Want to hack a hole-in-the-wall cash machine for free dosh? It's as easy as Windows XP

ATM machines are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash. This according to researchers at Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would …

  1. Anonymous Coward

    Absolute security does not exist, enough time and resources and any security is vulnerable

    That direct access to ATM hardware makes it easier to bypass security measures goes without saying, ATM manufacturers need a reliable way to spot the compromised ones when they are returned to service, more than they need more evidence that once the ATM is out of their control that it is vulnerable.

  2. iron Silver badge

    > banks tend to take a dim view of customers hanging out at ATMs for longer than a few minutes

    Banks sure but what about all those ATMs sitting by themselves in a shop or service station? Or those many locations where the bank closed the branch but left a machine so customers still had some access to their money? Without trying I can think of several local ATMs that are not built into a wall, have no one watching them and no CCTV except for any camera built into the ATM itself.

  3. imanidiot Silver badge

    The ones not built into a wall are usually bolted to the floor. When it comes to access to compromise a machine I think the wall mounted units are actually more vulnerable as they usually have an enclosed backroom for access while filling the machine. The front is usually entirely sealed, but that backroom can be accessed by bribing the right sales clerk or shop owner, who probably also has access to the video recording equipment to accidentally switch it off or spill some coffee a day ahead of the attack. And once the attacker is in the backroom he is out of view and can do his nefarious deeds undisturbed. Hanging around in public is usually more visible. Though the blatant "put on a polo shirt with the bank's logo, walk in and put up some barriers, open the machine and get to work" approach will probably also work. People are surprisingly unquestioning if you wear a correct looking outfit and act like what you are doing is completely normal.

  4. phuzz Silver badge

    > People are surprisingly unquestioning if you wear a correct looking outfit and act like what you are doing is completely normal.

    Leading to the counter-intuitive situation where a high-vis jacket makes you invisible.

  5. Anonymous Coward

    hence why visually profiling people doesn't work. it's an idea that makes sense to the public who visualise thieves in masks, stripy tops and swag bags, or terrorists in beards, keffiyehs and turbans.

    the politicians and security services realised a long time ago that 90% of security theatre is perception management. it doesn't matter if people are robbed or hurt as long as they *feel* safe. and rather strangely, it's worse when people *feel* unsafe than when they're *actually* unsafe.

    hence, the shepherd is there to watch the sheep, and cares little about the wolves.

  6. jake Silver badge

    Not really.

    "Leading to the counter-intuitive situation where a high-vis jacket makes you invisible."

    It's not counter-intuitive at all. It's called "camouflage", or, if you prefer, "blending in with your surroundings". What works in the Sahara doesn't necessarily work in the Arctic and vice versa. The trick is to make your mark look past you instead of at you. See the predominance of cheap suits in middle management for a good example ... the wearers are all nameless and faceless, and they like it that way.

  7. phuzz Silver badge

    Re: Not really.

    You're right, 'counter-intuitive' is the wrong choice of words. Perhaps I should have said that it's literally wrong (but figuratively correct)?

  8. Criggie

    As a cyclist, you're not wrong.

  9. Anonymous Coward

    As far as I can see, all of the attacks mentioned require access to the hardware, so that immediately limits the actual risk of these exploits taking place.

    Criminals either need to remove the device to a place where they can work on it undisturbed, or somehow gain access without being seen.

    Any computer, of any description, is vulnerable if you can start plugging things into ports, or nicking the hard-drive.

    And they are probably NOT running Windows XP. Instead they are likely to be running Windows XP Embedded or Windows Embedded Standard 2009, which is still under extended support, and both of which have much less attack area than vanilla XP.

  10. Halfmad

    You'll need access to the hardware in order to pick up the cash anyway so you'd be nearby regardless.

    "we need to be physically near" isn't really a get out when these can be placed in quiet shopping centre areas, sides of petrol stations, closed back branches etc.

  11. caffeine addict Silver badge

    > And they are probably NOT running Windows XP. Instead they are likely to be running Windows XP Embedded or Windows Embedded Standard 2009, which is still under extended support, and both of which have much less attack area than vanilla XP.

    Came here to say the exact same thing. I'd expect that kind of cockup from the Daily Mail not El Reg...

  12. Danny 14 Silver badge

    a few small banks have their ATMs inside, at night a card swipe lets you into a small foyer where the ATM is accessible.

    Our local spar has an ATM and a spotty oik manning the till at 11pm

  13. Andy Humphreys

    XP Version

    The NCR machine here at the Tesco Superstore up the road from the office, shows Windows XP Professional, copyright 1983-2001! When I took the picture of the machine last June, it was in a state of shutdown, but frozen up..

    Whether embedded or not, to any customer who has been spoon fed the risks of staying with XP, it then doesn't look that brilliant..

  14. Captain Scarlet Silver badge

    > all of the attacks mentioned require access to the hardware

    A lot of attacks reported near where I live extract the machines with stolen diggers (so being near a building site immediately increases the actual risk greatly), none with the explosives have been used around here yet.

  15. DougS Silver badge

    Not the network port attacks

    All you need is physical access to the twisted pair connected to its port - if a convenience store had an ATM connected in that way it would probably be pretty easy - many of them will have wiring run in a suspended ceiling which would be trivial to access from a restroom.

    Just cut the cable, attach connectors to both ends, and connect it to a wifi router with a battery. Then you can replace the ceiling tile, hack the ATM at your leisure from the parking lot over wifi, and when you are ready to trigger the "dispense all cash" command you have a couple conspirators go inside and distract the cashier so he isn't watching when the ATM spits out $10,000. They probably wouldn't figure out how it happened, so you'd be able to return later, swap the battery, and do it again!

    Many ATMs use cellular, I wonder if the network port attacks could be done against that either by splicing into the antenna wire (since the antenna is often just sitting on top with a wire running inside the ATM) or by getting it to connect to a fake base station.

  16. sanmigueelbeer Silver badge

    > at night a card swipe lets you into a small foyer where the atm is accessible.

    A few years ago the big banks (Australia) were caught out when it was exposed that the swipe access works with ANYTHING. Swiping a hotel room key, for instance, or a train/bus ticket and the door opens just like Aladdin's cave. Fun times that was.

  17. entfe001

    > A few years ago the big banks (Australia) were caught out when it was exposed that the swipe access works with ANYTHING.

    Same here in Spain: the "swipe access" is nothing more than a little button embedded into a credit card sized slot that, when triggered, unlocks the door. Any solid object which can fit this slot can open any of these doors: travelcards, business cards, even a paperclip if you know where to poke (and if not, just keep poking around and you'll eventually hit it).

    This has been that way for ages and nobody cares. This easy access is useful for homeless people to spend the night, to the point that it is virtually impossible to find an indoor ATM at night without a tenant. Mind you, unemployment and housing prices are still a huge problem here despite the "we're out of the crisis" official statements.

  18. Ian Johnston Silver badge

    > As far as I can see, all of the attacks mentioned require access to the hardware, so that immediately limits the actual risk of these exploits taking place.

    What's more, getting at the hardware to hack it invariably means getting into the same security casing which protects the cash store. Who busts open a safe - effectively - and then spends ten minutes to an hour hacking the computer inside rather than simply removing the drawer full of cash and scarpering?

  19. silks

    The cash safe is much more hardened and separate than the PC gubbins that controls the ATM.

  20. Binraider666

    I can assure you from first hand experience that certain rather large banks are still running NT4 on ATMs let alone XP. OS/2 was prevalent until very recently!

    But yes, the real issue is access in the first place. Prevent physical access and 99% of these attack vectors go away. The exception, and the far more plausible one, would be for someone with access to other areas of a bank's network to direct attacks to the ATM.

    The inside job, supported by insider info is far more plausible a threat.

  21. Credas Silver badge

    Will criminals actually bother with all this?

    It's nice that someone's thinking about the IT side of ATM vulnerabilities, but I can't see criminals bothering with gaining physical access to LAN ports, etc and working out how to hack the machine to dispense the cash. They seem to have worked out quite serviceable low-tech methods of doing this already, using JCBs, gas canisters, or even just a Land Rover with a steel cable.

  22. Mongrel

    "As far as I can see, all of the attacks mentioned require access to the hardware, so that immediately limits the actual risk of these exploits taking place."

    Go have a poke around Deviant Ollam's YouTube channel, here's a good start https://www.youtube.com/watch?v=a9b9IYqsb_U&t=31s .

    He, convincingly, demonstrates just how many things that should be kept secure are not - often laughably so. Here he is opening a bank's vestibule door with a mouthful of whiskey https://www.youtube.com/watch?v=SDl4AO4ancI

    So just cover the camera and use the manufacturer key\spend 20 seconds picking the lock and you have access to the hardware. Do this late at night and there's a pretty good chance you'll be undisturbed for 10 minutes.

  23. Ian Johnston Silver badge

    > The cash safe is much more hardened and separate than the PC gubbins that controls the ATM.

    Having watched the things being refilled in banks, the PC seems to be inside the same safe which protects the money. I suppose the miniature freestanding ones you find in shops might do it differently, though.

  24. Flywheel Silver badge

    Re: all of the attacks mentioned require access to the hardware

    Explosives you say?

    Round our way they tend to use compressed air - to literally blow the ATM out of the wall. It's a lot easier to find a compressor lying around than dynamite ...

  25. Peter2 Silver badge

    Re: all of the attacks mentioned require access to the hardware

    > none with the explosives have been used around here yet.

    Blowing up an ATM with explosives is dangerous, wakes everybody within miles and attracts attention, which leads to photographs etc, plus produces such a huge outcry that the police are obliged to exhaustively investigate any lead going. Explosives are also very tightly regulated and thus highly traceable.

    Ramming a digger into the ATM and driving off with it, sticking the ATM in a makeshift Faraday cage (one assumes they have a tracking device) while you blowtorch it open is relatively easy in that all you need is a digger and it also doesn't attract much attention from the public, or from the police.

  26. steviebuk Silver badge

    Or get a job repairing the ATMs. The companies that normally do this don't seem to give a shit. Like a past friend I knew had to go to a non-working ATM for a fix. When he got there it was all taped off with police as it had been raided. Calling back to base to inform said knob head boss he was told "I don't care if the police are there, go and fix it.".

  27. jake Silver badge

    Re: all of the attacks mentioned require access to the hardware

    "Explosives are also very tightly regulated and thus highly traceable."

    Horse hockey.

    Anybody with a basic knowledge of chemistry can easily make explosives powerful enough for this kind of shenanigans with nothing more than the contents of the average urban house.

    Yes, even in Blighty.

  28. Anonymous Coward

    "a few small banks have their ATMs inside, at night a card swipe lets you into a small foyer where the atm is accessible."

    Midland (before they became HSBC) had a setup like that in the middle of Bristol 20-ish years ago. I knew someone who worked in that branch and he once explained how it was always amusing on a Monday morning to go through the CCTV footage from Friday/Saturday night to see what the people who met up in a club/bar that night and thought they'd found a "private-ish" place to take their relationships to the next level ... apparently this was a very regular occurrence!

  29. Anonymous Coward

    Re: XP Version

    XP embedded shows professional logos. There are no embedded logos.

    For numpties like the "experts" that wrote the clickbait ba garbage, XP Embedded has a lower attack surface than XP, depending on how it's configured, slightly lower, or massively lower.

    I have made a 90MB XPe runtime image, with a read-only file system (writes are filtered). It's likely more secure than Windows 10.

  30. Josco

    Physical access is quite easy

    A few years ago I had a temp job changing the signage on a certain bank's network of ATMs. This required me to have unfettered access to the machines and all work was carried out during opening hours. Rarely was I questioned about what I was doing by members of staff, and there was never any check that I was certified to carry out the work and no ID was ever requested. On external machines I would await my turn to access the ATM with members of the public in the queue and then proceed to attack the machine with various tools to remove its outer coverings. No one questioned me, not even the two coppers who passed on one occasion.

    I have to say that at no point was I able to actually connect to the inner workings because I had neither the knowledge nor the tools, but I doubt anyone would have said anything even if I had.

    Amazing what a Hi-Vis vest can do.

  31. A Non e-mouse Silver badge

    Re: Physical access is quite easy

    > Amazing what a Hi-Vis vest can do.

    There are numerous studies about how if you look like you know what you're doing you're very unlikely to be challenged. Milgram is a good (and scary!) starting point on this.

  32. caffeine addict Silver badge

    Re: Physical access is quite easy

    Many years ago (mid 70s maybe) my father ended up trapped airside at Heathrow pretty much by accident because he was holding a clipboard and people kept holding doors open for him... :/

  33. Anonymous Coward

    Re: Physical access is quite easy

    Milgram is scary alright, but more for the damage it has done to the reputation of social psychology than anything else. Unfortunately, his write up of the experiment seems to have very little resemblance to what actually happened.

  34. jake Silver badge

    Re: Physical access is quite easy

    "Amazing what a Hi-Vis vest can do."

    Indeed. Add a hard hat, white van, well-used tool belt and a clipboard and you can get away with almost anything.

  35. Shadow Systems Silver badge

    Re: Physical access is quite easy

    At Josco, re: a HighViz Vest.

    Back when I used to be a YardDuty & Crossing Guard at my son's elementary school, I wore a HVV as part of safety. I already had one of my own, but the school provided one as well.

    I was coming home one early evening when an accident happened to some cars ahead of me on the motorway. Viz was shite, a fog was building, & I feared that other drivers might worsen the situation by adding themselves to the scene. So I pulled over into a nearby parking lot, put on my HVV, grabbed my (6 D cell) MagLite, & walked to the accident scene. I started directing traffic around the scene, just one arm pointed into the parking lot & the other waving the flashlight in a "Go that way" fashion, & traffic started to do as I directed. I kept it up until an actual policeman showed up & thanked me for the assist. As I tipped my hat & was about to leave he asked me what department I was with.

    "I'm not. I'm a civilian. I just didn't want your job to get any harder before you got here."

    Long story short, he ended up buying me a pint in gratitude & I wound up joining the Policeman's Bowling League... All because I owned a HVV & used it to good intent.

    You can do very good & very bad things with a HVV, a clipboard, & a flashlight. If you have a HVV hard hat & a fat walkie talkie (so you look like a construction site foreman) then you can REALLY make things happen. It's all in what you intend & how you go about it.

  36. Anonymous Coward

    Re: Physical access is quite easy

    > Milgram is scary alright, but more for the damage it has done to the reputation of social psychology than anything else

    On the contrary, his work helped to establish that social psychology is junk science. We should be grateful to him for making it so obvious.

  37. Sceptic Tank

    Re: Physical access is quite easy

    @Shadow Systems

    The trouble with directing traffic like that is that you are not an authorised person, and you may personally be held liable for damages if an accident happens.

  38. Rich 11 Silver badge

    Re: Physical access is quite easy

    > & I wound up joining the Policeman's Bowling League

    A better choice than the Policy Rugby Team. You spend every Sunday feeling like you've been thrown down the custody suite stairs, twice.

  39. Anonymous Coward

    Re: Physical access is quite easy

    > Amazing what a Hi-Vis vest can do

    Many years ago I routinely used a white lab coat to access Universities, Hospitals, and Research labs - never had a single problem.

  40. jake Silver badge

    Re: Physical access is quite easy

    On the other hand, you may be personally held liable for damages if it comes out that you were capable of directing traffic but chose not to and an accident occurred ... negligence as a legal term can be used for some very ugly things.

  41. jake Silver badge

    Re: Physical access is quite easy

    "his work helped to establish that social psychology is junk science."

    Yeahbut ... since when did proving anything to be "junk science" ever prevent TheGreatUnwashed from believing it to be absolutely true?

  42. Rich 11 Silver badge

    Re: Physical access is quite easy

    > Policy Rugby Team

    Damn you, Autocorrupt! Damn you all to hell!

  43. Anonymous Coward

    Re: Physical access is quite easy

    "I'm not. I'm a civilian. I just didn't want your job to get any harder before you got here."

    I've had both sides of cops while doing that. Most have been grateful and a few have asked me to stay on so they can do more important stuff till backup arrives, but in one case where I was directing traffic away from a very bad accident I was actually threatened with arrest by the first attending officer. He wasn't even going to go look at the scene till he'd dealt with me. A higher-up who showed up a few minutes later spoke to us, and told the junior he'd watch me while the junior went on to survey the accident scene. Suffice to say I was soon very much thanked by the higher up and the junior got a telling off.

    Interfere in police work at your peril in many jurisdictions, even if your "interference" has a chance of saving lives.

  44. Anonymous Coward

    Re: Physical access is quite easy

    > We should be grateful to him for making it so obvious.

    I'd say I thought it was about as plainly obvious as you can get.

    But then I remember that psychologists still get to make policy and all sorts of things.

    A family member of mine got involved in some legal shenanigans. psych involved in report writing told us that we could challenge anything factual that was wrong in their report, but anything that was part of the opinion would not change. That alone proves that their reports are not, in any sense, based on fact but merely opinion. Yet even if the factual basis of their opinion can be shown to be wrong[1], their opinions still carry enough weight to have far-reaching and life-changing consequences for their victims and the families of their victims. But there is seldom any chance to take action against said psychologist because 'they merely presented an opinion based on their experience and training'.

    If ever there was just-cause for a death penalty.............

    [1] "Your honour, in my opinion he's a dangerous murderer who will commit further crimes because he confessed to several murders during our sessions".

    'Actually no, I did not confess anything of the sort!'

    "You're right, my mistake. I confused you with someone else. Your honour, in my opinion he's a dangerous murderer who will commit further crimes despite no evidence of such ever having been presented to me"

    "Very well. The psychologist's report says you're dangerous, so I'm going to rule that you be committed to a secure facility, without appeal or recourse, despite the fact that there is not one shred of evidence outside of this opinion that you're dangerous. The evidence is incontrovertible. The psychologist speaks, therefore it must be."

    [Not my family's experience, BUT stuff that I understand has actually happened in several places - paraphrased]

  45. steelpillow Silver badge

    eXperience Points? hahaha

    My local bank's ATM was attempting to restart XP when I happened to be passing a few days ago. One of the Big [However Many are Left].

    Just one example of how banking IT security is still an utter shambles.

  46. Locky

    These black hat hacks are all well and good, but the Lincolnshire ne'er-do-wells prefer a more.... brute force attack

  47. caffeine addict Silver badge

    There's nothing special about Lincolnshire. It's basically your good old fashioned ram-raiding.

    Round my parts they prefer Landies and JCBs to smash the wall or the front door, then a Subaru to scarper with it. Earlier in the year they hit three local Aldi's on three consecutive nights...

    The other one I've heard is basically filling the machine with gas, although I don't recall if that's to use the gas pressure directly or to ignite it and blast the things open.

  48. A.P. Veening

    Gas filling

    Ignite and blast, gas pressure itself is insufficient as those things leak worse than sieves, which is just what you like for a nice fuel-air explosion.

  49. Anonymous Coward

    But in Lincolnshire they do it in style.

    On the second ram raid around here, they took the forklift into the old listed building, taking out 1 of the 3 cash machines in the village... then when the police turned up, in force, from the local town... turns out it was a distraction, and they then hit the bigger cash machine in said local town that had no police cars left in it to respond. XD

  50. fidodogbreath Silver badge

    "ATM machine"

    Is that where you enter your Personal Identification Number number?
