The vast majority of Automated Teller Machines (ATMs) manufactured by NCR, Diebold Nixdorf, and GRGBanking and used by banks as cash dispensers have been proven to be easily hacked by potential attackers either remotely or locally, in most cases in under 15 minutes.
According to Positive Technologies' analysis, ATMs are vulnerable to four categories of security issues: insufficient network security, insufficient peripheral security, improper configuration of systems or devices, and Application Control security bugs or faulty configuration.
Roughly 85% of ATMs manufactured by NCR, Diebold Nixdorf, and GRGBanking are easily hackable in about 15 minutes by potential attackers when they have access to the ATM network.
"If the attacker is an employee of the bank or Internet provider, this access can be obtained remotely," said Positive Technologies. "Otherwise, an attacker needs to be physically present to open the ATM, unplug the Ethernet cable, and connect a malicious device to the modem (or replace the modem with such a device)."
After infiltrating the ATM, crooks can either launch direct attacks against the ATM or the services running on it, or use man-in-the-middle attacks that allow them to intercept and modify data packets to spoof processing center responses and take control of the targeted device.
The security measures put in place to protect ATMs are usually just a small annoyance for attackers
Most of the ATMs tested featured highly insufficient data protection for the information exchanged with the processing center, and they came with firewall protection which unfortunately was poorly configured.
"In many cases, the cause of insufficient peripheral security is lack of authentication between peripherals and the ATM OS," Positive Technologies also stated. "As a result, a criminal able to infect the ATM with malware can access these devices or directly connect their own equipment to the dispenser or card reader. The criminal can then steal cash or intercept card data."
Improper configuration here means that the units had almost no protection against exiting kiosk mode, allowed attackers with physical access to connect external devices, and lacked storage encryption.
Full details on the research team's findings are available in their "ATM logic attacks: scenarios, 2018" report (PDF).