Discussing ATM Hacks and the Different Kinds of ATM Attacks

ATM security is, in fact, a delicate area. There are experts who opine that almost all ATMs today are vulnerable to software-based cyberattacks and give up customer data to cybercriminals, in one way or the other. There are clever hackers who devise different ways to bypass security mechanisms and get away with loads of data, which finally helps lay hands of customers’ money.

An ATM comprises a computer and a safe, both enclosed in a cabinet. It’s easy for a criminal to open the cabinet and get access to the computer, which mostly runs on Windows OS. The cash, which is contained in the safe, is dispensed using a cash dispenser that is directly attached to the safe. To open the safe, a criminal would need to use heavy equipment or even explosives. But clever cybercriminals can rob customers of their money by hacking the computer and gaining access to its network connections or the interface connecting the system to the safe. It also helps hackers steal card data, which they could then misuse.

To be noted is the fact that the connections between the ATM computer and the server at the transaction processing center are not always encrypted, and this too gives hackers a chance to carry out their activities. The security software installed, including firewall software, sometimes happen to be very poor and that too helps cybercriminals hack ATMs.

Let’s discuss the different kinds of ATM attacks that cybercriminals carry out…

Remote ATM attacks- As we had already mentioned, not all connections between ATM computers and transaction process center servers are encrypted. A hacker can thus access data from an ATM by simply tapping into the network traffic and without any kind of physical access to the machines. Some ATMs are seen to use faulty VPNs to secure the traffic, the encryption for such connections can also be cracked. Security experts analyzing ATM hacks have found criminals using encryption keys found in the modem firmware of ATMs using cellular connections to carry out the attacks. Some ATMs are attacked by brute-forcing weak administrative credentials.

Non-intrusive physical attacks- Hackers carry out non-intrusive physical ATM attacks by disconnecting the cable (in ATMs where the Ethernet port is placed outside the cabinet) and plugging in a laptop that spoofs a processing server. Thus they can get cash dispensed out of the ATM. Non-intrusive physical attacks are also carried out exploiting known security flaws in the network hardware or the software of an ATM. Such non-intrusive attacks, which require only 15 minutes to be carried out, are mostly done past midnight or in the early hours of the morning.

Attacks by opening the cabinet- Hackers sometimes rob ATMs by opening the cabinet and thus gaining access to the input ports of the computer. In an ATM that allows freely connecting USB or PS/2 devices, a hacker could easily connect a keyboard or some other device imitating user input. Plugging in a keyboard or another device makes the computer exit kiosk mode and it can then be used like a regular computer. A hacker can then run malicious commands on the ATM and if the system runs on Windows XP with many known vulnerabilities, the hacker’s job becomes very easy. Even if there is a digital video recorder application running in the background, hackers can easily erase security footage and thus ensure that they don’t leave behind any traces.

Exploiting security application vulnerabilities to install malicious software- Hackers can exploit security flaws in the security applications that ATMs run and then connect to the ATM hard drive to install malicious software, provided the drive isn’t encrypted. They can then use the malicious code to steal data from the ATM.

Installing malicious software after booting using a USB stick- Hackers can plug in a USB stick to the USB port of an ATM and then boot from that. This would give them free access to the main hard drive of the ATM, wherein they could install malicious software.

Attack using an ATM ‘black box’- A hacker can plug a ‘black box’ (a Raspberry Pi or similar machine running modified ATM diagnostic software) to the cash dispenser on the safe and thus get it to dispense cash. Thus, there is no need to access the ATM computer at all. This kind of an attack is possible in ATMs with unencrypted or poorly encrypted connection between the computer and the cash dispenser.

In the U.S. and in most other countries, the banking regulations protect customers from liability in ATM attacks and hence the real risk is mostly to the banks and financial establishments. Thus, it becomes important that financial organizations take sufficient precautions to prevent such attacks. This would include ensuring proper encryption, installation of security software, upgrading to Windows 10, using better administrative passwords, protecting ATMs from physical access etc.