ATMs have a grueling history. ATMs were first introduced in Ohio in the United States in 1959. Since then, more than 2.2 million ATMs have gone into service worldwide.
The success of the payout terminals can be attributed to their ease of use. They are also always ready for use, and customers can access their money at any time – at least as long as there is no technical defect or the card is not confiscated.
How to hack an ATM
An ATM itself is just a cabinet with a computer that regulates the dispensing of money and ensures that the customer receives the money he has requested. Typical components include the card reader, a PIN pad, the disbursement module, and cash cassettes inside.
The computer basically does not work much differently than a normal PC that is also used at home. It usually has a CD or DVD-ROM drive, at least one USB port, a hard drive, and various other things that a basic computer should include. Most ATMs come with Windows operating systems.
As indicated earlier, physical attacks are risky and often noisy. Using explosives against the device can be dangerous, even to the bank robber himself. Moreover, the police are on the scene relatively quickly. Cybercriminals have therefore figured that there must be easier ways to achieve their goal.
Hacking attempt 1: Use a default password
But how could one attack an ATM? The easiest way is to search the Internet for default passwords. Some ATMs can be operated in “operator mode” by entering a specific key combination. Just as there are default passwords for routers, there are also for ATMs.
A few years ago, some cybercriminals discovered that they could find default passwords through a simple Google search – for example, in online instructions for ATMs. Once a device was identified where the password worked, it was reconfigured. The ATM henceforth denominated 50-euro bills as 5-euro bills.
This allowed the criminals to withdraw more money than allowed. They then reversed the command so that the attack could not be traced. The same gang carried out the attack again and again until they once forgot to undo the command, which alerted the operator to the security incident.
Hacking attempt 2: Malware and attacks on the operating system
The majority of ATMs still run Windows-based operating systems. In January 2014, NCP reported that an estimated 95 percent of ATMs were still running Windows XP. To provide at least a little extra peace of mind, most companies have signed contracts assuring them of XP support beyond April 2014.
Another interesting fact is that the vast majority of ATMs use the CEN/XFS standard. This allows the same ATM applications and configurations to be used across different manufacturers. Thus, the devices have a common API that allows Windows applications to communicate with various peripheral components (disbursement module, card reader).
The XEN/XFS standard is freely available and can be accessed via the Internet. So even with relatively little knowledge of software development, it is possible to program a Windows application to control ATM peripherals. So the problem is not to write malware, but to inject it into the ATM. Cybercriminals proceed as follows.
Via the USB interface: the Ploutus malware (first discovered in 2014) was installed on the ATMs via USB stick. For this, the cybercriminals gained physical access to the USB port through the ATM chassis. This is not too difficult because the computer is less protected compared to the other components.
About the network: Carbanak was the first APT attack on ATMs. Here, cybercriminals attacked the ATMs through the bank’s network itself and used malware to gain access to the money.
ATMs are nothing more than normal Windows PCs, it is not particularly complex to program malware for them. The hard part for cybercriminals is getting their malware onto ATMs. To prevent that from happening, there are a number of basic steps that can be taken to increase the security of ATMs.
- Security solutions, from typical anti-virus solutions to application whitelisting.
- Continuously update the operating system
- Encrypting ATM hard disks
- Segmenting ATM into other network zones
- BIOS protection
- Make visible what is happening on the ATM and in the network