Positive Technologies report uncovers ATMs can be hacked in minutes

Online security platform Positive Technologies has compiled a report which finds ATMs can be hacked within minutes.

The company’s experts tested NCR, Diebold Nixdorf, and GRGBanking ATMs in order to find any risks to banks or clients. Of those tested, 69 per cent were vulnerable to Black Box attacks.

This means criminals could connect a ‘Black Box’ device to an ATM’s cash dispenser and use it to command the unit to dispense banknotes. The report states that the whole attack, from connecting the device and bypassing security to collecting the cash, would take only 10 minutes.

Its researchers also found that 85 per cent of the ATMs were poorly protected from network attacks such as spoofing the processing centre. This means a criminal could tamper with transaction confirmation and fake the responses of the processing centre, so that every withdrawal request is approved or the number of notes released is increased.

The report also describes attacks on GSM modems connected to ATMs. If criminals gain access to these, they could attack other ATMs on the network or the internal bank network.

Of those tested, 92 per cent were at risk of attacks due to a failure to implement hard drive encryption. Without encryption, attackers could access an ATM’s hard drive, infect it with malware and disable security measures, giving them full control of the unit.

Researchers also found that kiosk mode could be exited on 76 per cent of the ATMs, which means an attacker could issue commands to the operating system. This attack was estimated to take around 15 minutes, but could take even less time depending on the attacker’s skill.

Positive Technologies cybersecurity resilience lead Leigh-Anne Galloway said, “Our research shows that most ATMs have no restrictions to stop connection of unknown hardware devices. So an attacker can connect a keyboard or other devices to imitate user input.

“On most ATMs, there is no prohibition on some of the common key combinations used to access OS functions. What’s more, local security policies were frequently misconfigured or absent entirely.

“On 88 percent of ATMs, Application Control solutions could be bypassed due to poor whitelisting and vulnerabilities (some of them zero-day) contained in this very same Application Control software.”

Copyright © 2018 FinTech Global
