Considering that ATMs have precisely one purpose — to connect bank customers with their accounts — we decided to investigate the effort it takes to commit a successful attack on an ATM. Our experts made a short video showcasing a proof-of-concept attack by a criminal who has physical access to the ATM’s internals.
As you may know, an ATM is really just a basic PC with some custom hardware added. The PC runs an operating system similar to the one installed on your laptop. In fact, in most cases it is Windows (Windows XP, at that).
ATMs are terrifyingly easy to hack #protectmybiz
Tweet
In the video, we see somebody opening the machine using a key, inserting a flash drive containing malware, and then using a keyboard to send a command. The attack ends with the ATM spewing out cash.
This third part can be repeated until the ATM is empty.
An ATM’s service lock isn’t much of an obstacle for a criminal; there are many ways to acquire a duplicate of the keys used by service teams and cash couriers. Not all ATMs are equipped with alarm systems, either. And there are many ways to neutralize security cameras, too.
Ultimately, criminals are not having much trouble infecting ATMs with malware.
In fact, physical access isn’t even necessary; malware can be planted over the Internet (more than a few ATMs are directly exposed to the Web). Once an ATM has been compromised, a shady individual arrives late at night with a backpack, packs up the cash, and swiftly disappears.
Getting a physical access, criminals do not have much trouble infecting ATMs with malware. #protectmybiz
Tweet
How are such attacks even possible? In this particular case, besides the obvious ease of physical access to the ATM’s interiors, there are software-related issues as well. ATM PCs apparently lack any serious antimalware protection. Default Deny technology, which would prevent any undesirable software from running, isn’t there either. As a result, criminals can run any arbitrary code on this machine.
Nothing is preventing the deployment of unauthorized hardware, either, because ATMs have no hardware authentication tools.
Hence, looting an ATM is a trivial task, and banks are losing big.