Back in the summer of 2010 the late Barnaby Jack gave a presentation at the Black Hat security conference in which he demonstrated the ‘jackpotting’ of two ATMs. During his presentation, Jack was able to get both machines to dispense cash by exploiting them both physically and remotely.
In the physical attack he used a flash drive pre-loaded with malware to gain administrator access to the ATM, giving himself control over its cash dispensing mechanism.
Now, more than a year after Jack’s untimely death, it seems that the security industry has still not caught up with the hackers who are increasingly able to exploit ATMs around the world without the need for expert knowledge or even the latest malware.
Following reports of ATM hacking in Malaysia, in which gangs stole around $1 million, investigative reporter Brian Krebs took a closer look into the issue and discovered that the problem lies with the use of old infrastructure.
According to Krebs, the recent spike in malware attacks on ATMs is due to the age of the machines rather than the use of new high-tech skimming devices or a specific targeting of the now-defunct Windows XP operating system that many still use.
Owen Wild, global marketing director for security compliance solutions at ATM manufacturer NCR, whose machines were implicated in the Malaysian attacks, told Krebs that the problem is industry-wide, saying that “It’s occurring on ATMs from every manufacturer, multiple model lines and is not something endemic to NCR ATMs.” Wild did admit, however, that the Persona series of NCR ATMs attacked in Malaysia were old, having been superseded by a newer model seven years ago.
Wild revealed that around half of the NCR install base is still using the older Personas. This presents a problem to any operator who hasn’t dumped a pile of cash on Microsoft’s table in return for continuing security updates, as compliance with PCI DSS (Payment Card Industry Data Security Standard) mandates the use of an operating system that is fully supported with continuing security updates.
Wild did add, however, that stand-alone machines were the bigger risk (because of the typically easier physical access for CD-ROM and USB boots), whereas the use of Windows XP was not a major factor, as operating systems were either being bypassed or manipulated with the software.
Wild went on to detail two types of attack. The first, he said, is ‘black box’ attacks in which an electronic device is used to bypass the infrastructure in the processing of the ATM and send an unauthorized cash dispense code to the ATM.
The second type of attack, which Wild says is on the increase, is the introduction of malware into older ATMs which have fewer protective mechanisms in place, having been designed at a time when such threats and risks were nowhere near as large as they are now.
Commenting on the availability of ATM manuals online, Wild said “You don’t have to be an ATM expert or have inside knowledge to generate or code malware for ATMs. Which is what makes the deployment of preventative measures so important.”
In terms of mitigating attacks against ATMs, our advice would be to:
- Review the physical security of the machine, including placement, camera surveillance, the use of non-standard locks and the implementation of ATM security alarms
- Check the machine regularly to ensure no third-party devices have been added to it
- Provide security awareness training for staff to ensure they are on the lookout for socially engineered cons from criminals who may pose as engineers or inspectors
- Train staff to respond to, and investigate, alarms and suspicious activity
- Limit the amount of cash within the ATM to the amount expected to be dispensed on any given day