November 14, 2018
Positive Technologies experts tested NCR, Diebold Nixdorf, and
GRGBanking ATMs to identify potential risks to banks and their clients
percent of tested ATMs were vulnerable to Black Box attacks. Criminals
could connect a "Black Box" device to the cash dispenser of an ATM; the
device is programmed to send the command that makes the dispenser issue banknotes.
Performing the entire attack—connecting the device to the ATM, bypassing
security, and collecting the cash—would take just 10 minutes on some ATM
models, as detailed in the new Positive Technologies report.
Attacks against ATMs have become an increasing concern globally. In
January 2018, the U.S. Secret Service, as well as major ATM vendors
Diebold Nixdorf and NCR, issued urgent warnings about the threat of
attacks on ATMs. According to NCR reports, Black Box attacks were
uncovered in Mexico in 2017. In 2018, these spread to the US. The first
reports of ATM malware attacks date back to 2009, with the discovery of
Skimer, a Trojan able to steal funds and bank card data. Ever since,
logic attacks have become increasingly popular among cybercriminals.
Positive Technologies researchers found that most ATMs (85%) were poorly
secured against network attacks such as spoofing the processing center.
As a result, a criminal could interfere with the transaction
confirmation process and fake a response from the processing center in
order to approve every withdrawal request or increase the number of
banknotes to dispense. The report also describes scenarios involving
attacks on GSM modems connected to ATMs. An attacker could obtain access
to a GSM modem and use it to attack other ATMs on the same network and
even the internal network of the bank.
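The processing-center spoofing described above works when the ATM accepts an approval message it cannot authenticate. The following example is added here to illustrate the mitigation; it is not code from the Positive Technologies report or from any ATM vendor. It assumes a hypothetical JSON message format and a constructed shared key, and shows an unauthenticated ATM side that trusts whatever note count the reply carries, next to a hardened side that checks an HMAC covering both the request and the reply, refuses a reply for an already-consumed request nonce, and never dispenses more than was requested.

```python
import hmac
import hashlib
import json
import secrets

# Constructed demo key; in practice this would be provisioned per ATM
# by the bank's key-management process and never hard-coded.
SHARED_KEY = b"example-shared-key-for-demo-only"


def build_request(amount, notes, nonce=None):
    """ATM side: withdrawal request with a fresh random nonce (hypothetical format)."""
    return {"nonce": nonce or secrets.token_hex(16), "amount": amount, "notes": notes}


def sign_message(key, request, response):
    # The MAC covers the echoed request and the decision, so a reply that
    # is altered in transit or replayed against a different request fails.
    payload = json.dumps({"request": request, "response": response},
                         sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def processing_center_reply(key, request, approve):
    """Processing-center side: build and authenticate the decision."""
    response = {"approved": approve, "notes": request["notes"] if approve else 0}
    return {"response": response, "mac": sign_message(key, request, response)}


def atm_accept_unauthenticated(reply):
    """Weak ATM logic: trusts the reply as received. A spoofed reply
    can approve anything or inflate the number of notes to dispense."""
    resp = reply["response"]
    return resp["notes"] if resp["approved"] else 0


def atm_verify_reply(key, request, reply, consumed_nonces):
    """Hardened ATM logic. Returns (notes_to_dispense, reason)."""
    expected = sign_message(key, request, reply["response"])
    # Constant-time comparison avoids leaking MAC bytes through timing.
    if not hmac.compare_digest(expected, reply["mac"]):
        return 0, "bad mac"
    # Each request may be answered once; a second reply for the same
    # nonce is treated as a replay even though its MAC is valid.
    if request["nonce"] in consumed_nonces:
        return 0, "replay"
    consumed_nonces.add(request["nonce"])
    resp = reply["response"]
    if not resp["approved"]:
        return 0, "declined"
    # Belt-and-braces: the ATM never dispenses more than it asked for.
    if resp["notes"] > request["notes"]:
        return 0, "note count exceeds request"
    return resp["notes"], "ok"


if __name__ == "__main__":
    consumed = set()
    req = build_request(amount=10000, notes=50)
    genuine = processing_center_reply(SHARED_KEY, req, approve=True)
    print("genuine reply:", atm_verify_reply(SHARED_KEY, req, genuine, consumed))
    # Constructed spoof: an attacker on the network inflates the note count
    # but cannot recompute the MAC without the key.
    spoofed = {"response": {"approved": True, "notes": 200}, "mac": genuine["mac"]}
    print("weak ATM dispenses:", atm_accept_unauthenticated(spoofed))
    print("hardened ATM:", atm_verify_reply(SHARED_KEY, req, spoofed, set()))
```

The weak path prints 200 for the spoofed reply, which is exactly the "increase the number of banknotes" outcome the report describes; the hardened path rejects it with "bad mac". Real ATM-to-host protocols use different message formats and key hierarchies, but the invariants shown here (authenticate the reply against the request, consume each request once, bound the dispense amount locally) are the ones a defender wants to confirm are present.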
A failure to implement hard drive encryption makes 92 percent of ATMs
vulnerable to a number of attacks. An attacker could connect directly to
an ATM hard drive and, if the contents are not encrypted, infect it with
malware and disable security mechanisms. As a result, the attacker can
control the cash dispenser.
Exiting kiosk mode was possible on 76 percent of tested ATMs; once the
restrictions placed on ordinary users are bypassed, an attacker can run
commands in the ATM operating system. Positive
Technologies experts estimated the time necessary for this attack at 15
minutes and, for well-prepared attackers who make use of automation,
Galloway, cyber security resilience lead at Positive Technologies, said:
"Our research shows that most ATMs have no restrictions to stop
connection of unknown hardware devices. So an attacker can connect a
keyboard or other devices to imitate user input. On most ATMs, there is
no prohibition on some of the common key combinations used to access OS
functions. What’s more, local security policies were frequently
misconfigured or absent entirely. On 88 percent of ATMs, Application
Control solutions could be bypassed due to poor whitelisting and
vulnerabilities (some of them zero-day) contained in this very same
Application Control software."
"Although ATM owners bear the brunt of the threat from logic attacks,
bank clients may fall victim as well. In our security work, we
constantly uncover vulnerabilities related to network security, improper
configuration, and poor protection of peripherals. These flaws allow
criminals to steal ATM cash and obtain card information. To reduce the
risk of attack and expedite threat response, the first step is to
physically secure ATMs, as well as implement logging and monitoring of
security events on the ATM and related infrastructure. Regular security
analysis of ATMs is important for timely detection and remediation of