Nadan Academy

Mobile Apps, Mobile Games, Information Technology, Health and Education Purposes.

Monday, August 26, 2019

Five ATM security vulnerabilities

Few targets attract criminals like automated teller machines (ATMs). Unlike banks or armored vehicles, ATMs have minimal monitoring and no guards, so they have become the target of a wide variety of attacks. In Europe, attacks against ATMs have risen for the fourth consecutive year, with an increase of 27% in 2018 compared to 2017. The damage caused by various attacks in 2018 exceeded 36 million euros ($40.5 million), an increase of 16% over 2017. It is estimated that by 2020, more than 3.5 million ATMs will be in use worldwide, meaning that criminals will have more opportunities.

From cutting into safes to tampering with networks or software, criminals use a range of techniques to steal cash from ATMs. In one case, a bank lost a whole ATM, and a few months later ATMs of the same model series suffered significant cash losses. So the bank hired IBM Security's experienced hacker team, X-Force Red, to test its ATM environment. During the test, X-Force Red discovered a zero-day vulnerability that the thief had used to install custom malware.

Banks are well aware of the attractiveness of ATMs to criminals and are increasingly working to strengthen the security of their ATMs. From 2017 to 2018, global banks increased their ATM security testing by 300%. These tests often uncovered vulnerabilities in the machines and in the infrastructure that connects them.

I. Five major ATM security vulnerabilities

The following are the five major ATM vulnerabilities discovered during years of ATM penetration testing, and almost all tested ATMs have at least one of these vulnerabilities.

1. Backhoes

ATMs are highly vulnerable to physical threats, such as using a backhoe to steal the entire machine. Some measures make physical attacks more difficult, such as in-wall models and bollards, but an excavator is big enough to tear an ATM out of its concrete. Criminals who use an excavator are easily captured on camera, however, so the risk to them is high.


2. Weak physical lock

Most ATMs are divided into two cabinets. The lower part is a safe holding the cash dispenser and a deposit acceptor. The upper part contains the computer, card reader, PIN pad, receipt printer and so on. The safe itself is very secure. However, the upper cabinet is usually protected by a very weak password lock that can be bypassed in a matter of seconds. Although bypassing this lock does not provide direct access to cash, it allows physical access to the computer components of the ATM. Cash dispensers typically have a USB interface, so direct access to the computer can lead to a range of other attacks, eventually executing cash withdrawal commands.


3. Unsafe network communication

Many financial institutions still believe in what they call a "trusted network," but this is an outdated concept that is extremely insecure in today's threat environment. Thirty years ago, most systems were physically isolated to ensure their security. Only some managers could access the system, and the technology used at the time was not public, but that model is no longer secure. Once an attacker gains access to the ATM network, a man-in-the-middle attack can be used to tamper with the ATM's settings.

An attacker can initiate passive monitoring, which can result in theft of customer information.

An attacker could install malicious hardware/software on the ATM and force it to dispense its cash as directed by network traffic.

A remote attack could subvert the bank server's response to the approval request, so that any amount of cash is dispensed against the bank card in the attacker's hands.
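The last scenario is what message authentication between ATM and host is meant to stop. The sketch below is an added example, not code from the original article or from any ATM vendor: the message layout, the function names, the use of HMAC-SHA256 and the demo key are all assumptions chosen for illustration. It covers integrity only; protecting customer data from passive monitoring additionally requires encrypting the link.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key (assumption); a real deployment keeps keys in protected hardware.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _mac(key, fields):
    # Canonical JSON so both sides compute the MAC over identical bytes.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def build_request(card_token, amount_cents):
    """ATM side: a fresh nonce makes every request unique."""
    return {"card": card_token, "amount": amount_cents, "nonce": secrets.token_hex(16)}

def host_respond(key, request, approved):
    """Host side: the decision is MACed together with the request it answers."""
    body = {"decision": "APPROVE" if approved else "DECLINE", "request": request}
    return {**body, "mac": _mac(key, body)}

def atm_should_dispense(key, request, response):
    """ATM side: dispense only on an authentic approval of this exact request."""
    body = {"decision": response.get("decision"), "request": response.get("request")}
    mac = str(response.get("mac", ""))
    if not hmac.compare_digest(mac.encode(), _mac(key, body).encode()):
        return False  # altered or forged in transit
    if body["request"] != request:
        return False  # authentic, but it answers a different request (replay)
    return body["decision"] == "APPROVE"

def demo():
    # All values below are constructed sample data.
    req = build_request("tok_constructed_0001", 20000)
    declined = host_respond(DEMO_KEY, req, approved=False)
    flipped = {**declined, "decision": "APPROVE"}  # decision changed on the wire
    earlier = host_respond(DEMO_KEY, build_request("tok_constructed_0001", 2000), True)
    genuine = host_respond(DEMO_KEY, req, approved=True)
    return {
        "flipped": atm_should_dispense(DEMO_KEY, req, flipped),
        "replayed": atm_should_dispense(DEMO_KEY, req, earlier),
        "genuine": atm_should_dispense(DEMO_KEY, req, genuine),
    }

if __name__ == "__main__":
    print(demo())
```

Because the MAC covers the decision and the full request, including its nonce, the ATM refuses both a response whose decision was changed in transit and a genuine approval captured from an earlier transaction.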


4. ATM operating system

The screen that the customer sees on the ATM is a program like any other on the computer. If an attacker can attach a keyboard and mouse, they can close the program and try to interact with the underlying operating system (OS). In the past 20 years or so, operating system vendors have hardened servers many times: disabling unwanted services, using host firewalls, requiring authentication, and more. However, it is still very difficult to harden the operating system against attackers, because there are still many ways for an attacker to interact directly with the underlying operating system.

5. Disk encryption

Without strong disk encryption, criminals can steal ATM hard drives and examine them for vulnerabilities. Considering that ATMs need to receive all device updates remotely, it is understandable why financial institutions postpone the implementation of full disk encryption on all ATMs. A bank manages thousands of ATMs in a region, and in order to reduce costs, software updates have to be automated remotely, usually over limited bandwidth. Deploying disk encryption can mean that administrators have to physically visit a machine that has gone offline and fix the issue, for example when an ATM loses power at a critical step of the initial disk encryption. Once deployed, disk encryption increases the complexity of the boot process and makes troubleshooting more difficult. By limiting encryption, managers save the maintenance budget that would otherwise be spent on physically visiting machines to solve such problems. In that case, however, if an attacker really does target the disk, the bank will face greater challenges, and many ATMs in its infrastructure could be affected. Even with disk encryption, weaknesses such as poor key protection, vendor algorithm flaws, and configuration errors can expose ATMs to the same risks.

II. Improving ATM security protection

Some financial institutions may think that as long as they have not been attacked and suffered significant losses, it is unreasonable to deploy expensive security devices in their ATMs. However, ATM security should be an integral part of the bank's overall security plan. Neglecting potential vulnerabilities is by no means a reasonable security policy. Security testing should be performed regularly on ATMs to identify and fix vulnerabilities. Security management should also ensure that ATMs have the latest patches applied to minimize exposure to attacks.
