Kumari Palany & Co

Report highlights poor security in ATMs

Posted on: 28/Apr/2016 4:20:11 PM
Recent research has shown that ATMs use outdated and insecure software. In addition, a report has pointed out mistakes in network configuration and the lack of physical security. 

Various techniques have evolved over the years, where ATMs have been vulnerable to theft. In the past, the major threat was skimming, a technique in which special devices attached to a machine in order to steal data from the card`s magnetic strips. 

In 2014, researchers discovered a malware called Tyupkin. In 2015, they found a gang that called themselves the Carbanak  gang who jackpot ATMs by compromising the banking infrastructure. The recent report has tried to map all ATM related security issues. They have found that malware attacks are possible mainly due to the outdated software. Many ATMs are actually PCs that run on extremely old versions of operating systems like Windows XP. 

Another old and insecure technology is the XFS standard that is a software that allows the PC to interact with banking infrastructure and hardware units, while processing cash and credit cards. The XFS specification does not require authorisation for the commands it processes. This means that any app that has been launched or installed on the ATM can issue commands to other ATM hardware units.

The report has found an extreme lack of physical security for ATMs. It says that ATMs are constructed and installed in a way that a third party can easily gain access to the machine, and so, the PC inside it. They can also easily access the network cable the connects the machine to the Internet. By gaining this access, criminals can install specially programmed microcomputers in the ATM. This gives them remote access to the ATM. They can also reconnect the ATM to a rogue processing centre. A rogue, or fake, processing centre is a software that processes payment data. The centre is identical to the bank`s software. The ATM, therefore, obeys any command that is issued to it. 

So how does one stop ATM jack potting? Says an expert, The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models and this makes them unprepared for criminals actively challenging the security of these devices. This is today’s reality that causes banks and their customers huge financial losses. From our perspective this is the result of a longtime misbelief, that cybercriminals are only interested in cyberattacks against Internet banking. They are interested in these attacks, but also increasingly see the value in exploiting ATM vulnerabilities, because direct attacks against such devices significantly shortens their route to real money.