ATMs can be easily hacked and infected with malware, allowing data or cash to be stolen, according to research by Kaspersky Labs. The company identified two key flaws that can give attackers control: the computer inside the machine can be accessed easily, and the operating systems in use are outdated, so malware can be introduced easily.
The recent Kaspersky study found that many of the machines tested were running Windows XP, which is no longer supported by Microsoft. This leaves them with security vulnerabilities that can be exploited quite easily. In addition, the standard for communication between the cash-point hardware and the banking infrastructure is XFS, an old standard that doesn’t require authorization for communications. This means that the data used to process cash and credit cards, including PINs, can be logged, or intercepted and redirected, by malware. This level of control could be used either to track transactions and credentials for future stealthy banking fraud, or as a key to physically empty the money out of a machine.
Criminals do not even need to hack the machine remotely. Instead, they can install a pre-programmed microcomputer to hijack the ATM. Basically, they would control the machine by connecting it to a rogue processing point. Olga Kochetova of the Lab’s Penetration Testing department explained:
“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models. This makes them unprepared for criminals actively challenging the security of these devices. This is today’s reality that causes banks and their customers huge financial losses.”
Such vulnerabilities are not new. At the 2010 Black Hat conference, researcher Barnaby Jack carried out the now legendary ‘ATM jackpotting’ demo. He showed that commonly used machines made by the firm Tranax could be hacked remotely over a dial-up connection, while machines made by another firm, Trident, could be physically opened and reprogrammed via a USB port.
The findings show that it is a mistake to think that cyber-attacks against the banking industry happen only online, or that online is the hackers' only attack vector. Criminals are interested in the vulnerabilities of outdated ATMs because exploiting them streamlines their business: it gives them a more direct way to collect the cash.