What do you call an old, unpatched and easily hacked PC? An ATM

Almost any cash machine in the world could be illegally accessed and jackpotted with or without the help of malware. Security researchers at Kaspersky Lab reached this conclusion after investigating real attacks on ATMs and assessments of the machines carried out for several international banks. The susceptibility of ATMs in …

  1. Martin Summers Silver badge

    Jackpotting

    So every time I've put my card into one of those things and got money, you mean to say I haven't really won anything? Explains a few things...

    1. Michael Wojcik Silver badge

      Re: Jackpotting

      The trick is to put someone else's card in and get money.

  2. Anonymous Coward

    ATMs are largely managed as static machines that occasionally need a maintenance engineer as well as some monitoring in the data-centre.

    Unsurprisingly: many have had TeamViewer, Radmin etc. installed by staff at the network owners.

    ATMs and other IoT devices should become much more dynamic and have the ability to upgrade. The current generations of hackers, developers etc. are being trained with Raspberry Pis etc. that are not that far off from the capabilities of the ATMs, and they will use the knowledge.

    It will be interesting to see how the ATMs evolve.

    1. Charlie Clark Silver badge

      It will be interesting to see how the ATMs evolve.

      Become extinct if the banks have their way: cash is expensive to move around. Electronic cash also pushes more of the risk to the consumer, oh and it makes it easier for central banks to punish savers…

  3. Ugotta B. Kiddingme

    physical intrusion

    While I can't speak for the rest of the world, here in Yankville, most (not all, but most) ATMs by "major" banks are "through the wall" where the user has no access to USB or network ports. I consider those highly tamper resistant and they are the only type I will use. The ones you have to be very wary of are those in convenience stores/chemists which are free-standing devices. In addition to the often exorbitant fees associated with those, you have no way of knowing who has accessed the innards and tampered with it. I avoid those except in dire cash emergencies. And given that my chip-and-pin debit card works almost everywhere, very little qualifies as a dire cash emergency.

    1. Nick Ryan Silver badge

      Re: physical intrusion

      Many "through the wall" ATM machines may be secure enough from the front, however the rear of them where the access to the "interesting" parts can be had is often not so well protected. Just behind a screen or in a box and often with nothing more than a standard "security" hex style bolt keeping the case closed. I've seen a few with vents where one can readily see more interesting parts.

      Obviously tampering with an ATM inside a bank is risky, however so is tampering with one outside as they're often covered by CCTV. However what you've missed in the article is the fact that the ATM networks are often so insecure, that gaining access to one of them will give the successful attacker access to many more ATMs, so even if it appears to be physically secure, how about the one around the corner inside the bank or even another branch of the same bank?

      1. Anonymous Coward

        Re: physical intrusion

        If the bank is not using double controlled physical keys to the ATM they are doing it wrong. For those that need single person access, again it would be a physical key, with hopefully fully audited case intrusion (last person accessing etc, and printed on till receipts to prevent any software hack trying to cover the footprints).

        Any ATM with plain screws, even hex, will just get stripped for the metal panels quicker than anyone could even get to fill it with cash.

        It's any possibility of hacks through the card reader/keyboard/pins shoved through gaps in the case that are a risk, as it's the low hanging fruit. Though hopefully far too complex and card skimming and ram raiding are all the thieves will aim for.

  4. Anonymous Coward

    You don't f***ing say?

    criminals can potentially install a specially programmed microcomputer (a so-called black box),

    Without wishing to be too accusatory, this is The Reg. And you've published an article containing this gem. Do you think our average knowledge and intellect is somewhere around that of the average Daily Mail/Mirror reader?

    1. Stevie Silver badge

      Re: You don't f***ing say?

      Wait, I thought the black box was the internet. Somebody nip up Big Ben and see if it's still there.

    2. moiety

      Re: You don't f***ing say?

      That's what I was doing wrong! The boxes were the wrong colour! *gets out sharpie*

  5. Herbert Meyer

    through the wall

    My bank has replaced free standing ATM with through-the-wall ATM because thieves with backhoes were demolishing the boxes around them, and craning the ATM onto a trailer and away for leisurely looting. Much less sophisticated than hacking.

    Now, they are stalling on EMV cards, because they will have to replace the ATM again, or replace and upgrade the card readers.

    1. Ole Juul Silver badge

      thieves with backhoes

      Those are real hackers.

  6. DougS Silver badge

    They will replace the old insecure ATMs

    When the money they lose from "jackpotting" is greater than the cost of replacement. Not before.

    1. Adam 1 Silver badge

      Re: They will replace the old insecure ATMs

      Correct, but this article doesn't even follow the threat model like a bank does.

      1. The ATM and cash is insured, so any loss is not paid directly by the bank.

      2. Insurance is a cost of business that is passed onto their customers as part of the fees.

      3. Unless specific banks are more vulnerable than others, the insurance premiums will rise uniformly across all banks to cover it, that number gets crunched through Excel (or worse) and everyone's account fees or ATM fees or whatever rise by a few dollars over the year.

      1. DougS Silver badge

        Re: They will replace the old insecure ATMs

        When the point is reached that replacing ATMs makes sense, some banks will realize that, do so, and the savings will allow them to avoid increasing fees on their customers - with the result that they steal customers from other banks meaning more profit for them (or, if customers are too stupid to comparison shop and they stick with their higher fee bank, the bank with the new ATMs will raise their fees to match even though they don't need to and make more money that way)

        1. Michael Wojcik Silver badge

          Re: They will replace the old insecure ATMs

          with the result that they steal customers from other banks meaning more profit for them

          Retail banking customers are notoriously brand-loyal, though probably almost entirely from the costs (opportunity cost, labor of changing automatic withdrawals, etc) rather than from any sentimental attachment to their banks.

          And in the US, price-conscious banking customers are probably using a credit union, and it's hard for a commercial bank to beat them on pricing. Leverage, yes; pricing, not so much.

          if customers are too stupid to comparison shop and they stick with their higher fee bank, the bank with the new ATMs will raise their fees to match even though they don't need to and make more money that way

          Possibly, but retail banking has poor margins - it's capital-intensive (all those branches, staff, dealing with people, etc) and is mostly the long-tail end of banking, so you have lots of small accounts and overhead is high relative to average profit. I suspect it'd take a while to realize a positive return on the investment in new ATMs, were it made solely for security reasons.

          Now, when old ATMs have to be replaced for other reasons, upgrading to more-secure ATMs (should any be available - remember these are produced by companies like Diebold) might justify some additional price premium.

  7. Anonymous Coward

    Funny enough

    80%++ of the cash machines are made by Siemens or have their SW on them. More funny is that Kaspersky competitors are securing the OS on machines so of course they'll try to find a way to win business at all costs.

    Hysterics! Never in the INsecurity industry?

  8. Anonymous Coward

    If you think ATMs are bad, then you need to see the software on the average till / cash register. I briefly worked on one leading software suite for these machines, and the code was like a case study in how to write unmaintainable and insecure code.

    1. Pascal Monett Silver badge

      Yeah but cash registers are typically not used by anyone outside of company employees - which makes them a different problem compared to ATMs which are used by anyone.

      Also, cash register issues are the problem of the company (as Target found out last year to its great detriment), and its customers, whereas ATM issues are everybody's problem.

      Finally, cash registers are generally under more direct surveillance than ATMs (and have never been attacked by backhoes - yet). People standing around an ATM generally do not get noticed by passers-by, whereas Joe Hacker is not going to have much time to muck with a cash register before store security is standing next to him and asking questions.

      But yeah, Target is a clear demonstration that cash registers are a weak point whose security depends more on luck than actual defences.

  9. asdf Silver badge

    Why fix?

    Why should the banks fix it? They will just chalk it up to the costs of doing business and add it on the next bail out they get from the taxpayer.

    1. Anonymous Coward

      Re: Why fix?

      This one is not passed on so indirectly. It will go directly to banking and insurance fees. It may go indirectly via security measures offered to the public in general that they would like more attention from. However a big public bail out gives them a big red face, so might need a more subtle means.

  10. Barry Rueger Silver badge

    Banks? Security?

    I am not in the least surprised.

    Bad enough that my bank STILL refuses to make passwords case sensitive, or allow "Special" characters.

    This week though they trumped themselves with repeated messages on-line, in app, and even via Robo phone call "encouraging" me to make sure that both Android and the Banks' app on my phone were up to date.

    My bank has never phoned me for anything, so I'm assuming that the app has the mother of all security holes in it.

    If you are experiencing issues using the Android app on your mobile phone or tablet, you must install app version 16.3.0 or above, on a device operating with Android OS 3.0 or above.

    We are sending you this message because you have signed into our mobile app with a device requiring one or both of these updates. To continue using your mobile app:

    If you haven't already done so, update your Android OS.

    Update to the latest version of the Scotiabank Mobile Banking app. You can download Scotiabank's Android mobile banking app directly from Google Play on your device.

    If you need help updating your device OS, please contact your wireless carrier or device manufacturer. If your device does not support the upgrade to the latest Android OS, please visit www.scotiaonline.com on your mobile device and Sign In to access your accounts.

    Thank you for taking these steps to ensure you can continue to use the Scotiabank Mobile Banking app.

    Everything on my phone is as up to date as possible, so I'm really left wondering.

    If my account had any money in it I'd worry.

    1. Adam 1 Silver badge

      Re: Banks? Security?

      You can install Fiddler on your PC then proxy your phone via that PC and Fiddler will intercept the traffic for you.

      Then you can see if they are encrypting the traffic itself. It is quite an eye-opening* thing to observe and works for all apps. You can even MITM** yourself if they aren't pinning the certificates and inspect what they are encrypting. That can also reveal privacy breaches.

      * not in a good way

      ** Android will warn you that others can observe if you install the fake root certificate to permit this.

    2. Daniel B.

      Re: Banks? Security?

      Bad enough that my bank STILL refuses to make passwords case sensitive, or allow "Special" characters.

      That's a problem everywhere, and the sad thing is that I know why this is the case.

      RACF has issues with non-alphanumeric characters due to ASCII/EBCDIC.

      Many bank systems do RACF authentication. Therefore, bank password policies won't allow non-alphanumeric passwords.

      Client-facing systems don't authenticate clients against RACF. Yet they're also saddled with the same password policies because having a single policy for everything is easier!

      1. Pascal Monett Silver badge

        I can easily imagine that this ASCII/EBCDIC issue is going to take mountains of cash to change, meaning that we are going to be saddled with the problem for decades to come - or until the mainframes start failing (which, due to the mountains of cash already paid for their maintenance, ain't gonna happen anytime soon).

        1. Michael Wojcik Silver badge

          I can easily imagine that this ASCII/EBCDIC issue is going to take mountains of cash to change

          Nah. Migrations from the mainframe to certain emulation environments, including converting to ASCII, can be done relatively cheaply, for the typical suite of banking apps. Let's say < $1M for hardware and software, six months of development time with existing staff. Minimal changes to application source. Compared to mainframe leasing costs...

          Banks just tend to be conservative with their IT. Often where they try to achieve savings is in operations, which is why you have your NatWest-type failures. They're reluctant to do application lift-and-shift, or portfolio analysis, or other things that might save them money but require watching the sausages get made.

      2. Michael Wojcik Silver badge

        Re: Banks? Security?

        RACF has issues with non-alphanumeric characters due to ASCII/EBCDIC.

        Many bank systems do RACF authentication. Therefore, bank password policies won't allow non-alphanumeric passwords.

        True, but there's a trivial fix for this.

        (And, technically, it's not RACF or even SAF that's at fault, but the matter of 8-bit code limitations and the proliferation of EBCDIC code pages. You'd have the same issue with ACF2 or Top Secret or a home-grown authentication mechanism that used text passwords on z/OS. Not that it matters.)
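
Added example, not part of any comment in this thread: the EBCDIC code-page point from the two comments above, shown with Python's built-in codecs. The choice of code pages (cp037, cp500, cp273, cp1140), the SHA-256 verifier and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Assumption: these Python codecs stand in for the EBCDIC code pages a
# mixed estate might use; the thread names no specific code pages.
CODE_PAGES = ("cp037", "cp500", "cp273", "cp1140")
PRINTABLE = string.digits + string.ascii_letters + string.punctuation


def variant_chars(code_pages=CODE_PAGES, alphabet=PRINTABLE):
    """Map each character whose byte value differs between code pages
    to its encoding under every page."""
    variant = {}
    for ch in alphabet:
        encoded = {cp: ch.encode(cp) for cp in code_pages}
        if len(set(encoded.values())) > 1:
            variant[ch] = encoded
    return variant


def as_seen_by_host(password, client_cp, host_cp):
    """Text the host reconstructs when bytes produced under client_cp
    are interpreted under host_cp."""
    return password.encode(client_cp).decode(host_cp)


def verifies(password, client_cp, host_cp):
    """Hypothetical verifier: the host stored SHA-256 of the password
    bytes in host_cp; the client presents bytes made under client_cp."""
    stored = hashlib.sha256(password.encode(host_cp)).digest()
    presented = hashlib.sha256(password.encode(client_cp)).digest()
    return hmac.compare_digest(stored, presented)


def portable(password, code_pages=CODE_PAGES):
    """True if every character of an ASCII password encodes identically
    on all listed code pages, so it survives any mix of them."""
    return not variant_chars(code_pages, alphabet=password)


if __name__ == "__main__":
    for ch, enc in sorted(variant_chars().items()):
        print(repr(ch), {cp: b.hex() for cp, b in enc.items()})
    for pw in ("Passw0rd", "Passw0rd!"):  # constructed sample passwords
        print(pw, "portable:", portable(pw),
              "| cp500 client seen by cp037 host:",
              repr(as_seen_by_host(pw, "cp500", "cp037")),
              "| verifies:", verifies(pw, "cp500", "cp037"))
```

Letters and digits sit at the same byte values on every page listed, which is why an alphanumeric-only policy sidesteps the mismatch.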

  11. JeffyPoooh Silver badge

    Kaspersky Labs

    'We know how to make ATMs spew wads of cash, but we'd rather extract cash from old folks with PCs buying our "Security" software.'

  12. 45RPM Silver badge

    Now how about posting some step by step instructions so that we can all go out and jackpot a cashpoint before knocking off early? Selfish, I call it, to keep this information to yourself!

    1. Anonymous Coward

      yeah, nah

      If you start making this info known (or even just demonstrating that it can work) then you're liable to "accidentally" overdose, walk in front of a car or zip yourself into a bag.

  13. Charlie Clark Silver badge

    And this is news because?

    Most of the computers we deal with in public places have either USB or serial ports for maintenance purposes. Guess what – get access to those and you pretty much own the machine.

    However, the favourite method of cash extraction at the moment seems to be good old safe-cracking: blow the machine up or tow it away: low tech usually has the lowest opportunity cost.

    Software hacks targeting the clearing system – recently in Bangladesh and elsewhere – are far more lucrative and alarming.

  14. JimmyPage Silver badge

    It's a transient problem ...

    I suspect the banks' relaxed attitude is premised on the decline of cash, plus the availability (in the UK certainly) of retailer cashback (which is a win-win for retailer and bank). I'd wager most banks only see ATMs as a service in decline.

    How many new anti-fraud initiatives have been developed for cheques (US: checks) in the past 10 years?

  15. Hero_Pig

    Search ATM bombings on YouTube... now that's some old school hacking.

  16. Ironclad

    Small potatoes

    Losses at ATMs due to so-called jackpotting are a very small percentage of the total:

    https://www.european-atm-security.eu/card-skimming-losses-continue-rise-outside-europe/

    "In 2014 EAST began to collect statistics for ATM Malware after the first incidents were reported in Western Europe. 15 incidents were reported in 2015, down from 51 in 2014. These were all ‘cash out’ or ‘jackpotting’ attacks. Related losses of €743,000 were reported, down from €1.23 million in 2014."

    Compare that with the total ATM fraud of 327 million Euros.

    And all ATM fraud is completely dwarfed by Card Not Present / Remote Purchase fraud:

    http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp

    Those figures are just for UK issued cards.

  17. Cynic_999 Silver badge

    I'm not sure why cash is still so prevalent. I usually carry a couple of £5 notes for unusual contingencies, but they are very seldom required. In the UK, I can do just about any transaction I want either electronically or by card. Even with a private sale, I can do an online transfer between my bank account and the other party's bank account using my laptop or phone. Cash is needed only for trivial transactions and children's pocket money. And of course when no record of the transaction is desired.

    I was always disappointed that the Mondex system didn't gain appeal. It seemed to me to be a perfect substitute for cash, having all the advantages and fewer disadvantages than physical notes & coins.


Biting the hand that feeds IT © 1998–2019