Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week.
The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users’ bank cards (also known as skimming).
Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected to.
Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.
Furthermore, 23 percent of the tested ATMs could be attacked and exploited by targeting other network devices connected to the ATM, such as, for example, GSM modems or routers.
“Consequences include disabling security mechanisms and controlling output of banknotes from the dispenser,” researchers said in their report.
PT experts said that the typical “network attack” took under 15 minutes to execute, based on their tests.
But in case ATM hackers were looking for a faster way in, researchers also found that Black Box attacks were the fastest, usually taking under 10 minutes to pull off.
A Black Box attack is when a hacker either opens the ATM case or drills a hole in it to reach the cable connecting the ATM’s computer to the ATM’s cash box (or safe). Attackers then connect a custom-made tool, called a Black Box, that tricks the ATM into dispensing cash on demand.
PT says that 69 percent of the ATMs they tested were vulnerable to such attacks and that on 19 percent of ATMs, there were no protections against Black Box attacks at all.
Another way through which researchers attacked the tested ATMs was by trying to exit kiosk mode –the OS mode in which the ATM interface runs in.
Researchers found that by plugging a device into one of the ATM’s USB or PS/2 interfaces, they could pluck the ATM from kiosk mode and run commands on the underlying OS to cash out money from the ATM safe.
The PT team says this attack usually takes under 15 minutes, and that 76 percent of the tested ATMs were vulnerable.
Another attack, and the one that took the longest to pull off but yielded the highest results, was one during which researchers bypassed the ATM’s internal hard drive and booted from an external one.
PT experts said that 92 percent of the ATMs they tested were vulnerable. This happened because the ATMs either didn’t have a BIOS password, used one that was easy to guess, or didn’t use disk data encryption.
Researchers said that during their tests, which normally didn’t take more than 20 minutes, they changed the boot order in the BIOS, booted the ATM from their own hard drive, and made changes to the ATM’s normal OS on the legitimate hard drive, changes which could permit cash outs or ATM skimming operations.
In another test, PT researchers also found that attackers with physical access to the ATM could restart the device and force it to boot into a safe/debug mode.
This, in turn, would allow the attackers access to various debug utilities or COM ports through which they could infect the ATM with malware.
The attack took under 15 minutes to execute, and researchers found that 42 percent of the ATMs they tested were vulnerable.
Last but not least, the most depressing results came in regards to tests of how ATMs transmitted card data internally, or to the bank.
PT researchers said they were able to intercept card data sent between the tested ATMs and a bank processing center in 58 percent of the cases, but they were 100 percent successful in intercepting card data while it was processed internally inside the ATM, such as when it was transmitted from the card reader to the ATM’s OS.
This attack also took under 15 minutes to pull off. Taking into account that most real-world ATM attacks happen during the night and target ATMs in isolated locations, 20 minutes is more than enough for most criminal operations.
“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the PT team said. “Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale.”
The following ATMs were tested.