What makes ATM machines easy to hack?

Security researchers claim ATM machines are usually not that difficult for hackers to penetrate. Once they're inside, they can steal money, or banking details from unsuspecting victims.

Now, researchers from Kaspersky Lab have investigated what makes ATMs such an easy target for hackers, and came to two conclusions: both software and hardware are easy to access and temper with.

According to the researchers, ATMs are usually based on outdated systems (usually Windows XP), which makes them vulnerable to either malware attacks or exploits. In many cases, ATMs communicate with banking infrastructure through an old, unsecure XFS standard.

“The problem is that XFS specification requires no authorisation for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any other ATM hardware unit, including the card reader and cash dispenser,” the researchers claim.

If the ATM is successfully infected, hackers basically get unlimited capabilities.

The other problem is hardware-based. Apparently, it’s not so difficult to physically gain access to the PC inside the ATM, or to the network cable connecting the ATM to the internet.

Getting physical access to the ATM allows hackers to either install a microcomputer known as a black box, giving them remote access, or reconnecting it to a rogue processing centre.

“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models. This makes them unprepared for criminals actively challenging the security of these devices,” said Olga Kochetova, security expert at Kaspersky Lab’s Penetration Testing department.

“This is today’s reality that causes banks and their customers huge financial losses. From our perspective, this is the result of a long-time misbelief that cybercriminals are only interested in cyber-attacks against Internet banking. They are interested in these attacks, but also increasingly see the value in exploiting ATM vulnerabilities because a direct attack against such devices significantly shortens their route to real money.”

Kaspersky Lab advises ATM manufacturers to revise the XFS standard, introduce two-factor authentication, implement ‘authenticated dispensing’, to exclude attacks via fake processing centres, and to implement both cryptographic protection and integrity control over data transmitted between hardware units.

Image source: Shutterstock/cozyta