Hacker Makes ATMs Cough Up Cash Willy-Nilly
Security researcher Barnaby Jack demonstrated remote hacks against two automated teller machines (ATMs) that made them spew out money at the Black Hat security conference in Las Vegas on Wednesday.
A large number of ATMs are vulnerable to remote and physical attacks, said Jack, who works for IOActive.
The Black Hat ATM Caper
Jack reportedly developed an exploit kit he calls "Dillinger" to access ATMs that are connected to the Internet or to phone lines. Most ATMs are connected this way, he said.
Once Dillinger has penetrated an ATM, it installs a multi-platform rootkit developed by Jack, which he calls "Scrooge," according to the ATM Industry Association (ATMIA). This gives the attacker administrative privileges in the ATM, the association pointed out.
"Scrooge" will also reportedly capture magstripe data embedded in the bank cards people insert into the ATM to make a transaction. Jack reportedly hacked the Tranax ATM by reprogramming it over a network.
Jack reportedly said he has examined ATMs from four manufacturers, and all of them have vulnerabilities.
"ATM security is one of the most technically challenging areas of a financial institution's operation," said Mike Lee, CEO of ATMIA, in response to Jack's presentation. "This type of research conducted by professionals like Jack should be leveraged by our industry to improve ATM security."
ATMIA puts on eight to 10 conferences or events every year at which industry speakers present best practices, Sharon Lane, the association's director of finance, told TechNewsWorld.
"We also keep our members informed regularly whenever we hear of an alert from the police or FBI or any type of security organization," Lane added.
ATMIA also holds free webinars about security best practices for members, Lane said. The association is a non-profit organization with nearly 1,800 members in more than 50 countries worldwide. Members include banks, financial institutions, ATM manufacturers, payment processors and software developers.
Jack reportedly hacked the Triton ATM at the Black Hat conference by using a key to open the machine's front panel and then inserting a USB stick loaded with his malware.
Attacks like these require expert technical skills, knowledge and equipment, Triton said in response to Jack's demo. The company says it is unaware of any such attack having been carried out successfully against a Triton ATM in actual use.
The company sent out a software upgrade last fall that would prevent anyone from loading malware the way Jack did, Aimee Leeper, its marketing manager, told TechNewsWorld. Triton, one of the largest manufacturers of ATMs for the consumer market, sends technical bulletins to customers regularly, Leeper added.
"The question is, do our customers load every upgrade we send them?" she pointed out. "You can lead a horse to the water but you can't make him drink."
Spreading the Responsibility
Apparently, businesses aren't as careful about protecting their ATMs as they could be.
"ATMs ship with a default password, and sometimes people don't change the password," Triton's Leeper said.
Further, many businesses that deploy ATMs don't equip them with an alarm.
"It's amazing," Leeper said. "Pretty much the only people who buy these alarms and the Raminator are those who got ripped off."
The Raminator is an accordion-pleated steel device that can be used instead of bolts to attach an ATM securely to the floor. It prevents thieves from taking the ATM by unfolding as they pull on the machine in an attempt to physically remove it. People often install ATMs without bolting them to the floor, Leeper said, and when they do use bolts, the bolts are often of poor quality, she explained.
Economics is probably at the root of these problems.
"The way to make money on ATMs is to get high transaction volumes and keep your transaction costs low," Leeper explained. "An ATM machine costs about (US)$2,000 and security will cost another $500, and that drives up your costs. People are very price-conscious."
Tranax, which was recently purchased by Korean firm Eltna, could not be contacted for comment.