ATMs Can Be Hacked in Minutes: Positive Technologies

“Regular security analysis of ATMs is important for timely detection and remediation of vulnerabilities.”

Sixty-nine percent of tested ATMs were vulnerable to Black Box attacks, in which a criminal connects a device of their own to the cash dispenser's cable and drives the dispenser directly, bypassing the ATM computer. In just 10 minutes, criminals could connect such a device to an ATM and send a command to dispense banknotes.

A new report from Framingham-based Positive Technologies described how attacks against ATMs have become a growing worry worldwide. In January 2018, the U.S. Secret Service, as well as major ATM vendors Diebold Nixdorf and NCR, issued urgent warnings about the threat of ATM attacks.

According to NCR reports, Black Box attacks were uncovered in Mexico in 2017 and spread to the U.S. in 2018. The first reports of ATM malware attacks date back to 2009, with the discovery of Skimer, a Trojan capable of stealing funds and card data. Since then, logic attacks have become increasingly popular among cybercriminals.

The report maintained that, for criminals, the interesting parts of an ATM are the computer, the network equipment, and the main peripherals (card reader and cash dispenser). “An attack on these components could enable intercepting card data, interfering with transaction processing by the processing center, or telling the dispenser to issue cash. For such attacks, the criminal requires physical access to the cabinet of the ATM or a connection to the network on which the ATM is located.”

Positive Technologies researchers found that most ATMs (85%) were poorly secured against network attacks such as spoofing. As a result, a fraudster on the ATM's network segment could interfere with the transaction confirmation process and fake a response from the processing center in order to approve all withdrawal requests or increase the number of banknotes dispensed. The report also described scenarios in which an attacker compromises the GSM modem (a cellular modem with a SIM card) connected to an ATM and uses it as a foothold to attack other ATMs on the same network, and even the financial institution's internal network.
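The spoofing scenario above comes down to an ATM that accepts a host response without verifying who produced it or which request it answers. The following is an added illustration, not code from the report or from any ATM vendor: it models a hypothetical, invented request/response format in which a naive ATM believes any approval it receives, while a hardened ATM requires an HMAC over the response that is bound to the nonce of its own request. The field names, the `SHARED_KEY` value and the message layout are assumptions made for this example and do not correspond to a real ATM host protocol.

```python
"""
Constructed demonstration of processing-center response spoofing.
The message format, field names and key below are hypothetical and
invented for this example; they are not a real ATM protocol and not
Positive Technologies' code.
"""
import hashlib
import hmac
import json
import os

# Hypothetical shared secret provisioned into the ATM and the host.
# A real deployment would keep such a key in the ATM's secure hardware.
SHARED_KEY = b"example-key-do-not-use-in-production"


def canonical(msg: dict) -> bytes:
    """Serialize deterministically so both sides MAC identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def mac_of(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical form of a response body (without the MAC)."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def atm_build_request(atm_id: str, amount: int) -> dict:
    """ATM side: every request carries a fresh nonce the response must echo."""
    return {"atm": atm_id, "amount": amount, "nonce": os.urandom(16).hex()}


def host_respond(request: dict, approve: bool, notes: int, key: bytes) -> dict:
    """Legitimate host response: MAC covers the decision, note count and
    the echoed nonce, so it cannot be reused for a different request."""
    body = {"approved": approve, "dispense": notes, "nonce": request["nonce"]}
    return {**body, "mac": mac_of(body, key)}


def atm_naive_decide(request: dict, response: dict) -> int:
    """Weak ATM: trusts whatever arrives. Returns notes to dispense (0 = decline)."""
    return response["dispense"] if response.get("approved") else 0


def atm_authenticated_decide(request: dict, response: dict, key: bytes) -> int:
    """Hardened ATM: dispenses only if the response answers *this* request
    and its MAC verifies. Any check failure is treated as a decline."""
    received_mac = response.get("mac")
    if not isinstance(received_mac, str):
        return 0
    body = {k: v for k, v in response.items() if k != "mac"}
    if body.get("nonce") != request["nonce"]:
        return 0  # replay of a response meant for some other request
    if not hmac.compare_digest(mac_of(body, key), received_mac):
        return 0  # forged, or a genuine response that was tampered with
    return body["dispense"] if body.get("approved") else 0


# --- attacker actions on the ATM's network segment ------------------------

def attacker_forge_approval(request: dict, notes: int) -> dict:
    """Fabricate an approval without the key (the MAC field is just filler)."""
    return {"approved": True, "dispense": notes,
            "nonce": request["nonce"], "mac": "00" * 32}


def attacker_inflate(response: dict, notes: int) -> dict:
    """Intercept a genuine approval and raise the number of notes."""
    tampered = dict(response)
    tampered["dispense"] = notes
    return tampered


def demo() -> dict:
    """Run each scenario and report what both ATM variants would dispense."""
    req = atm_build_request("ATM-01", amount=100)
    genuine = host_respond(req, approve=True, notes=5, key=SHARED_KEY)
    forged = attacker_forge_approval(req, notes=40)
    inflated = attacker_inflate(genuine, notes=40)
    # A real approval captured earlier for a different request, replayed now.
    old_req = atm_build_request("ATM-01", amount=100)
    replayed = host_respond(old_req, approve=True, notes=5, key=SHARED_KEY)
    cases = {"genuine": genuine, "forged": forged,
             "inflated": inflated, "replayed": replayed}
    return {
        "naive": {n: atm_naive_decide(req, r) for n, r in cases.items()},
        "authenticated": {n: atm_authenticated_decide(req, r, SHARED_KEY)
                          for n, r in cases.items()},
    }


if __name__ == "__main__":
    for atm, results in demo().items():
        print(atm, results)
```

Running `demo()` shows the naive ATM dispensing 40 notes for both the forged and the inflated response and 5 for the replayed one, while the authenticated ATM dispenses only for the genuine response. The example only illustrates the principle of authenticating and binding host responses; the real protocols between an ATM and its host, and the key storage for any such MAC, are outside what this article covers.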

A failure to use hard drive encryption left 92% of ATMs vulnerable to a number of attacks. An attacker with access to the cabinet could connect directly to the ATM hard drive and, if its contents are unencrypted, infect it with malware and disable security mechanisms, giving the attacker control of the cash dispenser.

Exiting kiosk mode was possible on 76% of tested ATMs. This matters because once the restrictions placed on ordinary users are bypassed, an attacker can run commands in the ATM operating system. Positive Technologies experts estimated the time necessary for this attack at 15 minutes, and less for well-prepared attackers who make use of automation.

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies said: “Our research shows that most ATMs have no restrictions to stop connection of unknown hardware devices. So, an attacker can connect a keyboard or other devices to imitate user input. On most ATMs, there is no prohibition on some of the common key combinations used to access OS functions. What’s more, local security policies were frequently misconfigured or absent entirely. On 88% of ATMs, Application Control solutions could be bypassed due to poor whitelisting and vulnerabilities (some of them zero-day) contained in this very same Application Control software.”

Galloway added that although ATM owners bear the brunt of the threat from logic attacks, financial institution clients may fall victim as well. “In our security work, we constantly uncover vulnerabilities related to network security, improper configuration, and poor protection of peripherals. These flaws allow criminals to steal ATM cash and obtain card information.” Galloway suggested that, to reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs and to implement logging and monitoring of security events on the ATM and related infrastructure. “Regular security analysis of ATMs is important for timely detection and remediation of vulnerabilities.”