Many automated teller machines (ATMs) lack adequate security mechanisms and can be compromised in minutes using various methods, according to a new report from vulnerability assessment firm Positive Technologies.
Assaults on ATMs aren’t new and attack techniques are plenty. Positive Technologies’ security researchers decided to have a look into how machines from different vendors are secured against various attacks. They discovered that many of the security mechanisms in place are simply a nuisance in most cases.
The researchers conducted their tests on 46 ATM machines from NCR, Diebold Nixdorf, and GRGBanking. The machines were running Windows XP, Windows 7, or Windows 10, and each had its own unique configuration.
Attack exposure varies according to factors such as the type of connection to the processing center, the installed software, and security features, the researchers say. They found that several vulnerabilities stemmed from issues such as insufficient network and peripheral security, improper configuration of systems or devices, and vulnerable or improper configuration of Application Control.
Manby attacks on ATMs are in an effort to steal cash located inside the machine. Other incidents, however, aim at stealing the information stored on the banking cards users insert into the ATMs.
According to the study, 85% of the ATMs that were analyzed are vulnerable to network-level attacks as means to fraudulently dispense the cash inside. With access to the network to which the machine is connected, an attacker would only need about 15 minutes to compromise the machine, the security researchers say.
The report also shows that 27% of the tested ATMs were vulnerable to the spoofing of processing center, an attack scenario where the connection to the processing center is not properly secured, allowing the attacker to manipulate the transaction confirmation process.
Vulnerabilities in available network services, such as poor firewall protection, use of vulnerable or out-of-date software versions, and improper configuration of security tools, can be exploited to compromise 58% of the tested ATMs, the study discovered. 23% of the ATMs are vulnerable to attacks targeting network devices connected to them.
Cybercriminals looking to steal cash from ATMs also engage into so called Black Box attacks, where, having physical access to the machine, they connect to the cash dispenser using malware or special devices. 69% of the tested devices were found vulnerable, with an attacker able to steal cash within 10 minutes.
Attackers may also attempt to run commands on the machine’s operating system, bypassing the usual restriction where the ATM users only interact with a single application, which runs in kiosk mode. 76% of the tested devices were found vulnerable.
The security researchers also reveal that the tested ATMs contained various configuration errors, with the majority of them involving insufficient restriction of user account rights.
The discovered issues include insufficient protection of communication with peripherals (96% of devices), use of outdated or vulnerable applications and OS versions (92%), vulnerabilities or improper configuration of Application Control (88%), insufficient local security policies (85%), unauthorized exit from kiosk mode (85%), and connection of arbitrary USB and PS2 devices (81%).
“Most tested ATMs ran special software to selectively disable key combinations. However, in 85 percent of cases, standard key combinations remained available, including Alt+F4 (close active window) and Win+Ctrl, Alt+Tab, and Alt+Shift+Tab (switch task). This technique allowed closing the window of the ATM kiosk application and disabling the applications responsible for blocking arbitrary keyboard input,” Positive Technologies says.
92% of the tested ATMs were found to allow direct access to hard drive, thus allowing an attacker to gain control of the cash dispenser. 27% of the machines support boot from external disks, while 42% allow starting the OS in a special mode that can bypass security (such as kernel debug mode, Directory Service Restore Mode, and various safe modes).
All of the tested ATMs were vulnerable to attacks aiming at stealing users’ credit card data, either through skimmers (physical shims) placed on card readers, to steal information directly from the cards, or by targeting the data transmission between ATM operating system and card reader (100% of tested ATMs), or between the ATM and processing center (58% of tested ATMs).
“Logic attacks on ATMs are growing in popularity, with losses running in the millions of dollars. […] More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case. Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale,” Positive Technologies concludes.