Positive Technologies Researcher Reveals How Hackers Hack ATMs

ATMs can be compromised and used to jackpot cash, skim cards and further infect the network

London, UK – July 29, 2017: Researchers at Positive Technologies have demonstrated how easily hackers can compromise ATMs. Having gained access to the front of the machine, a criminal can access USB ports within the device to perform various attacks. These include forcing the machine to dispense cash, installing malware to skim card details, and even injecting malware back through the network to infect further ATMs. In a report published today, the team also reveals how easily hackers can perform logic attacks against banks, including the recent spate of GreenDispenser malware. There are currently 70,000 ATMs in circulation within the UK, and reports confirm that malware is the number one threat they face. Positive Technologies predicts that 2017 will see a 30 percent growth in overall cyberattacks against banks, including at the ATM level.

Speaking about the attackers' methodology, Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, explains: “Many people do not realise that an ATM is just a safe with a computer on top. While the safe element is typically concrete and steel, requiring explosives to breach, protection for the computer is far more flimsy. Cash can still be stolen without having to blow the safe doors off and, once the computer is accessed, it’s not just the one ATM that is exposed as hackers typically can gain access to the entire bank’s ATM network. The financial sector has to realise that any technology that makes banking more accessible to customers has the side effect of making life easier for criminals who are looking for weak points from which to launch an attack. Just as the money within an ATM is afforded protection, the computer controlling the device needs to have similar protection.”

There are also attacks that focus on bypassing the ATM’s computer altogether, so encryption should be enforced between the computer and the dispenser. Leigh-Anne adds, “While ATMs made in the last six years will likely have this, any manufactured before 2011, and there are many in use today, should be fitted with an ‘after-market’ device that monitors the current between the dispenser and PC for anomalies. These devices typically retail at £150.”

ATM Logic Attacks

ATM logic attacks involving malware started in earnest in 2009, with the ‘Skimer’ Trojan. Since then, security researchers have identified several families of Trojans: Skimer, Ploutus, NeoPocket, Padpin (Tyupkin), Suceful, GreenDispenser, Ripper, and Alice.

Leigh-Anne continues, “Attack organisers are active within the Dark Web to identify and train people to install Trojans – such as GreenDispenser. Ideally, they’re looking for people with legitimate access to the ATM, such as a bank employee or contractor responsible for ATM maintenance, who can be bribed to compromise machines and install the malware. Once the necessary ATMs have been infected, the criminals proceed to the cash withdrawal phase. Although the malware is stealthy and relatively advanced, this phase is the riskiest and carries the greatest risk of discovery by the bank. After all, someone, who is referred to as a ‘mule,’ still has to physically come to the ATM and take the cash.”

Based on the interest in ATM-related standards and system libraries that Positive Technologies’ researchers have observed on cybercriminal forums, the team expects ongoing development of new malware involving either direct physical access to ATMs or targeted attacks on bank ATM management infrastructure. Similarities among ATMs make it possible for criminals to reuse the same malware for crimes in multiple countries.

Besides securing network infrastructure against both insiders and internet hackers, banks need to pay attention to the physical security of ATMs. Special protection should be enforced for the computer that manages all ATM functions.

  • First, banks should perform an audit to work out exactly where gaps exist.
  • Second, banks should disable external input devices (keyboards, mice, etc.) and loading from external disks (USB drives, CDs, etc.), since these are major opportunities for hackers. A strong BIOS password is necessary to prevent attackers from changing ATM startup settings.
  • Third, banks should install and properly configure application control software to monitor software integrity, allowing only whitelisted programs that have been checked for unauthorized modifications.
  • Finally, banks should regularly review practices to ensure they are adhering to the latest ATM security advice to minimise the chances of intrusion.

To find out more about Positive Technologies and its solutions, visit: www.ptsecurity.com. To view its report ‘Attacks Against ATMs Using GreenDispenser: Organisation and Techniques’, visit: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/ATM-Security-eng.pdf