69% of ATMs can be hacked to spit cash in minutes

ATM vulnerabilities highlight the importance of securing machines against network attacks, according to a Positive Technologies report.

Jackpotting could leave thousands of ATMs at risk of cyberattack

Jackpotting, a cyberattack common in Europe that can empty an ATM machine in seconds, is now targeting Diebold machines in the U.S., says TechRepublic's Brandon Vigliarolo.

Some 69% of ATMs are vulnerable to Black Box attacks, wherein criminals connect programmed Black Box devices to the cash dispenser to bypass security and collect money in as little as 10 minutes on certain models, according to a Wednesday report from Positive Technologies.

Attacks against ATMs have become increasingly common across the globe, the report noted, leading the US Secret Service to issue an urgent ATM threat warning to banks in October. The first reports of ATM malware attacks date back to 2009, when a Trojan called Skimer was found to steal funds and bank card data, the report noted.

Today, 85% of ATMs remain poorly secured against network attacks, such as spoofing the processing center, the report found. This potentially allows criminals to interfere with the transaction confirmation process, and fake a response from the processing center to approve every withdrawal request, or increase the amount of money dispensed.

Attackers can also gain access to GSM modems connected to ATMs, and use them to attack other ATMs on the same network, or even the internal network of the bank.

The vast majority of ATMs tested (92%) were vulnerable to a number of attacks due to a failure to implement hard drive encryption, according to the report. This means an attacker could connect directly to an ATM hard drive and infect it with malware to disable security and control the cash dispenser, the report noted.

On 76% of the ATMs tested, exiting kiosk mode was possible, which would allow attackers to potentially run commands in the ATM operating system, the report found. They would only need about 15 minutes to complete this attack.

"Our research shows that most ATMs have no restrictions to stop connection of unknown hardware devices," Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said in a press release. "Although ATM owners bear the brunt of the threat from logic attacks, bank clients may fall victim as well. In our security work, we constantly uncover vulnerabilities related to network security, improper configuration, and poor protection of peripherals. These flaws allow criminals to steal ATM cash and obtain card information."

To reduce the risk of attack and speed threat response, banks should work to physically secure ATMs, the report recommended. They should also implement logging and monitoring of security events on the ATM and related infrastructure, and perform regular security analysis of the machines.

The big takeaways for tech leaders:

  • 69% of ATMs are vulnerable to Black Box attacks. -- Positive Technologies, 2018
  • 85% of ATMs remain poorly secured against network attacks such as spoofing the processing center. -- Positive Technologies, 2018
