Few targets are as appealing to criminals as automatic teller machines (ATMs). After all, they can store hundreds of thousands of dollars and, unlike banks or armored cars, can have minimal surveillance and no guards. Because of those factors, ATMs are a target of a variety of attacks. In Europe, physical attacks targeting ATMs have risen for the fourth consecutive year, rising 27 percent in 2018 compared with 2017. Losses due to various physical attacks amounted to over 36 million euros ($40.5 million) in 2018, up 16 percent from 2017. It’s estimated that in 2020, there will be over 3.5 million ATMs in use across the globe, which means opportunities for criminals are plentiful.
Criminals display a wide array of techniques to access the cash placed inside ATMs, from physically cutting open the safe to compromising networks or software. In one case, a bank hired X-Force Red, IBM Security’s team of veteran hackers, to test its ATM environment after criminals stole an entire machine to perform their own vulnerability testing. A few months later, the bank began to experience significant cash losses from other devices in the same model line. During our testing, X-Force Red hackers discovered a zero-day vulnerability that the thieves had exploited to install custom malware. The criminals in this case made off with the equivalent of $8 million in cash.
Banks are well-aware of the criminal interest in ATMs and are increasingly working to strengthen their ATMs’ security. From 2017 to 2018, X-Force Red saw a 300 percent increase globally in banks requesting ATM security testing, and during those tests, we often uncovered the same kinds of vulnerabilities exposing the machines and their connected infrastructure.
Top 5 ATM Security Vulnerabilities
Below are the top five ATM vulnerabilities our team has uncovered during its many years of performing ATM penetration tests. Nearly every ATM we test has at least one of these weaknesses, so bolstering security around them can make a difference in keeping the safe safer.
Yes, ATMs are vulnerable to physical threats such as backhoes. There are techniques to make physical attacks more difficult — such as using in-wall models, bollards, etc. — but there will always be a machine large enough to wrench an ATM out of the concrete or break it open.
On the other hand, backhoes aren’t exactly low-profile. The criminals can easily get caught on camera and the resulting mess makes for an easy root-cause analysis.
2. Weak Physical Locks
Most ATM models are divided into two cabinets. The lower half is a safe that contains the cash dispenser and deposit receiver; the upper half houses everything else — the computer, card reader, PIN pad, receipt printer, etc. On their own, the safes are very secure. Bank suppliers mastered safe security years before ATMs were invented.
The upper cabinets, however, are often protected with very weak locks that can be bypassed in a matter of seconds. This doesn’t allow for direct access to the cash, but it does grant physical access to the computerized component of the ATM. Making matters worse, the cash dispenser is often a USB peripheral, so access to the computer can lead to a slew of other possible attacks to ultimately gain access to commands that will dispense cash.
Weak locks on this compartment can also simplify the process of harvesting payment card numbers through skimmers or similar monitoring devices planted by criminals for the ongoing collection of magnetic stripe and card PIN data.
3. Insecure Network Communication
Many financial institutions still believe in the resilience of what they call “trusted networks.” However, this is an outdated concept that is extremely insecure in today’s advanced threat landscape.
Thirty years ago, most critical systems were connected via air-gapped networks, with only a handful of trusted users allowed to access them and using technology that wasn’t publicly available. Applying that logic to ATMs as some sort of “security by obscurity” was always questionable, but it is more naïve than ever today.
X-Force Red routinely tests ATM deployments that either use plaintext network protocols or do not properly validate a protocol’s encryption and authentication. This can be devastating when the attacker can also gain access to the ATM’s network by, for example, exploiting weak locks. Sometimes network switches are not even protected by locks or are stored in places that could be easily accessible to a would-be attacker.
Once attackers have access to the ATM’s network, it is relatively trivial for them to find a way to perform man-in-the-middle (MitM) attacks against the communication with the bank’s backend systems:
- Attackers can initiate passive monitoring, which may result in the theft of customer information.
- They can opt for ATM jackpotting, or cash-out attacks, in which criminals install malicious hardware/software (or both) on the ATM, forcing it to empty the cash dispenser on command. These attacks can become possible with active network traffic modifications.
- Another attack could be changing a dispensing denial response from the bank’s server into an approval command, and dispensing any amount of cash into the hands of the thieves using any card they have on hand.
4. Operating System Hardening
The screen content that customers see on an ATM is a program just like any other. If an attacker can plug in a keyboard and mouse, it’s trivial to close the program and try to interact with the underlying operating system (OS).
Over the last 20 years or so, OS vendors have made it much easier to harden servers against network attacks, disable unneeded services, use host firewalls, require authentication, etc. It is still very difficult, however, to harden an OS against an attacker with console access, because there are many keyboard shortcuts, obscure user interface controls and other tricks that can allow access to the underlying OS.
It used to be common for financial institutions to run ATM interface software as a local administrator. X-Force Red doesn’t see this as often anymore, but many attacks are still unfortunately possible with just the standard user’s access level.
5. Disk Encryption
Without strong disk encryption, criminals can steal an ATM’s hard drive and review it for vulnerabilities at their leisure.
Considering the support model for ATMs, which requires pushing updates to all devices from a remote location, it’s easy to understand why many financial institutions may be delaying implementing full-disk encryption on all their ATMs.
A bank may manage thousands of ATMs across a large geographic area. To keep costs down, software changes need to be performed using remote automation, often with limited bandwidth. The deployment of disk encryption can result in problems that may require a physical visit. For example, an ATM may lose power during a key step in the initial disk encryption. After disk encryption has been deployed, it adds complexity to the boot-up process and can make troubleshooting more difficult.
Physical visits translate into maintenance expenses that some budgets may choose to avoid, but by limiting encryption, attackers have a wider window of opportunity if they ever do get their hands on a disk. If that happens, the aggregate risk can climb up quickly to affect many ATMs across that bank’s extended infrastructure.
Even when disk encryption is used, we have seen vulnerabilities related to improper key protection, vendor implementation flaws and configuration mistakes that end up exposing the ATM to the same risks. Bottom line: Encryption is necessary and can help impede an attacker’s steps in the bigger picture.
Improving ATM Security
Like any other security challenge, businesses work under a risk appetite assumption, and the cost of prevention is a business decision.
Some financial institutions may decide that deploying an expensive security control across their ATM population isn’t justified if they haven’t experienced significant enough losses from the corresponding deficiency. Much like any risk is quantified and translated into the security budget, this aspect is no different.
However, ATMs should be an integral part of the overall security program. Ignorance about potential vulnerabilities is never a sound strategy, and like it is performed on any other valuable assets, security testing should be performed on ATMs on a regular basis to identify and fix physical and software vulnerabilities. Teams should also continuously work to ensure ATMs are up to date on patches, control efficacy and hardware resilience to minimize the proverbial window of opportunity for attackers. The more strenuous an attack will be, the more likely attackers will look elsewhere.
On that note, if you are attending Black Hat USA 2019 this week, stop by IBM Security’s lounge, No. 2104, where our hackers will be demonstrating live how to compromise an ATM. If you are interested in learning more about X-Force Red’s ATM testing services, download our new white paper.
Our team was also recently featured on CNBC, demonstrating how criminals are compromising ATMs. Watch the segment here.
Global Head of Methodology, X-Force Red
David Byrne is the Global Lead for Methodology in X-Force Red, IBM’s elite security testing team. His responsibilities include establishing testing methodo...