We have already told you about a number of hacker groups jackpotting money from ATMs. Now you can see it with your own eyes! Our experts shot four videos of ATM hack demos. Disclaimer: No bank was harmed in the process, and we do not recommend you try any of these methods.
Method 1: Fake processing center
This method requires an attacker to access a cable connecting the machine to the network. The hacker disconnects the ATM from the bank’s network and then connects it to an appliance that acts as a fake processing center.
The box is used to control the cash trays and send commands to the ATM, requesting money from the chosen tray. It’s as simple as that: The attacker can now use any card or input any PIN code, and the rogue transactions will look legitimate.
Method 2: A remote attack on several ATMs
This method involves an insider working in the target bank. The criminal purchases a key from the insider that opens the ATM chassis. The key does not give an attacker access to the cash trays, but it exposes the network cable. The hacker disconnects the ATM from the bank’s network and plugs in a special appliance that sends all of the data to their own server.
Networks connecting ATMs are often not segmented (separated for security), and ATMs themselves can be configured incorrectly. In that case, with such a device a hacker could compromise several ATMs at once, even if the malicious device is connected to only one of them.
The rest of the attack is carried out just as described in Method 1: A fake processing center is installed on the server, and the attacker gains full control over the ATMs. Using any card, a criminal can withdraw all of the cash from an ATM, regardless of the model. The only thing the ATMs need to have in common for this method to work is the protocol they use to connect to the processing center.
Method 3: The black box attack
As previously described, the attacker obtains the key to the ATM chassis and accesses it, but this time puts the machine into maintenance mode. Then the hacker plugs a so-called black box into the exposed USB port. A black box in this case is a device that allows an attacker to control the ATM’s cash trays.
While the attacker tampers with the ATM, its screen displays a service message like “Maintenance in progress” or “Out of service,” although in reality the ATM can still draw cash. Moreover, the black box can be controlled wirelessly via a smartphone. The hacker just taps a button on the screen to get the cash and then disposes of the black box to hide the evidence that the machine was compromised.
Method 4: Malware attack
There are two ways to infect a target ATM with malware: by inserting a malware-laced USB drive into the port (requiring the key to the ATM chassis) or by infecting the machine remotely, having first compromised the bank’s network.
If the target ATM is not protected against malware or does not employ allowlists, a hacker can run malware to send commands to the ATM and make it dispense cash, repeating the attack until the cash trays are empty.
Of course, not all ATMs are hackable. The attacks described above are feasible only if something is misconfigured. It could be that the bank’s network is not segmented, or authentication is not required when the ATM’s software exchanges data with the hardware, or there is no list of permitted apps, or the network cable is easily accessible.
Unfortunately, such problems are rather common. For example, they allowed attackers infect a number of ATMs with the Tyupkin Trojan. Experts at Kaspersky Lab are always ready to help banks fix these issues: We offer consulting services and can audit a bank’s infrastructure and test it for resilience to attacks.