Cash out with ease: why and how ATMs get attacked

Remember the beginning of Terminator 2: Judgment Day, where John Connor is shown hacking an ATM with an Atari Portfolio?

Picture this: a late night, a badly lit corner in the slums; aside from a lonesome streetlamp, there’s one other dim light source – the lobby of a small branch of a major bank. It’s too late for anyone to be around, the street is empty, and the surroundings fell asleep long ago.

A shady figure emerges from the dark. It’s next to impossible to tell the gender: the person is wearing a baggy street-style hoodie. The figure enters the lobby, walks up to one of the cash dispensers, then freezes. A moment or two later, he (or maybe she? – you never know) starts packing something into a knapsack he has brought along. Once everything’s done, the figure vanishes into the dark again…

…In the morning the bank workers discover that at least one ATM is empty of cash.

As readers may already have guessed, the hooded figure was a so-called money mule, the person hired to take the cash from the compromised ATM; most likely the compromise itself had been performed remotely. There’s a reason this is a simple act to perform.

Easy come, easy go

In fact, modern ATMs are basically construction kits made up of a number of hardware modules such as the cash dispenser, a card reader, a keypad, the display (touch-sensitive or not), etc. But the main system unit is a very mundane PC; whatever custom software is installed there – ATM unit management software, programs used to interact with the user, to communicate with the processing center, etc. – all of it runs on a quite common operating system.

And the vast majority of today’s ATMs still use Windows XP. For some reason certain banks also install Acrobat Reader 6.0, Radmin, TeamViewer and other unnecessary, and in some cases even dangerous, software, making the device even more vulnerable.

As we know, Microsoft finally dropped support for this OS in 2014. Two years on, it’s still around in various forms. ATMs aren’t exactly cheap devices, so it seems quite logical that as long as they can perform their functions they stay in service, no matter what OS they are running.

Microsoft dropped the support, so all newly discovered vulnerabilities are there to stay. And not just them: Securelist reports that many machines still have the unpatched critical vulnerability MS08-067, which allows remote code execution.

In 2014, Kaspersky Lab researchers discovered Tyupkin, one of the first widely known examples of malware for ATMs, and in 2015 company experts uncovered the Carbanak gang, which, among other things, was capable of jackpotting ATMs through compromised banking infrastructure. Both attacks were possible due to the exploitation of several common weaknesses in ATM technology and in the infrastructure that supports it. This is only the tip of the iceberg.

Attackers sometimes use very sophisticated, multistage operations ending in mass ATM compromise. The “chain” may indeed be long: a hacking group may compromise the infrastructure of a telecom operator using a plain and simple social engineering technique. Having installed backdoors, hacking group #1 may sell that access to somebody else, who then discovers that the telecom company serves some banks’ networks. Further research by hacking group #2 shows that the ATMs are remotely accessible. Then hacking group #2 deploys malware to redirect money to rogue accounts or to force cash out of certain ATMs at a certain time, when it is picked up by the “hooded figures”.

But it is quite possible that no exceedingly “hi-tech” efforts are needed. In many cases observed by Kaspersky Lab researchers, criminals don’t even have to use malware to infect the ATM or the bank network it’s attached to. Physical security of the ATMs themselves is a very common issue: often ATMs are constructed and installed in a way that lets a third party easily gain access to the PC inside the ATM, or to the network cable connecting the machine to the Internet.

And by gaining even partial physical access to the ATM, criminals can potentially install a specially programmed microcomputer (a so-called black box) inside the ATM, which gives attackers remote access to the machine; or even reconnect the ATM to a rogue processing center.

A fake processing center is a server that processes payment data and behaves identically to the bank’s server, despite not belonging to the bank. Once the ATM is reconnected to a fake processing center, attackers can issue any command they want. And the ATM will obey.

XFS problem

Through research into commonly used ATMs (and actual attacks that have taken place recently), Kaspersky Lab researchers discovered that in the vast majority of cases the custom software that lets the ATM’s PC interact with the banking infrastructure and the hardware units, processing cash and payment cards, is based on the XFS standard. This is a rather old and insecure technology specification, originally created to standardize ATM software so that it can work on any equipment regardless of manufacturer.

The problem is that the XFS specification requires no authorization for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any ATM hardware unit, including the card reader and the cash dispenser.

Should malware successfully infect an ATM, it gains almost unlimited control over that ATM: it can turn the PIN pad and card reader into a “native” skimmer, or simply give away all the money stored in the ATM on a command from its operator.

XFS is clearly the major source of the problems with ATMs.

What to do then?

Kaspersky Lab experts say ATM manufacturers can reduce the risk of attack on cash machines by applying the following measures:

• First, it is necessary to revise the XFS standard with an emphasis on security, and introduce two-factor authentication between devices and legitimate software. This will help reduce the likelihood of unauthorized money withdrawals using trojans, and of attackers gaining direct control over ATM units.
• Second, it is necessary to implement “authenticated dispensing” to exclude the possibility of attacks via fake processing centers.
• Third, it is necessary to implement cryptographic protection and integrity control over the data transmitted between all hardware units and the PCs inside ATMs.
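To make the second and third measures concrete, here is an added illustration in Python (not code from the article, from Kaspersky Lab, or from the XFS standard): a simplified dispenser model that executes any command it receives, beside a hardened one that dispenses only when the command carries a valid HMAC from the bank’s host over a one-time nonce. The shared key, the nonce scheme and the class names are assumptions of the example, not part of any real ATM stack.

```python
import hmac
import os
from dataclasses import dataclass, field

# Constructed shared secret: a real design would provision it into the
# dispenser's secure element and the bank's host, never into ATM PC software.
DISPENSER_KEY = os.urandom(32)

def command_mac(key: bytes, nonce: bytes, amount: int) -> bytes:
    """HMAC-SHA256 over the dispense command: binds amount to a one-time nonce."""
    return hmac.new(key, nonce + amount.to_bytes(4, "big"), "sha256").digest()

class LegacyDispenser:
    """Models the XFS-style behaviour the article describes: whatever software
    reaches the device can dispense, with no caller authentication at all."""
    def __init__(self, cash: int):
        self.cash = cash

    def dispense(self, amount: int) -> bool:
        if amount > self.cash:
            return False
        self.cash -= amount
        return True


@dataclass
class AuthenticatedDispenser:
    """Hardened model of 'authenticated dispensing': the device dispenses only
    if the command carries a valid MAC, made with the host's key, over a nonce
    the device issued itself; unsigned, tampered or replayed commands fail."""
    cash: int
    key: bytes
    _pending: set = field(default_factory=set)

    def new_nonce(self) -> bytes:
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def dispense(self, amount: int, nonce: bytes, mac: bytes) -> bool:
        if nonce not in self._pending:
            return False                      # unknown or already used nonce
        self._pending.discard(nonce)          # one-time use, even on failure
        if not hmac.compare_digest(mac, command_mac(self.key, nonce, amount)):
            return False                      # wrong key or tampered amount
        if amount > self.cash:
            return False
        self.cash -= amount
        return True
```

The rogue-center case is the one the second measure targets: a host that does not hold the key cannot produce a valid MAC, so its dispense commands are refused before any cash moves.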

A large part of the problem, however, is that while ATM manufacturers are developing ever more secure devices, banks themselves keep running obsolete Windows XP-based machines.

“This is today’s reality that causes banks and their customers huge financial losses. From our perspective this is the result of a longtime misbelief that cybercriminals are only interested in cyberattacks against Internet banking. They are interested in these attacks, but also increasingly see the value in exploiting ATM vulnerabilities, because direct attacks against such devices significantly shorten their route to real money,” said Olga Kochetova, security expert at Kaspersky Lab’s Penetration Testing department.

For more details, check out the Securelist article authored by Olga Kochetova, where today’s issues with ATMs are described in detail.