English (US) English (US)
English (UK) English (UK)
French (France) Français (France)
Chinese (Simplified) 简体中文
Chinese (Traditional) 繁体中文

ATM Cyber security: How hackers could (if they want) become billionaire

Once again in 2016 we had some impressive demonstration of how to hack ATM machines. As usual (..., 2010, 2011, 2013, 2014, 2015) nothing has changed (or very little) to protect OUR money!

What am I talking about?

In the past years many hackers or criminal organizations stole millions of dollars from ATM machines. However it does not stop here, many white hackers (good guys trying to demonstrate are vulnerable a system can be) made many videos to actually prove that it was really not complicate to do so.

Let's take the most recent example: in 2016 India's banks has been robbed with 3.2 Million debit cards including 2.6 Million powered by Visa or MasterCard. Even it is not yet clear how much money has been stolen it will not be a few hundred bucks...

Who cares, it's India, they are not really advanced in Cyber Security... You could not be more wrong!

Taiwan, Japan, China, U.S.A, Europe, Africa, ... There is not (or almost) a single country that hasn't been victim of ATM hack including the "Big country" such as U.S.A. Let's have a look about what's the real problem...

Why ATM machines are so vulnerable

You probably are going to laugh but the reason ATM machines are so vulnerable is because they are outdated technology on every layers! Truly...

Software layer - Bank responsibility

Banks are very old institution, most of them exist for a very long time and they all, at their own time, adopt IT technologies to increase their efficiency and services. However at that time, Security meant to not touch something when it is working fine...

By that time they implement new solutions above old ones. It resulted into very advanced digital technologies based on old protocol such as XFS standard which is, in our day, far (VERY FAR) from being secured...

ATM machines are mostly based on this protocol and to change that it would require a huge amount of internal work in banking system considering that a lot of modern services are closely or not relaying on it.

OS layer - Microsoft responsibility

95% of ATM machines are running on Windows XP which was the most stable, less resources consuming, best cost solutions several years before.

The little problem is that since April 8th 2014 Microsoft is not supporting Windows XP anymore. It basically means that even if Zero day breach are found (the most dangerous vulnerability we could expect) Microsoft will not release an update for it. Furthermore, Microsoft is not an open source OS and will not give (or very few) room for banks to patch-it by themselves...

In other words, ATM machines are using old and vulnerable OS which represent around 3 millions ATM machines.

Hardware layer - ATM manufacturers responsibility

Last problem but not least, the ATM embedded hardware is old and do not possess enough resources to exploit more recent OS. It may not seems so but space, in an ATM machine, is exploited to his maximum capacity and (ironically) pretty safe (in terms that you can't put anything you want inside without disrupting the machine).

What I want to highlight here is the possibility for banks to only change the IT devices of ATM. It would not be possible since new hardware do not shares the same technical and physical characteristics...

Furthermore, ATM manufacturers are more focusing on physical security than IT security as they believe it is banks and OS distributors responsibility.

How come banks are not focusing on these threats?

Here is the thing, even it is obvious that bank need to improve they are also counting on OS distributors and ATM manufacturers solutions to improve the overall Cyber Security.

Another topic is about the risk... Any change is always compared to the expected win they will reach. Changing ATM machines, buying new OS licenses and develop stronger protocols will results in hundred millions cost. Considering they lost approximately few millions buck every year it is sadly to say that they do not really care. Without exagerating let's say that it is not their top priority...

They are indeed working on such topic but at a very slow pace regarding how fast hackers are finding new ways of hacking. For banks, their online payment system, online banking system, internal system or database are much more important to secure regarding the HUGE impact it would have if they were to experience a breach.

Banks have their hands on a lot of things (and it is the less we can expect when we talk about OUR money). This will result in years of development before ATM are up to date or dead... Thanks to our new digitalizing world. Maybe that's what they are waiting for...

MY CONCLUSION - Don't worry, worse is coming...

ATM hack is a great way to become richer than rich specifically considering that, so far, none of the major hackers doing ATM money theft has been arrested. Even so, the worst part is yet to come.

Nowadays you can pay with your mobile phone, SMS, Paypal, NFC payment card, ... Every new possibility is a lot of potential for hackers to exploit new vulnerabilities. Even ATM are increasing their way to withdraw money (NFC card and mobile contact mostly). So far the risk is low considering an ATM machine is limited in the amount of cash it contain and hacking 100 ATM means having 100 teammate to take the money...

However i bet that one day, a hacker will do the biggest ATM hack of all time. He will ask all ATM machines to spit out money even there is no one to take it, only to make a point. By that time, Banks will take some serious actions as in security we mostly improve after being attacked...

P.S.: I could have said much much more about ATMs but i need to go withdraw some money for my coffee ;-)

Original post: ATM Cyber security: How hackers could (if they want) become billionaire

备案号:沪ICP备19003830号-4
PSB Logo 沪公网安备 31010502005140号