you to go through the configuration process without inputting 3 different levels of new password. The attack you describe above might have worked 2 years ago. No longer. Sorry. And you don't have to buy the manual, they're (mostly) available for free.

There have been several incidents of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messy hacking necessary.

No there haven't. The only exploit that could be executed in person was the following:
1. Thief buys prepaid $200 visa card with PIN.
2. Thief accesses the service menu of the machine (using default or socially engineered password).
3. Thief changes the machine's internal systems to think it's holding $5 bills instead of $20 bills.
4. Thief exits service menus.
5. Thief puts in card and withdraws $200. Since the machine thinks it's holding $5's, it dispenses 40 total $20 bills ($800). The thief makes off with a net of $600.

However, this exploit is no longer possible, as the master keys that allow an ATM to communicate with the processor are now erased when you change the denomination of bills the ATM dispenses.

The process you describe has never worked. There is an option in a service menu called "test dispense," but it kicks the bill into the reject bin, not into the cash pickup.

Please try again.
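As an added illustration (a constructed simulation, not the commenter's or any vendor's code) of why erasing the master keys on a denomination change defeats the reconfiguration scheme listed in this comment: with the control off, the $200 request pays out $800 in $20s; with it on, the machine can no longer authorise the withdrawal at all. The `Atm` class, its method names and the 16-byte placeholder key are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import secrets


class KeysErased(Exception):
    """Raised when a withdrawal is attempted with no master keys loaded."""


@dataclass
class Atm:
    cassette_bill: int = 20              # face value of the bills physically loaded
    configured_bill: int = 20            # face value the software believes it holds
    zeroise_on_change: bool = True       # the control the comment describes
    master_keys: Optional[bytes] = None  # hypothetical processor keys (constructed)
    dispense_log: List[Tuple[int, int, int]] = field(default_factory=list)

    def load_master_keys(self) -> None:
        """Owner/processor loads keys; only then can the machine authorise withdrawals."""
        self.master_keys = secrets.token_bytes(16)  # placeholder, not a real key scheme

    def service_set_denomination(self, value: int) -> None:
        """Service-menu change of the configured bill value."""
        self.configured_bill = value
        if self.zeroise_on_change:
            self.master_keys = None  # keys die, so the change can't be used unnoticed

    def withdraw(self, amount: int) -> int:
        """Return the face value of cash actually dispensed for a requested amount."""
        if self.master_keys is None:
            raise KeysErased("no master keys loaded; processor authorisation impossible")
        bills = amount // self.configured_bill       # count is computed from the belief
        dispensed = bills * self.cassette_bill       # value comes from what is really loaded
        self.dispense_log.append((amount, bills, dispensed))
        return dispensed


def misconfiguration_outcome(zeroise_on_change: bool) -> Optional[int]:
    """Replay the scenario from the comment: keys loaded, denomination changed
    from $20 to $5 via the service menu, then a $200 withdrawal.
    Returns the dollars dispensed, or None if the control blocked the transaction."""
    atm = Atm(zeroise_on_change=zeroise_on_change)
    atm.load_master_keys()
    atm.service_set_denomination(5)
    try:
        return atm.withdraw(200)
    except KeysErased:
        return None


if __name__ == "__main__":
    print("legacy machine dispenses:", misconfiguration_outcome(False))
    print("keys zeroised on change:", misconfiguration_outcome(True))
```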

Comment Re:Really? (Score 3, Interesting) 193

That's a big selling point when I go to place a machine. Instead of the location paying $2,500+ monthly to their credit card processor, they can just charge a $0.25 transaction fee, and make some money. One of my customers realized a net monthly gain of about $4,000. It's been really popular with liquor stores and bars.

Comment Re:Interesting Hacks... (Score 5, Informative) 193

Disclaimer: I own about 30 of these machines, and work as a repair tech for a statewide area. It's a nice side income.

Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago.

My first comment is that the remote management software that is being exploited isn't turned on in the vast majority of the machines that are out there. Whether it's Triton Connect, or Tranax's remote access, all of the processors that I've encountered require that it be disabled for the machine to work. This software was important 4 or 5 years ago from a machine management standpoint, but with real-time internet tracking of machine status, there's just no reason for it to be enabled.

Now, as to the comment about keys not being unique per device: A key on an ATM opens two areas: the "computer" module on top of the safe, and the bit of plastic that obscures the safe dial. A service technician (like me) is most of the time a freelancer who's in this for some side cash. When I go to a customer's location, my goal is to fix the problem and get out. As I almost never need to get to the vault of the machine, I have a keyring that has the standard sized keys for all of the machines I work on. An access password or vault combination can be obtained by a call to the owner of the machine. A unique key, however, cannot.

Moreover, as many older machines require access to the processing unit in order to fill the machine (you have to hit a physical button to get into that menu), you have to make it easy for your armored service to access the top as well as the vault. It's unreasonable to expect a vaulting company to haul around 60 or 70 keys to fill the machines that they have on their list for that day.
