Kiosks can be hacked

Common ATMs can be hacked within minutes

Less than 20 minutes, in some cases only 10 minutes - and the ATM is hacked and spits out bills without a PIN and banking or giro card. The IT security company Positive Technologies examined 26 ATMs from popular manufacturers and found numerous vulnerabilities. Particularly alarming: 69 percent of the ATMs were vulnerable to black box attacks, in which criminals connect to the cash dispensing mechanism of an ATM within a few minutes and have the money spit out.

Attacks on vending machines from different manufacturers have become an increasing problem worldwide. In January 2018, the US Secret Service and the major ATM manufacturers Diebold Nixdorf, GRGBanking and NCR issued an urgent warning of the threat posed by attacks on ATMs. According to NCR reports, the first black box attacks were uncovered in Mexico in 2017. In 2018 this wave spread to the United States. The first reports of ATM malware attacks date back to 2009, when Skimer, a Trojan horse that can steal money and bank card information, was discovered. Since then, logic attacks have become increasingly popular with cyber criminals.

Serious security gaps in ATMs

Positive Technologies experts have now determined that most devices (85 percent) were inadequately protected against network attacks such as data center spoofing. As a result, criminals could disrupt the transaction verification process and fake a response from the data center to approve any withdrawal request or increase the number of banknotes to be dispensed. The report also describes scenarios with attacks on GSM modems connected to the devices. An attacker could easily gain access to a GSM modem and use it to attack other ATMs in the same network and even in the bank's internal network.

A mistake in the implementation of hard disk encryption leaves a whopping 92 percent of ATMs vulnerable to a number of attack scenarios. An attacker could connect directly to a hard drive of the ATM and, if the content is not encrypted, infect it with malware and deactivate security mechanisms. This allows the attacker to control the ATM. Given the sensitivity of such data, it is hard to believe that this content is not encrypted, but it is by no means unusual in many banking environments.

Breaking out of the operating system's kiosk mode was possible in 76 percent of the ATMs tested. This is a problem because, if the restrictions for normal users are circumvented, an attacker can execute commands in the operating system of the ATM. Positive Technologies experts estimate the time required for this attack to be 15 minutes, and even less for well-prepared attackers using automation.

Outdated technology makes it unnecessarily easy for attackers

Anyone who sees an ATM while it is booting is often surprised at the age of its operating system. In many cases, a small computer such as the Raspberry Pi was evidently sufficient to subject the ATM to a black box attack. The ATMs ran on Windows XP, which is no longer provided with security updates, as well as Windows 7 and 10. According to a similar analysis by IT security specialist Kaspersky from 2016, around 90 percent of all ATMs were still running on Windows, at that time XP, so even today one can assume that a relatively large number of devices still run the operating system that is now 17 years old. The connection to the device was made, among other things, through a hole drilled in the housing. Often the devices could also be controlled via standard USB devices, which makes it even easier for attackers, even if the USB ports are securely attached.

"Our research shows that most ATMs have no restrictions on disconnecting unknown hardware devices. An attacker can connect a keyboard or other device to impersonate user input. Most ATMs do not prohibit using some of the common keyboard shortcuts to access common operating system functions. In addition, local security policies were often incorrectly configured or missing altogether. At 88 percent of the ATMs, application control solutions could be bypassed due to poor whitelists and weak points."

Leigh-Anne Galloway, Head of Cyber Resilience Technology at Positive Technologies

Although the ATM owners bear the brunt of the logical attack threat, bank customers can also be among the victims. According to its own information, the company regularly discovers weak points in connection with network security, improper configuration and poor protection of peripheral devices - expensive errors for which a bank must be liable in case of doubt or which are at the expense of all customers. These flaws allow criminals to steal money from ATMs and obtain card information. But the financial damage is only one component of the whole. Much more important is the loss of trust on the part of customers and the associated damage to the image of the bank, and of terminal-based banking transactions in general.

To reduce the risk of attack and speed up the response to threats, the first step should be to physically secure ATMs and implement logging and monitoring of security events on the ATM and associated infrastructure. A regular security analysis of ATMs is important for the timely detection and elimination of weak points. In this context, banks should also look at protective measures against ATMs being blown up, another (more physical) security problem that has become more common in Germany in recent years.
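The logging and monitoring recommended above can be made concrete with a small check over peripheral events, covering the finding that most ATMs accept unknown hardware. This is an added example, not code from Positive Technologies or from the original article; the log format, the ATM name, the USB ids and the five-minute correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical inventory of expected peripherals (constructed USB ids).
ALLOWLIST = {"0a00:0001": "cash dispenser", "0a00:0002": "card reader"}
CRITICAL = {"0a00:0001"}        # losing this link is an alert in itself
WINDOW = timedelta(minutes=5)   # correlation window, an assumed value

# Constructed sample events; the key=value format is made up for this example.
SAMPLE_LOG = """\
2018-11-14T02:11:40Z atm=ATM-0042 event=detach class=vendor vidpid=0a00:0001
2018-11-14T02:12:05Z atm=ATM-0042 event=attach class=hid vidpid=ffff:0001
2018-11-14T02:12:30Z atm=ATM-0042 event=attach class=vendor vidpid=0a00:0002
truncated line without fields
2018-11-14T09:00:00Z atm=ATM-0042 event=attach class=storage vidpid=ffff:0002
"""

def parse_line(line):
    """Return (time, fields), or None when the line does not parse."""
    parts = line.split()
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
    except (IndexError, ValueError):
        return None
    if not {"atm", "event", "vidpid"} <= fields.keys():
        return None
    return when, fields

def audit(log_text):
    """Return (severity, rule, line) findings in log order."""
    findings, last_detach = [], {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            # Report unreadable lines instead of silently skipping them.
            findings.append(("low", "unparsed-line", line))
            continue
        when, f = parsed
        if f["event"] == "detach" and f["vidpid"] in CRITICAL:
            last_detach[f["atm"]] = when
            findings.append(("high", "critical-peripheral-detached", line))
        elif f["event"] == "attach" and f["vidpid"] not in ALLOWLIST:
            prev = last_detach.get(f["atm"])
            # Unknown hardware right after the dispenser drops off is worse.
            near = prev is not None and timedelta(0) <= when - prev <= WINDOW
            sev = "high" if near else "medium"
            findings.append((sev, "unknown-device-attached", line))
    return findings
```

Calling audit(SAMPLE_LOG) reports the dispenser detach and the unknown input device that follows it as high severity, the unreadable line as low, and the later unknown storage device as medium.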

A paper on the most common IT-based security problems in ATMs is available for download free of charge.
