Mission “Patching impossible” – why ATM's every vulnerability is in billions worth
Have you ever wondered what would happen if your ATM was hacked?
What we often see in movies or documentaries about ATM theft might not be a Sisyphean task.
From a hacker's viewpoint, ATMs not only seem to be vast piles of money but are also a great source of confidential information which can be turned into cash.
In Europe, physical attacks have been consecutively growing for 4 years, targeting ATMs. These attacks have caused a loss of over 36 million euros ($40.5 million) in 2018 alone.
The machine being the weakest site in a bank's infrastructure with minimal to no surveillance makes it an appealing target for criminals.
The fastest-growing risk to ATMs in today's age is from cyberspace.
In 2020, with over 3.5 million ATMs in use, the opportunities for attackers were plentiful.
Let's dive into it!
Table of Contents:
The table below shows a few of the significant cyber bank attacks involving ATMs:
|
Countries
|
Year
|
Loss
|
Reason
|
|---|---|---|---|
|
49 cities from Moscow to Atlanta
|
2008
|
The US $9 million
|
A server at payment processor RBS World Pay was hacked
|
|
Greece, Russia, Spain, Sweden, Ukraine, UK
|
2011
|
The US $13 million
|
22 Stolen pre-paid debit cards from FIS
|
|
Mexico
|
2013
|
Over $40 million
|
Hacked 4 largest banks in-country
|
|
Russia
|
2014
|
$10 billion
|
A hacker group "Money Taker" hijacked payments
|
|
Bangladesh
|
2016
|
$81 million
|
Security hackers issued fraudulent instructions
|
|
Japan
|
2016
|
1.4 billion Yen/$12.7 million
|
Cash is withdrawn from convenience store ATMs using leaked information
|
|
European countries
|
2017
|
£1.52 million
|
Logic attacks
|
ATM Vulnerabilities
Typically, ATMs are available 24/7 and often located off-premises which makes them vulnerable to cash theft. The act of stealing money from ATMs involves fraud, identity theft, and whatnot.
Image source – positivetechnologies.com
Zero Day
From physically cutting open the safe to hacking into networks, attackers opt for different ways to access the cash inside ATM.
IBM's security team of hackers, X-Force Red, was hired by a bank to test the ATM environment after an ATM theft followed by continuous cash loss.
Upon research, it was found that the thieves exploited a zero-day vulnerability to install custom malware.
In this case, the criminals got away with almost $8 million of cash.
Malware and Logic attacks
In this progressive era, many criminals have opted for well-organized and sophisticated attacks, aka logic attacks.
Image source - ptsecurity.com
The first-ever logic attack was conducted in 2015 when payment terminals were attacked. The depositing money was emulated by malware, and then transactions were carried out from bank accounts to electronic money wallets.
Such mechanisms are termed "Virtual cash acceptors," where attackers learn about payment's internal mechanisms and features.
Recently, Kaspersky Lab revealed that a piece of malware that allows an attacker to control compromised ATMs remotely had been discovered after a Russian bank was targeted.
The bank's forensic team recovered 2 text files (located at C:\Windows\Temp\kl.txt and C:\logfile.txt) and only names of two exe files, (C:\ATM\!A.EXE and C:\ATM\IJ.EXE).
Upon researching, the component of malware allowing remote access to attackers was found to be ATMitch.
Numerous major organizations were targeted by "file-less attacks" around the globe in 2017, which were significantly related to this first attack, noted Kaspersky.
Identity Impersonation
The majority of ATM attacks are facilitated by stolen identities. The stolen personal digital assets are also sold on the dark web at a price starting from $1500.
While the amount may seem expensive, the benefit it may bring for the attacker is far more significant.
To minimize identity fraud, many financial organizations are now shifting to biometric or facial recognition. This change serves to eliminate attacks like skimming, eavesdropping, and network shifting.
Magnetic strips from credit/debit cards will also be eliminated from 2024 for similar reasons.
DMA
The Direct Memory Access (DMA) attack is of great concern for banks, among other cybersecurity threats.
In DMA attacks, the main target is in the areas of a computer that require direct memory access, such as PCI buses or USB Thunderbolt ports.
Through a DMA attack, a vile actor can acquire physical access to read and overwrite memory, thus getting complete control over OS and performing criminal activities
Once an adversary has gained access to a PCI bus or USB port, they gain complete control of the OS.
Although physical access is often required for exploiting DMA, some may be done remotely as DMA attacks are also evolving.
Image source – thefreedictionary.com
Unfortunately, DMA attacks can easily bypass several security precautions like firewalls, process monitoring software, or even hard drive encryptions, which makes them extremely dangerous.
ATM Infrastructure and what makes it weak
Almost every ATM penetration test reveals at least one of these vulnerabilities. It certainly means that bolstering security around ATMs can be helpful.
- Black hoes
- Insecure network communication
- Lack of disk encryption
- Outdated windows
The recent decade has introduced several cyber threats to ATMs.
The screen we see in ATMs is of a computer, and connecting any keyboard or tablet lets the user control the computer and interact with OS.
Many institutions avoid physical maintenance due to budget, but disk encryption is a feasible method to ensure security.
Although institutes are often indulged in improving their technologies day by day, it is seen that many ATMs are still running on Windows XP. Each one of these can easily spill $200,000 with minimum effort.
But why is Windows XP a significant threat?
In 2014, Microsoft ceased its support to this OS, putting an end to anti-malware patches and security updates. Even a small group of criminals can exploit vulnerabilities and conduct fraudulent transactions within moments.
Windows 7 was also discarded by Microsoft, with its support ceasing on January 14, 2020.
Image source – kaspersky.com
ATM Network
Trusted Network" is an outdated term in today's world.
Network-based ATM attacks are far more elaborate than physical ones.
Routinely tests by X Force Red unveil that many of the ATM connections are not properly encrypted.
Once the attackers get access to the network, it is not hard to perform MitM tasks.
Cybercriminals can initiate passive monitoring or opt for jackpotting, both having catastrophic impacts.
A considerable adoption of using malware instead of physical means for attacks has been seen among cybercriminals in the recent decade.
Common ATM attacks
There are several ways of conducting ATM theft, but some of the common attacks are as follows.
Card Skimming
It is one of the oldest and most popular ATM attacks, for sure. It is stealing confidential information like pins or credit/debit card details and fraudulent transactions.
In 2020, Claire's, an accessories company, fell prey to a card-skimming Magecart infection.
You can avoid falling prey to this attack if you examine the ATM before using it. If it has a fake front, spongy or thick pin-pad, or wider/loose card slot, leave. The chances are that an attacker has exploited the machine.
The citizens of Bihar and Nagpur lost millions in the last fortnight due to ATM skimming.
On August 30, someone thrice withdrew Rs. 10,000 from my wife's account, but my son, who had received messages from the bank on his cell phone, though it was me. The crooks withdrew more cash on different occasions from my account using ATM information before we could realize it and block the cards.
Vilas Admane, a retired public works department (PWD) engineer
Image source – howstuffworks.com
To understand how a card skimming hack happens, let's have a look at the structure of an ATM.
Automated Teller Machines are comprised of two parts, the top, and the bottom.
The top box includes a printer for receipts, speaker, camera, and display, with the computer being the most critical part as it
The lower part is aka the safety vault, contains cash and is, therefore, heavily protected.
Unfortunately, the top box isn't much protected, unlike the cash deposit.
To access the cash in the safety vault, the attacker first gains control of the computer. To do so, they open the top box as it is poorly protected and usually attach a keyboard to a tablet to transfer the malware.
After it, they only need to press a few buttons to control the machine.
Black box attack
Attackers physically access the top of the ATM, i.e., the ATM's shell, and attach an electronic device, aka black-box, to it. It is a type of logical attack that leaves no trace on the targeted payment terminal, relying purely on the output produced by the ATM computer.
This specific type of criminal hack compels the ATM to dispense cash illegitimately. The term "black box" refers to the use of ATM as a black box and its reprogramming.
Image source – researchgate.net
Black box attacks are a massive problem in England and may also become common in the US due to developing technology.
Jackpotting attack
Well, you might not have one jackpot yet, but Cybercriminals often do!
It is the exploitation of hardware and software vulnerabilities in ATMs allowing cash dispense.
Specially designed malware is installed in ATM's computer followed by a few commands, usually keyboard shortcuts. It makes the ATM spew out as much money as wanted.
Surprisingly enough, it is easier than we may expect.
The cherry on top is that no personal information is required this way, be it credit/debit card details or PINs.
This attack was introduced by Barnaby Jack, a security expert, at a Black Hat conference.
- The first-ever jackpotting attack took place in Belgium.
- Mexico's 1st large-scale attack reported hacking 450 ATMs and stealing $40 million in just a few days. The banks initially assumed that the delivery drivers were responsible, but upon further investigation, a virus named "PLOUTUS-MADE-IN-LATIN AMERICA-XD" was the reason.
- It was explicitly designed to infiltrate and control those ATM computers made by KAL, a leading company, allowing complete access. Its malware, along with a set of instructions, was being sold on the dark web.
When a series of jackpotting attacks broke out in Latin America in 2017, similar attacks were seen in Europe, Asia, and the US in 2018, resulting in the theft of over a million dollars.
Solution for Protection
As a cyber-security specialist, I recommend a leading, all-in-one ATM security provider, ATMeye.iQ.
It provides dispute handling and the antifraud solution developed by BS/2, a software ATM security company.
Its Cyber Defense Centre provides 24/7 security services in the recommended territories.
ATMeye.iQ suggests the following steps to maintain and increase customers' trust in the ATM channel.
Anti skimming solutions
Install anti-skimming solutions on ATM to detect vulns and notify the operator and disable the attack in real-time. A good example is NCR's Skimming Protection Solution (or SPS).
It is necessary to lock the most vulnerable part of the ATM containing the mainboard and dispenser connections, i.e., the top box.
Up to Date Software
The software versions should be up-to-date, including OS, XFS, and ATM Software.
To add another layer of protection, you must update secure BIOS with a complex password and allow the ATM to boot only from the Hard Drive.
Trained Employees
The risk of ATM attacks and subsequent loss can be prevented by spreading awareness within banks through training.
For instance, keen observation of ATMs for any abnormal activity and regular inspections of the location.
Advanced set of security measures
Considering a complete set of security measures while deploying ATMs should be mandatory. ATMs must be deployed in public areas like bank lobbies or off-site with ample security, minimizing the opportunities for attackers.
Intrusion Detection
Other protective measures include access controls for service staff and intrusion detection with alarms to notify when the ATM has been tampered with.
Hard Disc Encryption
Continuous patch management protects against known vulnerabilities. To protect ATM from external boot attacks, you must hard disk encryption would help.
Further protection can be achieved by deploying an allow listing solution such as NCR Solid Core Suite for APTRA.
Remote Management
Remote ATM monitoring and management enable banks to manage ATMs conveniently.
The software scans and notifies whenever an unusual transaction or suspicious activity is recorded.
Infographic
I have added an infographic for a better understanding of this topic.
The problem of hacking ATMs remains relevant to this day. The infographic provides up-to-date statistics on ATM hacking, as well as data on risk management.
Conclusion
There is no universal way to protect ATMs from cyber-attacks. Still, teams need to continuously control efficacy and hardware resilience so that the window of opportunity for attackers is minimized.
The pandemic has impacted every industry along with the financial sector. The idea of contactless transactions is going to put an end to ATM exploitation completely till 2037.
Cyber security experts try to take control of the situation ASAP every time such severe crimes occur. Still, the digital world is constantly evolving, isn't it?
Stay tuned for more helpful content!
Your email address will not be published. Required fields are marked