SafeUM
Home Blog Services Download Help About Recharge
EN
RU

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
EN
Lang
EN
RU
Archive
TOP Security!
29 Feb 2016

7 reasons why it’s so easy for bad guys to hack an ATM

Automated teller machines (ATM) have always a been a big target for criminals.

In the past hunting for ATMs included some heavy tools like a cutting torch or explosives. However with the dawn of the Digital Age, everything has changed.

Nowadays culprits can ‘jackpot’ an ATM without such special effects. At the recent SAS 2016 conference Olga Kochetova, a penetration-testing specialist at Kaspersky Lab explained why ATMs are so vulnerable, in her talk entitled ‘Malware and non-malware ways for ATM jackpotting.’

1. First of all, ATMs are basically computers. They consist of a number of electronic subsystems, including some exotic industrial controllers, but there’s always a conventional PC in the very center of ATM’s system.

2. Moreover, it’s very likely that this PC is controlled by a rather old operating system like Windows XP. You probably know what is wrong with Windows XP: it is not supported by Microsoft anymore, so any vulnerability found after support was killed off is a perpetual zero-day that nobody will ever patch. And you can bet that there’s A LOT of these vulnerabilities.

3. Besides, it’s also very likely, that there’s a lot of vulnerable software running in ATM’s system. From some outdated flash players with over 9000 widely known bugs inside to remote administration tools and more.

4. ATMs manufacturers tend to believe that ATMs are always operating in ‘normal conditions’ and nothing ever goes wrong. Hence there’s usually no software integrity control, no antivirus solutions, no authentication of an app that sends commands to cash dispenser.

5. In contrast to cash deposit unit and money dispenser, which are always pretty carefully armored and locked, the PC part of an ATM is easily accessible. Its enclosure is usually made of plastic, thin metal at best, and secured with locks too simple to keep criminals at bay. The logic of ATMs manufacturers is as following: if there’s no money in this part of an ATM, why bother to keep it secure?

6. Modules of ATMs are interconnected with standard interfaces, such as COM and USB ports. Sometimes these interfaces are accessible from outside of the cabinet. Even if not, you still need to keep in mind previous issue.

7. By their very nature, ATMs must be connected — and they always are. Since the Internet is the cheapest way of communicating these days, banks use it to connect ATMs to processing centers. And guess what? Yes, you can find ATMs on Shodan!

Considering all the above mentioned issues, there are a plenty of opportunities for criminals. For example, they can write a piece of malware, install it on the ATM’s system and cash out. Such trojans specially crafted for ATMs emerge regularly. For example, about a year ago we discovered one of them called Tyupkin.

Another way is to use some additional hardware that can be attached to ATM’s USB port. For their proof-of-concept Olga Kochetova and Alexey Osipov used a cheap and tiny single-board computer Raspberry Pi equipped with a Wi-Fi adapter and a battery. Watch the video below to see what happens next.

The attack through the World Wide Web can be even more dangerous. Culprits can establish fake processing centers, or seize a real one. In this case criminals can rob lots of ATMs without even getting physical access to their hardware. That is exactly what One-Billion-Hackers from the Carbanak group managed to achieve: they had obtained control over critical PCs in banks’ networks and after that they were able to send commands to ATMs directly.

All in all, banks and ATMs manufacturers should be more concerned about security of banking machines. They need to reconsider both software and hardware security measures, make a safer network infrastructure and so on. It’s also important for banks and manufacturers to react quicker to threats and to intensively collaborate with law enforcement agencies and security companies.

Tags:
ATM information leaks fraud
Source:
Kaspersky Daily
1956
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015